A Seminar Report On

Computer Virus
Submitted at:
Electronics & Communication Engineering Department Institute of Diploma Studies Nirma University

Submitted By:
DarjiNirav M (08DEC048) ParmarYogesh N. (08DEC041)

Guided By:
Mr. AmitRaval

Diploma In Electronics & Communication Engineering Semester VI Year 2010-11

INSTITUTE OF DIPLOMASTUDIES NIRMA UNIVERSITY

AHMEDABAD (GUJARAT-INDIA) 382481

Computer Virus

Page 1

NIRMA UNIVERSITY INSTITUTE OF DIPLOMA STUDIES

AHMEDABAD (GUJARAT-INDIA) 382481

CERTIFICATE
This is to certify that Mr.DarjiNirav M A Reg. No. 08DEC048 of Semester VI Diploma in Electronics & Communication Engineering has satisfactorily completed the practical work in the course of SEMINAR at institute. He has prepared the seminar entitled Computer Virus and presented the same.

Computer Virus

Page 2

NIRMA UNIVERSITY INSTITUTE OF DIPLOMA STUDIES

AHMEDABAD (GUJARAT-INDIA) 382481

CERTIFICATE
This is to certify that Mr.ParmarYogesh N. A Reg. No. 08DEC041 of Semester VI Diploma in Electronics & Communication Engineering has satisfactorily completed the practical work in the course of SEMINAR at institute. He has prepared the seminar entitled Computer Virus and presented the same.

Computer Virus

Page 3

ACKNOWLEDGEMENT

In the accomplishment of any task there is not a contribution of a single person but many people contribute in it. My Seminar is also not different than this. So now I got the chance to acknowledge those people who contributed significantly throughout my Seminar. First of all I would like to heartily thank my seminar guide, Mr. AmitRaval. He gave me basic and primary knowledge about my topic and also guided me how to prepare seminar with report. He also gave me important tips in improving presentation skills. Thank you Sir for your support and sir without your support this seminar presentation would have been unimaginable. At this occasion I would also like to thank my colleagues. I have learnt many things about my topic through discussing with them. I would also like to thank our Head of the Department, Prof. Jayesh Patel and Electronics & Communication Engineering Department, Institute of Diploma Studies, Nirma University for providing me this golden opportunity. Regardless of the source, I wish to express my gratitude to those who may have contributed to this work even though anonymously.

Computer Virus

Page 4

Abstract
COMPUTER VIRUS Virus = [Vital Information Resources Under Seize]

In recent years the detection of computer viruses has become common place. It appears that for the most part these viruses have been benign or only mildly destructive. However, whether or not computer viruses have the potential to cause major and prolonged disruptions of computing environments is an open question.

Computer Virus

Page 5

Index
Sr. No. 1 2 3 4 5 History of Computer Virus What is Computer Virus & How it works? How Does A Computer Get A Virus ? Symptoms Of A Computer Virus Different Types Of Computer Virus 1. 2. 3. 4. 5. 6. 7. 6 7 8 9 10 Trojan Horse & Resident Visrus Direct Action & Overwrite Virus Boot Virus Macro Virus & Worms Email Virus Stealth Virus Companion Virus 16 17 19 20 21 Topics Page no. 7 8 9 11 12

Difference Between A Virus, Worm & Trojan Horse Top 5 Deadliest Viruses How Antivirus Software Works? Different Antivirus Software Reference

Computer Virus

Page 6

History Of Computer Virus

Before 1988, the word "virus" had a strictly biological meaning. In that year, Robert Morris wrote and released the first "Internet worm", forcing everyone in the computer community to immediately consider this new electronic threat. While Morris created his virus to demonstrate a security flaw in ARPANET,(Advanced Research Projects Agency Network) the predecessor to the Internet, today's virus writers often have a more malicious intent. The Internet today spans the globe and serves billions of users, providing an environment in which a single virus can conceivably cause rapid and widespread damage to systems throughout the world.

Computer Virus

Page 7

What Is Computer Virus & How Its Works?

Computer Virus is a kind of malicious software written intentionally to enter a computer without the users permission or knowledge, with an ability to replicate itself, thus continuing to spread. Some viruses do little but replicate others can cause severe harm or adversely effect program and performance of the system. A file virus attaches itself to a file usually an executable application (e.g. a word processing program or a DOS program). In general, file viruses don't infect data files. However, data files can contain embedded executable code such as macros, which may be used by virus or Trojan writers. Recent versions of Microsoft Word are particularly vulnerable to this kind of threat. Text files such as batch files, postscript files, and source code which contain commands that can be compiled or interpreted by another program are potential targets for malware (malicious software), though such malwares not at present common.

Computer Virus

Page 8

How Does A Computer Get A Virus

There are literally dozens of different ways a computer can become infected with spyware, viruses, and other malware. Below is a list of the most common ways a computer can contract these infections listed in the order we believe are most commonly done.

1. Accepting without reading By far one of the most common ways a computer becomes infected is the user accepts what he or she sees on the screen without reading the prompt or understand what it's asking. Some common examples: 1. While browsing the Internet, an Internet advertisement or window appears that says your computer is infected or that a unique plug-in is required. Without fully understanding what it is you're getting, you accept the prompt. 2. When installing or updating a program, you're prompted (often checkboxes already checked) if it's ok to install additional programs that you may not want or are designed to monitor your usage of the program. 2. Opening e-mail attachments Another very common way people become infected with viruses and other spyware is by opening e-mail attachments, even when from a co-worker, friend, or family member. E-mail addresses can be easily faked and even when not faked your acquaintance may unsuspectingly be forwarding you an infected file. When receiving an e-mail with an attachment, if the e-mail was not expected or from someone you don't know delete it. If the e-mail is from someone you know, be cautious when opening the attachment.

3. Not running the latest updates Many of the updates, especially those associated with Microsoft Windows and other operating systems and programs, are security updates. Running a program or operating system that is not up-to-date with the latest updates can be a big security risk and can be a way your computer becomes infected.

Computer Virus

Page 9

4. Pirating software, music, or movies If you or someone on your computer is participating in underground places on the Internet where you're downloading copyrighted music, movies, software, etc. for free, often many of the files can contain viruses, spyware or malicious software. 5. No anti-virus spyware scanner If you're running a computer with Microsoft Windows it's highly recommended you have some form of anti-virus and spyware protection on that computer to help clean it from any infections currently on the computer and to help prevent any future infections. 6. Downloading infected software Finally, downloading any other software from the Internet can also contain viruses and other malware. When downloading any software (programs, utilities, games, updates, demos, etc.), make sure you're downloading the software from a reliable source and while installing it you're reading all prompts about what the program is putting on your computer.

Computer Virus

Page 10

Symptoms Of A Computer Virus

The following are some primary indicators that a computer may be infected:
y y y y y y y y y y y y y y y

The computer runs slower than usual. The computer stops responding, or it locks up frequently. The computer crashes, and then it restarts every few minutes. The computer restarts on its own. Additionally, the computer does not run as usual. Applications on the computer do not work correctly. Disks or disk drives are inaccessible. You cannot print items correctly. You see unusual error messages. You see distorted menus and dialog boxes. There is a double extension on an attachment that you recently opened, such as a .jpg, .vbs, .gif, or .exe. extension. An antivirus program is disabled for no reason. Additionally, the antivirus program cannot be restarted. An antivirus program cannot be installed on the computer, or the antivirus program will not run. New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs. Strange sounds or music plays from the speakers unexpectedly. A program disappears from the computer even though you did not intentionally remove the program.

Computer Virus

Page 11

Different Types Of Computer Virus

1. Trojan Horse
As mentioned earlier on, the term "Trojan horse" was taken from a clever Greek plan described by Homer in the Iliad. After seemingly abandoning the siege of Troy, the Greeks placed armed men inside a huge wooden horse. The horse was Welcomed into the city by the Trojans, who believed it was a symbol of peace; they slept while the Greeks exited the Horse and opened the gates allowing the Greek army into Troy, conquering the city. Operations that could be performed by a hacker on a target computer system include: * Use of the machine as part of a botnet * Data theft (e.g. retrieving passwords or credit card information) * Installation of software, including third-party malware * Downloading or uploading of files on the user's computer * Modification or deletion of files * Keystroke logging * Watching the user's screen * Crashing the computer Trojan horses in this way require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. It is possible for individual hackers to scan computers on a network using a port scanner in the hope of finding one with a malicious Trojan horse installed, which the hacker can then use to control the target computer.

2. Resident Virus
A resident virus is a computer virus which embeds itself into the memory on a computer, activating whenever the operating system performs a specific function so that it can infect files on the computer. This method of viral infection is in contrast with a non-resident virus, which actively seeks out files to infect. Resident viruses can be quite pernicious, as they may spread through a system so thoroughly that they even attach to antivirus programs, infecting the very things they scan for signs of viral infection. Removing a resident virus which has embedded itself in a computer's memory can be a challenge. The virus may be designed to resist the actions of conventional antivirus software, or as discussed above, to exploit the software. A specialized virus removal tool may be needed to extract the virus from memory. In some cases, the services of an information technology professional may be needed to completely clear a computer of infection. When a resident virus is identified by an antivirus company or a designer of operating systems, a patch is often released. This may be an update to an antivirus program which allows the program to remove the virus, or it may take the form of a virus removal tool which the computer user can run to get the resident virus out of memory. Computer Virus Page 12

3. Direct Action Virus

The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

4. Overwrite Virus
Virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

5. Boot Virus
This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information on the disk itself is stored together with a program that makes it possible to boot the computer from the disk. The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never start your computer with an unknown floppy disk in the disk drive.

6. Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.

7. Worms
Computer worms are programs that reproduce, execute independently and travel across the network connections. The key difference between a virus and worm is the manner in which it reproduces and spreads. A virus is dependent upon the host file or boot sector, and the transfer of files between computers to spread, whereas a computer worm can execute completely independently and spread on its own accord through network connections.

Computer Virus

Page 13

The security threat from worms is equivalent to that of viruses. Computer worms are skilled of doing an entire series of damage such as destroying crucial files in your system, slowing it down to a large degree, or even causing some critical programs to stop. Two types: 1) NETWORK- Computer Worms Network worms consist of multiple parts, called "segments. They each run on different machines (and possibly perform different actions) using the network for several communication purposes. Moving a segment from one machine to another is only one of their purposes. Network worms that have only one main segment will coordinate the work of the other segments; which are sometimes called "octopuses." 2) HOST- Computer Worms Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. Host computer worms are the original terminates after it launches a copy on to another host (so there is only one copy of the worm running somewhere on the network at any given moment). They are sometimes called "rabbits."

8. E-Mail Virus
The virus was originally created as a Word document and was then uploaded via email to an internet newsgroup. Any recipient who opened the email, downloaded the document and opened it on their computer, unknowingly triggered Melissa's payload. From there, the virus sent itself as a document to the first 50 contacts in the victim's address book. The email was attached with a friendly note which included the recipient's name. This was done to make the virus appear harmless and trick them into opening it. It then created 50 new infected documents from that victim's machine. At this continuous rate, Melissa quickly became the fastest spreading virus seen by anyone at the time. The virus was so severe that it resulted in a number of large commercial companies disabling their email systems. Melissa was so powerful because it capitalized on a vulnerability found in the Microsoft Word programming language known as VBA (Visual Basic for Applications). VBA is a complete language that can be programmed to perform actions such as modifying files and distributing emails. It also includes a rather useful yet dangerous function known as "auto-execute". The Melissa virus was programmed by inserting malicious code into a document, enabling it to be executed whenever someone opened it. The ILOVEYOU virus, which was first detected in May of 2000, was much more simple than Melissa. The malicious code it contained came in the form of an attachment. Any recipient who clicked on the attachment unknowingly executed the code. This email virus then distributed copies of itself to contacts in the user's address book, enabling the infection to spread at a rapid rate. Because ILOVEYOU was also known to unload different types of infections, some experts have labeled it a Trojan rather than a virus.

Computer Virus

Page 14

9. Stealth Virus
In computer security, a stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software. Typically, when an antivirus program runs, a stealth virus hides itself in memory, and uses various tricks to also hide changes it has made to any files or boot records. The virus may maintain a copy of the original, uninfected data and monitor system activity. When the program attempts to access data that's been altered, the virus redirects it to a storage area maintaining the original, uninfected data. A good antivirus program should be able to find a stealth virus by looking for evidence in memory as well as in areas that viruses usually attack.

10. Companion Virus

The COMPANION virus is one that, instead of modifying an existing file, creates a new program which is executed instead of the intended program. On exit, the new program executes the original program so that things appear normal. On PCs this has usually been accomplished by creating an infected .COM file with the same name as an existing .EXE file. Integrity checking anti-virus software that only looks for modifications in existing files will fail to detect such viruses.

Computer Virus

Page 15

Difference Between a Virus, Worm and Trojan Horse

Virus cannot replicate themselves but worm and Trojan can do that. A virus cannot be spread without a human action such as running an infected file or program but worm and Trojan have the capabilities to spread themselves automatically from computer to computer through network connation. A virus does not consume system memory but worm consumes too much system memory and network bandwidth because of their copying nature. Trojans are used by malicious users to access your computer information but viruses and worms cant do so, they simply infect your computer.

Computer Virus

Page 16

Top 5 Deadliest Virus

1. I Love You Virus
If you receive email with a subject line with the phrase I LOVE YOU (all one word, no spaces) in it DON'T OPEN the attachment named Love-Letter-For-You.txt.vbs. Over a five-hour period, during May 4, 2000, this virus spread across Asia, Europe and the United States via e-mail messages titled "ILOVEYOU." The menace clogged Web servers, overwrote personal files and caused corporate IT managers to shut down e-mail systems. A scan of the Visual Basic code included in the attachment reveals that the virus may be corrupting MP3 and JPEG files on users' hard drives, as well as mIRC, a version of Internet Relay Chat. It also appears to reset the default start page for Internet Explorer. This virus arrives as e-mail with the subject line "I Love You" and an attachment named "LoveLetter-For-You.txt.vbs." Opening the attachment infects your computer. The infection first scans your PC's memory for passwords, which are sent back to the virus's creator (a Web site in the Philippines which has since been shut down). The infection then replicates itself to everyone in your Outlook address book. Finally, the infection corrupts files ending with .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, .mp3 by overwriting them with a copy of itself.

2. Slammer
SQL Slammer is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes. So named by Christopher J. Rouland, the CTO of ISS, Slammer was first brought to the attention of the public by Michael Bacarella (see notes below). Although titled "SQL slammer worm", the program did not use the SQL language; it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products, for which a patch had been released six months earlier in MS02-039. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, W32/SQLSlammer and Helker

3. Storm
The latest virus on our list is the dreaded Storm Worm. It was late 2006 when computer security experts first identified the worm. The public began to call the virus the Storm Worm because one of the e-mail messages carrying the virus had as its subject "230 dead as storm batters Europe." Antivirus companies call the worm other names. For example, Symantec calls it Peacomm while McAfee refers to it as Nuwar. This might sound confusing, but there's already a 2001 virus called the W32.Storm.Worm. Computer Virus Page 17

4. Bagel (Net Sky)

The w32 bagle malware is part of a family of different viruses and Trojans. It continues to spread itself via email attachments and infects other computers.This malware installs itself when you download an email attachment. It executes and creates a file in your system directory called bbeagle.exe. It is particularly dangerous because the files look legitimate when downloading, and someone who isnt familiar with the internet may download them without knowing. It infects your computer by the attacker sending fake emails, and infecting other computers. It spreads like a chain to continuously damage even more computers. When you download one of the virus files, it executes, installs, and wrecks havoc on your system.

5. Nimda
The Nimda worm retrieves the list of addresses found in the address books of Microsoft Outlook and Eudora, as well as email addresses contained in HTML files found on the infected machine's hard drive. Next, the Nimda virus sends all of these recipients an email with an empty body and a subject chosen at random (and often very long). It adds to the message an attachment named Readme.exe or Readme.eml (file containing an executable). The viruses use an .eml extension to exploit a security flaw in Microsoft Internet Explorer 5. What's more, in Microsoft Windows the Nimda virus can spread over shared network folders, infecting executable files found there. Viewing Web pages on servers infected by the Nimda virus may lead to infection when a user views pages with the vulnerable Microsoft Internet Explorer 5 browser. The Nimda virus is also capable of taking control of a Microsoft IIS (Internet Information Server) Web server, by exploiting certain security holes. Finally, the virus infects executable files found on the contaminated machine, meaning that it can also spread by file transfers.

Computer Virus

Page 18

How Anti-Virus Software Works

Antivirus software typically uses a variety of strategies in detecting and removing viruses, worms and other malware programs. The following are the two most widely employed identification methods:

1. Signature-Based Detection
This is the most commonly employed method which involves searching for known patterns of virus within a given file. Every antivirus software will have a dictionary of sample malware codes called signatures in its database. Whenever a file is examined, the antivirus refers to the dictionary of sample codes present within its database and compares the same with the current file. If the piece of code within the file matches with the one in its dictionary then it is flagged and proper action is taken immediately so as to stop the virus from further replicating. The antivirus may choose to repair the file, quarantine or delete it permanently based on its potential risk. As new viruses and malwares are created and released every day, this method of detection cannot defend against new malwares unless their samples are collected and signatures are released by the antivirus software company. Some companies may also encourage the users to upload new viruses or variants, so that the virus can be analyzed and the signature can be added to the dictionary.

2. Heuristic-based detection
Heuristic-based detection involves identifying suspicious behavior from any given program which might indicate a potential risk. This approach is used by some of the sophisticated antivirus softwares to identify new malware and variants of known malware. Unlike the signature based approach, here the antivirus doesnt attempt to identify known viruses, but instead monitors the behavior of all programs. For example, malicious behaviors like a program trying to write data to an executable program is flagged and the user is alerted about this action. This method of detection gives an additional level of security from unidentified threats. File emulation: This is another type of heuristic-based approach where a given program is executed in a virtual environment and the actions performed by it are logged. Based on the actions logged, the antivirus software can determine if the program is malicious or not and carry out necessary actions in order to clean the infection.

Computer Virus

Page 19

Different Anti-Virus Software

1) AVG Anti-Virus 2) Avira Antivirus 3) Bit Defender 4) ESET NOD32 5) Kaspersky Anti-Virus 6) McAfee Antivirus 7) Norton Antivirus 8) Panda Antivirus 9) Quick Heal Antivirus 10) Trend Micro Antivirus etc.

Computer Virus

Page 20

References
y y y y y http://www.mines.edu/academic/computer/viri-sysadmin.htm http://www.google.com http:// www.shashachu.com http://www.wikipedia.org http://www.youtube.com

Computer Virus

Page 21