Operating system and security Cleaning viruses

Transcription

Faculty of Science and Bio-engineering Sciences
Operating system and security
Cleaning viruses
Titularis
:
Prof. Dr. Martin Timmerman
Students
:
Seyed Pejman Sajjadi
Date
:
January 2th, 2012
Rolnr. 98519
Table of Contents
What is computer malware?......................................................................................................................... 3
What is a computer virus? ............................................................................................................................ 3
Virus propagation: ........................................................................................................................................ 4
Virus classification:........................................................................................................................................ 5
Virus replication: ........................................................................................................................................... 7
Virus payload: ............................................................................................................................................... 7
Virus concealment strategies:....................................................................................................................... 8
Protection from viruses and other malware:.............................................................................................. 11
Detection methods: .................................................................................................................................... 12
Static Detection Methods: ...................................................................................................................... 12
Dynamic Detection Methods: ................................................................................................................. 13
Practical example: ....................................................................................................................................... 14
1.
USB_vlad Trojan: ............................................................................................................................. 14
2.
Aadrive Trojan: ................................................................................................................................ 17
3.
Dropper.generic.baby Trojan .......................................................................................................... 19
4.
Virus:Win32 Virus: .......................................................................................................................... 22
Conclusion: .................................................................................................................................................. 31
Appendix: .................................................................................................................................................... 32
List of famous viruses:......................................................................................................................... 32
Bibliography ................................................................................................................................................ 34
What is computer malware?
Computer Malware which is the short for “malicious software” are computer programs designed for the
sole purpose of damaging and gathering information, exploiting privacy or gaining unauthorized access
to system resources, without the owner’s awareness or intervention. Malware is a general term and it
covers all different types of threats to computers such as Computer Viruses, Worms, Trojan Horses and
etc.
What is a computer virus?
A computer virus which is a category of computer malware simply speaking is: “a computer
program that can replicate itself and spread from one computer to another” (computer virus, 2011).
This characteristic of replication is what makes a virus distinct from other computer malwares; keeping
in mind that the significance of a computer virus is to replicate and spread, the term "virus" is wrongly
realized and equalized to other forms of computer malware including Trojan horse, worms, root-kits and
spywares . A real computer virus can spread from one computer to another when it is executed through
some mean of sharing for example caused by sending over a local network or internet, or reaching the
victim’s computer by any other mean.
Computer malware includes computer viruses, computer worms, Trojan horses, most root kits (not all
root kits are malwares), spyware, and some adware (not all adwares are malicious, some are legitimate).
As mentioned above the term “virus” is usually misunderstood and then interpreted wrongly to cover all
kinds of computer malware; Worms and Trojan horses, like viruses, may harm a computer system's data
or performance and of course there are different types of worms and Trojans as well. To make a better
distinction between these two terms, perhaps it is a good idea to define them as well, since we will be
seeing more of these two terms in the “report of the practical” part of this documentation. A Trojan
horse is a piece of software (normally malicious) hidden inside a harmless program. They way a Trojan
horse works, is that it performs its malicious objective and then starts its host program (which is an
ordinary program that the Trojan horse has attached itself to, and appears to be harmless). A Trojan
horse does not replicate itself and does not infect other programs or files on the system; its damage is
localized. Normally, deleting the host program eliminates the Trojan horse and solves the problem. A
computer worm is a program that executes independently of other programs, replicates itself, and
spreads through a network from computer to computer. The main difference between a worm and a
virus is that a virus embeds itself in another file, whereas a worm doesn’t hide in another file and resides
in the computer as an independent program.
A computer virus is a usually a small computer program (usually in .exe format but there are various
ways to mask it with different extensions and icon images) that injects its content into a host computer
when it is executed, thereby infecting it; there are different approaches a virus can use to perform this
infection. When the computer executes the virus code, it affects files on the computer basically in two
different ways. One is the replication process which can be performed in various ways, and the second is
some kind of destructive operation, for example damaging essential kernel files so the operating system
cannot start. The combination of the two is what makes viruses distinct from other kind of malwares.
“The idea of a program that replicates itself may have originated in the early days of computing, when
programmers amused themselves by trying to write the shortest program that prints itself. Such
programs have since been written in many programming languages.” The example here is in the C
language. (D.Salomon, Virus classification, 2010)
--------------------------------------------------------------------------------------------------------------Example:
char*a="char*a=%c%s%c;main(){printf(a,34,a,34);}";
main()
{printf(a,34,a,34);}
----------------------------------------------------------------------------------------------------------------
Virus propagation:
A virus can propagate from file to file inside a computer and between different computers in various
ways; some of these will be mentioned here:
1. Once a virus has infected a file on a computer, it will be re-executed each time the infected file is
executed again; this way, at each execution the virus can look for an executable file that is not
infected yet and infect it. It is only logical to assume that the chances of executing an infected file
grows by each execution; This is one way that a virus propagates inside a computer and in this way
all the executable files will get infected after some time.
2. Another method would be to use interrupts in the operating system. Some viruses they just copy
themselves into the hard disk of a computer; but in order to infect a computer, the virus should be
executed. This means that the CPU should be somehow directed to the virus file and executes it.
one way to do this is for viruses to use interrupts, for example when an external device (a USB flash
memory) is attached to the computer, the virus can be executed as part of the I/O interrupt
handling routine and therefore infect the files on the external device. As we will discuss in this
paper, we will realize that this method is quite dangerous since the virus can reside for some time in
the computer until an interrupt is invoked.
3. Of course the most obvious way a virus can propagate to other system is by sharing a corrupted
(infected) file. The virus writer may program an application that looks like something useful and
harmless (a scientific calculator, a music player, etc.), embed a virus or a Trojan horse in it, and then
share it over a local network or internet. When someone downloads and executes this program they
will unconsciously execute the malicious part as well and usually they do not see any immediate
effect since the host program is still performing its original operation. This way the virus can
replicate inside the victim’s computer and later infect other files within the same computer and over
the network. This is one way of propagation from one computer to another.
4. Perhaps nowadays the most probable way to get infected by a virus in through internet,
downloading a virus which masks itself as a harmless file, is one way but some very famous viruses
propagated using email attachments. Even though this method uses the same technique as above
for propagation (over a network) but since it is very popular, I will mention it as a separate point. A
virus writer can send a virus in various forms (such as an image file) as an attachment inside an
email and send it to thousands of recipients. A famous example for this kind of infection is the “I
love you!” virus which was an email attachment and automatically forwarded the message to the
entire address book of all its recipients.
To sum up the propagation, we can say that viruses propagate inside a computer by execution and
between computers through sharing; this is sharing resources such as files, libraries and etc (over a
network or other medium like USB drives or external hard disks). When a program is written, a virus may
be embedded (hided) as part of the program in it by the programmer, and then spread when it is
executed. It is also probable that updating or modifying a file infects it, if it is done by an illegitimate
party. (D.salomon, Virus propagation, 2010, pp. 49-51)
Virus classification:
The classification of viruses in this section is based on their infection strategy. A virus can be a boot
sector infector, a file infector, an email virus, or a macro virus. Combination of the above is also possible.
1. A File infector virus attaches itself to an executable file (this is normally referred to as a host file) and
is executed when the host file is executed. There are different ways that file infector viruses attach
themselves to the host program. Few of those are listed here:
 A shell virus forms a shell around the original program.
 A non-overwriting virus appends its malicious code to the host program and performs
some modification to make sure that the virus is executed each time the host program is
being executed. The infected program is therefore modified a little, but it still can be
executed and perform its intended task without raising any suspicion.
 As it is obvious from its name, an overwriting virus overrides the code in some parts of
the host program (usually deleting them and replace the virus code) so when the
program is executed, it will perform its job incompletely and then the virus is executed
and since the program is incomplete it will crash.
 An intrusive virus is somehow similar to the overriding virus; the difference is it replaces
a procedure of the host program with another one, for example an interrupt-handling
procedure.
 A simple virus which is part of a host program selects a candidate file each time it is
executed for infection, and infects it by overwriting some part of it. When the candidate
file is executed later on, as expected the virus is executed and the candidate crashes
because it has been damaged. The original virus (which now has more than one host
files) remains in the system and infects more candidates.
2. A boot sector virus embeds itself in the boot sector part of a disk (either removable or not), and
therefore resides in the memory when the computer is booted from the disk (if the disk is bootable)
or when the removable disk (e.g a DVD) is inserted into a disk drive and is read. The virus is in
memory while the computer is turned on, so it can infect any newly inserted disk in the computer.
This type of virus can propagate only when a removable device which has a boot sector virus is
being moved from computer to computer. Most decent antivirus programs perform a boot sector
scan.
3. A multipartite virus is a combination of boot infectors and file infectors. In theory such a virus could
be very effective and dangerous, and propagate really fast. However, in practice this type of virus is
rarely seen because it is quite difficult to be designed and implemented.
4. A macro virus are programmed in micro languages, since some applications (namely Microsoft
office) allows micro programs to be embedded in office file and then be automatically executed
when the file is opened, micro viruses can use this strategy to infect computers.
5. An operating system virus is a virus that infects operating system files. This type of virus is
potentially very dangerous and spreads quite fast since the operating system files are executed
quite rapidly. If the mechanism for infection is to do over-writing to the files this means that some
essential kernel files could be damaged and thus the operating system could not be booted. Another
example of an operating virus could be a virus that embeds itself in the launcher, therefore it will be
executed each time the user launches a program.
6. A general application virus is a form of virus that attaches itself to an application and is executed
each time the infected application is executed. The propagation strength of such virus is from one
point of view high since users tend to share application files. However inside a computer the
propagation rate is relatively mush lower that operating system viruses for instance since
application files are only executed by users and there is chance that an application does not get
executed for some time.
(D.Salomon, Virus classification, 2010)
Virus replication:
A computer virus is a computer program. Therefore it is not a complicated task to write the program in
way that it copies a set of instructions over and over. so an active virus in the memory can create copy
of itself and save it as a file on the disk and then attach this file (in different ways like appending, over
writing and etc) to a host file, therefore infecting other files on the system or even send this infected file
as an attachment inside an email to hundreds of recipients (without the user not knowing that the file
being attached is infected) when it is executed. As mentioned before viruses can also use I/O interrupts
to infect removable devices such as USB flash memories and thus infect other computers. This “fast
replication” characteristic of viruses makes it quite difficult to delete them manually. The replication
rate for some viruses are sometimes so fast that thinking about deleting the infected files manually
would be almost an impossible task. (D.Salomon, Virus classification, 2010)
Virus payload:
The payload is the main destructive and malicious operation a virus performs. It is performed when the
virus is executed. Followings are various types of destructive operations that viruses can perform:






The virus may do “nothing”; this can happen when the virus is simply not written for the version
of the operating system it resides in. this can make the virus ineffective since the instructions of
the virus do not work in its environment.
It may want to gain access to a sensitive or private file to read its content. So each time the
operating system is started it will check to see if the current user has for instance the “read”
privilege for that specific file or not. Such a virus is in fact a spyware.
It may slow the computer down by extensive use of limited resources. Such viruses may use
large quantities of CPU power by executing loops that do nothing. Another side effect of
resource abuse could be extensive replication and thus occupy large portions of memory or the
disk. It may slow down a connection by endlessly sending messages. It may cause system
crashes and other kind of problems, and in general annoy the user rather than damaging the
data. A virus of this type does not attach itself to other files and is referred to as a “rabbit”.
It may completely destroy all the services and functionalities given to the user by the operating
system. It will infect all the files on the system so each time the user starts the operating system,
(depending on the operations of the virus) it may go to an infinite loop and since all the files are
infected therefore the virus is executed again and causes system crash.
It may cause serious damage such as deleting files from the host computer. There are variants of
this kind of damage; sometimes a virus renames the files as well. Usually this sort of damage is
reparable if the user keeps regular backups.
The virus may replicate itself and create copies in a stealth mode until a certain date, and then it
makes itself known by executing and doing damages. This kind of viruses are referred to as time-




bomb viruses and they are quite dangerous, because all the backups prior to the execution of
the virus actually DO include the virus! The “Michelangelo” virus is a well-known example of this
type.
It may choose a file at random and then change some bits in that file again randomly. This type
of damage, referred to as “data diddling”. This type of destructive operation is relatively
dangerous because the errors caused by these damages might indicate a hardware failure.
It may randomly delete files from an operating system. Usually most modern operating system
maintains a history of modifications to the files. A virus may search for the files that have not
been modified recently and then delete it. a file that was not modified recently implies that the
file has not been used for some time. Therefore this type of destructive operation is potentially
quite harmful since there might be some time before the user realizes that a file has been
deleted.
The virus may replicate itself very fast in a network, and thus consume most of the network
resources and therefore deny services to users.
Read-Only. The user can only read the file. Or the users can only write to the files but not read
them. Or neither is possible but the user can still execute the files.
(D.Salomon, Virus classification, 2010)
Virus concealment strategies:
Recovering from a virus can be a time consuming and annoying process. In some cases the only practical
solution would be to re-install the operating system even if the virus is identified and the files
responsible for causing the problems are deleted. This is due to the fast replication characteristic of
computer viruses; however, most of the times it is quite difficult to identify viruses as they employ
different strategies to conceal themselves from antivirus software. Some viruses try to avoid detection
by killing the tasks associated with antivirus software before it can detect them. Different concealment
methods which are taken from different resources are listed as follow:
No concealment: as it appears from its name, no effort is taken to conceal the virus, therefore detection
of it is fairly an easy task for an anti-virus software or for expert users who intend to detect it manually.
Encryption: this strategy is based on encrypting the virus body including its infection, trigger, and
payload, so it would become harder to detect. This "encryption" is not in the “cryptography encryption”
sense. Virus encryption actually means obfuscation (creating confusion in understanding). When the
virus is encrypted it is not runnable until it gets decrypted. What executes first in the virus, then, is a
decrypter loop, which decrypts the virus body and transfers control to it. The idea in this concealment
strategy is that the decrypter loop is small compared to the virus body, and thus makes it difficult for
antivirus software to detect it as malicious.
Figure 1
There are varieties of encryption; here I will merely mention the names of these different types which
go as follow: simple encryption, static encryption key, variable encryption key, substitution cipher and
strong encryption. For more detail on these approaches, one can always refer to the references.
Stealth: the idea of the stealth is to not just hide the virus body but the infection itself. A stealth virus
tries to hide from everything, not just antivirus software. Some examples of stealth techniques are
below:



An infected file's original timestamp can be restored after infection, so that the file doesn't look
freshly-changed.
The virus has the capability of regenerating all the information prior to the infection about a file.
For example: timestamp, file size, and the file’s contents.
Hiding inside a boot loader. There are two kinds of boot loaders (primary and secondary) the
secondary boot loader are saved in some systems as consecutive disk blocks, to make the tasks
for primary boot loader simpler. The secondary boot loaders can be viewed as a file in the
filesystem. A virus can insert itself into the secondary boot loader’s blocks and then relocate the
original block to somewhere else in the system. This results in that the filesystem view shows no
obvious changes, but the virus is hidden and gains control over the real primary boot loader.
Oligomorphism: An oligomorphic virus is an encrypted virus which has a small, finite number of
different decrypter loops that can be used. The virus selects a new decrypter loop from this pool for
each new infection. In terms of detection, oligomorphism makes a virus only a little bit more difficult to
be spotted by an antivirus. Since the antivirus software will get familiar with the decrypter loop the virus
uses, the viruses changes this each time it is executed. However, the antivirus software can have all of
the virus’s possible decryptor loops listed, and look for them all.
Polymorphism: A polymorphic virus is almost the same as an oligomorphic virus. They are both
encrypted viruses and they both change their decrypter loop on each infection. The difference is that a
polymorphic virus has an infinite number of decrypter loop variations. The virus “Tremor” for example,
has almost six billion possible decrypter loops. Obviously Polymorphic viruses cannot be detected by
antivirus software by listing all the possible combinations.
Avoiding bait files: some viruses are programmed not to infect host files that are known to be part of
anti-virus software because of the integrity check that exists in most antivirus software and therefore
the virus would be detected fast. Another type of host that viruses usually avoid to infect is bait files.
Bait files (or goat files) are files that are specially created by antivirus software to be infected by a virus.
These files can be created for various reasons, all of which are related to the detection of the virus.
Self-modification: the idea in the concealment strategy is that the virus modifies the code so each time
there is a new variant of the virus; this is done so the signature based detection method used by
antivirus applications cannot detect the “similar” pattern of that virus or that family of virus. However,
this only makes the detection a bit more difficult but certainly not impossible.
Metamorphic code: to avoid detection some viruses rewrite themselves completely each time they
infect new executable files; this method is called metamorphic. A metamorphic engine is needed to
perform this. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted
of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.
(computer virus, 2011) (D.salomon, Virus hiding methods, 2010) (Aycock, 2006)
Protection from viruses and other malware:
Removing computer malwares and specially viruses can be a tedious and time consuming task. However
there are good means of protection against infections. Perhaps the easiest steps to protect against
computer malwares could constitute the followings:
1. Installing an antivirus application on the computer.
2. Configuring the antivirus application to perform scheduled scans and maintain the application’s
signature database up to date.
3. Use instant scanning of files being downloaded or saved on the computer by the antivirus program.
A relevant question that could be asked at this point is: what an antivirus is and what does is it does
exactly? Antivirus programs are the most effective means of protection against computer malwares. But
it is important to mention that there are no antivirus programs guaranteeing 100 percent protection
against malwares. Such antivirus application simply do not exist because for each antivirus algorithm it is
always possible to suggest a virus counter algorithm that makes a particular virus invisible to a particular
antivirus. Moreover, the impossibility of the existence of the absolute antivirus has been mathematically
proved based on the theory of finite slot machines the author of this proof is Fred Cohen1.
1. The most commonly used method by antivirus applications is using a list of virus
signature definitions or simply speaking having a database of known viruses and compare it
against the files on the system mostly the contents in RAM and boot sectors and other files
store in non-volatile memory. As one can logically deduce, this approach is not full proof since
the system is immune only from known viruses that exist in the signature database.
2. The other approach would be to use heuristic analysis, which is looking for similar patterns that
exist among viruses. This method is mostly used to detect viruses that are yet classified or
inserted into a signature database. The behavior of a certain virus or a family of viruses can be
detected in this method.
3. Some antivirus applications provide “on the fly” scan as well which can better help protecting
the system than scanning the entire computer once in a while. Anti-virus software also needs to
be regularly updated in order to recognize the latest threats. (Antivirus software, 2011)
One may also minimize the damage done by viruses by making regular backups of data.
1
Frederick B. Cohen (born 1957) is an American computer scientist and best known as the inventor of computer virus defense techniques.
Detection methods:
Static Detection Methods:
Static detection method uses pattern recognition to identify viruses based on certain characteristics
after proper analysis without actually executing the virus code, some of these methods are follow:
• String Scanning method: Search for a sequence of bytes that are common to a virus and are not likely
to be found in other programs.
• Wildcards method: allows skipping bytes or byte ranges. For example "?" character are skipped and
the wildcard % means that the scanner will try to match the next byte.
• Mismatches method: allows any given number of bytes in a string to be of arbitrary value, regardless
of their position.
• Generic Detection method: This technique uses one common string to detect several or all known
variants of a family of viruses.
• Bookmarks method: calculates the distance between the start of the virus body and the detection
string.
• Smart Scanning: Smart scanning could skip junk instructions, such as NOPs, in the host file and also did
not store them in the virus signature. To enhance the likelihood of detecting related variants of viruses,
an area of the virus body was selected which had no references to data or other subroutines.
• Skeleton Detection: The scanner parses the statements of the virus line-by-line and drops all
nonessential statements. What is left is the skeleton of the body that has only essential macro code
common in macro virus.
• Heuristics Analysis: Heuristic analysis is an expert based analysis that determines the susceptibility of a
system towards particular threat/risk using various decision rules or weighing methods. MultiCriteria
analysis (MCA) is one of the means of weighing.
• Virus specific detection: There are cases when the standard algorithm of the virus scanner cannot deal
with a virus. In cases like this, a new detection code must be introduced to implement a virus-specific
detection algorithm. This method includes Filtering, Decrypter Detection and X-Ray scanning.
(Essam Al Daoud, 2008)
Dynamic Detection Methods:
In contrast to static detection, dynamic method evaluates a file to be infected or not by executing it. The
antivirus program looks for known methods for infection and detection avoidance. As it was mentioned
before most virus activity eventually need to direct the CPU to itself to actually execute the virus, to do
so they use other operations like interrupt handlers for I/O. even though these calls are somehow
unclear, when they are executed they will become apparent and detectable. There are several methods
for dynamic detection which are mentioned as follow:
• Opening an executable, with both “read” and “write” permission.
• Reading the portion of the file header containing the executable's start address.
• Writing the same portion of the file header.
• Seeking to the end of the file.
• Appending to the file.
Some antivirus programs have a feature called “behavior blocker” that will monitor the behavior of the
application while it is working and will terminate or quarantine the operation if it suspects it to be
harmful and dangerous. Most antivirus tools run the suspected files on a sand box for testing to see if
they are malicious or not. This way the safety of the system is intact
Detection Methods have some major problems:
1. They are only good against known viruses and not very good against evolutionary or new
viruses.
2. They tend to take a noticeable amount of time to scan a system or networks for the patterns.
3. A scanner or its virus pattern database must be updated very often to remain effective.
(Essam Al Daoud, 2008)
To conclude this section, it’s perhaps a good idea to suggest a few good free tools for malware detection
and removal. I would personally suggest the combination of the following tools in which all are free and
quite effective. Tdsskiller, Gmer, Hijackthis, Autoruns, Process Explorer, MalwareBytes, AVG antivirus.
Practical example:
Disinfecting operating systems from malware, especially viruses are a troublesome and time consuming
task. If the idea is to do the mentioned manually it will become even more difficult since the person
trying to accomplish the mentioned has to have a great knowledge both about the operating system
(the file systems and …) and the malware itself. In order to accomplish this section, I have downloaded a
few computer malware, some of which are pure viruses and some are combination of viruses, Trojans
and etc. I have executed them on my virtual machine and observed the results. Here I will give a few
examples of these malwares and the procedure I went through to delete them. In order to do so, I have
used different tools and applications to disinfect the operating system.
1. USB_vlad Trojan:
I downloaded a malware called “USB_vlad”. This malware was programmed with C++, and it creates a
process with the name “raidhost”. It is a trojan horse and downloads more malware into the victim’s
computer. After executing the Trojan, the mentioned process was created and was observable.
Figure 2
This process creates a registry entry with the same name in the path:
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] “
Figure 3
In order to remove this Trojan, I could take two approaches, one would be to kill the process, delete the
file created by the process in its location and then delete the mentioned registry entry; the second
approach would be to use a single strong anti-virus with additional cleaning tools, or use a combination
of different tools (anti-viruses, registry cleaners and etc.) to create the same effect.
Just to show how dangerous this thread is rated by AVG anti internet security suite, I have chosen the
second approach to delete this malware; of course the first choice is valid and quite practical. As it is
apparent in the picture below, the risk level of this threat is quite high.
Figure 4
Figure 5
It’s noticeable that just removing the threat does not clean the registry entry of the malware, however
without the existence of an executable file; the existence of the registry entry is useless. Using the pc
analyzer tool of AVG internet security suite, I have scanned for registry errors and the result was as
follow:
Figure 6
This is the log for the registry analysis; it is noticeable that the registry for our Trojan is detected and
removed.
Figure 7
2. Aadrive Trojan:
For the second example, I infected my operating system with a Trojan called “aadrive”. This Trojan
creates a file in the windows folder called “aadrive32.exe”.
On start up, a cmd window will pop up and the CPU usage will reach and stay 100%.
Figure 8
This Trojan downloads a lot of file off internet and stores some of them in system32 folder and
consumes a lot of internet speed. It also runs at startup as it appears on the screen shot below:
Figure 9
One key feature of this Trojan is that it restricts access to antivirus websites, after getting infected I was
able to access any website except for ones regarding an antivirus. Even after manually deleting the
“aadrive32.exe” the effects of the malware are not completely gone, I could have access to antivirus
websites, but still the connection speed was awfully low and I could not track the registry entry for this
Trojan. I had to use an antivirus to get rid of this malware. Even though I deleted the file manually, the
antivirus still detected a threat with the same exact name “aadrive.exe” and removed it.
Figure 10
3. Dropper.generic.baby Trojan
For the third example I have downloaded a Trojan which I don’t know the exact name of. It is named as
setup.exe in the source I got it from. After opening the file, I got an error saying that the file could not be
opened. In less than 30 seconds the CPU usage exceeded 100 percent, and the theme of the windows
changed to basics and the internet connection was lost.
Figure 11
After rebooting the operating system, the following message was shown.
Figure 12
As it appears from the screen shot above, the hal.dll file is removed. Windows Hardware Abstraction
Layer (HAL), a file that hides hardware complexities from Windows applications. hal.dll is a system
process that is needed for your Windows system to work properly. This problem could be solved my
using a windows installation CD to copy the missing file, perhaps a better option would be to run a virus
scan on the disk before restoring the missing file, this could be done using various tools, I would
personally use “Trinity Rescue Kit” which has an anti virus that can be used to scan the disk and get rid
of the malwares, however even after fully scanning the disk and resting the OS some feature were gone
including the shutdown and restart button.
Out of curiosity I executed this malware again on a new operating system to see if it creates the same
effect, and amazingly it did not. The preliminary effects were the same (no internet connection, errors
and change in theme) however after rebooting the system; the missing hal.dll file error was not shown.
But the OS kept its previous state with the same error message shown as the one when I executed the
file for the first time, this time I killed the processes related to it and the theme did not change and CPU
usage remained normal and once again I had access to internet. So I installed an anti virus and it
detected a Trojan horse called “Dropper.generic.baby” and was able to remove it completely, and the
system was once again safe but still some features were gone including shutdown and restart. I could
not find a decent solution to this malware. Perhaps re-installing the windows could be the only option.
I tried to analyze this Trojan to see how it works, it turned out that it’s a famous Trojan and has so many
aliases; the following analysis is taken from threatexpert website:
Memory Modifications
 There were new processes created in the system:
Process Name
Process Filename
Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 73,728 bytes
svchost.exe
c:\svchost.exe
73,728 bytes
System.exe
%System%\system.exe
73,728 bytes

Note:
o
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System
(Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows XP).
 The following system services were modified:
Service
Display Name
Name
New
Status
ALG
Application Layer Gateway Service
"Stopped" %System%\alg.exe
AudioSrv
Windows Audio
"Stopped" %System%\svchost.exe -k netsvcs
Dhcp
DHCP Client
Service Filename
SharedAccess Windows Firewall/Internet Connection Sharing
(ICS)
Themes
Themes
WebClient
WebClient
"Stopped" %System%\svchost.exe -k
LocalService
wscsvc
Security Center
Registry Modifications

The following Registry Keys were created:
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o

HKEY_LOCAL_MACHINE\SOFTWARE\Microsaft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsaft\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsaft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsaft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ekrn
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NOD32krn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\AVP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\ekrn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\NOD32krn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\AVP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\ekrn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\NOD32krn
HKEY_CURRENT_USER\z:
The newly created Registry Values are:
o
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


(Default) = "[file and pathname of the sample #1]"
egui = ""
so that [file and pathname of the sample #1] runs every time Windows starts
o
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsaft\Windows\CurrentVersion\Run]

AVP = ""
o
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVP]
o
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ekrn]


ImagePath = ""
ImagePath = ""
o
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn]
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVP]


ImagePath = ""
ImagePath = ""
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrn]
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NOD32krn]
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\NOD32krn]
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\ekrn]




ImagePath = ""
ImagePath = ""
ImagePath = ""
ImagePath = ""
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\AVP]
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\NOD32krn]


ImagePath = ""
ImagePath = ""
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\ekrn]
o
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\AVP]


o
ImagePath = ""
[HKEY_CURRENT_USER]



o
ImagePath = ""
NoDrives = 0x00000000
NoRun = 0x00000000
NoViewOnDrive = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]



NoLogOff = 0x00000001
NoFolderOptions = 0x00000001
NoClose = 0x00000001
to prevent users from logging off and remove all menu items and buttons that log the user off
to remove the Folder Options item from all Windows Explorer menus and from Control Panel
o
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
o
[HKEY_CURRENT_USER\z:]




Lord4u = "%System%\Explorer.exe"
NoDrives = 0x00000000
NoRun = 0x00000000
NoViewOnDrive = 0x00000000
4. Virus:Win32 Virus:
For the fourth example, I have infected my operating system with a virus which is called Virus:Win32, and
is know with many other aliases, after the infection I have uploaded the virus to the
http://www.virustotal.com/ and after analysis of the file, Virustotal detected the file as a virus with the
mentioned name. The followings are the characteristics of the mentioned virus which are taken from
Microsoft’s website:
Aliases:
Win32/Virut.F (AhnLab)
W32/Virut.AI!Generic (Command)
W32/Virut.gen (Avira)
Win32.Virtob.Gen.12 (BitDefender)
Win32/Virut.17408 (CA)
Win32.Virut.56 (Dr.Web)
Win32/Virut.NBP (ESET)
Virus.Win32.Virut.ce (Kaspersky)
W32/Virut.n.gen (McAfee)
W32/Virut.CX (Norman)
W32/Sality.AO (Panda)
Win32.Virut.cl (Rising AV)
W32.Virut.CF (Symantec)
PE_VIRUX.J-2 (Trend Micro)
Description: Virus:Win32/Virut.BN is a detection for a polymorphic file infector that targets .EXE and
.SCR Windows files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote
attacker to download and execute arbitrary files on the infected computer.
Symptoms: There are no common symptoms associated with this threat. Alert notifications from
installed Antivirus software may be the only symptom(s).
Technical Information (Analysis): Virus:Win32/Virut.BN is a detection for a polymorphic file infector
that targets .EXE and .SCR Windows files. This virus also opens a backdoor by connecting to an IRC
server, allowing a remote attacker to download and execute arbitrary files on the infected computer.
Spreads via:
Executable File Infection: Win32/Virut.BN disables Windows System File Protection (SFP) by injecting
code into the Windows process "winlogon.exe". The injected code patches the system file "sfc_os.dll" in
memory which in turn allows the virus to infect files protected by SFP.
The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with
Explorer, including on shares (with write access) will result in files being infected, and the virus
spreading from machine to machine.
The virus injects its own code into a system process such as "explorer.exe" or "winlogon.exe", and hooks
low-level (NTDLL layer) Windows API calls in order to stay in memory. It hooks the following functions in
each running process (NTDLL.DLL):
NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx
Thus, every time an infected process calls one of these functions, execution control is passed to the virus.
HTML File Infection: It writes code to HTML files that adds a hidden IFrame pointing to the domain
"zief.pl". When the HTML file is opened, the browser connects to this server without the user's
knowledge. The HTML page hosted at this location attempts to exploit a number of different
vulnerabilities (including those affecting the user's browser and other applications) in order to run a
copy of the virus. These modified HTML files are detected as Virus:HTML/Virut.BH.
The virus also modifies the local machine's hosts file, redirecting the domain "zief.pl" to localhost
(127.0.0.1) so that already-infected machines will not run the remotely-hosted copy of the virus.
Payload:
Backdoor Functionality: Virut.BN connects to Internet Relay Channel (IRC) server "irc.zief.pl" via port 80
using a particular channel. Should this fail, it instead attempts to connect to " proxim.ircgalaxy.pl" also using
port 80.
It contains functionality to download and execute arbitrary files on the affected system. This may
include additional malware. The backdoor can also be used to change the host that it connects to for
control.
Registry modifications:

The newly created Registry Values are:
o
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
o


ProxyEnabled = "FALSE"
Microsoft Windows Update Client = "%Windir%\services.exe"
so that services.exe runs every time Windows starts
o
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
o
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
o
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]



UpdateHost = 00 50 5E 3F 95 96
ProxyEnable = 0x00000000
Run = "%Windir%\services.exe"
so that services.exe runs every time Windows starts

The following Registry Values were deleted:
o


o
VMware User Process = "%ProgramFiles%\VMware\VMware Tools\VMwareUser.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


VMware Tools = "%ProgramFiles%\VMware\VMware Tools\VMwareTray.exe"
MSMSGS = ""%ProgramFiles%\Messenger\msmsgs.exe" /background"
The following Registry Value was modified:
o
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]



Cookies =
Cache =
History =
After the infection, I rebooted my operating system expecting the virus to have made its effects. I
installed the free version of “avira” antivirus and started scanning my system. Right after installing avira I
got notifications that my OS is infected with a virus called “w32/virut.gen
Figure 13
After finishing the scan, avira reported 81 detections of the same virus.
Figure 14
It was very interesting to see that this virus affected 81 different files in “boot sector” and some
“executable file”. The addresses of the infected files are reported by avira antivirus.
Start of the scan: Wednesday, January 04, 2012 16:43
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
C:\WINDOWS\system32\ieudinit.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
C:\WINDOWS\inf\unregmp2.exe
C:\WINDOWS\system32\ie4uinit.exe
C:\WINDOWS\system32\shmgrate.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Outlook Express\setup50.exe
C:\WINDOWS\system32\help.exe
C:\WINDOWS\system32\setup.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\ntsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\control.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\magnify.exe
C:\WINDOWS\system32\narrator.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\utilman.exe
C:\Program Files\Outlook Express\wab.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mobsync.exe
C:\WINDOWS\system32\tourstart.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\rcimlby.exe
C:\WINDOWS\system32\accwiz.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\fsquirt.exe
C:\Program Files\Windows NT\hypertrm.exe
Starting to scan executable files (registry).
C:\WINDOWS\system32\wbem\wmiapsrv.exe
[WARNING] The file was not repaired as requested!
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\ups.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\smlogsvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\dmadmin.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\wupdmgr.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\WINDOWS\system32\spider.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Windows NT\Pinball\PINBALL.EXE
C:\WINDOWS\system32\winmine.exe
C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe
C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe
C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe
C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe
C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe
C:\WINDOWS\system32\mshearts.exe
C:\WINDOWS\system32\sndrec32.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\system32\charmap.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\system32\usmt\migwiz.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\WINDOWS\system32\restore\rstrui.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\odbcad32.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\mshearts.exe
C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe
C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe
C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe
C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe
C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe
C:\WINDOWS\system32\winmine.exe
C:\Program Files\Windows NT\Pinball\PINBALL.EXE
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\WINDOWS\system32\wupdmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\dmadmin.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\smlogsvc.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\ups.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\odbcad32.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\restore\rstrui.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\WINDOWS\system32\usmt\migwiz.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\system32\charmap.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\system32\sndrec32.exe
C:\Program Files\Windows NT\hypertrm.exe
C:\WINDOWS\system32\fsquirt.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\accwiz.exe
C:\WINDOWS\system32\rcimlby.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\tourstart.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Outlook Express\wab.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\narrator.exe
C:\WINDOWS\system32\magnify.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntsd.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\WINDOWS\system32\setup.exe
C:\WINDOWS\system32\help.exe
C:\Program Files\Outlook Express\setup50.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\shmgrate.exe
C:\WINDOWS\system32\ie4uinit.exe
C:\WINDOWS\inf\unregmp2.exe
C:\WINDOWS\system32\ieudinit.exe
End of the scan: Wednesday, January 04, 2012 16:45
Used time: 01:52 Minute(s)
As the virus was replicating so fast, after a few minutes the infected files were about 419. I asked the
antivirus to do a system repair. In order to do that I had to restart my machine, but after rebooting I
received an error saying “the end point format is invalid”. Even booting with safe mode brought up the
same error.
Figure 15
At this stage, there is not much one can do except for using rescue kits. I have downloaded a rescue kit
called “trinity” and booted from there, this rescue kit has some interesting tools and features especially
designed to detect and remove viruses. There are several anti viruses embedded in trinity rescue kit
including, bitdefender, avira and Calm antivirus. I have used all of them to scan and disinfect my
operating system.
Figure 16
Even after deleting all the detected malwares by these anti viruses, I still could not have access to my OS
and the same error appeared on start up. I decided to use bitdefender bootable rescue CD to scan and
disinfect my computer. To make sure that all the traces of the virus will be gone I used Kaspersky
bootable CD as well.
Figure 17
Figure 18
Even after using two antivirus software and one rescue kit, my OS was not recovered. In my opinion
some essential system files are damaged and deleting them, which are marked and recognized by anti
viruses as virus, disabled me from recovering my OS. Perhaps the proper solution would be to re-install
windows. Keep in mind that most the essential files and personal information can be copied using these
rescue kits and then be used on a clean OS to get them disinfected and archived. This virus has no effect
on windows vista and seven.
Conclusion:
In this paper we have seen the definition of a malware, and the differentiation between different forms
of malwares. Since the main focus of the paper was on viruses, we have seen infection, replication, and
detection strategies especially for viruses, based on the practical examples shown, one can conclude
that some of the malwares are completely removable by different tools and the chances to recover the
infected operating systems are fairly high, however as I have shown with another example, there are
situations where reinstalling the operating system seems to be the only solution. To conclude this paper,
the main objectives of the paper which was providing information to the readers about the sources of
infections and tools and applications that can be used to recover from these situations were introduced
successfully.
Appendix:
List of famous viruses:
1. Jerusalem - 1987
For the first time it was discovered in 1987 on October 1. The virus was dubbed Jerusalem because it
was identified in a Hebrew university, but in 1991 antivirus experts found that Italy is the country were
the first traces of the computer virus were noticed. Jerusalem is believed to be one of the oldest
computer viruses in history, being able to infect both .EXE and .COM files. Initially the Jerusalem virus
included a bug that led to a repeat infection of the files that continued until the size of the files
overcome computer resources. In addition, each Friday 13 it deleted all programs in the infected system
as a result of a malicious payload that set off on the respective day. Jerusalem considerably slowed
down the machine. A person could identify the virus but noticing two lines on the monitor.
2. Morris (a.k.a. Internet Worm) - 1988
Previously at www.InfoNIAC.com we wrote about this computer worm, which is believed to be one of
the first worms that spread over the Internet. The name of the virus comes from its developer Robert
Tappan Morris, who was a student at Cornell University. The computer worm was set off on November
2, 1988 and after some time it managed to infect 6,000 to 9,000 machines. It overloaded the whole
Internet, leading to the failure of a large number of servers. According to its developer, the goal was to
discover just how far and fast a computer worm can spread all over the network. Robert Tappan Morris
was found guilty and sentenced to 3 years of probation along with 400 hours of community service. In
addition, he had to pay a $10,000 fine.
3.
Barrotes - 1993
This is believed to be the first popular computer virus developed in Spain. As soon as it infected the
system, it would remain there until January the 5th, when it would set off showing a series of bars on
the screen. It infected .COM, .EXE and overlay files. The Barrotes computer virus represents a resident
virus - it becomes a resident of the computer memory each time the machine starts up. Due to a series
of vertical lines that appear on the monitor, it was easy to identify the virus. It could also overwrite the
Master Boot Record of the HDD, thus making it impossible for the uses to access the hard disk.
4.
Solar Sunrise - 1998
This is not the name of the computer virus; it is the name of the situation that occurred in 1998 when a
team of hackers managed to take control of more than 500 computer system of the army, government
as well as private sector of the United States. The name Solar Sunrise comes after the well-known
vulnerabilities in machines that run on the Sun Solaris OS. At first the attack was believed to have been
organized by hackers from Iraq, but later it was discovered that the ones to blame were two American
youngsters from California.
5.
CIH (a.k.a. Chernobyl) - 1998
Our list of the most dangerous computer viruses on the 20th century continues with CIH virus that
caused an estimated damage of $20 to $80 million around the globe. After its launch, the computer
virus managed to affect huge amounts of data stored on computers. Later it was discovered that the
computer virus was launched in Taiwan. It has been recognized to be one of the most dangerous
computer viruses in history. It infected Windows 95, 98, and ME executable files. In addition, CIH
remained resident in the memory of the machine, being able to carry on infecting other executables.
After being activated, the virus overwrote data on the HDD of the infected PC, making the latter
inoperable. CIH could also overwrite the BIOS of the infected computer, thus preventing boot-up. The
second name of the virus - Chernobyl - was given because some of the biggest damages occurred on the
day when the nuclear reactor exploded.
6.
Melissa - 1999
This computer virus managed to cause a damaged estimated between $300 and $600 million. The
famous computer virus gained huge fame on March 26, 1999. Experts claimed that this computer virus
managed to infect between 15 and 20 percent of all business PCs on the planet. Melissa virus spread so
fast that a number of big companies, including Intel and Microsoft, that used Outlook, had to shut down
their email systems to hold up the damage. The computer virus took advantage of Microsoft outlook to
send email messages of itself to 50 names on the contact list of a user. The message in the email read:
"Here is that document you asked for don’t show anyone else." It featured an attached Word document,
which, when opened, unleashed the virus that infected the computer and then repeated the replication.
When the virus was activated it changed Word documents by leaving quotes from the popular animated
show "The Simpsons".
7.
ILOVEYOU - 2000
Considered to be one of the most dangerous computer worms in history, ILOVEYOU was for the first
time detected in Philippines on May 4. In just one day it spread worldwide, with about 10 percent of all
Internet users being affected by the worm. ILOVEYOU also caused $5.5 billion damage. Its name comes
from the subject of the email that a user received. The email included an attachment that said "LOVELETTER-FOR-YOU.TXT.vbs". When activated, the computer worm overwrote all files on the host,
attacking a copy of itself to each file. In addition, the worm sent a copy of itself to everyone in a user's
contact list.
Bibliography
Antivirus software. (2011, 12 21). Retrieved 12 29, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Antivirus_software
Aycock, J. (2006). Computer Viruses and Malware. Springer.
computer virus. (2011, 12 14). Retrieved 12 24, 2011, from wikipedia:
http://en.wikipedia.org/wiki/Computer_virus
D.Salomon. (2010). Virus classification. In D.salomon, Elements of Computer Security (pp. 51-53).
London: Springer.
D.salomon. (2010). Virus hiding methods. In D.salomon, Elements of Computer Security (pp. 83-84).
London: Springer.
D.salomon. (2010). Virus propagation. In D.salomon, Elements of Computer Security (pp. 49-51). London:
Springer.
D.Salomon. (2010). Virus replication. In D.Salomon, Elements of Computer Security (p. 72). London:
Springer.
Essam Al Daoud, I. H. (2008). Computer Virus Strategies and Detection . 8.

Operating system and security Cleaning viruses

Transcription

Similar documents

ResReport1934-33-35 - e-RA, the electronic Rothamsted Archive

October 2000

CNS Viral Infections (Johnson) - Johns Hopkins Bloomberg School

Blended Lifestyle

Set McAfee to Auto Update .DAT files Auto

The Hammerling Experiment The Hammerling Experiment

Hemophilia Headlines - Hemophilia Foundation of Oregon

Fruity Loops.indd

Misery from Social Media (and other thoughts)