Figure 8 Not in File

There are only three filename extensions that DOS will search for when an attempt is made to execute a file. They are .BAT, .COM and .EXE. Whenever something is typed at the DOS command line, the command
completed, the command interpreter checks whether it is an internal command, like DIR or CD. Since it is not, all directories listed by the PATH command are searched for a file called ATTRIB.COM. One is not found, so the search begins again, but for ATTRIB.EXE. This time, it should find ATTRIB, as it is an .EXE file. It will then be executed. If ATTRIB.EXE does not exist on your drive, DOS will search for ATTRIB.BAT before giving up and generating an error message. Companion viruses exploit this process. To infect ATTRIB.EXE, a companion virus creates a copy of itself in the same directory as the command itself, stores the name of the file it is infecting, then names the
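As an added illustration (not code from the paper), the search order described above turned into a check a defender can run over a directory listing: it resolves a command name the way the text describes, then flags every .EXE that a same-named .COM would be run instead of, which is the pattern a companion infection leaves behind. The PATH directories and file names in SAMPLE_LISTING are constructed.

```python
import os

# Extension order DOS tries for a typed command (as described above).
DOS_EXTENSIONS = (".COM", ".EXE", ".BAT")

# Constructed sample: a PATH of two directories and their contents (upper-cased).
# ATTRIB.COM sitting next to ATTRIB.EXE is the tell-tale companion pair.
SAMPLE_DIRS = ["C:\\DOS", "C:\\UTIL"]
SAMPLE_LISTING = {
    "C:\\DOS": {"ATTRIB.EXE", "ATTRIB.COM", "FORMAT.COM"},
    "C:\\UTIL": {"PKZIP.EXE", "BACKUP.BAT"},
}

def listing_from_disk(search_dirs):
    """Build the same {dir: set(upper-cased names)} structure from real directories."""
    out = {}
    for d in search_dirs:
        try:
            out[d] = {name.upper() for name in os.listdir(d)}
        except OSError:
            out[d] = set()  # unreadable or missing directory contributes nothing
    return out

def resolve_command(name, search_dirs, listing):
    """Return the (directory, filename) DOS would execute for `name`, or None.

    Following the description above, every directory is searched for NAME.COM
    before any directory is searched for NAME.EXE, and NAME.BAT comes last.
    """
    base = name.upper()
    for ext in DOS_EXTENSIONS:
        for d in search_dirs:
            if base + ext in listing.get(d, set()):
                return (d, base + ext)
    return None

def find_companion_candidates(search_dirs, listing):
    """Flag every .EXE that a same-named .COM shadows in the search order.

    Each finding is (command, intended .EXE, file DOS actually runs). An
    occasional legitimate .COM/.EXE pair may show up; each one still deserves a look.
    """
    findings = []
    for d in search_dirs:
        for fname in sorted(listing.get(d, set())):
            stem, ext = os.path.splitext(fname)
            if ext != ".EXE":
                continue
            actual = resolve_command(stem, search_dirs, listing)
            if actual != (d, fname) and actual[1].endswith(".COM"):
                findings.append((stem, (d, fname), actual))
    return findings
```

To run it against a real machine, pass `listing_from_disk(dirs)` as the listing instead of the constructed one.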
"macros" embedded in them. Macros are short snippets of code written in a language which is typically interpreted by the application, a language which provides enough functionality to write a virus. Thus, macro viruses are better thought of as data file infectors, but since their predominant form has been macros, the name has stuck. When a macro-containing document is loaded by the application, the macros can be caused to run automatically, which gives control to the macro virus. Some applications warn the user about the presence of macros in a document, but these warnings may be easily ignored. Concept's operation is shown in Figure 9. Word has a persistent, global set of macros which apply to all edited documents, and this is Concept's target: once installed in the global macros, it can infect all documents edited in the future. A document infected by Concept includes two macros that have special properties in Word.
- AutoOpen: Any code in the AutoOpen macro is run automatically when the file is opened. This is how an infected document gains control.
- FileSaveAs: The code in the FileSaveAs macro is run when its namesake menu item (File... Save As...) is selected. In other words, this code can be used to infect any as-yet uninfected document that is being saved by the user [3].
techniques they use to hide themselves, both from users and from anti-virus software.
- once the presence of a virus is known, it's trivial to detect and analyze.
5.4.2.2 Encryption
An encrypted virus is one whose virus body (infection, trigger, and payload) is encrypted in some way to make it harder to detect. When the virus body is in encrypted form, it is not runnable until decrypted. So the virus first executes a decryptor loop, which decrypts the virus body and transfers control to it. Figure 10 shows pseudo code for an encrypted virus. A decryptor loop can decrypt the virus body in place, or to another location; this choice may be dictated by external constraints, like the writability of the infected program's code [3].

Figure 10 Pseudo code for an encrypted virus

    for i in 0...length(body):
        decrypt body[i]
    goto decrypted_body
5.4.2.3 Stealth
Stealth viruses exploit various operating system functions to remain as invisible as possible. Many of these techniques make it virtually impossible to find a virus if it is in memory.

Some examples of stealth techniques: An infected file's original timestamp can be restored after infection, so that the file doesn't look freshly changed. The virus can store (or be capable of regenerating) all pre-infection information about a file, including its timestamp, file size, and the file's contents. Then, system I/O calls can be intercepted, and the virus would play back the original information in response to any I/O operations on the infected file, making it appear uninfected. This technique is applicable to boot block I/O too [3].
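An added example, not from the paper, of the countermeasure that restoring a file's timestamp and size cannot defeat: an offline integrity check (run from a clean boot, so the I/O interception above is not in play) that records a content hash alongside the metadata and reports files whose bytes changed while size and timestamp stayed the same. The demo() scenario and its file names are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot_file(path):
    # Size and mtime are what a stealth virus preserves; the hash is what it cannot fake offline.
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def snapshot_tree(root):
    # Snapshot every file under root, keyed by its path relative to root.
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = snapshot_file(full)
    return snap

def compare_snapshots(baseline, current):
    # 'stealth-modified': the bytes changed while size and timestamp still look untouched.
    report = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report[path] = "missing"
        elif new["sha256"] == old["sha256"]:
            continue
        elif new["size"] == old["size"] and new["mtime"] == old["mtime"]:
            report[path] = "stealth-modified"
        else:
            report[path] = "modified"
    for path in current.keys() - baseline.keys():
        report[path] = "new"
    return report

def demo():
    # Constructed scenario: HOST.EXE is overwritten with same-sized bytes and its old
    # timestamp is put back (the trick described above); NOTES.TXT gets an ordinary edit.
    with tempfile.TemporaryDirectory() as d:
        host, notes = Path(d, "HOST.EXE"), Path(d, "NOTES.TXT")
        host.write_bytes(b"M" * 64)
        notes.write_bytes(b"hello")
        baseline = snapshot_tree(d)
        st = os.stat(host)
        host.write_bytes(b"X" * 64)                  # same size, different content
        os.utime(host, (st.st_atime, st.st_mtime))   # restore the original mtime
        notes.write_bytes(b"hello!")                 # size changes: a normal modification
        return compare_snapshots(baseline, snapshot_tree(d))
```

In practice the baseline snapshot is written at a known-good time and kept off the scanned system, since a stealth virus resident in memory could otherwise answer the reads used to compute the hash.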
antivirus software. In order to challenge the antivirus software, virus writers invented new techniques to create mutated decryptors. Oligomorphic viruses, as described in , change their decryptors in new generations, unlike encrypted viruses. One very simple technique is to have several decryptors instead of one. The Whale virus was the first virus to use this technique. It carried a few dozen different decryptors and picked one randomly [9].
5.4.2.5 Polymorphism
The term polymorphic comes from the Greek words "poly", which means many, and "morphi", which means form. A polymorphic virus is a kind of virus that can take many forms. Polymorphic viruses can mutate their decryptors into a high number of different instances that take millions of different forms. They use their mutation engine to create a new decryption routine each time they infect a program. The new decryption routine has exactly the same functionality, but the sequence of instructions can be completely different. The mutation engine also generates an encryption routine to encrypt the static code of the virus before it infects a new file. Then the virus appends the new decryption routine together with the encrypted virus body onto the targeted file. Since the virus body is encrypted and the decryption routine is different for each infection, antivirus scanners cannot detect the virus by using search strings. Mutation engines are very complex programs, usually far more sophisticated than their accompanying viruses. Some of the more sophisticated mutation engines can generate several billion different decryption routines [9].
6. Conclusion
By the end of this paper we have covered the concepts of the computer virus, its mechanism, and how a virus infects a host. It is noted that writers of computer viruses use and develop many techniques to overcome antivirus software, so they introduce complex and sophisticated techniques. These techniques may be used to fight viruses or in beneficial programs. For example, the idea of file compression was first mentioned in a virus by Fred Cohen in 1984; disk encryption was also first introduced in a virus by Mark Ludwig. Finally, I can say that the computer virus is a good area to discover or develop