Virus – Antivirus Software


Page 2

Many people (including experts in the field) thought that computer viruses were simply a myth invented in a science fiction book, and that the media was trying to plant in people's minds a reality that did not correspond to the facts. Yet the number of viruses grew from a few that could be counted on the fingers of one hand in the first year to more than 15,000 viruses today.

The Creeper virus was first detected on ARPANET in the early 1970s.

The first PC virus was a boot sector virus called “Brain”, created by Basit and Amjad Farooq Alvi in 1986 in Lahore, Pakistan.

This virus copies itself into other software.

History

Page 3

Computer viruses are small software programs designed to transfer from one computer to another.

“A virus is simply a computer program that is intentionally written to attach itself to other programs and replicate whenever those programs are executed.”

Viruses can easily spread through e-mail attachments or instant messages. A virus can also be spread by downloading unnecessary files from the Internet. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.

Virus

Page 4

1. Discouraging unauthorized copying of programs, as with the Pakistani Brain virus.

2. Scientific research, as with the STONED virus, written by a graduate student in New Zealand; it was taken by his brother, who wanted to pass the virus on to his friends.

3. The desire to take up a challenge and show off the intellectual capability of people whose intelligence and abilities had been mocked, as with the V2P viruses.

4. The desire for revenge on the part of programmers who were dismissed from their companies.

5. To encourage the purchase of anti-virus programs: some companies are said to write new viruses and then announce a new product that detects them.

Reasons for writing viruses

Page 5

When we run an infected program it is loaded into memory and starts running as well. It also has the ability to infect other programs.

When the virus runs, it adds itself to other programs that are not yet infected.

When we transfer programs and files to a friend by e-mail, CD or floppy disk, our friend's computer can be infected as well.

How a Virus Works

Page 6

In fact, the virus attaches itself to a file by adding its own code at the beginning or at the end of the infected file, without actually changing the contents of the original file. Consider the picture of the layout of a non-infected file: when the program is called, it runs normally.

Now imagine that the file is infected. As we said, the virus is pasted into the program without changing anything in the contents of the file. How is it pasted? Either the virus places itself at the beginning of the program, so that it is executed before the program itself, or it attaches itself at the end of the program and places a mark at the beginning. In the second case the virus hides at the end of the infected file and puts a jump at the start of the program, so that when the program is called and run, control passes to the virus first rather than to the program.

In both cases, after the virus has finished its harmful work it may return control to the program so that the program runs normally, or it may not return control at all, and so cause damage to the device.

How a Virus Works

Page 7

Worm: infects computers connected to a network automatically, without human intervention, which makes worms spread faster and wider than viruses. The difference between them is that worms do not change or delete files, but they consume system resources and memory heavily, which leads to a very noticeable slowdown of the system.

Worms are disseminated through e-mail in very large numbers.

Trojan: a program that tempts the user with an important or attractive name or appearance; in fact, once it is run, the program opens a back door, and through that back door the system is broken into and the device can be controlled to a significant degree.

Virus: a virus needs intervention by the user in order to spread; the user intervenes by running something that was downloaded from e-mail or from the Internet, or exchanged on floppy disks.

The difference between…

Page 8

(1) Boot Sector Virus: this type infects the boot sector and may prevent the user from accessing the system.

(2) File Virus: usually infects programs and spreads to other files and programs when they are run.

(3) Macro Virus: these viruses infect Microsoft Office documents such as Word and Excel files.

(4) Multipartite Virus: infects files and the boot sector at the same time, and is devastating in many cases if it is not stopped.

(5) Polymorphic Virus: rather sophisticated viruses that change their code as they move from one machine to another.

(6) Stealth Virus: disguises an infected file so that it appears sound and fools the anti-virus into treating the infected file as clean. With the development of anti-virus software this type has become easy to detect.

Type

Page 9

Type : Virus

Category : Win32

Also known as: W32.HLLP.Sality (Symantec)

Characteristics

Page 10

Win32/Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components. Win32/Sality has been known to be downloaded by variants of the Win32/Bagle family.

Description

Page 11

When an infected file is executed the virus decrypts itself and drops a DLL file into the %System% directory. The DLL file is injected into other running processes. The virus then executes the host program code.

Many variants of Sality also attempt to infect executable files referenced by values in the following registry key, which causes the virus to run at each Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Method of Infection

Page 12

Via File Infection

Via Network Shares

Method of Distribution

Page 13

Steals System Information: some Sality variants collect information about the infected system and e-mail this information to the domain mail.ru.

The information sent includes, but is not limited to, the following: OS version, IP address, computer name, recently visited URLs, passwords, ISP dial-up connection details and password.

Payload

Page 14

Sality searches subdirectories on drives C:\ to Y:\ for files with the following extensions and deletes them:

.vdb .avc .exe

Deletes files

Page 15

Sality searches for and terminates any processes whose names match a list contained in its code; the following is an example of such a list:

When a process is terminated, Sality displays an error message to indicate a fake error condition.

Terminates Processes

Page 16

Some Sality trojan components modify the Windows Firewall settings to add themselves as authorized applications. This effectively allows these components to bypass the firewall.

Changes Firewall Settings

Page 17

Some Sality variants run an HTTP proxy on port 80 of the affected machine. The trojan contacts the domain shared-admin.com, and receives instructions to connect to the domain connect2me.org, which then returns an IP address. All requests sent to the proxy running on the affected machine are forwarded to the previously returned IP address.

HTTP Proxy

Page 18

- You must have a virus protection program on your computer.
- It must be updated periodically; merely having it installed brings no benefit.
- Do not open attachments in any e-mail from an unknown sender.
- Do not open attachments in e-mail from friends if they end with .exe or .bat, or any extension you do not recognize.
- Update your operating system.
- Enable a firewall.

How to protect your computer

Page 19

Software that attempts to identify and eliminate computer viruses and other malicious software (malware).

Sophisticated - But virus creators are always one step ahead.

Detection - This is the key to antivirus software.

Antivirus-Software

Page 20

Scanning

Integrity Checking

Interception/ Heuristic Detection

Scanning is the most commonly used technique in antivirus software.

Detection Techniques

Page 21

Also known as the Virus Dictionary Approach.

The scanner scans the hard disk, memory and boot sector for code snippets.

If a code snippet in a file matches any virus in the dictionary, appropriate action is taken.

Scanning
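As an added example (not code from the original slides), here is a minimal dictionary scanner in Python: a signature dictionary of byte patterns, an in-memory scan, and a chunked scan of a file-like object that overlaps chunks so a signature straddling a chunk boundary is still found. All signatures, the sample buffer and the function names are constructed for this example.

```python
import io
import re

# Constructed signature dictionary (not real virus signatures): name -> byte pattern.
# Patterns are regular expressions over bytes so a signature can carry wildcard bytes.
SIGNATURES = {
    "Demo.Appender.A": re.compile(rb"\x4d\x5a.{2}DEMO-APPENDER", re.DOTALL),
    "Demo.Dropper.B": re.compile(rb"DEMO-DROPPER-V[0-9]"),
}

def scan_bytes(data):
    """Return (signature name, offset) for every dictionary entry found in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda h: h[1])

def scan_stream(fileobj, chunk_size=4096, max_sig_len=64):
    """Scan a file too large to load at once.  Each chunk is scanned together with the
    tail of the previous one so a signature split across a chunk boundary is still
    found; hits seen twice because of the overlap are deduplicated by absolute offset."""
    hits, tail, base = set(), b"", 0          # base = absolute offset of the next chunk
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk                  # window starts at absolute offset base - len(tail)
        for name, off in scan_bytes(window):
            hits.add((name, base - len(tail) + off))
        tail = window[-(max_sig_len - 1):] if max_sig_len > 1 else b""
        base += len(chunk)
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: both signatures, the first one with "MZ" plus two wildcard bytes.
SAMPLE = b"A" * 10 + b"MZ\x90\x00DEMO-APPENDER" + b"B" * 10 + b"DEMO-DROPPER-V3" + b"C" * 5

def demo_stream():
    """Tiny chunks force both signatures to straddle chunk boundaries."""
    return scan_stream(io.BytesIO(SAMPLE), chunk_size=8, max_sig_len=32)
```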

Page 22

Keeps track of threats by monitoring changes to files.

Maintains information about important files on disk, usually by calculating checksums.

If a file changes due to virus activity, its checksum will change.

E.g. Norman Virus Control.

Integrity Checker
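As an added example (not code from the original slides), here is a small integrity checker in Python that records SHA-256 checksums of important files and later reports which ones changed; it also shows what a checksum mismatch can tell you when a clean copy is available, namely whether the original bytes are still intact with code glued before or after them, the attachment pattern described on page 6. The file contents, the appended block and the function names are constructed for this example.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the checksum of every important file while the system is known clean."""
    return {p: file_digest(p) for p in paths}

def check_integrity(baseline):
    """Re-hash each baselined file and report 'unchanged', 'modified' or 'missing'."""
    def status(path, expected):
        if not os.path.exists(path):
            return "missing"
        return "unchanged" if file_digest(path) == expected else "modified"
    return {p: status(p, d) for p, d in baseline.items()}

def classify_change(original, current):
    """Given a clean copy and the changed bytes, say how the content was altered.  A
    parasitic infector (page 6) leaves the original bytes intact and adds code around them."""
    if current == original:
        return "identical"
    idx = current.find(original)
    if not original or idx < 0:
        return "original content altered"
    before, after = idx, len(current) - idx - len(original)
    if before and after:
        return "code added before and after original"
    return "code prepended" if before else "code appended"

def demo():
    """Constructed scenario: baseline a file, then it grows a trailing block."""
    host = os.path.join(tempfile.mkdtemp(), "host.bin")
    clean = b"CONSTRUCTED-HOST-PROGRAM-BYTES"
    with open(host, "wb") as f:
        f.write(clean)
    baseline = build_baseline([host])
    with open(host, "ab") as f:   # constructed change: bytes added after the original content
        f.write(b"<constructed trailing block>")
    with open(host, "rb") as f:
        kind = classify_change(clean, f.read())
    return check_integrity(baseline)[host], kind
```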

Page 23

A generic mechanism for virus detection.

Rule based.

Rules differentiate a virus from a non-virus.

If a code snippet follows the defined rules, it is marked as a virus.

E.g. F-Secure antivirus software.

Heuristic Virus Checking
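As an added example (not code from the original slides), here is a toy rule-based checker in Python whose rules are drawn from behaviours this deck describes: a jump at the entry that hands control to code at the end of the file (page 6), the Run autostart key that Sality variants use (page 11), and firewall authorized-application changes (page 16). The rules, weights, threshold and samples are constructed; the `FirewallPolicy` and `AuthorizedApplications` names are an assumption about the Windows firewall registry branch and are not taken from the page.

```python
import struct

# The rules, weights and threshold are constructed for this example; a real engine
# carries far more rules and tunes the weights against real samples.

def entry_jumps_to_tail(data):
    """Page 6 pattern: the first instruction is a JMP rel32 (x86 opcode 0xE9) whose
    target lies in the last fifth of the file, i.e. control is handed to code glued
    onto the end before the original program gets to run."""
    if len(data) < 5 or data[0] != 0xE9:
        return False
    target = 5 + struct.unpack_from("<i", data, 1)[0]
    return 0.8 * len(data) <= target < len(data)

def references_run_key(data):
    """Page 11 pattern: the autostart key that Sality variants use appears as a string."""
    return b"Software\\Microsoft\\Windows\\CurrentVersion\\Run" in data

def touches_firewall_policy(data):
    """Page 16 pattern: names from the firewall policy registry branch (an assumption
    about where authorized applications are listed, not taken from the page)."""
    return b"FirewallPolicy" in data or b"AuthorizedApplications" in data

RULES = [(entry_jumps_to_tail, 3), (references_run_key, 2), (touches_firewall_policy, 2)]
THRESHOLD = 4   # one generic indicator alone (e.g. an installer naming the Run key) is not enough

def heuristic_verdict(data):
    """Score every rule that fires; at or above the threshold the sample is marked
    suspicious.  Returns (score, names of fired rules, verdict)."""
    fired = [(rule.__name__, weight) for rule, weight in RULES if rule(data)]
    score = sum(weight for _, weight in fired)
    return score, [name for name, _ in fired], "suspicious" if score >= THRESHOLD else "clean"

def build_suspect():
    """Constructed sample: jump over a body holding the Run key string to a trailing block."""
    body = b"\x90" * 95 + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    tail = b"<constructed trailing block>"
    return b"\xE9" + struct.pack("<i", len(body)) + body + tail   # jump target = 5 + len(body)

BENIGN = b"\x55\x89\xe5" + b"\x90" * 60 + b"hello"   # constructed: ordinary prologue, no indicators
```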
