A Seminar Report On

c
 


Submitted at:
  
c

    

Institute of Diploma Studies
Nirma University


 

  
 
!"#c"$#%
›



!"#c"$&%

 
'  
c

    


('
)*"&"+&&

',',-,./'01.,-'
' -' ',)
2!-3 ,+''%4#*$#&

c
 
  
 î
î 


î     
2!-3 ,+''%4#*$#&

c
 c 
This is to certify that      Reg. No. "#c"$# of
Semester VI Diploma in Electronics & Communication Engineering has
satisfactorily completed the practical work in the course of '
at institute. He has prepared the seminar entitled c
 
and
presented the same.


?


 

c
 
  
 î
î 


î     
2!-3 ,+''%4#*$#&

c
 c 
This is to certify that 0
) 
5 Reg. No. "#c"$& of
Semester VI Diploma in Electronics & Communication Engineering has
satisfactorily completed the practical work in the course of '
at institute. He has prepared the seminar entitled c
 
and
presented the same.




?
?
?
?
c
 
  
 Ô
 
?

In the accomplishment of any task there is not a contribution of a single person but many
people contribute in it. My Seminar is also not different than this. So now I got the chance
to acknowledge those people who contributed significantly throughout my Seminar. First
of all I would like to heartily thank my seminar guide, Mr. AmitRaval. He gave me basic
and primary knowledge about my topic and also guided me how to prepare seminar with
report. He also gave me important tips in improving presentation skills. Thank you Sir for
your support and sir without your support this seminar presentation would have been
unimaginable. At this occasion I would also like to thank my colleagues. I have learnt
many things about my topic through discussing with them.

I would also like to thank our Head of the Department, Prof. Jayesh Patel and Electronics
& Communication Engineering Department, Institute of Diploma Studies, Nirma
University for providing me this golden opportunity. Regardless of the source, I wish to
express my gratitude to those who may have contributed to this work even though
anonymously.





c
 
  


c
 

?

??Vital Information Resources Under Seize?
In recent years the detection of computer viruses has become common place. It
appears that for the most part these viruses have been µbenign¶ or only mildly
destructive. However, whether or not computer viruses have the potential to cause
major and prolonged disruptions of computing environments is an open question.

c
 
  
 À

?
  , 
 0 
& History of Computer Virus 7

* What is Computer Virus & How it works? 8

4 How Does A Computer Get A Virus ? 9

$ Symptoms Of A Computer Virus 11

6 Different Types Of Computer Virus 12

1. Trojan Horse & Resident Visrus

2. Direct Action & Overwrite Virus
3. Boot Virus
4. Macro Virus & Worms
5. Email Virus
6. Stealth Virus
7. Companion Virus
7 Difference Between A Virus, Worm & Trojan Horse 16

8 Top 5 Deadliest Viruses 17

# How Antivirus Software Works? 19

9 Different Antivirus Software 20

&" Reference 21

c
 
  
 ÿ
 

?
Before 1988, the word "virus" had a strictly biological meaning. In that year, Robert Morris
wrote and released the first "Internet worm", forcing everyone in the computer community to
immediately consider this new electronic threat. While Morris created his virus to demonstrate a
security flaw in ARPANET,(Advanced Research Projects Agency Network) the predecessor to
the Internet, today's virus writers often have a more malicious intent. The Internet today spans
the globe and serves billions of users, providing an environment in which a single virus can
conceivably cause rapid and widespread damage to systems throughout the world.






c
 
  
 Î
À
 
 ÿ À
Î


?
Computer Virus is a kind of malicious software written intentionally to enter a computer without
the user¶s permission or knowledge, with an ability to replicate itself, thus continuing to spread.
Some viruses do little but replicate others can cause severe harm or adversely effect program and
performance of the system.

A file virus attaches itself to a file usually an executable application (e.g. a word processing
program or a DOS program). In general, file viruses don't infect data files. However, data files
can contain embedded executable code such as macros, which may be used by virus or Trojan
writers. Recent versions of Microsoft Word are particularly vulnerable to this kind of threat. Text
files such as batch files, postscript files, and source code which contain commands that can be
compiled or interpreted by another program are potential targets for malware (malicious
software), though such malwares not at present common.
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?

c
 
  
 ÿ 

 

?
There are literally dozens of different ways a computer can become infected with spyware,
viruses, and other malware. Below is a list of the most common ways a computer can contract
these infections listed in the order we believe are most commonly done.

1. Accepting without reading

By far one of the most common ways a computer becomes infected is the user accepts what he or
she sees on the screen without reading the prompt or understand what it's asking.

Some common examples:

1.? While browsing the Internet, an Internet advertisement or window appears that says your
computer is infected or that a unique plug-in is required. Without fully understanding
what it is you're getting, you accept the prompt.
2.? When installing or updating a program, you're prompted (often checkboxes already
checked) if it's ok to install additional programs that you may not want or are designed to
monitor your usage of the program.

2. Opening e-mail attachments

Another very common way people become infected with viruses and other spyware is by
opening e-mail attachments, even when from a co-worker, friend, or family member. E-mail
addresses can be easily faked and even when not faked your acquaintance may unsuspectingly be
forwarding you an infected file.

When receiving an e-mail with an attachment, if the e-mail was not expected or from someone
you don't know delete it. If the e-mail is from someone you know, be cautious when opening the
attachment.

3. Not running the latest updates

Many of the updates, especially those associated with Microsoft Windows and other operating
systems and programs, are security updates. Running a program or operating system that is not
up-to-date with the latest updates can be a big security risk and can be a way your computer
becomes infected.

c
 
  
4. Pirating software, music, or movies

If you or someone on your computer is participating in underground places on the Internet where
you're downloading copyrighted music, movies, software, etc. for free, often many of the files
can contain viruses, spyware or malicious software.

5. No anti-virus spyware scanner

If you're running a computer with Microsoft Windows it's highly recommended you have some
form of anti-virus and spyware protection on that computer to help clean it from any infections
currently on the computer and to help prevent any future infections.

6. Downloading infected software

Finally, downloading any other software from the Internet can also contain viruses and other
malware. When downloading any software (programs, utilities, games, updates, demos, etc.),
make sure you're downloading the software from a reliable source and while installing it you're
reading all prompts about what the program is putting on your computer.

?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?

c
 
  
 
 

?
The following are some primary indicators that a computer may be infected:

3? The computer runs slower than usual.

3? The computer stops responding, or it locks up frequently.
3? The computer crashes, and then it restarts every few minutes.
3? The computer restarts on its own. Additionally, the computer does not run as usual.
3? Applications on the computer do not work correctly.
3? Disks or disk drives are inaccessible.
3? Gou cannot print items correctly.
3? Gou see unusual error messages.
3? Gou see distorted menus and dialog boxes.
3? There is a double extension on an attachment that you recently opened, such as a .jpg,
.vbs, .gif, or .exe. extension.
3? An antivirus program is disabled for no reason. Additionally, the antivirus program
cannot be restarted.
3? An antivirus program cannot be installed on the computer, or the antivirus program will
not run.
3? New icons appear on the desktop that you did not put there, or the icons are not
associated with any recently installed programs.
3? Strange sounds or music plays from the speakers unexpectedly.
3? A program disappears from the computer even though you did not intentionally remove
the program.

?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?

c
 
  

  
 


a



As mentioned earlier on, the term "Trojan horse" was taken from a clever Greek plan described
by Homer in the Iliad. After seemingly abandoning the siege of Troy, the Greeks placed armed
men inside a huge wooden horse. The horse was Welcomed into the city by the Trojans, who
believed it was a symbol of peace; they slept while the Greeks exited the Horse and opened the
gates allowing the Greek army into Troy, conquering the city.

Operations that could be performed by a hacker on a target computer system include:

* Use of the machine as part of a botnet

* Data theft (e.g. retrieving passwords or credit card information)
* Installation of software, including third-party malware
* Downloading or uploading of files on the user's computer
* Modification or deletion of files
* Keystroke logging
* Watching the user's screen
* Crashing the computer

Trojan horses in this way require interaction with a hacker to fulfill their purpose, though the
hacker need not be the individual responsible for distributing the Trojan horse. It is possible for
individual hackers to scan computers on a network using a port scanner in the hope of finding
one with a malicious Trojan horse installed, which the hacker can then use to control the target
computer.
?
Œ







A resident virus is a computer virus which embeds itself into the memory on a computer,
activating whenever the operating system performs a specific function so that it can infect files
on the computer. This method of viral infection is in contrast with a non-resident virus, which
actively seeks out files to infect. Resident viruses can be quite pernicious, as they may spread
through a system so thoroughly that they even attach to antivirus programs, infecting the very
things they scan for signs of viral infection. Removing a resident virus which has embedded
itself in a computer's memory can be a challenge. The virus may be designed to resist the actions
of conventional antivirus software, or as discussed above, to exploit the software. A specialized
virus removal tool may be needed to extract the virus from memory. In some cases, the services
of an information technology professional may be needed to completely clear a computer of
infection. When a resident virus is identified by an antivirus company or a designer of operating
systems, a patch is often released. This may be an update to an antivirus program which allows
the program to remove the virus, or it may take the form of a virus removal tool which the
computer user can run to get the resident virus out of memory¦?
c
 
  
?
-







The main purpose of this virus is to replicate and take action when it is executed. When a
specific condition is met, the virus will go into action and infect files in the directory or folder
that it is in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch
file is always located in the root directory of the hard disk and carries out certain operations
when the computer is booted¦?






Virus of this kind is characterized by the fact that it deletes the information contained in the files
that it infects, rendering them partially or totally useless once they have been infected. The only
way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the
original content.
Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.
?






This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk,
in which information on the disk itself is stored together with a program that makes it possible to
boot the computer from the disk. The best way of avoiding boot viruses is to ensure that floppy
disks are write-protected and never start your computer with an unknown floppy disk in the disk
drive.







Macro viruses infect files that are created using certain applications or programs that contain
macros. These mini-programs make it possible to automate series of operations so that they are
performed as a single action, thereby saving the user from having to carry them out one by one.






Computer worms are programs that reproduce, execute independently and travel across the
network connections. The key difference between a virus and worm is the manner in which it
reproduces and spreads. A virus is dependent upon the host file or boot sector, and the transfer of
files between computers to spread, whereas a computer worm can execute completely
independently and spread on its own accord through network connections.

c
 
  
The security threat from worms is equivalent to that of viruses. Computer worms are skilled of
doing an entire series of damage such as destroying crucial files in your system, slowing it down
to a large degree, or even causing some critical programs to stop.

Two types:
&%
,:. ;+c
: 


Network worms consist of multiple parts, called "segments.³ They each run on different
machines (and possibly perform different actions) using the network for several
communication purposes.
Moving a segment from one machine to another is only one of their purposes. Network
worms that have only one main segment will coordinate the work of the other segments;
which are sometimes called "octopuses."
*%
2.,+c
: 


Host computer worms are entirely contained in the computer they run on and use
network connections only to copy themselves to other computers.
Host computer worms are the original terminates after it launches a copy on to another
host (so there is only one copy of the worm running somewhere on the network at any
given moment). They are sometimes called "rabbits."

ë





The virus was originally created as a Word document and was then uploaded via email to an
internet newsgroup. Any recipient who opened the email, downloaded the document and opened
it on their computer, unknowingly triggered Melissa's payload. From there, the virus sent itself
as a document to the first 50 contacts in the victim's address book. The email was attached with
a friendly note which included the recipient's name. This was done to make the virus appear
harmless and trick them into opening it. It then created 50 new infected documents from that
victim's machine. At this continuous rate, Melissa quickly became the fastest spreading virus
seen by anyone at the time. The virus was so severe that it resulted in a number of large
commercial companies disabling their email systems.
Melissa was so powerful because it capitalized on a vulnerability found in the Microsoft Word
programming language known as VBA (Visual Basic for Applications). VBA is a complete
language that can be programmed to perform actions such as modifying files and distributing
emails. It also includes a rather useful yet dangerous function known as "auto-execute". The
Melissa virus was programmed by inserting malicious code into a document, enabling it to be
executed whenever someone opened it.
The ILOVEGOU virus, which was first detected in May of 2000, was much more simple than
Melissa. The malicious code it contained came in the form of an attachment. Any recipient who
clicked on the attachment unknowingly executed the code. This email virus then distributed
copies of itself to contacts in the user's address book, enabling the infection to spread at a rapid
rate. Because ILOVEGOU was also known to unload different types of infections, some experts
have labeled it a Trojan rather than a virus.

c
 
  
U

!




In computer security, a stealth virus is a computer virus that uses various mechanisms to avoid
detection by antivirus software.

Typically, when an antivirus program runs, a stealth virus hides itself in memory, and uses
various tricks to also hide changes it has made to any files or boot records. The virus may
maintain a copy of the original, uninfected data and monitor system activity. When the program
attempts to access data that's been altered, the virus redirects it to a storage area maintaining the
original, uninfected data. A good antivirus program should be able to find a stealth virus by
looking for evidence in memory as well as in areas that viruses usually attack.

a"
#$


The COMPANION virus is one that, instead of modifying an existing file, creates a new
program which is executed instead of the intended program.
On exit, the new program executes the original program so that things appear normal. On PCs
this has usually been accomplished by creating an infected .COM file with the same name as an
existing .EXE file.
Integrity checking anti-virus software that only looks for modifications in existing files will fail
to detect such viruses.








?












c
 
  

   
 
Î



ÿ


Virus cannot replicate themselves but worm and Trojan can do that.
A virus cannot be spread without a human action such as running an infected file or program but
worm and Trojan have the capabilities to spread themselves automatically from computer to
computer through network connation.
A virus does not consume system memory but worm consumes too much system memory and
network bandwidth because of their copying nature.
Trojans are used by malicious users to access your computer information but viruses and worms
can¶t do so, they simply infect your computer.

c
 
  
 


 
 


a
%
&

'




If you receive email with a subject line with the phrase I LOVE GOU (all one word, no spaces)
in it« DON'T OPEN the attachment named Love-Letter-For-Gou.txt.vbs.

Over a five-hour period, during May 4, 2000, this virus spread across Asia, Europe and the
United States via e-mail messages titled "ILOVEGOU." The menace clogged Web servers,
overwrote personal files and caused corporate IT managers to shut down e-mail systems.

A scan of the Visual Basic code included in the attachment reveals that the virus may be
corrupting MP3 and JPEG files on users' hard drives, as well as mIRC, a version of Internet
Relay Chat. It also appears to reset the default start page for Internet Explorer.

This virus arrives as e-mail with the subject line "I Love Gou" and an attachment named "Love-
Letter-For-Gou.txt.vbs." Opening the attachment infects your computer. The infection first scans
your PC's memory for passwords, which are sent back to the virus's creator (a Web site in the
Philippines which has since been shut down). The infection then replicates itself to everyone in
your Outlook address book. Finally, the infection corrupts files ending with .vbs, .vbe, .js, .css,
.wsh, .sct, .hta, .jpg, .jpeg, .mp2, .mp3 by overwriting them with a copy of itself.

Œ





SQL Slammer is a computer worm that caused a denial of service on some Internet hosts and
dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It
spread rapidly, infecting most of its 75,000 victims within ten minutes. So named by Christopher
J. Rouland, the CTO of ISS, Slammer was first brought to the attention of the public by Michael
Bacarella (see notes below). Although titled "SQL slammer worm", the program did not use the
SQL language; it exploited a buffer overflow bug in Microsoft's flagship SQL Server and
Desktop Engine database products, for which a patch had been released six months earlier in
MS02-039. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire
Worm, SQL_HEL, W32/SQLSlammer and Helker

-




The latest virus on our list is the dreaded Storm Worm. It was late 2006 when computer security
experts first identified the worm. The public began to call the virus the Storm Worm because one
of the e-mail messages carrying the virus had as its subject "230 dead as storm batters Europe."
Antivirus companies call the worm other names. For example, Symantec calls it Peacomm while
McAfee refers to it as Nuwar. This might sound confusing, but there's already a 2001 virus
called the W32.Storm.Worm.
c
 
  

(

)*

+,-



The w32 bagle malware is part of a family of different viruses and Trojans. It continues to spread
itself via email attachments and infects other computers.This malware installs itself when you
download an email attachment. It executes and creates a file in your system directory called
bbeagle.exe. It is particularly dangerous because the files look legitimate when downloading, and
someone who isn¶t familiar with the internet may download them without knowing. It infects
your computer by the attacker sending fake emails, and infecting other computers. It spreads like
a chain to continuously damage even more computers. When you download one of the virus
files, it executes, installs, and wrecks havoc on your system.


* 



The Nimda worm retrieves the list of addresses found in the address books of Microsoft Outlook
and Eudora, as well as email addresses contained in HTML files found on the infected machine's
hard drive.

Next, the Nimda virus sends all of these recipients an email with an empty body and a subject
chosen at random (and often very long). It adds to the message an attachment named
Readme.exe or Readme.eml (file containing an executable). The viruses use an .eml extension to
exploit a security flaw in Microsoft Internet Explorer 5.

What's more, in Microsoft Windows the Nimda virus can spread over shared network folders,
infecting executable files found there.

Viewing Web pages on servers infected by the Nimda virus may lead to infection when a user
views pages with the vulnerable Microsoft Internet Explorer 5 browser.

The Nimda virus is also capable of taking control of a Microsoft IIS (Internet Information
Server) Web server, by exploiting certain security holes.

Finally, the virus infects executable files found on the contaminated machine, meaning that it can
also spread by file transfers.

c
 
  
 ÿ    

Î



Antivirus software typically uses a variety of strategies in detecting and removing viruses,
worms and other malware programs.

The following are the two most widely employed identification methods:

a
(






This is the most commonly employed method which involves searching for known patterns of
virus within a given file. Every antivirus software will have a dictionary of sample malware
codes called signatures in its database. Whenever a file is examined, the antivirus refers to the
dictionary of sample codes present within its database and compares the same with the current
file.
If the piece of code within the file matches with the one in it¶s dictionary then it is flagged and
proper action is taken immediately so as to stop the virus from further replicating. The antivirus
may choose to repair the file, quarantine or delete it permanently based on it¶s potential risk.
As new viruses and malwares are created and released every day, this method of detection cannot
defend against new malwares unless their samples are collected and signatures are released by
the antivirus software company. Some companies may also encourage the users to upload new
viruses or variants, so that the virus can be analyzed and the signature can be added to the
dictionary.

Œ

 .







Heuristic-based detection involves identifying suspicious behavior from any given program
which might indicate a potential risk. This approach is used by some of the sophisticated
antivirus softwares to identify new malware and variants of known malware. Unlike the
signature based approach, here the antivirus doesn¶t attempt to identify known viruses, but
instead monitors the behavior of all programs.
For example, malicious behaviors like a program trying to write data to an executable program is
flagged and the user is alerted about this action. This method of detection gives an additional
level of security from unidentified threats.
File emulation: This is another type of heuristic-based approach where a given program is
executed in a virtual environment and the actions performed by it are logged. Based on the
actions logged, the antivirus software can determine if the program is malicious or not and carry
out necessary actions in order to clean the infection.

c
 
  

    



1)? AVG Anti-Virus
2)? Avira Antivirus
3)? Bit Defender
4)? ESET NOD32
5)? Kaspersky Anti-Virus
6)? McAfee Antivirus
7)? Norton Antivirus
8)? Panda Antivirus
9)? Quick Heal Antivirus
10)?Trend Micro Antivirus etc«.



c
 
  
 O 


3? http://www.mines.edu/academic/computer/viri-sysadmin.htm
3? http://www.google.com
3? http:// www.shashachu.com
3? http://www.wikipedia.org
3? http://www.youtube.com

c