www.jntuworld.

com

CS-0276
COMPUTER VIRUSES

INTRODUCTION:

A computer virus is a computer program, written by “mean people”, that can copy itself and infect
a computer without permission or knowledge of the user. These virus programs are placed into a
commonly used program so that program will run the attached virus program as it boots, therefore, it is said
that the virus "infects" the executable file or program. Viruses work the same ways in Windows or DOS
machines by infecting zip or exe files.
A virus is inactive until you execute an infected program or application OR start your computer from
a disk that has infected system files. Once a virus is active, it loads into your computer's memory and may
save itself to your hard drive or copies itself to applications or system files on disks you use.
Some viruses are programmed specifically to damage the data on your computer by corrupting
programs, deleting files, or even erasing your entire hard drive. Many viruses do nothing more than display
a message or make sounds / verbal comments at a certain time or a programming event after replicating
themselves to be picked up by other users one way or another. Other viruses make your computer's
system behave erratically or crash frequently. Sadly many people who have problems or frequent crashes
using their computers do not realize that they have a virus and live with the inconveniences.

The most common are:

 Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a
virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet
program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other
programs) or wreak havoc.

 E-mail viruses - An e-mail virus travels as an attachment to e-mail messages, and usually
replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address
book. Some e-mail viruses don't even require a double-click -- they launch when you view the
infected message in the preview pane of your e-mail software.

 Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing
but instead does damage when you run it. Trojan horses have no way to replicate automatically.

 Worms - A worm is a small piece of software that uses computer networks and security holes to
replicate itself. A copy of the worm scans the network for another machine that has a specific
security hole. It copies itself to the new machine using the security hole, and then starts replicating
from there, as well.

ORIGIN:
Computer viruses are called viruses because they share some of the traits of biological viruses. A
computer virus passes from computer to computer like a biological virus passes from person to person. A
virus can only spread from one computer to another when its host is taken to the uninfected computer, for
instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such
www.jntuworld.com

as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on
a network file system or a file system that is accessed by another computer.
Since the dawn of the computer age the potential for computer viruses to harm your system has
been a reality. Though virus attacks seem like a relatively new concept, the vulnerability to those attacks
have been around as long as computers could connect to a network, whether a simple computer to
computer connection or the wide web connection that is the Internet. In any case the advent of virus attacks
seems to have surged because of more media coverage and more users logging on to the Internet.
Historically, viruses were directed at a variety of operating systems. Currently though, viruses prey mainly
on Microsoft Windows systems. Another difference between viruses of the past and those of the present is
the severity of the effect. Pre-1990's viruses affected computers by causing erratic behavior. Today, not
only do viruses cause computers to operate differently, they also steal valuable user information like credit
card numbers and social security numbers. You can probably understand now why the virus creation
industry is bigger now than it ever was before. The new generations of viruses are more dangerous and
thus more lucrative to its creators.

HISTORY:
Traditional computer viruses were first widely seen in the late 1980s, and they came about
because of several factors. The first factor was the spread of personal computers (PC’s). Prior to the
1980’s, home computers were nearly non-existent or they were toys. Real computers were rare, and
“experts” locked them away for use. During the 1980s, real computers started to spread to businesses and
homes because of the popularity of the IBM PC (released in 1982) and the Apple Macintosh (released in
1984). By the late 1980s, PCs were widespread in businesses, homes and college campuses.

The second factor was the use of computer bulletin boards. People could dial up a bulletin board
with a modem and download programs of all types. Games were extremely popular, and so were simple
word processors, spreadsheets and other productivity software. Bulletin boards led to the precursor of the
virus known as the Trojan horse. A Trojan horse is a program with a cool-sounding name and description.
So you download it. When you run the program, however, it does something uncool like erasing your
disk. You think you are getting a neat game, but it wipes out your system. Trojan horses only hit a small
number of people because they are quickly discovered, the infected programs are removed and word of the
danger spreads among users.

The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs
were small, and you could fit the entire operating system, a few programs and some documents onto a
floppy disk or two. Many computers did not have hard disks, so when you turned on your machine it would
load the operating system and everything else from the floppy disk. Virus authors took advantage of this to
create the first self-replicating programs.

Early viruses were pieces of code attached to a common program like a popular game or a popular
word processor. A person might download an infected game from a bulletin board and run it. A virus like
this is a small piece of code embedded in a larger, legitimate program. When the user runs the legitimate
program, the virus loads itself into memory and looks around to see if it can find any other program on the
disk.
If it can find one, it modifies the program to add the virus's code into the program. Then the virus
launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the
www.jntuworld.com

virus has now reproduced itself, so two programs are infected. The next time the user launches either of
those programs, they infect other programs, and the cycle continues.

If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a
bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they
did was replicate themselves. Most viruses also have a destructive attack phase where they do damage.
Some sort of trigger will activate the attack phase, and the virus will then do something -- anything from
printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, the
number of times the virus has been replicated or something similar.

How a Computer Works:

To understand how a computer virus works, it is important to understand how a computer operates.
A computer is a tool that is used to execute instructions. A user must supply the proper instructions for a
computer to execute in a manner needed by the user. These instructions are known as software. With
software, a user may manipulate the procedure of a computer to his desired need.
The main application of software is called the operating system. The operating system is a library
of commands for which a user can execute. The more commands available, the more complicated the
operating system becomes. This complexity provides an excellent opportunity for a well skilled virus
creator.

How a Computer Virus Works:

A biological virus cannot thrive on its own; instead it must infect a host. A
Computer virus has similarities to a biological virus, except that it cannot be classified as a living entity.
With regards to infection, the computer is committing no flaw by executing the virus code. A virus is
computer code that runs like other software on one's computer, except it executes in a way that is not
intended by the user.

As the complexity of a computer program increases the possibility of exploitable code does as well.
An exploit is the unintended abuse of a feature in a program. When a program is written, the emphasis is
on functionality, rather than possibility of code exploitations. When the knowledge of the exploitable code
reaches one who is willing to exploit the code, a computer virus is engineered. These exploits can be found
in all computer programs, and if the exploits are powerful enough, they may obstruct or even damage
computer operations.

TYPES OF COMPUTER VIRUSES:

Computer Virus is a kind of malicious software written intentionally to enter a computer without the
user’s permission or knowledge, with an ability to replicate itself, thus continuing to spread. Most common
types of viruses are:
www.jntuworld.com

RESIDENT VIRUSES:

This type of virus is a permanent, which dwells in the RAM memory. From there it can overcome
and interrupt all of the operations executed by the system: corrupting files and programs that are opened,
closed, copied, renamed etc.

Examples include: Randex, CMJ, Meve, and MrKlunky.

DIRECT ACTION VIRUSES:

The main purpose of this virus is to replicate and take action when it is executed. When a specific
condition is met, the virus will go into action and infect files in the directory or folder that it is in and in
directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always located in the root
directory of the hard disk and carries out certain operations when the computer is booted.

OVERWRITE VIRUSES:
Virus of this kind is characterized by the fact that it deletes the information contained in the files
that it infects, rendering them partially or totally useless once they have been infected. The only way to
clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content.

Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

BOOT VIRUSES:
This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in
which information on the disk itself is stored together with a program that makes it possible to boot (start)
the computer from the disk. The best way of avoiding boot viruses is to ensure that floppy disks are write-
protected and never start your computer with an unknown floppy disk in the disk drive.

Examples of boot viruses include: Polyboot.B, AntiEXE.

MACRO VIRUSES:

Macro viruses infect files that are created using certain applications or programs that contain
macros. These mini-programs make it possible to automate series of operations so that they are performed
as a single action, thereby saving the user from having to carry them out one by one.

Examples of macro viruses: Relax, Melissa.A, Bablas, O97M/Y2K.

DIRECTORY VIRUSES:

Directory viruses change the paths that indicate the location of a file. By executing a program (file
with the extension .EXE or .COM), which has been infected by a virus, you are unknowingly running the
virus program, while the virus has previously moved the original file and program. Once infected it becomes
impossible to locate the original files.

POLYMORPHIC VIRUSES:
www.jntuworld.com

Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms
and encryption keys) every time they infect a system. This makes it impossible for anti-viruses to find them
using string or signature searches (because they are different in each encryption) and also enables them to
create a large number of copies of themselves.

Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

FILE INFECTORS:

This type of virus infects programs or executable files (files with an .EXE or .COM extension).
When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging
effects it is programmed to carry out. The majority of existing viruses belong to this category, and can be
classified depending on the actions that they carry out.

COMPANION VIRUSES:
Companion viruses can be considered file infector viruses like resident or direct action types. They
are known as companion viruses because once they get into the system they "accompany" the other files
that already exist. In other words, in order to carry out their infection routines, companion viruses can wait
in memory until a program is run (resident viruses) or act immediately by making copies of themselves
(direct action viruses).

Some examples include: Stator, Asimov.1539, and Terrax.1069

FAT VIRUSES:

The file allocation table or FAT is the part of a disk used to connect information and is a vital part of
the normal functioning of the computer. This type of virus attack can be especially dangerous, by
preventing access to certain sections of the disk where important files are stored. Damage caused can
result in information losses from individual files or even entire directories.

WORMS:
A worm is a computer program that has the ability to copy itself from machine to machine. Worms
use up computer time and network bandwidth when they replicate, and often carry payloads that do
considerable damage.

Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson, Code Red.

TROJANS OR TROJAN HORSES:

Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses do
not reproduce by infecting other files, nor do they self-replicate like worms.

LOGIC BOMBS:
They are not considered viruses because they do not replicate. They are not even programs in
their own right but rather camouflaged segments of other programs. Their objective is to destroy data on
www.jntuworld.com

the computer once certain conditions have been met. Logic bombs go undetected until launched, and the
results can be destructive.

HOAXES:
The virus hoax came about after friends sent each other emails about a new virus threat. Someone
decided that they could cause just as much trouble by sending out fake warnings rather than real viruses.
Hoaxes may seem harmless, but they do a great deal of damage to the Internet as a whole. Not only do
they slow down traffic and clog up email servers, but they also cause people to panic. Companies can
spend money and time investigating what is just someone's idea of a joke.

MOBILE PHONE VIRUSES:

Although rare, mobile phones are the latest technology to be hit by virus problems. Some people
have discovered that it is possible to crash certain types of mobile by sending them a coded text message.

WHO WRITES COMPUTER VIRUSES?

Virus authors are normally 14-26 year old males who spend a lot of time on their computers. Some
of them want to prove they are good programmers. Others want to show that they have the power to cause
large-scale problems. But most viruses don't constitute good programming, as many fail to deliver their
payload. Many are re-hashed versions of old programs that require little skill to produce.

HOW DO YOU CATCH A VIRUS WRITER?

Although the Internet allows computer viruses to spread quickly, it also helps to catch the authors.
Each computer connected to the Internet has an address, similar to a phone number. This is called an IP
www.jntuworld.com

address and looks like this: 128.5.10.64. Every email you send is marked with your IP address and this
information is hard to remove.
Your IP address reveals what company (or Internet Service Provider) holds your account. The
company can then find out which customer sent the mail. So if you send a virus to a Member of Parliament,
it won't be long before the police are knocking on your door asking questions.
Sophisticated virus authors would be able to cover their tracks to some degree, but there is usually some
way to track them down.
THE ROLE OF SOFTWARE DEVELOPMENT:
Software is designed with security features to prevent unauthorized use of system resources, many
viruses exploit software bugs in a system or application to spread. Software development strategies that
produce large numbers of bugs will also generally produce potential exploits.
ANTI-VIRUS SOFTWARE AND OTHER PREVENTIVE MEASURES:
Many users install anti-virus software that can detect and eliminate known viruses after the
computer downloads or runs the executable. There are two common methods that an anti-virus software
application uses to detect viruses. The first, and by far the most common method of virus detection is using
a list of virus signature definitions. This works by examining the content of the computer's memory the files
stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a
database of known virus "signatures". The disadvantage of this detection method is that users are only
protected from viruses that pre-date their last virus definition update. The second method is to use a
heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect
viruses that anti-virus security firms’ have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received e-mails 'on
the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not
change the underlying capability of host software to transmit viruses. Users must update their software
regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent
the latest threats.

YOU CAN PROTECT YOURSELF AGAINST VIRUSES WITH FEW SIMPLE STEPS:

 If you are truly worried about traditional (as opposed to e-mail) viruses, you should be running a
more secure operating system like UNIX. You never hear about viruses on these operating
systems because the security features keep viruses (and unwanted human visitors) away from
your hard disk.
 If you are using an unsecured operating system, then buying virus protection software is a nice
safeguard.
 If you simply avoid programs from unknown sources (like the Internet), and instead stick with
commercial software purchased on CDs, you eliminate almost all of the risk from traditional
viruses.
 You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and
you should NEVER run macros in a document unless you know what they do. There is seldom a
good reason to add macros to a document, so avoiding all macros is a great policy.
 You should never double-click on an e-mail attachment that contains an executable.
Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF), etc., are data
files and they can do no damage (noting the macro virus problem in Word and Excel documents
mentioned above). However, some viruses can now come in through .JPG graphic file
attachments. A file with an extension like EXE, COM or VBS is an executable, and an executable
www.jntuworld.com

can do any sort of damage it wants. Once you run it, you have given it permission to do anything
on your machine. The only defense is never to run executables that arrive via e-mail.

Recovery methods:

Once a computer has been compromised by a virus, it is usually unsafe to continue using the same
computer without completely reinstalling the operating system. However, there are a number of recovery
options that exist after a computer has a virus. These actions depend on severity of the type of Virus.

VIRUS REMOVAL:
One possibility on Windows XP and Vista is a tool known as System Restore, which restores the
registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a
subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from
previous days should work provided the virus is not designed to corrupt the restore files. Some viruses,
however, disable system restore and other important tools such as Task Manager and Command Prompt.
An example of a virus that does this is CiaDoor.
Administrators have the option to disable such tools from limited users for various reasons. The
virus modifies the registry to do the same, except, when the Administrator is controlling the computer, it
blocks all users from accessing the tools. When an infected tool activates it gives the message "Task
Manager has been disabled by your administrator.", even if the user trying to open the program is the
administrator.
www.jntuworld.com
www.jntuworld.com

COMPUTER VIRUS DETECTION AND REMOVAL

OPERATING SYSTEM REINSTALLATION:
Reinstalling the operating system is another approach to virus removal. It involves simply
reformatting the OS partition and installing the OS from its original media, or imaging the partition with a
clean backup image.
This method has the benefits of being simple to do, can be faster than running multiple anti-virus
scans, and is guaranteed to remove any malware. Downsides include having to reinstall all other software
as well as the operating system. User data can be backed up by booting off of a LiveCD or putting the hard
drive into another computer and booting from the other computer's operating system.

HOW TO AVOID CATCHING A VIRUS:

DO’s DON’Ts
Stay calm. A computer virus isn't dangerous until the Don't open any attachment you are not sure
infected email is opened. about, even if you have a virus scanner.
Delete any mail you think is infected and empty your
deleted items folder.
Read the email. Check that the contents of the Don't forward any attachment to a friend without
message makes sense before you open any being sure it is safe.
attachments.
Look out for hoaxes. There are many emails warning Don't send an email about a "new virus" without
of "the most destructive virus ever", but often these checking it out.
viruses don't exist.
Send any email you think is infected to an anti-virus Don't send mail that may contain a virus to
company (you may have to own a copy of their virus anyone other than official virus companies. Mail
software). They can tell you if it is a virus or not. filtering systems will probably delete it anyway.
Make sure you have a recent backup of your most Don't place backup floppy disks in your computer
important work. if you think you have a virus, as the virus could
spread to your backups.
If you get a computer virus you'll need to use a virus Don't be blasé just because you have a virus
scanner to get rid of it. scanner. You will still need to keep your eyes
open in case a new virus emerges.

Conclusion:

A computer virus can cause devistation and chaos among the computer industry if dangerous
enough. For this reason, the majority of the world has made it punishable under the law to create computer
viruses for the intent to cause disruption. Viruses have been around since binary was first invented, and will
remain a threat to unmaintained and ill formed software programs. Only through proper measures can an
individual become educated of possible damages of viruses, and procedures at which to prevent them.
www.jntuworld.com

Viruses are commiting no illegal action with regards to the computers interworkings, but only through the
eyes of the user, are viruses effective.