Virus
Submitted by:
Babasa, Maria Cecilia Beatriz
Dakay, Princess Dianne
Gonzaga, Khareen
Miranda, Angelo Marco
(Group 8)
II – BSITE
Submitted to:
Prof. Rosalie Muñoz
COMPUTER VIRUS
A computer virus is a short computer program, hidden within another, that makes copies of itself and spreads
them, disrupting the operation of any computer that receives one.
A virus may be transmitted on diskettes and through networks, on-line services, and the Internet.
Viruses are most easily spread by attachments in e-mail or instant messaging messages disguised as funny
images, greeting cards, or audio and video files. They also spread through downloads from the Internet: they can be
hidden in illicit software or in other files or programs you might download.
HISTORY OF VIRUS
1986
The first PC virus was created. Known as the Brain virus, it was written in Pakistan.
1987
In November, the Lehigh virus was discovered at Lehigh University in the U.S.
In December, the Jerusalem virus appeared at Hebrew University in Israel.
1988
In March, the first anti-virus virus was written. It was designed to detect and remove the Brain virus and to
immunize disks against Brain infection.
The Cascade virus was found in Germany.
Viruses started getting media attention, with articles in magazines like Business Week, Newsweek, Fortune,
PC Magazine and Time.
1989
On September 17, the Washington Post reports that a computer virus "that springs to life destructively on
Friday the 13th is on the loose". The virus was called DataCrime and ended up being blown way out of
proportion.
A virus called Dark Avenger introduced a new feature. It was designed to damage a system slowly, so it
would go unnoticed at first and damaged files would be backed up.
In October, the Frodo virus turned up in Israel. It was the first full-stealth file infector, designed to damage
the hard drive if run on or after September 22 of any year.
1990
Many anti-virus products were introduced, including ones from IBM, McAfee, Digital Dispatch and Iris.
Viruses combining various characteristics sprang up. These included polymorphism (encrypted viruses whose
decryption routine code varies from copy to copy), armoring (techniques used to prevent anti-virus researchers
from disassembling a virus) and multipartite infection (the ability to infect both programs and boot sectors).
1991
Symantec releases Norton Anti-Virus software.
In April, the Tequila virus is discovered. It is stealth, polymorphic and multipartite!
1992
Media mayhem greeted the Michelangelo virus in March.
Predictions of massive disruptions were made and anti-virus software sales soared. As it turned out, cases
of the virus were few and far between.
1993
The SatanBug virus appears around Washington DC. The anti-virus industry helped the FBI find the person
who wrote it - it was a kid.
Cruncher was considered a "good" virus because it compressed infected programs and gave users more
disk space.
1994
1995
Macro viruses appeared. These viruses worked in the MS-Word environment, not DOS.
1996
Concept, a macro-virus, becomes the most common virus in the world.
Boza, a weak virus, is the first virus designed for Windows 95.
Laroux is the first virus to successfully infect Microsoft Excel spreadsheets.
1999
The Melissa virus, a macro, appears.
2000
The "I Love You Virus" wreaks havoc around the world. It is transmitted by e-mail and when opened, is
automatically sent to everyone in the user's address book.
Boredom
Curiosity
Rebellion
Peer Pressure
Attracted to the rush of causing damage
Boot viruses: A virus that replaces or implants itself in the boot sector - an area of the hard drive (or any other
disk) accessed when you first turn on your computer. This kind of virus can prevent you from being able to boot
your hard disk.
Example 1: FORM
ALIAS: FORM_A
ORIGIN: Switzerland
INFECTION MECHANISM
Unlike most other boot sector viruses, Form infects the DOS boot sector on hard drives instead of the
Master Boot Record.
Form can only infect a hard disk when you try to boot the machine from an infected diskette. At that
time Form infects the hard disk's boot sector, and after that it goes resident in high DOS memory during every
boot-up from the hard disk. Once Form is resident in memory, it infects practically every non-write-protected
diskette used in the machine. Form creates bad sectors on the disks it infects.
Form activates on the 18th of any month.
SYMPTOMS
Form infects hard disks as well as floppies, and stores the rest of itself, as well as the original boot sector
on the last track of the hard disk, or in clusters marked as "bad" on a diskette. It contains the following text:
The FORM-Virus sends greetings to everyone who's reading this text.
FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
On the 18th of any month, it will cause a 'click' from the PC speaker every time a key is pressed.
*On most machines this activation routine will not be heard, because the routine will fail if a keyboard driver
(typically keyb.com) is loaded.
SOLUTION
If you have Form on a NTFS partition under NT, you need to repair the boot sector with a separate utility.
A free program called BOOTPART can do this easily with this command:
BOOTPART WINNT BOOT:C:
BOOTPART can be downloaded from ftp://ftp.F-Secure.com/misc/anti-vir/bootpa20.zip
Example 2: MICHELANGELO
INFECTION MECHANISM
When a Michelangelo-infected diskette is placed in the A: drive and the machine is booted, the virus is
loaded into memory from the infected floppy disk.
It then quickly infects the machine by moving the hard disk's original boot sector to another location on the
disk, and installs itself as the boot sector. From then on, any access to another disk spreads the virus to that
disk.
On March 6 of any year this virus will destroy all data on any disk from which the machine is booted. This
occurs by overwriting hard disk sectors 1-17, heads 0-3, tracks 0-255, or the entire diskette with random
characters, thus making recovery questionable at best.
SYMPTOM
CHKDSK reports "total bytes memory" 2048 bytes less than expected
SOLUTION
A backup prior to eradication will enable full recovery of all user data and programs.
ALIAS: Ogre
ORIGIN: USA
SOLUTION
Start looking for a recovery program; or
You can of course reformat the disk and restore everything from a backup, but it is not necessary
because the virus only encrypts everything on the disk, but does not actually destroy anything. At least,
this seems to have been the intention of the author, but there are a few errors in the encryption code,
which may make recovery impossible.
Program or File viruses: These infect executable program files, such as those with extensions like .BIN, .COM,
.EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution,
taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Example 1: SUNDAY
On each Sunday the virus displays one of the following messages at 30-minute intervals:
Today is SunDay! Why do you work so hard?
All work and no play make you a dull boy!
Come on! Let's go out and have some fun!
The variant is intended to delete every program as it is run. Software bugs prevent this from happening.
Example 2: CASCADE
Example 1: INVADER
INFECTION MECHANISM
Upon infection, the virus becomes memory resident as a low system memory Terminate-and-Stay
Resident (TSR). The TSR is 5,120 bytes and interrupts 08, 09, 13, and 21 are hooked.
At this time, the virus also infects the boot sector of the drive where the infected file was executed. The
new boot sector is an MS-DOS 3.30 boot sector, and can be easily identified because the normal DOS error
messages found in the boot sector are now at the beginning of the boot sector instead of the end.
Once the virus has become memory resident, any .COM or .EXE file opened is infected by the virus.
Additionally, any non-write protected diskettes which are exposed to the infected system will have their
boot sectors infected.
SYMPTOMS
The Invader virus activates after being memory resident for 30 minutes. At that time, a melody may be
played on the system speaker. On systems which play the melody, it will continue until the system is rebooted.
If the user presses CTRL-ALT-DEL to reboot the system, the first track of the system's hard disk is
overwritten with an unencrypted copy of the virus. The melody is not played on all systems, as it is configuration
dependent. The melody was originally composed by Mozart.
Example 2: FLIP
INFECTION MECHANISM
It attacks not only COM and EXE files but also the hard disk's MBR. When it is installed in memory it finds
the original addresses of the interrupt services by means of tunnelling, and attacks the MBR. Before the virus writes
its body, it encrypts it, each time with a different decryptor.
SYMPTOMS
The virus reveals itself as follows: on the second day of a month, after 4 o'clock in the afternoon, it
turns the contents of the screen upside down around an imaginary centre. The first line thereby becomes
the last one, and at the same time everything on the right side is moved to the left side.
When infecting the MBR the virus has difficulties with disks of capacity higher than 32 MB (at the time of its origin
such disks were rare); while manipulating the partition table it can reduce their size below 32 MB.
Example 3: TEQUILA
ALIAS: Stealth
ORIGIN: Switzerland
INFECTION MECHANISM
Tequila is a memory resident, encrypting, stealth, multi-partite virus. It infects Master Boot Record (MBR)
and .EXE files. Tequila uses a complex encryption method and garbling to avoid disassembly and detection.
Upon infection, the virus writes an unencrypted copy of itself to the last six sectors of the system hard disk
and modifies the hard disk MBR so that it is infectious. Tequila does not become memory resident at this
time, and does not infect files at this time.
Later, when the system is rebooted from the system hard disk, Tequila becomes memory resident. It is
located at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved,
preventing the virus from being overwritten in memory. Interrupts 13 and 21 are hooked by the virus.
SYMPTOMS
Tequila activates four months after the initial date of infection of the system hard disk. At that time, and
every month thereafter on the anniversary date, the virus displays a graphic and the following message:
"Execute: mov ax, FE03 / int 21.Key to go on!"
If the user executes a file containing this sequence of instructions, the following message which is found
on the last sectors of the system hard disk is displayed.
"... T.TEQUILA's latest production. Contact T.TEQUILA/P.o.Box 543/6312
St'hausen Switzerland. Loving thought to L.I.N.D.A. BEER and TEQUILA
forever !"
Systems infected with Tequila have file allocation errors detected with the DOS CHKDSK command when
the virus is memory resident. If CHKDSK is executed with the /F option, file corruption may result.
Total system memory and available free memory decreases 3,072 bytes. Infected .EXE files increase in
size by 2,468 bytes, but this increase is hidden when the virus is memory resident (Stealth techniques). The
virus is located at the end of infected files. The infected file's date and time in the disk directory are not altered.
Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head
to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s
size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus
subtracts the same number of bytes (9216) from the size given in the directory.
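The size-hiding described for Tequila (2,468 bytes) and Whale (9,216 bytes) can only be seen by comparing what the directory reports with the virus resident against what it reports after a clean boot from a write-protected diskette. The following is an added example, not code from the report, that compares two constructed DIR listings and also interprets the CHKDSK "total bytes memory" deficits the report quotes for Michelangelo, Tequila and Joshi; the expected DOS memory total of 655,360 bytes and the listing format are assumptions.

```python
import re

# Size increments the report gives for two stealth file infectors (Tequila: 2,468
# bytes appended to .EXE files; Whale: 9,216 bytes), keyed by the byte delta.
KNOWN_SIZE_DELTAS = {2468: "Tequila", 9216: "Whale"}

# Memory the report says each resident virus takes from conventional DOS memory
# (CHKDSK shows "total bytes memory" that much lower than the expected 655,360).
KNOWN_MEMORY_DEFICITS = {2048: "Michelangelo", 3072: "Tequila", 6144: "Joshi"}

# One DIR output line: NAME EXT SIZE DATE TIME (header and volume lines do not match)
DIR_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([\d,]+)\s+(\S+)\s+(\S+)$")


def parse_dir(listing):
    """Map FILE.EXT -> size in bytes from the text of a DOS DIR listing."""
    files = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            files[f"{m.group(1)}.{m.group(2)}"] = int(m.group(3).replace(",", ""))
    return files


def size_discrepancies(resident_listing, clean_listing):
    """Compare sizes seen with the suspect system running against sizes seen after a
    clean boot; return {file: (resident_size, clean_size, delta, suspected_virus)}."""
    resident, clean = parse_dir(resident_listing), parse_dir(clean_listing)
    findings = {}
    for name in resident.keys() & clean.keys():
        delta = clean[name] - resident[name]  # stealth hides the growth, so clean > resident
        if delta:
            findings[name] = (resident[name], clean[name], delta,
                              KNOWN_SIZE_DELTAS.get(delta, "unknown"))
    return findings


def memory_deficit(reported_total, expected_total=655360):
    """Interpret CHKDSK's "total bytes memory": return (missing_bytes, suspected_virus)."""
    missing = expected_total - reported_total
    return missing, KNOWN_MEMORY_DEFICITS.get(missing, "none" if missing == 0 else "unknown")


# Constructed listings for demonstration, not captures from a real infected machine.
RESIDENT_LISTING = """\
 Volume in drive C has no label
 Directory of C:\\DOS

FORMAT   COM     22,923  04-09-91  5:00a
EDIT     EXE        413  04-09-91  5:00a
QBASIC   EXE    254,799  04-09-91  5:00a
"""
CLEAN_LISTING = """\
FORMAT   COM     22,923  04-09-91  5:00a
EDIT     EXE      2,881  04-09-91  5:00a
QBASIC   EXE    264,015  04-09-91  5:00a
"""

if __name__ == "__main__":
    for name, info in sorted(size_discrepancies(RESIDENT_LISTING, CLEAN_LISTING).items()):
        print(name, info)
    print(memory_deficit(652288))
```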
Example 1: FRODO
INFECTION MECHANISM
The virus has a very odd way of finding out whether a file it intends to attack is executable: it
computes a checksum of the file extension. As a result the virus can also attack files with other
extensions (e.g. *.MEM, *.BMP, *.LOG, *.TBL, *.PIF). When the virus successfully attacks a file it marks it by
increasing the year in the file's date stamp by 100 and setting the seconds to the nonsensical value 62.
The virus's stealth is almost perfect, but when CHKDSK is run while the virus is present in memory, CHKDSK
detects a disagreement between the number of blocks allocated for the infected file and its length. The virus
restores the original length of the file as well as its original time and date. When the file is opened the virus
disinfects it, and when the file is closed the virus infects it again.
SYMPTOM
After September 22 the virus writes code into the hard disk MBR. This code should display the following text
on the monitor:
FRODO LIVES!
(The text should be surrounded by moving rectangles.)
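Frodo's marker (year + 100, seconds = 62) lives in the 16-bit date and time fields of the FAT directory entry, where the seconds field is stored in 2-second units. The following is an added example, not code from the report: it decodes those fields and flags marked entries; the directory entries are constructed and the 32-byte FAT entry layout is assumed.

```python
import struct

# FAT directory entry layout (32 bytes): name(8) ext(3) attr(1) reserved(10)
# time(2) date(2) first cluster(2) size(4), all little-endian.
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")


def decode_dos_date(word):
    """DOS date word: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def decode_dos_time(word):
    """DOS time word: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_dos_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def encode_dos_time(hour, minute, seconds):
    # 62 seconds encodes as 31, the highest value the 5-bit field can hold
    return (hour << 11) | (minute << 5) | (seconds // 2)


def parse_dir_entry(entry):
    name, ext, attr, _, time_word, date_word, cluster, size = DIR_ENTRY.unpack(entry)
    return {
        "name": name.decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip(),
        "date": decode_dos_date(date_word),
        "time": decode_dos_time(time_word),
        "size": size,
    }


def frodo_marked(info, current_year):
    """True when the entry carries Frodo's marker: a seconds field of 62 (legitimate
    timestamps never exceed 58) or a year far in the future (Frodo adds 100 to the
    original year; 50 years of margin tolerates an ordinary clock error)."""
    year = info["date"][0]
    seconds = info["time"][2]
    return seconds == 62 or year - current_year >= 50


def make_entry(name, ext, date_word, time_word, size):
    """Build a constructed directory entry (attribute 0x20 = archive, first cluster 2)."""
    return DIR_ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                          0x20, b"\x00" * 10, time_word, date_word, 2, size)


# Constructed entries: a clean file dated 1990 and one carrying the Frodo marker.
CLEAN_ENTRY = make_entry("COMMAND", "COM", encode_dos_date(1990, 6, 15),
                         encode_dos_time(12, 0, 0), 47845)
MARKED_ENTRY = make_entry("EDIT", "COM", encode_dos_date(2090, 6, 15),
                          encode_dos_time(12, 0, 62), 413)

if __name__ == "__main__":
    for raw in (CLEAN_ENTRY, MARKED_ENTRY):
        info = parse_dir_entry(raw)
        verdict = "FRODO MARKER" if frodo_marked(info, 1990) else "ok"
        print(info["name"], info["date"], info["time"], verdict)
```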
Example 1: JOSHI
INFECTION MECHANISM
After a system has been booted from a Joshi-infected diskette, the virus will be resident in memory. Joshi
takes up approximately 6K of system memory, and infected systems will show that total system memory is 6K
less than is installed if the DOS CHKDSK program is run.
SYMPTOMS
On January 5th of any year, the Joshi virus activates. At that time, the virus will hang the system while
displaying the message:
"type Happy Birthday Joshi"
If the system user then types "Happy Birthday Joshi", the system will again be usable.
Systems infected with Joshi may experience problems when attempting to access programs or data files
on write-protected diskettes.
DETECTION
This virus may be recognized on infected systems by powering off the system and then booting from a
known-clean, write-protected DOS diskette. Using a sector editor or viewer to look at the boot sector of
suspect diskettes, if the first two bytes of the boot sector are hex EB 1F, then the disk is infected. The EB 1F
is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 40, sectors 1
through 5 on 360K 5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 80,
sectors 1 through 5. It will also be located on the last track of 3.5" diskettes.
To determine if a system's hard disk is infected, you must look at the hard disk's master boot sector. If the
first two bytes of the master boot sector are EB 1F hex, then the hard disk is infected. The remainder of the
virus can be found at cylinder 0, side 0, sectors 2 through 6. The original master boot sector will be located at
cylinder 0, side 0, sector 9.
SOLUTION
The Joshi virus can be manually removed from an infected system by first powering off the system and
then booting from a known-clean, write-protected master DOS diskette. If the system has a hard disk, its
data and program files should be backed up, and the original master boot sector copied back from cylinder 0,
side 0, sector 9 to cylinder 0, side 0, sector 1. Joshi is easier to remove from diskettes: the DOS SYS command
can be used. There are also several disinfector programs available.
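The DETECTION and SOLUTION steps above amount to three checks on raw sectors: the EB 1F short jump at offset 0, the virus body at cylinder 0, side 0, sectors 2 through 6, and the saved original MBR at sector 9 that is copied back over sector 1. The following is an added example, not code from the report, that performs those checks on a constructed 16-sector disk image; the disk geometry (4 heads, 17 sectors per track) and the contents of the sample sectors are assumptions.

```python
import struct

SECTOR = 512
JOSHI_JUMP = b"\xEB\x1F"       # first two bytes of a Joshi-infected boot sector / MBR
BOOT_SIGNATURE = b"\x55\xAA"   # a well-formed boot sector ends with 55 AA

# Where the report says the rest of the virus lives on diskettes: (track, first sector, last sector)
VIRUS_BODY_LOCATION = {"360K": (40, 1, 5), "1.2M": (80, 1, 5)}


def chs_to_lba(cyl, head, sector, heads, spt):
    """Translate cylinder/head/sector (sectors count from 1) to a 0-based sector index."""
    return (cyl * heads + head) * spt + (sector - 1)


def read_sector(image, index):
    return image[index * SECTOR:(index + 1) * SECTOR]


def jump_target(sector):
    """Decode the EB rel8 short jump at offset 0: the target is 2 + signed displacement."""
    return 2 + struct.unpack("b", sector[1:2])[0]


def is_joshi_sector(sector):
    return len(sector) == SECTOR and sector[:2] == JOSHI_JUMP and sector[-2:] == BOOT_SIGNATURE


def check_hard_disk(image, heads=4, spt=17):
    """Inspect the MBR; when it carries the Joshi stub, locate the saved original MBR at
    cylinder 0, side 0, sector 9 and confirm it is a usable sector to copy back."""
    mbr = read_sector(image, 0)
    report = {"infected": is_joshi_sector(mbr), "original_mbr_lba": None, "original_mbr_valid": False}
    if report["infected"]:
        lba = chs_to_lba(0, 0, 9, heads, spt)
        original = read_sector(image, lba)
        report["original_mbr_lba"] = lba
        report["original_mbr_valid"] = original[-2:] == BOOT_SIGNATURE and original[:2] != JOSHI_JUMP
    return report


def restore_mbr(image, heads=4, spt=17):
    """Return a copy of the image with the saved original MBR written back over sector 0
    (the manual clean-up the report describes); unchanged if the image is not infected."""
    report = check_hard_disk(image, heads, spt)
    if not (report["infected"] and report["original_mbr_valid"]):
        return image
    original = read_sector(image, report["original_mbr_lba"])
    return original + image[SECTOR:]


def make_boot_sector(first_two):
    """Constructed 512-byte sector: the given first two bytes, zero filler, 55 AA trailer."""
    return first_two + b"\x00" * (SECTOR - 4) + BOOT_SIGNATURE


def constructed_infected_image():
    """Constructed 16-sector image laid out as the report describes: Joshi stub in sector 0,
    virus body in C0/H0/S2-6 (LBA 1-5), original MBR saved at C0/H0/S9 (LBA 8)."""
    sectors = [make_boot_sector(JOSHI_JUMP)]
    sectors += [b"\x90" * SECTOR] * 5            # stand-in for the virus body
    sectors += [b"\x00" * SECTOR] * 2
    sectors += [make_boot_sector(b"\xFA\x33")]   # a clean MBR typically starts with cli / xor ax,ax
    sectors += [b"\x00" * SECTOR] * 7
    return b"".join(sectors)


if __name__ == "__main__":
    image = constructed_infected_image()
    print(check_hard_disk(image))
    print(check_hard_disk(restore_mbr(image)))
```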
Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each
infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or
template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects
the Normal template (Normal.dot), a general-purpose file that stores default document formatting settings. Every
document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus
attaches itself to documents, the infection can spread if such documents are opened on other computers.
Example 1: MELISSA
Trojan horses: A Trojan horse is simply a computer program. The program claims to do one thing (it may claim
to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way
to replicate automatically.
Example 1: AIDS
Worms: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A
copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the
new machine using the security hole, and then starts replicating from there, as well.
Example 1: “ILOVEYOU”
The password stealing trojan is also installed via the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to autorun at system startup. After it has been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE
This virus runs only if Windows Scripting Host is installed. Running the e-mail attachment, whether accidentally
or intentionally, installs the virus on the local system and on all available drives, sends it out as an e-mail
attachment and, if an IRC client is installed, spreads it via IRC as well.
Hoaxes: The virus hoax sends out fake warnings rather than real viruses. They do a great deal of damage to the
Internet as a whole. Not only do they slow down traffic and clog up email servers, but they also cause people to
panic.
I called Microsoft and this is for real. They are mailing me a Y2K update CD which is not available on the Web.
Paul B.
----------
You may or may not need these numbers, but pass it on to people who do!
Windows 95 and 98 both need CD's to ready them for y2k. I called the numbers and it's TRUE.
For no charge they mail you what is needed....the MS lady told me it makes them MORE y2k compliant or
something like that....so I sent for one for my neighbor too, they don't mind sending more than 1 in a package.
Here is the info. she sent me below:
Notice to anyone running Windows 98 - it is NOT year 2000 compliant. Call Microsoft at 1-888-219-1302 to
order the upgrade on CD-ROM. [Windows 95 see below]
When you call, do not use the digital telephone number access. STAY on the line until the recording is done,
and you'll get an operator to take your order..
If you are using Windows 95 you must call 1-888-673-8925, option # 4 for 2000 update, which is free.
A HOAX MESSAGE ABOUT A QUICK Y2K FIX APPEARED. IT IS IMPOSSIBLE TO MAKE A COMPUTER Y2K COMPLIANT
BY JUST MODIFYING SOME SETTINGS IN WINDOWS. HERE IS WHAT THE HOAX MESSAGE LOOKS LIKE:
Hey all,
If you haven't heard of this, you need to do it. It is simple and quick. Send it to everyone else you know.
I received this and checked my computer and found it to be set up to fail. I recommend you check and fix your
computers. If you are running Windows, this is a fix for a small Y2K problem almost everyone should do. After
running this quick little test, much to my surprise, I learned that my computer would have failed on 01-01-2000
due to a computer clock glitch.
Fortunately, a quick fix is provided, should your computer fail the test. I submit the following for your
consideration:
TEST
1. Double click on "My Computer".
2. Double click on "Control Panel".
3. Double click on "Regional Settings" icon.
4. Click on the "Date" tab at the top of the page.
5. Where it says, "Short Date Sample", look and see if it shows a "two digit" year. Of course it does. That's the
default setting for Windows 95, Windows 98 and NT. This date RIGHT HERE is the date that feeds application
software and WILL NOT rollover in the year 2000. It will roll over to 00.
NOW TO FIX IT :
6. Click the drop-down arrow to the right of "Short Date Style"
7. Select the option mm/dd/yyyy. (Be sure your selection has four Y's, not two)
8. Click "OK"
Easy enough to fix. However, every single installation of Windows worldwide is defaulted to fail Y2K rollover.
Makes you wonder. Please feel free to pass this on to your friends and associates.
Hi All -
I think you all know that I don't send out hoaxes and don't do the reactionary thing and send out anything that
crosses my path. This one, however, is a friend of a friend and I've given it enough credibility in my mind that
I'm writing it up and sending it out to all of you. My friend's friend was dating a guy from Afghanistan up until a
month ago. She had a date with him around 9/6 and was stood up. She was understandably upset and went
to his home to find it completely emptied. On 9/10, she received a letter from her boyfriend explaining that he
wished he could tell her why he had left and that he was sorry it had to be like that. The part worth mentioning
is that he BEGGED her not to get on any commercial airlines on 9/11 and not to go to any malls on Halloween.
As soon as everything happened on the 11th, she called the FBI and has since
turned over the letter.
This is not an email that I've received and decided to pass on. This came from a phone conversation with a
long-time friend of mine last night. I may be wrong, and I hope I am. However, with one of his warnings being
correct and devastating, I'm not willing to take the chance on the second and wanted to make sure that people
I cared about had the same information that I did.
__________________________________
FURTHER VERSIONS
My friend Colleen arrived for a facial when FBI agents were leaving Murad on Sunday, October 7, 2001. They
were there to interrogate a girl who worked there to find out if she knew anything. The reason for their lead
was she was best-friends with a girl who was dating an Arab man, who disappeared and was involved in the
terrorist attacks on the WTC. He disappeared this summer and left her a note, saying the following in the
effect of: "I have to go away and will not be able to see you again. Please do me a favor and do not fly in any
planes on September 11, 2001 nor shop at any shopping malls on October 31, 2001 ......... "
Don't know about you but I live across the street from a shopping mall, and my in-laws do too. Given my
daughter is usually at their house on a Wednesday afternoon, right near the mall, am thinking of where else to
go.
Please send this to anyone that you know. Let's hope this isn't for real, but since it was actually left in a letter
to a loved one from one of the people involved in the attacks of September 11, 2001, I am not taking it too
lightly.
Active X: ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to
control their web browser to enable or disable the various functions, like playing sound or video, and so, by
default, leave a large hole in their security by allowing applets free run of their machine. There has been a lot
of commotion about this, and with the amount of power that Java imparts, things look a bit gloomy from the
security angle.
Spyware: Spyware are programs, cookies, or registry entries that track your activity and send that data off to
someone who collects this data for their own purposes. Usually, those people are marketing companies trying to
collect information to help them sell better.
Spyware is usually installed quietly, or even secretly, when you install shareware applications.
Many people feel that spyware is a violation of their privacy.
Example 1: CoolWebSearch
Example 2: DyFuCa
Example 4: HUNTBAR