
Computer Virus

30 Sep | Posted in Computer

compatible with DOS and can host DOS viruses with varying degrees of success. Program viruses infect program files, which commonly have extensions such as .COM, .EXE, .SYS, .DLL, .OVL, or .SCR. Program files are attractive targets for virus writers because they are widely used and have relatively simple formats to which viruses can attach.


Malicious Programs and Scripts


Viruses that infect agent programs: software that fetches and runs code from the Internet on the user's behalf, such as Java applets and ActiveX controls.


WORM


A worm is a computer program that can copy itself from machine to machine. Worms normally spread and infect other machines through computer networks; an entire LAN or corporate e-mail system can become so clogged with copies of a worm that it is rendered useless. Worms are commonly spread over the Internet as e-mail attachments and through Internet Relay Chat (IRC) channels.

For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.

A worm usually exploits a security hole in a piece of software or in the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a buffer overflow in Microsoft SQL Server 2000 for which a patch had been available for about six months; because the entire worm fit in a single UDP packet, it reached most vulnerable hosts on the Internet within minutes.

Worms consume CPU time and network bandwidth while they replicate, and they often carry a malicious payload as well. A worm called Code Red made huge headlines in 2001; experts predicted that it could clog the Internet so effectively that things would completely grind to a halt.

Code Red slowed Internet traffic when it began to replicate, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT and Windows 2000 servers running Microsoft's IIS web server that did not have the security patch for the indexing-service (.ida) buffer overflow installed. Each time it found an unpatched server, the worm copied itself there, and the new copy then scanned for further servers to infect. Depending on the number of unpatched servers, a worm can create hundreds of thousands of copies this way.

The Code Red worm was designed to do three things:

•Replicate itself during the first part of each month (days 1 to 19)

•Replace Web pages on infected servers with a page that declares “Hacked by Chinese”

•From the 20th to the 27th of the month, launch a concerted flood against a hard-coded IP address belonging to the White House Web server in an attempt to overwhelm it (which is why changing that server's address was enough to sidestep the attack)

The most widespread version of Code Red is a variant, typically described as a mutated strain, of the original .ida Code Red; it was this variant, with a working random-address scanner, that produced the outbreak of July 19, 2001.


TROJAN HORSES


Trojans, another form of malware, are generally defined as programs that do something other than what the user expected, where that "something" is malicious. Most often, Trojans are associated with remote-access programs that perform illicit operations such as stealing passwords, or that allow compromised machines to be used in targeted denial-of-service attacks. One of the more basic forms of a denial-of-service (DoS) attack floods a target system with so much data, traffic, or so many commands that it can no longer perform its core functions. When many machines are gathered together to launch such an attack, it is known as a distributed denial-of-service (DDoS) attack.

Because Trojan horses do not make duplicates of themselves on the victim's disk (or copy themselves to other disks), they are not technically viruses; but because they do harm, many experts lump them in with viruses. Trojan horses are often used by attackers to create a back door into an infected system. Trojans such as Back Orifice are very dangerous: if anyone runs the program on a computer connected to the Internet, the attacker can take control of that computer, transferring files to or from it, capturing screen contents, running any program, killing any running process, and so on.


Once a Trojan is installed on the system it runs with the same privileges as the user who launched it, and it can use those privileges to do things the user did not intend, such as:

•Delete files

•Transmit to the intruder any file the user can read

•Change any file the user can modify

•Install other programs with the user's privileges

•Attempt privilege-elevation attacks: the Trojan can try to exploit a weakness to gain access beyond that of the user running it; if successful, it then operates with the increased privileges

•Install viruses

•Install other Trojans


The Following Tips Will Help The User To Minimize Virus Risk:


•If users are truly worried about traditional (as opposed to e-mail) viruses, they should consider a more secure operating system such as UNIX. Viruses are far rarer on such systems because the permission model keeps a program run by an ordinary user from writing to system files and to other users' data, so an infection cannot spread beyond what that user owns. They are not immune, though: the Morris worm of 1988 spread between UNIX machines, and an attacker who obtains root can do anything.

•If users are running a less secure operating system, buying virus-protection software is a sensible safeguard. Some popular anti-virus programs include:

•McAfee VirusScan

•Norton AntiVirus

•Virex

•PC-cillin

•Avast!

•AVG Anti-Virus System

•The automatic (on-access) protection of anti-virus software should be turned on at all times.

•Users should perform a manual scan of their hard disks weekly (or schedule one to run automatically). These scans supplement automatic protection and confirm that the computer is virus-free.

•Scan all floppy disks before first use.

•Disable floppy-disk booting. Most computers allow this in the BIOS setup, and it eliminates the risk of a boot-sector virus coming in from a floppy accidentally left in the drive.

•Users should enable the automatic-update option of their anti-virus software so that its virus definition files stay current; a scanner with stale signatures misses anything released since its last update.

•Users should create and maintain a rescue (boot) disk to facilitate recovery from certain boot viruses.

•Back up the hard disk periodically.

•Users should buy legal copies of all software they use and make write-protected backups.

•E-mail messages and attachments from unknown people should not be opened. Attachments that arrive as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG) and so on are data files and are far less dangerous than programs, with the important exception of the macro-virus problem in Word and Excel documents noted above. A file with an extension like .EXE, .COM, .SCR or .VBS is an executable, and an executable can do any damage it likes. Beware of double extensions such as "photo.jpg.exe": Windows hides the final extension of known file types by default, so such a file is displayed as "photo.jpg". It should also be verified that the apparent author of the e-mail actually sent the attachment, since newer viruses send messages that appear to come from someone the user knows, using addresses harvested from an infected machine's address book.

•Users should make sure that macro virus protection is enabled in all Microsoft Office applications, and should never run the macros in a document unless they know specifically what those macros do.

•Appropriate passwords should be assigned to shared network drives.
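The attachment rule above can be turned into a simple triage check. The following Python is an added example, not code from the original article: the extension sets extend the article's .EXE, .COM and .VBS with other directly executable types, the policy actions (block, quarantine, allow) are an assumed gateway policy, and the sample attachment names are constructed for the example. It handles the two disguises the article warns about, a data-looking extension in front of an executable one and a sender-spoofed message whose only tell is the file name, by looking at every suffix rather than the first.

```python
"""Attachment triage by file extension, including the double-extension trick."""

# Extensions that are executed directly when opened (the article names .EXE,
# .COM and .VBS; the rest of this list is an extension of it, added here).
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
              ".dll", ".sys", ".ovl"}
# Document formats that can carry macros and so need macro protection on.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt"}
# Plain data formats with no code of their own.
DATA = {".txt", ".gif", ".jpg", ".jpeg", ".bmp", ".pdf"}


def extensions_of(filename):
    """All dotted suffixes of a name, lowercased and with padding stripped.

    "photo.jpg      .exe" -> [".jpg", ".exe"]; the padding is a known trick
    for pushing the real extension out of a mail client's visible column.
    """
    parts = filename.strip().lower().split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def classify_attachment(filename):
    exts = extensions_of(filename)
    if not exts:
        return "unknown"
    last = exts[-1]
    if last in EXECUTABLE:
        # A data-looking extension in front of an executable one is exactly
        # the case that "hide extensions for known file types" conceals.
        if len(exts) > 1 and exts[-2] in DATA | MACRO_CAPABLE:
            return "executable-disguised"
        return "executable"
    if last in MACRO_CAPABLE:
        return "macro-capable"
    if last in DATA:
        return "data"
    return "unknown"


def attachment_policy(filename):
    """Map a classification to the action an assumed cautious gateway takes."""
    kind = classify_attachment(filename)
    actions = {
        "executable": "block",
        "executable-disguised": "block",
        "macro-capable": "quarantine",   # open only with macro protection on
        "data": "allow",
        "unknown": "quarantine",
    }
    return actions[kind], kind


def triage(filenames):
    """Run the policy over a batch; returns {filename: (action, kind)}."""
    return {name: attachment_policy(name) for name in filenames}


# Constructed sample attachment names (not taken from real messages).
SAMPLES = [
    "quarterly-report.doc",
    "holiday-photo.jpg",
    "holiday-photo.jpg.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "invoice.pdf                                   .scr",
    "Setup.EXE",
    "README",
]

if __name__ == "__main__":
    for name, (action, kind) in triage(SAMPLES).items():
        print(f"{action:10} {kind:21} {name!r}")
```

Note that the check deliberately treats an unknown extension as "quarantine" rather than "allow": a scanner that only blocks the extensions it has heard of is exactly what a new dropper format gets past.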


Things that are not viruses!


Joke programs

Joke programs are not viruses and do not inflict any damage. Their purpose is to frighten their victims into thinking that a virus has infected and damaged their system. For example, a joke program may display a message warning the user not to touch any keys or else the computer’s hard disk will be formatted.


Droppers

A dropper is a program that is not itself a virus, nor is it infected with one, but when run it installs a virus into memory, onto the disk, or into a file. Droppers have sometimes been written as a convenient carrier for a virus and sometimes as an act of sabotage.


Hoaxes

There must be very few people on e-mail who haven't received a chain letter with a subject line warning of a virus doing the rounds. These are often hoaxes, meant to scare people and have fun at their expense. The warning encourages the recipient to pass it on to everyone they know, which creates an unnecessary furor and clogs mailboxes, while each forwarding lends the message a further air of credibility.


Methods of virus detection used by antivirus software:


Three main methods exist for detecting viruses: integrity checking (also known as checksumming), behavior monitoring and pattern matching (scanning).


Integrity checking

Antivirus programs that use integrity checking start by building an initial record of the state of every application file on the hard drive (size, time, date, and a checksum or cryptographic hash of the contents). Using this record, checksumming programs then monitor the files to see whether they have changed. If the state changes, the integrity checker warns the user of a possible virus. A checker that records only size and date can be fooled by a virus that overwrites part of a file and restores the original timestamp, which is why the checksum matters.

This method has several disadvantages, the biggest being that false alarms are altogether too common: the records kept by checksumming programs are frequently rendered obsolete by legitimate programs (installers, updaters, self-modifying executables) that change files in their normal course of operation and so look like viral activity to the checker. Another weakness is that integrity checking can only alert the user after a virus has already infected the system; it never prevents the infection.
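As an added illustration (not code from the original article), here is a small integrity checker in Python in the spirit of the method just described. It records size, modification time and a SHA-256 hash for the program-file extensions the article lists, then reports files that were modified, added or removed. The sample directory, file names and the two simulated infections in demo() are constructed for the example; the "stealth" category shows why a content hash catches what a size-and-date record alone would miss.

```python
"""Integrity checker: baseline program files, then report what changed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the article lists as common program-virus targets.
PROGRAM_SUFFIXES = (".com", ".exe", ".sys", ".dll", ".ovl", ".scr")


def hash_file(path, chunk=65536):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, suffixes=PROGRAM_SUFFIXES):
    """Record size, modification time and content hash of every program file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": hash_file(p),
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the record; in practice keep it somewhere a virus cannot write."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def check_integrity(root, baseline, suffixes=PROGRAM_SUFFIXES):
    """Compare the tree under root with a saved baseline."""
    current = build_baseline(root, suffixes)
    report = {"modified": [], "stealth": [], "added": [], "removed": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["removed"].append(name)
        elif new["sha256"] != old["sha256"]:
            # Content differs but size and timestamp are unchanged: a checker
            # that compared only size and date would report nothing here.
            if new["size"] == old["size"] and new["mtime"] == old["mtime"]:
                report["stealth"].append(name)
            else:
                report["modified"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed sample tree (no real malware): one appending infection,
    one overwriting infection that restores the timestamp, one dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "edit.com").write_bytes(b"MZ clean program")
        (root / "notes.txt").write_bytes(b"not a program file, never recorded")
        victim = root / "calc.exe"
        victim.write_bytes(b"MZ original code " + bytes(100))
        original_stat = victim.stat()
        baseline_path = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Appending infector: the file grows and its timestamp moves.
        with open(root / "edit.com", "ab") as f:
            f.write(b" + appended virus body")
        # Overwriting infector that keeps the size and puts the old mtime back.
        data = bytearray(victim.read_bytes())
        data[17:29] = b"VIRUS BODY!!"
        victim.write_bytes(bytes(data))
        os.utime(victim, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        # A dropped program file that was not in the baseline.
        (root / "dropper.scr").write_bytes(b"MZ new arrival")

        return check_integrity(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The false-alarm problem described above is visible here too: a legitimate update to edit.com would land in "modified" just like the infection does, so a real deployment needs a way to re-baseline after known-good changes (for example, by re-running build_baseline right after an installer finishes).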


Behavior monitoring

Behavior-monitoring programs are usually terminate-and-stay-resident (TSR) programs that constantly watch the requests passed through the interrupt table (on DOS, chiefly the INT 21h file-system services). They look for activities a virus might engage in: requests to write to a boot sector, opening an executable program for writing, or

 

