B.

software
hardware BIOS, CMOS
setting, hard disk
. :

Basic Input Output System (BIOS) .


. BIOS motherboard
chip- . W95/CIH-10xx
.

CMOS settings . motherboard


chip- . chip motherboard
, , , , CD-ROM
. CMOS settings- .
trojan (Troj/KillCMOS-E .) CMOS settings-
.

,
,
, , .
.
.
..
1981 . Apple II- Elk
Cloner .
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
anti-virus- Fridrik Skulason
.
1986 , boot sector- .
.

.
. 360KB- .
1990 200 500 1991 600 - 1,000, 1992 1,000 - 2,300
virus, 1994 4,500 - 7,500 virus, 1996 10,000, 1998 20,000
2000 50,000- .
.

.
a) System Sector virus -
. .
Dos Boot Sector (DBS), Partition Sector (Master Boot Record MBR) 2 system sector

, .

.
.
b) File virus , com .
c) Macro virus data file word, excel, powerpoint
.
.
d) Companion File virus ,
.
com .
e) Disk Cluster virus .
.
f)

Source Code virus .

g) Worm virus .
.
:
Joke
:
.
virus, trojan- .
:

:
"Joke/" .
Trojan
:
Trojan- Trojan Horse. ,
update .
. .
:
"Troj/" .
Access 97 macro virus
:
MS Access 97 .
:
VBA macro language.
:
Access- .
:
"AM97/" "A97M", "AM" .
Batch file worm
:
DOS, Windows 95/98/Me, Windows NT/2000
.
:
share- .
:
"Bat/" .
Companion virus
:

:
Companion virus
. GAME.EXE GAME.EX .-.
:
, .
Corel Script virus

, .

:
Corel SCRIPT .
:
Corel SCRIPT macro language.
:
Corel SCRIPT .
:
"CSC/" .
DOS Boot Sector virus
:
DOS Boot Sector (DOS Boot Record) boot sector.
DOS Boot Sector virus Intel
.
:
Intel 80x86 Assembler.
:

.
:
,
.
DOS executable file virus
:
DOS/Windows- .
:
.
.
.
:
,
.
Excel formula virus
:
MS Excel 5 .
:
Excel formula language.
:
XLSTART .
.
:
"XF/", "XF97/" .
Excel macro virus
:
MS Excel 5 .
:
VBA3 macro language.
:
XLSTART .
.
:
"XM97/", "X97M", "XM/" .
JavaScript virus
:
JavaScript scripting , HTML , Microsoft Outlook, Internet Explorer.
:
JavaScript
:
.
:
"JS/" .
JavaScript worm
:
JavaScript scripting file, HTML file, Microsoft Outlook, Internet Explorer.
:
JavaScript
:
IRC, Outlook-
.
:
"JS/" .
Linux worm
:
Linux .
:
Linux worm .
:
"Linux/", "Unix" .
Macromedia Flash infector
:
Macromedia Flash .
:
Flash file- .
Master Boot Sector virus
:
Master Boot Sector (Master Boot Record) boot sector.
Master Boot Sector virus Intel
.
:
Intel 80x86 Assembler.
:

.
:
There is no standard naming convention for this type of virus.
MIRC, pIRCH script worm
:
IRC .
:
IRC Script.
:
Exe SCRIPT.INI .
:
"mIRC/", "pIRC/"
Office 97 macro virus
:
MS Office 97 .
:
VBA5 macro language.
:
Word, Excel, PowerPoint, Project .
:
"OF97/" .
PalmOS based executable virus
:
PalmOS Palm (PRC) .
:
, Palm .
:
"Palm/" .
PowerPoint 97 macro virus
:
MS PowerPoint 97 .
:
VBA5 macro language.
:
PowerPoint main template (Blank Presentation.pot)-
presentation
.
:
"PM97/", "PP97M" .
Visual Basic Script virus
:
Visual Basic , HTML , Microsoft Outlook, Internet
Explorer.
:
Visual Basic Script.
:
. VBS/Dismissed-B Outlook .
:
"VBS/" .
Visual Basic Script worm
:
Visual Basic , HTML , Microsoft Outlook, Internet
Explorer.
:
Visual Basic Script.
:
IRC Outlook- .
:
"VBS/" .
Win32 executable file virus
:
MS Windows 95/98/Me, NT, 2000 PE (Portable Executable) .
:
. W32/ExploreZip Outlook .
:
"W32/", "Win32" .
Win32 worm
:
MS Windows 95/98/Me, NT, 2000 PE (Portable Executable) .
:
Win32 worm Windows API, MAPI email
client Microsoft Outlook- .
worm .
:
"W32/", "Win32" .
Windows 95 executable file virus
:
MS Windows 95/98/Me PE (Portable Executable) .
:
.
.
.
W95/Babylonia .
:
"W95/", "Win95" .
Windows 98 executable file virus
:
MS Windows 98 PE (Portable Executable) .


:
.
.
.
:
"W98/", "Win98" .
Windows NT executable file virus
:
MS Windows NT, 2000 PE (Portable Executable) .
:
.
:
"WNT/", "WinNT" .
Windows 2000 executable file virus
:
MS Windows 2000 PE (Portable Executable) .
:
.
.
.
:
"W2K/" .
Word macro virus
:
MS Word- .
:
Word Basic macro language (Word 6 95- ).
:
global template ( NORMAL.DOT) macro-
. .
:
"WM/", "Winword", "WM97/", "W97M" .
Word 97 macro worm
:
MS Word 97 .
:
VBA5 macro language.
:
mail program- MS Outlook-
address book- . worm- Word macro virus-
.
:
"WM97/", "W97M" .
.
Back Orifice
Back Orifice Trojan- , .
Windows 95/98- Cult of the Dead Cow (cDc) 1998
8 . -2000 NT- .
Microsoft- Back Office . TCP/IP
. remote *!*QWTY?
. , ,
, cache-
. HTTP
web browser- . remote download
.
CIH Spacefiller

1998 6 Chernobyl
.
4- 26- .
26- . Flash BIOS
.
BIOS- .
Kakworm
Kakworm (KAK) worm- . Microsoft- Internet Explorer browser
Outlook Express mail program- . .
KAK HTML- signature . .
KAK JavaScript .
. attachment- .
worm Windows- Startup KAK.HTA .
KAK.HTA Windows KAK.HTM
. KAK.HTM- registry-
signature . .
\AUTOEXEC.BAT . \AE.KAK- .
1- 5 "Kagou-Anti-Kro$oft says not today"
.
.
Laroux
Laroux Microsoft Excel macro virus excel- , macro
. AUTO_OPEN CHECK_FILES 2 .
Excel , .
CHECK_FILES Excel- startup path ( XLSTART
) PERSONAL.XLS- . .
PERSONAL.XLS Excel- (Word- NORMAL.DOT ). Excel-
.
Laroux Visual Basic- Visual Basic for Applications (VBA)
.
Love Letter
Visual Basic Script worm worm-
. worm "ILOVEYOU" "kindly check the
attached LOVELETTER coming from me." . LOVELETTER-FOR-YOU.TXT.vbs .
.

IE download directory- WinFAT32.exe IE- Startup page-


registry- .
website- WIN-BUGSFIX.exe .

IE- start page- .

2 .

Outlook- address book- .

VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA


VBS .

JPG, JPEG u VBS


.

M MP2, MP3
.

, .

mIRC client- , HTM mIRC chat-


.

Melissa
Melissa Word macro virus E-mail worm 2- . 1999 3-
26- . Word macro virus
. .
Outlook address book- 50 .
"Important Message From <your username>" , "Here is that document you
asked for ...don't show anyone else ;-)" .
Word- NORMAL.DOC- .
Nimda
Nimda virus/worm- . E-mail, Web site,
. EXE Web
.
worm. Nimda .
E-mail- EXE . share-

web server- web server- Web site- .


:

File Infection. .

. . WININIT.INI Windows- .
Nimda EXE :
[SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths],
[Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
WINZIP32.EXE .

E-mail Worm. worm- . E-mail client- address book HTML


E-mail address-
. E-mail- 2 .
"text/html" MIME .
. "audio/x-wav" MIME README.EXE
. Microsoft Internet Explorer
5.5 SP1- HTML
.
. Nimda SMTP server- E-mail .

Web Worm. Nimda Microsoft IIS Web server- .


Nimda Web JavaScript- .
Web browser- README.EML- .

File Share Propagation.


share- . Nimda hidden/system
(RICHED20.DLL)- . Word, WordPad, Outlook
RICHED20.DLL .

Pretty Park
worm, Trojan- . 1999 6 . . E-mail
PRETTY PARK.EXE .
. Windows- System FILES32.VXD
. exe registry- .
. 3D Pipes
screen saver (SSPIPES.SCR)- .
CANALISATION3D.SCR screen saver- .

30 - routing .
13 IRC chat .
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
.
30 routing . Outlook- address book-
. "C:\CoolProgs\Pretty Park.exe"
worm .
W32.SirCam
2001-07-21- worm. Windows- .
. Melissa mailbox-
email . 2 .
.
: Hola como estas ? Nos vemos pronto, gracias.
: Hi! How are you? See you later. Thanks
2 .
: Te mando este archivo para que me des tu punto de vista Espero me puedas
ayudar con el archivo que te mando Espero te guste este archivo que te mando Este es el archivo
con la información que me pediste
: I send you this file in order to have your advice I hope you can help me with this
file that I send I hope you like the file that I sendo you. This is the file with the information that you
ask for.
.bat, .com, .lnk, .pif, .doc, .xls, .zip . .
.

C:\Windows\Temp\ C:\Recycled\- . dc
word-,

C:\Recycled\Sirc32.exe

C:\Windows\System\Scam32.exe .

2 registry key- .
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Driver32="<Windows System>\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\
command="C:\recycled\SirC32.exe" "%1" %*
registry- windows worm
. 2 registry- worm
.

registry- :
HKEY_LOCAL_MACHINE\Software\SirCam

worm share- .
.

<Computer>\Recycled\Sirc32.exe- .

<Computer>\Autoexec.bat- "@win\recycled\sirc32.exe" .

<Computer>\Windows\Rundll32.exe- C:\Windows\Run32.exe .

<Computer>\Windows\rundll32.exe- C:\Recycled\Sirc32.exe- .

(33- 1 ) :

C:\Recycled\Sirc32.exe- C:\Windows\Scmx32.exe .

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup- "Microsoft Internet Office.exe"- .

(20- 1 10 26-)
.
(33- 1 ) C:\Recycled\Sircam.sys-
.

[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]

[SirCam Version 1.0 Copyright 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

worm SMTP- email . email- 2


.
registry key- email .

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

sho*., get*., hot*., *.htm email


%system%\sc?1.dll .
scy1.dll- %cache%\sho*., hot*., get*- , sch1.dll- %personal%\sho*., hot*.,
get*- , sci1.dll- %cache%\*.htm- , sct1.dll-
%personal%\*.htm- . %system%-
*.wab (Windows Address Books- ) email
%system%\scw1.dll . registry- .doc, .xls, .zip
%system%\scd.dll- .

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

.doc, .xls, .zip worm .

. From: registry- email .


,
. scd.dll .
:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32-
.

HKEY_LOCAL_MACHINE\Software\SirCam- .

HKEY_CLASSES_ROOT\exefile\shell\open\command- "%1" %* .
(---, , , ) Default .

Recycled\Sircam.sys, Recycled\Sirc32.exe (Windows Recycle Bin )


Windows\System\SCam32.exe .

Autoexec.bat "@win \recycled\sirc32.exe" .

W32.Sircam.Worm@mm .

run32.exe rundll32.exe .

.
a) antivirus update .
b) antivirus safe boot disk- .
boot boot-
.
antivirus ,
. antivirus .
c) boot
. hard boot disk
.
d) Word- doc, Excel- xls .
macro .
RDF macro .
e)
. worm .
f)

.
.
.

g)
driver .

h) backup .
.
Anti-Virus-

AntiViral Toolkit Pro


http://www.avp.com/
http://www.avp.ch/
http://www.avp.tm/
http://www.avp.ru/
F-Prot
http://www.complex.is/
F-Prot Professional
http://www.commandcom.com/
http://www.DataFellows.com/
Integrity Master
http://www.stiller.com/
McAfee VirusScan
http://www.nai.com/
MIMESweeper (mail firewall)
http://www.mimesweeper.com/
Norman Virus Control
http://www.norman.com/
Norton Anti-virus, Symantec Anti-virus for Mac
http://www.symantec.com/
Trend Micro (PC-Cillin, InterScan, Scanmail, Serverprotect)
http://www.antivirus.com/
Sophos Sweep
http://www.sophos.com/