Sunteți pe pagina 1din 28

Bilogical Virus

A virus (from the Latin virus meaning "toxin" or "poison"), is a sub-microscopic

infectious agent that is unable to grow or reproduce outside a host cell. Each viral
particle, or virion, consists of genetic material, DNA or RNA, within a protective
protein coat called a capsid. The capsid shape varies from simple helical and
icosahedral (polyhedral or near-spherical) forms, to more complex structures with
tails or an envelope. Viruses infect all cellular life forms and are grouped into animal,
plant and bacterial types, according to the type of host infected.

Examples of common human diseases caused by viruses include the common cold,
influenza, chickenpox, diarrhea and cold sores. Serious diseases such as Ebola, AIDS,
avian influenza and SARS are caused by viruses. The relative ability of viruses to
cause disease is described in terms of virulence. Viruses have different mechanisms
by which they produce disease in an organism, which largely depends on the species.
Mechanisms at the cellular level primarily include cell lysis, the breaking open and
subsequent death of the cell. In multicellular organisms, if enough cells die the whole
organism will start to suffer the effects. Although viruses cause disruption of healthy
homeostasis, resulting in disease, they may exist relatively harmlessly within an
organism. An example would include the ability of the herpes simplex virus, which
cause cold sores, to remain in a dormant state within the human body. This is called
latency, and is a characteristic of the herpes viruses including the Epstein-Barr virus,
which causes glandular fever, and the Varicella zoster virus, which causes chicken
pox. Latent chickenpox infections return in later life as the disease called shingles.

Some viruses can cause life-long or chronic infections, where the viruses continue to
replicate in the body despite the hosts' defense mechanisms, for examples the
infections by HIV and hepatitis C virus. Viral infections in human and animal hosts
usually result in an immune response and disease. Often, a virus is completely
eliminated by the immune system. Antibiotics have no effect on viruses, but antiviral
drugs have been developed to treat life-threatening infections. Vaccines that produce
lifelong immunity can prevent viral infections.

Biologists debate whether or not viruses are living organisms. Some consider them
non-living as they do not meet all the criteria used in the common definitions of life.
For example, unlike most organisms, viruses do not have cells. However, viruses have
genes and evolve by natural selection. Others have described them as organisms at
the edge of life.
List of viruses
Enteric Adenoviruses

Herpes simplex virus

Leukemia cells that contain Epstein Barrvirus

Computer virus
A computer virus is a computer program that can copy itself and infect a computer
without permission or knowledge of the user. The term "virus" is also commonly used,
albeit erroneously, to refer to many different types of malware and adware programs.
The original virus may modify the copies, or the copies may modify themselves, as
occurs in a metamorphic virus. A virus can only spread from one computer to another
when its host is taken to the uninfected computer, for instance by a user sending it
over a network or the Internet, or by carrying it on a removable medium such as a
floppy disk, CD, or USB drive. Meanwhile viruses can spread to other computers by
infecting files on a network file system or a file system that is accessed by another
computer. Viruses are sometimes confused with computer worms and Trojan horses.
A worm can spread itself to other computers without needing to be transferred as
part of a host, and a Trojan horse is a file that appears harmless. Worms and Trojans
may cause harm to either a computer system's hosted data, functional performance,
or networking throughput, when executed. In general, a worm does not actually harm
either the system's hardware or software, while at least in theory, a Trojan's payload
may be capable of almost any type of harm if executed. Some can't be seen when the
program is not running, but as soon as the infected code is run, the Trojan horse
kicks in. That is why it is so hard for people to find viruses and other malware
themselves and why they have to use spyware programs and registry processors.

Most personal computers are now connected to the Internet and to local area
networks, facilitating the spread of malicious code. Today's viruses may also take
advantage of network services such as the World Wide Web, e-mail, Instant
Messaging and file sharing systems to spread, blurring the line between viruses and
worms. Furthermore, some sources use an alternative terminology in which a virus is
any form of self-replicating malware.

Some malware is programmed to damage the computer by damaging programs,

deleting files, or reformatting the hard disk. Other malware programs are not
designed to do any damage, but simply replicate themselves and perhaps make their
presence known by presenting text, video, or audio messages. Even these less
sinister malware programs can create problems for the computer user. They typically
take up computer memory used by legitimate programs. As a result, they often cause
erratic behavior and can result in system crashes. In addition, much malware is bug-
ridden, and these bugs may lead to system crashes and data loss. Many CiD
programs are programs that have been downloaded by the user and pop up every so
often. This results in slowing down of the computer, but it is also very difficult to find
and stop the problem.
Computer virus timeline
Theories for self-replicating programs are first developed.
Apple Viruses 1, 2, and 3 are some of the first viruses in the world or in the
public domain. Found on the Apple II operating system, the viruses spread
through Texas A&M via pirated computer games.
Fred Cohen, while working on his dissertation, formally defines a computer virus
as “a computer program that can affect other computer programs by modifying
them in such a way as to include a (possibly evolved) copy of itself.”
Two programmers named Basit and Amjad replace the executable code in the
boot sector of a floppy disk with their own code designed to infect each 360kb
floppy accessed on any drive. Infected floppies had “© Brain” for a volume
The Lehigh virus, one of the first file viruses, infects files.
One of the most common viruses, Jerusalem, is unleashed. Activated every
Friday the 13th, the virus affects both .exe and .com files and deletes any
programs run on that day.
MacMag and the Scores virus cause the first major Macintosh outbreaks.
Symantec launches Norton AntiVirus, one of the first antivirus programs
developed by a large company.
Tequila is the first widespread polymorphic virus found in the wild. Polymorphic
viruses make detection difficult for virus scanners by changing their appearance
with each new infection.
1300 viruses are in existence, an increase of 420% from December of 1990.
The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that turns
ordinary viruses into polymorphic viruses. The Virus Creation Laboratory (VCL)
is also made available. It is the first actual virus creation kit.
Good Times email hoax tears through the computer community. The hoax
warns of a malicious virus that will erase an entire hard drive just by opening an
email with the subject line “Good Times.” Though disproved, the hoax
resurfaces every six to twelve months.
Word Concept becomes one of the most prevalent viruses in the mid-1990s. It
is spread through Microsoft Word documents.
Baza, Laroux (a macro virus), and Staog viruses are the first to infect
Windows95 files, Excel, and Linux respectively.
Currently harmless and yet to be found in the wild, StrangeBrew is the first
virus to infect Java files. The virus modifies CLASS files to contain a copy of
itself within the middle of the file's code and to begin execution from the virus
The Chernobyl virus spreads quickly via .exe files. As the notoriety attached to
its name would suggest, the virus is quite destructive, attacking not only files
but also a certain chip within infected computers.
Two California teenagers infiltrate and take control of more than 500 military,
government, and private sector computer systems.

The Melissa virus, W97M/Melissa, executes a macro in a document attached to
an email, which forwards the document to 50 people in the user's Outlook
address book. The virus also infects other Word documents and subsequently
mails them out as attachments. Melissa spread faster than any previous virus,
infecting an estimated 1 million PCs.
Bubble Boy is the first worm that does not depend on the recipient opening an
attachment in order for infection to occur. As soon as the user opens the email,
Bubble Boy sets to work.
Tristate is the first multi-program macro virus; it infects Word, Excel, and
PowerPoint files.
The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook,
much like Melissa. The virus comes as a VBS attachment and deletes files,
including MP3, MP2, and .JPG. It also sends usernames and passwords to the
virus's author.
W97M.Resume.A, a new variation of the Melissa virus, is determined to be in
the wild. The “resume” virus acts much like Melissa, using a Word macro to
infect Outlook and spread itself.
The “Stages” virus, disguised as a joke email about the stages of life, spreads
across the Internet. Unlike most previous viruses, Stages is hidden in an
attachment with a false “.txt” extension, making it easier to lure recipients into
opening it. Until now, it has generally been safe to assume that text files are
“Distributed denial-of-service” attacks by hackers knock Yahoo, eBay, Amazon,
and other high profile web sites offline for several hours.
Shortly after the September 11th attacks, the Nimda virus infects hundreds of
thousands of computers in the world. The virus is one of the most sophisticated
to date with as many as five different methods of replicating and infecting
systems. The “Anna Kournikova” virus, which mails itself to persons listed in the
victim's Microsoft Outlook address book, worries analysts who believe the
relatively harmless virus was written with a “tool kit” that would allow even the
most inexperienced programmers to create viruses. Worms increase in
prevalence with Sircam, CodeRed, and BadTrans creating the most problems.
Sircam spreads personal documents over the Internet through email. CodeRed
attacks vulnerable webpages, and was expected to eventually reroute its attack
to the White House homepage. It infected approximately 359,000 hosts in the
first twelve hours. BadTrans is designed to capture passwords and credit card
Author of the Melissa virus, David L. Smith, is sentenced to 20 months in
federal prison. The LFM-926 virus appears in early January, displaying the
message “Loading.Flash.Movie” as it infects Shockwave Flash (.swf) files.
Celebrity named viruses continue with the “Shakira,” “Britney Spears,” and
“Jennifer Lopez” viruses emerging. The Klez worm, an example of the
increasing trend of worms that spread through email, overwrites files (its
payload fills files with zeroes), creates hidden copies of the originals, and
attempts to disable common anti-virus products. The Bugbear worm also makes
it first appearance in September. It is a complex worm with many methods of
infecting systems.
In January the relatively benign “Slammer” (Sapphire) worm becomes the
fastest spreading worm to date, infecting 75,000 computers in approximately
ten minutes, doubling its numbers every 8.5 seconds in its first minute of
infection. The Sobig worm becomes the one of the first to join the spam
community. Infected computer systems have the potential to become spam
relay points and spamming techniques are used to mass-mail copies of the
worm to potential victims.
In January a computer worm, called MyDoom or Novarg, spreads through
emails and file-sharing software faster than any previous virus or worm.
MyDoom entices email recipients to open an attachment that allows hackers to
access the hard drive of the infected computer. The intended goal is a “denial of
service attack” on the SCO Group, a company that is suing various groups for
using an open-source version of its Unix programming language. SCO offers a
$250,000 reward to anyone giving information that leads to the arrest and
conviction of the people who wrote the worm.
An estimated one million computers running Windows are affected by the fast-
spreading Sasser computer worm in May. Victims include businesses, such as
British Airways, banks, and government offices, including Britain's Coast Guard.
The worm does not cause irreparable harm to computers or data, but it does
slow computers and cause some to quit or reboot without explanation. The
Sasser worm is different than other viruses in that users do not have to open a
file attachment to be affected by it. Instead, the worm seeks out computers
with a security flaw and then sabotages them. An 18-year-old German high
school student confessed to creating the worm. He's suspected of releasing
another version of the virus.

Virus Origins
Computer viruses are called viruses because they share some of the traits of
biological viruses. A computer virus passes from computer to computer like a
biological virus passes from person to person.
Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus
must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery
to reproduce itself. In some cases, the cell fills with new viral particles until it bursts,
releasing the virus. In other cases, the new virus particles bud off the cell one at a
time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on
top of some other program or document in order to launch. Once it is running, it can
infect other programs or documents. Obviously, the analogy between computer and
biological viruses stretches things a bit, but there are enough similarities that the
name sticks.

Virus History
Traditional computer viruses were first widely seen in the late 1980s, and they came
about because of several factors. The first factor was the spread of personal
computers (PCs). Prior to the 1980s, home computers were nearly non-existent or
they were toys. Real computers were rare, and they were locked away for use by
"experts." During the 1980s, real computers started to spread to businesses and
homes because of the popularity of the IBM PC (released in 1982) and the Apple
Macintosh (released in 1984). By the late 1980s, PCs were widespread in businesses,
homes and college campuses.

Floppy disks were factors in the

distribution of computer viruses.

Virus Evolution
As virus creators became more sophisticated, they learned new tricks. One important
trick was the ability to load viruses into memory so they could keep running in the
background as long as the computer remained on. This gave viruses a much more
effective way to replicate themselves. Another trick was the ability to infect the boot
sector on floppy disks and hard disks. The boot sector is a small program that is the
first part of the operating system that the computer loads. It contains a tiny program
that tells the computer how to load the rest of the operating system. By putting its
code in the boot sector, a virus can guarantee it is executed. It can load itself into
memory immediately and run whenever the computer is on. Boot sector viruses can
infect the boot sector of any floppy disk inserted in the machine, and on college
campuses, where lots of people share machines, they could spread like wildfire.
In general, neither executable nor boot sector viruses are very threatening any
longer. The first reason for the decline has been the huge size of today's programs.
Nearly every program you buy today comes on a compact disc. Compact discs
(CDs) cannot be modified, and that makes viral infection of a CD unlikely, unless the
manufacturer permits a virus to be burned onto the CD during production. The
programs are so big that the only easy way to move them around is to buy the CD.
People certainly can't carry applications around on floppy disks like they did in the
1980s, when floppies full of programs were traded like baseball cards. Boot sector
viruses have also declined because operating systems now protect the boot sector.
Infection from boot sector viruses and executable viruses is still possible. Even so, it
is a lot harder, and these viruses don't spread nearly as quickly as they once did. Call
it "shrinking habitat," if you want to use a biological analogy. The environment of
floppy disks, small programs and weak operating systems made these viruses
possible in the 1980s, but that environmental niche has been largely eliminated by
huge executables, unchangeable CDs and better operating system safeguards.

How to Protect Your Computer from Viruses

You can protect yourself against viruses with a few simple steps:
• If you are truly worried about traditional (as opposed to e-mail) viruses,
you should be running a more secure operating system like UNIX. You never
hear about viruses on these operating systems because the security
features keep viruses (and unwanted human visitors) away from your hard

• If you are using an unsecured operating system, then buying virus

protection software is a nice safeguard.

• If you simply avoid programs from unknown sources (like the

Internet), and instead stick with commercial software purchased on CDs,
you eliminate almost all of the risk from traditional viruses.

• You should make sure that Macro Virus Protection is enabled in all
Microsoft applications, and you should NEVER run macros in a document
unless you know what they do. There is seldom a good reason to add
macros to a document, so avoiding all macros is a great policy.

• You should never double-click on an e-mail attachment that contains

an executable. Attachments that come in as Word files (.DOC),
spreadsheets (.XLS), images (.GIF), etc., are data files and they can do no
damage (noting the macro virus problem in Word and Excel documents
mentioned above). However, some viruses can now come in through .JPG
graphic file attachments. A file with an extension like EXE, COM or VBS is an
executable, and an executable can do any sort of damage it wants. Once
you run it, you have given it permission to do anything on your machine.
The only defense is never to run executables that arrive via e-mail.
Open the Options dialog from the Tools menu in
Microsoft Word and make sure that Macro Virus Protection is enabled. Newer versions of Word allow you to
the level of macro protection you use.

Filtering Software Protects Your Computer Before Something Happens

Statistics of growth of viruses
Computer virus incident reports

The Computer Virus & Unauthorized Computer Access Countermeasures Group (VUAC)
receives reports about detections and damage caused by intrusive computer viruses. The
VUAC operates Anti-Computer-Virus Committee, whose members are representatives from
associations of IT industries and academies.
They analyze the accumulated incident reports and endeavor in devising countermeasures.
The results of their investigations as well as recommendations are publicized monthly
through the media such as newspapers and magazines.

Computer Virus Incident Reports [Summary]

The worst virus ever !

There were approximately 10,000 reports for W32/Klez in one year ! !
This is a summary of Computer Virus Incident Reports for December 2002 and for the
year 2002 compiled by IPA: Information-technology Promotion Agency.

1. Computer Virus Incident Reports

1-1. Annual virus incident report for 2002

-- W32/Klez had the worst number of reports ever --

In 2002, 20,352 reports were submitted to IPA, and the number decreased slightly
compared from 2001 having 24,261 reports. W32/Klez had the worst number
reported for 9 consecutive months, having 9,648 reports (approximately 50% of
total), which made a single virus to have the worst number of reports ever for a
year. This was followed by W32/Badtrans having 3,336 reports and W32/Hybris having
870 reports.

For more information, please refer to "Computer Virus Detection Incident Reports in 2002"

1-2. December computer virus incident reports

In December, 1,135 reports were submitted to IPA (November: 1,408 reports). The top
number of viruses reported were W32/Klez having 465 reports with new variants
having subjects such as "Happy Christmas" and "Happy New year", W32/Bugbear
having 133 reports, and W32/Opaserv and VBS/Redlof, having 67 reports.

In addition, an alert was announced for a massive spread of virus mail during the year
change period since there was a concern, but there was no serious viral damage.

Caution necessary for infection through web page ! !

There are viruses, such as VBS/Redlof , where infection is obtained just by

browsing a web page . When infected with this virus, infection is spread through ways
provided below.

*Infected computer will record the virus program in the body of the sending e-mail
, hence spreads the infection.

*Infects HTML and other files on the computer, and when the infected file is uploaded on
the web page without noticing this, infection will spread to people who browse the
web page.

Especially, there are more cases where one gets infected through browsing a web page,
so caution is necessary.

There are various ways for virus infection to happen. The most common type is obtained
through attached file on the e-mail, such as W32/Klez and W32/Bugbear. But there
are infections obtained from browsing a web page, such as W32/Nimda and
VBS/Redlof, and infections obtained from shared network, such as W32/Opaserv.

In order to prevent infection damages through various paths from happening, it is

essential to use the anti-virus software with the latest version of virus detecting
data file on a constant monitoring setting.

3 steps for anti virus software

1.Must be installed === Necessity for countermeasure

2.Appropriate setting === Constant monitoring setting is effective
3.Updating virus detecting data file === New virus emerges everyday Update at
least once a week !

Status of damage report

The pie charts show the result of analysis of the computer virus damage cases reported in

Statistics of computer virus damage reports

Note)14 cases reported between April and December in 1990, 57 cases reported in 1991,
253 cases reported in 1992, 897 cases reported in 1993, 1127 cases reported in 1994,
668 cases reported in 1995, 755 cases reported in 1996, 2391 cases in 1997, and 2035
cases in 1998.
Information security seminars

ISEC hosts Information security seminars all over Japan in every year. In 2001, 13
seminars were held from Hokkaido to Okinawa, in which computer virus countermeasures,
and unauthorized computer access countermeasures.

The VUAC conducts the following activities to promote computer virus prevention
= Help Desk (Tel, Fax,E-mail)
= Exhibition at computer-related shows
= Distribution of anti-virus brochures and CD-ROMs
= Anti-virus WEB site
= Anti-virus articles on magazines and papers
= Information exchange with anti-virus software vendors

Investigation of actual damage by computer viruses in Japan

The VUAC conducts a questionnaire survey to estimate the actual status of damage due to
computer virus in Japan.
Investigation of number of damaged bodies
1995 1996 1997 1998 1999 2000

Government and municipal

84 91 99 82 71 101

Public organization and

212 215 158 154 179 162

Private industries 893 1,094 1,013 1,334 1,279 1,410

Total 1,189 1,400 1,270 1,570 1,529 1,673

number of damaged 158 482 482 614 661 824

bodies (14.2%) (17.9%) (38.6%) (39.8%) (44.1%) (49.3%)

What are the Types of Computer Viruses?

Computer viruses are generally defined as a program inputted into a computer that
allows replication of the program installed. As it replicates, the program intentionally
infects the computer, typically without even the user knowing about the damage
being done. A virus, unlike worms or Trojan horses, needs an aid to transfer them to
computers. Viruses usually take a large amount of computer memory, resulting into
system crashes. Viruses are categorized to several parts based on its features.

Computer Virus is a kind of malicious software written intentionally to enter a

computer without the user’s permission or knowledge, with an ability to replicate
itself, thus continuing to spread. Some viruses do little but replicate others can cause
severe harm or adversely effect program and performance of the system. A virus
should never be assumed harmless and left on a system. Most common types of
viruses are mentioned below:

Resident Viruses
This type of virus is a permanent which dwells in the RAM memory. From there it can
overcome and interrupt all of the operations executed by the system: corrupting files
and programs that are opened, closed, copied, renamed etc.

Examples include: Randex, CMJ, Meve, and MrKlunky.

Direct Action Viruses

The main purpose of this virus is to replicate and take action when it is executed.
When a specific condition is met, the virus will go into action and infect files in the
directory or folder that it is in and in directories that are specified in the
AUTOEXEC.BAT file PATH. This batch file is always located in the root directory of the
hard disk and carries out certain operations when the computer is booted.

Overwrite Viruses
Virus of this kind is characterized by the fact that it deletes the information contained
in the files that it infects, rendering them partially or totally useless once they have
been infected.

The only way to clean a file infected by an overwrite virus is to delete the file
completely, thus losing the original content.

Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

Boot Virus
This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part
of a disk, in which information on the disk itself is stored together with a program
that makes it possible to boot (start) the computer from the disk.

The best way of avoiding boot viruses is to ensure that floppy disks are write-
protected and never start your computer with an unknown floppy disk in the disk

Examples of boot viruses include: Polyboot.B, AntiEXE.

Macro Virus
Macro viruses infect files that are created using certain applications or programs that
contain macros. These mini-programs make it possible to automate series of
operations so that they are performed as a single action, thereby saving the user
from having to carry them out one by one.

Examples of macro viruses: Relax, Melissa.A, Bablas, O97M/Y2K.

Directory Virus

Directory viruses change the paths that indicate the location of a file. By executing a
program (file with the extension .EXE or .COM) which has been infected by a virus,
you are unknowingly running the virus program, while the original file and program
have been previously moved by the virus.

Once infected it becomes impossible to locate the original files.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different
algorithms and encryption keys) every time they infect a system.

This makes it impossible for anti-viruses to find them using string or signature
searches (because they are different in each encryption) and also enables them to
create a large number of copies of themselves.

Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

File Infectors
This type of virus infects programs or executable files (files with an .EXE or .COM
extension). When one of these programs is run, directly or indirectly, the virus is
activated, producing the damaging effects it is programmed to carry out. The majority
of existing viruses belong to this category, and can be classified depending on the
actions that they carry out.

Companion Viruses
Companion viruses can be considered file infector viruses like resident or direct action
types. They are known as companion viruses because once they get into the system
they "accompany" the other files that already exist. In other words, in order to carry
out their infection routines, companion viruses can wait in memory until a program is
run (resident viruses) or act immediately by making copies of themselves (direct
action viruses).

Some examples include: Stator, Asimov.1539, and Terrax.1069

FAT Virus
The file allocation table or FAT is the part of a disk used to connect information and is
a vital part of the normal functioning of the computer.
This type of virus attack can be especially dangerous, by preventing access to certain
sections of the disk where important files are stored. Damage caused can result in
information losses from individual files or even entire directories.

A worm is a program very similar to a virus; it has the ability to self-replicate, and
can lead to negative effects on your system and most importantly they are detected
and eliminated by antiviruses.

Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.

Trojans or Trojan Horses

Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike
viruses do not reproduce by infecting other files, nor do they self-replicate like

Logic Bombs
They are not considered viruses because they do not replicate. They are not even
programs in their own right but rather camouflaged segments of other programs.

Their objective is to destroy data on the computer once certain conditions have been
met. Logic bombs go undetected until launched, and the results can be destructive.

Antivirus software are computer programs that attempt to identify, neutralize or
eliminate malicious software. The term "antivirus" is used because the earliest
examples were designed exclusively to combat computer viruses; however most
modern antivirus software is now designed to combat a wide range of threats,
including worms, phishing attacks, rootkits, trojan horses and other malware.
Antivirus software typically uses two different approaches to accomplish this:

• examining (scanning) files to look for known viruses matching definitions in a

virus dictionary, and
• identifying suspicious behavior from any computer program which might
indicate infection.

The second approach is called heuristic analysis. Such analysis may include data
captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis
on the virus dictionary approach. Although some people consider network firewalls to
be a type of antivirus software, this categorization is not correct

In the virus dictionary approach, when the antivirus software looks at a file, it refers
to a dictionary of known viruses that the authors of the antivirus software have
identified. If a piece of code in the file matches any virus identified in the dictionary,
then the antivirus software can take one of the following actions:
1. attempt to repair the file by removing the virus itself from the file,
2. quarantine the file (such that the file remains inaccessible to other programs
and its virus can no longer spread), or
3. delete the infected file.

To achieve consistent success in the medium and long term, the virus dictionary
approach requires periodic (generally online) downloads of updated virus dictionary
entries. As civically-minded and technically-inclined users identify new viruses "in the
wild", they can send their infected files to the authors of antivirus software, who then
include information about the new viruses in their dictionaries.

Dictionary-based antivirus software typically examines files when the computer's

operating system creates, opens, closes, or e-mails them. In this way it can detect a
known virus immediately upon receipt. Note too that a System Administrator can
typically schedule the antivirus software to examine (scan) all files on the computer's
hard disk on a regular basis.

• eScan AntiVirus
• ArcaVir by
• avast!
• Avira
• AVG Anti-Virus
• BitDefender
• BullGuard
• CA Anti-Virus
• Cisco Security Agent
• Dr.Web
• DriveSentry (antivirus, antispyware and HIPS technologies)
• eSafe
• Fortinet FortiClient End Point Security
• F-Secure
• G DATA AntiVirus
• IKARUS antivirus
• INCA Internet
• Kaspersky Anti-Virus
• LinuxShield
• McAfee VirusScan
• Mks vir
• NOD32
• Norman ASA
• Norton AntiVirus
• Panda Security
• PC Tools AntiVirus
• Rising AntiVirus
• Sophos Anti-Virus
• Trend Micro Internet Security
• TrustPort Antivirus -AEC
• Vba32 AntiVirus
• Virus Chaser
• Windows Live OneCare
• ZoneAlarm


• Avira AntiVir Personal - Free Antivirus

• AOL Active Virus Shield (no longer available via AOL)
• AVG Anti-Virus Free (Registerware, Nagware)
• avast! Home (Registerware)
• BitDefender Free version does not provide real time scanning
• Comodo AntiVirus
• DriveSentry Fully functional free version
• F-PROT (for Linux, FreeBSD and DOS only)
• PC Tools AntiVirus Free Edition


• Clam AntiVirus
• ClamWin
• OpenAntiVirus
• Winpooch
• Untangle


• Cyberhawk (now ThreatFire AntiVirus)

• Eliashim (now eSafe)
• The Antidote and Antidote SuperLite

on- on- Signature Signature False Proactiv
Anti-Virus Windows Mac OS Linux FreeBSD Unix License
demand access Detection Detection Positives Detectio
Software X
scan scan count[1] %[1] [1]
Avira AntiVir
Personal -
Yes No Yes Yes Yes Freeware Yes Yes 1,020,627 99.6% 1 Good
Avira AntiVir Proprietary
Yes No Yes Yes Yes Yes Yes 1,020,627 99.6% 1 Good
Premium (commercial)
AOL Active
Yes No No No No Freeware Yes Yes
Virus Shield
Avast! Yes Yes Yes No No Yes Yes 1,018,204 99.4% 2 Satisfacto
Avast! Home Yes Yes Yes No No Yes Yes 1,018,204 99.4% 2 Satisfacto
AVG Anti- Proprietary
Yes No Yes Yes No Yes Yes 1,005,006 98.1% 1 Satisfacto
Virus (commercial)
AVG Anti-
Yes No Yes No No (commercial) Yes Yes 1,005,006 98.1% 1 Satisfacto
Virus Free
AVK 2008 Proprietary
Yes No No No No Yes Yes 1,022,418 99.8% 2 Good
(G DATA) (Commercial)
BitDefender Yes No Yes Yes No Yes Yes 1,003,902 98.0% 2 Very Goo
BitDefender Yes (with
Yes No No No No Freeware Yes 1,003,902 98.0% 2 Very Goo
Free Edition Winpooch)
BullGuard Yes No No No No Yes Yes
Clam see see KlamAV
Yes Yes GPL Yes No 791,505 77.3% 3 Poor
AntiVirus ClamWin ClamXav and
Yes (with
ClamWin Yes No No No No GPL Yes 791,505 77.3% 3 Poor
729,233 71.2% 1 Poor
Yes Freeware Yes Yes
Dr Web 887,736 86.7% 2 Good
eTrust-VET 566,161 55.3% 0 Poor
FortiClient Proprietary
Yes No No No No Yes Yes 957,558 93.5% >3 Very Goo
End Point (commercial)
F-Prot Yes No Yes Yes Yes Proprietary Yes Yes 1,003,731 96.3% 1 Poor
Kaspersky Yes (SMB
Yes No No Proprietary Yes Yes 1,003,470 98.0% 2 Good
Anti-Virus (BETA) and
McAfee Proprietary
Yes Yes Yes Yes Yes Yes Yes 959,919 93.7% 0 Good
VirusScan (commercial)
Metascan Yes No No Yes Yes Yes Yes
Moon Secure
Yes No No No No GPL Yes Yes
NOD32 Yes No Yes Yes No Yes Yes 953,936 93.1% 1 Very Goo
AntiVirus Yes Yes Yes Yes No Proprietary Yes Yes 1,006,849 98.3% 0 Good
Panda Proprietary
Yes No Yes No No Yes Yes 979,409 95.6% 2 Very Goo
Antivirus (commercial)
PC Tools Proprietary
Yes Yes No No No Yes Yes
AntiVirus (commercial)
Protector Proprietary
Yes No No No No Yes Yes
Plus (commercial)
Sophos Anti-
Yes Yes Yes Yes Yes Proprietary Yes Yes 1,001,655 97.8% 1 Very Goo
on- on- Signature Proactiv
Anti-Virus Mac OS Detection False
Windows Linux FreeBSD Unix License demand access Detection Detectio
Software X on- Positives
scan scan %[1] (HIPS)[

Monthly Malware Statistics for July 2008

The format of the 'Virus Top Twenty' reports from Kaspersky Lab has changed as of
July 2008. The previous method used to compile these reports and to assess the
current threat landscape was based on data generated by analysing email traffic and
the files checked using our Online Scanner. However, this method no longer provides
an accurate reflection of the changing nature of malicious threats; email is no longer
the main attack vector, and our data shows that malicious programs make up a very
small proportion of all mail traffic.

From July 2008 onwards, the Top Twenty will be composed using data generated by
Kaspersky Security Network (KSN), a new technology implemented in the 2009
personal product line. This data not only makes it possible for Kaspersky Lab to get
timely information about threats and to track their evolution, but also makes it
possible for us to detect unknown threats, and roll out that protection to users, as
quickly as possible.

The 2009 personal products haven't been officially launched in all countries, e.g. in
Russian and the USA. The data presented in this report therefore provides an
objective reflection of the threat landscape in the majority of European and Asian
countries. However, in the near future, such reports will include data provided by
users in other countries of the world.

The data received from KSN in July 2008 has been used to compile the following

The first is a ranking of the most widespread malicious, advertising, and potentially
unwanted programs. The figures given are a percentage of the number of computers
on which threats were detected.

Position Name
1 Trojan.Win32.DNSChanger.ech
2 Trojan-Downloader.WMA.Wimad.n
3 Trojan.Win32.Monderb.gen
4 Trojan.Win32.Monder.gen
6 Trojan.Win32.Monderc.gen
7 not-a-virus:AdWare.Win32.Shopper.v
9 Trojan.Win32.Agent.abt
10 Worm.VBS.Autorun.r
11 Trojan.Win32.Agent.rzw
12 Trojan-Downloader.Win32.CWS.fc
15 Trojan-Downloader.Win32.Agent.xvu
17 Trojan.Win32.Agent.sav
18 Trojan-Downloader.Win32.Obitel.a
19 Trojan.Win32.Chifrax.a
20 Trojan.Win32.Agent.tfc

As the rating is only compiled using data received during the course of a single
month, it's very hard to make any predictions. However, future reports will include
such forecasts.

Nonetheless, it is possible to divide all the malicious and potentially unwanted

programs shown above into the fundamental classes used by Kaspersky Lab in its
classification: TrojWare, VirWare, AdWare and Other MalWare.

Clearly, most of the time, victim machines are attacked by a wide range of Trojan

Overall, in July 2008, there were 20704 unique malicious, advertising, and potentially
unwanted programs detected on users' computers. Our data indicates that out of
these, approximately 20000 of them were found in the wild. The second Top Twenty
provides figures on the most common malicious programs among all infected objects

Position Name
1 Trojan.Win32.DNSChanger.ech
1 Virus.Win32.Virut.q
2 Worm.Win32.Fujack.ap
3 Net-Worm.Win32.Nimda
4 Virus.Win32.Hidrag.a
5 Virus.Win32.Neshta.a
6 Virus.Win32.Parite.b
7 Virus.Win32.Sality.z
8 Virus.Win32.Alman.b
9 Virus.Win32.Virut.n
10 Virus.Win32.Xorer.du
11 Worm.Win32.Fujack.aa
12 Worm.Win32.Otwycal.g
13 Worm.Win32.Fujack.k
14 Virus.Win32.Parite.a
15 Trojan-Downloader.WMA.GetCodec.d
16 Virus.Win32.Sality.l
17 Virus.Win32.Sality.s
18 Worm.Win32.Viking.ce
19 Worm.VBS.Headtail.a
20 Net-Worm.Win32.Allaple.b

The majority of the programs listed above are able to infect files. The figures given
are interesting as they indicate the spread of threats which need to be disinfected,
rather than simply dealt with by deleting infected objects.

Virus Top 20 for May 2008

Position in Name Percentage
Detection Flag
1. 0 Email-Worm.Win32.NetSky.q Trojan.generic 23.12
2. +1 Email-Worm.Win32.NetSky.y Trojan.generic 9.70
3. +2 Email-Worm.Win32.Scano.gen Trojan.generic 9.63
4. +4 Email-Worm.Win32.Nyxem.e Trojan.generic 6.75
5. -3 Email-Worm.Win32.NetSky.d Trojan.generic 6.27
6. Return Email-Worm.Win32.NetSky.x Trojan.generic 4.44
7. -1 Email-Worm.Win32.NetSky.aa Trojan.generic 3.74
8. Return Email-Worm.Win32.NetSky.b Trojan.generic 3.26
9. -5 Trojan.generic 2.75
10. Return Net-Worm.Win32.Mytob.u Worm.P2P.generic 2.60
11. +6 Net-Worm.Win32.Mytob.c Trojan.generic 2.40
12. 0 Trojan.generic 2.09
13. Return Email-Worm.Win32.NetSky.r Trojan.generic 1.98
14. +4 Email-Worm.Win32.NetSky.t Trojan.generic 1.94
15. Return Trojan.generic 1.65
16. -5 Email-Worm.Win32.Bagle.gen Trojan.generic 1.39
17. -4 Email-Worm.Win32.Mydoom.l Worm.P2P.generic 1.19
18. Return Net-Worm.Win32.Mytob.t Worm.P2P.generic 1.08
19. -3 Email-Worm.Win32.NetSky.c Trojan.generic 0.97
20. New! Worm.P2P.generic 0.90
Other malicious programs 12.15

The May 2008 Email Top Twenty is a short one; this is explained by the well-known
fact that virus writers take a break over the summer months. The complete absence
of any epidemics in mail traffic, which is obvious from even a cursory glance at this
month's rankings, bears this out.

In fact, the only significant change to the rankings was caused by the re-entry of a
few worms which have been in circulation for several years now.

Trojan-Downloader programs such as Agent.ica, Agent.hsl, and Diehard that were

active during the first four months of 2008 disappeared without trace in May.

The Warezov and Zhelatin worms have not reappeared since dropping out of the Top
Twenty back in February. The authors have stopped sending out the executable
components of the worms by email, confining themselves to distributing the code via
links on infected websites.

This does mean that the threat posed by malicious code in email has declined.
However, phishing and spam continue to pose very real threats and have the potential
to create just as big a problem for the end user.

Other malicious programs made up a significant percentage (12.15%) of all malicious

code found in mail traffic.

The Top Twenty countries which acted as sources of infected emails in May are shown
Position Change Country Percentage
1 0 USA 21.72
2 +5 Poland 13.18
3 -1 South Korea 7.88
4 -1 Spain 5.85
5 -1 China 5.15
6 0 France 4.07
7 +1 Germany 3.54
8 -1 Brazil 3.49
9 0 United 2.83
10 -2 India 2.82
11 -1 Italy 2.66
12 -1 Isreal 1.80
13 0 Japan 1.66
14 +5 Canada 1.15
15 +2 The 1.07
16 -1 Turkey 1.05
17 -1 Australia 1.03
18 -4 Argentina 1.02
19 +1 Russia 0.99
20 New! Austria 0.91
Other Countries 16.13


• Moved up: Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Scano.gen, Email-

Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.t.

• Moved down: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.aa,, Email-Worm.Win32.Bagle.gen, Email-
Worm.Win32.Mydoom.l, Email-Worm.Win32.NetSky.c.

• Returned: Email-Worm.Win32.NetSky.x, Email-Worm.Win32.NetSky.b, Net-

Worm.Win32.Mytob.u, Email-Worm.Win32.NetSky.r,,

• No change: Email-Worm.Win32.NetSky.q,

There are lots of viruses in the world and new viruses are coming up every day. There are new anti-
virus programs and techniques developed too. It is good to be aware of viruses and other malware
and it is cheaper to protect you environment from them rather then being sorry.

There might be a virus in your computer if it starts acting differently. There is no reason to panic if
the computer virus is found.

It is good to be a little suspicious of malware when you surf in the Internet and download files. Some
files that look interesting might hide a malware.

A computer virus is a program that reproduces itself and its mission is to spread out. Most viruses are
harmless and some viruses might cause random damage to data files.

A trojan horse is not a virus because it doesn't reproduce. The trojan horses are usually masked so
that they look interesting. There are trojan horses that steal passwords and formats hard disks.

Marco viruses spread from applications which use macros. Macro viruses spreads fast because
people share so much data, email documents and use the Internet to get documents. Macros are also
very easy to write.

Some people want to experiment how to write viruses and test their programming talent. At the same
time they do not understand about the consequences for other people or they simply do not care.

Viruses mission is to hop from program to other and this can happen via floppy disks, Internet FTP
sites, newsgroups and via email attachments. Viruses are mostly written for PC-computers and DOS

Viruses are not any more something that just programmers and computer specialist have to deal with.
Today everyday users have to deal with viruses.