Computer Virus and Antivirus

A presentation by Sumon chakreborty

Roll no-91/CSE/060024
Reg.no-0028438 of 2002-2003

Agenda
Computer Virus Concept
Analyze three common computer viruses
Antivirus Technologies
Conclusion

Computer Virus Concept

What is Computer Virus?
Computer Virus Time Line
Types of Computer Virus
How does computer virus works?

Computer virus concept

What is Computer Virus?

Definition -- Virus: A self-replicating piece of computer code that

can partially or fully attach itself to files or applications, and can
cause your computer to do something you don't want it to do.

Similarities between biological virus (like " HIV " )

and computer virus:

Need a host for residence.

Capable of self-replicate

Cause damage to the host.

Difference: Computer viruses are created by human.

Computer virus concept

Computer Virus Time Line

1949 - Theories for self-replicating programs was first developed.

1981 - Apple Viruses 1, 2, and 3 was some of the first viruses in

public.

1988 Jerusalem was detected. Activated every Friday the 13th, the
virus affects both .EXE and .COM files and deletes any programs run on
that day.

1991 - Tequila is the first widespread polymorphic virus found.

1999 - The Melissa virus, W97M/Melissa, executed a macro in a

document attached to an email. Melissa spread faster than any other
previous virus.

2000 - The Love Bug, also known as the ILOVEYOU virus, sent itself
out via Outlook, much like Melissa.

2001 - The Code Red I and II worms attacked computer networks in

July and August. They affected over 700,000 computers and caused
upwards of 2 billion in damages.
5

Computer virus concept

Types of Computer Virus

Boot Sector Virus - Michelangelo

Boot sector viruses infect the boot sectors on floppy disks and hard disks, and can
also infect the master boot record on a user's hard drive.

File Infector Virus - CIH

Operate in memory and usually infect executable files.

Multi-partite Virus

Multi-partite viruses have characteristics of both boot sector viruses and file infector
viruses.

Macro Virus - Melissa Macro Virus

They infect macro utilities that accompany such applications as Microsoft Word, Excel
and outlook.

Computer virus concept

Types of Computer Virus - Continue

Trojan / Trojan Horse Back Orifice

A Trojan or Trojan Horse is a program that appears legitimate, but

performs some malicious and illicit activity when it is run.

Worm Red Code

A worm is a program that spreads over network. Unlike a virus, worm

does not attach itself to a host program. It uses up the computer
resources, modifies system settings and eventually puts the
system down.
Worms are very similar to viruses in that they are computer programs
that replicate themselves. The difference is that unlike viruses,
worms exist as a separate small piece of code. They do not attach
themselves to other files or programs.

Computer virus concept

Virus Characteristics
Memory Resident:
Loads in memory where it can easily replicate itself into programs of boot
sectors. Most common.

Non-Resident:
Does not stay in memory after the host program is closed, thus can only infect
while the program is open. Not as common.

Stealth:
The ability to hide from detection and repair in two ways.
- Virus redirects disk reads to avoid detection.
- Disk directory data is altered to hide the additional bytes of the virus .

Computer Virus Concept

Virus Characteristics

Encrypting:
Technique of hiding by transformation. Virus code converts itself into cryptic
symbols. However, in order to launch (execute) and spread the virus
must decrypt and can then be detected.

Polymorphic:
Ability to change code segments to look different from one infection to
another. This type of virus is a challenge for ant-virus detection methods.

Computer virus concept

How does computer virus work?

The Basic Rule: A virus is inactive until the infected program is run or
boot record is read. As the virus is activated, it loads into the computers
memory where it can spread itself.

Boot Infectors: If the boot code on the drive is infected, the virus will
be loaded into memory on every startup. From memory, the boot virus
can travel to every disk that is read and the infection spreads.

Program Infectors: When an infected application is run, the virus

activates and is loaded into memory. While the virus is in memory, any
program file subsequently run becomes infected.

10

Analyze three common viruses

CIH

Type: Resident, EXE-files

Origin: Taiwan

History: The CIH virus was first located in Taiwan in early June
1998. After that, it has been confirmed to be in the wild
worldwide. It has been among the ten most common viruses for
several months.

Infects Windows 95 and 98 EXE files, but it does not work

under Windows NT.

After an infected EXE is executed, the virus will stay in memory

and will infect other programs as they are accessed.

11

Analyze three common viruses

Macro Virus
What is Macro virus

A type of computer virus that is encoded as a macro embedded in a

document.

According to some estimates, 75% of all viruses today are macro

viruses.

Once a macro virus gets onto your machine, it can embed itself in all
future documents you create with the application.

In many cases macro viruses cause no damage to data; but in some

cases malicious macros have been written that can damage your work.

The first macro virus was discovered in the summer of 1995. Since
that time, other macro viruses have appeared.

12

Analyze three common viruses

Macro Virus

How does it spread?

When you share the file with another user, the attached macro or
script goes with the file. Most macro viruses are designed to run, or
attack, when you first open the file. If the file is opened into its related
application, the macro virus is executed and infect other documents.

The infection process of the macro virus can be triggered by opening

a Microsoft Office document or even Office Application itself, like
Word, Excel. The virus can attempt to avoid detection by changing or
disabling the built-in macro warnings, or by removing menu commands

13

Analyze three common viruses

I LOVE YOU
VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter.
This worm sends itself to email addresses in the Microsoft
Outlook address book and also spreads to Internet
chatrooms.
This worm overwrites files on local and remote drives,
including files with the extensions .html, .c,.bat,.mp3 etc.

14

Antivirus Technologies

How to detect virus?

How to clean virus?

Best Practices

15

Antivirus technology
How to detect virus?

Some Symptoms
Program takes longer to load.
The program size keeps changing.
The drive light keeps flashing when you are not doing
anything.
User created files have strange names.
The computer doesn't remember CMOS settings.

16

Antivirus technology
How to detect virus?

Use Antivirus Software to scan the computer memory and

disks.
A memory-resident anti-virus software can be used to
continuously monitor the computer for viruses.
Scan your hard disk with an anti-virus software. You
should make sure that an up-to-date virus definition
data have been applied.
Use server-based anti-virus software to protect your
network.

17

Antivirus Technology
How to clean virus?

All activities on infected machine should be stopped and it

should be detached from the network.

Recover from backup is the most secure and effective way

to recover the system and files.

In some cases, you may recover the boot sector, partition

table and even the BIOS data using the emergency recovery
disk.

In case you do not have the latest backup of your files, you
may try to remove the virus using anti-virus software.

18

Antivirus Technology
How to clean virus?
The steps to reinstall the whole system
1.

Reboot the PC using a clean startup disk.

2.

Type in MBR to rewrite the Master Boot Record.

3.

Format DOS partitions.

4.

Reinstall Windows XP or other os and other applications.

5.

Install Antivirus Software and apply the latest virus

definition data.

19

Antivirus Technology
Best Practices
Regular Backup
Backup your programs and data regularly. Recover from backup is the most
secure way to restore the files after a virus attack.
Install Anti-virus Software
Install an anti-virus software to protect your machine and make sure that an
up-to-date virus definition file has been applied.

Daily Virus Scan

Schedule a daily scan to check for viruses. The schedule scan could be done
in non-peak hours, such as during the lunch-break or after office hour.
Check Downloaded Files And Email Attachments
Do not execute any downloads and attachment unless you are sure what it
will do

20

Conclusion
Be careful when use new software and files
Be alert for virus activities
Be calm when virus attacks

21

Thank You

22