WHAT IS A COMPUTER VIRUS?
A computer virus is a computer program written to do harm rather than to help you. A virus can replicate itself and spread from one computer to another. Some viruses act as soon as their code is executed; others stay dormant until a preconfigured condition is met (a date, a counter, a particular file being opened).
Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Computer viruses also spread through downloads from the Internet, hidden in pirated software or other files and programs you might download. The word "virus" is often used loosely for malware in general (backdoors, worms, Trojans, rootkits and so on); strictly these are separate categories, and the worm section below explains the difference.
What are the Characteristics of PC Viruses?
How do Computer Viruses Work?
Once a virus arrives on the system (by one of many possible routes), it replicates itself and attaches to .EXE files; the host file is typically chosen at random, so the name of an infected file tells you little. Each virus has its own characteristics and may behave differently in each variant.
How does a Virus Affect your Computer?
A virus cannot infect your computer until it has been allowed to execute its code in memory. To get that permission, the virus is typically bundled into a software wrapper program (more info about wrappers here) inside a "free" copy of a sought-after commercial program. In the infection phase the virus replicates itself and attaches to an .EXE file on the system; which file it picks can change every time the virus is executed or triggered.
As the figure below shows, on a clean computer (left) the .EXE's entry point starts the program itself, whereas on an infected system the entry point has been redirected so that the virus code runs first and only then passes control to the original program.
How does a Computer get Infected by Viruses?
How can you protect your Computer from Viruses?
Virus Analysis
Since viruses differ from one another and there are many virus types, I will only dive into a few of them and give you some information about each, so you can understand how they were designed and how they worked.
KLEZ
The Klez virus appeared in late 2001 and infected a victim's computer through an e-mail message. The virus replicated itself and mailed itself to all the contacts in the victim's address book.
It could disable virus-scanning software and could masquerade as a virus-removal tool. Later variants would take any address from the victim's contact list and place it in the "From" field. This technique is called spoofing.
With spoofing, the e-mail appears to come from one source when it is actually coming from somewhere else. This defeats the obvious defence of blocking mail from the apparent sender: the real sender is a different, infected machine, and the person named in "From" may not be infected at all.
Melissa
Melissa showed up in mid-1999 and was one of the first viruses to spread from computer to computer by mailing itself on, without the user having to forward anything.
The virus prompts the recipient to open a document; doing so activates the virus. The activated virus replicates itself and sends itself to 50 addresses taken from the recipient's e-mail address book.
MyDoom
MyDoom creates a backdoor in the operating system of the victim's computer. The MyDoom virus had two triggers. The first began a denial of service (DoS) attack on February 1, 2004. The second fired on February 12, 2004 and stopped the virus from distributing itself.
Later that year a second MyDoom outbreak occurred, this time targeting several search engine companies. The virus would send a search request to a search engine and use the e-mail addresses found in the search results as its next targets. This kind of attack slowed the search engine services down and caused some websites to crash.
W32/Virut
W32/Virut is a file infector: it writes its initial code into a gap at the end of the original file's code section (the alignment slack between the end of the real code and the end of the section) and redirects the entry point address to that malicious code, so the virus runs before the host program does.
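The entry-point redirection described for the infected program in the figure above and for W32/Virut can be checked for directly in the PE header. The following is an added example, not code from the original post or from any anti-virus product: it parses the MZ/PE headers with the standard library only, finds which section the AddressOfEntryPoint lands in, and flags an entry point that sits in the padding past the section's VirtualSize. The sample header it builds is constructed for the demonstration (one .text section, no real code) and the verdict names are my own; the PE field offsets are those of the published PE/COFF format.

```python
import struct

# PE/COFF layout used below: e_lfanew at 0x3C of the MZ header, the COFF file
# header right after the "PE\0\0" signature, AddressOfEntryPoint at offset 16
# of the optional header, and 40-byte section headers after the optional header.
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
    return entry_rva, sections


def check_entry_point(data):
    """Heuristic triage of where the entry point lands (verdict names are mine).

    'inside'    within the section's real code (below VirtualSize)
    'tail-gap'  past VirtualSize but still inside the section's raw data,
                i.e. in the alignment slack a file appender can hide code in
    'non-exec'  in a section that is not marked executable
    'outside'   not inside any section at all
    Returns (verdict, section name or None).
    """
    entry_rva, sections = parse_pe(data)
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= entry_rva < s["va"] + span:
            if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
                return "non-exec", s["name"]
            if entry_rva >= s["va"] + s["vsize"]:
                return "tail-gap", s["name"]
            return "inside", s["name"]
    return "outside", None


def build_sample_pe(entry_rva, text_vsize=0x100, text_rawsize=0x200):
    """Constructed minimal PE32 header with one .text section (not a real
    program; only the fields the checker reads are filled in)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    opt_size = 0xE0                                        # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x1000, text_rawsize,
                       0x400, 0, 0, 0, 0, 0x60000020)      # CODE|EXECUTE|READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for label, rva in (("clean", 0x1010), ("infected", 0x1180), ("bogus", 0x5000)):
        print(label, check_entry_point(build_sample_pe(rva)))
```

Treat the result as a triage signal, not a verdict: packed or protected executables routinely have their entry point in a section other than .text, so a "tail-gap" or "outside" hit is a reason to look at the bytes at the entry point, not proof of infection. On a real file the check should be run against the disk image, since the loader only maps what the section table describes.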
Types of Viruses
For more info about Virus types please visit my blog.
Virus Detection Methods:
1) Scanning: a scanning program looks for known virus signatures (byte patterns taken from known samples), compares what it finds against its signature database, and takes the configured action on a match. It can only find what is already in the database.
2) Integrity checking: reads the entire disk and records integrity data (a checksum or hash of every file and system sector) that acts as a fingerprint for those objects; a later run recomputes the data and reports any file or sector that has changed.
3) Interception: monitors operating system requests, such as writes to disk, and flags or blocks suspicious ones as they happen.
What is a Computer Worm ?
Computer worms are malicious programs that replicate, execute and spread across network connections on their own, without human interaction.
A worm is often described as a special type of computer virus: it replicates itself and consumes memory and bandwidth, but it does not attach itself to other programs, which is what distinguishes it from a file-infecting virus.
A worm spreads itself through the network automatically.
Conficker Worm
The Conficker worm is a computer worm that infects a computer and spreads itself to other computers across a network automatically, without human interaction.
What does the Conficker worm do?
It may spread through file sharing and via removable drives such as USB drives (also known as thumb drives). The worm adds an autorun.inf file to the removable drive so that when the drive is used, the AutoPlay dialog box shows one additional option; choosing that option runs the worm.
The Conficker worm can also disable important services on your computer.
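The extra AutoPlay option comes from an autorun.inf file on the drive, and that file is worth inspecting when triaging removable media. The following is an added example, not code from the original post or from Microsoft: a small parser that reads autorun.inf the way an INI reader would, then reports any directive that launches a program and notes when the entry is dressed up to look like a built-in AutoPlay choice. The three sample files are constructed for the demonstration; the third interleaves junk lines to show that the parser, like Windows' own, skips anything that is not a key=value line inside the [autorun] section.

```python
import re

# Constructed autorun.inf samples (not captured from a real drive).
CLEAN_AUTORUN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Company Tools\r\n"

SUSPECT_AUTORUN = (
    b"[autorun]\r\n"
    b"action=Open folder to view files\r\n"            # mimics the built-in entry
    b"icon=%systemroot%\\system32\\shell32.dll,4\r\n"   # borrows the folder icon
    b"shellexecute=RECYCLER\\helper.dll,run\r\n"        # hypothetical payload path
    b"useautoplay=1\r\n"
)

PADDED_AUTORUN = (
    b"\x8f\x00\x13zz\x01\r\n"                            # junk before the section
    b"[autorun]\r\n"
    b"\xfe\xfe junk \xa7\r\n"                            # junk the INI parser ignores
    b"action=Open folder to view files\r\n"
    b"\x00\x00\x00\r\n"
    b"open=RECYCLER\\helper.exe\r\n"                     # hypothetical payload path
    b"useautoplay=1\r\n"
)

LAUNCH_KEYS = ("open", "shellexecute")
KEY_RE = re.compile(r"[a-z0-9_\\]+")   # also admits shell\<verb>\command keys


def parse_autorun(raw):
    """Parse autorun.inf like an INI reader: keep key=value lines inside the
    [autorun] section; ignore blank lines, comments and anything unparseable."""
    keys = {}
    in_section = False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if KEY_RE.fullmatch(key):
            keys[key] = value.strip()
    return keys


def assess_autorun(raw):
    """Return (parsed keys, findings). A launch directive is the signal; the
    'action' label and 'useautoplay' flag are only reported alongside one."""
    keys = parse_autorun(raw)
    findings = []
    for key, value in keys.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append("%s launches: %s" % (key, value))
    if findings:
        if "action" in keys:
            findings.append("action text mimics a built-in AutoPlay entry: %r" % keys["action"])
        if keys.get("useautoplay") == "1":
            findings.append("useautoplay=1 is set")
    return keys, findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_AUTORUN), ("suspect", SUSPECT_AUTORUN),
                          ("padded", PADDED_AUTORUN)):
        print(label, assess_autorun(sample)[1])
```

A launch directive by itself is not malicious (vendors ship autorun.inf with open= for installers); what makes the second and third samples worth a closer look is the combination of a launch target in an unusual location with an action label copied from Windows' own "Open folder to view files" entry. Newer Windows versions no longer honor autorun.inf on USB drives, but the file remains a useful indicator that a drive has been touched by this kind of worm.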
Virus & Worm Countermeasures:
Online Malware Analysis Services:
Microsoft Malware Protection Center
The Microsoft Malware Protection Center (MMPC) provides world class antimalware research and response capabilities that support the Microsoft range of security products and services.
http://www.microsoft.com/security/portal/
Virus Total
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
https://www.virustotal.com/
Threat Expert
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
http://threatexpert.com/
More Computer Virus and Related Terminologies:
Anti-Virus Tools:
Windows Sysinternals Utilities : http://download.sysinternals.com/Files/SysinternalsSuite.zip
Microsoft Security Essentials : http://www.microsoft.com/en-au/security/pc-security/mse.aspx
How can I tell if my computer has a virus?
You should be suspicious of certain activities on your computer, such as
How do I remove a computer virus? (source Microsoft.com)
If you can reach a website using your web browser, run an online scan.
Go to the Microsoft Safety Scanner webpage to download the scanner.
Click Download Now, and then follow the instructions on the screen.
If you can't get to the Microsoft Safety Scanner online, try restarting your computer in safe mode with networking enabled.
Restart your computer.
When you see the computer manufacturer's logo, press and hold the F8 key.
On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
Log on to your computer with a user account that has administrator rights.
Follow the steps above to run the Microsoft Safety Scanner.
For more information about different startup modes, see Start your computer in safe mode.
If you still can't access the Internet after restarting in safe mode, the virus may have pointed your browser at a proxy server it controls; try resetting the Internet Explorer proxy settings. The following commands reset the proxy settings in the Windows registry so that you can access the Internet again.
In Windows 7, click the Start button . In the search box, type run, and then, in the list of results, click Run.
-or-
In Windows Vista, click the Start button , and then click Run.
In Windows XP, click Start, and then click Run.
Copy and paste or type the following text in the Open box in the Run dialog box:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
Click OK.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
Restart Internet Explorer and then follow the steps listed previously to run the scanner.
Source for the above section: Microsoft.com
Remove a virus manually
This might be challenging. Please follow my blog to read the article about how to remove a virus manually.
Sample Flowchart on how to fight with a Virus
Great post Erdal, awesome work as usual
Thank you for taking the time to post this.
Hello Sir. Extremely liked that. If you have a presentation copy of it, please do send it to me; I will present it on my campus. aryans14@yahoo.com
Great article, but it seems something is a bit off on these lines.
[...]
•If your Internet browser acts usual.
very well written and I think
supposed to be UNUSUAL ;)
Excellent post and more awesome your live presentation some days earlier! Keep the good work!!!
I am going to use this in my User Group
Thank you Erdal Ozkaya
Very good post. I've never seen a diagram such as this. Do you have that on your professionally written resume www.rightfitresumes.com?
The virus removal flowchart is way too complicated, removing a virus is very simple if you follow the following advice:
technet.microsoft.com/.../cc512587.aspx