Monday, August 13, 2012

Virus Details

  It's impossible to explain why some people get a kick out of destroying others' computer systems. It's the same with any kind of vandalism: perhaps they get a sense of power, or they may feel it's an indication of their intelligence (which it is!), or maybe they just crave the notoriety (bragging often gets them caught). There's absolutely no money in writing viruses. The money's in developing anti-virus software. In fact, the idiots who write the viruses are solely responsible for making millionaires out of the AV developers.
    Destructive and damaging programs have been around since the early computers. They've caused different amounts of damage, from displaying a small annoying message on your monitor to destroying your MBR or FAT and rendering your computer completely useless. But they never used to replicate or clone themselves. They caused damage to the host computer and that was it. Distribution was the author's problem.
    Now, true 'viruses' can clone themselves. They can fill up your hard drive with garbage files and slow your computer down to a crawl. They can attach to files and keep copies of the original to fool 'anti-virus' programs. They can travel and infect other computers through floppy disks, CDs, shared network files, e-mail attachments and other files downloaded from the Internet or over modem lines. They can 'morph' or change their signature (distinct properties or coding) as they infect, making them harder for anti-virus programs to detect.
    It is important to note that a virus does not destroy your actual hardware, just the programs, drivers and files associated with your hardware. However, with the popularity of 'Flash ROMs' being used on video cards, hard drives, NICs, and even your system BIOS, it's only a matter of time. A good anti-virus program is a must for your computer. But don't think you can just install it and forget about it. There are hundreds of new virus signatures discovered every month. Most AV programs, like McAfee or Norton Anti-Virus, will allow you to download and update your virus data and information files from the Internet for free. The virus data files available from these websites are updated every two to three months.
Something new is the range of online virus scanners and computer maintenance clinics. One I use is McAfee's. I have scanned and removed viruses using this online product. The virus information files are always up-to-date, and you don't have to worry about constantly downloading new signatures. Some may find it a little frustrating to set up at first, but hang in there; the product is well worth it.
Logic Bombs
    These are small but damaging programs that sit on your computer system and wait for a certain key combination, a specific file access, or a certain date before releasing their payload.
Software Bombs
    This type of program generally releases its payload and causes damage as soon as it arrives on your computer.
Trojan Horses
    Trojan Horses, like their namesake, try to tempt or trick the user into activating the program themselves. They have innocent names, like 'IMPORTANT.EXE', 'README.EXE', 'URGENT.EXE', or appear to be a game or application. The user clicks on them and releases the payload.
Worms
    Usually found on intranets or internets, these files would gather information as they sat on the system. Maybe recording passwords or access codes when they were typed in, or leaving 'back doors' open, allowing for unauthorized accesses.
    Another type of worm is a file that just keeps replicating itself over and over. By constantly reproducing itself it can slow a computer or an entire network to a standstill.

    All these types of 'miscreant software' are often lumped together and called viruses. And, a lot of viruses do contain these in some form or another. However, a true virus usually has a 'host' file. In other words, it can attach itself to a file already on your system. It has the ability to clone itself. It can reproduce itself and infect other files or drives and computer systems. Viruses can also hide themselves from detection in several different ways.
Avoiding Detection
Encryption
    Virus detection programs look for programming code that allows a program to replicate or clone itself; this is one way they search for and recognize possible viruses. Using encryption, a virus can keep its replication code scrambled while it sits on disk and decrypt it only when it runs, so the recognizable code is not there for the scanner to find.
Polymorphism
    Another way that a virus can be detected is by its signature. Each virus has a signature, or a piece of code that is specific to that individual program. Virus detection programs look for these signatures when scanning the files on your drive. Polymorphic viruses are created with the ability to change their signature each time they clone or reproduce.
Stealth
    Detection programs note the characteristics of files and watch for any changes, which might indicate an infection. When a Stealth virus infects a file, it can modify the characteristics of that file so that it still reports the same date, time, checksum, and size. It can also monitor the Operating System's calls for a file and remove itself temporarily, or load an uninfected copy of the file that it has made for just that purpose.
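The checker below is an added example (not part of the original post) of the file-attribute baseline this section describes. On a constructed 64-byte stand-in for a program file it records size, a 16-bit additive checksum and a SHA-256 digest, then shows why the 'same checksum' trick in the Stealth paragraph works against an additive checksum but not against a cryptographic hash: a same-size change can be balanced in the file's padding so the byte sum is unchanged, while the digest still differs.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a program file on disk (not a real executable):
# a 2-byte header, 30 filler bytes, an 18-byte "body" and 14 bytes of padding.
BODY_OFFSET, PAD_OFFSET = 32, 50
ORIGINAL = b"MZ" + b"\x90" * 30 + b"CLEAN PROGRAM BODY" + b"\x80" * 14

def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum, the kind of 'checksum' older integrity
    checkers stored beside a file's date, time and size."""
    return sum(data) & 0xFFFF

@dataclass(frozen=True)
class Baseline:
    size: int
    weak_sum: int
    sha256: str

def take_baseline(data: bytes) -> Baseline:
    return Baseline(len(data), additive_checksum(data), hashlib.sha256(data).hexdigest())

def check(data: bytes, base: Baseline) -> dict:
    """Report, attribute by attribute, whether the file still matches its baseline."""
    now = take_baseline(data)
    return {"size": now.size == base.size,
            "weak_sum": now.weak_sum == base.weak_sum,
            "sha256": now.sha256 == base.sha256}

def modify_keeping_weak_sum(data: bytes, new_body: bytes) -> bytes:
    """Demo modification: replace the body with same-length content, then shift
    the padding bytes so the total byte sum, and so the additive checksum, is
    unchanged. Size and weak checksum stay identical; the SHA-256 digest does not."""
    if len(new_body) != PAD_OFFSET - BODY_OFFSET:
        raise ValueError("new body must have the same length as the old one")
    buf = bytearray(data)
    body = slice(BODY_OFFSET, BODY_OFFSET + len(new_body))
    delta = sum(buf[body]) - sum(new_body)   # amount the padding must absorb
    buf[body] = new_body
    for i in range(PAD_OFFSET, len(buf)):
        if delta == 0:
            break
        step = max(-buf[i], min(255 - buf[i], delta))   # keep each byte in 0..255
        buf[i] += step
        delta -= step
    if delta:
        raise ValueError("padding too small to hold the checksum constant")
    return bytes(buf)
```

A hash-based baseline defeats the forged size/date/checksum, but not a stealth virus that serves a clean copy when the file is read, which is why the post recommends scanning from a clean boot disk.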
Targets
Boot Sector Virus
    Boot Sector Viruses write themselves into the Boot Sector of a Hard Drive or Floppy Diskette. Every disk has a boot partition that contains coded information.
The hard drive has a Master Boot Record that contains partition information as well as another boot record for the operating system. The boot sector on a bootable floppy disk contains the code necessary to load the operating system files. The boot sector on a non-system disk contains the information that will display the message 'Non-system disk or disk error, remove and press any key when ready'. The boot sector of an infected floppy contains the coding that will infect the hard drive's partition sector.
If an infected floppy is left in the drive at boot up, it loads the virus into memory and copies itself to the partition sector of the hard drive. Now, every time the computer is booted from the hard drive, the virus in the partition sector loads itself into memory, then passes control to the original boot sector that it has stored elsewhere on the disk. Any floppy inserted into its drive will become infected every time a read or write operation takes place. This is one of the most common results. There are also boot sector viruses that, once they've infected a HD, will completely scramble the partition sector or destroy the FAT. Boot Sector Viruses are difficult to remove and usually require the use of an anti-virus program. If not caught in time, infection can advance to the point where the hard drive has to be re-partitioned and reformatted. At this stage, all your files and data are lost. Hopefully, you've made backups!
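As an added example (not code from the original post), the script below parses a constructed 512-byte MBR in the standard layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and compares the bootstrap code against a hash taken while the machine was known clean. Because an infected partition sector still hands control to the original boot code and leaves the partition table valid, the code hash, not the partition list, is what reveals the change; the sample MBR and its single FAT16 partition are constructed values.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFF = 446     # then four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into a hash of its bootstrap code, the used
    partition entries and the state of the 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(current: bytes, clean_boot_code_sha256: str) -> list:
    """Compare the MBR read now with a baseline hash taken while the machine was
    known clean. The partition table may be untouched, so only the code hash tells."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: damaged sector or not an MBR")
    if info["boot_code_sha256"] != clean_boot_code_sha256:
        findings.append("bootstrap code differs from clean baseline: possible boot sector infection")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not from a real disk): the given bootstrap bytes
    zero-padded to 446, one active FAT16 (type 0x06) partition at LBA 63, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 2_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr(b"CLEAN BOOTSTRAP PLACEHOLDER")
CLEAN_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
```

On a real machine the baseline hash would be recorded from the first sector of the disk while booted from a known-clean medium, and the comparison repeated at each clean boot.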

File Infector Virus
    These viruses wait in memory for a suitable program file to be loaded. When the file makes a disk write operation, the virus will replicate itself inside the disk file or will create another file with the same name but a .COM extension. When the operating system starts the program, the .COM file is executed, loading the virus into memory. Then the virus loads the real program. Many, many files can be infected before detection. These viruses often target files such as COMMAND.COM, IO.SYS and MSDOS.SYS. Anti-virus programs are the only way to get rid of these viruses. The only sure-fire prevention is to completely isolate your machine from the Internet, floppy disks, CDs, and any other type of removable media.
Multipartite Virus
    These viruses contain properties of both boot sector and file infector viruses.
Infection
Local Memory Infection

    At this stage the virus is loaded into memory and probably has not infected too many files. If your Virus Detection Program finds a virus in memory, then you should perform a cold boot to a clean boot disk. A warm boot does not re-initialize the memory and may leave the virus there. Files that may have become corrupted by not closing down properly may have to be repaired or deleted using CHKDSK or SCANDISK. These files will probably have to be replaced.


Local Disk Infection

    This is a very aggressive stage. Your computer could experience loss of data, scrambled FAT, damaged partitions and corrupted files. If caught in time, you can run an anti-virus program from an uninfected emergency boot disk and remove the virus. You will have to re-install affected files and applications, probably the Operating System, and use a data recovery tool of some sort. If left too long, however, your system could be destroyed to the point of having to repartition, reformat, reinstall the OS, and then use a data recovery tool (your backups, for one).
* Backups are generally used to recover your data in the event of a virus infection. If you've backed up after virus infection, then the backups could also be infected. Data files are less likely to be affected by a virus but should be scanned before they are replaced. Do not use backups to recover the Operating System, however, as these files could be infected too.
Shared File Infection
    Networks and Intranets use shared files. If these are infected, every work station on the network could become infected as it uses the shared file. This involves closing down the entire network and cleaning, removing, and re-installing on each workstation and all servers.
    Again, it's very important to keep your AV files up to date. If your computer should happen to get a virus, document everything you see and any information that your virus detection program gives you. Information on how to remove the virus should be obtained from a reputable source. On another computer you can visit your AV manufacturer's website. They can offer support and virus removal information, even if removal has to be done manually. In fact, it's probably a good idea to get to know the site now, before it becomes necessary.