computer virus and anti virus full report
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
computer science technology
Active In SP
**

Posts: 740
Joined: Jan 2010
#1
22-01-2010, 03:54 PM



.doc   virus & Anti viruses full report.doc (Size: 158.5 KB / Downloads: 1,093)

.doc   virus & Anti viruses slides.doc (Size: 100 KB / Downloads: 879)

.doc   virus.doc (Size: 147.5 KB / Downloads: 721)
ABSTRACT
Viruses: A virus is basically an executable file which is designed such
that first of all it should be able to infect documents, then it has to
have the ability to survive by replicating itself and then it should
also be able to avoid detection.
Computer viruses can be classified into several different types.
File or program viruses: They infect program files like files
with extensions like .EXE, .COM, .BIN, .DRV and .SYS. Some file viruses
just replicate while others destroy the program being used at that
time. Boot Sector Viruses (MBR or Master Boot Record): Boot sector
viruses can be created without much difficulty and infect either the
Master boot record of the hard disk or the floppy drive. Polymorphic
Viruses: They are the most difficult viruses to detect. They have the
ability to mutate this means that they change the viral code known as
the signature each time it spreads or infects etc.
Antiviruses: The ideal solution to the threat of viruses is
prevention. Do not allow a virus is get into the system in first place.
This goal is in general difficult to achieve, although prevention can
reduce the no: of successful viral attacks. The next best approach is
to be able to do the following.
¢ Detection, Identification, Removal.
Basic techniques are
Scanners: Scanners are programs that scan the executable objects (files
and boot sectors) for the presence of code sequences that are present
in the known viruses.
Monitors: The monitoring programs are memory resident programs, which
constantly monitor some functions of the operating system.
Integrity Checking: A program, which can detect that the other
executable objects have been modified, will be able to detect the
infection. Such programs are usually called integrity checkers.

1. INTRODUCTION
In the mid-eighties, so legend has it, the Amjad brothers of Pakistan
ran a computer store. Frustrated by computer piracy, they wrote the
first computer virus, a boot sector virus called Brain. From those
simple beginnings, an entire counter-culture industry of virus creation
and distribution emerged, leaving us today with several tens of
thousands of viruses. In just over a decade, most of us have been
familiar with the term computer virus.
A large portion of modern computing life is to secure the information
that we are creating and processing. There are many aspects of
information security, ranging from physical access to ensuring that the
information has not been changed in any way. One of the most high-
profile threats to information integrity is the computer virus.
Surprisingly, PC viruses have been around for two-thirds of the IBM
PCâ„¢s lifetime, appearing in 1986. With global computing on the rise,
computer viruses have had more visibility in the past two years.
Despite our awareness of computer viruses, how many of us can define
what one is, or how it infects computers? This seminar and presentation aims to
demystify the basics of computer viruses, summarizing what they are,
how they attack and what we can do to protect ourselves against them.

2. VIRUSES

2.1 THE BASICS OF COMPUTER VIRUSES
Computer viruses are not inherently destructive. The essential feature
of a computer program that causes it to be classified as a virus is not
its ability to destroy data, but its ability to gain control of the
computer and make a fully functional copy of itself. It can reproduce.
When it is executed, it makes one or more copies of itself. Those
copies may later be executed, to create still more copies, ad
infinitum. Not all computer programs that are destructive are
classified as viruses because they do not all reproduce, and not all
viruses are destructive because reproduction is not destructive.
However, all viruses do reproduce. The computer virus overcomes the
roadblock of operator control by hiding itself in other programs. Thus
it gains access to the CPU simply because people run programs that it
happens to have attached itself to without their knowledge. A computer
virus attaches itself to other programs earned it the name virus.
However that analogy is wrong since the programs it attaches to are not
in any sense alive.
Virus: What exactly is a Virus?
A virus is basically an executable file which is designed such that
first of all it should be able to infect documents, then it has to have
the ability to survive by replicating itself and then it should also be
able to avoid detection. Usually to avoid detection, a Virus disguises
itself as a legitimate program which the user would not normally
suspect to be a Virus. Viruses are designed to corrupt or delete data
on the hard disk i.e. on the FAT (File Allocation Table).
2.2 TYPES OF VIRUSES
Computer viruses can be classified into several different types.
1. File or program viruses:
Some programs are viruses in disguise, when executed they load the
virus in the memory along with the program and perform the predefined
steps and infect the system. They infect program files like files with
extensions like .EXE, .COM , .BIN , .DRV and .SYS. Some file viruses
just replicate while others destroy the program being used at that
time.
2. Boot Sector Viruses (MBR or Master Boot Record)
Boot sector viruses can be created without much difficulty and infect
either the Master boot record of the hard disk or the floppy drive.
3. Multipartite Viruses
Multipartite viruses are the hybrid variety; they can be best described
as a cross between both Boot Viruses and File viruses. They not only
infect files but also infect the boot sector.
4. Stealth Viruses
They viruses are stealth in nature and use various methods to hide
themselves and to avoid detection.
5. Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to
mutate this means that they change the viral code known as the
signature each time it spreads or infects.
6. Macro viruses
In essence, a macro is an executable program embedded in a word
processing document or other type of file. Typically users employ
macros to automate repetitive tasks and there by save key strokes

THE FUNCTIONAL ELEMENTS OF A VIRUS
Every viable computer virus must have at least two basic parts, or
subroutines, if it is even to be called a virus. Firstly, it must
contain a search routine, which locates new files or new areas on disk
which are worthwhile targets for infection. This routine will determine
how well the virus reproduces, e.g., whether it does so quickly or
slowly, whether it can infect multiple disks or a single disk, and
whether it can infect every portion of a disk or just certain specific
areas. As with all programs, there is a size versus functionality
tradeoff here. The more sophisticated the search routine is, the more
space it will take up .So although an efficient search routine may help
a virus to spread faster, it will make the virus bigger, and that is
not always so good.
Secondly, every computer virus must contain a routine to copy itself
into the area which the search routine locates. The copy routine will
only be sophisticated enough to do its job without getting caught. The
smaller it is, the better. How small it can be will depend on how
complex a virus it must copy. For example, a virus which infects only
COM files can get by with a much smaller copy routine than a virus
which infects EXE files. This is because the EXE file structure is much
more complex, so the virus simply needs to do more to attach itself to
an EXE file.
While the virus only needs to be able to locate suitable hosts and
attach itself to them, it is usually helpful to incorporate some
additional features into the virus to avoid detection, either by the
computer user, or by commercial virus detection software. Anti-
detection routines can either be a part of the search or copy routines,
or functionally separate from them. For example, the search routine may
be severely limited in scope to avoid detection. A routine which
checked every file on every disk drive, without limit, would take a
long time and cause enough unusual disk activity that an alert user
might become suspicious. Alternatively, an Anti-detection routine might
cause the virus to activate under certain special conditions. For
example, it might activate only after a certain date has passed (so the
virus could lie dormant for a time).

Figure 1. Functional diagram of a virus.
Alternatively, it might activate only if a key has not been pressed for
five minutes (suggesting that the user was not there watching his
computer). Search, copy, and anti-detection routines are the only
necessary components of a computer virus, and they are the components
which we will concentrate on in this volume. Of course, many computer
viruses have other routines added in on top of the basic three to stop
normal computer operation, to cause destruction, or to play practical
jokes. Such routines may give the virus character, but they are not
essential to its existence. In fact, such routines are usually very
detrimental to the virusâ„¢ goal of survival and self-reproduction,
because they make the fact of the virusâ„¢ existence known to everybody.
If there is just a little more disk activity than expected, no one will
probably notice, and the virus will go on its merry way. On the other
hand, if the screen to oneâ„¢s favorite program comes up saying Ha!
Gotcha! and then the whole
Computer locks up, with everything on it ruined, most anyone can figure
out that theyâ„¢ve been the victim of a destructive program. And if
theyâ„¢re smart, theyâ„¢ll get expert help to eradicate it right away. The
result is that the viruses on that particular system are killed off,
either by themselves or by the clean up crew.
2.4 TOOLS NEEDED FOR WRITING VIRUSES
Viruses are written in assembly language. High level languages like
Basic, C, and Pascal have been designed to generate stand-alone
programs, but the assumptions made by these languages render them
almost useless when writing viruses. They are simply incapable of
performing the acrobatics required for a virus to jump from one host
program to another. That is not to say that one could not design a high
level language that would do the job, but no one has done so yet. Thus,
to create viruses, we must use assembly language. It is just the only
way we can get exacting control over all the computer systemâ„¢s
resources and use them the way we want to, rather than the way somebody
else thinks we should.

3. VIRUSES IN DETAIL
3.1 FILE OR PROGRAM VIRUSES
Some programs are viruses in disguise, when executed they load the
virus in the memory along with the program and perform the predefined
steps and infect the system. They infect program files like files with
extensions like .EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just
replicate while others destroy the program being used at that time.
Such viruses start replicated as soon as they are loaded into the
memory. As the file viruses also destroy the program currently being
used, after removing the virus or disinfecting the system, the program
that got corrupted due to the file virus, too, has to be repaired or
reinstalled.
3.1.1 A Simple COM File Infector
Some DOS Basics
EXE and COM files are directly executable by the Central Processing
Unit. To execute a COM file, DOS must do some preparatory work before
giving that program control. Most importantly, DOS controls and
allocates memory usage in the computer. So first it checks to see if
there is enough room in memory to load the program. If it can, DOS then
allocates the memory required for the program. DOS simply records how
much space it is making available for such and such a program, so it
wonâ„¢t try to load another program on top of it later.
Next, DOS builds a block of memory 256 bytes long known as the Program
Segment Prefix, or PSP.
Once the PSP is built, DOS takes the COM file stored on disk and loads
it into memory just above the PSP, starting at offset 100H. Once this
is done, DOS is almost ready to pass control to the program. Before it
does, though, it must set up the registers in the CPU to certain
predetermined values. First, the segment registers must be set
properly, or a COM program cannot run.
COM files are designed to operate with a very simple, but limited
segment structure. Namely they have one segment, cs=ds=es=ss. All data
is stored in the same segment as the program code itself, and the stack
shares this segment.

Figure 2. Memory map just before executing a COM file.
An Outline for a Virus
In order for a virus to reside in a COM file, it must get control
passed to its code at some point during the execution of the program.
The easiest point to take control is right at the very beginning, when
DOS jumps to the start of the program.
At this time, the virus is completely free to use any space above the
image of the COM file which was loaded into memory by DOS. Since the
program itself has not yet executed, it cannot have set up data
anywhere in memory, or moved the stack, so this is a very safe time for
the virus to operate. To gain control at startup time, a virus
infecting a COM file must replace the first few bytes in the COM file
with a jump to the virus code, which can be appended at the end of the
COM file.
Then, when the COM file is executed, it jumps to the virus, which goes
about looking for more files to infect, and infecting them. When the
virus is ready, it can return control to the host program. The problem
in doing this is that the virus already replaced the first few bytes of
the host program with its own code. Thus it must restore those bytes,
and then jump back to offset 100 Hex, where the original program
begins.
Step by step, it might work like this:
1. An infected COM file is loaded into memory and executed. The
viral code gets control first.
2. The virus in memory searches the disk to find a suitable COM
file to infect.
3. If a suitable file is found, the virus appends its own code to
the end of the file.
4. Next, it reads the first few bytes of the file into memory, and
writes them back out to the file in a special data area within the
virusâ„¢ code. The new virus will need these bytes when it executes.
5. Next the virus in memory writes a jump instruction to the
beginning of the file it is infecting, which will pass control to the
new virus when its host program is executed.
6. Then the virus in memory takes the bytes which were originally
the first bytes in its host, and puts them back (at offset 100H).
7. Finally, the viral code jumps to offset 100 Hex and allows its
host program to execute. Ok. So letâ„¢s develop a real virus with these
specifications. We will need both a search mechanism and a copy
mechanism.
Figure 3. Replacing the first bytes in a COM file.
3.1.2 AN EXECUTABLE VIRUS
The simple COM file infector which we just developed it only attacks
COM files in the current directory, it will have a hard time
proliferating. In this chapter, we will develop a more sophisticated
virus that will overcome these limitations. . . . a virus that can
infect EXE files and jump directory to directory and drive to drive.
Such improvements make the virus much more complex, and also much more
dangerous.

The structure of an exe file
The EXE file is designed to allow DOS to execute programs that require
more than 64 kilobytes of code, data and stack. All of this information
is stored in the EXE file itself, in the EXE Header at the beginning of
the file. This header has two parts to it, a fixed-length portion, and
a variable length table of pointers to segment references in the Load
Module, called the Relocation Pointer Table. Since any virus which
attacks EXE files must be able to manipulate the data in the EXE
Header.

Figure 4. The layout of an EXE file.
Infecting an EXE File
A virus that is going to infect an EXE file will have to modify the EXE
Header and the Relocation Pointer Table, as well as adding its own code
to the Load Module. The EXE file virus will attach itself to the end of
an EXE program and gain control when the program first starts. This
will require a routine similar to that in COM File, which copies
program code from memory to a file on disk, and then adjusts the file.
To set up segments for the virus, new initial segment values for cs and
ss must be placed in the EXE file header. All the initial segment
values must be calculated from the size of the load module which is
being infected. Also, the old initial segments must be stored
somewhere in the virus, so it can pass control back to the host program
when it is finished executing. We will have to put two pointers to
these segment references in the relocation pointer table, since they
are relocatable references inside the virus code segment.
A Persistent File Search Mechanism
As in the TIMID virus, the search mechanism and determine whether it
can be infected and make sure it has not already been infected. The
only two criteria for determining whether an EXE file can be infected
are whether the Overlay Number is zero, and whether it has enough room
in its relocation pointer table for two more pointers. To determine
whether the virus has already infected a file, we put an ID word with a
pre-assigned value in the code segment at a fixed offset (say 0).
The procedure in COM file virus could only search for files in the
current directory to attack. a good virus should be able to leap from
directory to directory, and even from drive to drive. To search more
than one directory, we need a tree search routine. For each
subdirectory found, search routine will recursively call itself using
the new subdirectory as the directory to perform a search on.

Passing Control to the Host
The final step the virus must take is to pass control to the host
program. To do that, all the registers should be set up the same as
they would be if the host program were being executed without the
virus. Except for these, only the ax register is set to a specific
value by DOS, to indicate the validity of the drive ID in the FCBâ„¢s in
the PSP. The DTA must also be moved when the virus is first fired up,
and then restored when control is passed to the host.
3.2 A BOOT SECTOR VIRUS
The boot sector virus can be the simplest or the most sophisticated of
all computer viruses. Since the boot sector is the first code to gain
control after the ROM startup code, it is very difficult to stop before
it loads. If one writes a boot sector virus with sufficiently
sophisticated anti-detection routines, it can also be very difficult to
detect after it loads, making the virus nearly invincible.
Specifically, letâ„¢s look at a virus which will carefully hide itself on
both floppy disks and hard disks, and will infect new disks very
efficiently, rather than just at boot time. Such a virus will require
more than one sector of code, so we will be faced with hiding multiple
sectors on disk and loading them at boot time.
Additionally, if the virus is to infect other disks after boot-up, it
must leave at least a portion of itself memory-resident. The mechanism
for making the virus memory resident cannot take advantage of the DOS
Keep function (Function 31H) like typical TSR programs.

Basic Structure of the Virus
Our new boot sector virus, named STEALTH, will have three parts. First,
there is a new boot sector, called the viral boot sector. This is the
sector of code that will replace the original boot sector at Track 0,
Head 0, Sector 1. Secondly, there is the main body of the virus, which
consists of several sectors of code that will be hidden on the disk.
Thirdly, there is the old boot sector, which will be incorporated into
the virus.
When the viral boot sector is loaded and executed at startup, it will
go out to disk and load the main body of the virus and the old boot
sector. The main body of the virus will execute, possibly infecting the
hard disk, and installing itself in memory (as we will discuss in a
moment) so it can infect other disks later. Then it will copy the
original boot sector over the viral boot sector at 0000:7C00H, and
execute it. The last step allows the disk to boot up in a normal
fashion without having to bother writing code for startup.
It simply gobbles up the code thatâ„¢s already there and turns it to its
own purposes. This strategy provides the added benefit that the boot
sector virus will be completely operating system independent.
The Copy Mechanism
The biggest part of designing the copy mechanism is deciding how to
hide the virus on disk. One tricky way of making the virus code totally
invisible to the user is to store the data on disk in an area that is
completely outside of anything that DOS (or other operating systems)
can understand. In the case of floppies, an alternative is to tell DOS
to reserve a certain area of the disk and stay away from it. Then the
virus can put itself in that area and be sure that DOS will not see it
or overwrite it. This can be accomplished by manipulating the File
Attribute Table. Letâ„¢s examine the 3 1/2" 720 kilobyte diskette format
in detail to see how STEALTH approaches hiding itself. This kind of
diskette has 80 tracks, two sides, and nine sectors per track. The
virus will hide the body of its code in Track 79, Side 1 and Sectors 4
through 9. Those are the last six sectors on the disk, and
consequently, the sectors least likely to contain data. STEALTH puts
the main body of its code in sectors 4 through 8, and hides the
original boot sector in sector 9. However, since DOS normally uses
those sectors, the virus will be overwritten unless it has a way of
telling DOS to stay out. Fortunately, that can be done by modifying the
FAT table to tell DOS that those sectors on the disk are bad.
If a cluster is empty, the corresponding FAT entry is 0. If it
is in the middle of a file, the FAT entry is a pointer to the next
cluster in the file; if it is at the end of a file, the FAT entry is
FF8 through FFF. A cluster may be marked as bad by placing an FF7 Hex
in its FAT entry. In the event that the diskette is full of data, the
virus should ideally be polite, and avoid overwriting anything stored
in the last clusters. This is easily accomplished by checking the FAT
first, to see if anything is there before infecting the disk.
There are non-DOS areas on every disk. In particular, the first
boot sector, which contains the partition table, is not a part of DOS.
Hence finding a single area on any hard disk that does not belong to
DOS is not too difficult. Although the first boot sector is located at
Track 0, Head 0, Sector 1, FDISK (for all the versions Iâ„¢ve tested)
does not place the start of the first partition at Track 0, Head 0 and
Sector 2. Instead, it always starts at Track 0, Head 1, and Sector 1.
That means that all of Track 0, Head 0 (except the first sector) is
free space.
Once a strategy for hiding the virus has been developed, the copy
mechanism follows quite naturally. To infect a disk, the virus must:
1) Determine which type of disk it is going to infect, a hard disk or
one of the four floppy disk types.
2) Determine whether that disk is already infected, or if there is no
room for the virus. If so, the copy mechanism should not attempt to
infect the disk.
3) Update the FAT tables (for floppies) to indicate that the sectors
where the virus is hidden are bad sectors.
4) Move all the virus code to the hidden area on disk.
5) Read the original boot sector from the disk and write it back out to
the hidden area in the sector just after the virus code.
6) Take the disk parameter data from the original boot sector (and the
partition information for hard disks) and copy it into the viral boot
sector. Write this new boot sector to disk as the boot sector at Track
0, Head 0 and Sector 1.
The Search Mechanism
Searching for uninfected disks is not very difficult. We could put an
ID byte in the viral boot sector so when the virus reads the boot
sector on a disk and finds the ID; it knows the disk is infected.
Otherwise it can infect the disk. Infecting floppy disks and hard disks
are entirely different matters. Then if a user leaves an infected
diskette in drive A and turns on his machine, his hard drive is
infected immediately.
On the other hand, once a hard disk has the virus on it, In
order to infect the floppy disk the virus must be present in memory
when the diskettes are in the floppy drive. That means when the virus
is loaded from a hard drive, it must become memory-resident and stay
there. If the virus were to trigger when the boot sector itself is
read, the disk would be infected immediately, since the boot sector on
a newly inserted floppy drive is read before anything else is done. It
will go into the infection sequence any time that the boot sector is
read. That means that when the virus is active, any time you so much as
insert a floppy disk into the drive, and do a directory listing (or any
other operation that reads the disk), it will immediately become
infected. To implement this search mechanism, the STEALTH virus must
intercept Interrupt 13H, the BIOS disk service, at boot time,
Installing the Virus in Memory
Before the virus passes control to the original boot sector, which will
load DOS, it must set itself up in memory somewhere where it wonâ„¢t get
touched. The basic idea involved here is that DOS uses a number stored
at 0040:0013 Hex, which contains the size of available memory in
kilobytes. This number is set up by the BIOS before it reads the boot
sector. It may have a value ranging up to 640 = 280H. When the BIOS set
this parameter up, it looks to see how much memory is actually
installed in the computer, and reports it here. However, something
could come along before DOS loads and change this number to a smaller
value. In such a situation, DOS will not use all the memory that is
available in the system, but only what itâ„¢s told to use by this memory
size variable. Memory above that point will be reserved, and DOS wonâ„¢t
touch it.
The two responsibilities of the viral boot sector are to load the main
body of the virus into memory, and then to load and execute the
original boot sector. When the BIOS loads the viral boot sector (and it
loads whatever is placed at Track 0, Head 0, Sector 1), that sector
first moves itself into the highest 512 bytes of memory (within the 640
kilobyte limit). In a machine with 640K of memory, the first unoccupied
byte of memory is at A000:0000. The boot sector will move itself to the
first 512 bytes just below this. Since that sector was compiled with an
offset of 7C00 Hex, it must relocate to 9820:7C00 Hex (which is right
below A000:0000), as desired. Next, the viral boot sector will read the
6 sector long main body of the virus into memory just below this, from
9820:7000 to 9820:7BFF. The original boot sector occupies 9820:7A00 to
9820:7BFF (since it is the sixth of six sectors loaded).
The viral boot sector then subtracts 4 from the byte at
0040:0013H to reserve 4 kilobytes of memory for the virus. Next, the
viral boot sector reroutes Interrupt 13H to the virus. Finally, it
moves the original boot sector from 9820:7A00 to 0000:7C00 and executes
it. The original boot sector proceeds to load DOS and get the computer
up and running, oblivious to the fact that the system is infected.
3.3 MULTIPARTITE VIRUSES
Multipartite viruses are the hybrid variety; they can be best
described as a cross between both Boot Viruses and File viruses. They
not only infect files but also infect the boot sector. They are more
destructive and more difficult to remove. First of all, they infect
program files and when the infected program is launched or run, the
multipartite viruses start infecting the boot sector too. Now the
interesting thing about these viruses is the fact that they do not
stop, once the boot sector is infected. Now after the boot sector is
infected, when the system is booted, they load into the memory and
start infecting other program files. Some popular examples would be
Invader and Flip etc.
3.4 STEALTH VIRUSES
They viruses are stealth in nature and use various methods to hide
themselves and to avoid detection. They sometimes remove themselves
from the memory temporarily to avoid detection and hiding from virus
scanners. Some can also redirect the disk head to read another sector
instead of the sector in which they reside. Some stealth viruses like
the Whale conceal the increase in the length of the infected file and
display the original length by reducing the size by the same amount as
that of the increase, so as to avoid detection from scanners. For
example, the whale virus adds 9216 bytes to an infected file and then
the virus subtracts the same number of bytes i.e. 9216 from the size
given in the directory. They are somewhat difficult to detect.
3.5 POLYMORPHIC VIRUSES
They are the most difficult viruses to detect. They have the ability to
mutate this means that they change the viral code known as the
signature each time it spreads or infects. Thus Antiviruses which look
for specific virus codes are not able to detect such viruses. Now what
exactly is a Viral Signature? Basically the Signature can be defined as
the specific fingerprint of a particular virus which is a string of
bytes taken from the code of the virus. Antiviral softwares maintain a
database of known virus signatures and look for a match each time they
scan for viruses. As we see a new virus almost everyday, this database
of Virus Signatures has to be kept updated. This is the reason why the
Antivirus vendors provide updates.
How does a Polymorphic Virus Strike?
1. The User copies an infected file to the disk.
2. When the infected file is run, it loads the Virus into the memory or
the RAM.
3. The new virus looks for a host and starts infecting other files on
the disk.
4. The virus makes copies of itself on the disk.
5. The mutation engines on the new viruses generate a new unique
encryptic code which is developed due to a new unique algorithm.
Thus it avoids detecting from Check summers.
3.6 MACRO VIRUSES
In essence, a macro is an executable program embedded in a word
processing document or other type of file. Typically users employ
macros to automate repetitive tasks and there by save key strokes. The
macro language is some type of basic programming language. A user might
define a sequence of key strokes in a macro and set it up so that a
macro is invoked when a function key is invoked. Common auto executing
events are opening a file, closing file etc. Once a macro is running
it can copy itself to other documents, deleting files etc.
How does a Macro Virus strike?
1. The user gets an infected Office Document by email or by any other
medium.
2. The infected document is opened by the user.
3. The evil Macro code looks for the event to occur which is set as the
event handler at which the Virus is set off or starts infecting other
files.
Macro viruses include Concept, Melissa, and Have a Nice Day.

4. ANTIVIRUS APPROACHES
The ideal solution to the threat of viruses is prevention. Do
not allow a virus is get into the system in first place. This goal is
in general difficult to achieve, although prevention can reduce the no:
of successful viral attacks. The next best approach is to be able to do
the following.
¢ Detection: Once the infection has occurred, determine that it
has occurred and locate the virus.
¢ Identification: Once detection has been achieved, identify the
specific virus has infected a program.
¢ Removal: Once the specific virus has been identified, remove
all traces of the virus from the infected program and restore it to its
original state.
Advances in viruses and antivirus technology go hand in hand.
As the virus arms race has evolved, both viruses and antivirus software
have grown more complex and sophisticated. There are three main kinds
of anti-virus programs [McAfee]. Essentially these are scanners,
monitors and integrity checkers.
4.1. SCANNERS

Scanners are programs that scan the executable objects (files and boot
sectors) for the presence of code sequences that are present in the
known viruses. Currently, these are the most popular and the most
widely used kind of anti-virus programs. There are some variations of
the scanning technique, like virus removal programs (programs that can
"repair" the infected objects by removing the virus from them),
resident scanners (programs that are constantly active in memory and
scan every file before it is executed), virus identifiers (programs
that can recognize the particular virus variant exactly by keeping some
kind of map of the non-modifiable parts of the virus body and their
checksums), heuristic analyzers (programs that scan for particular
sequences of instructions that perform some virus-like functions), and
so on.
The reason that this kind of anti-virus program is so widely used
nowadays is that they are relatively easy to maintain. This is
especially true for the programs which just report the infection by a
known virus variant, without attempting exact identification or
removal. They consist mainly of a searching engine and a database of
code sequences (often called virus signatures or scan strings) that are
present in the known viruses. When a new virus appears, the author of
the scanner needs just to pick a good signature (which is present in
each copy of the virus and in the same time is unlikely to be found in
any legitimate program) and to add it to the scanner's database. Often
this can be done very quickly and without a detailed disassembly and
understanding of the particular virus.
Furthermore, scanning of any new software is the only way to detect
viruses before they have the chance to get executed. Having in mind
that in most operating systems for personal computers the program being
executed has the full rights to access and/or modify any memory
location (including the operating system itself), it is preferable that
the infected programs do not get any chance to be executed.
At last, even if the computer is protected by another (not virus-
specific) defense, a scanner will still be needed. The reason is that
when the non virus-specific defense detects a virus-like behavior, the
user usually wants to identify the particular virus, which is attacking
the system - for instance, to figure out the possible side-effects or
intentional damage, or at least to identify all infected objects.
Unfortunately, the scanners have several very serious drawbacks. The
main one is that they must be constantly kept up-to-date. Since they
can detect only the known viruses, any new virus presents a danger,
because it can bypass a scanner-only based protection. In fact, an old
scanner is worse than no protection at all - since it provides a false
sense of security.
Simultaneously, it is very difficult to keep a scanner up-to-date. In
order to produce an update, which can detect a particular new virus,
the author of the scanner must obtain a sample of the virus,
disassemble it, understand it, pick a good scan string that is
characteristic for this virus and is unlikely to cause a false positive
alert, incorporate this string in the scanner, and ship the update to
the users. This can take quite a lot of time. And new viruses are
created every day - with a current rate of up to 100 per month. Very
few anti-virus producers are able to keep up-to-date with such a
production rate. One can even argue that the scanners are somehow
responsible for the existence of so many virus variants. Indeed, since
it is so easy to modify a virus in order to avoid a particular scanner,
lots of "wannabe" virus writers are doing it.
However, the fact that the scanners are obsolete as a single line of
defense against the computer viruses became obvious only with the
appearance of the polymorphic viruses. These are viruses, which use a
variable encryption scheme to encode their body and which even modify
the small decryption routine, so that the virus looks differently in
each infected file. It is impossible to pick a simple sequence of bytes
that will be present in all infected files and use it as a scan string.
Such sequence simply does not exist. Some polymorphic viruses can be
detected using a wildcard scan string, but more and more viruses appear
today, which cannot be detected even if the scan string is allowed to
contain wildcard bytes.
The only possible way to detect such viruses is to understand their
mutation engine in detail. Then one has to construct an algorithmic
"scanning engine" specific to the particular virus. However, this is a
very time-consuming and effort-expensive task, so many of the existing
scanners have problems with the polymorphic viruses. And we are going
to see more such viruses in the future. The Bulgarian virus writer
known under the handle Dark Avenger has even released a "mutating
engine" - a tool for building extremely polymorphic viruses... Very few
scanners are able to detect the viruses, which are using it, with 100
reliability.
One last drawback of the scanners is that scanning for lots of viruses
can be very time-consuming. The number of currently existing viruses is
about 1,600 and is expected to reach 3,000 at the end of 1992. Indeed,
some scanners use clever scanning methods like fixed-point scanning,
top-and-tail scanning, hashing and so on. The detailed description of
these methods is outside the scope of this paper, but as has been
proved in [Cohen90], scanning is not cost-effective in the long run,
despite the scanning method used.
4.2 MONITORS
The monitoring programs are memory resident programs, which constantly
monitor some functions of the operating system. Those are the functions
that are considered to be dangerous and indicative for virus-like
behavior. Such functions include modifying an executable file, direct
access of the disk bypassing the operating system, and so on. When a
program tries to use such a function, the monitoring program intercepts
it and either denies it completely or asks the user for confirmation.
Unlike the scanners, the monitors are not virus-specific and therefore
need not to be constantly updated. Unfortunately, they have other very
serious drawbacks - drawbacks that make them even weaker than the
scanners as an anti-virus defense and almost unusable today.
The most serious drawback of the monitors is that they can be easily
bypassed by the so-called tunneling viruses. The reason for this is the
total lack of memory protection in most operating systems for personal
computers. Any program that is being executed (including the virus) has
full access to read and/or modify any area of the computer's memory -
including the parts of the operating system. Therefore, any monitoring
program can be disabled because the virus could simply patch it in the
memory. There are other clever techniques as interrupt tracing, DOS
scanning, and so on, which allow the viruses to find the original
handlers of any operating system function. Afterwards, this function
can be called directly, thus bypassing any monitoring programs, which
watch for it.
Another drawback of the monitoring programs is that they try to detect
a virus by its behavior. This is essentially impossible in the general
case, as proven in [Cohen84]. Therefore, they cause many false alarms -
since the functions that are expected to be used by the computer
viruses usually have pretty legitimate use by the normal programs. And
if the user gets used to the false alerts, s/he will be likely to
oversee a real one.
The monitoring programs are also completely useless against the slow
viruses, described later in this paper.
4.3 INTEGRITY CHECKING PROGRAMS.
Therefore, in order to be a virus, a program must be able to infect.
And, in order to infect, the program must cause modifications to the
programs that are infected. Therefore, a program, which can detect that
the other executable objects have been modified, will be able to detect
the infection. Such programs are usually called integrity checkers.
The integrity checkers compute some kind of checksum of the executable
code in a computer system and store it in a database. The checksums are
re-computed periodically and compared with the stored originals.
Several authors point out that in order to avoid forging attempts from
the part of the virus, the checksums must be cryptographically strong.
This can be achieved by using some kind of trap-door one-way function,
which is algorithmically difficult to be inverted. Such functions
include DES, MD4, MD5, and so on. But, as has been shown by [Radai],
this is not mandatory. A simple CRC is sufficient, if implemented
correctly.
There are several kinds of integrity checkers. The most widely used
ones are the off-line integrity checkers, which are run to check the
integrity of all the executable code on a computer system. Another kind
is the integrity modules, which can be attached (with the help of a
special program) to the executable files, so that when the latter
started will check their own integrity. Unfortunately, this is not a
good idea, since not all executable objects can be "immunized" this
way. Additionally, the "immunization" itself can be easily bypassed by
stealth viruses, as described later in this paper. The third kind of
integrity software is the integrity shells. They are resident programs,
similar to the resident scanners, which check the integrity of an
object only at the moment when this object is about to be executed.
These are the least widespread anti-virus programs today, but the
specialists predict them a bright future [Cohen90].
The integrity checking programs are not virus-specific and therefore do
not need constant updating like the scanners. They do not try to block
virus replication attempts like the monitoring programs and therefore
cannot be bypassed by the tunneling viruses. In fact, as demonstrated
by [Cohen90], they are currently the most cost-effective and sound line
of defense against the computer viruses.
They also have some drawbacks. For instance, they cannot prevent an
infection - they are able only to detect and report it after the fact.
Second, they must be installed on a virus-free system; otherwise they
will compute and store the checksums of already infected objects.
Therefore, they must be used in a combination with a scanner at least
before installation. This is needed, in order to ensure that the system
they are being installed on is virus-free. Third, they are prone to
false positive alerts. Since they detect changes, not viruses, any
change in the programs (like updating the software with a new version),
is likely to trigger the alert. Sometimes this can be avoided or at
least reduced by using some intelligent heuristics and educating the
users. Fourth, while the integrity checkers are able to detect the
virus spread and identify the newly infected objects, they usually
cannot determine the initially infected object, i.e., the source of the
infection.
Despite the drawbacks mentioned, the integrity checking programs are
the currently most powerful line of defense against computer viruses
and are likely to be used more widely in the future. Therefore, we
should expect that new viruses will appear which will target the
integrity programs in the same way as the polymorphic viruses are
targeting the scanners and the tunneling viruses are targeting the
monitors. Let's see what kinds of attacks are possible against the
integrity checking programs and how these programs can be improved to
avoid them.

5. CONCLUSION
Computer viruses are not evil and that programmers have a right to
create them, posses them and experiment with them. But we should never
support those people who writing viruses with destructive nature. If
you do create a virus, though, be careful with it. Make sure you know
it is working properly or you may wipe out your own system by accident.
And make sure you donâ„¢t inadvertently release it into the world.
In order to deal with the viruses it is necessary to have a deep
knowledge of the way in which different viruses exploits our systemâ„¢s
weakness, there by causing destruction of data or hampering of
security. Furthermore, it is also impossible to create antivirus
against a particular virus with out knowing the way it affects our
system.

7. REFERENCES
1. The Little Black book of Computer Viruses (electronic edition)
By Mark A. Ludwig
2. An Undetectable Computer Virus by David Chess and Steve White,
presented at the Virus Bulletin Conference, September 2000 [PDF
version]
3. Fred Cohen, Computer Viruses - Theory and Experiments, Computer
Security: A Global Challenge, Elsevier Science Publishers B. V. (North
-Holland), 1984, pp. 143-158.
4. Fred Cohen, Models of Practical Defenses against Computer
Viruses, Computers Security, 8 (1989), 2, pp. 149-160.
5. Nachenberg, C. Computer Virus-Antivirus Coevolution.
Communications of the ACM.


CONTENTS
1. INTRODUCTION
2. VIRUSES
BASICS OF COMPUTER VIRUSES
TYPES OF VIRUSES
FUNCTIONAL ELEMENTS OF A VIRUS
TOOLS NEEDED FOR WRITING VIRUSES
3. VIRUSES IN DETAIL
FILE OR PROGRAM VIRUSES
A Simple Com Infector
An Executable Virus
A BOOT SECTOR VIRUS
MULTIPARTITE VIRUSES
STEALTH VIRUSES
POLYMORHIC VIRUSES
MACRO VIRUSES
4. ANTIVIRUS APPROACHES
SCANNERS
MONITORS
INTEGRITY CHECKING PROGRAMS
5. CONCLUSION
6. REFERENCES

ACKNOWLEDGEMENTS

I express my sincere thanks to Prof. M.N Agnisarman Namboothiri
(Head of the Department, Computer Science and Engineering, MESCE),
Mr. Zainul Abid (Staff incharge) for their kind co-operation for
presenting the seminar and presentation.
I also extend my sincere thanks to all other members of the faculty of
Computer Science and Engineering Department and my friends for their
co-operation and encouragement.

Sajeesh. K.S.
Use Search at http://topicideas.net/search.php wisely To Get Information About Project Topic and Seminar ideas with report/source code along pdf and ppt presenaion
Reply
project report helper
Active In SP
**

Posts: 2,270
Joined: Sep 2010
#2
13-10-2010, 10:28 AM


.pptx   -+apun ka virus.pptx (Size: 1.19 MB / Downloads: 239)

COMPUTER VIRUS

Detected by,
M.Nitin kumar (0701204138)
Sagar kumar sahu (0701204150

Why are they called so?

A biological virus is not living.
It’s a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way to do anything or to reproduce by itself -- it is not alive.
Computer viruses also can not reproduce by themselves
Virus : A true virus is capable of self replication on a machine. It may spread between files or disks, but the defining character is that it can recreate itself on it’s own with out traveling to a new host.
Reply
projectsofme
Active In SP
**

Posts: 1,124
Joined: Jun 2010
#3
14-10-2010, 01:55 PM

PC Viruses
.


How they got the name
What they are
How they spread
How to prevent them

How they got that name


Computer viruses are called viruses because they share some of the traits of biological viruses.
A computer virus passes from computer to computer like a biological virus passes from person to person.

A computer virus “piggybacks” on top of a program or document
And “reproduces (gets executed)
Once running, it’s able to infect other programs or documents
PC Viruses What they are

A virus is a small piece of software (code) that piggybacks on real programs, like Excel, that have “embedded executable languages”
Macro languages -- Visual Basic, etc.
Each time the program runs the virus runs, too
and it has the chance to reproduce (by attaching to other programs) or wreak havoc.


PC Viruses What they are
E-mail viruses
An e-mail virus moves around in attachments to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.


PC Viruses What they are

Most e-mails are sent as plain ASCII text, which cannot run programs.
Email that uses HTML coding can carry viruses embedded in the HTML coding
PC Viruses What they are

Trojan Horse
A Trojan horse is a computer program
The program claims to do one thing
but instead does damage when you run i
Trojan horses have no way to replicate automatically.


Worms
A worm is a small piece of software that uses computer networks and security holes to replicate itself.
It copies itself to the new machine and starts replicating from there
Worms and Trojan horses are actually more common today than viruses.
Antivirus programs offer protection against all viruses, worms, and Trojans
refer to all of these types of malware as viruses.

For more information about this article,please follow the link:

googleurl?sa=t&source=web&cd=2&ved=0CBkQFjAB&url=http%3A%2F%2Ftokyopc.org%2Fmeetings%2F2002%2F10%2FPCViruses.ppt&ei=t722TJStA4qgvQOw-8inCQ&usg=AFQjCNH0ViBwQkHkjwcVCRIvCfAXFXKmag
Reply
project report helper
Active In SP
**

Posts: 2,270
Joined: Sep 2010
#4
29-10-2010, 04:12 PM


.pdf   spyware.pdf (Size: 463.7 KB / Downloads: 163)

The Dangers of Spyware

by André Post
Symantec Security Response


Abstract
Spyware programs are applications that send information via the Internet to the creator of the
spyware, or the publisher. Spyware usually consists of core functionality and functionality for
information gathering. The core functionality appeals to users and entices them to install and use the
spyware. The End User License Agreement (EULA) informs users of the information-gathering
actions, but most users overlook this information. Information that is sent to the publisher is normally
used for improved direct marketing purposes. The type of sent information differs depending on the
spyware program. In order for the publisher to properly digest the gathered data, some spyware
programs send a unique identifier with the gathered information.
Users often overlook the information-gathering functionaility of spyware, leaving them unaware that
the spyware publisher is gathering data from their computers.
√ About spyware
In this paper, spyware programs are defined as applications that send information via the Internet to
the publishers for marketing purposes without obvious notification to users. In this paper, spyware
does not refer to Backdoor Trojan Horses that allow hackers to secretly gain information from
the computer. The type of gathered information differs depending on the spyware. Some spyware
sends only system-specific information; other spyware sends personal information including
browsing habits.
Most spyware programs are free programs that are available on the Internet, and in some cases are
useful tools. Some examples are:
• Download utilities
• Games
• Media players
• Accounting software
Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#5
23-02-2011, 09:34 AM


.doc   virus & Anti viruses.doc (Size: 145.5 KB / Downloads: 120)
1. INTRODUCTION
In the mid-eighties, so legend has it, the Amjad brothers of Pakistan ran a computer store. Frustrated by computer piracy, they wrote the first computer virus, a boot sector virus called Brain. From those simple beginnings, an entire counter-culture industry of virus creation and distribution emerged, leaving us today with several tens of thousands of viruses. In just over a decade, most of us have been familiar with the term computer virus.
A large portion of modern computing life is to secure the information that we are creating and processing. There are many aspects of information security, ranging from physical access to ensuring that the information has not been changed in any way. One of the most high-profile threats to information integrity is the computer virus. Surprisingly, PC viruses have been around for two-thirds of the IBM PC’s lifetime, appearing in 1986. With global computing on the rise, computer viruses have had more visibility in the past two years.
Despite our awareness of computer viruses, how many of us can define what one is, or how it infects computers? This seminar and presentation aims to demystify the basics of computer viruses, summarizing what they are, how they attack and what we can do to protect ourselves against them.
2. VIRUSES
2.1 THE BASICS OF COMPUTER VIRUSES

Computer viruses are not inherently destructive. The essential feature of a computer program that causes it to be classified as a virus is not its ability to destroy data, but its ability to gain control of the computer and make a fully functional copy of itself. It can reproduce. When it is executed, it makes one or more copies of itself. Those copies may later be executed, to create still more copies, ad infinitum. Not all computer programs that are destructive are classified as viruses because they do not all reproduce, and not all viruses are destructive because reproduction is not destructive. However, all viruses do reproduce. The computer virus overcomes the roadblock of operator control by hiding itself in other programs. Thus it gains access to the CPU simply because people run programs that it happens to have attached itself to without their knowledge. A computer virus attaches itself to other programs earned it the name “virus.” However that analogy is wrong since the programs it attaches to are not in any sense alive.
Virus: What exactly is a Virus?
A virus is basically an executable file which is designed such that first of all it should be able to infect documents, then it has to have the ability to survive by replicating itself and then it should also be able to avoid detection. Usually to avoid detection, a Virus disguises itself as a legitimate program which the user would not normally suspect to be a Virus. Viruses are designed to corrupt or delete data on the hard disk i.e. on the FAT (File Allocation Table).
2.2 TYPES OF VIRUSES
Computer viruses can be classified into several different types.
1. File or program viruses:
Some programs are viruses in disguise, when executed they load the virus in the memory along with the program and perform the predefined steps and infect the system. They infect program files like files with extensions like .EXE, .COM , .BIN , .DRV and .SYS. Some file viruses just replicate while others destroy the program being used at that time.
2. Boot Sector Viruses (MBR or Master Boot Record)
Boot sector viruses can be created without much difficulty and infect either the Master boot record of the hard disk or the floppy drive.
3. Multipartite Viruses
Multipartite viruses are the hybrid variety; they can be best described as a cross between both Boot Viruses and File viruses. They not only infect files but also infect the boot sector.
4. Stealth Viruses
They viruses are stealth in nature and use various methods to hide themselves and to avoid detection.
5. Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to mutate this means that they change the viral code known as the signature each time it spreads or infects.
6. Macro viruses
In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically users employ macros to automate repetitive tasks and there by save key strokes
Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#6
11-03-2011, 04:32 PM

Submitted by:
Sunil Sahu


.pptx   presentation about viruses.pptx (Size: 515.85 KB / Downloads: 101)
Computer Viruses
What are computer viruses?

 Computer programs which invade a computer and try to take over its functions, rather like biological viruses do with human cells.
 Most of us must have dealt with computer viruses from time to time.
What is a virus?
 A virus is a program that self-replicates
 It is not data
 You can only catch a virus by running a program
 Your computer runs all kinds of programs
 spread of Computer Viruses
Basic virus terminology
Virus

 Self-replicating
 Also called a worm
Trojan Horse
 A program which appears to be valuable but has an unexpected consequence
 Examples of risky file types
 The following file types should never be opened:
 .EXE
 .BAT
 .VBS
 .COM
Worms
 Worm - is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.
 The TROJAN HORSE Virus
Boot Sector Viruses
 Boot sector viruses reside in the part of the disk that is read into memory and is executed when your computer first boots up. Once loaded, the virus can then infect any other disk used by the computer
 Typical things that some current Personal Computer (PC) viruses do
 Erase files
 Scramble data on a hard disk
 Cause erratic screen behavior
 Halt the PC
 Many viruses do nothing obvious at all except spread!
 Prevention
 Anti-Viruses
 Updates
 More secure operating systems
e.g. UNIX
 Anti-virus warnings
 Notify the help desk when you receive a virus warning from Norton Antivirus, Mcafee Antivirus etc.
 Most of the time, the virus software will detect and prevent the infection. However, the help desk can better tell you what to do.
Basic virus defense
 Install antivirus software.
 Make sure updates are current: No more than one week old.
 Don’t open e-mail attachments.
 Install a firewall on your workstation. (XP’s firewall blocks intruders but doesn’t block already installed viruses from going out. Good software firewall: Zone Alarm has a free version) Learn file extensions.
 Scan your system regularly.
 Don’t install new programs without first notifying IT.
 Don’t visit unauthorized Web sites.
Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#7
18-03-2011, 09:22 AM


.doc   computer_viruses.doc (Size: 117 KB / Downloads: 98)
Types of Anti-Viruses
Anti-virus programs are the most effective means of fighting viruses. But I would like to point out at once that there are no anti-viruses guaranteeing 100 percent protection from viruses. Any declarations about their existence may be considered to be either an advertising trick or a sign of incompetence. Such systems do not exist, because, for each anti-virus algorithm, it is always possible to suggest a virus counter algorithm, making this particular virus invisible for this particular anti-virus (fortunately, the opposite is also true: for any anti-virus algorithm, it is always possible to create an anti-virus). Moreover, the impossibility of the existence of the absolute anti-virus has been mathematically proved based on the theory of finite slot machines - the author of this proof is Fred Cohen.
It is also necessary to pay attention to some terms used in anti-virus program discussion:
False Positive - when an uninfected object (file, sector or system memory) triggers the anti-virus program. The opposite term - False Negative - means that an infected object arrived undetected.
On-demand Scanning - a virus scan starts upon user request. In this mode, the anti-virus program remains inactive until a user invokes it from a command line, batch file or system scheduler.
On-the-fly Scanning - all the objects that are processed in any way (opened, closed, created, read from or written to etc.) are being constantly checked for viruses. In this mode, the anti-virus program is always active, it is a memory resident and checks objects without user request.
Which Anti-Virus Program is Better?
Which anti-virus program is the best? The answer is any program, if no viruses live in your computer and you use only a reliable virus-free software source and no other. However, if you like using new software or games, are an active e-mail user, using Word or exchanging Excel spreadsheets, then you should use some kind of anti-virus protection. Which one exactly - you should decide that for yourself, but there are several points of comparison of different anti-virus programs.
The quality of anti-virus programs is determined by the following points, from the most to least important:
1. Reliability and convenience of work - absence of anti-virus "hang ups" and other technical problems, requiring special technical knowledge from a user.
2. Quality of detection of all major kinds of viruses, scanning inside document files, spreadsheets (Microsoft Word, Excel, Office97), packed and archived files. Absence of false positives. Ability to cure infected objects. For scanners (see below), this means the availability of timely updates, which is the speed of tuning a scanner to new viruses.
3. Availability of anti-virus versions for all the popular platforms (DOS, Windows 3.xx, Windows95, WindowsNT, Novell NetWare, OS/2, Alpha, Linux etc.), not only on-demand scanning, but also scanning on-the-fly capabilities, availability of server versions with possibility for network administration.
4. Speed of work and other useful features, functions, bells and whistles.
Reliability of anti-virus programs is the most important criterion, because even the "absolute anti-virus" may become useless, if it is not able to finish the scanning process and hangs, leaving a portion of your disks and files unchecked, thereby leaving the virus in the system undetected. The anti-virus may also be useless if it demands some special knowledge from a user - most users are likely to simply ignore the anti-virus messages and press [OK] or [Cancel] at random, depending on which button is closer to the mouse cursor at this time. And if the anti-virus asks an ordinary user complicated questions too often, the user will most likely stop running such an anti-virus and even delete it from the disk.
Virus-detection quality is the next item, for quite an obvious reason. Anti-virus programs are called anti-virus, because their main purpose is to detect and remove viruses. Any highly sophisticated anti-virus is useless if it is unable to catch viruses, or does it with low efficiency. For example, if an anti-virus can not detect a certain polymorphic virus with 100% success, then after the system has been infected with this particular virus, such an anti-virus detects only part (say 99%) of all the infected files in a system. As little as 1% of infected files will remain undetected, but when this virus has infiltrated the system again, the anti-virus misses this 1% for the second time, but this time this will be 1% of the 99% left from the previous time, i.e., 1.99%. And so on until all the files become infected with the anti-virus being perfectly happy about it.
Therefore, detection quality is the second most important criterion of anti-virus quality; even more important than its multi-platform availability, various convenient features and so on. However, if an anti-virus with high quality of detection causes lots of false positives, then its level of usefulness drops significantly, because a user has to either delete uninfected files or analyze suspicious files all by himself, or gets used to these frequent false alarms and in the end misses the real virus warning (the boy who cried wolf?).
Multi-platform availability is the next item on the list, because for each OS, only a native for that OS program can make extensive use of these OS features. Non-native anti-viruses are often not as useful or sometimes even destructive. For example the "OneHalf" virus has infected a Windows95 or WindowsNT system. If you use a DOS anti-virus for disk decryption (this virus encrypts disk sectors), the results may be disappointing: the information on a disk will be damaged beyond repair, because Windows95/NT would not allow the anti-virus to use direct sector reads/writes while decrypting sectors, whereas a native Windows95 or NT anti-virus fulfills this task flawlessly.
On-the-fly checking capability is also a rather important feature of an anti-virus. Immediate, forced-virus checking of all incoming files and diskettes gives virtually a 100% guarantee of a virus free system, if, of course, the anti-virus is able to detect the supposed viruses. Anti-viruses capable of continuous file-server health care (for Novell Netware, Windows NT, and recently after massive invasion of macro viruses, also for email servers, that is scanning all the incoming mail) are very useful. If a file server version of an anti-virus contains network administration features, its value increases even more.
The next important criterion is working speed. If full system check requires several hours to complete, it is unlikely that most users are going to run it frequently. Also the slowness of anti-virus does not imply that it catches more viruses or does it better than its faster counterpart. Different anti-viruses utilize different virus scanning algorithms, some being faster and of higher quality while another may be slower and not so of such quality. Everything here depends on the abilities and competence of developers of a particular anti-virus.
Various additional options are last in the anti-virus quality criteria list because very often these options have no effect on overall usefulness. However these additional options make user's life much easier and maybe push him to run anti-virus more often.
Tips on Usage of Anti-Virus Programs
Always see that you have the latest antiviral software version available. If software updates are available, check them for "freshness". Usually new versions of anti-viruses are announced, so it is sufficient to visit the corresponding WWW/ftp/BBS sites.
Anti-virus "nationality" in most cases does not matter, because, at the present time, the processes of virus emigration to other countries and antiviral software immigration is limited only by the speed of the Internet, so both viruses and anti-viruses know no borders.
If a virus has been found on your computer, it is imperative not to panic (for those who "meet" viruses daily, a remark like this may seem funny). Panicing never does any good; thoughtless actions may result in bitter consequences.
If a virus is found in some newly arrived file(s) and has not infiltrated the system yet, there is no reason to worry: just kill the file (or remove the virus with your favorite antiviral program) and you may keep on working. If you have found a virus in several files at once or in the boot sector, the problem becomes more serious, but still it can be resolved - anti-virus developers are not drones.
Once more, you should pay attention to the term "false positive." If in some SINGLE file "living" in your computer system for a long time some single anti-virus has detected a virus, this is most likely a false positive. If this file has been run several times, but the virus still has not crawled to other files, then this is extremely strange. Try to check this file with some other anti-viruses. If all of them keep silent, send this file to the research lab of the company that developed the anti-virus, which was triggered by it.
However, if a virus has really been found in your computer, you should do the following:
1. In the case of a file-virus detection, if the computer is connected to a network, you should disconnect it from the network and inform the system administrator. If the virus has not yet infiltrated the network, this will protect the server and other workstations from virus attack. If the virus has already infected the server, disconnection from the network will not stop the virus from infiltrating into your computer again after its treatment. Reconnection to the network must be done only after all the servers and workstations have been cured.
If a boot virus has been found, you should not disconnect your computer from the network: viruses of this kind do not spread over it (except file-boot viruses, of course).
If the computer is infected with a macro-virus, then instead of disconnecting from network, it is enough to make sure that the corresponding editor (Word/Excel) is inactive on any computer.
2. If a file or boot virus has been detected, you should make sure that either the virus is non-resident, or the resident part of it has been disarmed: when started, some (but not all) anti-viruses automatically disable resident viruses in memory. Removal of a virus from the memory is necessary to stop its spreading. When scanning files, anti-viruses open them; many resident viruses intercept this event and infect the files being opened. As a result, the majority is infected because the virus has not been removed from memory yet. The same thing may happen in the case of boot viruses - all the diskettes being checked may become infected.
If the anti-virus you use does not remove viruses from memory, you should reboot the computer from a known uninfected and well-written, protected system diskette. You should do a "cold" boot (by pressing "Reset" or power "off/on"), because several viruses "survive" after a "warm" boot. Some viruses apply a technique allowing for their survival even after the "cold" boot (see the "Ugly" virus for example), so you should also check the item "boot sequence A:, C:" in the machine's BIOS to ensure DOS boots from the system diskette and not from infected hard drive.
In addition to resident/non-resident capabilities, it is useful to make yourself acquainted with other features of the virus: types of files it infects, its effects etc. The only known source of such information, containing data of this kind on virtually all known viruses, is "The AVP Virus Encyclopedia."
3. With the help of the anti-viral program, you should restore the infected files and check them for functionality. At the same time or before treatment, you should backup the infected files and print/save the anti-virus log somewhere. This is necessary for restoring files in case the treatment proves to be unsuccessful due to an error in anti-virus-treatment module, or because of an inability of this anti-virus to cure this kind of virus. In this case, you will have to resort to the services of some other anti-virus.
It is much more reliable, of course, to simply restore the backed up files (if available), but, still, you will need to resort to an anti-virus - what if all the copies of the virus haven't been destroyed, or some backed up files are infected, too?
It is worth mentioning that the quality of file restoration by many antiviral programs leaves much to be desired. Many popular anti- viruses often irreversibly damage files instead of curing them. Therefore, if file loss undesirable, you should execute all the previous recommendations completely.
In the case of a boot virus, it is necessary to check all the diskettes to see whether they are bootable (i.e., contain DOS files) or not. Even a completely blank diskette may become a source of viral infection - it is enough to forget it in the drive and reboot (of course, if a diskette boot is enabled in BIOS).
Besides the above-mentioned items, you should pay special attention to the cleanness of modules, compressed with utilities like LZEXE, PKLITE or DIET, files inside archives (ZIP, ARC, ICE, ARJ, etc.) and self-extracting data files (created by the likes of ZIP2EXE). If you accidentally pack a virus in an infected file, it will be virtually impossible to detect and remove the virus from it without unpacking. In this case, a situation in which all the antiviral programs, unable to scan inside archives, report that all disks are virus free (however, after some time, the virus re-emerges) will become typical.
Colonies of viruses may infiltrate backup copies of software, too. Moreover, archives and back-up copies are the main source of long known viruses. A virus may "sit" in a distribution copy of some software for ages and then suddenly appear after software installation on a new computer.
Nobody can guarantee removal of all copies of a computer virus, because a file virus may attack not only executables, but also overlay modules not having COM or EXE extensions. A boot virus may remain on some diskettes and appear suddenly after an attempt to boot from it. Therefore, it is sensible to use some resident anti-virus scanner continuously for some time after virus removal (not to mention that it's better to a use scanner at all times).
Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#8
24-03-2011, 09:47 AM

Presented By
Gaurav Sharma


.ppt   viruses.ppt (Size: 1.67 MB / Downloads: 130)
What is a virus ?
Viruses range from the harmless programs displaying a character on your screen to the malicious codes which go on to format your entire hard-disk
The difference between a computer virus and other programs is that viruses are designed to self-replicate (make copies of them). They self replicate without the knowledge of the user.
Classification of viruses
 General classification of the virus.
 Behavioral classification of the virus
GENERAL CLASSIFICATION OF VIRUSES
BEHAVIOURAL CLASSIFICATION OF VIRUSES

In addition to the general classification ,viruses can also be classified according to the following behavior patterns exhibited by them:
 Nature of attack.
 Deception techniques employed.
 Frequency of infection.
How Does a Computer Get a Virus?
On downloading files from the Internet.
On opening an e-mail attachment.
On copying programs or files from any other infected computer.
SYMPTOMS OF A VIRUS INFECTION
Viruses by nature are designed to spread unnoticed as much as possible; before carrying their payload (that is, before carrying out their activities). However, before those happen, there are a variety of symptomatic indications
Some General Tips on avoiding virus infections:
 Install anti-virus software from a well-known, reputable company, UPDATE it regularly, and USE it regularly.
 Virus scan any new programs or other files that may contain executable code before you run or open them.
 Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive.
 If your E-mail or news software has the ability to automatically execute
 JavaScript, Word macros, or other executable code contained in or attached to a message, disable this feature.
CONCLUSION
From here, we conclude that we have to take care while using different types of external data storage devices like CDs and floppy disks, the sentence is
“PREVENTION IS ALWAYS BETTER THAN CURE”.
Before inserting or extracting some data from the devices first of all, we have to scan it properly with the help of upgraded and standard anti-virus software.
Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#9
04-04-2011, 11:30 AM

PRESENTED BY:
Venugopal reddy


.ppt   venus final tech.ppt (Size: 2.02 MB / Downloads: 82)
Computer Viruses
Introduction
 Computer virus have become today’s headline news
 With the increasing use of the Internet, it has become easier for virus to spread
 Virus show us loopholes in software
 Most virus are targeted at the MS Windows OS
Definition
Þ Virus : A true virus is capable of self replication on a machine. It may spread between files or disks, but the defining character is that it can recreate itself on it’s own with out traveling to a new host.
Background
 There are estimated 30,000 computer viruses in existence
 Over 300 new ones are created each month
 First virus was created to show loopholes in software
 Virus Languages
 ANSI COBOL
 C/C++
 Pascal
 VBA
 Unix Shell Scripts
 JavaScript
 Basically any language that works on the system that is the target
Symptoms of Virus Attack
 Computer runs slower then usual
 Computer no longer boots up
 Screen sometimes flicker
 PC speaker beeps periodically
 System crashes for no reason
 Files/directories sometimes disappear
Virus through the Internet
 Today almost 87% of all viruses are spread through the internet (source: ZDNet)
 Transmission time to a new host is relatively low, on the order of hours to days.
Classifying Virus - Types
 Trojan Horse
 Worm
 àTrojan Horse
 Covert
 Leaks information
 Usually does not reproduce
 Trojan Horse
Features of Trojans:
◦ pings and query servers
◦ reboot or lock up the system
◦ display system information
◦ logs keystrokes
◦ server control
 àWorms
 Spread over network connection
 Worms replicate
 First worm released on the Internet was called Morris worm, it was released on Nov 2, 1988.
 Worms
Features of worms:
◦ requires WSL (windows scripting language), Outlook or Outlook Express, and IE5
◦ Does not work in Windows NT
◦ Effects Spanish and English version of Windows
◦ 2 variants have been identified
◦ Is a “latent virus” on a Unix or Linux system
 Worms
How Worms works
◦ worm is embedded within an email message of HTML format.
◦ a VbScript while the user views a HTML page
◦ a file named “Update.hta” is placed in the start up directory
◦ upon reboot worms executes
 Protection/Prevention
 Knowledge
 Proper configurations
 Run only necessary programs
 Anti-virus software
 Different anti-virus programs
There are three different kind of anti-viral packages:
 activity monitors,
 authentication or change-detection software, and
 scanners.
Each type has its own strengths and weaknesses. Commercial anti-viral programs have a combination of the above mentioned functions.
Top ten Antiviral programs
 Data Fellows F-Prot
 EliaShim ViruSafe
 ESaSS ThunderBYTE
 IBM Antivirus
 McAfee Scan
 Microsoft Anti-Virus
 Symantec Norton Antivirus
 S&S Dr S&S Dr Solomon's AVTK.
 Bit Defender 2008
Conclusion
 You know know more about virus and how:
◦ viruses work through your system
◦ to make a better virus
 Have seen how viruses show us a loophole in popular software
 Most viruses show that they can cause great damage due to loopholes in programming
Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#10
19-04-2011, 12:34 PM

Presented by:
Aparna Bandge


.pptx   Presentation1.pptx (Size: 406.99 KB / Downloads: 78)
How viruses get into computers
The four most common virus infections come from:
File – A virus type that infects existing files on the computer (~40%)
Macro – A virus that runs as a macro in a host application such as the MS Office applications (~35%)
VBScript – A virus that uses Windows VisualBasic Script functionality (~10%)
Internet Worm – A virus that is primarily characterized by it’s replication across the Internet (~5%)
What is Virus ?
“ Virus : A true virus is capable of self replication on a machine. It may spread between files or disks, but the defining character is that it can recreate itself on it’s own with out traveling to a new.”
Introduction
 Computer virus have become today’s headline news
 With the increasing use of the Internet, it has become easier for virus to spread
 Virus show us loopholes in software
 Most virus are targeted at the MS Windows OS
Virus Languages
 ANSI COBOL
 C/C++
 Pascal
 VBA
 Unix Shell Scripts
 JavaScript
 Basically any language that works on the system that is the target
Classifying Virus - Types
Trojan Horse
Worm
Macro
PC Viruses
How they spread
A virus runs first when a legitimate program is executed.
The virus loads itself into memory and looks to see if it can find any other programs on the disk.
If it can find one, it modifies it to add the virus's code to the new program.
Then the virus launches the "real program."

Reply
seminar class
Active In SP
**

Posts: 5,361
Joined: Feb 2011
#11
22-04-2011, 10:44 AM


.doc   Computer Viruses.doc (Size: 122.5 KB / Downloads: 101)
COMPUTER VIRUSES
Introduction

Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person.
There are similarities at a deeper level, as well. A biological virus is not a living thing. A virus is a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way to do anything or to reproduce by itself -- it is not alive. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.
Types Of Viruses
When you listen to the news, you hear about many different forms of electronic infection. The most common are:
 Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
 E-mail viruses - An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
The latest thing in the world of computer viruses is the e-mail virus, and the Melissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen! As mentioned earlier, it forced a number of large companies to shut down their e-mail systems.
The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.
The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.
Microsoft applications have a feature called Macro Virus Protection built into them to prevent this sort of thing. With Macro Virus Protection turned on (the default option is ON), the auto-execute feature is disabled. So when a document tries to auto-execute viral code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway. Many other people turn off the protection mechanism. So the Melissa virus spread despite the safeguards in place to prevent it.
In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable.
 Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
A worm is a computer program that has the ability to copy itself from machine to machine. Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly. For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001. A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL server. This article offers a fascinating look inside Slammer's tiny (376 byte) program.
Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent.
 A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt.
The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that do not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.
The Code Red worm was designed to do three things:
• Replicate itself for the first 20 days of each month
• Replace Web pages on infected servers with a page that declares "Hacked by Chinese"
• Launch a concerted attack on the White House Web server in an attempt to overwhelm it
The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001. According to the National Infrastructure Protection Center:
The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Un-patched systems are susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect unprotected web servers. Each worm thread will then inspect the infected computer's time clock. The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00 hours, GMT on July 20, 2001. This is 8:00 PM, EST.
 Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
Examples: NetBus and BackOrifice, Subseven
 Boot Sector Viruses - As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. The boot sector contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it gets executed. It can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.
In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc. Compact discs cannot be modified, and that makes viral infection of a CD impossible. The programs are so big that the only easy way to move them around is to buy the CD. People certainly can't carry applications around on a floppy disk like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined because operating systems now protect the boot sector.
Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as quickly as they once could. Call it "shrinking habitat," if you want to use a biological analogy. The environment of floppy disks, small programs and weak operating systems made these viruses possible in the 1980s, but huge executables, unchangeable CDs and better operating system safeguards have largely eliminated that environmental niche.
Examples: Form, Disk Killer, and Michelangelo
 Program viruses - These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of it and infecting files on disk.
Examples: Sunday, Cascade
 Multipartite viruses - A hybrid of Boot and Program viruses. They infect program files and when the infected program is executed, these viruses infect the boot record. When you boot the computer next time the virus from the boot record loads in memory and then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila
 Stealth viruses - These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale
 Polymorphic viruses - A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
 Macro Viruses - A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (Normal.dot)-a general purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on another computer.
Examples: DMV, Nuclear, Word Concept.
 Active X - ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control there web browser to enable or disable the various functions like playing sound or video and so, by default, leave a nice big hole in the security by allowing applets free run into there machine. There has been a lot of commotion behind this and with the amount of power that JAVA imparts, things from the security angle seem a bit gloom.
Reply
seminar paper
Active In SP
**

Posts: 6,455
Joined: Feb 2012
#12
03-03-2012, 12:20 PM

to get information about the topic anti virus full report ppt and related topic refer the link bellow

topicideashow-to-computer-virus-and-anti-virus-full-report

topicideashow-to-sandboxing-for-antivirus-solutions-full-report

topicideashow-to-computer-virus-and-anti-virus-full-report?page=2

topicideashow-to-antivirus-software
Reply
seminar tips
Super Moderator
******

Posts: 8,857
Joined: Oct 2012
#13
04-12-2012, 11:47 AM

to get information about the topic"computer virus and antivirus" full report ppt and related topic refer the link bellow

topicideashow-to-computer-virus-and-anti-virus-full-report

topicideashow-to-computer-virus-and-antivirus-report%09

topicideashow-to-computer-virus-and-anti-virus-full-report?page=2

topicideashow-to-computer-virus-and-anti-virus-full-report?page=4

topicideashow-to-computer-virus-and-anti-virus-full-report?page=3

topicideashow-to-virus-and-anti-virus

topicideashow-to-anti-virus-program

Reply
Guest
Thinking To Register

 
#14
16-09-2013, 03:06 PM

Computer viruses are not inherently destructive. The essential feature
of a computer program that causes it to be classified as a virus is not
its ability to destroy data, but its ability to gain control of the
computer and make a fully functional copy of itself. It can reproduce.
When it is executed, it makes one or more copies of itself. Those
copies may later be executed, to create still more copies, ad
infinitum. Not all computer programs that are destructive are
classified as viruses because they do not all reproduce, and not all
viruses are destructive because reproduction is not destructive.
However, all viruses do reproduce. The computer virus overcomes the
roadblock of operator control by hiding itself in other programs. Thus
it gains access to the CPU simply because people run programs that it
happens to have attached itself to without their knowledge. A computer
virus attaches itself to other programs earned it the name virus.
However that analogy is wrong since the programs it attaches to are not
in any sense alive.
Virus: What exactly is a Virus?
A virus is basically an executable file which is designed such that
first of all it should be able to infect documents, then it has to have
the ability to survive by replicating itself and then it should also be
able to avoid detection. Usually to avoid detection, a Virus disguises
itself as a legitimate program which the user would not normally
suspect to be a Virus. Viruses are designed to corrupt or delete data
on the hard disk i.e. on the FAT (File Allocation Table).
2.2 TYPES OF VIRUSES
Computer viruses can be classified into several different types.
1. File or program viruses:
Some programs are viruses in disguise, when executed they load the
virus in the memory along with the program and perform the predefined
steps and infect the system. They infect program files like files with
extensions like .EXE, .COM , .BIN , .DRV and .SYS. Some file viruses
just replicate while others destroy the program being used at that
time.
2. Boot Sector Viruses (MBR or Master Boot Record)
Boot sector viruses can be created without much difficulty and infect
either the Master boot record of the hard disk or the floppy drive.
3. Multipartite Viruses
Multipartite viruses are the hybrid variety; they can be best described
as a cross between both Boot Viruses and File viruses. They not only
infect files but also infect the boot sector.
4. Stealth Viruses
They viruses are stealth in nature and use various methods to hide
themselves and to avoid detection.
5. Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to
mutate this means that they change the viral code known as the
signature each time it spreads or infects.
6. Macro viruses
In essence, a macro is an executable program embedded in a word
processing document or other type of file. Typically users employ
macros to automate repetitive tasks and there by save key strokes

THE FUNCTIONAL ELEMENTS OF A VIRUS
Every viable computer virus must have at least two basic parts, or
subroutines, if it is even to be called a virus. Firstly, it must
contain a search routine, which locates new files or new areas on disk
which are worthwhile targets for infection. This routine will determine
how well the virus reproduces, e.g., whether it does so quickly or
slowly, whether it can infect multiple disks or a single disk, and
whether it can infect every portion of a disk or just certain specific
areas. As with all programs, there is a size versus functionality
tradeoff here. The more sophisticated the search routine is, the more
space it will take up .So although an efficient search routine may help
a virus to spread faster, it will make the virus bigger, and that is
not always so good.
Secondly, every computer virus must contain a routine to copy itself
into the area which the search routine locates. The copy routine will
only be sophisticated enough to do its job without getting caught. The
smaller it is, the better. How small it can be will depend on how
complex a virus it must copy. For example, a virus which infects only
COM files can get by with a much smaller copy routine than a virus
which infects EXE files. This is because the EXE file structure is much
more complex, so the virus simply needs to do more to attach itself to
an EXE file.
While the virus only needs to be able to locate suitable hosts and
attach itself to them, it is usually helpful to incorporate some
additional features into the virus to avoid detection, either by the
computer user, or by commercial virus detection software. Anti-
detection routines can either be a part of the search or copy routines,
or functionally separate from them. For example, the search routine may
be severely limited in scope to avoid detection. A routine which
checked every file on every disk drive, without limit, would take a
long time and cause enough unusual disk activity that an alert user
might become suspicious. Alternatively, an Anti-detection routine might
cause the virus to activate under certain special conditions. For
example, it might activate only after a certain date has passed (so the
virus could lie dormant for a time).

Figure 1.

Reference: topicideashow-to-computer-virus-and-anti-virus-full-report#ixzz2f2wcyF7N
Reply
chantiammu
Active In SP
**

Posts: 2
Joined: Mar 2013
#15
20-09-2013, 02:27 PM

hi the topics are complicated to understand but they all really good.......
and u'r background was simply superb.....


Attached Files
.jpeg   fl.jpeg (Size: 5.42 KB / Downloads: 8)
Reply

Important Note..!

If you are not satisfied with above reply ,..Please

ASK HERE

So that we will collect data for you and will made reply to the request....OR try below "QUICK REPLY" box to add a reply to this page

Quick Reply
Message
Type your reply to this message here.


Image Verification
Please enter the text contained within the image into the text box below it. This process is used to prevent automated spam bots.
Image Verification
(case insensitive)

Possibly Related Threads...
Thread Author Replies Views Last Post
  web spoofing full report computer science technology 13 8,921 20-05-2016, 11:59 AM
Last Post: Dhanabhagya
  Computer Memory Based on the Protein Bacteriorhodopsin seminar projects crazy 16 8,984 06-09-2015, 04:54 PM
Last Post: Larbaski
  essay about computer in tamil jaseelati 0 313 26-02-2015, 04:30 PM
Last Post: jaseelati
  seminar topics for computer networking with ppt jaseelati 0 278 18-02-2015, 02:37 PM
Last Post: jaseelati
  assembling and disassembling of computer ppt jaseelati 0 264 17-02-2015, 02:51 PM
Last Post: jaseelati
  computer oriented numerical methods ppt jaseelati 0 231 13-02-2015, 01:15 PM
Last Post: jaseelati
  basic computer knowledge pdf in marathi jaseelati 0 306 11-02-2015, 01:21 PM
Last Post: jaseelati
  basic computer knowledge pdf in marathi jaseelati 0 248 07-02-2015, 02:23 PM
Last Post: jaseelati
  advantages and disadvantages of computer in tamil language jaseelati 0 378 05-02-2015, 04:51 PM
Last Post: jaseelati
  computer science project topics and materials pdf jaseelati 0 312 05-02-2015, 01:23 PM
Last Post: jaseelati