What is a Virus?
This post was not originally written by me, I’m just reposting it as this article points out some very good do’s, don’ts, and how come’s of what modern virus’s are. The original article is a bit old, but still completely valid to this day.
THE BASIC CONCEPTS OF PC VIRUSES
written by: paranoidxe
date: 04/22/04
email: paranoidtsi@hotmail.com
DEFINITIONS…
Virus: a virus is a program that replicates itself and "injects" its code into other programs on your computer without the user's knowledge or permission. For a human example, when a human virus enters the body it attaches to a cell, it then injects its DNA coding into the cell and tells it to make copies... essentially the same concept, the computer virus attaches to a program. as defined in this guide a virus replicates on purpose NOT as a side effect.
Trojan: a program that is advertised as having a legit function, but when the user launches it it either has alternative motives or it runs fine but does something in the background. The important difference between a trojan and a virus is that a trojan is a program that DOES NOT infect other files or spread like a virus.
Worm: the third virus-like program, a worm spreads usually through security holes, it does NOT require user intervention and does not infect files on a computer. A worms primary function is to spread and under normal circumstances it causes overload on network systems causing them to crash. A worm will dissappear if the computer is turned off. The general prevention measure is to patch the security flaw the worm uses.
Bug: a bug is a unintentional flaw in software products. The reason this is mentioned is because bugs usually cause a computer to act funky on the user, and just because this happens does not mean its a virus.
Droppers: usually a shell of a virus, this is a program that has a virus encrypted into it to avoid detection. Once a dropper is launched the virus is decrypted and launched on the targeted machine.
[MISC. MEANINGS]
AV - antivirus: either refering to a program that combats and eliminates viruses, or a company that produces antivirus products.
MBR - master boot record: this is the program that tells you hard drive how to work and how to understand to retrieve/write data.
file system: if MBR is the program to give direction (like a ref in a football game) then the file system is the field. file system is what organizes data on a drive.
false positive: this is when a antivirus program reports a file as being infected when its really not.
false negative: this is when a antivirus program reports the file uninfected, yet really it is.
VIRUS MECHANISMS
Viruses can use various technologies to infect the targeted machine, these are some of the common methods used:
Boot Sector/MBR Infector: These viruses pray on the boot program that is on every single hard drive/floppy drive. The boot program essentially tells the size of the disk and tells the disk how to read the data...viruses have found a way to get here which insures that the virus is launched at every boot.
Polymorphic: Polymorphic is a method used by virus writers to avoid detection, the way it works is normally a virus will infect a file with the same size and code..polymorphism will actually change the codes appearance as well as size. This makes detection more difficult and antivirus companies must rely on the patterns instead of code signatures.
Stealth: This technology makes it so when reporting file sizes the virus reports the uninfected file size...this essentially means the virus makes the file appear unaltered.
Encryption: A method that seems to be getting more and more complex, encryption makes it so antivirus companies cannot decypher the viruses code, this makes it harder for antivirus companies to understand the virus and provide fixes if the virus damages anything.
TSR - terminate/stay resident: this is a virus that enters memory and stays in memory generally infecting any program written or read. This is a part of almost every virus now.
Macro virus: a 1995 invention, a macro virus thrives off microsoft word, it infects the global setting file on word and every document after the initial infection is launched it too becomes infected.
File Infector: this is the most common type of virus, it infects programs as they are launched but does NOT infect boot sectors. This is the most basic of viruses.
multi-partite: these are viruses that use both file infection and boot sector infection. This is what most viruses will use now that are non-macro viruses.
UNDERSTANDING TROJANS.
As stated in the definitions, a trojan is a program that appears to have a desireable function..but instead it has a hidden agenda.
It is important to understand that trojans do NOT infect other files. They also may function as advertised with the malicious code taking effect in the background.
Trojans can also load at every boot, however not in the same manner. Trojans rely on your operating system to load themselves everytime, unlike viruses which can get into the boot record, trojans generally cannot.
Trojans often have various malicious functions such as:
* Steal passwords
* Format Hard Drives
* Random Reboots
* Used as a server program for another user
A special type of trojan known as a "backdoor" trojan opens a port on your internet connection that allows the remote user to use his program and connect to your computer and do various functions. This could be just to annoy you, other times it could be used to take your data. Backdoor Trojans are generally able to do the following:
* rename/delete/edit files
* upload/download files
* open/close cdrom drive
* run floppy drive
* reboot computer
* send messages
Backdoor trojans can have there uses as a remote adminstrative tool, but this is rarely the case.
WHY WRITE VIRUSES
There are many reasons people want their viruses out there. The more common ones include:
a) Revenge, the virus was ment to infect one computer but instead it ends up infecting more than just one. It was designed to get revenge on someone that apparently pissed the author off.
b) Accidental, sometimes a virus is released accidently..the virus was just something to do in their spare time and was never meant to get released.
c) Make a Statement, sometimes viruses are out to make statements, like stoned made the statement "Legalize Marijuana"...Tequila was obviously made by one who liked tequila <go figure).
d) Fame, some love to see their creation make it to the media and on TV, although this rarely happens.
e) Challenge, to make a virus is challenging, one might want to make one just to see if he/she could do it.
f) Education, some do it simply to learn more complex programming. Virus writing is easily one project that requires excellent advanced programming skills.
COMMON WAYS OF INFECTION
Back in the day, floppies and BBS were probably the most common ways to get a virus. However, times have changed and there are plenty of new and "exciting" ways to contract one:
- NETWORK, this can be on a local network one user may get infected and the virus will spread to other nodes on the network.
- FLOPPY/CD, a computer infected with a virus may burn a CD unknownly writing it onto the CD, you launch it and get it. Floppies work the same way.
- WEBSITES, downloading from websites you really don't know, the webmastercould have deliberately infected the file you downloaded or was done by accident.
- P2P NETWORKS, this is probably the #1 source of viruses right now, right up there with newsgroups. P2P Networking is tricky because the description can be labeled as something else yet the file could be something completely different from the description..and generally you don't see the filename until after it has been downloaded, a good example would be Kazaa.
- EMAIL, sometimes viruses spread themselves through email programs. The virus may compose itself from one of your friends email boxes, you thinking it is safe after all it is your friend right? you run it and get infected.
COMMON MYTHS
[VIRUSES ALWAYS CAUSE MALICIOUS DAMAGE]
This is not true, in fact some viruses cause malicious damage because of a bug in the coding, go figure. Anyway, some viruses are simply around to replicate and spread, others are designed to display political messages or annoy the user. There are viruses out there that are hell bent on destroying computers, yes but there are some that don't.
[MY COMPUTER CRASHED, I MUST HAVE A VIRUS!]
98% of the time the computer crashes because of faulty hardware, faulty hardware drivers, faulty or conflicting software, corrupted files, or corrupted operating system...just because your computer crashes DOES not mean you have a virus. Viruses like to hide before they do any damage to your computer, so the chances are you will not realize unless you have a antivirus if you have a virus active on your system.
[I NEED MORE THAN 2 ANTIVIRUS PRODUCTS TO KEEP MY MACHINE SAFE]
What people don't understand is that having more than one antivirus doesn't make you safer, in fact it could cause conflicts on your computer. I recommend only using one antivirus at a time.
[I CAN GET A VIRUS FROM READING EMAIL]
With the exception of the Outlook Express vulnerability, NO you cannot. The Outlook Express vulnerability was a bug that allowed execution of code through the preview window, this has been fixed with recent patches. Otherwise, you can NOT get a virus by simply reading your email using your eyeballs, but you can get a virus if you selectively download a virus infected file and run it.
[MY CDS CAN GET INFECTED BY A VIRUS]
No, this is because cds are read-only. There is no currently known virus that can write itself using a cd burner or otherwise. HOWEVER, viruses can come from CDR media that came from an infected computer. Commercial software has maybe a 1 in a trillion chance of being infected by a virus, most companies are VERY careful about infection but it doesn't mean it can't happen. CDs can carry viruses yes, but a virus cannot infect a CD.
[VIRUSES ARE WRITTEN BY SCRIPT KIDDIES]
No, in fact adults write viruses almost as much as kids do. Virus writers are very intelligent they just choose to waste their talent on viruses.
[I CAN GET A VIRUS THROUGH A VIDEO]
No, video formats such as .WMV, .WMA, .AVI, .MPG, .MPEG, .ASF, etc. etc. do not contain any "executable" code to modify other files. video files CANNOT WILL NOT contain viruses. The exception is when the file has a double extension, such as home.wmv.exe...this means the file was designed to appear as a video but really isn't.
[I CAN GET A VIRUS THROUGH MP3s]
Not true, however a bug in Winamp 2.79 may cause a executable code to be run through a mp3 data stream. MP3 files themselves CANNOT contain viruses because once again there is no executable code.
[I CAN GET A VIRUS THROUGH PICTURE FILES]
Same as video, you cannot get a virus through a picture file. These extensions include, but not limited to: .JPG, .JPEG, .TIFF, .PIC, .BMP, .TIF, .GIF, .PSD, .PSP, etc.
[TROJAN/WORM FILES CAN BE CLEANED BY ANTIVIRUS PRODUCTS]
This is untrue, before you mouth drops let me explain something. A virus injects its code into other programs for example:
01010101010 << orignal code
010101010103333 << orignal code with virus attached at the end
01010101010 << cleaned by antivirus product
Trojans and Worms work differently because the WHOLE program is the problem.
33333333333 << trojan/worm
There is NO good useful code in the program, thus there is nothing for the antivirus software to recover data from. The antivirus program CAN delete the trojan/worm and get the infection off of your computer, but it cannot clean it.
[ANTIVIRUS PRODUCTS ARE 100% I AM SAFE]
No you are not. antivirus products can in fact be a false sense of security, no antivirus product is perfect. New viruses are created all the time and antivirus programs can't detect these unless they have a sample. Yes av products do reduce the chance of getting an infection but they are not fool proof.
PROTECTING YOURSELF
[ANTI-VIRUS PRODUCTS]
There are many different products out on the market, at this point there is NO product that is really superior to the other. There are free antivirus products and pay products. here is the list of some common antivirus products used at present time:
Symantec Norton Antivirus - www.symantec.com
Mcafee Antivirus - www.mcafee.com
F-Secure Antivirus - www.f-secure.com
PC-Cillin - housecall.trendmicro.com
AVG Antivirus (free version) - www.grisoft.com
NOD32 Antivirus System - www.nod32.com
Avast Antivirus (free) - www.alwil.com
It is recommended that you have at least one antivirus product on your computer at all times. It is recommended that you have the constant virus monitor on if you do not have common knowledge about computers and how to identify a virus from a regular program.
[ANTI-TROJAN PRODUCTS]
Many antivirus products do provide trojan protection, however they are generally not as good as antitrojan products available. You may or may not have a anti-trojan product on your computer..it is simply optional.
Trojan Hunter - www.misec.net/trojanhunter/
The Cleaner - www.moosoft.com
[GENERAL TIPS]
* Never download attachments in email from people you don't know, in fact don't download attachments from people you DO know. Viruses can spread through friends address books and the virus could be sent to you.
* Check file sizes, if you are downloading say..AOL Instant Messenger and the file size is only 20K big..think about it..is AIM really on 20K in size? I don't think so.
* .COM/.SHS/.BAT/.VBS/.DOC are generally bad news. These files types usually contain viruses.
* Always check extensions, if there are two extensions the file is normally bad news..and the second extension is what the file REALLY is.
* Viruses are usually launched through .exe, .com, .shs, .vbs, .doc and files in .zip files can contain them.
* If unsure, use your antivirus scanner on the questionable file this should give you a good idea what you are working with.
* make sure you keep your antivirus up-to-date, a virus scanner can only be effective if it has up-to-date patterns to look for.
I am hoping this helped someone out there with a introduction to viruses and how to protect yourself from them.
RIGHT! So there you have it. Obviously some of the information and links are outdated, but all the major concepts hold true to this day. So I hope this has cleared a bit up for you and you can now browse the web with confidence and intelligence.
- Panopticon36 -
