Boot viruses:
These viruses infect floppy disk boot records or master boot records on hard disks. They replace the boot record program (which is responsible for loading the operating system into memory), either copying it elsewhere on the disk or overwriting it. Boot viruses load into memory when the computer reads the disk while booting.
Examples: Form, Disk Killer, Michelangelo, and Stone virus
Program viruses:
These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade
Multipartite viruses:
A hybrid of boot and program viruses. They infect program files, and when an infected program is executed they also infect the boot record. The next time you boot the computer, the virus loads into memory from the boot record and starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila
Stealth viruses:
These viruses use various techniques to avoid detection. They may redirect the disk head to read another sector instead of the one in which they reside, or they may falsify the infected file’s size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file and then subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale
Polymorphic viruses:
A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
Macro viruses:
A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and infects the Normal template (Normal.dot), a general-purpose file that stores default document formatting settings. Every document you open refers to the Normal template and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection spreads when such documents are opened on other computers.
Examples: DMV, Nuclear, Word Concept.
ActiveX:
ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to configure their web browser to enable or disable functions like playing sound or video, and so, by default, they leave a big hole in their security by allowing applets free run of their machine. There has been a lot of commotion about this, and with the amount of power that Java imparts, things look a bit gloomy from the security angle.
The Worms of the Net
The first encounter with a computer virus is a mixture of thrill, suspense, comedy and, later, tragedy. It is comical at first to see your programs behave strangely and show comical messages. This is accompanied by an element of suspense when you realize that your computer has been infected, but you don't know what it will do, or what it can do. When important data is lost and you have to re-format your hard disk, the story becomes tragic. But when your anti-virus package (you have one, don't you?) detects the culprit and deletes it, you are filled with pride and satisfaction. The same old story as a Hollywood blockbuster.
Computers generally pick up viruses from infected files on a floppy (who uses these nowadays?), over a network, or from the mother of all networks, the Internet. Research shows that the main culprit for the spread of these unwanted guests is the Internet. Infected files are attached to anonymous messages and sent to thousands of people who unknowingly download and execute the attachment, creating havoc on their machines as well as on the network they are on.
Many people configure their mail clients to automatically forward the mails they receive, ensuring that the infected file is generously distributed to other people too.
Detection and removal of computer viruses is a thriving industry today. A philosopher rightly said that one person's troubles are a boon to others. The major international players in virus detection and elimination are Symantec (Norton AntiVirus), Network Associates (McAfee VirusScan), Data Fellows (F-Secure) and Trend Micro (PC-cillin). Regional antivirus packages, adapted to local needs, are also available.
Trojans: The Method of Infection
The simplest method is to send a trojan via email. You receive a message saying that a wonderful file is attached, and it coaxes you into clicking on it. This one is for dumb heads. I assume you are not one of those who click every attachment without scanning it with an up-to-date AV.
Secondly, you may receive a file from someone you know, and the file looks harmless enough. On clicking it you find a small application running, so you rest assured that the file was not a trojan. Here is where the ingenuity of the hacker comes into play: he joins the trojan horse with a harmless application. Such joiners are widely available on the Net. (If you want one, try Joiner.) He designs a new icon for it using Micro Angelo. If he uses Sub7, the best and most dangerous trojan in my opinion, the latest version comes with a built-in icon changer, so one can easily assign an MP3 icon to a Sub7 server. (More on SubSeven later.)
If you are an experienced net user (I assume male, though I am not gender biased), you can easily avoid falling prey to the above methods. But can you resist feminine charm? This is one of the most widely used and successful means of catching a prey who is not a fool. For this, you need ICQ (I don't need to tell you about this, right?). You may meet someone in a random chat claiming to be a sultry babe from Amsterdam. She arouses your erotic senses and then says that she wishes to send you an erotic photo of herself. Naturally, no male (here I am talking about normal males, not those rare ones who can resist such a temptation) would like to miss such an opportunity. So you get an incoming file request, say pic.jpg. Now you know that a trojan has to be an .EXE file, so this cannot be one. So you receive it and click it.
The file is indeed a JPG file joined with a trojan. But although you can bind an EXE file to a JPG, the final file still has to be an EXE. What the hacker does is rename the file pic.jpg.exe. ICQ shows this as pic.jpg. So you end up making a fool of yourself.
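As an added defender-side check (not code from the original article): the pic.jpg.exe trick is defeated by looking at the full file name rather than the one the chat client displays, and at the file's first bytes, since a joined file is still an executable whatever it is called. The extension lists, the magic-byte table and the sample attachments below are constructed for this example.

```python
import os

# Extensions the article lists as program-virus targets; the script types
# .vbs/.hta/.scr are my addition, not from the article.
EXECUTABLE_EXTS = {".bin", ".com", ".exe", ".ovl", ".drv", ".sys", ".vbs", ".hta", ".scr"}
# Harmless-looking types that get used as the visible "cover" extension.
COVER_EXTS = {".jpg", ".jpeg", ".gif", ".mp3", ".txt", ".doc"}

# Constructed table of leading bytes; every DOS/Windows .exe starts with "MZ".
MAGIC = {
    b"MZ": "dos/windows executable",
    b"\xff\xd8\xff": "jpeg image",
    b"GIF8": "gif image",
}


def sniff_type(head: bytes) -> str:
    """Identify the real file type from its first bytes, ignoring the name."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def check_attachment(filename: str, head: bytes) -> dict:
    """Give a verdict for one attachment from its full name and first bytes."""
    name = filename.lower()
    stem, last = os.path.splitext(name)
    _, inner = os.path.splitext(stem)          # ".jpg" in "pic.jpg.exe"
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if inner in COVER_EXTS:
            reasons.append(f"double extension hides {last} behind {inner}")
    real = sniff_type(head)
    if real == "dos/windows executable" and last not in EXECUTABLE_EXTS:
        reasons.append(f"content is an executable but the name claims {last or 'no extension'}")
    return {"name": filename, "real_type": real, "suspicious": bool(reasons), "reasons": reasons}


def main() -> None:
    # Constructed samples: a genuine JPEG, the joined file from the article,
    # and an executable simply renamed to look like an image.
    samples = [
        ("pic.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
        ("pic.jpg.exe", b"MZ\x90\x00" + b"\x00" * 12),
        ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 12),
    ]
    for name, head in samples:
        print(check_attachment(name, head))


if __name__ == "__main__":
    main()
```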
Subseven – Beware of this one!
Last time we saw how trojans work and what general facilities they provide. Today we look into SubSeven, the most dangerous trojan available on the net. Its ferocity lies in its simplicity. It is so simple to use that any Tom, Dick and Harry can use it. The IQ level required to use SubSeven is below normal, though to infect people you do need sufficient intelligence.
The interface of SubSeven is a bit bunched up, but the power it imparts is tremendous. On the left pane you have options like connection, key/messages, advanced, fun, extra fun, etc. Each of these is a menu offering many more functions. The connection tab allows you to scan IP addresses to search for a particular victim infected by the SubSeven server. It also allows you to get all information about the victim, including his home address and telephone number!
The key tab allows you to send keystrokes to the victim. So if you press Ctrl+Alt+Del on your PC, you can effectively reboot your victim's PC. The most powerful feature of SubSeven is that it allows you to retrieve offline keys. These are the keystrokes you enter just before you go online; 90% of the time, these are your dial-up username and password. So next time you see a deficit of 50 hours in your newly acquired internet account, you know whom to blame.
One of the unique and outstanding features of SubSeven is The Matrix. After you have connected to the victim's PC, you can activate The Matrix, and whatever you type is displayed in green letters on your victim's screen. (Remember "Wake up, Neo".)
The advanced tab, as the name suggests, offers more power. You can search files, modify the registry, get cached passwords (passwords for which you chose the "Remember password" option), open the PC as an FTP port, etc. In short, it can really mess you up.
Most people seem to like the fun part of SubSeven. Here you can activate the screensaver, change the screen resolution, get access to the web cam (if the victim has one), etc. The extra fun tab has options to reverse the mouse buttons, shut down Windows, change the time and date, etc.
The latest version of SubSeven is 2.2. This is packed with more features, like text-to-speech, where whatever you type is spoken out on the victim's PC. The revolutionary feature of this version is the icon changer. Now one can assign any icon to the SubSeven server, so you can find SubSeven servers carrying the Winamp, UltraEdit or RealPlayer icon, and if you are not careful, you are doomed. What makes SubSeven most dangerous is that no antivirus seems to detect it. I tried fully updated versions of McAfee 4.03 and Norton AntiVirus 2001, and they were helpless against the power of SubSeven. McAfee 5.12 does detect SubSeven trojan 2.1 Gold, but I am not sure it will be able to detect the latest version, which is about to be released.
The purpose of this article is not to promote destructive activities using SubSeven. I want you to acknowledge the genius of the person who invented this deadly tool (his name is Mobman). What I don't understand is why they don't put their genius minds to creative purposes. Though it can be argued that SubSeven can be used as a creative tool if used in the proper direction. As they say, technology is a good servant but a bad master.
If you want to play with this SubSeven thing, be prepared to face the music yourself. If you are not careful, you may infect yourself, and there will be no way to save you from the hands of eagerly waiting hackers.
Symptoms of Virus Infection
10 virus symptoms
1. Programs take longer to load. Memory-intensive operations take a lot of time to start.
2. A change in dates against the filenames in the directory. When the virus modifies a file, the operating system changes the date stamp.
3. The floppy disk or hard disk is suddenly accessed for no logical reason.
4. Increased use of disk space and growth in file size: the virus attaches itself to many files.
5. Abnormal write-protect errors, caused by the virus trying to write to a protected disk.
6. Strange characters appear in the directory listing of filenames.
7. Strange messages like "Type Happy Birthday Joshi" (Joshi Virus) or "Driver Memory Error" (kak.worm) appear on the screen and in documents.
8. Strange graphic displays such as falling letters or a bouncing ball appear on screen.
9. Programs may hang the computer or not work at all.
10. Junk characters overwrite text in document or data files.
Your guide to safe computing
Listed below are some of the steps recommended by experts to safeguard your PC from viruses. They are compiled from my past experiences and from magazine sources.
1. Write-protect your floppy disks when using them on other computers.
2. Remove floppy disks from drives while booting.
3. Change the BIOS setting so that your PC boots from the C drive first.
4. Use a good anti-virus program to scan floppy disks before copying files. Recommended ones are Norton AntiVirus 2000 and McAfee 5.
5. Install software only from original write-protected disks with the publisher’s label.
6. Do not install pirated software, especially computer games.
7. Activate watch-guard programs (monitors) that look out for suspicious activity.
8. Use the update service offered by software vendors and update the anti-virus software every month.
9. Scan the entire hard disk twice a month.
10. Scan files downloaded from the Internet or those transferred through a network.
11. Prepare a rescue disk with critical system files. Preferably, it should be bootable.
12. Keep the original CD-ROM or diskettes containing the operating system handy.
Kak Worm - An Internet Virus
In the ongoing series on computer viruses, we have already given considerable attention to the anatomy of a virus, its symptoms and its modes of infection. In this article, I am going to talk about worms. These are a special type of virus in the sense that they exist more to annoy you than to cause destruction. We will also take a look at kak.worm, the latest offering of the underground in this category.
A worm is a self-contained program or set of programs that can propagate from one machine to another. Unlike a virus, a computer worm does not need to modify a host program to spread. The first notable instance of a worm is the Internet Worm, which supposedly originated in 1988. It infected almost 6000 machines connected to the Internet running SunOS and UNIX. This figure may not sound alarming today, when there are millions of machines connected to the net, but it was a totally chaotic situation then, when the ratio of infected machines to the total was substantial.
The most important characteristic of a worm is that it must be able to send one or more executable programs to target client machines connected to a network before it can function. After the worm establishes itself and is executing on a new machine, it can then spread to other machines on the Internet. Earlier versions of Win 95 (OSR1) did not provide a remote execution facility, and hence worms for the PC platform were few. But today, worms are a lot more intelligent than they used to be. Written mostly in Visual Basic Script (VBScript), they now use intelligent algorithms to avoid detection and promote mass spread.
Today, worms use email clients as their mode of infection. The actual modus operandi varies from worm to worm. I take the case of kak.worm to illustrate the way a worm spreads and executes:
Method of Infection
Kak.worm consists of the main .vbs file Kak.htm, which resides in the Windows folder along with Kak.reg, which contains all the configuration of the worm. It attaches kak.htm as a signature to all outgoing mails of the infected computer. The signature is not visible, and it need not be executed for you to get infected, because it uses a loophole in the Outlook Express preview window. So as soon as you view the mail, you are infected.
How does the Worm work?
The worm adds a .HTA file in the Windows/system folder. A registry key in the Run folder (run Regedit.exe and then go to Local Machine/software/Microsoft/Windows/Current Version/Run) starts this HTA file each time Windows starts or reboots. The Autoexec.bat is also modified, and an entry is added to the startup folder. So it attacks from 3 directions (registry, autoexec and startup), in case one fails.
What does it do?
As said earlier, it does not cause data loss. It gives an irritating "Driver Memory Error" on startup and sends itself along with all your emails.
How do I remove it?
Change Folder Options to show all files. Then delete kak.htm and kak.reg from the Windows folder and the .hta file from the system folder. Then remove the registry key of the .hta file from the location specified above. Delete the startup entry and the entry in Autoexec.bat. If you are not comfortable with registry editing, you can go to Symantec.com and search there for kak.worm; they have a patch to remove kak. To fix the Outlook Express preview loophole, go to Microsoft.com. There are a lot of valuable resources on viruses on the Net. Check the Virus section of links. Searching for kak.worm on Google.com may also give you what more you are looking for.
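An added example of how the three persistence points named above (the Run registry key, Autoexec.bat and the Startup folder) can be audited from text taken off the machine, namely a Regedit export of the Run key, the contents of Autoexec.bat and a listing of the Startup folder. This is not a tool from the article; all sample data in it is constructed, and "sample.hta" stands in for the .hta file the worm drops.

```python
import re

# Constructed samples, not data from a real infected machine. The "ScanRegistry"
# entry is a normal Windows 98 Run value kept here as a benign baseline.
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SampleValue"="C:\\WINDOWS\\SYSTEM\\sample.hta"
"""
AUTOEXEC = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
START C:\WINDOWS\SYSTEM\sample.hta
"""
STARTUP_LISTING = ["Microsoft Office Shortcut Bar.lnk", "sample.hta"]

# Anything that launches an .hta file or touches the worm's own files.
HTA_OR_KAK = re.compile(r"\.hta\b|kak\.(htm|reg)", re.IGNORECASE)


def suspicious_run_entries(reg_export: str) -> list:
    """Return (name, command) pairs from a Run-key export that launch an .hta file."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'\s*"([^"]+)"\s*=\s*"(.*)"\s*$', line)
        if m and HTA_OR_KAK.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def suspicious_autoexec_lines(autoexec: str) -> list:
    """Return Autoexec.bat lines that start an .hta file or mention kak.htm/kak.reg."""
    return [ln.strip() for ln in autoexec.splitlines() if HTA_OR_KAK.search(ln)]


def suspicious_startup_items(listing: list) -> list:
    """Return Startup-folder entries that are .hta files."""
    return [name for name in listing if HTA_OR_KAK.search(name)]


def audit(reg_export: str, autoexec: str, listing: list) -> dict:
    """Check all three persistence points; an empty list means that one is clean."""
    return {
        "registry": suspicious_run_entries(reg_export),
        "autoexec": suspicious_autoexec_lines(autoexec),
        "startup": suspicious_startup_items(listing),
    }


if __name__ == "__main__":
    for where, items in audit(REG_EXPORT, AUTOEXEC, STARTUP_LISTING).items():
        print(f"{where}: {items or 'clean'}")
```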
Melissa
Until now, we have seen the anatomy of a computer virus, its modus operandi and its symptoms. To complete this series, I am going to discuss a few of the deadliest virus species. These may not be the latest on offer, but they are important study material because they are the source of inspiration for new variants. First on this list is Melissa.
Also known as WM97, Melissa made its first appearance in late 1998. By its nature, it is a macro virus. Specifically targeted at Microsoft Word 97/2000, this is supposed to be the first in-the-wild virus that accelerates its spread via email.
If you have Microsoft Outlook 98 installed (the latest variants are also known to work with Outlook Express 5), the virus will send itself to the first 50 names in your address book.
The message sent by the original Melissa variant contains this subject:
Important Message From xxxxx
(Where "xxxxx" is the name of the sender, who is most likely someone you know and who is probably unaware that they are infected.) This is not the only subject an infected mail may carry; different Melissa variants have their own subjects. Try to recognize the pattern of the subject rather than the subject itself.
This e-mail is accompanied by an attachment, List.doc (the name may differ), which may contain sultry pornographic material. When this file is opened, Melissa lowers the computer's security level and permits the use of all macros without warning.
The virus sets the registry key:
HKEY_Current_User\Software\Microsoft\Office\Melissa?
to a value of "... by Kwyjibo" and, if the above key was not already present, emails copies of itself to the first 50 people in your address book. The virus infects the default template file and all newly created documents on the infected system, so all Word documents created henceforth will be infected. If the minute of the hour matches the day of the month, the virus inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
Damage caused by this virus is variant dependent. Some variants are known to damage data and corrupt files. Since this is an old virus, all current anti-virus software readily detects it, but only if you have a virus scanner running all the time. If not, take the following precautions.
1. Scan all emails with attachments.
2. Never open any executable attachments unless you have specifically requested the file. (MS Office files, such as MS Word documents and Excel spreadsheets, can contain programs that are automatically executed when you open these files.)
3. Whenever you run a new program for the first time, run an integrity check to make sure that nothing changed on your PC that shouldn't have. This helps protect against threats like Happy99 and Melissa, and also limits the damage from poorly designed or buggy programs.
4. Unless you absolutely need to use macros, disable them. (This applies to any program foolish enough to have macros that can be executed automatically without the user being aware, but the threat is greatest with MS Word and MS Excel.)
Note: In MS Word 2000 make sure your security setting is set to "High" (click Tools/Macro/Security). This will give a warning before executing any document with a macro.
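Added example (not from the article) of the integrity check that precaution 3 recommends. It also shows why the Whale-style size trick from the stealth virus section fails against a baseline taken earlier: the checker hashes the bytes it actually reads instead of trusting the directory listing. The sample program files and the 9216-byte append are constructed here.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file's path (relative to root) to its (size, sha256)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            result[rel] = (os.path.getsize(path), h.hexdigest())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots."""
    report = {"added": [], "removed": [], "grown": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            old_size, new_size = baseline[rel][0], current[rel][0]
            if new_size > old_size:
                report["grown"].append((rel, new_size - old_size))   # appending infector
            else:
                report["changed"].append(rel)                        # overwriting infector
    return report


def demo() -> dict:
    """Build a constructed program directory, baseline it, then append 9216 bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("EDIT.COM", b"\x90" * 512), ("GAME.EXE", b"MZ" + b"\x00" * 1024)]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        base = snapshot(root)
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\xcc" * 9216)   # growth of the size the article gives for Whale
        return compare(base, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run the check from a clean boot disk (item 11 in the safe computing list) so that a memory-resident stealth virus cannot redirect the reads.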
Good explanation. There are many more new viruses coming; day by day they are increasing. We should be more careful in securing the PC.