Virus part2

Editor's Notes

• #4: What is a Computer Virus? A computer virus is a program (a block of executable code) that has the ability to replicate, or make copies of itself, and spread to other files. Viruses can attach themselves to many types of files and programs. The file or program that is infected by the virus will serve as its host. Computer viruses are actually a special case of something known as Malware.
• #5: What is Malware? Malware is the general term used to refer to any unexpected or malicious program or mobile codes such as viruses, Trojans, worms, or Joke programs. A malware needs to be executed for it to do anything and the malicious code would have to be in a form that the computer will actually try to execute. To put it simply, all forms of malware require executable code. Files that are pure data are therefore generally safe.
• #6: What does malware do to computers? Malware run on a computer just like software programs. Their actions (generally called as their payload) depend on the programming written by their writers. Some malware are deliberately designed to cause damage by deleting certain types of files, or even reformatting a hard drive and destroying all data. Others interfere with the computer's operations in various ways. For malware which are able to infect (i.e. viruses), even if they only spread and not cause damage to files or the computer system, they still are harmful in that they take up hard disk and memory space and they reduce the computer’s overall system performance. And the more sophisticated forms of malware may even be able to take control of a computer system or of a network thereby compromising security. But Malware payload is also limited to what software programs can do. Their payload cannot possibly damage hardware. Malware will not burn out your CPU or cause a meltdown in your hard drive. Warnings about Malware that will physically destroy your computer are hoaxes, not legitimate.
• #7: How do viruses and other forms of malware spread? Viruses are potentially destructive software that spread from program to program, from disk to disk, and from document to document. Previously, viruses spread mainly through floppy disks and they only infect programs and boot sectors. Nowadays, even document files are vulnerable to viruses. Viruses and other forms of malware are now also able to spread over networks and over the Internet. The Internet has introduced new distribution mechanisms for them which were not available before. And with email used as an important business communication tool, viruses and other forms of malware are spreading faster than ever.
• #9: Virus Characteristics (Direct-Action vs. Memory-Resident) Viruses can be either direct-action or memory-resident. A direct-action virus selects one or more programs to infect each time a program infected by it is executed. A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when they are executed or when other conditions are fulfilled. Direct-action viruses are also sometimes referred to an non-resident viruses. The advantage of a direct-action virus is that it automatically infects a couple of programs at the time a program infected by it is executed. The disadvantage is that it is limited in the number of programs it infects since it will take too long if a lot of programs are infected at one time and the user will most likely notice the delay. The advantage of a memory-resident virus over a direct-action virus is that it can infect as many files as possible long after it has first executed (as long at it is still resident in memory). The disadvantage is that it will not infect files automatically when it is first executed and the user may turn off the system immediately afterwards or will not be able to trigger the conditions required and no programs may be infected.
• #10: Other Virus Characteristics Aside from being either a direct-infected or memory-resident, viruses may also apply either or both of the following characteristics or techniques to enhance their chances of spreading: Stealth Some viruses will go to great lengths to hide their infections from normal users and even anti-virus products. This is usually achieved by staying resident in memory and monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Polymorphic To make it difficult for some virus-scanners, some viruses will employ some strategies that produce varied but operational copies of themselves. A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus. A scan string-driven virus scanner would have to exploit several scan strings (one for each possible decryption method) to reliably identify a virus of this kind. More sophisticated polymorphic viruses vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g. a NOP instruction or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, scan string-based virus scanner would not be able to reliably identify all variants of this sort of virus; rather, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.
• #12: Classification of Malware The more commonly encountered forms of malware are viruses and Trojans. But viruses and Trojans are only a subset of the possible classification of malware a computer user may come across. Other forms of malware include worms, joke programs, and malware droppers. Let’s go over each classification in detail.
• #14: Trojan Horse Programs A Trojan Horse is a destructive program that comes concealed in software that not only appears harmless, but is also particularly attractive to the unsuspecting user (such as a game or a graphics application). Trojans are non-replicating malware, they do not replicate by themselves and they rely on the user to send out copies of the Trojan to others. They sometimes achieve this by hiding themselves inside desirable software (i.e. computer games or graphics software) which novice users oftentimes forward to other users. Because a Trojan horse does not replicate, it cannot be disinfected since it is not attached to a host program. To get rid of the Trojan malware, simply delete the program.
• #15: Many people don't know what a Trojan is. They think that when they run an executable and nothing happened because their computer is still working and all the data is there, and if it was a virus their data will be damaged and their computer will stop working.  Well, unbeknownst to them and if it is a Trojan, someone may already be… downloading and uploading files on their computer reading all of their IRC logs and learning interesting things about them and their friends. reading their ICQ messages. stealing information such as credit card numbers, username and passwords, etc.. and worst…deleting their files, formatting their hard drive. Well, these are just but a few examples of how dangerous a Trojan can be. The maliciousness of the action is only limited to the imagination of the perpetrator and capability of the Trojan used.
• #17: Worms A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. Unlike viruses, worms do not need to attach themselves to host programs.
• #18: Checking for Trojans and Worms Trojans and Worms may be operating either in the DOS or Windows environment. Therefore, checking them and determining their symptoms may be similar to those for DOS and Windows viruses. As with other forms of malware, there may be some noticeable slowdown or unusual behavior in the system if a Trojan or computer worm is active. Sometimes, intermittent errors occur which were not happening previously. Some of these malware are also capable of residing in memory and we could oftentimes determine if they are already active by checking the Task Manager (or any similar tool that is applicable to the environment used) for any unusual tasks. Moreover, they may additionally modify the Windows Registry and/or other configuration (i.e: *.ini, *.dat, etc.) files in the system. Nowadays, some created Trojans and computer worms have email spamming capabilities. It would be wise to check the Sent Items for any unusual emails if you suspect your system to have an email-enabled malware.
• #20: Joke Programs Joke programs are ordinary executable programs. They are the digital equivalent of the old fashioned prank. These novelty programs are designed for humor at the expense of other users. They neither infect other programs nor replicate, and normally do not interfere with computer systems on their own. As with all jokes, the problem with these e-pranks is in how they are received by their victims. Just as a joke could unexpectedly provoke a person to violence, joke programs can cause a computer user, especially a novice one, to act rashly. Like turning off the computer to stop the joke -- and in the process, losing all unsaved files in other programs. Joke programs cannot spread unless someone deliberately distributes them. To get rid of a Joke program, simply delete the file from your system.
• #21: Joke Programs Since joke programs are ordinary something wrong is happening in his or her computer. After the joke program has finished, the computer is back to what it used to be and nothing wrong really happened to the computer. executable programs, they will not infect other programs nor will they do any damage to the computer system directly. Most of the joke programs are meant to annoy or make fun of the user. Sometimes, they may be difficult to halt or terminate and some would temporarily reconfigure the mouse, keyboard, or some other devices. Joke programs will commonly come in a software that fools the user into thinking that
• #23: Virus or Malware Droppers These are programs that will install a virus, a Trojan, or some other malware in a computer system. They are usually created to provide an easy way to start infecting a system. Some of these droppers are actually virus construction software which allow novice programmers to create viruses. If a suspected software is thought to be a dropper program, look for any dropped file or program after the suspected software is executed. If a dropped file or program is found, check if it malicious by using the techniques available for inspecting the different types of malware.
• #25: Backdoors A backdoor is a program that opens secret access to systems, and is often used to bypass security. A backdoor is usually installed in a system by worms, Trojans, or viruses. When this backdoor is installed, it allows a hacker to have a remote access to that infected computer. Backdoors are specific types of Trojans and they are sometimes referred to as the Remote Access Trojans. Basically, backdoors are divided in two components: 1. The Server part – this is the backdoor Trojan installed in the target computer. It enables the hacker to gain access to the infected computer. 2. The Client part – this is the actual program used by a hacker to connect to the server part installed on the target computer. This is where the hacker issues its commands or requests to the server program.
• #26: Backdoors Once a backdoor Trojan is installed in a certain computer, a hacker can do just about anything to that computer. These are some of the things these backdoors are capable of: 1. Log keystrokes 2. Edit or delete files and folders 3. Edit the registry 4. Sends out confidential information such as password to the hacker 5. Run programs on the host or target machine 6. Restarts or shuts down the computer 7. Capture screens 8. Browse and sends out files to the hacker 9. Changes computer settings such as wallpaper 10.Kills or disables running programs.