
What is a Computer Virus?

• A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. It has the ability to replicate itself and so continues to spread. It is also known as malicious software: a program that can cause damage to a computer.

• Computer viruses can damage or corrupt data, modify existing data, or degrade the performance of the system by using up resources such as memory or disk space.

Classification of Computer viruses:

• Boot sector virus
• Master Boot Record (MBR) virus
• File infector virus
• Multipartite virus
• Macro virus

Boot sector virus

• Boot sector viruses generally hide in the boot sector, either of a bootable floppy disk or of the hard drive.
• The virus attaches itself to the first part of the hard disk that is read by the computer upon boot-up.
• These viruses spread rapidly by floppy disks and not by CD-ROMs.
• Once the virus is copied into memory, any floppy disk that is not write-protected becomes infected as soon as it is accessed.
• A typical symptom is the error message “Invalid system disk”.

E.g. Form, Disk Killer, Michelangelo, Stoned.


Master Boot Record (MBR) virus

• MBR viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses.

• However, an MBR virus infects the MBR of the system and gets activated when the BIOS executes the master boot code.

• MBR infectors normally save a legitimate copy of the master boot record in a different location.

E.g. AntiEXE, Unashamed, NYB


File infector virus

• File infector viruses infect program files.
• They normally infect executable code, such as .COM, .SYS, .BAT and .EXE files.
• They can infect other files when an infected program is run from a floppy, the hard drive, or the network. Many of these viruses are memory resident.
• After memory becomes infected, any uninfected executable file that runs becomes infected.

E.g. Snow.A, Jerusalem, Cascade.


Multipartite virus

• Multipartite (also known as polypartite) viruses infect both boot records and program files.
• These are particularly difficult to repair. If the boot area is cleaned but the files are not, the boot area will be reinfected.
• The same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have cleaned will be reinfected.

E.g. One_Half, Emperor, Anthrax, Tequila.


Macro virus

• Macros are mini-programs which make it possible to automate a series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.
• Macro viruses infect files that are created using applications or programs that support macros.
• They are platform-independent, since the virus itself is written in the language of the application and not of the operating system.
• They infect documents created with Microsoft Office Word, Excel, PowerPoint and Access.

E.g. W97M.Melissa, Bablas, WM.NiceDay, W97M.Groov.


In addition to computer viruses, there are two more types of malicious software. These are:

• Worms and Trojans

Computer Worms

• Worms are programs that replicate themselves from system to system without the use of a host file. Worms spread through networks such as LANs, WANs and the Internet. Over the Internet a worm can spread in various ways, such as e-mail, messaging and chat.

• Worms almost always cause harm to the network, for example by consuming network bandwidth.

E.g. W32.Mydoom.AX@mm

Computer Trojans

• Trojan horses are impostors: files that claim to be something desirable but, in fact, are malicious. Trojan horse programs do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. E.g. Trojan.Vundo

Typical uses of a Trojan horse:
– Retrieving a user's critical information, i.e. name, password.
– Spreading malware programs, i.e. acting as a ‘dropper’ or ‘vector’.
– Erasing or overwriting data on a computer.
– Spying on a user to gather information such as browsing habits, sites visited etc. Such Trojans are called Spyware.

Antivirus Software

• Antivirus software is a computer program that identifies and removes computer viruses, and other malicious software such as worms and Trojans, from an infected computer. Not only this, antivirus software also protects the computer from further virus attacks.

• You should regularly run an antivirus program to scan for and remove any possible virus infection on a computer.

Screenshots of some popular antivirus products: McAfee Antivirus, AVG Antivirus, Kaspersky Antivirus, AntiVir Antivirus, BitDefender Antivirus, NOD32 Antivirus, Avast Antivirus.

How an Antivirus works

Using the dictionary approach:

• The antivirus software examines each and every file on a computer and compares its content with the virus definitions stored in its virus dictionary.

• A virus dictionary is an inbuilt file belonging to the antivirus software that contains code identified as a virus by the antivirus authors.

Using the suspicious behavior approach:

• The antivirus software constantly monitors the activity of all programs.
• If any program tries to write data into an executable file, the antivirus software flags the program as having suspicious behavior, meaning the suspected program is marked as a virus.
• The advantage of this approach is that it can safeguard the computer against unknown viruses as well.
• The disadvantage is that it may also raise several false alerts.

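As an added illustration of the two approaches above (not code from the slides), the following Python sketch scans constructed file contents against a small made-up virus dictionary, using both byte-pattern and whole-file hash entries, and applies the suspicious-behavior rule to constructed activity records; the last record is the false alert the slides warn about.

```python
"""Added example (not from the slides): a toy of the two detection approaches described
above. Every dictionary entry, file content and activity record below is constructed."""
import hashlib

# Dictionary approach: entries the (hypothetical) antivirus authors identified, either a
# byte pattern that appears inside infected files or the SHA-256 of a whole infected file.
PATTERN_SIGNATURES = {
    "Demo.StonedLike": b"Your PC is now Stoned!",  # constructed; named after the Stoned family
    "Demo.MacroLike": b"Sub AutoOpen()",           # constructed; macro viruses hook auto-run macros
}
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed worm body").hexdigest(): "Demo.WormLike",
}
EXECUTABLE_EXTENSIONS = (".com", ".sys", ".bat", ".exe")  # file types the slides list as infectable


def dictionary_scan(content):
    """Return the name of every dictionary entry that matches this file's content."""
    hits = [name for name, pattern in PATTERN_SIGNATURES.items() if pattern in content]
    digest = hashlib.sha256(content).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    return hits


def scan_files(files):
    """Dictionary scan over a {path: bytes} mapping; only files with a match are reported."""
    return {path: dictionary_scan(content) for path, content in files.items()
            if dictionary_scan(content)}


def behaviour_scan(events):
    """Suspicious-behavior approach: flag every program that writes into an executable file.
    events are (process, action, target) records as a real-time monitor would see them."""
    return {process for process, action, target in events
            if action == "write" and target.lower().endswith(EXECUTABLE_EXTENSIONS)}


# Constructed sample input.
SAMPLE_FILES = {
    r"C:\GAMES\PLAY.COM": b"MZ\x90\x90" + b"Your PC is now Stoned!",
    r"C:\DOCS\REPORT.DOC": b"Sub AutoOpen()\n  ' macro body\nEnd Sub",
    r"C:\TEMP\update.exe": b"constructed worm body",
    r"C:\DOCS\NOTES.TXT": b"nothing to see here",
}
SAMPLE_EVENTS = [
    ("winword.exe", "write", r"C:\DOCS\REPORT.DOC"),          # normal: a document is not executable
    ("update.exe", "write", r"C:\WINDOWS\NOTEPAD.EXE"),       # infector-like: patching an executable
    ("setup.exe", "write", r"C:\PROGRAM FILES\APP\APP.EXE"),  # legitimate installer: the false alert
]
```

The dictionary scan reports only the three constructed infected files; the behavior rule flags both the infector-like process and the legitimate installer, which is exactly the false-alert trade-off the slide describes.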
When selecting an Antivirus Software

• Real-Time Scanning
The antivirus software runs automatically in the background on a continuous basis, scanning files and folders for possible virus attacks as they are opened or executed, and checking e-mails as they are downloaded. Most commercial antivirus software provides real-time scanning.

• Virus Updates
Regular updates for the virus dictionary. You should look for an antivirus program that provides free virus updates on a periodic basis. With the current outburst of macro and script-based viruses, virus updates that address the latest threats are essential. Most commercial antivirus software today provides virus updates on a daily basis.

Configuring your Antivirus software

• Adjust the settings to scan all files (all of them, not just a subset). Also, ensure that real-time scanning is enabled by default.

• Create a recovery/reference/cure disk, because if a boot sector or MBR virus attacks the system, it may fail to boot. In that case the recovery disk can be used to boot the system and remove the virus.

• Read the vendor's manual. This will help you to understand the advanced options and how to use them according to your preference.

What to do on Suspecting a Virus attack?

• Disconnect the suspected computer system from the Internet as well as from the local network.
• Start the system in Safe Mode or from the Windows boot disk if it has any problem starting.
• Take a backup of all crucial data to an external drive.
• Install antivirus software if you do not have it installed.
• Now download the latest virus definition updates from the Internet (do this on a separate computer, since the suspected one is disconnected).
• Perform a full system scan.

Virus found!! Possible actions:
• Repair
• Quarantine
• Delete
• Rename
• Ignore

Some of the symptoms of an infected computer:
• Folder Options disappears from the Tools menu. Hidden files can then no longer be viewed, and changing the registry values has no effect.
• Regedit doesn't work when you try to invoke it from the Run box.
• Task Manager has been disabled by the Administrator.
• In My Computer, an Autoplay option appears instead of Open on every drive you enter, i.e. when you click on your drive letters (C, D, E etc.) a window opens asking you to select a program to open it with.
• The computer becomes slow and there is a noticeable delay before characters appear on screen when you press a key on the keyboard.
• The command prompt does not open, or if it does, it closes suddenly.
• You cannot open system utilities like Task Manager, Regedit, Msconfig or gpedit.msc; they open and suddenly close.
• The virus creates new entries and adds values to the existing Registry.

Hidden processes running on your system

1. monit.exe - runs under explorer.exe, a keylogger app, creates problems with Counter Strike
2. scvhost.exe or 713xRMTmon.exe - not to be confused with svchost.exe, an important Windows process.
3. wscript.exe - a harmless process which can be made to execute harmful VBScripts like mswin32.dll.vbs
4. amvo.exe or amva.exe
5. autorun.inf - actually a harmless file, but it can be used to invoke a virus when you click a folder/drive which contains this file.

Deleting Identified Virus files manually

• Identify files such as autorun.inf or mswin32.dll.vbs in the root of all drives or in your system drive.
• You can also delete a file from the command prompt (DOS): the command DIR /w /a displays all files, including hidden ones; attrib -s -h -r <filename> removes the system, hidden and read-only attributes; then del <filename> deletes the file.
• A virus also hides itself in the System Volume Information and PREFETCH folders, so it might be a good idea to turn off System Restore for a while.
• To prevent future infections of your USB drive, you could try creating an empty autorun.inf file and setting the read-only attribute on it. This should prevent a malicious autorun.inf from taking its place.

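As an added example (not from the slides), the Python script below automates the check described above: it lists any autorun.inf and any loose script or executable sitting in a drive root, shows which program an autorun.inf would launch (its open=, shellexecute= and shell\...\command entries, which are part of the documented autorun.inf format), and plants the empty read-only autorun.inf placeholder. The sample files, names and paths are constructed.

```python
"""Added example (not from the slides): inspect a drive root for autorun.inf and loose scripts,
then plant the empty read-only autorun.inf placeholder. All sample content is constructed."""
import os
import stat
import tempfile

LOOSE_EXTENSIONS = (".vbs", ".bat", ".cmd", ".com", ".exe")  # things that do not belong in a drive root


def autorun_targets(text):
    """Return what an autorun.inf would run: its open=, shellexecute= and shell\\<verb>\\command= values."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";") or "=" not in line:
            continue  # comment or [section] header: launches nothing
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets


def inspect_root(root):
    """Report autorun.inf and any loose script/executable sitting directly in a drive root."""
    findings = {}
    for name in sorted(os.listdir(root)):
        path, lower = os.path.join(root, name), name.lower()
        if lower == "autorun.inf" and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[name] = autorun_targets(fh.read())  # [] means an empty/harmless file
        elif lower.endswith(LOOSE_EXTENSIONS) and os.path.isfile(path):
            findings[name] = ["loose script or executable in drive root"]
    return findings


def plant_placeholder(root):
    """Create an empty, read-only autorun.inf so a malicious one cannot simply take its place."""
    path = os.path.join(root, "autorun.inf")
    if os.path.exists(path):
        return False  # never overwrite: inspect the existing file first
    open(path, "wb").close()
    os.chmod(path, stat.S_IREAD)  # on Windows this sets the read-only attribute (attrib +r)
    return True


def demo():
    """Run both steps against a constructed 'infected' root and a clean one (temporary dirs)."""
    infected, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:  # constructed sample
        fh.write("[autorun]\nopen=mswin32.dll.vbs\nshell\\open\\Command=mswin32.dll.vbs\n")
    open(os.path.join(infected, "mswin32.dll.vbs"), "w").close()  # empty stand-in, not a real script
    return inspect_root(infected), plant_placeholder(infected), plant_placeholder(clean), inspect_root(clean)
```

On a real machine, call inspect_root and plant_placeholder with the drive root (for example E:\) instead of the temporary directories demo() creates.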
General precautions you should take

• When inserting removable media (floppy, CD, flash drive etc.), scan the whole device with the antivirus software before opening it.
• If you have Internet access, make sure you use Internet security software.
• Get Windows updates.
• From time to time, update your installed software to its latest version, e.g. MS Office, Adobe Reader, Java, Flash Player etc.
• Most important, disable Autoplay on all drives on your PC:
– Go to Start > Run and type gpedit.msc.
– Select ‘Computer Configuration’ from the left tree and then go to ‘Administrative Templates’ -> ‘System’.
– In the right panel look for ‘Turn off Autoplay’, double-click on it, select ‘Enabled’ and then select ‘All drives’.

• Last but not least, you should have an updated antivirus guarding your PC at all times.

Terminology

• Log file
• Quarantine
• New virus definitions
• Subscription
• Virus database
• License key