An Introduction To Viruses, Worms And Trojans

[max123]

Polymorphic Virii

 

* Polymorphic virii encrypt there own body.

* Self encryption usually hides the virus signature from the AV software.

* For polymorphic virii to spread the virus first decrypts itself .

* The virus has to momentarily take control of the CPU in order to do this.

* After decrypting the body of the virus, the decryption routine gives control of the machine to the decrypted viral body so the virus can spread.

* A polymorphic virus is significantly harder for Anti-Virus software to detect, because they generate new decryption routines on each infect which also changes the virus signature.

* Usually polymorphic code changes its signature using a simple binary generator called the mutation engine (MTE).

The MTE uses a random number generator and a simply algorithm to change the virus signature.

* With the MTE we can make any virus polymorphic by making a few simple changes to the assembly code to call MTE before copying itself.

[max123]

Stealth Virii

 

* Stealth virii hide the modifications they make to your files or boot records.

* They hide this by monitoring the system functions of the OS used to read the files or sectors and by forging calls to such functions.

* Therefore programs that try to read the files or sectors see the original uninfected version.

* This helps hide it from Anti-Virus, another way a stealth virus does this is to sit in memory while you run the AV.

* The first DOS virus, Brain, was a stealth virus .

* This boot sector virus monitors physical disc I/O operations and redirects the OS every time it tries to read an infected sector.

* Stealth virii usually have either size stealth or read stealth properties.

* Size stealth virii are the file infectors, the virus attaches itself to an executable and then replicates which makes the file grow, so the virus shows a copy of the uninfected size which is the first thing it looks at upon infection (after checking for itself).

* Read stealth virii are of the Brain variety.

[nilayz]

Hmm... that's some real good info.. thanks max123

[max123]

Slow Virii

 

* Slow virii are hard to detect be cause they only infect files (*.com for example) that the OS is modifying or copying.

* A slow virus only infects a file when a user performs some operation on the file.

* For example a slow virus might only infect the boot sector of a floppy w hen commands such as format and sys write to the boot sector.

* A slow virus might infect the copied version but not the original.

 

 

 

 

 

 

 

 

 

Retro Virii

 

*

A retro virus is a virus that bypasses, edits, or destroys Anti-Virus programs by attacking it directly.

*

Making a retro virus is a pretty simple task as all the programmer has to do if find the execution path and edit or otherwise hinder the Anti-Virus software, this could involve editing the AV itself or its definition files which could render the AV useless and the user totally oblivious to ANY virii that infect their system.

*

Other types of retro virii detect the AV and either hide from it, stop the AV, or in some cases trigger a destructive payload before the AV has chance to stop it.

[max123]

Multipartite Virii

 

* Multipartite virii infect both executable files and boot sectors and sometimes floppy boot sectors too.

* They are called multipartite because they infect in multiple ways rather than specific disk locations or file type.

* When you run a file infected with a multipartite virus, it infects the boot sector and next time you boot your system the virus activates again and sits in memory it then infects every program you run.

 

 

 

Armored Virii

 

* Armored virii protect themselves by adding code that makes them very difficult to trace, understand and disassemble the code.

* They may protect themselves by wrapping code that deflects the onlooker from the actual operating code or it might add distraction code that makes you think the virus is somewhere other than it's true location.

[max123]

Companion Virii

 

 

* Companion virii attach themselves to an executable file by creating a new file with a different extension.

* Hence there namesake, they make a companion file for each infected program.

* A companion virus might make notepad.com and then launch itself first then the original notepad.exe infecting the system.

 

 

 

 

Macro Virii

 

* Macro virii are written in a simple macro programming language, and more often than not nowadays using VBA (Visual Basic for Applications), these virii usually target Microsoft Office applications such as Word and Excel.

* About 3/4 of all virii found in the wild today are macro virii.

* A macro infected document may have several macros, such as AutoSave, Exit etc that replace there original counterparts with there own code but still operate in the expected way.

* The macro will generally try to infect any template that exists such as world.dot so that if the macro is removed they may still regenerate.

* Macro virii have picked up on the trend of opening the WAB and sending a copy of themselves to all addresses in the address book, the most famous of these being WM97/Melissa.

 

 

 

 

 

 

 

 

Phage Virii

 

*

The last of the true virii. Phage virii are programs that modify programs or databases.

*

Phage virii are by far the most destructive by nature.

*

They are not designed to attach themselves to other code or to replicate .... they are designed to overwrite every program they infect.

*

A phage virii can spread by creating a companion virus of itself so when the program is attempted to be launched the virus runs again.(NOTE: Phage virii can also create companion files but it's not a defining or a required feature.)

[max123]

Sample Structure Of A Virus

Virus() { infectExecutable(); if (triggered())  { doDamage(); } jump to main of infected program; } void infectExecutable() { file = choose an uninfected executable file; prepend V to file; } void doDamage() { ... }  int triggered() { return (some test? 1 : 0); }

 

 

Disclaimer: Please note. The above information is for educational purposes only. Any misuse of the above information is not caused due to the author of this article.

Also, while those who have some idea of programming may understand the above structure, there are others who may be left clueless of what this is. If you are one of the people who have been left clueless, please ignore this part of the thread and proceed further.

[max123]

Worms

 

* Worms are not virii.

* The name 'worm' was taken from The Shockwave Rider, a 1970s science fiction novel by John Brunner.

* They are self replicating pieces of code that by natures should contain no payload (although this is not *always* the case).

* The most famous worm of all time was the Robert Morris Jnr worm that exploited a buffer overflow in the UNIX Sendmail program. Due to which the speed of which worms create new instances of themselves if they stayed on a single host they would soon eat up all the resources, so they spread from computer to computer, network to network (unlike a virus which needs some sort of human intervention in order to spread).

* Because they can move so fast they often cause havoc, not due to malicious nature, but due to overload of mail server etc etc

* Most worms you will find written today are written in VBS (Visual Basic Script) and spread though Outlook. Recent high profile worms include LoveLetter and Life_Stages.

[max123]

Trojans

 

* The name "Trojan Horse" derives itself from a page in Greek history.

* A Trojan horse is simply a computer program.

The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk).

* Trojan horses have no way to replicate automatically.

* Examples:- Picture.exe,RIDBO,FIX2001,AOL4FREE

* These types of viruses were originally designed as a means of self expression by gifted programmers and did little more than to cause the system to lock up, behave abnormally in a specific way or perhaps cause loss of data on the user?s machine.

* Virtually every Trojan virus is comprised of two main parts:

o the "server"

+ The server part is the part of the program that infects a victim's computer.

o the "client?

+ The client part is the one that allows a hacker to manipulate data on the infected machine

 

------------------------------------------------------------------------------------------------

 

How does a Trojan Affect Your Computer?

 

*

In order to gain access to a users computer, the victim has to be induced to install the Trojan himself.

*

The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it.

*

By installing it,the user also installs the Trojan.

*

Trojan Horse acts as a means of entering the victim?s computer undetected and then allowing a remote user unrestricted access to any data stored on the user's hard disk drive whenever he or she goes online.

*

In this way, the user gets burned and like the unfortunate citizens of Troy, may only discover that fact when it is too late.

*

Intruders scan the Internet for an infected user(technically speaking, an attacker sends request packets to all users of a specific Internet provider) using the client part of the virus.

*

Once an infected computer has been found (the server part of the virus that is located on infected machine replies to client part's request).

*

The attacker connects to that user's computer and creates a "link" between the two just like the one in an ordinary telephone conversation.

*

Once that has happened (this procedure may only take a few seconds), the intruder will be able to get unrestricted access to the user's computer and can do anything he likes with it.

*

The intruder becomes the master and the user the slave before disconnecting from the Internet, the user is helpless and has no means at his disposal to ward off an attack.

*

Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.

*

There are no visible outward signs that anything untoward is happening other than perhaps unusual hard disk activity for no apparent reason.

 

------------------------------------------------------------------------------------------------

 

Ways Of Infection

 

* E-Mail Attachments

* Web Pages

* Open Network Shares (Peer to Peer Networking)

* Internet Relay Chat & Instant Messaging

* Floppy Disks

* MS Office Document Macros

* Macromedia Flash Documents

* And, new ways are appearing all the time.

 

------------------------------------------------------------------------------------------------

 

Signs Of Infection

 

* Sluggish network performance

* Buggy operating system function

* Processor always at 100%

* Unusual system error messages

* Mysterious/unknown/hidden files

 

------------------------------------------------------------------------------------------------

 

Steps To Avoid Infection

 

* Be paranoid.

o According to Murphy's law--"If anything can go wrong, it will? In computing, this is not as far from the truth as you might hope.

o Make sure you have an up to date anti-virus package installed on your computer.

* Do not open unexpected attachments.

o Increasingly, viruses are sent as attachments to e-mails. This is a particularly insidious method of transmission because often people will open attachments that have been sent by acquaintances, co-workers, or friends, only to find that the attachment is in fact a virus.

* Install patches for the software you use in a timely manner.

o There are viruses that exploit 'holes' or vulnerabilities in operating systems and applications. Anti-virus programs are generally able to protect you from this kind of 'malware' even if you have not installed the appropriate patch for that vulnerability.

* Always scan floppy disks and CDs for viruses before using them.

o Despite the fact that approximately 85% of all registered cases of computer infection are transmitted through e-mail, we should not ignore the traditional transport for malware: the mobile media (diskettes, compact disks, etc.).

o Users should always check these external media for viruses before using it on their computers. It is a simple, straightforward procedure to scan a disk with an anti-virus program. It takes just a few seconds, and can save hours of aggravation.

* Be careful with software, even from a credible source.

o It is not just pirated software that may be infectious. Sometimes even licensed CDs with software from well-established, credible vendors may contain viruses. Also, software downloaded from the Internet may carry a virus.

* Another source of infection may be a computer that has been taken in for maintenance that may be returned to its owner with a hard drive that is infected with a virus.

* Create a virus-free start-up disk for your computer and keep it in a safe place.

* Sometimes an infected computer cannot be started. This does not mean that a virus has deleted data from your hard drive; it only means that your operating system cannot be loaded any more.

* To solve this problem, you should use a virus-free start-up diskette containing an anti-virus program that has been developed for your operating system. This diskette will help you to start your computer and delete any viruses in your operating system.

* Back up your files regularly.

o Although this rule will not protect against virus infection, it will allow you to protect your valuable data in case your computer becomes infected (or, as an added bonus, if you have any other problems with your hardware).

o It is advisable to back up your most valuable data using external media, such as diskettes, magnetic tapes, CDs, etc. In this case, whatever might happen, you will always be prepared.

* Make file extensions visible.

o It is safe to run non-executable file content, such as JPGs, MPGs, GIFs, WAVs, etc. You just need to make sure they aren't executables in disguise.

o Most Windows versions will hide known file extensions. Thus, a seemingly harmless file, PICTURE.JPG, may be PICTURE.JPG.EXE. In Windows Explorer, look for the file extension hiding option under Folder Options.

* Don't share your hard drive (disable file sharing on your hard drive).

o If you do need to provide some file and print sharing, don't give the keys to the kingdom; use a password, and ONLY give the minimum that you have to a directory (folder) is much better than giving all of the C:\, read only is better than full access. If you have to give a C:\ administrative share, limit the number of people who can use it.

 

------------------------------------------------------------------------------------------------

 

Steps To Remove A Virus

 

* DON?T PANIC.

* Don?t do anything drastic without checking with knowledgeable support staff.

* Contact your computer support staff.

* Gather as much information as you can about the virus. Search anti-virus sites for info about the virus you are seeking, or the suspicious activity you are seeing.

* Follow the directions for disinfecting your computer that you find from reputable sources.

* If you need to replace files, recover them from an uninfected source.

* The original software media is a good source.

* Once removed, verify that it is truly gone by first verifying that your anti-virus software is working and is up to date. Then run a manual scan of your whole system. If it reports back as clean, the end of tunnel is near.

* Finally, follow the recommendations from the prevention section above to help prevent this from occurring in the future.

 

------------------------------------------------------------------------------------------------

 

Disclaimer:

 

* All the information provided above is for educational and awareness purposes only.

* Any misuse of the above information is not the responsibility of the author or of TechEnclave.

* Though the article is free and open to copy, it is requested that you link back to the article or atleast have a link back to the site

( http://www.helionet.org ) in references or as the primary source. Along with the link, it is also requested that you write the name of the author ie is me "MAX".

 

=====================================================

 

4 those few who think my sharing of knowledge to be SPAM I won't post such things any more if any one reading this thread says it to br SPAM and USELESS

 

Plz do post if u think its SPAM or usefull

[nilayz]

I think its useful... do u have a sample working virus code?

[Ali]

Nilayz, thinking of infecting us with viruses? =P

[nilayz]

I'm just curious