Viruses & Worms

P. Chanakya, Y9MC95008, IV Semester, II MCA, St. Ann's College of P.G. Studies, Chirala – 523 187
Contact: funnychanu@gmail.com, www.funnychanu.weebly.com/seminor

Contents

History
Introduction
Definition
Naming
Different Types
Spreading
Effect on Software
Prevention
Conclusion
References

History

Introduction

Introduction to Viruses, Worms & Trojans

What is a Virus?

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

- It must execute itself. It will often place its own code in the path of execution of another program.
- It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file.

Viruses can infect desktop computers and network servers alike. Some viruses are programmed to damage the computer by damaging programs, deleting files or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video and audio messages. Even these benign viruses can create problems for the computer user: they typically take up computer memory used by legitimate programs, and as a result they often cause erratic behaviour and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Types of viruses and worms

There are five recognized types of viruses:

File-infector viruses: File-infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from a floppy, a hard drive or the network. Many of these viruses are memory resident; after memory becomes infected, any non-infected executable that runs becomes infected. Examples of known file-infector viruses include Jerusalem and Cascade.
Boot-sector viruses: Boot-sector viruses infect the system area of a disk, that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record, which is run when the computer starts up. Boot-sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets for this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, all floppy disks that are not write-protected will become infected when the floppy disk is accessed. Examples of boot-sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master-boot-record viruses: Master-boot-record viruses are memory-resident viruses that infect disks in the same manner as boot-sector viruses. The difference between these two virus types is where the viral code is located. Master-boot-record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers that become infected by either boot-sector viruses or master-boot-record viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 95/98. If your Windows NT system is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master-boot-record infectors are NYB, AntiExe, and Unashamed.

Multi-partite viruses: Multi-partite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair.
If the boot area is cleaned but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files: if the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multi-partite viruses include One_Half, Emperor, Anthrax and Tequila.

Macro viruses: These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files but can also infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now also turning up in other programs. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

What is a Trojan Horse?

Trojan Horses are impostors: files that claim to be something desirable but, in fact, are malicious. A very important distinction from true viruses is that they do not replicate themselves as viruses do. Trojans contain malicious code that, when triggered, causes loss, or even theft, of data. In order for a Trojan Horse to spread, you must, in effect, invite these programs onto your computer, for example by opening an e-mail attachment. The PWSteal.Trojan is a Trojan.

Definition

What is a Worm?

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file.
Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. PrettyPark.Worm is a particularly prevalent example.

What is a Virus Hoax?

Virus hoaxes are messages, almost always sent by e-mail, that amount to little more than chain letters. Some of the common phrases used in these hoaxes are:

"If you receive an e-mail titled [e-mail virus hoax name here], do not open it! Delete it immediately! It contains the [hoax name] virus. It will delete everything on your hard drive and [extreme and improbable danger specified here]. This virus was announced today by [reputable organization name here]. Forward this warning to everyone you know!"

Most virus hoax warnings do not deviate far from this pattern.

How Can I Keep My Computer Safe?

With all the hype, it is easy to believe that viruses lurk in every file, every e-mail, every Web site. However, a few basic precautions can minimize your risk of infection. As well as using the relevant protection software, practice safe computing and encourage everyone you know to do so as well. General precautions include:

- Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer.
- Write-protect your floppy disks after you have finished writing to them.
- Be suspicious of e-mail attachments from unknown sources. Verify that attachments have been sent by the author of the e-mail. Newer viruses can send e-mail messages that appear to be from people you know.
- Do not set your e-mail program to "auto-run" attachments.
- Obtain all available security updates.
- Back up your data frequently. Keep the (write-protected) media in a safe place, preferably in a different location than your computer.
- Scan all new software before you install it. Because boot-sector viruses spread by floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses.
Shrink-wrapped software, demo disks from suppliers, and trial software are not exempt from this rule. Viruses have been found even on retail software. Scan all media that someone else has given you.

- Use caution when opening e-mail attachments. E-mail attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by macro viruses. Other attachments can contain file-infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them.

Computer Virus is the generic term used to describe the many little programs and various types of script files and macros that have been and are being created for one major purpose: to inconvenience the receiver. Sometimes this "inconvenience" can be quite serious. They can be transmitted via diskettes, embedded into application programs, sent by e-mail, and planted on network/Internet servers by hackers. The range of "dirty work" performed by these malicious entities varies from displaying a prank message to destroying all the data on a hard drive. Some only perform maliciously on the host computer, while others propagate themselves and mail themselves out to all names in the user's e-mail address book and then do the same again and again.
This creates a "cyber plague". The consensus for minimally protecting your computer from viruses is to:

- Make backups of all software (including operating systems), so that if a virus attack has been made you can retrieve safe copies of your files and software.
- Practice, and inform others of, the following: test all exchanged floppy diskettes for viruses, check all Web-downloaded files for viruses before installing or using them, and check all e-mail attachments for viruses before opening them.
- Install anti-virus software and update the virus database regularly to detect, report and disinfect viruses.

Various Categories of Viruses

Trojans or Trojan Horses: Just as the wooden Trojan horse, full of soldiers, was taken into the city of Troy in days of antiquity, so through deceptive disguise unauthorized executable code is introduced into a computer system and then performs malicious actions such as displaying messages, erasing files or formatting a disk. A Trojan horse doesn't infect other host files, thus cleaning is not necessary. To get rid of a Trojan, simply delete the program.

Worms: A computer worm is a self-contained program (or set of programs) that is able to spread copies of itself to other computer systems via network connections or e-mail attachments. To get rid of a worm you just need to delete the program.

Script Viruses (JavaScript, VBScript, HTML): Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from Windows Explorer. HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.
To detect vbs or js scripts I use ScriptSentry.

Java Applets: Java applets are small, portable Java programs embedded in HTML pages. They can run automatically when a Web page is viewed. Those who wish to cause mischief may use malicious Java code to attack the system. Check your Web browser to see if you can configure the security settings to "high" so that these applets do not execute. This is where a good firewall comes in handy. Through my firewall, I filter out all Java scripts, applets and ActiveX from entering my computer through the Internet. I can also select which site I wish to give permission to use any one of these scripts.

Some Anti-Virus Products to Consider:

- AVG – I use this one myself. It does a good job of scanning downloaded files and e-mail. It's free, with automatic updates of virus signature files.
- Panda Software – I use the demo version of this one also. It has a good reputation. The virus signature files cannot be updated until purchased.
- Norton AntiVirus 2002 – Norton's products have always been competitive.
- McAfee – Used by many people, McAfee offers a good demo.

Rootkits

Rootkits are used to cover an attacker's tracks. If an attacker installs a backdoor or other malicious program, the system administrator may notice the new program and remove it, ending the hacker's ability to access the system in the future. The goal of a rootkit is to disguise the existence of malicious programs on a system. By replacing certain system programs with modified versions of those same programs, rootkits mask the presence of backdoors or other malicious programs. For example, the UNIX program "ls" prints a directory listing of the file system. This would normally allow a sysadmin to see files left by an attacker. The rootkit installs a modified version of "ls" that displays all the files and programs in the directory except the backdoor program and any other files left by the attacker. This effectively masks the evidence of the system compromise.
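Because a rootkit of the kind described above works by swapping system binaries such as "ls" for modified copies, the standard defensive check is to record a hash of every trusted binary while the system is known-good and later compare each file on disk against that baseline. The C program below is an added example written for this page, not code from the original report or from any rootkit or anti-rootkit product. It uses a tiny FNV-1a checksum only so that it runs stand-alone (a real integrity checker uses a cryptographic hash such as SHA-256 and keeps the baseline signed or off the host); the file names demo_ls.bin and demo_ps.bin and their contents are constructed stand-ins for real system binaries.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Baseline record: where a trusted binary lives and the hash it had when the
 * system was known-good. A real checker would store SHA-256 of /bin/ls,
 * /bin/ps, ... in a signed or off-host database; FNV-1a is used here purely to
 * avoid dependencies (it is a checksum, not a cryptographic hash, so an
 * attacker could craft a replacement that collides with it). */
struct baseline_entry {
    const char *path;
    uint64_t expected;
};

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Feed len bytes into a running FNV-1a state and return the new state. */
uint64_t fnv1a64_update(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* One-shot hash of an in-memory buffer. */
uint64_t fnv1a64(const void *data, size_t len)
{
    return fnv1a64_update(FNV_OFFSET, data, len);
}

/* Hash a file's full contents in 4 KiB chunks. Returns 0 and stores the hash
 * in *out, or -1 if the file cannot be opened (a missing system binary is
 * itself a finding worth reporting). */
int hash_file(const char *path, uint64_t *out)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    unsigned char buf[4096];
    uint64_t h = FNV_OFFSET;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        h = fnv1a64_update(h, buf, n);
    fclose(f);
    *out = h;
    return 0;
}

/* Compare every baseline entry with the file on disk. Returns the number of
 * entries that are missing or changed, so 0 means "nothing replaced". */
int verify_baseline(const struct baseline_entry *entries, size_t count)
{
    int findings = 0;
    for (size_t i = 0; i < count; i++) {
        uint64_t actual;
        if (hash_file(entries[i].path, &actual) != 0) {
            printf("MISSING  %s\n", entries[i].path);
            findings++;
        } else if (actual != entries[i].expected) {
            printf("CHANGED  %s (baseline %016" PRIx64 ", now %016" PRIx64 ")\n",
                   entries[i].path, entries[i].expected, actual);
            findings++;
        } else {
            printf("OK       %s\n", entries[i].path);
        }
    }
    return findings;
}

/* Helper used only to stage the constructed demo "binaries" on disk. */
int write_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    size_t len = strlen(content);
    int ok = fwrite(content, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Stage two constructed stand-ins for /bin/ls and /bin/ps while "known good". */
    write_file("demo_ls.bin", "constructed stand-in for /bin/ls, version 1");
    write_file("demo_ps.bin", "constructed stand-in for /bin/ps, version 1");

    struct baseline_entry baseline[2] = { { "demo_ls.bin", 0 }, { "demo_ps.bin", 0 } };
    for (size_t i = 0; i < 2; i++)
        hash_file(baseline[i].path, &baseline[i].expected);

    printf("Initial check, findings: %d\n", verify_baseline(baseline, 2));

    /* Simulate a rootkit swapping in a modified "ls" that hides attacker files. */
    write_file("demo_ls.bin", "constructed stand-in for /bin/ls, TROJANED");
    printf("After tampering, findings: %d\n", verify_baseline(baseline, 2));
    return 0;
}
```

The design point is that the baseline must be taken before the compromise and stored where the attacker cannot rewrite it; a checker whose baseline lives on the same disk as the replaced "ls" can be silenced by editing the baseline too.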
Rootkits generally replace "ls" as well as many other operating system programs to cover their tracks.

Worms

Worms are malicious programs that spread themselves automatically, as opposed to viruses, which are malicious programs that are spread by human intervention (inserting an infected floppy disk into a computer, double-clicking on an e-mail attachment, etc.). Recent worms such as Code Red and Nimda have caused billions of dollars of damage, cleanup costs, and loss of business. Lately, attackers are using worms more frequently, since they can do so much damage so quickly. Worms are very dangerous for several reasons. First, they spread very quickly: Code Red infected over 100,000 machines in 24 hours. Second, they can generally perform any malicious activity the attacker desires if the worm is able to gain sufficient privileges. Third, they are becoming easier to develop, with worm-generating programs known to be circulating on the Internet.

A worm has three main parts:

- Enabling Vulnerability: the "hole" that the worm exploits in order to gain access to the system.
- Spreading Mechanism: the method by which the worm chooses and communicates with its victims.
- Malicious Payload: the actual damage that the worm does once it compromises a system.

These three parts differ from worm to worm, but all worms have these three elements.

E-mail Viruses

The latest thing in the world of computer viruses is the e-mail virus, and the Melissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this: someone created the virus as a Word document and uploaded it to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book.
The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen. It forced a number of large companies to shut down their e-mail systems.

The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double-clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.

The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature: a programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus. It created a huge mess.

Microsoft applications have a feature called Macro Virus Protection built into them to prevent this sort of thing. With Macro Virus Protection turned on (the default option is ON), the auto-execute feature is disabled. So when a document tries to auto-execute viral code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway.
Many other people turn off the protection mechanism. So the Melissa virus spread despite the safeguards in place to prevent it. In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable.

Buffer Overflow Exploits

Buffer overflow exploits are one of the largest problems in computer security today. In all application programs, there are buffers that hold data. These buffers have a fixed size. If an attacker sends too much data into one of these buffers, the buffer overflows. The server then executes the data that "overflowed" as a program. This program may do any number of things, from sending passwords to Russia to altering system files, installing backdoors, etc., depending on what data the attacker sent to the buffer.

Programmers can prevent buffer overflows by checking the length of the data submitted to the buffer before storing it in the buffer; if the data is too large, the program returns an error. Unfortunately, many programmers forget to check the length of the data before saving it to a buffer. Thus, applications contain a large number of "unchecked buffers," which are vulnerable to attack. Microsoft has released at least five bulletins in the past six months regarding unchecked buffers that exist in their products. When a vendor (Microsoft or any other vendor) releases a patch to stop these potential buffer overflows, the patch simply adds code that checks the length of the data before it saves it to the buffer. Thus, if a patch is available, applying it will prevent the buffer from being overflowed.

Buffer overflow exploits are such a large problem for several reasons:

- Buffer overflow exploits are very common. There are hundreds of known unchecked buffers that can be overflowed by hackers, with more being discovered all the time. Over 50% of the CERT advisories deal with buffer overflow exploits.
- Buffer overflow exploits are easy to use. Anyone (10-year-olds and script kiddies included) can download buffer overflow attack code and follow a simple "recipe" to execute it. No advanced technical knowledge is necessary to run pre-written buffer overflow exploit programs.
- Buffer overflow exploits are very powerful. In many cases, the malicious code that executes as a result of a buffer overflow will run with administrator-level privileges, and therefore can do anything it wants to the server.

Backdoors

When attackers obtain root-level access to a server (using a buffer overflow exploit or a privilege escalation exploit, for example) they will want to do two things:

1. Install a backdoor
2. Cover their tracks

Backdoors allow attackers to remotely access a system again in the future. For example, the attacker may have used a particular security hole to get root-level access to a computer. However, over time, that particular security hole may be closed, preventing the attacker from accessing the system again. In order to avoid being shut out in the future, attackers install backdoors. These backdoors take different forms, but all allow an attacker to access the server again without going through the standard login procedures and without having to repeat the attack that gave them access in the first place. Many worms install backdoors as a part of their malicious payload. Code Red II, for example, installed a backdoor that provided access to the C and D drives of the compromised Web server from anywhere on the Internet. Other common backdoor programs are Netbus and BackOrifice, which allow attackers to remotely control a compromised server.
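The Buffer Overflow Exploits section above says that the fix for an "unchecked buffer" is to check the length of the data before storing it and to return an error when it is too large. The C program below is an added example written for this page, not code from the original report, showing an unchecked copy next to its checked replacement inside a small request handler. The buffer size of 16, the function names and the input strings are all constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer, the kind of "buffer that holds data" the text describes.
 * The size 16 is an arbitrary constructed value for this example. */
#define NAME_BUF_SIZE 16

/* Unchecked copy: the pattern behind an "unchecked buffer". strcpy keeps
 * writing until it finds the source's terminating NUL, so any source of
 * NAME_BUF_SIZE or more characters writes past the end of dest. Included
 * only for contrast; nothing below ever calls it. */
void copy_name_unchecked(char *dest, const char *src)
{
    strcpy(dest, src);
}

/* Checked copy: the kind of code a vendor patch adds. Measure the input
 * against the destination size first, reject anything that would not fit
 * together with its terminating NUL, and only then copy. Returns 0 on success
 * and -1 with errno set on rejection; dest is left untouched on rejection. */
int copy_name_checked(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || src == NULL || dest_size == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Bounded scan: stop at dest_size so an unterminated source is never over-read. */
    size_t len = 0;
    while (len < dest_size && src[len] != '\0')
        len++;
    if (len >= dest_size) {
        errno = EMSGSIZE;          /* too large: "returns an error" */
        return -1;
    }
    memcpy(dest, src, len + 1);    /* len bytes plus the NUL, known to fit */
    return 0;
}

/* A request handler in the style of a server reading one field from a client.
 * Returns 0 when the field was accepted, -1 when it was rejected as too long. */
int handle_request(const char *payload)
{
    char name[NAME_BUF_SIZE];
    if (copy_name_checked(name, sizeof name, payload) != 0) {
        fprintf(stderr, "rejected: field longer than %zu bytes\n", sizeof name - 1);
        return -1;
    }
    printf("accepted: %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly at the limit, one too long. */
    handle_request("alice");
    handle_request("123456789012345");      /* 15 chars + NUL = 16 bytes, fits */
    handle_request("1234567890123456");     /* 16 chars would need 17 bytes, rejected */
    handle_request("a much longer field than the buffer can hold");
    return 0;
}
```

The boundary case is the one that matters in review: a 15-character field fits in a 16-byte buffer only because the NUL terminator is counted, so the check must be `len >= dest_size`, not `len > dest_size`.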