`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'
THE BASIC CONCEPTS OF PC VIRUSES
`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'
written by: paranoidxe
date: 04/22/04
email: paranoidtsi@hotmail.com
+----------------------+
| DEFINITIONS... |
+----------------------+
Virus: a virus is a program that replicates itself and "injects" its code
into other programs on your computer without the user's knowledge
or permission. For a human example, when a human virus enters the
body it attaches to a cell, it then injects its DNA coding into
the cell and tells it to make copies...essentially the same concept,
the computer virus attaches to a program. as defined in this guide
a virus replicates on purpose NOT as a side effect.
Trojan: a program that is advertised as having a legit function, but when
the user launches it it either has alternative motives or it runs
fine but does something in the background. The important difference
between a trojan and a virus is that a trojan is a program that
DOES NOT infect other files or spread like a virus.
Worm: the third virus-like program, a worm spreads usually through security
holes, it does NOT require user intervention and does not infect files
on a computer. A worms primary function is to spread and under normal
circumstances it causes overload on network systems causing them to
crash. A worm will dissappear if the computer is turned off. The
general prevention measure is to patch the security flaw the worm
uses.
Bug: a bug is a unintentional flaw in software products. The reason this is
mentioned is because bugs usually cause a computer to act funky on the
user, and just because this happens does not mean its a virus.
Droppers: usually a shell of a virus, this is a program that has a virus
encrypted into it to avoid detection. Once a dropper is launched
the virus is decrypted and launched on the targeted machine.
[MISC. MEANINGS]
AV - antivirus: either refering to a program that combats and eliminates
viruses, or a company that produces antivirus products.
MBR - master boot record: this is the program that tells you hard drive
how to work and how to understand to retrieve/
write data.
file system: if MBR is the program to give direction (like a ref in a
football game) then the file system is the field. file system
is what organizes data on a drive.
false positive: this is when a antivirus program reports a file as being
infected when its really not.
false negative: this is when a antivirus program reports the file uninfected,
yet really it is.
+-------------------------+
| VIRUS MECHANISMS |
+-------------------------+
Viruses can use various technologies to infect the targeted machine, these
are some of the common methods used:
Boot Sector/MBR Infector: These viruses pray on the boot program that is on
every single hard drive/floppy drive. The boot
program essentially tells the size of the disk and
tells the disk how to read the data...viruses have
found a way to get here which insures that the
virus is launched at every boot.
Polymorphic: Polymorphic is a method used by virus writers to avoid detection,
the way it works is normally a virus will infect a file with the
same size and code..polymorphism will actually change the codes
appearance as well as size. This makes detection more difficult
and antivirus companies must rely on the patterns instead of
code signatures.
Stealth: This technology makes it so when reporting file sizes the virus
reports the uninfected file size...this essentially means the virus
makes the file appear unaltered.
Encryption: A method that seems to be getting more and more complex, encryption
makes it so antivirus companies cannot decypher the viruses code,
this makes it harder for antivirus companies to understand the virus
and provide fixes if the virus damages anything.
TSR - terminate/stay resident: this is a virus that enters memory and stays
in memory generally infecting any program written
or read. This is a part of almost every virus now.
Macro virus: a 1995 invention, a macro virus thrives off microsoft word, it
infects the global setting file on word and every document after
the initial infection is launched it too becomes infected.
File Infector: this is the most common type of virus, it infects programs as
they are launched but does NOT infect boot sectors. This is
the most basic of viruses.
multi-partite: these are viruses that use both file infection and boot sector
infection. This is what most viruses will use now that are
non-macro viruses.
+-------------------------+
| UNDERSTANDING TROJANS.. |
+-------------------------+
As stated in the definitions, a trojan is a program that appears to have a
desireable function..but instead it has a hidden agenda.
It is important to understand that trojans do NOT infect other files. They
also may function as advertised with the malicious code taking effect in
the background.
Trojans can also load at every boot, however not in the same manner. Trojans
rely on your operating system to load themselves everytime, unlike viruses
which can get into the boot record, trojans generally cannot.
Trojans often have various malicious functions such as:
* Steal passwords
* Format Hard Drives
* Random Reboots
* Used as a server program for another user
A special type of trojan known as a "backdoor" trojan opens a port on your
internet connection that allows the remote user to use his program and
connect to your computer and do various functions. This could be just to
annoy you, other times it could be used to take your data. Backdoor trojans
are generally able to do the following:
* rename/delete/edit files
* upload/download files
* open/close cdrom drive
* run floppy drive
* reboot computer
* send messages
Backdoor trojans can have there uses as a remote adminstrative tool, but this
is rarely the case.
+-------------------------+
| WHY WRITE VIRUSES |
+-------------------------+
There are many reasons people want their viruses out there. The more common
ones include:
a) Revenge, the virus was ment to infect one computer but instead it ends up
infecting more than just one. It was designed to get revenge on someone
that apparently pissed the author off.
b) Accidental, sometimes a virus is released accidently..the virus was just
something to do in their spare time and was never meant to get released.
c) Make a Statement, sometimes viruses are out to make statements, like
stoned made the statement "Legalize Marijuana"...Tequila was obviously
made by one who liked tequila <go figure).
d) Fame, some love to see their creation make it to the media and on TV,
although this rarely happens.
e) Challenge, to make a virus is challenging, one might want to make one
just to see if he/she could do it.
f) Education, some do it simply to learn more complex programming. Virus
writing is easily one project that requires excellent advanced
programming skills.
+--------------------------+
| COMMON WAYS OF INFECTION |
+--------------------------+
Back in the day, floppies and BBS were probably the most common ways to get
a virus. However, times have changed and there are plenty of new and
"exciting" ways to contract one:
- NETWORK, this can be on a local network one user may get infected and the
virus will spread to other nodes on the network.
- FLOPPY/CD, a computer infected with a virus may burn a CD unknownly
writing it onto the CD, you launch it and get it. Floppies work the
same way.
- WEBSITES, downloading from websites you really don't know, the webmaster
could have deliberately infected the file you downloaded or was done
by accident.
- P2P NETWORKS, this is probably the #1 source of viruses right now, right
up there with newsgroups. P2P Networking is tricky because the description
can be labeled as something else yet the file could be something completely
different from the description..and generally you don't see the filename
until after it has been downloaded, a good example would be Kazaa.
- EMAIL, sometimes viruses spread themselves through email programs. The
virus may compose itself from one of your friends email boxes, you thinking
it is safe after all it is your friend right? you run it and get infected.
+-------------------------+
| COMMON MYTHS |
+-------------------------+
[VIRUSES ALWAYS CAUSE MALICIOUS DAMAGE]
This is not true, in fact some viruses cause malicious damage because of a
bug in the coding, go figure. Anyway, some viruses are simply around to
replicate and spread, others are designed to display political messages or
annoy the user. There are viruses out there that are hell bent on destroying
computers, yes but there are some that don't.
[MY COMPUTER CRASHED, I MUST HAVE A VIRUS!]
98% of the time the computer crashes because of faulty hardware, faulty
hardware drivers, faulty or conflicting software, corrupted files, or
corrupted operating system...just because your computer crashes DOES not
mean you have a virus. Viruses like to hide before they do any damage to
your computer, so the chances are you will not realize unless you have a
antivirus if you have a virus active on your system.
[I NEED MORE THAN 2 ANTIVIRUS PRODUCTS TO KEEP MY MACHINE SAFE]
What people don't understand is that having more than one antivirus doesn't
make you safer, in fact it could cause conflicts on your computer. I
recommend only using one antivirus at a time.
[I CAN GET A VIRUS FROM READING EMAIL]
With the exception of the Outlook Express vulnerability, NO you cannot.
The Outlook Express vulernability was a bug that allowed execution of
code through the preview window, this has been fixed with recent patches.
Otherwise, you can NOT get a virus by simply reading your email using
your eyeballs, but you can get a virus if you selectively download
a virus infected file and run it.
[MY CDS CAN GET INFECTED BY A VIRUS]
No, this is because cds are read-only. There is no currently known virus
that can write itself using a cd burner or otherwise. HOWEVER, viruses
can come from CDR media that came from an infected computer. Commercial
software has maybe a 1 in a trillion chance of being infected by a virus,
most companies are VERY careful about infection but it doesn't mean it
can't happen. CDs can carry viruses yes, but a virus cannot infect a
CD.
[VIRUSES ARE WRITTEN BY SCRIPT KIDDIES]
No, in fact adults write viruses almost as much as kids do. Virus writers
are very intelligent they just choose to waste their talent on viruses.
[I CAN GET A VIRUS THROUGH A VIDEO]
No, video formats such as .WMV, .WMA, .AVI, .MPG, .MPEG, .ASF, etc. etc.
do not contain any "executable" code to modify other files. video files
CANNOT WILL NOT contain viruses. The exception is when the file has a
double extension, such as home.wmv.exe...this means the file was designed
to appear as a video but really isn't.
[I CAN GET A VIRUS THROUGH MP3s]
Not true, however a bug in Winamp 2.79 may cause a executable code to be
run through a mp3 data stream. MP3 files themselves CANNOT contain viruses
because once again there is no executable code.
[I CAN GET A VIRUS THROUGH PICTURE FILES]
Same as video, you cannot get a virus through a picture file. These
extensions include, but not limited to:
.JPG, .JPEG, .TIFF, .PIC, .BMP, .TIF, .GIF, .PSD, .PSP, etc.
[TROJAN/WORM FILES CAN BE CLEANED BY ANTIVIRUS PRODUCTS]
This is untrue, before you mouth drops let me explain something. A virus
injects its code into other programs for example:
01010101010 << orignal code
010101010103333 << orignal code with virus attached at the end
01010101010 << cleaned by antivirus product
Trojans and Worms work differently because the WHOLE program is the
problem.
33333333333 << trojan/worm
There is NO good useful code in the program, thus there is nothing for
the antivirus software to recover data from. The antivirus program CAN
delete the trojan/worm and get the infection off of your computer, but
it cannot clean it.
[ANTIVIRUS PRODUCTS ARE 100% I AM SAFE]
No you are not. antivirus products can in fact be a false sense of security,
no antivirus product is perfect. New viruses are created all the time and
antivirus programs can't detect these unless they have a sample. Yes av
products do reduce the chance of getting an infection but they are not
fool proof.
+-----------------------+
| PROTECTING YOURSELF.. |
+-----------------------+
[ANTI-VIRUS PRODUCTS]
There are many different products out on the market, at this point there is
NO product that is really superior to the other. There are free antivirus
products and pay products. here is the list of some common antivirus
products used at present time:
Symantec Norton Antivirus - www.symantec.com
Mcafee Antivirus - www.mcafee.com
F-Secure Antivirus - www.f-secure.com
PC-Cillin - housecall.trendmicro.com
AVG Antivirus (free version) - www.grisoft.com
NOD32 Antivirus System - www.nod32.com
Avast Antivirus (free) - www.alwil.com
It is recommended that you have at least one antivirus product on your
computer at all times. It is recommended that you have the constant virus
monitor on if you do not have common knowledge about computers and how to
identify a virus from a regular program.
[ANTI-TROJAN PRODUCTS]
Many antivirus products do provide trojan protection, however they are
generally not as good as antitrojan products available. You may or may not
have a anti-trojan product on your computer..it is simply optional.
Trojan Hunter - www.misec.net/trojanhunter/
The Cleaner - www.moosoft.com
Tauscan - www.agnitum.com/
[GENERAL TIPS]
* Never download attachments in email from people you don't know, in fact
don't download attachments from people you DO know. Viruses can spread
through friends address books and the virus could be sent to you.
* Check file sizes, if you are downloading say..AOL Instant Messenger and
the file size is only 20K big..think about it..is AIM really on 20K in
size? I don't think so.
* .COM/.SHS/.BAT/.VBS/.DOC are generally bad news. These files types usually
contain viruses.
* Always check extensions, if there are two extensions the file is normally
bad news..and the second extension is what the file REALLY is.
* Viruses are usually launched through .exe, .com, .shs, .vbs, .doc and
files in .zip files can contain them.
* If unsure, use your antivirus scanner on the questionable file this should
give you a good idea what you are working with.
* make sure you keep your antivirus up-to-date, a virus scanner can only be
effective if it has up-to-date patterns to look for.
I am hoping this helped someone out there with a introduction to viruses and
how to protect yourself from them.
