
Computer Virus
Submitted by:
Babasa, Maria Cecilia Beatriz
Dakay, Princess Dianne
Gonzaga, Khareen
Miranda, Angelo Marco
(Group 8)

II – BSITE

Submitted to:
Prof. Rosalie Muñoz
COMPUTER VIRUS

A computer virus is a short computer program, hidden within another, that makes copies of itself and spreads
them, disrupting the operation of a computer that receives one.

A virus may be transmitted on diskettes and through networks, on-line services, and the Internet.

Viruses are most easily spread through attachments in e-mail or instant messages, disguised as funny
images, greeting cards, or audio and video files. They also spread through downloads on the Internet, where
they can be hidden in illicit software or other files or programs you might download.

HISTORY OF VIRUS

1986
• The first PC virus was created. Known as the Brain virus, it was written in Pakistan.

1987
• In November, the Lehigh virus was discovered at Lehigh University in the U.S.
• In December, the Jerusalem virus appeared at Hebrew University in Israel.

1988
• In March, the first anti-virus virus was written. It was designed to detect and remove the Brain virus, and it
  immunized disks against Brain infection.
• The Cascade virus was found in Germany.
• Viruses started getting media attention, with articles in magazines like Business Week, Newsweek, Fortune,
  PC Magazine and Time.

1989
• On September 17, the Washington Post reported that a computer virus "that springs to life destructively on
  Friday the 13th is on the loose". The virus was called DataCrime and ended up being blown way out of
  proportion.
• A virus called Dark Avenger introduced a new feature. It was designed to damage a system slowly, so it
  would go unnoticed at first and damaged files would be backed up.
• In October, the Frodo virus turned up in Israel. It was the first full-stealth file infector, designed to damage
  the hard drive if run on or after September 22 of any year.

1990
• Many anti-virus products were introduced, including ones from IBM, McAfee, Digital Dispatch and Iris.
• Viruses combining various characteristics sprang up. They included Polymorphism (involves encrypted
  viruses where the decryption routine code is variable), Armoring (used to prevent anti-virus researchers
  from disassembling a virus) and Multipartite (can infect both programs and boot sectors).

1991
• Symantec released Norton Anti-Virus software.
• In April, the Tequila virus was discovered. It is Stealth, Polymorphic and Multipartite!

1992
• Media mayhem greeted the virus Michelangelo in March.
• Predictions of massive disruptions were made and anti-virus software sales soared. As it turned out, the
  cases of the virus were few and far between.

1993
• The SatanBug virus appeared around Washington DC. The anti-virus industry helped the FBI find the person
  who wrote it - it was a kid.
• Cruncher was considered a "good" virus because it compressed infected programs and gave users more
  disk space.

1994

Babasa, Dakay, Gonzaga, & Miranda


• A virus called Kaos4 was posted on a pornography news group file. It was encoded as text and downloaded
  by a number of users.
• A virus called Pathogen appeared in England. The writer was tracked down by Scotland Yard's Computer
  Crime Unit and convicted.

1995
• Macro viruses appeared. These viruses worked in the MS-Word environment, not DOS.

1996
• Concept, a macro virus, became the most common virus in the world.
• Boza, a weak virus, was the first virus designed for Windows 95.
• Laroux was the first virus to successfully infect Microsoft Excel spreadsheets.

1999
• The Melissa virus, a macro virus, appeared.

2000
• The "I Love You Virus" wreaked havoc around the world. It is transmitted by e-mail and, when opened, is
  automatically sent to everyone in the user's address book.

WHY PEOPLE CREATE COMPUTER VIRUSES

• Boredom
• Curiosity
• Rebellion
• Peer Pressure
• Attracted to the rush of causing damage

GENERAL SYMPTOMS OF A COMPUTER VIRUS

• Computer programs take longer to load than normal.
• The computer's hard drive constantly runs out of free space.
• The floppy disk drive or hard drive runs when you are not using it.
• New files keep appearing on the system and you don't know where they came from.
• Strange sounds or beeping noises come from the computer or keyboard.
• Strange graphics are displayed on your computer monitor.
• Files have strange names you don't recognize.
• You are unable to access the hard drive when booting from the floppy drive.
• Program sizes keep changing.
• Conventional memory is less than it used to be and you can't explain it.
• Programs act erratically.

TYPES OF VIRUS

Boot viruses: A virus that replaces or implants itself in the boot sector - an area of the hard drive (or any other
disk) accessed when you first turn on your computer. This kind of virus can prevent you from being able to boot
your hard disk.

Example 1: FORM

ALIAS: FORM_A
ORIGIN: Switzerland

INFECTION MECHANISM
Unlike most other boot sector viruses, Form infects the DOS boot sector on hard drives instead of the
Master Boot Record.
Form can infect a hard disk only when you try to boot the machine from an infected diskette. At that
point Form infects the boot sector, and from then on it goes resident in high DOS memory during every boot-up
from the hard disk. Once Form is resident in memory, it infects practically all non-write-protected diskettes
used in the machine. Form creates bad sectors on disks it infects.
Form activates on the 18th of any month.

SYMPTOMS
Form infects hard disks as well as floppies, and stores the rest of itself, as well as the original boot sector
on the last track of the hard disk, or in clusters marked as "bad" on a diskette. It contains the following text:
The FORM-Virus sends greetings to everyone who's reading this text.
FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
On the 18th of any month, it will cause a 'click' from the PC speaker every time a key is pressed.
*On most machines this activation routine will not be heard, because the routine will fail if a keyboard driver
(typically keyb.com) is loaded.

SOLUTION
If you have Form on an NTFS partition under NT, you need to repair the boot sector with a separate utility.
A free program called BOOTPART can do this easily with this command:
BOOTPART WINNT BOOT:C:
BOOTPART can be downloaded from ftp://ftp.F-Secure.com/misc/anti-vir/bootpa20.zip

Example 2: MICHELANGELO

INFECTION MECHANISM
When a Michelangelo-infected diskette is placed in the A: drive and the machine is booted, the virus is
loaded into memory from the infected floppy disk.
It then quickly infects the machine by moving the hard disk's original boot sector to another location on the
disk, and installs itself as the boot sector. From then on, any access to another disk spreads the virus to that
disk.
On March 6 of any year this virus will destroy all data on any disk from which the machine is booted. This
occurs by overwriting hard disk sectors 1-17, heads 0-3, tracks 0-255, or the entire diskette with random
characters, thus making recovery questionable at best.

SYMPTOM
CHKDSK reports "total bytes memory" 2048 bytes less than expected

SOLUTION
• A backup prior to eradication will enable full recovery of all user data and programs.


Example 3: DISK KILLER

ALIAS: Ogre
ORIGIN: USA

INFECTION MECHANISM AND SYMPTOMS


A rather nasty virus, which will activate if the computer has been turned on for 48 hours. It will then display
the following messages on the screen:
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989
Warning !! Don't turn off the power or remove the diskette while Disk
Killer is Processing!
PROCESSING
When this appears, it means that the virus has started to encrypt all the data on the hard disk.
When finished, the virus will display this message:
Now you can turn off the power I wish you luck!

SOLUTION
• Start looking for a recovery program; or
• You can of course reformat the disk and restore everything from a backup, but it is not necessary
  because the virus only encrypts everything on the disk, but does not actually destroy anything. At least,
  this seems to have been the intention of the author, but there are a few errors in the encryption code,
  which may make recovery impossible.

Program or File viruses: These infect executable program files, such as those with extensions like .BIN, .COM,
.EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution,
taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.

Example 1: SUNDAY

ALIAS: Sunday.a, Jeru-Sunday

INFECTION MECHANISM AND SYMPTOMS


Files infected by Sunday grow by 1,636 bytes.

On each Sunday the virus displays one of the following messages during 30 minute intervals:
Today is SunDay! Why do you work so hard?
All work and no play make you a dull boy!
Come on! Let's go out and have some fun!
The variant is intended to delete every program as it is run. Software bugs prevent this from happening.

Example 2: CASCADE

ALIAS: BlackJack, Falling Letters

INFECTION MECHANISM AND SYMPTOMS


Cascade is often not detected, because it produces no obvious effects.
In the original version, the virus contained code that was set to "go off" between Oct. 1 and Dec. 31, 1988,
shortly after an infected program is run.
The effect is actually quite amusing - the characters on the screen fall down and end in a heap on the
bottom.

Multipartite viruses: A hybrid of Boot and Program viruses. They infect program files and when the infected
program is executed, these viruses infect the boot record. When you boot the computer next time the virus from
the boot record loads in memory and then starts infecting other program files on disk.

Example 1: INVADER

ALIAS: PlastiqueBoot, Anticad.4096.Mozart

INFECTION MECHANISM
Upon infection, the virus becomes memory resident as a low system memory Terminate-and-Stay
Resident (TSR). The TSR is 5,120 bytes and interrupts 08, 09, 13, and 21 are hooked.
At this time, the virus also infects the boot sector of the drive where the infected file was executed. The
new boot sector is an MS-DOS 3.30 boot sector, and can be easily identified because the normal DOS error
messages found in the boot sector are now at the beginning of the boot sector instead of the end.
Once the virus has become memory resident, any .COM or .EXE file opened is infected by the virus.
Additionally, any non-write protected diskettes which are exposed to the infected system will have their
boot sectors infected.

SYMPTOMS
The Invader virus activates after being memory resident for 30 minutes. At that time, a melody may be
played on the system speaker. On systems which play the melody, it will continue until the system is rebooted.
If the user presses CTL-ALT-DEL to reboot the system, the first track of the system's hard disk will be
overwritten with an unencrypted copy of the virus. The melody isn't played on all systems as it is configuration
dependent. The melody was originally composed by Mozart.

Example 2: FLIP

INFECTION MECHANISM
It attacks not only COM and EXE files but also the hard disk's MBR. When it is installed into memory, it finds
the original addresses of the interrupt services by means of tunneling, and attacks the MBR. Before the virus
writes its body, it encrypts it, always using a different decryptor.

SYMPTOMS
The virus presents itself as follows: on the second day of a month, after 4 o'clock in the afternoon, it
turns the contents of the screen upside down around an imaginary centre, so that the first line becomes
the last one; at the same time everything from the right side is moved to the left side.
When infecting the MBR, the virus has difficulties with disks of capacity higher than 32 MB (at the time of its
origin, disks like that were rare); while manipulating the partition table it can reduce their size below 32 MB.

Example 3: TEQUILA

ALIAS: Stealth
ORIGIN: Switzerland

INFECTION MECHANISM
Tequila is a memory resident, encrypting, stealth, multi-partite virus. It infects Master Boot Record (MBR)
and .EXE files. Tequila uses a complex encryption method and garbling to avoid disassembly and detection.
Upon infection, the virus writes an unencrypted copy of itself to the last six sectors of the system hard disk,
and modifies the hard disk MBR so that it is infectious. Tequila does not become memory resident at this
time, and does not infect files at this time.
Later, when the system is rebooted from the system hard disk, Tequila becomes memory resident. It is
located at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved,
preventing the virus from being overwritten in memory. Interrupts 13 and 21 are hooked by the virus.


SYMPTOMS
Tequila activates four months after the initial date of infection of the system hard disk. At that time, and
every month thereafter on the anniversary date, the virus displays a graphic and the following message:
"Execute: mov ax, FE03 / int 21.Key to go on!"
If the user executes a file containing this sequence of instructions, the following message which is found
on the last sectors of the system hard disk is displayed.
"... T.TEQUILA's latest production. Contact T.TEQUILA/P.o.Box 543/6312
St'hausen Switzerland. Loving thought to L.I.N.D.A. BEER and TEQUILA
forever !"
Systems infected with Tequila have file allocation errors detected with the DOS CHKDSK command when
the virus is memory resident. If CHKDSK is executed with the /F option, file corruption may result.
Total system memory and available free memory decrease by 3,072 bytes. Infected .EXE files increase in
size by 2,468 bytes, but this increase is hidden when the virus is memory resident (Stealth techniques). The
virus is located at the end of infected files. The infected file's date and time in the disk directory are not altered.

Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head
to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s
size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus
subtracts the same number of bytes (9216) from the size given in the directory.

Example 1: FRODO

INFECTION MECHANISM
The virus has a very odd way of finding out whether a file it intends to attack is executable: it
computes a checksum of the file extension. As a side effect, the virus can also attack files with
other extensions (e.g. *.MEM, *.BMP, *.LOG, *.TBL, *.PIF). When the virus successfully attacks a file, it
marks it by increasing the year of origin by 100 and setting the seconds to a nonsensical value of 62.
The virus's stealth is almost perfect, but when the CHKDSK program is used while the virus is present in
memory, CHKDSK detects a disagreement between the number of memory blocks allocated
for the infected file and its length. The virus restores the original length of the file as well as the original time
and date of origin. When the file is opened the virus disinfects it, and when the file is closed, the virus attacks
it again.

SYMPTOM
After September 22 the virus writes a code into hard disc MBR. This code should display the following text
on the monitor:
FRODO LIVES!
(The text should be surrounded by moving rectangles.)
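
The two marks Frodo leaves in a directory entry (year raised by 100, seconds set to 62) can be checked offline, as in this added Python example, which is not part of the original report. It assumes the standard 32-byte FAT12/16 directory entry layout and a raw directory region taken from a disk image or read after booting from clean media, since the resident virus restores the original time and date; the sample entries and the names parse_directory, frodo_markers and scan are constructed for illustration.

```python
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32                  # size of one FAT12/16 directory entry
# name, extension, attributes, reserved, time, date, first cluster, size
ENTRY_FMT = "<8s3sB10sHHHI"


@dataclass
class DirEntry:
    name: str
    year: int
    second: int
    size: int


def parse_directory(raw: bytes) -> list:
    """Decode short-name entries from a raw FAT directory region."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        name, ext, attr, _, time_w, date_w, _, size = struct.unpack_from(ENTRY_FMT, raw, off)
        if name[0] == 0x00:                      # no further entries in this directory
            break
        if name[0] == 0xE5 or attr & 0x08:       # deleted entry, volume label or long-name slot
            continue
        base = name.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        entries.append(DirEntry(
            name=f"{base}.{suffix}" if suffix else base,
            year=1980 + (date_w >> 9),           # 7-bit year counted from 1980
            second=(time_w & 0x1F) * 2,          # 5-bit field in 2-second units
            size=size,
        ))
    return entries


def frodo_markers(entry: DirEntry, reference_year: int) -> list:
    """Return the reasons an entry matches the marking described above."""
    reasons = []
    if entry.second == 62:                       # valid timestamps decode to 0..58
        reasons.append("seconds field decodes to 62")
    if entry.year > reference_year and entry.year - 100 >= 1980:
        reasons.append(f"year {entry.year} lies in the future and fits a date shifted by 100")
    return reasons


def scan(raw: bytes, reference_year: int) -> dict:
    """Map file name -> reasons for every entry carrying at least one marker."""
    hits = {}
    for entry in parse_directory(raw):
        reasons = frodo_markers(entry, reference_year)
        if reasons:
            hits[entry.name] = reasons
    return hits


def make_entry(name, ext, year, sec_field, size, attr=0x20):
    """Build one constructed directory entry (12:30 on 1 October of `year`)."""
    time_w = (12 << 11) | (30 << 5) | sec_field
    date_w = ((year - 1980) << 9) | (10 << 5) | 1
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, b"\x00" * 10, time_w, date_w, 2, size)


# Constructed sample directory: one clean file, one deleted entry, two marked
# files (one with a non-executable extension), the end marker, and stale data.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 1989, 15, 25307),
    b"\xE5" + make_entry("OLD", "TXT", 1989, 0, 10)[1:],
    make_entry("REPORT", "EXE", 2089, 31, 16384),
    make_entry("NOTES", "LOG", 2090, 31, 5000),
    b"\x00" * ENTRY_SIZE,
    make_entry("AFTEREND", "EXE", 2089, 31, 1),
])

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_DIR, reference_year=2024).items():
        print(name, "->", "; ".join(reasons))
```
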


Example 2: JOSHI

ALIAS: Happy Birthday Joshi, Stealth virus


ORIGIN: India

INFECTION MECHANISM
After a system has been booted from a Joshi-infected diskette, the virus will be resident in memory. Joshi
takes up approximately 6K of system memory, and infected systems will show that total system memory is 6K
less than is installed if the DOS CHKDSK program is run.

SYMPTOMS
On January 5th of any year, the Joshi virus activates. At that time, the virus will hang the system while
displaying the message:
"type Happy Birthday Joshi"
If the system user then types "Happy Birthday Joshi", the system will again be usable.
Systems infected with Joshi may experience problems when attempting to access programs or data files
on write-protected diskettes.

DETECTION
This virus may be recognized on infected systems by powering off the system and then booting from a
known-clean, write-protected DOS diskette. Using a sector editor or viewer to look at the boot sector of
suspect diskettes, if the first two bytes of the boot sector are hex EB 1F, then the disk is infected. The EB 1F
is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 40, sectors 1
through 5 on 360K 5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 80,
sectors 1 through 5. It will also be located on the last track of 3.5" diskettes.
To determine if a system's hard disk is infected, you must look at the hard disk's master boot sector. If the
first two bytes of the master boot sector are EB 1F hex, then the hard disk is infected. The remainder of the
virus can be found at cylinder 0, side 0, sectors 2 through 6. The original master boot sector will be located at
cylinder 0, side 0, sector 9.

SOLUTION
The Joshi virus can be manually removed from an infected system by first powering off the system, and
then booting from a known-clean, write-protected master DOS diskette. If the system has a hard disk, the
hard disk should have data and program files backed up, and the original master boot sector copied back to
cylinder 0, side 0, sector 1 from sector 9. Joshi is easier to remove from diskettes: the DOS SYS command
can be used. There are also several disinfector programs available.
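
The hard disk check and repair described under DETECTION and SOLUTION, applied to a raw disk image instead of a sector editor, as an added Python example that is not part of the original report. It assumes a 512-byte sector size and a working copy of the image; the function names and the sample image are constructed, and the 55 AA test on the stashed sector is an extra sanity check that the page does not mention.

```python
SECTOR = 512
JOSHI_JUMP = b"\xEB\x1F"        # first two bytes named in the DETECTION section
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid master boot sector


def chs_sector(image: bytes, sector: int) -> bytes:
    """Return sector `sector` (1-based) of cylinder 0, side 0.

    On cylinder 0, side 0 the byte offset is (sector - 1) * 512 whatever the
    disk geometry, so the locations given for the hard disk need no geometry.
    """
    start = (sector - 1) * SECTOR
    data = image[start:start + SECTOR]
    if len(data) != SECTOR:
        raise ValueError(f"image too short to contain sector {sector}")
    return data


def inspect_hard_disk(image: bytes) -> dict:
    """Apply the two-byte test to sector 1 and sanity-check the copy in sector 9."""
    mbr = chs_sector(image, 1)
    stash = chs_sector(image, 9)
    return {
        "infected": mbr[:2] == JOSHI_JUMP,
        "stash_looks_like_mbr": stash[510:] == BOOT_SIGNATURE and stash[:2] != JOSHI_JUMP,
    }


def restore_master_boot_sector(image: bytes) -> bytes:
    """Return a copy of the image with sector 9 copied back over sector 1."""
    report = inspect_hard_disk(image)
    if not report["infected"]:
        raise ValueError("sector 1 does not start with EB 1F; nothing to restore")
    if not report["stash_looks_like_mbr"]:
        raise ValueError("sector 9 does not end in 55 AA; refusing to copy it back")
    return chs_sector(image, 9) + image[SECTOR:]


def build_sample_image():
    """Constructed 17-sector image laid out as the page describes (filler bytes only)."""
    original = b"\xFA\x33\xC0" + b"\x00" * 507 + BOOT_SIGNATURE   # stand-in for the real MBR
    infected_mbr = JOSHI_JUMP + b"\x90" * 510                     # sector 1
    body = b"\xCC" * (SECTOR * 5)                                 # sectors 2 through 6
    gap = b"\x00" * (SECTOR * 2)                                  # sectors 7 and 8
    rest = b"\x00" * (SECTOR * 8)
    return infected_mbr + body + gap + original + rest, original


if __name__ == "__main__":
    image, _ = build_sample_image()
    print("before:", inspect_hard_disk(image))
    print("after: ", inspect_hard_disk(restore_master_boot_sector(image)))
```
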

Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each
infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101

Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or
template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects
the Normal template (Normal.dot)-a general purpose file that stores default document formatting settings. Every
document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus
attaches itself to documents, the infection can spread if such documents are opened on other computers.


Example 1: MELISSA

INFECTION MECHANISM AND SYMPTOMS


The Melissa macro virus propagates in the form of an email message containing an infected Word
document as an attachment. The transport message has most frequently been reported to contain the
following Subject header
Subject: Important Message From <name>
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two sections. The first section of the
message (Content-Type: text/plain) contains the following text.
Here is that document you asked for ... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially reported to be a document called
"list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are
likely to see documents with other names. In fact, under certain conditions the virus may generate
attachments with documents created by the victim.
When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is
immediately executed if macros are enabled.
Upon execution, the virus first lowers the macro security settings to permit all macros to run when
documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the
future.
The macro then checks to see if the registry key
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo",
the virus proceeds to propagate itself by sending an email message in the format described above to the first
50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro. Keep in
mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the
mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed;
however, Outlook does not need to be the mailer used to read the message.
This virus can not send mail on systems running MacOS; however, the virus can be stored on MacOS.
Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes
the virus to only propagate once per session. If the registry key does not persist through sessions, the virus
will propagate as described above once per every session when a user opens an infected document. If the
registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user
opens an infected document.
The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot
template; thus, any newly created Word document will be infected. Because unpatched versions of Word97
may trust macros in templates the virus may execute without warning.
Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the
current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for using all
my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros disabled and look at the list of macros in this
document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You can see the code by going into the
Visual Basic editor.

Users who open an infected document in Word97 or Word2000 with macros enabled will infect the
Normal.dot template causing any documents referencing this template to be infected with this macro virus. If
the infected document is opened by another user, the document, including the macro virus, will propagate.
Note that this could cause the user's document to be propagated instead of the original document, and
thereby leak sensitive information.
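
A mail-filter check for the transport message described above, as an added Python example that is not part of the original report. It matches on the Subject format, the text/plain body line and the presence of an application/msword part, and deliberately ignores the attachment file name because the page notes it can vary; the addresses, sample messages and function names are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^Important Message From \S.*$")
BODY_PHRASE = "Here is that document you asked for"
ALL_INDICATORS = {"subject", "body", "msword-attachment"}


def melissa_indicators(raw: bytes) -> set:
    """Return which of the three message traits from the description are present."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.add("subject")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.is_attachment():
            if BODY_PHRASE in part.get_content():
                hits.add("body")
        elif ctype == "application/msword":
            hits.add("msword-attachment")
    return hits


def looks_like_melissa(raw: bytes) -> bool:
    """Flag only when subject, body text and a Word attachment all match."""
    return melissa_indicators(raw) == ALL_INDICATORS


def build_message(subject: str, body: str, attachment_name=None) -> bytes:
    """Build a constructed test message; the attachment is placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed placeholder, not a real document",
                           maintype="application", subtype="msword",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one message in the described format (with a file name
# other than list.doc), and two ordinary messages that share a single trait.
SUSPECT = build_message("Important Message From Pat Example",
                        "Here is that document you asked for ... don't show anyone else ;-)",
                        "quarterly.doc")
SAME_SUBJECT_ONLY = build_message("Important Message From Pat Example",
                                  "The meeting has moved to 3 pm.")
WORD_ATTACHMENT_ONLY = build_message("Minutes from Tuesday",
                                     "Minutes attached.", "minutes.doc")

if __name__ == "__main__":
    for label, raw in [("suspect", SUSPECT), ("same subject", SAME_SUBJECT_ONLY),
                       ("word attachment", WORD_ATTACHMENT_ONLY)]:
        print(label, sorted(melissa_indicators(raw)), looks_like_melissa(raw))
```
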


Trojan horses: A Trojan horse is simply a computer program. The program claims to do one thing (it may claim
to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way
to replicate automatically.

Example 1: AIDS

ALIAS: Aids Info Disk or PC Cyborg Trojan


ORIGIN: USA

INFECTION MECHANISM AND SYMPTOMS


• A trojan horse that replaces the AUTOEXEC.BAT file, which would then be used by AIDS to count the
  number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and
  encrypts the names of all files on drive C: (rendering the system unusable), at which time the user is
  asked to 'renew the license' and contact PC Cyborg Corporation for payment (which would involve
  sending 378 US$ to a post office box in Panama). There exists more than one version of AIDS, and at
  least one version does not wait to munge drive C:, but will hide directories and encrypt file names upon the
  first boot after AIDS is installed. The AIDS software also presented to the user an interesting EULA, some
  of which read:
If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation
in full for the cost of leasing these programs...
In the case of your breach of this license agreement, PC Cyborg reserves
the right to take legal action necessary to recover any outstanding
debts payable to PC Cyborg Corporation and to use program mechanisms to
ensure termination of your use...
These program mechanisms will adversely affect other program
applications...
You are hereby advised of the most serious consequences of your failure
to abide by the terms of this license agreement; your conscience may
haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others...

Worms: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A
copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the
new machine using the security hole, and then starts replicating from there, as well.


Example 1: “ILOVEYOU”

ALIAS: WormLoveLetter, Love Bug

INFECTION MECHANISM AND SYMPTOMS


This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:
Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"
(*Note that other threats use similar filenames, such as W95/MTX.gen@M which uses the filename
LOVE-LETTER-FOR-YOU.TXT.pif)
If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not
normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.
When the worm is first run it drops copies of itself and writes an .HTM file in the following places:
WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
It also adds the registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs
in order to run the worm at system startup.
This worm searches all drives connected to the host system and replaces the following files: *.JPG,
*.JPEG with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be
replaced with PICT.JPG.VBS and this would contain the worm.
The worm also overwrites the following files: *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.HTA with
copies of itself and renames the files to *.VBS.
This virus locates instances of the following file types: *.MP3 and *.MP2 and if found, makes them hidden
and copies itself as these filenames except with .VBS extension. For instance, if file exists as "2PAC.MP3",
this now becomes a hidden file and the virus is copied as "2PAC.MP3.VBS".
The worm creates a file 'LOVE-LETTER-FOR-YOU.HTM' which contains the worm and this is then sent to
the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file
SCRIPT.INI.
After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address
book. The mails will be of the same format as the original mail.
This worm also has another trick up its sleeve in that it tries to download and install an executable file
called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any
cached passwords to the mail address MAILME@SUPER.NET.PH
In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point
to the web-page containing the password stealing trojan.
The email sent by this program is as follows:
-------------copy of email sent-----------
From: [victim machine name]@[victim IP address]
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]


Cache Passwords:...[victim password info]


-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to autorun at system startup. After it has been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE
This virus will run if Windows Scripting Host is installed. Running the e-mail attachment, whether
accidentally or intentionally, installs the worm on the local system and on all available drives, and sends it
onward as an e-mail attachment and, if mIRC is installed, via IRC.
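
A triage sweep for the file and registry traces listed above, as an added Python example that is not part of the original report. It works on a file listing and an exported set of Run value names rather than a live system; the sample paths, the sample Run values and the function names are constructed, and scripts the worm overwrote in place (*.VBS and the like) cannot be recognised by name alone.

```python
import ntpath

# File names the description says the worm or its downloaded trojan creates.
DROPPED_NAMES = {
    "MSKERNEL32.VBS", "WIN32DLL.VBS", "LOVE-LETTER-FOR-YOU.TXT.VBS",
    "LOVE-LETTER-FOR-YOU.HTM", "WIN-BUGSFIX.EXE", "WINFAT32.EXE",
}
REPLACED_EXTS = {".JPG", ".JPEG"}     # original replaced by NAME.EXT.VBS
SHADOWED_EXTS = {".MP3", ".MP2"}      # original hidden, NAME.EXT.VBS added
RUN_VALUE_NAMES = {"MSKERNEL32", "WIN32DLL", "WIN-BUGSFIX", "WINFAT32"}


def classify_listing(paths: list) -> dict:
    """Map each suspicious path to the trace it matches."""
    present = {p.upper() for p in paths}
    findings = {}
    for path in paths:
        upper = path.upper()
        name = ntpath.basename(upper)
        stem, ext = ntpath.splitext(upper)       # e.g. ...\PICT.JPG and .VBS
        inner_ext = ntpath.splitext(stem)[1]     # e.g. .JPG
        if name in DROPPED_NAMES:
            findings[path] = "file name listed in the description"
        elif ext == ".VBS" and inner_ext in REPLACED_EXTS:
            findings[path] = "image replaced by a .VBS copy"
        elif ext == ".VBS" and inner_ext in SHADOWED_EXTS:
            state = "original still present" if stem in present else "original missing"
            findings[path] = f"audio file shadowed by a .VBS copy ({state})"
    return findings


def run_value_hits(run_values: dict) -> list:
    """Return the Run/RunServices value names that match the description."""
    return sorted(n for n in run_values if n.upper() in RUN_VALUE_NAMES)


# Constructed listing and Run values for illustration only.
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\WINDOWS\WIN32DLL.VBS",
    r"C:\PHOTOS\PICT.JPG.VBS",
    r"C:\MUSIC\2PAC.MP3",
    r"C:\MUSIC\2PAC.MP3.VBS",
    r"C:\SCRIPTS\BACKUP.VBS",
    r"C:\DOCS\REPORT.TXT",
]
SAMPLE_RUN_VALUES = {
    "MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    "WinFAT32": "WinFAT32.EXE",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}

if __name__ == "__main__":
    for path, why in classify_listing(SAMPLE_LISTING).items():
        print(f"{path}: {why}")
    print("Run values:", run_value_hits(SAMPLE_RUN_VALUES))
```
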

Hoaxes: The virus hoax sends out fake warnings rather than real viruses. They do a great deal of damage to the
Internet as a whole. Not only do they slow down traffic and clog up email servers, but they also cause people to
panic.

Example 1: “WINDOWS 2000 UPDATE” HOAX

THIS IS THE ORIGINAL HOAX MESSAGE:

Date: Tuesday, August 03, 1999 8:39 PM


Subject: Fw: This is real

I called Microsoft and this is for real. They are mailing me a Y2K update CD which is not available on the Web.
Paul B.
----------

You may or may not need these numbers, but pass it on to people who do!

Windows 95 and 98 both need CD's to ready them for y2k. I called the numbers and it's TRUE.

For no charge they mail you what is needed....the MS lady told me it makes them MORE y2k compliant or
something like that....so I sent for one for my neighbor too, they don't mind sending more than 1 in a package.
Here is the info. she sent me below:

Notice to anyone running Windows 98 - it is NOT year 2000 compliant. Call Microsoft at 1-888-219-1302 to
order the upgrade on CD-ROM. [Windows 95 see below]

When you call, do not use the digital telephone number access. STAY on the line until the recording is done,
and you'll get an operator to take your order..

Tell them you want "Windows 98 Year 2000 Update" on CD-ROM..

It IS free and there is no charge whatsoever for the CD or the shipping..

If you are using Windows 95 you must call 1-888-673-8925, option # 4 for 2000 update, which is free.


Example 2: 'Y2K COMPUTER CLOCK BUG FIX' HOAX

THERE APPEARED A HOAX MESSAGE ABOUT A QUICK Y2K FIX. IT IS IMPOSSIBLE TO MAKE A COMPUTER Y2K COMPLIANT
BY JUST MODIFYING SOME SETTINGS IN WINDOWS. HERE'S WHAT THE HOAX MESSAGE LOOKS LIKE:

Hey all,
If you haven't heard of this, you need to do it. It is simple and quick. Send it to everyone else you know.

Best regards, Bill Snyder-Computer Guru


Y2K Computer Clock Bug Fix

I received this and checked my computer and found it to be set up to fail. I recommend you check and fix your
computers. If you are running Windows, this is a fix for a small Y2K problem almost everyone should do. After
running this quick little test, much to my surprise, I learned that my computer would have failed on 01-01-2000
due to a computer clock glitch.

Fortunately, a quick fix is provided, should your computer fail the test. I submit the following for your
consideration:

TEST
1. Double click on "My Computer".
2. Double click on "Control Panel".
3. Double click on "Regional Settings" icon.
4. Click on the "Date" tab at the top of the page.
5. Where it says, "Short Date Sample", look and see if it shows a "two digit" year. Of course it does. That's the
default setting for Windows 95, Windows 98 and NT. This date RIGHT HERE is the date that feeds application
software and WILL NOT rollover in the year 2000. It will roll over to 00.

NOW TO FIX IT :
6. Click the drop-down arrow to the right of "Short Date Style"
7. Select the option mm/dd/yyyy. (Be sure your selection has four Y's, not two)
8. Click "OK"

Easy enough to fix. However, every single installation of Windows worldwide is defaulted to fail Y2K rollover.
Makes you wonder. Please feel free to pass this on to your friends and associates.


Example 3: THE TERRORIST HALLOWEEN MALL THREAT HOAX

THIS VERSION IS CURRENTLY THE MOST COMMON FORM OF THIS HOAX:

Hi All -

I think you all know that I don't send out hoaxes and don't do the reactionary thing and send out anything that
crosses my path. This one, however, is a friend of a friend and I've given it enough credibility in my mind that
I'm writing it up and sending it out to all of you. My friend's friend was dating a guy from Afghanistan up until a
month ago. She had a date with him around 9/6 and was stood up. She was understandably upset and went
to his home to find it completely emptied. On 9/10, she received a letter from her boyfriend explaining that he
wished he could tell her why he had left and that he was sorry it had to be like that. The part worth mentioning
is that he BEGGED her not to get on any commercial airlines on 9/11 and to not to
go any malls on Halloween. As soon as everything happened on the 11th, she called the FBI and has since
turned over the letter.

This is not an email that I've received and decided to pass on. This came from a phone conversation with a
long-time friend of mine last night. I may be wrong, and I hope I am. However, with one of his warnings being
correct and devastating, I'm not willing to take the chance on the second and wanted to make sure that people
I cared about had the same information that I did..

__________________________________

FURTHER VERSIONS

My friend Colleen arrived for a facial when FBI agents were leaving Murad on Sunday, October 7, 2001. They
were there to interrogate a girl who worked there to find out if she knew anything. The reason for their lead
was she was best-friends with a girl who was dating an Arab man, who disappeared and was involved in the
terrorist attacks on the WTC. He disappeared this summer and left her a note, saying the following in the
effect of: "I have to go away and will not be able to see you again. Please do me a favor and do not fly in any
planes on September 11, 2001 nor shop at any shopping malls on October 31, 2001 ......... "

Don't know about you but I live across the street from a shopping mall, and my in-laws do too. Given my
daughter is usually at their house on a Wednesday afternoon, right near the mall, am thinking of where else to
go.

Halloween may not be so Happy.

Please send this to anyone that you know. Let's hope this isn't for real, but since it was actually left in a letter
to a loved one from one of the people involved in the attacks of September 11, 2001, I am not taking it too
lightly

ActiveX: ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to
configure their web browser to enable or disable functions such as playing sound or video, and so, by
default, they leave a big hole in their security by allowing applets free run of their machine. There has been a lot
of commotion about this, and given the amount of power that Java imparts, things look a bit gloomy from the
security angle.

Spyware: Spyware consists of programs, cookies, or registry entries that track your activity and send that data off to
someone who collects it for their own purposes. Usually, those people are marketing companies trying to
collect information to help them sell better.
Spyware is usually installed quietly, or even secretly, when you install shareware applications.
Many people feel that spyware is a violation of their privacy.

Excessive spyware programs can slow down your Internet connection by filling the line with their traffic. They
can also slow down your computer by using up available RAM and CPU cycles.

Example 1: CoolWebSearch

INFECTION MECHANISM AND SYMPTOMS


CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities.
The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they
display pop-up ads, rewrite search engine results, and alter the infected computer's hosts file to direct DNS
lookups to these sites.

Example 2: DyFuCa

INFECTION MECHANISM AND SYMPTOMS


Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When
users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because
password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors,
Internet Optimizer makes it impossible for the user to access password-protected sites.

Example 3: 180 SOLUTIONS

INFECTION MECHANISM AND SYMPTOMS


180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also
alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make
unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of
competing companies.

Example 4: HUNTBAR

INFECTION MECHANISM AND SYMPTOMS


HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic
Syndicate. It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by
other spyware programs—an example of how spyware can install more spyware. These programs add
toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display
advertisements.

VIRUS PREVENTION
There are several things you can do to help protect your computer against viruses:
• Anti-Virus Software - If you don't have an anti-virus software program, invest in one.
• Scan Your Computer on a Regular Basis - Scan your system with anti-virus software regularly.
• Update Your Anti-Virus Software on a Regular Basis - Keep your anti-virus software up to date. Do this
at least weekly and more often if there are news reports of a new virus threat.
• Backup - Back up your files on a regular basis. Always maintain copies of files you can't do without, just in
case your computer gets infected and crashes.
• Turn off E-Mail Preview - Turn off the preview function if your e-mail software has one.
• Scan Floppy Disks - Scan floppy disks from other computers with anti-virus software before you use the
disk. Simply place the disk in your floppy drive and run the anti-virus software program. If a virus is found,
most programs will give you several choices about what to do, such as removing the virus, doing nothing, or
deleting the file that contains the virus.
• Protect Your Floppy Disks - Write-protect any floppy disk you place into another computer. If the other
computer has a boot sector virus, the write-protect on the disk will prevent it from becoming infected with
the virus.
• Scan Downloaded Files - Scan downloaded Internet files with anti-virus software before you use or run
them.
• Scan All E-Mail Attachments - If you receive an attachment you need to view, scan it with anti-virus
software before you open it.
• Beware of E-Mail Attachments from Unknown Sources - If you receive an unexpected attachment from
an unknown source, delete it. Never open attachments for files that end in .vbs (Visual Basic Script) or .js
(JavaScript). Viruses often travel in these types of files.
• Be Alert - Pay attention to news about virus alerts. You might want to subscribe to a virus alert e-mail
notice from one of the anti-virus software makers.
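The attachment rule in the list above can be applied mechanically before a message is opened. This is an added example, not part of the original report: it flags attachments whose final extension is .vbs or .js, including names that hide the script extension behind a harmless-looking one. The sample message and file names are constructed.

```python
import os
from email.message import EmailMessage

RISKY_EXTENSIONS = {".vbs", ".js"}   # the two script types named in the list above


def classify(filename):
    """Return a reason string if the attachment name ends in a script extension."""
    # Windows ignores trailing dots and spaces, so "x.vbs. " still opens as x.vbs.
    clean = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(clean)
    if ext not in RISKY_EXTENSIONS:
        return None
    decoy = os.path.splitext(stem)[1]     # e.g. ".jpg" in "card.jpg.vbs"
    return f"script file disguised as {decoy}" if decoy else "script file"


def risky_attachments(msg):
    """List (filename, reason) for each attachment that should not be opened."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify(name)
        if reason:
            hits.append((name, reason))
    return hits


def build_sample():
    """Constructed message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Greeting card"
    msg.set_content("Constructed sample body.")
    for name in ("card.jpg.vbs", "notes.txt", "Report.JS", "photo.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"{name}: {reason}")
```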

