
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-->]OO[:[ Computer Virii ]::::::[OO--[ by [JaSuN] ]--[ jasun@phreaker.net ]::


-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
--oOo--> Computer Virii And Other Malicious Programs
---------------------------------------------------
--oOo--> Main Article Introduction
--oOo--> Introduction To Virii
--oOo--> What Can Be Affected
--oOo--> Virus Threat
--oOo--> Types Of Virii
         --* Boot Sector
         --* File Infecting
         --* Multi-Partite
         --* Polymorphic
         --* Stealth
--oOo--> Worms
--oOo--> Trojan Horses
--oOo--> Logic Bombs
--oOo--> Legal Issues
--oOo--> Conclusion
--oOo--> Disclaimer
=============================================

Main Article Introduction:
==========================
In this article I will explain the different types of destructive computer
programs that exist and the problems they can cause. People often confuse the
terms commonly used for them, so you should have a more accurate idea of what
each one means by the time you have finished reading this article.
Introduction To Virii:
======================
A virus is a program that runs when an infected host program is run, so it
can only live in files that get executed or interpreted. That fact alone
confuses many people: some assume that any file can be infected, which is not
the case. On Windows based systems the obvious hosts are files with the
extensions .exe and .com, but anything the system will run is a candidate,
including .bat files, which can be modified to run arbitrary commands, and
documents that carry macros.
A virus infects other programs with a copy of itself. Each copy has the
ability to clone itself in turn, so the virus multiplies, constantly seeking
new files to infect. The most harmless Virii do nothing but multiply,
replicating and spreading onto new, uninfected computer systems.
More dangerous Virii not only replicate themselves, they also damage or
modify other programs and data. These Virii are more than annoying, as they
can cause data loss and are more time consuming to remove. When a virus
starts causing damage to a system, it has activated its built in payload.
Some Virii have a very dangerous payload, others are just designed to be
annoying, by displaying a message on screen or playing a funny sound.
Virus programs and other malicious programs are often very small, sometimes
only a few kilobytes or even a few hundred bytes in size. A small virus adds
little to the size of its host, so the change is easy to miss, and it gives
a scanner very little code to recognise. Virii can infect any computer; it
makes no difference whether it is a laptop or a network server. Different
Virii exist for different Operating Systems, there are Virii for all of
them, although more exist for Windows than for any other.
Once a virus has been written, it can be distributed very easily by the
author, and the main means of doing this today is the Internet. Once on the
Internet it is available to anybody, either to distribute to others knowing
what it is, or by accident. The Internet is not the only way for a new virus
to spread. It may be given to people on disk, who then use it on a computer
that is on a company network, for example.
These factors make it harder to trace the virus back to the author, or to
the person who actually released it to the public. Once a virus is active on
a host computer it can spread across large networks. One of the main
protections against this is good Anti Virus software. If the virus is
detected before its payload is released, or before it is able to spread, the
outcome will be far better than if the virus had discharged its payload.
Virii enter computer systems from external sources, so Virii are made to be
attractive. An example would be a new application that is available for
download from the Internet. People download it, run the installation
program, and the new virus is loose on their system. During the time in
which the virus is not yet detected by conventional Anti Virus software, it
may cause a lot of damage. For this reason it is important to keep the
signature database that the anti viral software uses up to date.
A virus can be programmed to activate straight away, or it can be made to
lie dormant for a certain period of time, until a certain date or action
triggers it. There are many other variations that can be used to activate a
virus or its payload. A trigger of this kind is what the Logic Bomb section
below describes.
There are a lot of ways a virus can spread, although some methods are more
common than others. For example, if you download a piece of software from
the Internet, then take it into work on a disk without checking it for
infection, you risk infecting the company network.
Even if the downloaded software was in fact clean, it could still become
infected once it is on your computer. Floppy disks were the main method of
transporting Virii; today they are used less, because with the constantly
expanding Internet, files can be sent quickly and easily by email.
What Can Be Affected:
=====================
A number of conditions need to be in place for a virus infection to take
place. For example, the file must be:
****-> Executable
****-> Stored on a write-enabled disk
****-> Writable itself (not marked read-only)
Write protecting a disk can stop some infections, but at some point you will
want to write to the disk, so you would need to remove the write protection.
At that point the files on the disk are open to being written to.
In the case of a Hard Disk Drive it is not an option to write protect it, as
the operating system needs to write to it. The nearest equivalent is to set
the read only attribute on executable files, although a virus running with
the user's privileges can simply clear that attribute before it infects.
This is not the only protection; the most important step is the anti virus
software. If a virus attaches itself to a file, the file size changes and so
does the checksum of the file. An integrity checker that records the size
and checksum of each executable and compares them later will notice both,
even for a virus the scanner has no signature for.
Some Virii intercept file reads while they are resident in memory, so the
file appears unchanged and reports the checksum it should have; that test is
bypassed unless the check is run from a clean boot. Another difficult
location to detect a virus is the first physical sector of a Hard Disk Drive,
which holds the Master Boot Record and the partition table. (The File
Allocation Table, or FAT, is a separate structure inside each DOS partition,
not the first sector of the disk.)
Virus Threat:
=============
Some people have never encountered a virus infection or seen any evidence of
what an infection has done to anybody. Some people who use anti-virus
scanning software have never had a warning about an infection either. So is
this problem overstated, or is the threat as big as the anti-virus scene
makes it out to be?
There are Virii out there, and the threat is large if you don't take the
correct precautions. The real problem is that once a virus is released into
the computing world, it remains a problem as long as one copy exists. As
Virii replicate, one copy of a virus can literally turn into thousands.
If the threat is so big, where are all the reports of virus attacks? A few
hit the news, but most never make it into the headlines unless they cause a
lot of damage or spread rapidly. Most companies don't like to report their
encounters with Virii, as they don't want it broadcast publicly.
There are opinions that anti-virus companies release the Virii into the
community to help sell their products. Some people will agree with this, but
if you are into the virus scene you will know that this is for the most part
not true, as if you are in the scene you will know people who code and
release Virii, either for educational purposes or to cause infections.
Either way, the virus programmers will continue to release Virii and the
anti-virus community will continue to make a large amount of money from it.
Usually the virus programmers get a sense of power when they know that their
new virus is out there, undetected by commercial software. In one respect it
is a fight in which the virus programmers try to beat the anti-virus
companies by releasing a virus that stays undetected for a long period of
time.
Types Of Virii:
===============
There are a number of types of Virii that can infect computer systems.
The more common types are:
****-> Boot Sector
****-> File Infecting
****-> Multi-Partite
****-> Polymorphic
****-> Stealth
Boot Sector Virii:
==================
Boot sector Virii infect the code that runs first when a disk is booted:
the boot sector of a floppy or partition, or the master boot record (MBR)
in the first sector of a hard disk, which also holds the partition table.
Firstly, the original boot sector is overwritten or moved. If moved, it is
placed in another sector of the disk, which is then marked as bad so that it
will not be used in the future; the virus runs first and then passes control
to the original code, so the machine still appears to boot normally. A boot
sector virus can be difficult to detect, since they are usually programmed
well and the boot sector is read and executed before any operating system or
scanner has been loaded.
At the time of writing, three out of every four reported infections were
boot sector Virii. The usual way to become infected with a boot sector virus
is to boot the computer with an infected floppy disk in the floppy drive;
the disk does not need to be a system disk, as every formatted floppy has a
boot sector that the BIOS will execute. The boot sector is better protected
now by built in protection in the BIOS, which warns you if anything tries to
modify it. As the boot sector is usually only modified when a new operating
system is installed, if your BIOS warns you that the boot sector is about to
be modified you should run a complete anti virus scan and make sure you have
the latest updates for your scanner.
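To make the MBR concrete, here is an added example in Python, not code from the original article: a small parser for the 512-byte master boot record that checks the 55 AA boot signature, reads the four partition entries, and compares the boot code against a trusted copy, which is how an overwritten boot sector shows up. The MBR bytes are constructed for the demo, not read from a real disk; on a real machine the 512 bytes would be sector 0 of the drive, read from a clean boot so that a resident virus cannot hand back the original sector.

```python
"""Parse a 512-byte master boot record and compare it against a trusted copy.

Added example, not from the original article. The sample MBR bytes below are
constructed for illustration, not captured from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = 0xAA55       # last two bytes, stored little-endian as 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    (signature,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype != 0:                       # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == BOOT_SIGNATURE,
    }


def compare_mbr(trusted: bytes, current: bytes) -> list:
    """Return human-readable differences; an empty list means no change."""
    t, c = parse_mbr(trusted), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 55 AA missing")
    if t["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if t["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable FAT16 partition (demo data)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # status 0x80 = bootable, type 0x06 = FAT16, start LBA 63, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x0c", 63, 204800)
    table = entry + b"\x00" * 48             # three empty entries
    return code + table + struct.pack("<H", BOOT_SIGNATURE)


# Constructed: a "known good" MBR and one whose boot code has been replaced.
TRUSTED_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = build_sample_mbr(b"\xeb\x1f\x90" + b"INFECTED-SAMPLE")

if __name__ == "__main__":
    for finding in compare_mbr(TRUSTED_MBR, INFECTED_MBR):
        print("WARNING:", finding)
```

A trusted copy taken when the machine was known to be clean is the whole basis of this check, so store it off the machine. A virus that relocates the original sector and marks it bad will still show up as "boot code changed", because the code in sector 0 is no longer the code that was baselined.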
File Infecting Virii:
=====================
These Virii infect executable files, which have the extensions of .exe and
.com, and they are usually memory resident. Some file infecting Virii are
programmed to infect only *.com or only *.exe files, and others are designed
to infect only files with certain letters in their names, for example. Like
boot sector Virii, they work by diverting the program's entry point to their
own code: the virus body is written into the file (prepended, appended or
placed in a gap), the original start of the program is saved, and when the
virus has run it passes control back so the host program appears to work
normally.
The size of the infected file usually increases after that process, which
makes detection easier in some cases, as anti-virus software could alert you
that the size of the file has changed even if it does not recognise the
particular virus.
Some Virii also hide in files the scanner does not look at until a later
date, as some anti-virus scanner software only checks files with the
extensions .exe or .com. Most newer software is more advanced and you can
configure it to scan whichever file types you want.
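The size and checksum test described under What Can Be Affected, and the file size increase described above, can both be automated with an integrity checker. The following is an added example in Python, not code from the original article: it records the size and SHA-256 of every executable under a directory and later reports files whose size or hash changed, plus files that appeared or vanished. The files it creates are constructed test data, and treating .exe, .com and .bat as the executable set is an assumption for the demo. The stealth caveat from the earlier section applies: run the comparison from a clean boot, because a resident stealth virus can hand the checker the original bytes.

```python
"""Baseline-and-compare integrity check for executables.

Added example, not from the original article. Records size and SHA-256 of
each executable, then reports anything whose size or hash changed, the two
signs of a file infector. Demo files are constructed in a temp directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".bat"}   # assumption: what counts as executable


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every executable under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            baseline[str(p.relative_to(root))] = {"size": p.stat().st_size,
                                                   "sha256": file_digest(p)}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return {'modified': [...], 'added': [...], 'missing': [...]} vs. the baseline."""
    current = build_baseline(root)
    modified = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            continue                         # reported under 'missing' below
        if new["size"] != old["size"] or new["sha256"] != old["sha256"]:
            modified.append(rel)
    return {"modified": sorted(modified),
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}


def demo() -> dict:
    """Create two 'executables', baseline them, append bytes to one, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for programs; the bytes are not real executables.
        (root / "EDIT.COM").write_bytes(b"\xb4\x4c\xcd\x21")
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "README.TXT").write_text("not executable, ignored by the baseline")
        baseline = build_baseline(root)
        # Simulate an appending infector: the host grows, so size and hash change.
        with (root / "GAME.EXE").open("ab") as f:
            f.write(b"APPENDED-SAMPLE-CODE")
        (root / "NEW.COM").write_bytes(b"\xc3")   # a new executable, not baselined
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline somewhere the virus cannot reach (write-protected media or another machine), otherwise an infector that rewrites the baseline after itself defeats the check. A hash catches the cavity infector that fills a gap without changing the size, which is why both fields are compared.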
Polymorphic Virii:
==================
Polymorphic Virii are probably the most advanced Virii of all. They change
their appearance with each infection, which makes them much harder to
detect. They usually carry the body in encrypted form with a small
decryption routine in front of it, which hides the body from string based
scanners and also acts as an anti-debugging mechanism, to slow down
anti-virus companies working out how the virus infects and to stop people
taking the code without permission from the author and using it in their
own Virii.
Not only do they encrypt, they also change the key and the encryption
routine with each infection, so that no fixed byte string is common to all
copies. This makes detection more difficult, so anti-virus software must be
able to perform algorithmic scanning, emulating or analysing the decryption
routine to recover the body, as well as string based scanning, to
successfully detect an infection by a Polymorphic virus.
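The difference between string scanning and algorithmic scanning is easiest to see on a toy. The following is an added example in Python, not code from the original article and not based on any real virus: the "body" is an inert text string, the cipher is a single-byte XOR, and the two decryptor "stubs" are made-up byte layouts that carry the key and length in different positions. Each generation picks a fresh key and a fresh stub layout, so a signature taken from the plain body never matches the stored bytes, while a scanner that parses the stub, undoes the XOR and hashes the result recognises every generation.

```python
"""Why a byte signature fails against a polymorphic body and emulation works.

Added example, not from the original article. The 'payload' is inert text,
the cipher is a toy XOR and the stub layouts are invented for illustration.
"""
import hashlib
import random

BODY = b"SAMPLE BODY: inert text standing in for virus code"

# Two interchangeable decryptor stubs: different byte layouts carrying the
# same (key, body length) information. A real polymorphic engine would also
# vary registers, instruction order and junk code; two layouts suffice here.
STUB_FORMATS = {
    0: lambda key, n: bytes([0xE8, key, n & 0xFF]),        # layout A: tag,key,len
    1: lambda key, n: bytes([0x90, n & 0xFF, 0x90, key]),  # layout B: nop,len,nop,key
}


def _parse_stub(sample: bytes):
    """Recover (key, body length, stub size) from whichever layout is present."""
    if sample[0] == 0xE8:
        return sample[1], sample[2], 3
    if sample[0] == 0x90 and sample[2] == 0x90:
        return sample[3], sample[1], 4
    raise ValueError("unknown stub layout")


def make_variant(rng: random.Random) -> bytes:
    """One new generation: fresh non-zero key, fresh stub layout, encrypted body."""
    key = rng.randrange(1, 256)
    layout = rng.choice(list(STUB_FORMATS))
    stub = STUB_FORMATS[layout](key, len(BODY))
    return stub + bytes(b ^ key for b in BODY)


def string_scan(sample: bytes, signature: bytes) -> bool:
    """Classic signature scanning: look for fixed bytes in the file as stored."""
    return signature in sample


def algorithmic_scan(sample: bytes, body_sha256: str) -> bool:
    """Emulate the decryptor, then compare the recovered body to a known hash."""
    try:
        key, n, stub_len = _parse_stub(sample)
    except (ValueError, IndexError):
        return False
    plain = bytes(b ^ key for b in sample[stub_len:stub_len + n])
    return hashlib.sha256(plain).hexdigest() == body_sha256


def evaluate(generations: int = 50, seed: int = 7) -> dict:
    """Count detections by each method over many generations of the toy."""
    rng = random.Random(seed)
    signature = BODY[:12]                       # signature taken from the plain body
    body_hash = hashlib.sha256(BODY).hexdigest()
    variants = [make_variant(rng) for _ in range(generations)]
    return {
        "variants": generations,
        "distinct_encodings": len(set(variants)),
        "string_hits": sum(string_scan(v, signature) for v in variants),
        "algorithmic_hits": sum(algorithmic_scan(v, body_hash) for v in variants),
    }


if __name__ == "__main__":
    print(evaluate())
```

The only thing every generation shares is the behaviour of its stub, which is exactly what the real anti-virus emulators of the period latched onto: run the first few instructions in a sandbox until the body is in the clear, then scan that.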
Stealth Virii:
==============
These Virii attempt to hide from the Operating System and any installed
anti-virus scanning software. To achieve this the virus stays resident in
memory (as a TSR) and hooks the system calls used to read files and
directories, so that when a scanner reads an infected file it is shown the
original size and contents. By staying in memory it can also make changes
to files and directories easily.
As the virus is memory resident there is less memory available to the
system, although this type of virus is usually small, so it does not take up
much. Good anti-virus software will detect and remove resident Virii from
memory, which needs to be done (or the machine booted from a clean, write
protected disk) before the disk based components of the virus can be seen
and removed.
Multi-Partite Virii:
====================
These Virii infect both the boot sector and executable files. They are among
the most difficult to remove, as they combine techniques from the other
types of Virii: cleaning only the files leaves the boot sector to reinfect
them, and cleaning only the boot sector leaves infected files to reinfect
it. The damage caused by an infection of this type can be the most severe,
sometimes causing a total loss of data on the computer. Some of the more
advanced Virii can also spread over a network, which, combined with the
other techniques used to avoid detection and removal, can cause a company
network to grind to a halt. For this reason it is always a good idea to keep
important data backed up, as it is better to be safe than sorry.
Introduction To Worms:
======================
Apart from Virii, there are a number of other programs that are designed to
be destructive to computer systems. Worms may also be programmed to alter or
destroy data, but their main difference from Virii is that they spread on
their own by exploiting holes in operating systems and network services in
order to gain access to other hosts. They do replicate, but they do not
need a user to run an infected program or carry a floppy disk from machine
to machine.
The damage that worms can cause can be just as serious as a virus attack,
especially if they are not discovered in time. For example, a worm could be
programmed to exploit a hole in mountd to gain access to a vulnerable host.
Firstly, the worm would have to be released on one system. From there it
could scan an IP subnet and find hosts that are open to being exploited.
Once into a system it could patch the hole that let it in, so that nobody
else gets the same way in, then backdoor the system and start scanning
another address range. It could also email a list of exploited hosts to an
account set up by the author, or by whoever released it.
This process of replication continues as long as there are hosts left to
exploit. Considering that a lot of systems are not patched against new
exploits straight away, a new worm that uses a new hole would have quite a
field day.
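The subnet scanning step above is the part of a worm that is visible from the network, and it is what a defender can detect before the exploit is identified. The following is an added example in Python, not code from the original article: it reads connection log lines and flags any source that touches many distinct hosts on one destination port within a minute, then lists the targets that accepted the connection, since those are the hosts to check for compromise first. The log lines are constructed for the demo, the line format (timestamp, source, destination, port, action) is an assumption rather than any real firewall's format, and port 111 is the portmapper, which is where a client would ask for mountd's port.

```python
"""Flag hosts sweeping a subnet on one port, the propagation pattern of a worm.

Added example, not from the original article. Log lines are constructed;
the "timestamp src dst dport action" format is an assumption for the demo.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed log: one worm-like sweep plus some ordinary browsing."""
    lines = []
    # Worm-like: 10.0.5.20 probes 40 consecutive hosts on 111 within 40 seconds;
    # only one target (10.0.7.9) actually answers.
    for i in range(1, 41):
        action = "ACCEPT" if i == 9 else "DROP"
        lines.append(f"2000-01-01T00:00:{i % 60:02d} 10.0.5.20 10.0.7.{i} 111 {action}")
    # Benign: a workstation talking to three servers on web ports.
    for host, port in (("10.0.7.9", 80), ("10.0.7.10", 443), ("10.0.7.11", 80)):
        lines.append(f"2000-01-01T00:00:05 10.0.5.31 {host} {port} ACCEPT")
    return lines


def parse_line(line: str):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_sweeps(lines, threshold: int = 16,
                  window: timedelta = timedelta(seconds=60)) -> list:
    """Return one finding per (src, dport) that reached `threshold` distinct
    destinations inside any sliding `window`; include targets that ACCEPTed."""
    by_key = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, action = parse_line(line)
        by_key[(src, dport)].append((ts, dst, action))

    findings = []
    for (src, dport), events in by_key.items():
        events.sort()
        win, seen, peak = deque(), Counter(), 0
        for ts, dst, _action in events:
            win.append((ts, dst))
            seen[dst] += 1
            while win and ts - win[0][0] > window:   # slide the window forward
                old_ts, old_dst = win.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= threshold:
            responders = sorted({d for _, d, a in events if a == "ACCEPT"})
            findings.append({"src": src, "dport": dport,
                             "distinct_targets": peak, "responders": responders})
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(build_sample_log()):
        print(f"{f['src']} swept {f['distinct_targets']} hosts on port {f['dport']}; "
              f"answered by: {', '.join(f['responders']) or 'none'}")
```

Counting distinct destinations rather than raw packets keeps a busy but legitimate client from tripping the rule, and the threshold and window are the knobs to tune against your own traffic. The "responders" list is the triage list: a host that answered on the probed port is the one the worm may already be inside.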
Introduction To Trojan Horses:
==============================
A Trojan Horse is a destructive program that has been concealed inside
another, genuine looking piece of software. A worm or virus may also be
hidden inside a Trojan Horse. The main reason a Trojan Horse is not a virus
is that it does not replicate as Virii do. There is a long history behind
the name. The Greeks built a large, attractive wooden horse in which they
hid their warriors and left it outside the gates of the city of Troy. When
the Trojans saw it they took it for a peace offering, gladly opened the
gates and took it into their city. Once inside, the Greek warriors jumped
out, fought the Trojans and destroyed their city.
Trojan Horse software works in the same way. The software package might look
good and seem genuine, which gives the user the peace of mind they want, so
they download and run the executable. The package itself may even be
legitimate, but the Trojan Horse is lurking inside and gets out once the
executable is run. Once out, it carries on with what it was programmed to
do; at this point it may act like some Virii and wait until a certain date
or other activation method before releasing its payload.
Trojan Horses can also be programmed to self-destruct, leaving no trace of
their existence apart from the damage they have caused if not discovered in
time. A Trojan Horse is particularly suited to the once common banking
crime known as Salami Slicing, in which small sums of money are transferred
from a number of accounts into another account operated by an intruder. Due
to increasing security, that and other schemes are harder to complete
successfully as time goes on.
Introduction To Logic Bombs:
============================
A Logic Bomb is similar to a Trojan Horse. Each has the ability to damage or
destroy data; the difference is that a Logic Bomb has a trigger condition,
usually a timer, so that it can be programmed to go off at a particular date
or time or after a particular event. For example, the Michelangelo virus
carries a Logic Bomb: it lies dormant until 6 March and only then destroys
data on the disk. Logic Bombs can still be very destructive on their own, as
they are usually developed in much the same manner as Virii are, even though
they lack the ability to replicate as Virii can.
Logic Bombs are timed to do maximum damage. One example of this would be an
ex-employee who wants to cause some damage to the company network. They
could install a Logic Bomb on the network computers and set it to activate
months after they have left.
Legal Issues:
=============
There are a number of legal issues related to Virii and other malicious
programs. To write a virus and put it up on your website for educational
purposes in source or binary form should not be illegal. Of course, people
will download it and then distribute it to others to cause damage to their
systems, and that would be illegal.
Regardless of whether it is illegal or not, people will continue to write
and distribute Virii and other infecting programs that allow unauthorised
access to computer systems.
Conclusion:
===========
I hope that you enjoyed reading this article and that you actually learned
some new information from it. If you have any comments or suggestions about
this article, please feel free to send me an email: jasun@phreaker.net
I hope this gave you a little insight into the world of the virus and other
related programs.
Look out for more articles from me in the future. I have made this
information as accurate as possible to my knowledge, but don't complain if I
made an error; most of this was written at around 4am.
Disclaimer:
===========
This document is for educational *INTERNAL USE ONLY*
It is for educational purposes only; the information contained within it must
not be used to cause damage to any person or system. What you do with this
information is your business, but anything that arises from its misuse cannot
be held against anybody apart from yourself.
