
VIRUS

In computers, a virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded file, or diskette you've received is usually unaware that it contains a virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm.

How does a Computer Virus Work?


There are millions of viruses in existence today, with new ones appearing every day. It is very hard to give a single explanation of how viruses function, because they all differ in the way they infect or the method by which they spread. So this article explains them in terms of a few broad groups that are commonly used to describe the different types of viruses.

File Viruses or Parasitic Viruses


File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and they are triggered when the host program is executed. Once the file virus or parasitic virus is activated, it may spread by attaching itself to other programs on the system, and also carry out the malicious actions it was programmed for. Many file/parasitic viruses spread by loading themselves into system memory and then searching for additional programs on the drive. When one is found, the virus modifies that program's code so that it contains the virus code, which is then activated the next time the program runs. It keeps doing this until it has crawled through the whole system, and probably on to other systems that share the infected program. Besides spreading themselves, these viruses also carry various kinds of destructive payloads that can be activated instantly or by a specific trigger. The trigger could be a particular date, the number of times the virus has replicated, or something equally small. Examples of file/parasitic viruses are Randex, Meve and MrKlunky.

VIRUS

Page 1

Boot Sector Viruses


A boot sector virus infects the boot sector of a hard drive, which is a critical component of the boot process. The boot sector is where the information about the drive is stored, together with a program that makes it possible for the operating system to boot. By placing its code in the boot sector, the virus ensures that it is loaded into system memory on every boot. A boot virus does not infect files; instead, it infects the drive on which they are stored. Possibly this is the reason for their decline. In earlier days, when programs were carried around on floppy disks, such viruses spread like wildfire. With the arrival of CD drives and CD-ROMs, however, a boot sector virus could not infect the pre-written contents of a CD, which in due course stopped these viruses from spreading. Although boot sector viruses still survive, they are very rare compared to the new era's malicious software. A further reason boot sector viruses are uncommon is that modern operating systems guard the boot sector, which makes it hard for a virus to infect it. Examples of boot sector viruses are Polyboot.B and AntiEXE.

Multipartite Viruses
Multipartite viruses combine boot sector viruses and file viruses. They enter the system through infected media and reside in system memory, then move on to the boot sector of the hard drive. From there, the multipartite virus infects the executable files on the hard drive and spreads throughout the system. There aren't many multipartite viruses around these days, but in their era they caused a number of serious problems because of their ability to combine different infection methods. A notable example of a multipartite virus is Ywinz.

Macro Viruses
Macro viruses infect files created with applications that support macros. Such applications include Microsoft Office (Word documents, Excel spreadsheets, PowerPoint presentations, Access databases) and other application files such as Corel Draw, AmiPro, etc. Because macro viruses are written in the language of the application rather than that of the operating system, they are considered platform-independent: they can spread across operating systems such as Windows, Macintosh or any other system, as long as it runs the necessary application. With the ever-growing capabilities of macro languages and the risk of infections spreading over networks, the macro virus has become a critical threat. The earliest macro virus was written for Microsoft Word and was discovered in August 1995. At present, thousands of macro viruses exist. Examples of macro viruses are Relax, Melissa.A and Bablas.

Network Viruses
A network virus is very good at spreading rapidly across a Local Area Network (LAN) or even over the internet. Generally, it circulates through shared resources such as shared drives and folders. When it infects a new system, it hunts for further victims by scanning the network for other vulnerable systems. When a vulnerable system is found, the network virus infects it too and so spreads over the network. Examples of some of the most dangerous network viruses are Nimda and SQL Slammer.

E-Mail Viruses
An e-mail virus can be a type of macro virus that sends itself to all the contacts in the host's e-mail address book. If any of the recipients opens the attachment of the infected mail, it spreads to the new host's address book contacts and then sends itself to all of them as well. Nowadays, e-mail viruses can infect a host even if the infected e-mail is merely previewed in a mail client. One of the most widespread and destructive e-mail viruses is the ILOVEYOU virus. There are many ways in which a virus can infect or lie dormant on your computer. Whether active or inactive, it is dangerous to leave one loose on your system, and it should be dealt with immediately.


ANTIVIRUS
Antivirus is protective software designed to defend your computer against malicious software. Malicious software, or "malware", includes viruses, Trojans, keyloggers, hijackers, dialers, and other code that vandalizes or steals your computer's contents. To be an effective defense, your antivirus software needs to run in the background at all times, and it should be kept updated so that it recognizes new versions of malicious software.

How Does Antivirus Software Work?


Almost everyone, even those with only slight knowledge of computers, is aware of the crucial role played by antivirus software in curbing the threats posed by malicious software circulating in cyberspace. These tools work constantly in the background of your system, keeping a close eye on virtually every running process in order to find and neutralize anything malicious. The cat-and-mouse game between computer viruses and antivirus tools has been going on for a while now, and it is likely to continue in the years to come, unless of course the dark forces of the digital world come to their senses and give up their misadventures. But have you ever wondered how these watchdogs actually operate, or what mechanism they follow to keep you safe? If not, this section explains in simple terms how an antivirus tool works. Basically there are only two approaches that almost all antivirus software uses to protect your system from viruses: the suspicious behavior approach and the dictionary approach. Let's dig a little deeper into both:

The dictionary approach


As soon as a new virus or other malicious threat is discovered by security experts, they add it to the virus dictionary. The virus dictionary holds thousands of virus names, their behavior and threat levels, and details of how they operate. The dictionary is dynamic and is kept up to date by adding newly discovered threats on a regular basis. Because of this dynamism and its up-to-date database of threat signatures, a handful of antivirus tools use the virus dictionary as a guide book for detecting suspicious and potentially harmful files or activities. Whenever a file is accessed by the operating system, the antivirus tool analyses it and compares the various aspects of the file to the threat signatures in the built-in virus dictionary. If there is a match, the antivirus immediately takes precautionary measures and follows a set of standard procedures. In most cases, the antivirus will first try to heal the infected file; if that fails it tries to quarantine it, and if it cannot even quarantine the file, the last option is to delete it permanently. Of late, however, hackers and virus creators have been more successful at producing new and complicated polymorphic viruses, which are in effect hybrids of two or more viruses. Such polymorphic viruses are not yet in the virus dictionary, so most antivirus tools based on the dictionary approach are helpless against them.
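The dictionary approach and its standard response procedure, as an added example that is not part of the original article or any antivirus product. The signature dictionary, the sample "files" and the quarantine store are all constructed for the example; the variant sample shows why a signature not yet in the dictionary goes undetected until the dictionary is updated.

```python
import hashlib

# Constructed "virus dictionary": detection name -> threat level and the byte
# sequence (signature) that identifies the sample. Real dictionaries hold
# thousands of entries and are updated as new threats are analysed.
SIGNATURE_DICTIONARY = {
    "Test.Marker.A": {"threat_level": "high", "pattern": b"MARKER-A-PAYLOAD"},
    "Test.Marker.B": {"threat_level": "low", "pattern": b"HAPPY-BIRTHDAY-LUDWIG"},
}

# Constructed sample files (byte strings standing in for executables).
SAMPLE_CLEAN = b"MZ\x90\x00 ordinary program body"
SAMPLE_INFECTED = b"MZ\x90\x00 host program MARKER-A-PAYLOAD appended code"
# A variant whose bytes differ from every stored signature: until an analyst
# adds it to the dictionary, this approach cannot see it (the failure mode
# the text attributes to polymorphic viruses).
SAMPLE_VARIANT = b"MZ\x90\x00 host program MARKER-A-PAYL0AD appended code"


def scan_bytes(data: bytes) -> list:
    """Compare the file against every dictionary entry; return (name, level) matches."""
    return [(name, entry["threat_level"])
            for name, entry in SIGNATURE_DICTIONARY.items()
            if entry["pattern"] in data]


def quarantine(path: str, data: bytes, store):
    """Keep the file out of reach but preserve it, keyed by SHA-256, for later
    analysis. Returns the store key, or None when no quarantine area exists."""
    if store is None:
        return None
    digest = hashlib.sha256(data).hexdigest()
    store[digest] = {"original_path": path, "content": data}
    return digest


def handle_file(path: str, data: bytes, store) -> str:
    """Standard procedure in the order the text gives: heal, else quarantine,
    else delete. Healing (stripping virus code from the host) needs per-family
    knowledge and is not attempted here, so a detection falls through to quarantine."""
    matches = scan_bytes(data)
    if not matches:
        return "clean"
    names = ",".join(name for name, _ in matches)
    if quarantine(path, data, store):
        return "quarantined:" + names
    return "deleted:" + names
```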

Suspicious Behavior Approach


Unlike the virus dictionary approach, the suspicious behavior method does not depend on a standard database to detect threats. Instead, the antivirus tool extensively analyses the behavior of a running program or activity. On detecting suspicious behavior, the tool immediately notifies the user with an alert message and takes precautionary measures. Needless to say, this approach is far more effective than the virus-dictionary one. However, it can also be quite annoying, because it often issues alerts even during non-suspicious, routine computer activity. Having said that, neither approach can give you 100 percent accurate and fully effective results, and there is no possibility of that ever happening.
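A minimal behavior-based scorer, added here as an example that is not part of the original article or any antivirus product. The behaviors are the ones the article associates with file, boot sector and e-mail viruses; the weights, threshold and the event stream are constructed assumptions, and the disk-tool process shows the false positive the text warns about.

```python
# Behaviors the text associates with viruses, with illustrative weights (assumed).
# One behavior alone is common in legitimate software; several together alert.
RULES = {
    "write_executable": 1,   # parasitic viruses rewrite other programs (1 per file)
    "write_boot_sector": 5,  # boot sector viruses write raw sectors on the drive
    "add_launchpoint": 3,    # autorun / logon entry so the code runs at every boot
    "mass_mail": 4,          # e-mail viruses send themselves to the address book
}
ALERT_THRESHOLD, MASS_MAIL_MIN = 6, 10

# Constructed events as (pid, action, target); a real product collects these from
# file-system, disk and registry hooks on every running process. pid 101 is an
# installer, pid 202 a file/e-mail infector, pid 303 a legitimate disk tool.
EVENTS = [
    (101, "write_file", r"C:\Program Files\Editor\editor.exe"),
    (101, "write_file", r"C:\Program Files\Editor\helper.dll"),
    (101, "set_registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Editor"),
    (303, "write_raw_sector", r"\\.\PhysicalDrive0:0"),
    (303, "set_registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DiskTool"),
]
EVENTS += [(202, "write_file", rf"C:\Users\Public\app{i}.exe") for i in range(8)]
EVENTS += [(202, "send_mail", f"contact{i}@example.invalid") for i in range(25)]

def score_process(pid: int, events: list) -> tuple:
    """Tally the weighted behaviors one process shows; return (score, reasons)."""
    mine = [(a, t) for p, a, t in events if p == pid]
    score, reasons = 0, []
    exe_writes = {t for a, t in mine
                  if a == "write_file" and t.lower().endswith((".exe", ".dll", ".sys"))}
    if exe_writes:
        score += len(exe_writes) * RULES["write_executable"]
        reasons.append(f"wrote {len(exe_writes)} executable files")
    if any(a == "write_raw_sector" for a, _ in mine):
        score += RULES["write_boot_sector"]
        reasons.append("wrote raw disk sectors")
    if any(a == "set_registry" and ("\\run\\" in t.lower() or "winlogon" in t.lower())
           for a, t in mine):
        score += RULES["add_launchpoint"]
        reasons.append("added a launch point")
    recipients = {t for a, t in mine if a == "send_mail"}
    if len(recipients) >= MASS_MAIL_MIN:
        score += RULES["mass_mail"]
        reasons.append(f"mailed {len(recipients)} distinct recipients")
    return score, reasons

def should_alert(pid: int, events: list) -> bool:
    """Alert once the combined score reaches the threshold. The disk tool (303)
    scores 8 and alerts: the kind of false positive the text warns about."""
    return score_process(pid, events)[0] >= ALERT_THRESHOLD
```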


VIRUS

ANTIVIRUS

Backdoor:OSX/Olyx.C
Detection Names: Backdoor:OSX/Olyx.C, MAC.OSX.Trojan.Lamadai.B
Category: Malware
Type: Backdoor
Platform: OS X

F-Secure Anti-Virus for Mac

Backdoor:OSX/Olyx.C connects to a remote server to receive further instructions, without the user's knowledge or permission.

Trojan:W32/Reveton
Category: Malware
Type: Trojan
Platform: W32

F-Secure Anti-Virus.

Trojan:W32/Reveton is a ransomware application. It fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' be paid to restore normal access.

Exploit:Java/Blackhole
Detection Names: Exploit.java.blacole.f
Aliases: Java.Exploit.CVE-2010-0840, JAVA_BLACOLE, TROJ_VOTERAI.A
Category: Malware
Type: Exploit
Platform: Java

F-Secure Anti-Virus

Exploit:Java/Blackhole identifies a Java class module used as part of an exploit kit known as Blackhole.


Rootkit:W32/ZAccess
Detection Names: Rootkit.ZAccess.A, Trojan.sirefef.k, Trojan:w64/zaccess
Category: Malware
Type: Trojan
Platform: W32

F-Secure Rescue CD

Rootkit:W32/ZAccess constantly displays advertisements on the infected machine and may silently contact remote servers to retrieve additional advertising information.

Worm:W32/Morto.A
Detection Names: Morto, Worm:W32/Morto.A
Category: Malware
Type: Worm
Platform: W32

F-Secure Anti-Virus

Worm:W32/Morto.A propagates through Remote Desktop Services on Windows servers by brute-forcing the login credentials of the server.

Spyware:Android/Flexispy.K
Name: Spyware:Android/Flexispy.K
Detection Names: Flexispy, Flexispy.K
Category: Spyware
Type: Spyware
Platform: Android

F-Secure's Mobile Security


F-Secure's Mobile Security product blocks installation of this program with default settings (starting with db version 365).

Spyware:Android/Flexispy.K is a commercially available monitoring program. On installation, the program does not display an icon in the Applications menu. The program is only visible under the 'Manage Applications' menu under Settings, but in that location it uses the name 'Mobile backup' or 'Sync Manager', with a generic icon.

Rogue:OSX/FakeMacDef.A
Detection Names: Rogue:OSX/MacDefender.A, Rogue:OSX/FakeMacDef.A, Trojan-Downloader:OSX/FakeMacDef.A
Category: Malware
Type: Rogue
Platform: W32

F-Secure Antivirus

The rogue is installed in the Applications directory, like normal Mac applications. It also adds its own menulet to the desktop menu bar. The rogue is also added to the user's Login Items, so that it launches automatically every time the user logs in.

Virus:W32/Ramnit.N
Name: Virus:W32/Ramnit.N
Detection Names: Win32.Ramnit.N, Virus:Win32/Ramnit.I
Category: Malware
Type: Virus
Platform: W32

F-Secure Anti-Virus

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run. When a Ramnit.N-infected file is first executed, it drops a copy of itself to the following location:

%programfiles%\Microsoft\WaterMark.exe

It then creates the following mutex, which is used to ensure that only a single instance of the virus copy is running on the machine at any time:

{061D056A-EC07-92FD-CF39-0A93F1F304E3}

In order to execute itself automatically if the system is rebooted, the virus also creates the following registry launchpoint:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
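A host check for the two persistence indicators in the description above, added as an example that is not F-Secure's code or part of the original page. The Windows default Userinit value, the file listing and the helper names are assumptions constructed for the example; the registry is not read here, the value string is passed in.

```python
# Added example: inspect a Winlogon Userinit value and a file listing for the
# Ramnit.N indicators given above. Comparisons are case-insensitive.
import ntpath

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"     # the only legitimate entry
DROPPED_FILE = r"c:\program files\microsoft\watermark.exe"  # %programfiles% expanded (assumed)


def parse_userinit(value: str) -> list:
    """Userinit is a comma-separated list of programs winlogon runs at logon.
    Empty entries (a trailing comma, or the ',,' in the value above) are dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str) -> list:
    """Every entry other than the legitimate userinit.exe path is suspicious."""
    return [e for e in parse_userinit(value)
            if ntpath.normpath(e).lower() != EXPECTED_USERINIT]


def ramnit_indicators(userinit_value: str, files_present: set) -> list:
    """Return the indicators found: extra Userinit entries and the dropped file.
    files_present is a constructed set of paths standing in for a file listing."""
    found = [f"userinit entry: {e}" for e in unexpected_userinit_entries(userinit_value)]
    if DROPPED_FILE in {ntpath.normpath(p).lower() for p in files_present}:
        found.append(f"dropped file: {DROPPED_FILE}")
    return found


# Constructed values: an assumed Windows default and the value from the description.
DEFAULT_VALUE = r"C:\Windows\system32\userinit.exe,"
INFECTED_VALUE = r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"
CLEAN_FILES = {r"C:\Program Files\Microsoft\Office\winword.exe"}
INFECTED_FILES = CLEAN_FILES | {r"C:\Program Files\Microsoft\WaterMark.exe"}
```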

Packed:W32/PeCan.A
Category: Malware
Type: Packed
Platform: W32

F-Secure Anti-Virus

This program is packed using a packer program associated with numerous other malware. This program has been packed by the PeCancer packer program (hence the name of the detection). Samples identified by the same detection perform one or more of the following activities:

o Drop suspicious files or a copy of itself onto the system.
o Set launch points to itself, or to the files it drops.
o Some samples attempt to connect to and download from suspicious/malicious websites, for example:
  hxxp://downxml.[..].cn/iepop/list/[..]
  hxxp://downxml.[..].cn/iepop/update/[..]
  hxxp://soft.jajaca.com/[..]
  hxxp://news.huigezi.net/[..]


Backdoor:W32/Zxshell.A
Name: Backdoor:W32/Zxshell.A
Detection Names: Backdoor:W32/Zxshell.A
Category: Malware
Type: Backdoor
Platform: W32

F-Secure Anti-Virus

Backdoor:W32/Zxshell.A is a DLL file with an exported function ("Install"), which is called to install the backdoor. It then connects to a remote host on the attacker's machines; the URL of the remote host that the backdoor connects to is set by the attacker.



