
PART A: Introduction and Background

d. Virus - A virus is maliciously written code that replicates itself. It may damage hardware, software, or information files. By definition, human interaction is necessary for a virus to spread to another user's files. New viruses are discovered daily. Most viruses exist simply to replicate themselves. Others can do serious damage such as erasing files or even rendering the computer itself inoperable. Many viruses do a large amount of damage by infecting another program, boot sector, partition sector, or a document that supports macros, inserting themselves into or attaching themselves to that medium.

Worm - A worm is similar to a virus. A worm is designed to copy itself from one computer to another, but it does so automatically (perhaps over a network) by taking control of features on the computer that can transport files or information. This often occurs without any human action. Worms are very effective at using e-mail systems and address books to spread. They replicate themselves like viruses, but do not alter files the way that viruses do. The main difference is that worms reside in memory and usually remain unnoticed until their effects become apparent, obnoxious, or overwhelming. A worm may arrive in the form of a joke program or software of some sort, or by copying itself using email or another transport mechanism. A great danger of worms is their ability to replicate in great volume. When new worms are unleashed, they spread very quickly, clogging networks and possibly making you wait twice as long to view Web pages on the Internet. This is called a Denial of Service Attack. The worm may do damage and compromise the security of the computer. Once a worm is in a computer system it can travel alone. Because worms don't need to travel via a "host" program or file, they can tunnel into the system and allow another person to take control of the computer remotely. To protect against a worm, networked users must keep up with operating system patches and updates as well as anti-virus software, and be aware of any suspicious traffic.

Trojan Horse - A Trojan (or Trojan horse) is a malicious program disguised as a normal application. Trojan horse programs do not replicate themselves like a virus, but they can be propagated as attachments to a virus. Trojan horses cause damage or compromise the security of the computer. Trojan horses spread when people are lured into opening a program because they think it comes from a legitimate source. But while it runs, it could be allowing "back door" access to the computer by hackers or destroying files on the hard disk. Often an individual emails a Trojan horse (it does not email itself), and it may arrive in the form of a joke program or software of some sort. A recent Trojan horse came in the form of an e-mail that included attachments claiming to be Microsoft security updates, but turned out to be viruses that attempted to disable antivirus and firewall software. Trojan horses can be included in software that you download for free. Never download software from a source that you don't trust. For protection against a Trojan horse, users must be suspicious of any unknown program and be sure it is safe before running it.

PART B: Technical Review

d. Infection Methods

Recent security threats, such as MyDoom, have spread through e-mails disguised as familiar-looking returned-mail error messages. The attached file appeared to be the text of a recently sent message, returned because of a wrong address. However, if it was opened, one fell victim to the virus. No matter how authentic an e-mail appears to be, know the contents of the attachment before opening it. Virtually all viruses and many worms cannot spread unless opened or run from an infected program. Worms can spread in insidious ways, but the initial user action is crucial to their deployment.

Detection
Suspicious computer activity is a sign of a virus infection. Consistent computer action beyond the control of the user is to be considered suspicious. If one notices that their email program has just sent out 100 email messages without their consent, there is probably a virus or worm at work.

When one opens and runs an infected program, a contracted virus may not be apparent. The computer may slow down, stop responding, or crash and restart every few minutes. Sometimes a virus will attack the boot files that start the computer. If this is the case, pressing the power button produces only a blank screen. All of these symptoms are common signs that the computer has become infected by a virus. The same symptoms can also be caused by hardware or software failure and have nothing to do with a virus. Up-to-date antivirus software installed on the computer is the only sure way to know whether there is a virus or not.

Prevention
Although viruses, worms, and Trojan Horses operate differently, there are four main ways to help protect the computer and files:
1. Never open an e-mail attachment from a stranger.
2. Never open an e-mail attachment from a known source unless it is expected and the contents have been verified.
3. Update antivirus software at least once per week.
4. Keep your operating system software current.

Many of the most dangerous viruses have spread prolifically through e-mail attachments. Viruses, Worms, and Trojan Horses can all be contained in photos, letters written in Microsoft Word, and even Excel spreadsheets. The virus is launched when the file attachment is opened or executed (usually by double-clicking the attachment icon). If an e-mail arrives with an attachment from an unknown source, delete it immediately. Unfortunately, viruses have the ability to steal the information out of e-mail programs and send themselves to everyone listed in an address book. Even an e-mail from someone familiar can be infected. If an email contains a message that is not coherent, or appears to be gibberish, or has an attachment that wasn't expected, contact the person and confirm the contents of the attachment before opening it. Beware of messages warning that you sent e-mail that contained a virus. A practice known as spoofing permits the forging of return email addresses, so such a warning does not mean that the email message came from the stated origin. Other viruses can spread through programs downloaded from the Internet or from virus-ridden computer disks that were borrowed from friends. Viruses can potentially be contained in the disks bought from a store. These are less common ways to contract a virus. Most viruses come from opening and running unknown e-mail attachments. Nothing will guarantee the security of a computer 100%. However, by keeping the operating system software up to date, and maintaining a current antivirus software subscription, the chances of remaining virus-free increase dramatically.
Where Viruses Hide

A program is called a virus for three reasons:
1. it has an incubation period (does not do damage immediately)
2. it is contagious (can replicate itself)
3. it is destructive.

There are several types of viruses and methods that viruses use to avoid detection by AV software (similar to HIV).

Boot Sector Virus

A boot sector virus hides in a boot sector program. It can hide on a hard drive either in the program code of the Master Boot Record or in the boot record program that loads the OS on the active partition of the hard drive. On a floppy disc, a boot sector virus hides in the boot program of the boot sector. One of the most common ways a virus spreads is from a floppy disc/CD used to boot a PC. When the boot program is loaded into memory, so is the virus, which can then spread to other programs. Many CMOS setups have an option that can protect against some boot sector viruses. It prevents writing to the boot sector of the hard drive. This feature must be turned off before installing an OS, which must write to the Master Boot Record during the installation.

File Viruses

A file virus hides in an executable (.exe, .com, .sys) program or in a word-processing document that contains a macro (which auto-executes when the document is opened or on a special event). Macro viruses are the most common viruses spread by email, hiding in macros of attached document files. One type of virus searches a hard drive for files with .exe extensions and then creates another file with the same filename and a .com file extension, and stores itself there. When the user launches a program, the OS first looks for the program name with the .com file extension. It then finds and executes the virus. The virus is loaded into memory and loads the program with the .exe extension. The user appears to have launched the desired program. The virus is then free to do damage or spread itself to other programs.

Virus Symptoms
- a program takes longer than usual to load
- unusual error messages occur regularly
- less memory than usual is available
- files mysteriously disappear or appear
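The .com/.exe trick described under File Viruses leaves a simple trace on disk: a program stem that exists with both extensions in the same directory. The Python script below, added here as an illustration and not part of the original document, walks a directory tree and lists such pairs so an administrator can review them with a proper scanner. The directory layout it creates is constructed sample data, and the function names are chosen for this example.

```python
import os
import tempfile
from collections import defaultdict

# The two extensions involved in the .com-before-.exe lookup order described in the text.
COMPANION_EXTENSIONS = {".exe", ".com"}


def find_companion_pairs(paths):
    """Return the sorted locations (directory joined with stem) that exist as both
    .com and .exe. Matching is case-insensitive, as file names are on DOS/Windows."""
    seen = defaultdict(set)
    for path in paths:
        directory, name = os.path.split(path)
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in COMPANION_EXTENSIONS:
            seen[(directory, stem.lower())].add(ext)
    return sorted(os.path.join(d, s) for (d, s), exts in seen.items()
                  if exts == COMPANION_EXTENSIONS)


def scan_tree(root):
    """Walk a directory tree and report every stem present as both .com and .exe."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            paths.append(os.path.join(dirpath, fname))
    return find_companion_pairs(paths)


def build_demo_tree():
    """Create a constructed sample tree: two suspicious pairs plus two harmless files.
    The contents are placeholder bytes, not real programs."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    for rel in ("notepad.exe", "notepad.com", "calc.exe",
                os.path.join("tools", "edit.exe"), os.path.join("tools", "edit.COM"),
                "readme.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder content, not a real program")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for location in scan_tree(demo_root):
        print("review:", location + ".com", "would be run before", location + ".exe")
```

A reported pair is a candidate for review, not proof of infection: some legitimate software ships a small .com stub beside its .exe, so each hit should be checked with up-to-date antivirus software before anything is deleted.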

PART C: Technical Potential

a. Recovering from a Trojan Horse or Virus

It can happen to anyone. Considering the vast number of viruses and Trojan horses traversing the Internet at any given moment, it's amazing it doesn't happen to everyone. Hindsight may dictate that you could have done a better job of protecting yourself, but that does little to help you out of your current predicament. Once you know that your machine is infected with a Trojan Horse or virus (or if your machine is exhibiting unexpected behavior and you suspect that something is wrong), what can you do? If you know what specific malicious program has infected your computer, you can visit one of several antivirus web sites and download a removal tool. Chances are, however, that you will not be able to identify the specific program. Unfortunately your other choices are limited, but the following steps may help save your computer and your files.

1. Call IT support

If you have an IT support department at your disposal, notify them immediately and follow their instructions.

2. Disconnect your computer from the Internet

Depending on what type of Trojan horse or virus you have, intruders may have access to your personal information and may even be using your computer to attack other computers. You can stop this activity by turning off your Internet connection. The best way to accomplish this is to physically disconnect your cable or phone line, but you can also simply disable your network connection.

3. Back up your important files

At this point it is a good idea to take the time to back up your files. If possible, compile all of your photos, documents, Internet favorites, etc., and burn them onto a CD or DVD or save them to some other external storage device. It is vital to note that these files cannot be trusted, since they are still potentially infected. (Actually, it's good practice to back up your files on a regular basis so that if they do get infected, you might have an uninfected set you can restore.)

4. Scan your machine

Since your computer (including its operating system) may be infected with a malicious program, it is safest to scan the machine from a live CD (or rescue CD) rather than with a previously installed antivirus program. Many antivirus products provide this functionality. Another alternative is to use a web-based virus removal service, which some antivirus software vendors offer (try searching on "online virus scan"). Or you could just try Microsoft's web-based PC Protection Scan. The next best action is to install an antivirus program from an uncontaminated source such as a CD-ROM. If you don't have one, there are many to choose from, but all of them should provide the tools you need. After you install the software, complete a scan of your machine. The initial scan will hopefully identify the malicious program(s). Ideally, the antivirus program will even offer to remove the malicious files from your computer; follow the advice or instructions you are given. If the antivirus software successfully locates and removes the malicious files, be sure to follow the precautionary steps in Step 7 to prevent another infection. In the unfortunate event that the antivirus software cannot locate or remove the malicious program, you will have to follow Steps 5 and 6.

5. Reinstall your operating system

If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system. Although this corrective action will also result in the loss of all your programs and files, it is the only way to ensure your computer is free from backdoors and intruder modifications. Many computer vendors also offer a rescue partition or disc(s) that will do a factory restore of the system. Check your computer's user manual to find out whether one of these is provided and how to run it. Before conducting the reinstall, make a note of all your programs and settings so that you can return your computer to its original condition. It is vital that you also reinstall your antivirus software and apply any patches that may be available. Consult "Before You Connect a New Computer to the Internet" for further assistance.

6. Restore your files

If you made a backup in Step 3, you can now restore your files. Before placing the files back in directories on your computer, you should scan them with your antivirus software to check them for known viruses.

7. Protect your computer

To prevent future infections, you should take the following precautions:
- Do not open unsolicited attachments in email messages.
- Do not follow unsolicited links.
- Maintain updated antivirus software.
- Use an Internet firewall.
- Secure your web browser.
- Keep your system patched.

To ensure that you are doing everything possible to protect your computer and your important information, you may also want to read some of the articles in the Resources section below.

PART D: Commercial Potential

Antivirus Protection Tips and Suggestions

About Antivirus Software
Antivirus (or anti-virus) software is used mainly for the prevention, detection, and removal of malware, such as computer viruses, bugs, etc. Antivirus software also assists by preventing and removing adware, spyware, and other forms of malware. A variety of strategies are typically employed in antivirus software. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected by new malware for which no signature yet exists. Heuristics can be used effectively to counter such so-called zero-day threats. The most common heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code in files. Some antivirus products can also predict what a file will do if it is opened or run by any of the applications on your computer, analyze the consequences, and inform the user beforehand of its malicious actions.
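As an added example of the signature-based detection described in this section (not code from the original document), the Python below matches a small signature database against file contents. It goes slightly beyond the text: besides exact byte sequences it accepts `??` wildcard bytes, which is the idea behind the "generic signatures" mentioned for catching variants of a known virus. The signature patterns, sample contents and names are constructed for this example and correspond to no real malware.

```python
import os
import re
import tempfile

# Constructed signature database: name -> hex byte pattern, where "??" matches any one byte.
# These patterns are invented for the example and do not describe real malware.
SIGNATURES = {
    "Demo.Exact": "4D 5A 90 00 03 00 00 00 44 45 4D 4F",
    "Demo.Generic": "C3 ?? ?? 90 90 E8",  # wildcards let one entry cover several variants
}


def compile_signature(hex_pattern):
    """Turn a space-separated hex pattern into a compiled bytes regex."""
    pieces = []
    for token in hex_pattern.split():
        if token == "??":
            pieces.append(b".")  # any single byte (DOTALL makes '.' match newline too)
        else:
            pieces.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}
# Longest signature in bytes; decides how much of the previous chunk must be kept.
LONGEST = max(len(pat.split()) for pat in SIGNATURES.values())


def scan_bytes(data):
    """Return the sorted names of all signatures found in an in-memory buffer."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_file(path, chunk_size=1 << 20):
    """Scan a file chunk by chunk. The tail of the previous chunk is carried forward so a
    signature that straddles a chunk boundary is still seen."""
    hits = set()
    carry = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            hits.update(scan_bytes(window))
            carry = window[-(LONGEST - 1):] if LONGEST > 1 else b""
    return sorted(hits)


# Constructed sample contents for the demonstration (not real files, not real malware).
SAMPLE_CLEAN = b"MZ\x90\x00 hello world, nothing to see here"
SAMPLE_EXACT = bytes.fromhex("4D5A90000300000044454D4F") + b" trailing data"
SAMPLE_VARIANT_A = b"\x00\x00\xc3\x11\x22\x90\x90\xe8\x00"  # two different wildcard bytes
SAMPLE_VARIANT_B = b"\xc3\xaa\xbb\x90\x90\xe8"


def write_sample(data):
    """Write constructed sample bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="sigdemo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for label, data in (("clean", SAMPLE_CLEAN), ("exact", SAMPLE_EXACT),
                        ("variant A", SAMPLE_VARIANT_A), ("variant B", SAMPLE_VARIANT_B)):
        path = write_sample(data)
        # A tiny chunk size forces the boundary-straddling logic to be exercised.
        print(f"{label:10s} -> {scan_file(path, chunk_size=4)}")
        os.remove(path)
```

The two variant samples differ in the bytes the wildcards cover yet both trigger the same generic entry, which is how one signature can catch a family of variants; the flip side, as the section notes, is that a genuinely new sample with no matching pattern is not detected at all, which is why heuristic and behavioural methods complement signatures.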

Tips for Virus Detection and Prevention

Do not open any files attached to emails which are from an unknown, suspicious or untrustworthy source. Do not open any files attached to an email unless you are sure of what it is, even if you have received it from a friend or someone you know. Some viruses can replicate themselves and spread through email. Confirm that your contact has really sent an attachment before opening the attachment. Do not open any files attached to an email if the subject line is suspicious or unexpected. Delete chain emails and junk email. Do not forward or reply to any sort of questionable mail. These types of email are considered spam and are unsolicited mails sent with the intention of compromising the security of your system.

You should be very cautious while downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Make sure that an anti-virus program checks the files on the download site.

Reliable Antivirus Software

Many of the up-to-date antivirus products available on the market nowadays contain all the properties that you would expect in a professional antivirus program. They are very easy to use and normally offer a nice, simple user interface. They are ideal for beginners but also offer the features professionals need. Protecting your computer against viruses not only saves your computer from the potential harm these viruses can cause but also keeps your professional routine from being disrupted.

PART E: Discussion and Conclusions

d. Malicious code is a catch-all term used to refer to various types of software that can cause problems or damage a computer. The more common classes of programs referred to as malicious code are the previously mentioned viruses, worms, Trojan horses, macro viruses, and backdoors. But malicious code can also be used as a general term to refer to other malicious or destructive programs not covered by those definitions.

Heuristics: A method of analysis that uses past experience to make educated guesses about the present. Using rules and decisions based on analysis of past network or email traffic, heuristic scanning in antivirus software can self-learn and use artificial intelligence to attempt to block viruses or worms that are not yet known about and for which the antivirus software does not yet have a filter to detect or block.

Vulnerability: In network security, a vulnerability refers to any flaw or weakness in the network defense that could be exploited to gain unauthorized access to, damage, or otherwise affect the network.

Firewall: Basically, a firewall is a protective barrier between a computer, or internal network, and the outside world. Traffic into and out of the firewall is blocked or restricted by configuration. By blocking all unnecessary traffic and restricting other traffic to those protocols or individuals necessary, one can greatly improve the security of the internal network.

Denial of Service: A denial of service (DoS) attack floods a network with an overwhelming amount of traffic, slowing its response time for legitimate traffic or grinding it to a halt completely. The more common attacks use built-in features of the TCP/IP protocol to create exponential amounts of network traffic.

Key Logger: A program placed on a computer to log the keystrokes entered. A hacker then accesses the program to gain account numbers or access illegally.

Spoofing: A method of forging an address in the email system to cloak its true source or sender.

REFERENCE July 31, 2004 - material compiled by Bob Carnaghi, www.webpointmorpheus.com
