2008 Batch-I
Module XV
Virus
Scenario
Virus Incident
Virus Detection Countermeasures
Response
Viruses in 2004
Introduction
Worms
• A worm does not require a host to replicate.
• Worms are a subset of virus programs.
Logic Bomb
• A logic bomb is code surreptitiously inserted into an application or operating system that causes it to perform some destructive or security-compromising activity whenever specified conditions are met.
Time Bomb
• A time bomb is considered a subset of logic bomb that is triggered by reaching some preset time, either once or periodically.
Trojan
• A Trojan is a small program that runs hidden on an infected computer.
How is a Worm different from a Virus?
There is a difference between a general virus and worms.
A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
A worm spreads through the infected network automatically while a virus does not.
Indications of a Virus attack
1. Lack of control
2. Difficulty in distinguishing the nature of attack.
3. Draining of resources.
4. Presence of bugs.
5. Compatibility problems.
Virus Damage
• Internet
• e-mail
Modes of Virus Infection
Like its biological counterpart, the computer virus also has a life cycle from its birth, i.e. creation, to its death, i.e. eradication of the virus.
Design
Reproduction
Launch
Detection
Incorporation
Elimination
Virus Classification
1. System Sectors
2. Files
3. Macros
4. Companion Files
5. Disk Clusters
6. Batch Files
7. Source Code
8. Worms using Visual Basic
How does a Virus Infect?
1. Polymorphic Virus
2. Stealth Virus
3. Fast and Slow Infectors
4. Sparse Infectors
5. Armored Virus
6. Multipartite Virus
7. Cavity (Space filler) Virus
8. Tunneling Virus
9. Camouflage Virus
10. NTFS ADS Virus
Famous Viruses/Worms: W32.CIH.Spacefiller (a.k.a. Chernobyl)
The body of the message reads: "Here's the document you asked for...don't show anyone else ;-)"
Double-clicking the attached Word document (typically named LIST.DOC) will infect the machine.
Famous Viruses/Worms: Pretty Park
A combination of text strings (setup, card, docs, news, Image, images, pics, resume, photo, video, music or song data) with any of the extensions SCR, PIF or EXE; or an existing system file appended with any of the extensions SCR, PIF or EXE.
Famous Viruses/Worms: SirCam Worm
The worm collects a list of files with certain extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files named 'sc*.dll' and sends itself out with one of the document files it finds in the user's "My Documents" folder.
Famous Viruses/Worms: Nimda
Source: http://www.fwsystems.com/nimda/nimda.gif
Famous Viruses/Worms: SQL Slammer
The worm carried no destructive payload, and the very speed of the worm hampered its spread, as the noticeable slowdown in Internet traffic also slowed Slammer's spread.
Writing a simple virus program
• Scanning
• Integrity Checking
• Interception
Virus Incident Response
Worm.Win32.Bizex
Virus Encyclopedia
I-Worm.Moodown.b
I-Worm.Bagle.b
I-Worm.Bagle.a
I-Worm.Klez
Worm.Win32.Welchia.a
Picture source: http://www.geeklife.com/images/wallpapers/bug-hot1.jpg
Worm.Win32.Welchia.b
Worm.Win32.Doomjuice.a
Worm.Win32.Doomjuice.b
Summary
Viruses come in different forms.
Some are mere nuisances, some come with devastating consequences.
E-mail worms are self-replicating and clog networks with unwanted traffic.
Virus codes are not necessarily complex.
It is necessary to scan the systems/networks for infections on a periodic basis for protection against viruses.
Antidotes to new virus releases are promptly made available by security companies, and this forms the major countermeasure.