Evolution of the Computer viruses

Ingrīda Irguļska
ii05006
About Computer Viruses
The virus writing business - and it is a business - is becoming a powerful weapon in the hands of the
spammers. Infect a few thousand PCs with a backdoor then use their combined power to send
advertisements. Jump from 5 million emails per day to a couple of billion. Free to spammers, but very
costly for end users.
The Internet is no longer a safe place for everybody to do business. Spammers, virus writers and
hackers victimise legitimate users. Without up-to-date protection, everyone is vulnerable to
cybercrime.
Costin Raiu
Head of Research and Development
Kaspersky Labs Romania
The Beginning of the Computer Viruses
The term ``computer virus'' was formally defined by Fred Cohen in 1983, while he performed
academic experiments on a Digital Equipment Corporation VAX system. Viruses are
classified as being one of two types: research or ``in the wild.'' A research virus is one that has
been written for research or study purposes and has received almost no distribution to the
public. On the other hand, viruses which have been seen with any regularity are termed ``in
the wild.'' The first computer viruses were developed in the early 1980s. The first viruses
found in the wild were Apple II viruses, such as Elk Cloner, which was reported in 1981.
Viruses have now been found on the following platforms:
- Apple II
- IBM PC
- Macintosh
- Atari
- Amiga
Viruses have ``evolved'' over the years due to efforts by their authors to make the code more
difficult to detect, disassemble, and eradicate. This evolution has been especially apparent in
the IBM PC viruses, since there are more distinct viruses known for the DOS operating
system than for any other. The first IBM-PC virus appeared in 1986: the Brain virus.
Brain was a boot sector virus and remained resident. In 1987, Brain was followed by
Alameda (Yale), Cascade, Jerusalem, Lehigh, and Miami (South African Friday the 13th).
These viruses expanded the target executables to include COM and EXE files. Cascade was
encrypted to deter disassembly and detection. Variable encryption appeared in 1989 with the
1260 virus. Stealth viruses, which employ various techniques to avoid detection, also first
appeared in 1989, such as Zero Bug, Dark Avenger and Frodo (4096 or 4K). In 1990, self-modifying viruses, such as Whale, were introduced. The year 1991 brought the GP1 virus,
which is ``network-sensitive'' and attempts to steal Novell NetWare passwords. Since their
inception, viruses have become increasingly complex. Examples from the IBM-PC family of
viruses indicate that the most commonly detected viruses vary according to continent, but
Stoned, Brain, Cascade, and members of the Jerusalem family, have spread widely and
continue to appear. This implies that highly survivable viruses tend to be benign, replicate
many times before activation, or are somewhat innovative, utilizing some technique never
used before in a virus. Note that all viruses found in the wild target personal computers. As of
today, the overwhelming majority of virus strains are IBM PC viruses. However, as of August
1989, the numbers of PC, Atari ST, Amiga, and Macintosh viruses were almost identical (21,
22, 18, and 12 respectively). Academic studies have shown that viruses are possible for multi-tasking systems, but they have not yet appeared. It has been suggested that viruses for multi-user systems are too difficult to write. However, Fred Cohen required only ``8 hours of expert
work'' to build a virus that could penetrate a UNIX system. The most complex PC viruses
required a great deal more effort.
Yet, if we reject the hypothesis that viruses do not exist on multi-user systems because they
are too difficult to write, what reasons could exist? Perhaps the explosion of PC viruses (as
opposed to other personal computer systems) can provide a clue. The population of PCs and
PC compatibles is by far the largest. Additionally, personal computer users exchange disks
frequently. Exchanging disks is not required if the systems are all connected to a network. In
this case large numbers of systems may be infected through the use of shared network
resources.
One of the primary reasons that viruses have not been observed on multi-user systems is that
administrators of these systems are more likely to exchange source code rather than
executables. They tend to be more protective of copyrighted materials, so they exchange
locally developed or public domain software. It is more convenient to exchange source code,
since differences in hardware architecture may preclude exchanging executables.
The following additional conclusions can be made: to spread, viruses require a large
population of homogeneous systems and exchange of executable software.
Evolution of the Computer viruses
1986
The first PC virus was created. Known as the Brain virus, it was written in Pakistan. The
Brain virus was a boot-sector virus, which means it only infected the boot records of 360K
floppy disks, but not hard drives. It would occupy unused space on the disk so that it could
not be used. It was also the first "stealth" virus, meaning it tried to hide itself from detection.
If a computer user tried to view the infected space on the disk, Brain would display the
original, uninfected boot sector.
1987
In November, the Lehigh virus was discovered at Lehigh University in the U.S. It was the first
"memory resident file infector". A file-infecting virus attacks executable files. It gets control
when the file is opened. The Lehigh virus attacked a file called COMMAND.COM. When the
file was run (usually by booting from an infected disk), the virus stayed in the resident
memory.
In December, the Jerusalem virus appeared at Hebrew University in Israel. It was also a
memory resident file infector. It was the first virus that contained a bug that caused it to reinfect already infected programs.
1988
In March, the first anti-virus virus was written. It was designed to detect and remove the Brain
virus and immunized disks against Brain infection.
The Cascade virus was found in Germany. It was the first encrypted virus, meaning it was
coded so that it could not be changed or removed.
Viruses started getting media attention, with articles in magazines like Business Week,
Newsweek, Fortune, PC Magazine and Time.
1989
On September 17, the Washington Post reports that a computer virus "that springs to life
destructively on Friday the 13th is on the loose". The virus was called DataCrime and ended
up being blown way out of proportion.
A virus called Dark Avenger introduced a new feature. It was designed to damage a system
slowly, so it would go unnoticed at first and damaged files would be backed up.
In October, the Frodo virus turned up in Israel. It was the first full-stealth file infector,
designed to damage the hard drive if run on or after September 22 of any year.
1990
Many anti-virus products were introduced, including ones from IBM, McAfee, Digital
Dispatch and Iris.
Viruses combining various characteristics sprang up. They included polymorphism (encrypted
viruses whose decryption routine code is variable), armoring (used to prevent anti-virus
researchers from disassembling a virus) and multipartite infection (the ability to infect both
programs and boot sectors).
1991
Symantec releases Norton Anti-Virus software.
In April, the Tequila virus was discovered. It is stealth, polymorphic and multipartite!
1992
Media mayhem greeted the Michelangelo virus in March. Predictions of massive disruptions
were made and anti-virus software sales soared. As it turned out, cases of the virus were
few and far between. The Michelangelo virus is also referred to by some virus watchers as
Stoned.Michelangelo. Since then, a number of strains have been introduced, and it is now also
known by a variety of other names. This virus was also responsible for the founder of Trend
Micro entering the anti-virus business.
This virus was named after the famous Italian Renaissance artist Michelangelo
Buonarroti. It activates every year on the artist's birthday, 6th March. The name was given
by a researcher, not by the writer of the virus.
Michelangelo is a boot record virus; on the date it is triggered it destroys files
by overwriting certain critical areas of the hard disk or floppy disk. These areas are
overwritten with garbage, making the disk or floppy completely useless. If this virus infects a
bootable floppy (a floppy that can be used to boot a computer), the floppy is no longer
bootable.
An infection with this virus is caused by booting the system from an infected disk. After
being installed in the computer's memory, Michelangelo goes on to infect all
non-write-protected disks that are used in the computer.
1993
The SatanBug virus appeared around Washington, DC. The anti-virus industry helped the FBI
find the person who wrote it - it was a kid.
Cruncher was considered a "good" virus because it compressed infected programs and gave
users more disk space.
1994
A virus called Kaos4 was posted to a pornography newsgroup as a file. It was encoded as text
and downloaded by a number of users.
A virus called Pathogen appeared in England. The writer was tracked down by Scotland
Yard's Computer Crime Unit and convicted.
1995
Anti-virus companies worried nobody would need them anymore because of Windows 95.
The most common viruses were still boot viruses that worked on DOS but would not replicate
on Windows 95. Later in 1995, however, macro viruses appeared. These viruses worked in the
MS-Word environment, not DOS. The anti-virus industry was caught off-guard, but was happy at
the same time.
1996
Concept, a macro virus, became the most common virus in the world.
Boza, a weak virus, was the first virus designed for Windows 95.
Laroux was the first virus to successfully infect Microsoft Excel spreadsheets.
1998
The Chernobyl, or PE CIH, virus activates itself every year on the 26th of April - on the
anniversary of the Chernobyl, Ukraine nuclear power plant tragedy. It was allegedly written
by a Taiwanese citizen in 1998.
The virus wipes the first megabyte of data from the hard disk of a personal computer, thus
making the rest of the files of no use. In addition, it also deletes the data on the
computer's Basic Input-Output System (BIOS) chip, so that the computer cannot function until a
new chip is fitted or the data on the old one is restored. Fortunately, only those BIOSes which
can be changed or updated face a threat from this virus.
This virus affects only executable files. Since these are distributed less often than documents,
the spread of Chernobyl is more confined than that of most macro viruses.
1999
The Melissa virus, a macro virus, appears. It uses Microsoft Word to infect computers and is passed
on to others through the Microsoft Outlook and Outlook Express e-mail programs. ExploreZip
was similar to Melissa in its activities, but there was one major difference: ExploreZip, first
discovered in June 1999, was not a virus. It was a Trojan. This means that it was incapable of
replicating itself. Thus, the Melissa virus had a more far-reaching presence.
In addition to this dissimilarity, ExploreZip was more active. It not only hijacked Microsoft
Outlook but also selected certain files and made their file size zero - reduced their data to
nothing. Those files were then of no use to the user and could not be recovered.
2000
The "I Love You Virus" wreaks havoc around the world. It is transmitted by e-mail and when
opened, is automatically sent to everyone in the user's address book.
Stoned-Marijuana
Originally reported to have been written in New Zealand, this was another boot sector virus
with a difference. It would infect the boot sector of floppy disks. The File Allocation Table
(FAT) on the hard disk drive - the system used by DOS to identify and locate files on a disk - would also be affected. The virus would regularly display a message which said,
"Your PC is stoned. Legalize Marijuana." Moreover, it would damage the File Allocation
Table on hard disk drives with more than one partition. The FAT on floppy disks which had
been formatted as high density would also be harmed, so that access to files on both the hard
disk and the floppy disk would become nearly impossible.
Classification
The major groups of viruses on PCs are boot sector viruses (BSV), program viruses (EXE) and
application viruses (Macros).
BSV Virus:
A BSV infects boot sectors on diskettes and/or hard disks. On diskettes, the boot sector
normally contains code to load the operating system files. The BSV replaces the original boot
sector with itself and stores the original boot sector somewhere else on the diskette, or simply
replaces it totally. When a computer is later booted from this diskette, the virus takes
control and hides in RAM. It then loads and executes the original boot sector, and from
then on everything will be as usual. Except, of course, that every diskette inserted in the
computer will be infected with the virus unless it is write-protected. A BSV will usually hide at
the top of memory, reducing the amount of memory that DOS sees. For example, a computer
with 640K might appear to have only 639K. Most BSVs are also able to infect hard disks, where
the process is similar to that described above, although they usually infect the master boot record
instead of the DOS boot record.
EXE Virus: Program viruses:
The second type of computer virus infects executable programs, usually .COM and .EXE
files, but they sometimes also infect overlay files, device drivers or even object files.
An infected program will contain a copy of the virus, usually at the end, in some cases at the
beginning of the original program, and in a few cases the virus is inserted in the middle of the original
program.
When an infected program is run, the virus may stay resident in memory and infect every program that is subsequently run.
Viruses using this method to spread the infection are called "Resident Viruses".
Other viruses may search for a new file to infect when an infected program is executed. The
virus then transfers control to the original program. Viruses using this method to spread the
infection are called "Direct Action Viruses". It is possible for a virus to use both methods of
infection.
Most viruses try to recognize existing infections, so they do not infect what has already been infected.
This makes it possible to inoculate against specific viruses, by making the "victim" appear to be
infected. However, this method is useless as a general defense, as it is not possible to inoculate the
same program against multiple viruses.
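As an added example that is not part of the original text, the following Python checks look for the layout an appending program virus leaves behind in .COM and .EXE files: a leading JMP into the tail of a .COM, and an MZ entry point or file length that disagrees with the header. The sample images are constructed here and contain only a jump and filler bytes, and the tail fraction is an assumed tuning value.

```python
"""Structural hints that a DOS .COM or .EXE image carries code appended by a
program virus: added example, not from the original text. The sample images
below are constructed and hold only layout (a jump and filler), no virus code."""
import struct

TAIL_FRACTION = 0.75  # an entry point this far into the image counts as "in the tail" (assumed)


def com_entry_target(image: bytes):
    """File offset reached by a leading near JMP (opcode E9, rel16), or None.

    A .COM image is loaded at CS:0100h, so file offset 0 is address 0100h and
    the JMP is taken relative to the following instruction at offset 3.
    """
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    return 3 + rel


def check_com(image: bytes) -> list:
    """Flag a .COM whose first instruction jumps into the last part of the file,
    the layout left behind when a virus appends itself and patches the entry."""
    findings = []
    target = com_entry_target(image)
    if target is not None and 0 <= target < len(image):
        if target >= int(len(image) * TAIL_FRACTION):
            findings.append(
                f"entry JMP lands at offset {target} of {len(image)} (appended code?)")
    return findings


def check_exe(image: bytes) -> list:
    """Compare the MZ header's declared image size and entry point with the file."""
    if len(image) < 0x1C or image[:2] not in (b"MZ", b"ZM"):
        return ["not an MZ executable"]
    e_cblp, e_cp = struct.unpack_from("<HH", image, 2)    # bytes in last page, page count
    e_cparhdr = struct.unpack_from("<H", image, 8)[0]     # header size in 16-byte paragraphs
    e_ip, e_cs = struct.unpack_from("<HH", image, 0x14)   # initial IP, CS relative to load segment
    declared = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    entry = e_cparhdr * 16 + e_cs * 16 + e_ip
    findings = []
    if len(image) > declared:
        # Legitimate overlay data also lives past the declared size: a hint, not a verdict.
        findings.append(f"{len(image) - declared} bytes beyond declared image size {declared}")
    if entry >= int(declared * TAIL_FRACTION):
        findings.append(f"entry point at offset {entry} of declared {declared} (appended code?)")
    return findings


def mz_header(total_len: int, e_cs: int, e_ip: int) -> bytes:
    """Build a minimal 32-byte MZ header (2 paragraphs) for an image of total_len bytes."""
    pages, last = divmod(total_len, 512)
    if last:
        pages += 1
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HH", hdr, 2, last, pages)
    struct.pack_into("<H", hdr, 8, 2)
    struct.pack_into("<HH", hdr, 0x14, e_ip, e_cs)
    return bytes(hdr)


# Constructed 3000-byte host: MOV AH,4Ch / INT 21h (terminate) followed by padding.
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x00" * 2996
# Constructed host whose legitimate JMP skips a 29-byte data area (lands at offset 32).
CLEAN_COM_WITH_JMP = b"\xE9\x1D\x00" + b"\x00" * 29 + b"\xB4\x4C\xCD\x21" + b"\x00" * 2964
# Constructed "infected" layout: entry patched to jump to 600 filler bytes appended
# after the original host (0x90 stands in for the appended code).
INFECTED_COM = b"\xE9" + struct.pack("<h", 3000 - 3) + CLEAN_COM[3:] + b"\x90" * 600

CLEAN_EXE = mz_header(1024, 0, 0) + b"\x00" * 992
# Header rewritten to cover 300 appended bytes, entry moved to their start (offset 32 + 62*16).
INFECTED_EXE = mz_header(1324, 62, 0) + b"\x00" * 992 + b"\x90" * 300
# Header untouched but data appended: an overlay, or a virus that did not fix the header.
OVERLAY_EXE = CLEAN_EXE + b"\x00" * 100

if __name__ == "__main__":
    for label, img, fn in [("clean.com", CLEAN_COM, check_com),
                           ("jmp.com", CLEAN_COM_WITH_JMP, check_com),
                           ("infected.com", INFECTED_COM, check_com),
                           ("clean.exe", CLEAN_EXE, check_exe),
                           ("infected.exe", INFECTED_EXE, check_exe),
                           ("overlay.exe", OVERLAY_EXE, check_exe)]:
        print(f"{label:14} {fn(img) or ['no findings']}")
```

Both checks are hints rather than verdicts: a forward JMP over a data area or a genuine overlay produces the same shape, which is why a scanner layers them with signatures.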
MACRO Virus:
The third type of viruses are application viruses, which do not infect normal programs, but
instead spread as "macros" in various types of files, typically word-processor documents or
spreadsheets. This type of virus can easily spread through E-mail, when users unknowingly
exchange infected documents. In general, viruses are just programs - rather unusual programs
perhaps, but written just like any other program. It does not take a genius to write one - many
ten-year-old kids can easily create viruses.
Stealth virus
A stealth virus is one that hides the modifications it has made in the file or boot record,
usually by monitoring the system functions used by programs to read files or physical blocks
from storage media, and forging the results of such system functions so that programs which
try to read these areas see the original uninfected form of the file instead of the actual infected
form. Thus the viral modifications go undetected by anti-viral programs. However, in order to
do this, the virus must be resident in memory when the anti-viral program is executed.
The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and
redirects any attempt to read a Brain-infected boot sector to the disk area where the original
boot sector is stored. The next viruses to use this technique were the file infectors Number of
the Beast and Frodo.
Fast and slow infectors
A typical file infector (such as the Jerusalem) copies itself to memory when a program
infected by it is executed, and then infects other programs when they are executed. A fast
infector is a virus which, when it is active in memory, infects not only programs which are
executed, but also those which are merely opened. The result is that if such a virus is in
memory, running a scanner or integrity checker can result in all (or at least many) programs
becoming infected all at once.
The term "slow infector" is sometimes used for a virus that, if it is active in memory, infects
only files as they are modified (or created). The purpose is to fool people who use integrity
checkers into thinking that the modification reported by the integrity checker is due solely to
legitimate reasons. An example is the Darth Vader virus.
Companion virus
A companion virus is one that, instead of modifying an existing file, creates a new program
which (unknown to the user) gets executed by the command-line interpreter instead of the
intended program. (On exit, the new program executes the original program so things will
appear normal.) This is done by creating an infected .COM file with the same name as an
existing .EXE file. Note that this type of malicious code is not always considered to be a
virus, since it does not modify existing files.
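The .COM-before-.EXE precedence described above, turned into a defender's check as an added example (not from the original text); the directory listing it scans is constructed, and the file names in it are hypothetical:

```python
"""Companion-virus layout check over a DOS directory listing: added example,
not from the original text. DOS resolves a bare command name by trying
NAME.COM before NAME.EXE, so a stray .COM beside an .EXE runs in its place."""
from collections import Counter, defaultdict

# Constructed DIR-style listing: (name, extension, size in bytes, attribute letters).
LISTING = [
    ("PAYROLL", "EXE", 69886, ""),
    ("PAYROLL", "COM", 1412, "H"),    # constructed: hidden .COM shadowing PAYROLL.EXE
    ("REPORT", "EXE", 22974, ""),
    ("REPORT", "COM", 1412, "H"),     # constructed: same size, also hidden
    ("BACKUP", "EXE", 12241, ""),
    ("NOTES", "TXT", 2048, ""),
    ("OLDTOOL", "EXE", 32150, ""),
    ("OLDTOOL", "COM", 412, ""),      # constructed: a visible, differently sized shadow
]


def find_companions(listing):
    """Return [(name, reasons)] for every .EXE that a same-named .COM would pre-empt."""
    files = defaultdict(dict)
    for name, ext, size, attrs in listing:
        files[name.upper()][ext.upper()] = (size, attrs.upper())

    shadows = {n: e["COM"] for n, e in files.items() if "COM" in e and "EXE" in e}
    # Several shadowing .COM files of identical size point to one body copied around.
    size_count = Counter(size for size, _ in shadows.values())

    report = []
    for name in sorted(shadows):
        size, attrs = shadows[name]
        reasons = ["NAME.COM is executed before NAME.EXE"]
        if "H" in attrs:
            reasons.append("the .COM is hidden")
        if size_count[size] > 1:
            reasons.append(f"{size_count[size]} shadowing .COM files share size {size}")
        report.append((name, reasons))
    return report


if __name__ == "__main__":
    for name, reasons in find_companions(LISTING):
        print(f"{name}: " + "; ".join(reasons))
```

A legitimate pair (a program shipped as both .COM and .EXE) also shows up, so the hidden attribute and the repeated size are what separate the suspicious entries from the benign one.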
Armored virus
An armored virus is one that uses special tricks to make the tracing, disassembling and
understanding of its code more difficult. A good example is the Whale virus.
Virus hoax
A virus hoax generally appears as an email message that describes a particular virus that does
not exist. These emails almost always carry the same basic story: that if you download an
email with a particular subject line, your hard drive will be erased (an impossibility because
the text of an email cannot harbor a virus).
Such messages are designed to panic computer users. The writer or writers email the warning
and include a plea for the reader to forward it to others. The message then acts much like a
chain letter, propagating throughout the Internet as individuals receive it and then innocently
forward it. An example of a virus hoax is the "Good Times" virus -- which was written in
1994 and since then has circled the globe many times over. The best thing to do on receipt of
such an email is to ignore and delete it.
How Can the Computer Virus Harm Your PC
Personal computer viruses exploit the lack of effective access controls in these systems. The
viruses modify files and even the operating system itself. These are ``legal'' actions within the
context of the operating system. While more stringent controls are in place on multi-tasking,
multi-user operating systems, configuration errors and security holes (security bugs) make
viruses on these systems more than theoretically possible.
This leads to the following initial conclusions:
- Viruses exploit weaknesses in operating system controls and human patterns of system use/misuse.
- Destructive viruses are more likely to be eradicated.
- An innovative virus may have a larger initial window to propagate before it is discovered and the ``average'' anti-viral product is modified to detect or eradicate it.
A virus is a program that is able to replicate (1), that is, create (possibly modified) copies of itself.
The replication is intentional (2), not just a side-effect.
At least some of the replicants in turn are also viruses by the same definition (3).
A virus has to attach itself to a "host" (4), in the sense that execution of the host implies execution
of the virus.
(1) distinguishes viruses from non-replicating malware, such as ANSI bombs.
(2) distinguishes between viruses and programs such as DISKCOPY.COM that can replicate.
(3) is needed to exclude certain "intended viruses", that attempt to replicate, but fail - they simply
do not qualify as "real" viruses.
(4) is necessary to distinguish between viruses and worms, which do not require a host.
A Trojan is a program that pretends to do something useful (or at least interesting), but when
it is run, it may have some harmful effect, like scrambling your FAT (File Allocation Table),
formatting the hard disk or releasing a virus.
Viruses and Trojans may contain a "time-bomb", intended to destroy programs or data on a
specific date or when some condition has been fulfilled. A time bomb is often designed to be
harmful, maybe doing something like formatting the hard disk. Sometimes it is relatively
harmless, perhaps slowing the computer down every Friday or making a ball bounce around
the screen. However, there is really no such thing as a harmless virus. Even if a virus has
been intended to cause no damage, it may do so in certain cases, often due to the
incompetence of the virus writer or unexpected hardware or software revisions.
Damages
The damage caused by a virus may consist of the deletion of data or programs, maybe even
reformatting of the hard disk, but more subtle damage is also possible. Some viruses may
modify data or introduce typing errors into text. Other viruses may have no intentional effects
other than just replicating.
What Viruses Cannot Do
- A virus cannot appear all by itself; it has to be written, just like any other program.
- Not all viruses are intentionally harmful - some may only cause minor damage as a side effect - however, there is no such thing as a "harmless" virus.
- Reading plain data from an infected diskette cannot cause an infection. (However, it is not trivial to determine what "plain data" is.)
Ways to protect your computer from viruses
- Keep good backups (more than one) of everything you do not want to lose. This will not only protect you from serious damage caused by viruses, but is also necessary in the case of a serious hardware failure.
- Never boot a computer with a hard disk from a diskette, because that is the only way the hard disk could become infected with a boot sector virus. (Well, strictly speaking, it can happen if you run a "dropper" program too, but that happens extremely rarely.)
- If your BIOS allows you to change the boot sequence to "C:; A:", do it. This will give you very good protection against boot sector virus infections.
- Keep all diskettes write-protected unless you need to write to them. When you obtain new software on a diskette, write-protect the diskette before you make a backup copy of it. If it is not possible to make a backup of the diskette because of some idiotic copy-protection, I do not recommend using the software.
- Be really careful regarding your sources of software. In general, shrink-wrapped commercial software should be "clean", but there have been a few documented cases of infected commercial software, and even Microsoft has occasionally distributed infected files. Public-Domain, Freeware and Shareware packages do not have to be any more dangerous than "regular" commercial programs - it all depends on the source. If you obtain software from a BBS, check what precautions the SysOp takes against viruses. If he does not screen the software made available for downloading, you should find another source.
- Check all new software for infection before you run it for the first time. It may even be advisable to use a couple of scanners from different manufacturers, as no single scanner is able to detect all viruses.
- Obtain Shareware, Freeware and Public-Domain software from the original author or reliable distribution sites, if at all possible.
Antivirus Software
AVG Anti-Virus
The heart of AVG Anti-Virus is the checking engine - you can imagine it as a "black box"
into which requests to check objects enter, and the box returns information indicating whether these
objects are virus-free or infected. The checking engine includes an application interface for
communication with other AVG Anti-Virus components (Resident Shield, Tests, E-mail
scanner modules and plug-ins etc.) which use this service. It was created with an emphasis on
AVG Anti-Virus modularity and is common to all the components mentioned. Efficiency in
detecting infected files is guaranteed by using a combination of different detection levels.
Before the check itself, the file is pre-processed, which involves removing any parts
unnecessary for virus analysis. This technique makes for a quick scanning process.
Known virus detection
This is the simplest technique in which files are checked for the presence of virus identifiers
(a sequence of bytes characteristic for an exact virus). Based on this kind of detection,
detailed analysis is performed to identify the exact infection.
Generic detection
This is a more common method for the detection of known viruses and is used to determine
new variants of known viruses. If no known virus is identified, generic detection looks for
sequences within the file typical for certain viruses. Such sequences usually don't change
within the virus when it is modified, even if the behavior of the new variant is different. This
method is effective especially in the detection of macro-viruses and script-viruses.
Heuristic analysis
The last method for detecting viruses (used where the previously mentioned methods were not
successful) is heuristic analysis. Its strength lies in its ability to detect, in some cases, a
virus which is not included in the internal virus database. During heuristic analysis, two
methods are used:
- Static heuristic analysis - looking for suspicious data constructions.
- Dynamic heuristic analysis - code emulation: the file is started inside the protected
environment of a virtual computer inside AVG Anti-Virus and analyzed for actions
typical of viruses, for example an application which, when run, looks for other
executable files in order to modify them.
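The three detection levels just described (exact identifier, generic family mask, static heuristic), as an added example that is not AVG's code or from the original text; every signature, wildcard mask, heuristic marker and sample byte string here is constructed for the demonstration, and the "Demo" family is hypothetical.

```python
"""The three detection tiers the AVG description lists, as an added example
(not AVG's code): exact identifier, generic family mask with wildcards, and
a static heuristic. All signatures and samples are constructed for the demo."""
import re

# Known-virus identifier (constructed): a byte run unique to one hypothetical variant.
KNOWN = {
    "Demo.A": bytes.fromhex("B44CCD21E8000090"),
}
# Generic mask (constructed): the family skeleton; '??' matches any single byte,
# so a variant that only changes its CALL target still matches.
GENERIC = {
    "Demo family": "B4 4C CD 21 E8 ?? ?? 90",
}
# Static heuristic markers (simplified: real code may split MOV AH,.. from INT 21h).
SUSPICIOUS = [
    (rb"\*\.(COM|EXE)", "wildcard search for executable files"),
    (rb"\xB4\x40\xCD\x21", "INT 21h AH=40h (write file)"),
    (rb"\xB4\x43\xCD\x21", "INT 21h AH=43h (change file attributes)"),
]


def compile_mask(mask: str):
    """Turn 'B4 4C ?? 90' into a bytes regex ('??' -> any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in mask.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(image: bytes):
    """Return (tier, label): tier is 'known', 'generic', 'heuristic' or 'clean'.

    Tiers are tried in the order the text gives them: an exact identifier names
    the variant, a family mask catches modified variants, and the heuristic only
    fires when several suspicious constructions appear together.
    """
    for name, ident in KNOWN.items():
        if ident in image:
            return ("known", name)
    for family, mask in GENERIC.items():
        if compile_mask(mask).search(image):
            return ("generic", family)
    hits = [why for pattern, why in SUSPICIOUS if re.search(pattern, image, re.DOTALL)]
    if len(hits) >= 2:  # a single marker is common in legitimate utilities
        return ("heuristic", "; ".join(hits))
    return ("clean", "")


# Constructed samples (no executable virus code, only the byte runs the tiers key on).
SAMPLE_KNOWN = b"\x00" * 16 + bytes.fromhex("B44CCD21E8000090") + b"\x00" * 16
SAMPLE_VARIANT = b"\x00" * 16 + bytes.fromhex("B44CCD21E8341290") + b"\x00" * 16
SAMPLE_UNKNOWN = b"\x90" * 8 + b"*.COM\x00" + b"\xB4\x40\xCD\x21" + b"\xB4\x43\xCD\x21"
SAMPLE_CLEAN = b"\xB4\x09\xCD\x21Hello$\xB4\x4C\xCD\x21"

if __name__ == "__main__":
    for label, img in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT),
                       ("unknown", SAMPLE_UNKNOWN), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:8} -> {scan(img)}")
```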
McAfee® VirusScan® Enterprise 8.0i
McAfee® VirusScan® 8.0i takes anti-virus protection to the next level, integrating elements
of intrusion prevention and firewall technology into a single solution for PCs and file servers.
This powerful combination delivers truly proactive protection from the newest of today’s
threats including buffer-overflow exploits and blended attacks—and features advanced
outbreak management responses to reduce the damage and costs of outbreaks. Everything is
managed by McAfee ePolicy Orchestrator® or ProtectionPilot™ for scalable security policy
compliance and graphical reporting.
Key Benefits
Integrated firewall and IPS technology – Addition of firewall and intrusion
prevention technology delivers maximum proactive protection in a single, integrated package
Enhanced coverage for emerging threats – VirusScan 8.0i provides protection from the
newest potentially unwanted program security threats (e.g., spyware), application-specific
buffer overflow attacks, and blended attacks
Lowered TCO during outbreak response – Advanced outbreak functionality closes the
window of vulnerability before DAT files are available, limiting damage by blocking the
entrance and spread of the outbreak
McAfee scanning technology – Award-winning McAfee scan engine performs in-memory
scanning to block threats such as Netsky and CodeRed, which don’t write their code to disk
Centralized management and reporting – Integration with McAfee ePolicy Orchestrator and
ProtectionPilot provides a complete security management solution, including detailed
graphical reporting, from a single console.
Product Features
Comprehensive McAfee anti-virus protection
The McAfee anti-virus scan engine stops every type of virus and malicious code threat,
including macro viruses, Trojans, Internet worms, advanced 32-bit viruses, and even hostile
ActiveX and Java objects. Using technology that drills down into compressed data, VirusScan
is also able to find hidden threats buried in .zip and other compressed file types. Proactive
protection is delivered through advanced heuristics and generic detection, which allow
VirusScan to protect—in advance—against new, unseen viruses and other threats.
Potentially unwanted program security
Automatic detection of potentially unwanted programs helps keep businesses and users safe
from hidden programs that track Internet usage, access personal data such as passwords and
account information, or open security holes. Users or administrators can select one of several
responses (Alert, Clean, Remove, and Quarantine) for VirusScan to take when it detects a
potentially unwanted program. Administrators can even define a custom list of company-specific unwanted programs such as adware, dialers, or joke programs to help keep company
end-point systems COE compliant.
Buffer overflow prevention (IPS feature)
VirusScan 8.0i protects against buffer overflows for approximately 20 of the most commonly
used and exploited software applications and Microsoft® Windows® OS services, including
Microsoft Word, Excel, Internet Explorer, Outlook, and SQL Server. Administrators have the
ability to create exceptions by process when necessary.
Complete outbreak response
The built-in outbreak response features in VirusScan 8.0i provide protection from new viruses
before DAT files are available, enabling administrators to take action in the crucial
vulnerability window that exists after a virus is identified but before a DAT has been released.
Outbreak response functionality includes:
Port blocking/lockdown (firewall feature)
Allows the administrator or user to "turn off" (block) specified ports from either outbound or
inbound network traffic (for example, for MyDoom port #3196 should have been blocked;
Bagel.n was port #2556)
Application monitoring: email engines (firewall feature)
Allows administrators to block outbound ports, but set rules that allow certain processes to
communicate through a closed port. For example, administrators could block port 25 to
outbound traffic but allow outlook.exe to communicate outbound through the port. NetSky
and MyDoom would not have gotten out of the system with this feature turned on.
File blocking, directory lockdown, folder/share blocking (IPS feature)
Creation of a policy (or policies) that controls the permitted actions that can occur to a
specified file, directory, or folder/share (or group of files, folders, etc., with matching name
pattern composed of text and wildcard symbols) by system or incoming network processes.
For example, the policy for the Sasser worm would have blocked avserve*.exe,
skynetave.exe, lsasss.exe, napatch.exe, *_up.exe, cmd.ftp, ftplog.txt, winlog2.*, and win*.log.
Powerful memory scanning
VirusScan 8.0i has enhanced scanning functionality to include on-demand and scheduled in-memory scanning for viruses, worms, and Trojans. This protects your systems from threats
such as CodeRed and SQLSlammer, which don’t write their code to disk, by removing the
process from memory.
Panda Virus Maps
Panda has different types of virus maps that show the percentage of infected computers in
different situations.
Virus Infection Map: gives live graphic coverage of the percentage of computers infected by
viruses in a geographic zone. This map includes Alert Mode, which complements the Virus
Infection Map during alerts, as it allows you to view how the threat causing the alert spreads,
from the moment it appears until the alert is lifted. In addition to the percentage of computers
infected by viruses, or the combination of viruses in a geographic zone (worldwide, continent
or country), the Virus Infection Map provides the following information:
Top viruses: list of the most active viruses in a region.
Top countries: list of the areas most-affected by a single virus.
Proliferation of infections graph: displays the development of PCs infected by a virus or all
viruses, in each area from the last 24 hours to the past 12 months.
Usually, the map will open as a world map, displaying continents and indicating the level of
infection using the color code.
The map has two options in the top section. The first, Region, lets you select the geographic
area of interest, or you can simply click the area you want on the map. The second, Infections
by, lets you choose which infections to display: those caused by a specific virus (chosen from
the most virulent in the region) or the total for all viruses in the region.
It is easy to become familiar with the Virus Infection Map once you begin using it. We hope
that you find it both useful and easy to use, and we appreciate any feedback you may have to
improve our product.
Kaspersky Labs
Kaspersky Labs provides downloadable removal tools, product upgrades, antivirus and
antispam databases, extra secure databases and product documentation on our web site.
Antivirus database updates
In this section you can manually download the latest antivirus databases for your antivirus
software and find out about the different antivirus updates currently available. You can also
read about the different methods of updating antivirus databases - both for individual PCs and
for centralized updates across networks.
Free removal tools
Kaspersky Labs responds promptly to all new threats. Occasionally a virus requires special
treatment; in such cases we provide a removal tool for that specific virus.
Trial versions
It is always a good idea to try before you buy. You can download trial versions of our solutions
and decide which product fits your requirements. Our trial versions are valid for 30 days.
Product downloads
All current product downloads are located in this section: product upgrades, patches and
documentation.
Documentation
For your convenience product documentation is also available in a separate section, listed
according to products.
Extra database options
Some people prefer to be extra sure. Our standard antivirus databases protect you from
viruses. If you also want protection from other threats such as riskware, pornware and other
illegal programs, this section is for you.
The World's Most Famous Hackers
Vladimir Levin
His claim to fame is that this mathematician, a graduate of St. Petersburg Tekhnologichesky
University, was the brain behind the Russian hacker gang that tricked Citibank's computers
into paying out $10 million. Although his first use of a computer is unknown, Vladimir was
allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia,
to break into Citibank's computers.
Vladimir Levin was arrested at Stansted airport, London, in 1995. Items seized by the Russian
police at his apartment included a computer, computer games and disks, a camcorder, music
speakers and a TV set. During his trial, Levin alleged that one of his defence lawyers was
actually an FBI agent.
Johan Helsingius
He ran the world's most popular anonymous remailer, penet.fi. Surprisingly, this remailer, the
busiest in the world, ran on an ordinary 486 with a 200-megabyte hard drive. His other
idiosyncrasy was that he himself never tried to remain anonymous.
The Finnish police raided Johan in 1995 after a complaint by the Church of Scientology that a
penet.fi user was posting the "church's" secrets on the Net. Johan eventually shut the
remailer down, in 1996.
Kevin Mitnick
Kevin Mitnick's alias on the Net was Condor. As a teenager he could not afford his own
computer, so he would go to a Radio Shack store and use the demonstration models kept there
to dial into other computers.
One of the unusual things about Mitnick was that he used Internet Relay Chat (IRC) to send
messages to his friends. A judge sentenced him to one year in a residential treatment center,
where Kevin enrolled in a 12-step program to rid him of what the judge termed his "computer
addiction". Mitnick was immortalized when he became the first hacker to have his face put on
an FBI "most wanted" poster. His repeated offences, and the image of a teenage hacker who
refused to grow up, made him The Lost Boy of Cyberspace.
Robert Morris
He was known to the Internet community as "rtm", but he was distinguished by much more than
his fame as a hacker: he was the son of the chief scientist at the National Computer Security
Center, part of the National Security Agency (NSA), USA. This Cornell graduate student
rocketed to fame because of the Internet worm he unleashed in 1988, which practically crippled
the fledgling Internet: thousands of computers were infected and subsequently crashed.
Suddenly the term "hacker" became a household word in America.
Surprisingly, Robert's father is credited with introducing him to the world of computers: he
brought one of the original Enigma cryptographic machines home from the NSA. Later, as a
teenager, Morris was recognized as a star user on the Bell Labs network, where he had an
account, a reputation owed to his earlier forays into hacking.
Dennis Ritchie and Ken Thompson
Dennis, also known as dmr, and Ken were the legendary coders who designed the UNIX system for
minicomputers in 1969. They were the creative geniuses behind Bell Labs' computer science
research group. UNIX proved enormously useful and soon became a standard. Their later work
included Plan 9, the next-generation operating system created after UNIX at Bell Labs together
with their colleague Rob Pike. Dennis also has the distinction of being the author of the C
programming language.
References
http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_1.html
http://www.exn.ca/nerds/20000504-55.cfm
http://www.educomp.esc.edu.ar/doc02002.htm
http://www.grisoft.com/doc/39/lng/us/tpl/tpl01
http://www.mcafee.com/us/
http://www.pandasoftware.com/virus_info/map/map.htm#e0
http://www.hackershomepage.com/
http://cybercrime.planetindia.net/intro.htm