Computer Virus: - Abinaya M - Aarish Ramesh - Adithya

COMPUTER VIRUS

• Abinaya M
• Aarish Ramesh
• Adithya
What is a virus?
* “A virus is a program or piece
of code that is loaded onto
your computer without your
knowledge and runs against
your wishes.”
* Virus is an abbreviation for
Vital Information Resources
Under Siege.
* Computer viruses share some
of the traits of biological
viruses.
INTRODUCTION
The term "virus" is commonly but erroneously used to refer
to different types of malware, including adware and
spyware programs that have the reproductive ability. A
true virus can spread from one computer to another (in
some form of executable code) when its host is taken to
the target computer; for instance because a user sent it
over a network or the Internet, or carried it on a
removable medium such as a floppy disk, CD, DVD, or USB
drive. Viruses can increase their chances of spreading to
other computers by infecting files on a network file system
or a file system that is accessed by another computer.
HISTORY
A program called "Elk Cloner" is credited with being the
first computer virus to appear "in the wild" — that is,
outside the single computer or lab where it was created.
Written in 1982 by Rich Skrenta, it attached itself to the
Apple DOS 3.3 operating system and spread by floppy disk.
This virus was originally a joke, created by the high school
student and put onto a game. The game was set to play,
but release the virus on the 50th time of starting the
game. Only this time, instead of playing the game, it would
change to a blank screen that read a poem about the virus
named Elk Cloner. The computer would then be infected.
• David Gerrold used the term virus for the first time.
• It was defined by Fred Cohen in 1983.
• Then Jerusalem, Dark Avenger, Ping-Pong Ball,
Raindrop etc. have come.
• In 1992 Basit and Amjad Farooq Alvi
developed the first virus, called Brain.
ETYMOLOGY
The word virus is derived from and used in the
same sense as the biological equivalent. The
term "virus" is often used in common parlance
to describe all kinds of malware (malicious
software), including those that are more
properly classified as computer worms or
Trojan horses.
Computer viruses are called viruses because they share some of the
traits of biological viruses. A computer virus passes from computer to
computer like a biological virus passes from person to person. There
are similarities at a deeper level, as well. A biological virus is not a
living thing. A virus is a fragment of DNA inside a protective jacket.
Unlike a cell, a virus has no way to do anything or to reproduce by itself
-- it is not alive. Instead, a biological virus must inject its DNA into a
cell. The viral DNA then uses the cell's existing machinery to reproduce
itself. In some cases, the cell fills with new viral particles until it bursts,
releasing the virus. In other cases, the new virus particles bud off the
cell one at a time, and the cell remains alive. A computer virus shares
some of these traits. A computer virus must piggyback on top of some
other program or document in order to get executed. Once it is
running, it is then able to infect other programs or documents.
Obviously, the analogy between computer and biological viruses
stretches things a bit, but there are enough similarities that the name
sticks.
Different phases of a Virus
• Most viruses have two phases to their existence, the infection
phase and the attack phase.  All viruses have an infection phase,
but not all have an attack phase.
• During the infection phase, the virus spreads itself.  If a virus
infects too fast, it is usually easy for anti-virus programs to
spot. Therefore many try to be subtle about it.
• Viruses can be spread by innocent people that are just doing
their daily routine.  Infected files can be spread in the following
ways:  by diskettes, networks, bulletin boards, or e-mail
attachments.  Infected files can be stored on servers, floppy
disks, hard drives, and CDs.  Infected files can even be found on
new hardware or software.
• Example:  File Virus Infection Phase
• "Your friend gives you a game on a disk. The game has an
infected file that you don't know about.  Each time you
play the game, the virus copies itself into another
program without you knowing.  Now, whenever either of
the programs are executed, the virus is copied.  This
continues as the virus infects the rest of the computer.  If
any of the files are transferred to a floppy disk or e-mail
attachment, and they are put on another computer, the
process starts again" 
• On viruses that do have an attack phase, the attack phase
is set off by a trigger, such as a time or date. The attack
phase is when the virus causes damage or other unwanted
system behavior.  In order to make sure it has spread,
viruses often delay the attack phase, sometimes for years.
• The attack phase has a wide range of severity. Although all
viruses take up space and use system resources, some do
little more damage.  Some viruses display messages but
then others can crash your hard drive completely. They
can even corrupt your backup files if you're not careful.
Sources
A virus may enter a PC in many ways, such as:
• Through corrupted CDs, floppies or infected
hardware.
• Through a network connection: e-mail
attachments.
• Through computer games, etc.
SPREADING OF e-mail VIRUS
Virus side effects(Payload)
Virus side-effects are often called the payload. Viruses can disable our computer
hardware, change the figures in accounts spreadsheets at random, adversely
affect our email contacts and business domain, and attack web servers.
• Messages - WM97/Jerk displays the message ‘I think (user’s name) is a big stupid
jerk!’
• Denying access - WM97/NightShade password-protects the current document on
Friday 13th.
• Data theft - Troj/LoveLet-A emails information about the user and machine to an
address in the Philippines.
• Corrupting data - XM/Compatable makes changes to the data in Excel spreadsheets.
• Deleting data - Michelangelo overwrites parts of the hard disk on March 6th.
• Disabling hardware - CIH or Chernobyl (W95/CIH-10xx) attempts to overwrite the
BIOS on April 26th, making the machine unusable.
• Crashing servers - Melissa or Explore Zip, which spread via email, can generate so
much mail that servers crash.
There is a threat to confidentiality too. Melissa
can forward documents, which may contain
sensitive information, to anyone in your
address book. Viruses can seriously damage
your credibility. If you send infected
documents to customers, they may refuse to
do business with you or demand
compensation. Sometimes you risk
embarrassment as well as a damaged
business reputation. WM/Polypost, for
example, places copies of your documents in
your name on alt.sex usenet newsgroups.
Symptoms of virus infection
• The computer runs slower than
usual.
• The computer crashes, and then it
restarts every few minutes.
• Applications on the computer do
not work correctly.
• Disks or disk drives are inaccessible.
• You see unusual error messages.
• An antivirus program cannot be
installed on the computer, or the
antivirus program will not run.
• New icons appear on the desktop
that you did not put there.
Classification
• A virus has a target cell, i.e. an area or a
program it has been designed to attack.
• Such targets are the boot sector of the operating system, operating system
utilities, or executable files of application software.
• The viruses that attack these components of
the computer system are divided into the
following classes.
BOOT SECTOR VIRUS
• Boot sector viruses infect or alter the boot sector
on floppy and hard disks.
• The boot sector is a small program which is the first
part of the OS that the computer loads.
• Thus, by putting its code in the boot
sector, the virus can guarantee that the code gets
executed, leading to infection.
• In this way, these viruses infect the boot sector
of any floppy disk inserted into the machine.
BOOT SECTOR VIRUS

Uninfected disk
   0     1     2   . . . (sector No)
+-----+-----+-----+---   --+-----+-----+-----+-----+-----+---
|.....|     |     |        |     |     |     |     |     |
+-----+-----+-----+---   --+-----+-----+-----+-----+-----+---
   |
   +-- Boot sector or Master Boot Record

Infected disk (replaced boot/MBR)
   0     1     2   ...
+-----+-----+-----+---   --+-----+-----+-----+-----+-----+---
|XXXXX|     |     |        |     |.....|XXXXX|XXXXX|XXXXX|
+-----+-----+-----+---   --+-----+-----+-----+-----+-----+---
   |                                |     |     |   ...   |
   +-- Virus top                    |     +---+-----+-----+
                                    |         +-- The rest of virus
                                    |
                                    +-- Original Boot or Master Boot Record

Infected disk (modified address of active boot sector)
   0     1     2   ...
+-----+-----+-----+---   --+-----+-----+-----+-----+---
|....X|     |     |        |     |XXXXX|XXXXX|XXXXX|
+-----+-----+-----+---   --+-----+-----+-----+-----+---
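Both infected layouts in the diagram, replaced boot code and a changed boot-sector address, show up when sector 0 is compared with a copy saved while the disk was known to be clean. The Python below is an added example, not part of the original slides; it assumes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature), and the sample sectors are constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446     # bootstrap code area of a classic MBR (assumed layout)
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510     # 0x55 0xAA marks a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        parts.append({"active": entry[0] == 0x80, "type": entry[4],
                      "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from `baseline`."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["code_sha256"] != new["code_sha256"]:
        findings.append("boot code changed")            # replaced boot/MBR case
    for i, (a, b) in enumerate(zip(old["partitions"], new["partitions"])):
        if a != b:
            findings.append(f"partition entry {i} changed")  # redirected boot address
    return findings


def make_sample_mbr(code_byte: int, lba_start: int) -> bytes:
    """Constructed sample sector: filler boot code and one active partition."""
    entry = bytes([0x80, 0, 0, 0, 0x06, 0, 0, 0]) + struct.pack("<II", lba_start, 2048)
    return bytes([code_byte]) * BOOT_CODE_LEN + entry + bytes(48) + b"\x55\xaa"
```

On a real machine the current sector would be read from the raw disk device with administrator rights, and the baseline has to be stored somewhere the infected system cannot rewrite.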
FILE VIRUS (PARASITIC VIRUS)

• This virus infects files containing application
programs.
• When a user runs an infected application such as
a game, the virus code is executed first,
attaches itself in the computer’s memory, and
then copies itself within the file.
• “Fast infector” and “Slow infector”
• File viruses: Sunday and Cascade.
MACRO VIRUS
• These viruses infect files regarded as data.
• The virus code can be attached to the d.b. of a word
processing program.
• When a user accesses a document containing a
viral macro, the virus can then copy itself
into that application’s startup file.
• Any document that uses the same application
can then become infected.
TROJAN HORSE
• Needs a host program for
its execution.
• Mainly used to access
files of other users on a
multi-user operating
system.
• Another motivation is data
destruction, which deletes
files on a computer.
• Example: Back Orifice.
POLYMORPHIC VIRUS
When this virus infects a program, it
scrambles its virus code in the program body.
This makes detection more difficult.
The first polymorphic virus was “Chameleon”.
Then Bootache, Civilwar, Crusher, Fly, Freddy,
Ginger etc. have come.
COMPANION VIRUS
• A companion virus does not modify its host
directly.
• Instead it maneuvers the operating system to
execute itself instead of the host file.
• Sometimes this is done by renaming the host
file to some other name, and then giving the
virus file the name of the original program.
OTHER VIRUSES
• Multipartite viruses are both program and boot viruses.
• Tunneling viruses find the interrupt handlers in DOS and
the BIOS and call them directly.
• A retro virus is any virus that attacks antivirus programs.
• Cluster viruses change the directory so that when you try
to run a program you first run the virus.
• Network viruses make use of network protocols and the
capabilities of local and global access networks.
• This kind of virus is capable of transferring its code to a remote
server or workstation on its own through the network.
An artist’s imagination of computer viruses

REAL WORLD VIRUSES: TYPES
Pretty Park Virus

• The Pretty Park virus is yet another one of those which spread by
email.
• This virus infects only Windows 9x and NT users. It is believed
to have originated in France almost a year ago.
• This virus arrives by email and its structure is something like
the following:
• Subject: C:\CoolProgs\Pretty Park.exe
• Test: Pretty Park.exe :)
• As soon as you execute this prettypark.exe attachment, the
dreaded virus will start its process of infecting your system.
Disk Killer
• Disk Killer is a boot sector virus and the most destructive
to emerge in late 1989. When it activates, it displays the
following message:
Disk killer version 1.
Now killing disk.
Please do not power
Down your system

• Ten seconds before the message is displayed, Disk Killer has
initiated a low-level format of the hard disk.
DARK AVENGER
• Dark Avenger is a .COM and .EXE file infector
that promises to be a steadily increasing problem
because it is both very infectious and
destructive.
BRAIN

• Brain is another boot sector infector that is also called
“Pakistani Brain” or “Basit”.
• Its creators in Lahore, Pakistan, were the only ones ever
to put their names, address, and telephone number in the
copyright on a virus.
• Basit and Amjad Alvi installed Brain on pirated software
that they sold from their Brain Software & Computer Services
shop in Lahore.
• One pirated program can breed many others, and so Brain
spread like a bushfire around the world.
Protection against virus
• If you are truly worried about traditional (as opposed to e-mail)
viruses, you should be running a more secure operating system like
UNIX. You never hear about viruses on these operating systems
because the security features keep viruses (and unwanted human
visitors) away from your hard disk.
• If you are using an unsecured operating system, then buying virus
protection software is a nice safeguard.
• If you simply avoid programs from unknown sources (like the
Internet), and instead stick with commercial software purchased on
CDs, you eliminate almost all of the risk from traditional viruses. In
addition, you should disable floppy disk booting -- most computers
now allow you to do this, and that will eliminate the risk of a boot
sector virus coming in from a floppy disk accidentally left in the drive.
• You should make sure that
Macro Virus Protection is
enabled in all Microsoft
applications, and you
should NEVER run macros
in a document unless you
know what they do. There
is seldom a good reason
to add macros to a
document, so avoiding all
macros is a great policy.
• You should never double-click on an attachment that
contains an executable that arrives as an e-mail
attachment. Attachments that come in as Word files
(.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc.,
are data files and they can do no damage (noting the
macro virus problem in Word and Excel documents
mentioned above). A file with an extension like EXE, COM
or VBS is an executable, and an executable can do any sort
of damage it wants. Once you run it, you have given it
permission to do anything on your machine. The only
defense is to never run executables that arrive via e-mail.
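A mail filter can apply the attachment rule above mechanically. This Python is an added example, not part of the original slides: it blocks the executable extensions the text names, flags Word and Excel files for macro review, and judges only the final extension so a name like notes.txt.vbs is still blocked. The sample message and every filename other than Pretty Park.exe are constructed.

```python
import os
from email.message import EmailMessage

EXECUTABLE_EXT = {".exe", ".com", ".vbs"}   # executable types named in the text
MACRO_EXT = {".doc", ".xls"}                # data files that can carry macros


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    name = filename.lower().rstrip(" .")
    # Only the last extension decides how the file is opened.
    ext = os.path.splitext(name)[1]
    if ext in EXECUTABLE_EXT:
        return "block"
    if ext in MACRO_EXT:
        return "review"
    return "allow"


def scan_message(msg: EmailMessage) -> dict:
    """Map each attachment filename in `msg` to its verdict."""
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename()
        # An attachment with no name cannot be judged by extension.
        verdicts[fname or "(unnamed)"] = classify_attachment(fname) if fname else "review"
    return verdicts


def build_sample_message() -> EmailMessage:
    """Constructed sample mail modelled on the Pretty Park description."""
    msg = EmailMessage()
    msg["Subject"] = r"C:\CoolProgs\Pretty Park.exe"
    msg.set_content("Test: Pretty Park.exe :)")
    for fname in ("Pretty Park.exe", "holiday.jpg", "budget.xls", "notes.txt.vbs"):
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg
```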
Methods of removal
• To remove a virus you will need to obtain an anti-virus software package;
there are numerous programs available on the market, ranging in price
from $30-60 (more depending on the number of updates included with
the package), such as McAfee, Norton, Avast, Quick Heal, Kaspersky etc.
• Most viruses are rather innocuous and can easily be detected and
removed from your computer without any subsequent damage to your
system. Nonetheless, it is imperative that you scan your system
frequently to minimize the chance of data loss and security
compromises.
• Anti-virus software is covered by copyright law and is not considered
shareware, hence HDS Information Technology Services will be unable to
provide you with copies of such programs. You will have to obtain your
own copy through a software vendor.
CONCLUSION
In just over a decade, most of us have become familiar with the term
computer virus. Even those of us who don't know how to use a
computer have heard about viruses through Hollywood films such as
Independence Day or Hackers (though Hollywood's depiction of
viruses is usually highly inaccurate). International magazines and
newspapers regularly have virus-scares as leading stories. There is no
doubt that our culture is fascinated by the potential danger of these
viruses. Many people believe the worst a virus can do is format your
hard disk. In fact, this type of payload is now harmless for those of us
who back up our important data. Much more destructive viruses are
those which subtly corrupt data. Consider, for example, the effects of
a virus that randomly changes numbers in spreadsheet applications
by plus or minus 10% at stockbrokers.
But don’t lay the blame for viruses on the technology or
the machines that execute that technology. The
fundamental truth about computer viruses is that they
are a people problem. People create viruses for various
reasons. People disseminate virus infections either
deliberately or as a result of the very human traits of
innocence, ignorance, or carelessness. And the people
who are the potential victims of this phenomenon can
acquire the knowledge to turn a real threat into a
reasonably calculated risk that they can handle.
THANK YOU
