
WELCOME TO THE SEMINAR ON COMPUTER VIRUS

PREPARED BY SUSMITA HORROW

VIRUS = VITAL RESOURCES UNDER SIEGE
Viruses are...
• Executable computer programs, intended to alter the behaviour of the system without the permission or knowledge of the user.
• They attach themselves to the computer startup area and to executable files.
• When activated, they may damage files, cause erratic system behaviour or display messages, corrupt programs, or delete or erase the disk.
STRUCTURE OF A BIOLOGICAL VIRUS
• PROTEIN SHEATH: protects the virus from the defence system of the host.
• GENETIC MATERIAL (DNA/RNA): determines the behaviour of the virus.
VIRAL CYCLE (diagram): the VIRUS enters the HOST, giving an INFECTED HOST; the genetic material in the infected host PRODUCES NEW VIRUS.
ANATOMY OF COMPUTER VIRUS (diagram)
BIOLOGICAL VIRUS: protein sheath, DNA/RNA
COMPUTER VIRUS: concealer, payload, replicator
VIRUS ANATOMY
• A computer virus consists of code, written in any programming language. Various parts of the program perform various tasks, and they are named accordingly.
REPLICATOR
Ensures the survival of the virus on a system. It appends itself to legitimate programs; each time the program is run the virus 'wakes up' and starts to reproduce.
CONCEALER
Hides the virus so that the antivirus cannot catch it. Technique used: polymorphism.
PAYLOAD
Designed to alter system behaviour.
Sources of infection
• A virus can be attached to any file that you copy to your computer.
• If you download files from the Internet, the virus becomes active when you execute the infected downloaded file.
• Copying programs or files from friends on floppy disks, pen drives or CDs which are virus infected.
• Many viruses are spread through e-mail, messenger messages, attachments and files. Today's viruses, like Klez, are very dangerous because you do not even have to open an e-mail attachment to release the virus. Just opening the e-mail itself can release the dangerous bug.
• By using pirated software.
What do viruses do?
INFECT:
• Executable program files
• Word processing and spreadsheet files
• Operating system programs
• Master boot records
• Disks used to transfer programs
BY CAUSING CHANGES IN:
• The length of executable (*.com/*.exe) files
• The file date/time in the directory listing
• The file content
• Some viruses can avoid showing the changes they have made to files, especially if they are active in RAM.
First generation: simple viruses
• Do nothing very significant other than replicate.
• Do nothing to hide their presence on a system.
• They can be detected by an increase in the size of files or the presence of a distinctive pattern in an infected file.
Problem with simple viruses:
• Repeated infection of the host leads to depleted memory and early detection.
• In the case of boot sector viruses, this could (depending on strategy) cause a long chain of linked sectors.
• In the case of a program-infecting virus, repeated infection may result in continual extension of the host program each time it is re-infected.
• This leads to early detection of the virus.
Second generation: Self-recognition
• Implant a unique signature to signal that the file or system is infected.
• A virus signature can be a characteristic sequence of bytes at a known offset on disk or in memory, a specific feature of the directory entry (e.g., alteration time or file length), or a special system call available only when the virus is active in memory.
• Example: the signature of the Jerusalem virus is 0xE9, 0x92, 0, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20.

Self-recognition flowchart (diagram): CHECK FOR SIGNATURE. Is the SIGNATURE PRESENT? YES: DO NOT INFECT. NO: INFECT.

ADVANTAGE: The signature provides a method of detection.


Third Generation: Stealth
These viruses try to conceal themselves by various techniques, as follows:
• They trick anti-virus software by intercepting its requests to the operating system.
• Example: When anti-virus software requests to read the file, the request is passed to the virus instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that the file seems "clean". The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
• They may either redirect the disk head to read another sector instead of the one in which they reside, or they may alter the infected file's size as shown in the directory listing.
• Example: The Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale
Fourth Generation: Armored
• This "armoring" includes adding confusing and unnecessary code to make it more difficult to analyze the virus code.
• The defenses may also take the form of directed attacks against anti-virus software, if present on the affected system. These viruses started appearing in 1990.
Fifth Generation: Polymorphic
• These viruses infect their targets with a modified or encrypted version of themselves. The virus in the altered file will not be identifiable through the use of simple byte matching.
• This is done by:
1. Varying the code sequences written to the file (but still functionally equivalent to the original)
2. Generating a different, random encryption key
• Some virus authors have released virus "toolkits" that can be incorporated into a complete virus to give it polymorphic capabilities.
• Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil,
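The following Python is an added example, not the slide author's code. It shows the second-generation idea of a byte-matching scanner, using the Jerusalem signature bytes given on the slides, and then the fifth-generation case: the same body stored under a different single-byte XOR key each time no longer matches the plain signature, while a scanner that undoes the encoding before matching (as an emulating scanner does) still catches it. The two sample buffers, the offset of 32 and the XOR scheme are constructed for this example; the slides give the signature but not its offset. The file-virus slide later repeats this same signature, so this block serves that passage too.

```python
"""Signature matching, and why a polymorphic variant defeats plain byte matching."""
import secrets
from typing import Optional

# Signature of the Jerusalem virus as given on the slides.
JERUSALEM_SIGNATURE = bytes([0xE9, 0x92, 0x00, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20])

# Constructed sample "files" (not real program code). The slides do not give the
# offset of the signature, so placing it at offset 32 is an assumption here.
CLEAN_SAMPLE = b"MZ" + bytes(62)
INFECTED_SAMPLE = b"MZ" + bytes(30) + JERUSALEM_SIGNATURE + bytes(22)


def has_signature(data: bytes, signature: bytes, offset: Optional[int] = None) -> bool:
    """Byte match. With an offset, only that position is tested (the cheap
    self-recognition check a virus performs on its host); without one the whole
    buffer is searched, the way a simple scanner works."""
    if offset is not None:
        return data[offset:offset + len(signature)] == signature
    return signature in data


def xor_encode(body: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in body)


def make_variant(body: bytes, key: Optional[int] = None) -> bytes:
    """Toy model of a fifth-generation variant: identical body, fresh key each
    time. The key is kept in the clear in front of the encoded body, which is
    what any real decryptor must also do so the body can be recovered later."""
    if key is None:
        key = secrets.randbelow(255) + 1   # 1..255; key 0 would change nothing
    return bytes([key]) + xor_encode(body, key)


def scan_with_decode(variant: bytes, signature: bytes) -> bool:
    """What a decrypting/emulating scanner does: strip the encoding layer first,
    then byte-match the recovered body."""
    key, encoded = variant[0], variant[1:]
    return has_signature(xor_encode(encoded, key), signature)


if __name__ == "__main__":
    print("plain infected sample detected:", has_signature(INFECTED_SAMPLE, JERUSALEM_SIGNATURE))
    for k in (0x5A, 0xA7):
        v = make_variant(INFECTED_SAMPLE, k)
        print(f"variant key {k:#04x}: byte match {has_signature(v, JERUSALEM_SIGNATURE)}, "
              f"decode-then-match {scan_with_decode(v, JERUSALEM_SIGNATURE)}")
```

Two variants of the same body share no signature bytes, so a scanner keyed to the plain body needs either the invariant part of the variant (the decoding step itself) or a decode-then-scan pass; this is the reason the slide says simple byte matching fails.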
GENERATION OF VIRUS (SUMMARY)
• Fifth generation: Polymorphic. Infect the targets with an encrypted version.
• Fourth generation: Armored. Add confusing code and make the virus difficult to understand.
• Third generation: Stealth. Try to conceal themselves by certain techniques.
• Second generation: Self-recognition. Signature.
• First generation: Simple. Replication.
CLASSIFICATION OF VIRUSES
BASIS: The way the virus attaches to the host

• Shell viruses: a shell virus forms a "shell" around the original code.
• Add-on viruses: they append their code to the host code, and/or relocate the host code and insert their own code at the beginning.
• Intrusive viruses: intrusive viruses overwrite some or all of the original host code with viral code.
SHELL VIRUS (diagram): memory locations 100 to 107. Before infection the HOST occupies these locations; after infection the VIRUS occupies the lower locations and the HOST code has been moved above it.

The virus moves the original code to a new location. When the virus is finished executing, it retrieves the host program code and begins its execution.
SHELL VIRUSES
HOST PROGRAM:
  main()
  {
      // genuine code
      ----------------
  }

INFECTED PROGRAM:
  main()
  {
      // virus code
      ----------------
      genuine_code();
  }
  genuine_code()
  {
      ----------------
  }

• It forms a "shell" around the original code.
• In effect, the virus becomes the program, and the original host program becomes an internal subroutine of the viral code.
EX: BOOT PROGRAM VIRUS
ADD ON VIRUSES
• They function by appending their code to the host code, and/or by relocating the host code and inserting their own code at the beginning.
• They then alter the startup information of the program, executing the viral code before the code for the main program.
• The host code is left almost completely untouched; the growth of the file indicates the presence of the virus.
(Diagram: UNINFECTED PROGRAM versus INFECTED PROGRAM with VIRUS CODE appended.)
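An added example in Python, not taken from the slides: a baseline-and-compare integrity checker for the changes these slides name as signs of infection, namely file growth from appended code (the add-on case above and the first-generation slide's "increase in size of files"), changed content and a changed date stamp. It also performs the cross-view check the stealth slide motivates: the size in the directory listing against the number of bytes a raw read returns, which differ when a stealth virus adjusts the listing the way the Whale example does. The file names, contents and the 64 appended bytes in the demonstration are constructed.

```python
"""Baseline-and-compare integrity check for the file changes the slides list."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# (size in the directory listing, size actually read, date/time stamp, sha256)
Record = Tuple[int, int, float, str]


def fingerprint(path: str) -> Record:
    st = os.stat(path)                      # what the directory listing reports
    with open(path, "rb") as f:
        data = f.read()                     # what a raw read returns
    return st.st_size, len(data), st.st_mtime, hashlib.sha256(data).hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, Record]:
    return {p: fingerprint(p) for p in paths}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[str]:
    """Report growth, changed content, changed date stamp, new and missing files,
    and any file whose listed size disagrees with its read size (cross-view)."""
    findings: List[str] = []
    for path, (listed, read, mtime, digest) in current.items():
        if listed != read:
            findings.append(f"STEALTH?   {path}: listed {listed} bytes, read {read} bytes")
        if path not in baseline:
            findings.append(f"NEW FILE   {path}")
            continue
        _b_listed, b_read, b_mtime, b_digest = baseline[path]
        if read > b_read:
            findings.append(f"GREW       {path}: {b_read} -> {read} bytes (+{read - b_read})")
        if digest != b_digest:
            findings.append(f"CONTENT    {path}: hash changed")
        if mtime != b_mtime:
            findings.append(f"TIMESTAMP  {path}: date/time stamp changed")
    for path in baseline:
        if path not in current:
            findings.append(f"MISSING    {path}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: two 'programs'; 64 bytes are later appended to one
    of them, the way an add-on virus grows its host. Returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "HOST.COM")
        other = os.path.join(d, "OTHER.COM")
        for p in (host, other):
            with open(p, "wb") as f:
                f.write(b"\x90" * 256)      # constructed host code, 256 bytes
        baseline = snapshot([host, other])
        with open(host, "ab") as f:
            f.write(b"\xCC" * 64)           # constructed appended 'viral code'
        return compare(baseline, snapshot([host, other]))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The baseline must be taken on a system known to be clean and stored where the checked system cannot rewrite it; on a live infected system both the listing and the raw read can be intercepted, which is why the stealth slide recommends booting from clean media before trusting either view.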
INTRUSIVE VIRUS
• Intrusive viruses operate by overwriting some or all of the original host code with viral code.
• The replacement might be:
1. Selective, as in replacing a subroutine with the virus,
2. Insertion of a new interrupt vector and routine,
3. Extensive, as when large portions of the host program are completely replaced by the viral code.
(Diagram: UNINFECTED PROGRAM versus INFECTED PROGRAM with VIRUS CODE overwriting part of the host.)
BASIS: how viruses are activated & select new targets

TRANSIENT (DIRECT VIRUSES)
• They operate only for a short time when the infected program is executing viral code, and they go directly to disk to seek out programs to infect.

RESIDENT (INDIRECT VIRUSES)
• They remain resident in memory once their code has been executed and their host program has terminated.
• The virus potentially can spread to any or all programs in the system during the entire work session (until the system is rebooted to clear the virus from memory). These viruses are also known as TSR (Terminate and Stay Resident) viruses.
BASIS: HOST WHICH IS AFFECTED BY VIRUS
• BOOT SECTOR VIRUS: affects the boot sector
• PARTITION TABLE VIRUS: affects the partition table
• FILE VIRUS: affects program files
• MACRO VIRUS: affects macros
• NETWORK VIRUS: affects files coming from the Internet
• MULTIPARTITE VIRUS: both program and boot virus
BOOT SECTOR VIRUS
It is also called a bimodal virus. These viruses infect floppy disk boot records or master boot records on hard disks.
Booting means restarting the computer. It is done by the BOOTSTRAP LOADER PROGRAM, which loads the BOOT SECTOR into memory.
EX: Form, Disk Killer, Michelangelo, and Stone virus

Boot sector layout (diagram, NORMAL versus INFECTED): TRACK 0, SIDE 0, SECTOR 1 holds the BOOT SECTOR, made up of the BOOT PARAMETER and the DISK BOOTSTRAP PROGRAM (D.B.P). On the infected disk the VIRUS has taken the place of the D.B.P.

Memory during booting (diagram, NORMAL versus INFECTED, in the slide's units): locations 0x413/0x414 hold the BASE MEMORY SIZE. Normal: base memory size = 50; the DISK BOOTSTRAP PROGRAM is loaded at 100, above the BIOS and the IVT. Infected: a VIRUS of size 10 loads at the top of base memory (140 to 150) and the recorded base memory size becomes 50-10=40; the slide shows the VIRUS at 100, where the disk bootstrap program sat in the normal case.
Spreading of virus from one disk to another.
If we copy files from an infected disk to a clean disk.....

(Diagram, NORMAL versus INFECTED.) Normal: DOS makes a CALL TO a ROM BIOS ROUTINE through the IVT (INTERRUPT VECTOR TABLE), which reaches the ROM BIOS SUBROUTINE. Infected: the DOS INTERRUPT is taken BY the TSR VIRUS, whose entry now sits in the IVT, so the CALL goes TO the VIRUS ROUTINE; the VIRUS then TRANSFERS CONTROL TO the ROM BIOS routine.


PARTITION TABLE VIRUS
• This virus infects the partition table.
• The partition table is generally present at side 0, track 0, sector 1 of the hard disk.

MASTER BOOT RECORD layout (512 BYTES):
  CODE PART (MASTER BOOT PROGRAM): 446 BYTES
  DATA PART (partition table): 64 BYTES
  Signature: 2 bytes, 55 AA

• The master boot program does the booting of the system.
• The data part contains the following information:
1. where a partition begins or ends;
2. which is the bootable partition. The BOOTABLE PARTITION contains the boot sector (BOOT PARAMETER + DISK BOOTSTRAP PROGRAM).
Working of Partition Table Virus
(Diagram: on the clean DISK the sector holds the CODE PART = MASTER BOOT PROGRAM followed by 55 AA; on the infected DISK the VIRUS occupies the code part and the MASTER BOOT PROGRAM has been moved elsewhere.)
1. The bootstrap loader program loads the infected boot sector.
2. Hence the virus gets loaded into memory.
3. It loads itself at the high end of memory.
4. It reduces the RAM size recorded in locations 0x413 & 0x414.
5. It steals interrupt 19 by altering the interrupt vector table.
6. It loads the Master Boot Program from the displaced position.
7. Control passes to the Disk Bootstrap Program and the normal booting process.
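The Python below is an added example, not from the slides, covering the two structures these slides describe a boot-time virus altering. It parses a 512-byte master boot record into its 446-byte code part, 64-byte partition table and 55 AA signature, hashes the master boot program so a replaced code part can be compared against a known-good value, and reads the base-memory word at 0x413/0x414 from a BIOS data area image to report memory that has gone missing. The sample sector and BIOS-data-area bytes are constructed (the code part is filler, not real boot code); the 16-byte partition entry layout (status, CHS start, type, CHS end, LBA start, sector count) is the standard one, and 640 KB as the expected base memory is an assumption for a PC of that era.

```python
"""Checks on the master boot record and the base-memory word a boot virus alters."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
CODE_PART_SIZE = 446            # master boot program
TABLE_OFFSET = 446              # data part: 4 entries x 16 bytes
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of the sector


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Split the sector into code part, partition entries and signature."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector ending in 55 AA")
    partitions: List[Dict] = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        entry = sector[start:start + ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "end_lba": start_lba + sectors - 1})
    return {"code_sha256": hashlib.sha256(sector[:CODE_PART_SIZE]).hexdigest(),
            "partitions": partitions}


def master_boot_program_changed(sector: bytes, known_good_sha256: str) -> bool:
    """True when the code part differs from the recorded clean master boot program."""
    return parse_mbr(sector)["code_sha256"] != known_good_sha256


def base_memory_kb(bios_data_area: bytes) -> int:
    """Word at 0040:0013 (linear 0x413-0x414), little-endian, base memory in KB."""
    return struct.unpack_from("<H", bios_data_area, 0x13)[0]


def missing_base_memory_kb(bios_data_area: bytes, expected_kb: int = 640) -> int:
    """How much base memory is unaccounted for; a resident boot virus that hides
    at the top of memory shows up here (the slide's 50 -> 40 example)."""
    return expected_kb - base_memory_kb(bios_data_area)


def make_sample_mbr() -> bytes:
    """Constructed sector: filler code part, one bootable partition, signature."""
    code = (b"\xFA\x33\xC0" + bytes(CODE_PART_SIZE))[:CODE_PART_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 1024000)
    table = entry + bytes(ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


def make_sample_bda(base_kb: int) -> bytes:
    """Constructed 256-byte BIOS data area image with the given base memory word."""
    bda = bytearray(256)
    struct.pack_into("<H", bda, 0x13, base_kb)
    return bytes(bda)


if __name__ == "__main__":
    info = parse_mbr(make_sample_mbr())
    print("master boot program sha256:", info["code_sha256"])
    for p in info["partitions"]:
        print(p)
    print("missing base memory KB:", missing_base_memory_kb(make_sample_bda(630)))
```

The known-good hash has to come from a sector read before any infection (for instance from the rescue disk set the protection slide recommends); a partition table virus that relocates the original master boot program still leaves the partition entries intact, so the hash of the code part, not the partition list, is what reveals it.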


#include <dos.h>

void interrupt our(void);
void interrupt (*prev)(void);
char far *scr = (char far *)0xB8000000L;   /* colour text-mode video memory */

/* REPLICATOR: hooks interrupt 9 (the keyboard handler) and stays resident */
main()
{
    unsigned long int far *p;
    p = (unsigned long int far *)36;              /* IVT entry for interrupt 9: 9 * 4 = 36 */
    prev = (void interrupt (*)(void))(*p);        /* save the previous interrupt 9 handler */
    *p = (unsigned long int)our;                  /* install our subroutine as the interrupt 9 handler */
    keep(0, 500);                                 /* virus reserves 500 * 16 bytes of memory and stays resident */
}

/* PAYLOAD: on every keystroke, swap the case of every letter on the screen */
void interrupt our(void)
{
    int i;
    for (i = 0; i <= 3999; i += 2)                /* 80 x 25 cells, 2 bytes each: character, attribute */
    {
        if (*(scr + i) >= 'A' && *(scr + i) <= 'Z')
            *(scr + i) += 32;
        else if (*(scr + i) >= 'a' && *(scr + i) <= 'z')
            *(scr + i) -= 32;
    }
    (*prev)();                                    /* chain to the original keyboard handler */
}

(Diagram: the IVT entry p, which pointed to prev, is redirected to our; the resident block of 500 paragraphs holds our.)
FILE VIRUSES
• They attach themselves to any number of system files having the extensions .EXE, .COM, .SYS, .PRG, .OVL, and .MNU.
• As these files run on the machine, the viruses get activated and start duplicating. Eventually, the viruses spread through the whole of your machine.
• Some file infector viruses may stay in your system's memory and keep infecting files from there.
• Some may change the content of the file.
• The only way to detect them is to check the reduction in base memory size.
• Antivirus software looks for the signature of the virus to detect it.
• Example: the signature of the Jerusalem virus is 0xE9, 0x92, 0, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20.
MACRO VIRUSES
• Macro viruses are the commonest, simplest and easiest to spread of all the computer viruses.
• Usually they affect MS Office files such as MS Word files, Excel sheets, Access databases, and PowerPoint.
• Macro viruses are coded in Visual Basic (VB) and blight your system when the application with which they are associated is running.
• An example of macro virus impact is the insertion of some data in the spreadsheet your system processes.
• Melissa.A, Bablas.Pc, DMV, Nuclear and Word Concept are a few common macro viruses.
NETWORK VIRUSES
They originate from and affect computer networks such as LAN and
WAN.
Network viruses defile any shared computer resources such as
folders, files, drives etc.
These viruses keep spreading from one system of an infected
network to another.
Nimda and SQLSlammer are two examples of network viruses.
MULTIPARTITE VIRUSES
Multipartite viruses are both program and boot viruses.
Their nature is a mix of more than one type of virus, and they spread through infected media.
For example, viruses acting both as an MBR virus and as a file infector virus. Examples: Invader, Flip, and Tequila.
For example, if you run a word processing program infected with
the Tequila virus, the virus activates and infects your hard disk boot
record. Then, the next time you boot your computer, the Tequila
virus activates again and starts infecting every program you use,
whether it is on a hard or floppy disk.
TROJAN HORSE
• Trojan horses are programs that appear to serve some useful purpose or provide entertainment, which encourages you to run them. But the program also serves a covert purpose, which may be to damage files or place a virus on your computer.
• For example, a saxophone.wav file that interests a person collecting sound samples of instruments. But it can steal his passwords and send an e-mail to the hacker's fake name, and then the hacker has his account in his hands.
• A Trojan horse is not a virus because it does not replicate and spread like a virus. To ensure the safety of your computer, antivirus software detects Trojan horses so you can delete them from your computer.
Companion virus
•It is a form of trojan horse that uses the execution path
mechanism to execute in place of a normal program.
•It does not alter any existing code in any fashion.
• The companion viruses create new executable files with a name
similar to an existing program, and chosen so that they are
normally executed prior to the “real” program.
• They are known as companion viruses because once they get
into the system they "accompany" the other files that already exist.
• Some companion viruses create a .COM file with a name identical to an existing .EXE file. E.g., the companion virus might create a file named CHKDSK.COM and place it in the same directory as CHKDSK.EXE. Whenever DOS must choose between executing two files of the same name where one has an .EXE extension and the other a .COM extension, it executes the .COM file.
• Some examples include: Stator, Asimov.1539, and Terrax.1069
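An added Python example, not part of the slides: a check that lists .COM files which would run ahead of a same-named .EXE (the CHKDSK.COM beside CHKDSK.EXE case above) and, going beyond the same-directory case on the slide, shows which file DOS would pick first when a command name exists in several directories of the search path. The file names and PATH directories are constructed sample input; the precedence order .COM, .EXE, .BAT is DOS's own rule for a bare command name.

```python
"""Finding companion-style name collisions in a directory and along the search path."""
import os
from typing import Dict, List, Tuple

# Order in which DOS picks among same-named files when only the name is typed.
PRECEDENCE = [".COM", ".EXE", ".BAT"]


def companion_candidates(filenames: List[str]) -> List[Tuple[str, str]]:
    """Return (shadowing, shadowed) pairs: a file that runs ahead of another
    program of the same base name in the same directory. Names are compared
    case-insensitively, as DOS does."""
    by_base: Dict[str, Dict[str, str]] = {}
    for name in filenames:
        base, ext = os.path.splitext(name)
        ext = ext.upper()
        if ext in PRECEDENCE:
            by_base.setdefault(base.upper(), {})[ext] = name
    pairs: List[Tuple[str, str]] = []
    for base in sorted(by_base):
        present = [e for e in PRECEDENCE if e in by_base[base]]
        winner = by_base[base][present[0]]
        for ext in present[1:]:
            pairs.append((winner, by_base[base][ext]))
    return pairs


def execution_candidates(search_path: List[Tuple[str, List[str]]],
                         command: str) -> List[Tuple[str, str]]:
    """Order in which DOS would consider files for `command`: directories in
    PATH order, and within each directory the extension precedence. More than
    one hit means the first entry shadows the rest."""
    command = command.upper()
    found: List[Tuple[str, str]] = []
    for directory, names in search_path:
        upper = {n.upper(): n for n in names}
        for ext in PRECEDENCE:
            if command + ext in upper:
                found.append((directory, upper[command + ext]))
    return found


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Run companion_candidates over a real directory on disk."""
    return companion_candidates(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample input: one directory listing and a two-directory PATH.
    print(companion_candidates(["CHKDSK.EXE", "CHKDSK.COM", "FORMAT.EXE", "README.TXT"]))
    sample_path = [("C:\\TEMP", ["CHKDSK.COM"]), ("C:\\DOS", ["CHKDSK.EXE", "FORMAT.COM"])]
    print(execution_candidates(sample_path, "chkdsk"))
```

A hit is a candidate for review rather than proof of infection, since the pair may be legitimate; what makes it worth a look is exactly the property the slide describes, that the shadowing file runs without the original having been altered at all, so the file-growth and hash checks used against add-on viruses would not notice it.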
WORM
• A worm is a virus program that copies and multiplies itself by using computer networks and security flaws. Worms are more complex than Trojan viruses, and usually attack multi-user systems such as Unix environments, and can spread over corporate networks via the circulation of emails. Once multiplied, the copied worms scan the network for further loopholes and flaws in the network.
• They take up most of the memory space, and there is a lack of space to run an application.
• A classic example of a worm is the ILOVEYOU virus.
• Worms, however, proliferate as simple emails without attachments. They cannot be spread as attachments.
Warning Signs of Virus Infection
•Your computer starts running sluggishly.
•Programs take longer to load. Memory-intensive operations take
a lot of time to start.
•It shuts down unexpectedly or crashes frequently. Programs
may hang the computer or not work at all.
•It experiences memory problems or runs out of disc space.
Increased use of disk space and growth in file size as the virus
attaches itself to many files.
•Unusual files or directories appear on your system.
•A change in dates against the filenames in the directory. When
the virus modifies a file the operating system changes the date
stamp.
•The floppy disk or hard disk is suddenly accessed without
logical reason.
Warning Signs of Virus Infection (continued)
• Abnormal write-protect errors as virus tries to write
to a protected disk.
• Strange characters appear in the directory listing of
filenames.
• Strange messages like "Type Happy Birthday Joshi"
(Joshi Virus) or "Driver Memory Error" (kak.worm)
appear on the screen and in documents.
• Strange graphic displays such as falling letters or a
bouncing ball appear on screen.
• Junk characters overwrite text in document or data
files.
What do viruses not do?
• Viruses do not damage hardware, such as keyboards or monitors. They infect the programs controlling the hardware.
• Strange behaviours such as screen distortion or characters not appearing when typed are due to virus-infected programs.
• Not even your disks are physically damaged; only the data stored on them gets infected. Viruses can only infect files and corrupt data.
• Viruses do not infect write-protected disks or text-based email messages.
How to Protect Your Computer from Viruses
• Work on a more secure operating system like Unix or Linux.
• For an unsecured operating system, buy virus protection software.
• Make sure automatic protection is turned on at all times.
• Perform a manual scan (or schedule a scan to occur automatically) of your hard disks weekly.
• Enable automatic live update to update your virus definition files.
• Buy legal copies of all software you use and make write-protected backups.
• Avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs.
• Create and maintain an antivirus rescue disk set to facilitate recovery from certain boot viruses.
• Make sure that Macro Virus Protection is enabled in all Microsoft applications, and NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.
Protection against email viruses
• Don't open email messages and email attachments from people you don't know. Newer viruses can send email messages that appear to be from a person you know.
• Do not set your email program to "auto-run" attachments.
• Disable email preview in MS Outlook and Outlook Express.
• Password-protect your shared network drives.
• Never double-click on an e-mail attachment that contains an executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF), etc., are data files and can do no damage (unless there is a macro virus). However, some viruses can now come in through .JPG graphic file attachments.
• If you run a file with an extension like EXE, COM or VBS, then the executable can do any sort of damage it wants.
• So never run executables that arrive via e-mail.
THANK YOU
