Brought to you by

Stacey Raimondi & Dan Brush

Definition
History The
Of a Virus
Virus Virus
Computer Of Encyclopedia Protection Protection
Virus Computer :Top 8
Viruses Picks

Viruses Top Viruses

in the Virus in the Work
Present New Future.. Cited Page
Stories
Viruses can infect your computer by reading, or even, previewing, email.
There are many ways that you can find out what these email infectors are and
take the steps to prevent an infection.
You can get a virus as easily as reading an email. A site called the “EMAIL
Help Center” can guide you on how to prevent this from happening to you or
those you send mail to.

You can test whether your email system is vulnerable to email viruses and
attacks such as emails containing mail attachments, web page HTML’s, and
many more types of computer processing that be infected with one of many
different types of viruses.

A computer virus is a self-replicating program containing code that explicitly

copies itself and that can "infect" other programs by modifying them or their
environment such that a call to an infected program implies a call to a possibly
evolved copy of the virus.
 Since the age of technology arose, and the twentieth century
of computers came about, there have always been an attempt from
those trying to be “smarter” then the average computer, (or
computer user, for that matter). It was the very famous Fred Cohen
who "wrote the book" on computer viruses. He was the soul in the
development of a theoretical, and mathematical model of computer
virus behavior. He was able to use his logic to test several hypothesis
about computer virus’s. Cohen's very own, and well-known, informal
definition is "a computer virus is a computer program that can
infect other computer programs by modifying them in such a
way as to include a (possibly evolved) copy of itself". This does
not mean that a computer has to undergo actual destruction(such as
deleting or corrupting files) in order to be classified as a "virus" by
Cohen’s definition. Many people use the term "virus" loosely to cover
any sort of program that tries to hide its possible destructive
functions and\or tries to spread onto as many computers as possible;
 *Patricia Hoffman's hypertext VSUM. It covers PC
viruses and it is regarded by many in the anti virus field
as being inaccurate, so it is advised that you not to rely
solely on it. It can be downloaded from most major
archive sites. 
*A more precise source of information is the Computer
Virus Catalog,published by the Virus Test Center in
Hamburg. It contains highly technical descriptions of
computer viruses for several platforms: DOS,Mac,
Amiga, Atari ST and Unix. It is available by anonymous
FTP from atik.uni-hamburg. For the directory, go to:
pub/virus/texts/catalog.
* Another small collection of a good technical
 *There is plenty of information in the monthly
Virus Bulletin, published in the UK. Among other
things, it gives detailed technical information on
viruses . Want a –month subscribtion: only $395.00!!
*Another source of information is the book "Virus
Encyclopedia" which is part of the printed
documentation of Dr. Solomon's AntiVirus
ToolKit (a commercial DOS antivirus program). The
WWW site www.datafellows.fi, has an on-line,
cross-reference data base containing descriptions
of about 1500 PC viruses!
* Lastly, a network-accessible source of
information for viruses is provided by IBM
AntiVirus, at
:http://www.brs.ibm.com/ibmav.html.
 ARMORED Virus

An ARMORED virus is one that uses special tricks to

make tracing,disassembling and understanding of
its code more difficult.
EX.A good example is the Whale virus. 
 CAVITY Virus

A CAVITY VIRUS is one which overwrites a part of

the host file that is filled with a constant (usually
nulls), without increasing the length of the file,
but preserving its functionality.
The Lehigh virus was an early example of a cavity
virus.
 COMPANION VIRUS

The COMPANION virus is one that, instead of modifying an

existing file,creates a new program which is executed
instead of the intended program.
On exit, the new program executes the original program
so that things appear normal. On PCs this has usually
been accomplished by creating an infected .COM file with
the same name as an existing .EXE file.
Integrity checking anti virus software that only looks for
modifications in existing files will fail to detect such
viruses.
 ComputerVirus & Virus-L

To subscribe to Virus-L, send e-mail to

LISTSERV@LEHIGH.EDU saying
"SUBVIRUS-L your-name". For example: 
SUB VIRUS-L Jane Doe To be removed
from the Virus-L mailing list, send a
message to LISTSERV@LEHIGH.EDU
saying "SIGNOFF VIRUS-L". To "subscribe"
to comp.virus, simply use your favorite
USENET newsreader to read the group. 
 Comp.Virus & Virus-L

Virus-L and comp.virus are BOTH “discussion forums”

that focus on computer virus issues.
More specifically, Virus-L is an electronic mailing list
and comp.virus is a USENET newsgroup.
Both groups are moderated; and all submissions are
sent to the moderator who decides if a submission
should be distributed to the groups.
Virus-L is distributed in "digest" format (with multiple
e-mail postings in one large digest) and comp.virus is
distributed as individual news postings.However, the
content of the two groups is identical.
 FILE Infectors…for PC’s
The first class of the common PC virus consists of the
FILE INFECTORS which attach themselves to ordinary
program files. These usually infect arbitrary COM and/or
EXE programs,though some can infect any program for
which execution or interpretation is requested, such as
SYS, OVL, OBJ, PRG, MNU and BAT files.
 File infectors can be either DIRECT-ACTION or RESIDENT.
A direct-action virus selects one or more programs to
infect each time a program infected by it is executed.
A resident virus installs itself somewhere in memory
(RAM) the first time an infected program is executed,
and thereafter infects other programs when they are
executed, or when other conditions are fulfilled.
Direct-action viruses are also sometimes referred to as
NON-RESIDENT.The Vienna virus is an example of a
direct-action virus. Most viruses are resident.
 POLYMORPHIC Virus

 A POLYMORPHIC virus is one that produces varied

but operational copies of itself. This is so that virus
scanners will not be able to detect all instances of the
virus. 
One method of evading scan string-driven virus
detectors is self-encryption with a variable key.
These viruses (Cascades) are not "polymorphic", as
their decryption code is always the same.Therefore
the decryptor can be used as a scan string by the
simplest scan string-driven virus scanners (unless
another virus uses the identical decryption routine
and the exact identification.)
 Stealth Viruses
The STEALTH virus is one that, while "active“ can hide
the changes it has made to files or boot records. This
is achieved by monitoring the system functions used
to read files or sectors from storage media and forging
the results of calls to such functions. Meaning that
programs that try to read infected files or sectors see
the original, uninfected form instead of the actual,
infected form.
The virus's modifications may go undetected by anti
virus programs.: VERY TRICKY
In order to do this, the virus must be a resident in
memory when the anti virus program is executed and
this may be detected by antivirus program.
 SYSTEM or BOOT-RECORD
Infectors
A second PC category of viruses is SYSTEM or
BOOT-RECORD INFECTORS:these viruses infect
executable code found in certain system areas on
a disk.
On PCs there are ordinary boot-sector viruses,
which infect only the DOS boot sector, and MBR
viruses which infect the Master Boot Recordon
fixed disks and the DOS boot sector on diskettes.
( Examples include Brain, Stoned, Empire, Azusa
and Michelangelo.)
All common boot sector and MBR viruses are
memory resident. To confuse this classification
somewhat, a few viruses are able to infect BOTH
 The TROJAN HORSE Virus

A “TROJAN HORSE” is a program that does

something undocumented that the
programmer intended, but that some users
would not approve of if they knew about it.
It is a virus, as it is one which is able to
spread to other programs(i.e., it turns them
into Trojans too). A virus that does not do
any deliberate damage (other than merely
replicating)is not a Trojan.
 TUNNELLING Virus

A TUNNELLING VIRUS is one that finds the original

interrupt handlers in DOS and the BIOS and calls
them directly.
Then, by passing any activity monitoring
program, which may be loaded and have
intercepted, it interrupts the vectors in its
attempt to detect viral activity.
Some anti virus software also uses these
“tunnelling” techniques in an attempt to by pass
any unknown or undetected virus that may be
active when it runs.
 Worms
A computer WORM is a self-contained
program (or set of programs), that is able to
spread functional copies of itself or its
segments to other computer systems
(usually via network connections). 
Unlike other viruses, worms do not need to
attach themselves to a host program.
There are two types of worms—
1. “host computer
worms” &
NETWORK- Computer Worms

 Network worms consist of multiple parts,

called "segments.“ They each run on
different machines (and possibly perform
different actions) using the network for
several communication purposes.
Moving a segment from one machine to
another is only one of their purposes.
Network worms that have only one main
segment will coordinate the work of the
other segments; which are sometimes called
"octopuses."
 HOST- Computer Worms
Host computer worms are entirely
contained in the computer they run
on and use network connections
only to copy themselves to other
computers.
Host computer worms are the
original terminates after it launches
a copy on to another host (so there
is only one copy of the worm
running somewhere on the network
 TOP 5 Virus’s
14 Reported
12
10
8
Percent Reported to
6 Sophos 2003
4
2
0
W32/klez/h W32- W32/ElKern-
Bugbear-A C
Protect Yourself from
Computer Virus’s
• AVIEN & AVI-EWS
• CERT
• STOPzilla
• GFI Mail Security for
Exchange
• Anti Virus eScan 2003
• CIAC
• Cyber notes
• ICSA
• Information Security Magazine
• NIPC (National Infrastructure
Protection Ctr)
• SANS Institute
• Virus Bulletin
Brought to you by Guide Picks…
 #1 ~ PAND A ANT IVIRUS
PL AT IINUM v7.0
Panda A nti viru s Pl ati num v7. 0 c om bi ne s anti
vir us a nd fir ewa ll pr ote cti on to provide
robu st se cu rity wi th mi nima l syst em impac t.
Opt ional sc ript bloc king a nd a tta chmen t
fi lte ri ng com bin ed with d ai ly upda te s hel ps
en su re pr ote cti on aga inst eve n n ew and
unk nown em ail thr eats. Dow ns id e:
cumber som e custom c onf igu rati on for sc ans.
 #2 ~NORTON ANTIVIRUS 2003
This latest version of Norton AntiVirus
offers automatic updating combined with
script blocking and outbound worm
detection. It also includes protection
against IM worms and infected
attachments sent via America Online,
Yahoo!, and MSN instant messenger
programs. Downside: cumbersome
custom configuration for scans.
 #3~ F-PROT FOR WINDOWS
F-Prot for Windows continues to impress
with solid 100% ItW and 96.34% Zoo
detection. The interface is extremely
pleasing - easy enough for novice users to
navigate yet sophisticated enough for the
more advanced. An excellent addition to any
antiviral arenal. Downside: like other Top
Picks, excluding folders is a cumbersome
task. However, erring on the side of
protection is never a bad idea.
 #4~ MCAFEE VIRUSSCAN
HOME EDITION 7.0
Scoring 100% detection for ItW threats
and 99.84% Zoo (with a mere .01% false
positive rate), VirusScan Home Edition
provides the protection needed in today's
hostile computing environment. Script
Stopper technology stops VBScript and
JScript worms. Hostile Activity Watch
Kernel looks for suspicious activity and
stops mass-mailing worms. Downside:
Some reports of incompatibility with
ZoneAlarm.
 #5~ NORMAN VIRUS CONTROL

Norman Virus Control offers a highly respectable

100% rate of detection for ItW threats and
91.92% Zoo with only a .02% false positive rate.
With configurable email attachment blocking,
decompression module, and sandboxing, Norman
Virus Control has earned its second top pick
award. The new interface helps better integrate
the various modules. Downside: cumbersome
custom configuration for scans.
 #6~ PC-CILLIN
With 100% ItW, 94.82% Zoo detection, and only
a .02% false positive rate, Trend Micro's best-of-
breed anti virus protection features an integrated
firewall and extends its scanning to include even
web-based email. PC-cillin also provides mobile
users the extra protection needed to stay virus-
free on the road, including Wi-Fi connection
security and PDA synchronization protection.
 #7 ~ BIT DEFENDER
PROFESSIONAL v6.5
Softwin's BitDefender Professional provides
filtering of URLs, IP addresses, and ports, as well
as seamless signature updates every 8 hours.
BitDefender's impressive 100% ItW and 94.21%
Zoo detection also protects against viruses
encountered through the use of ICQ, Yahoo!
Messenger, NetMeeting, or MSN Messenger.
 #8 ~ NOD 32
Nod32 continues to be a personal
favorite. With a tiny footprint, its
presence on the system is barely
perceptible yet it packs quite a bit of
protection. For older systems, Nod32 may
well be the only antivirus solution capable
of offering superb 100% detection and
prevention of ItW threats without
impacting performance. Downside:
inability to exclude folders from scanning.
 #9 STOPzilla!
 BLOCK annoying popup-windows for good and forever with 
STOPzilla!STOPzilla maximizes your surfing speed by guarding your 
system against annoying unwanted popup windows. With fully 
customizable options that allow you to configure STOPzilla to meet 
your surfing needs, you will never again be smothered in an endless 
sea of pop-ups! 
•Acts like a firewall for popup windows, & Monitors your system while 
you surf the web and destroys pop-ups before they open. 
•Speeds up your surfing by keeping pop ups at bay, & is Configurable 
warnings alert you when a site attempts to open a pop-up. 
•Automatically add sites to the STOPzilla Black List to prevent all 
future popup attempts. 
•Fully customizable settings give you the flexibility to 'ALLOW' or 
'BLOCK' with the single click of a mouse. 
•Audible alerts let you know when STOPzilla has thwarted a 
perpetrator
 'SARS' computer virus hits India 
Breaking News Story : May 8, 2003
 NEW DELHI - Computers in India are vulnerable to a mass mailing worm "SARS", also 
known as W32/Coronex-A, which attacks address books and attempts to dupe users. 

Micro World Technologies Inc, a content security and IT solutions provider, has 
cautioned computer users of the mass mailing worm that uses a variety of subject lines, 
message bodies and attachment names, including "SARS Virus" and Hong Kong.exe. 

"SARS forwards itself to all contacts in address books and attempts to dupe innocent 
computer users into opening an attachment offering details on the current SARS 
epidemic. The worm is delivered as an e-mail attachment and the e-mail may have a 
subject line about the current paranoia about SARS," a statement said. 

The SARS worm just goes onto prove that there are still scores of virus writers who use 
common fears to spread dangerous viruses throughout the world, Govind Rammurthy, 
MD and CEO, Micro World Inc said. 

However, the impact of the worm seems to be less destructive, a security analyst said. 
Sunil Chandran, CEO, Stellar info, a data security firm in Delhi said, "The worm has 
been in operation since April 24 and so far its nature of destruction is not high and not 
widespread and there has been no reporting of data loss by customers to us." 
 What do expert’s believe are
in store for the future of
Virus’s?
''Iraq will destroy us by computer,'' the experts screamed
by Rob Rosenburg -- 05/01/03
"IRAQ WILL CRIPPLE the U.S. with cyber-attacks," the fear mongers warned. I tell
you, everyone got into the act -- from Congress to the FBI to former CIA officials to
computer security salesmen.
Even a fire-breathing Muslim cleric living the high life in Britain got into the act. Even
a delusional narcissistic hacker living in the slums of Kuala Lumpur got into the act. I
tell you, everyone screamed about the coming cybergeddon.
I mean, c'mon! How much effort does it take to “open a digital can of whoop-ass” on
the United States? From what I hear, even a 14 year old Iraqi nomad can remotely shut
down our national power grid and remotely pollute our vital toilet water supplies.
In August of last year, an ominous m2g press release quoted CEO D.K. Matai: "it
would seem highly likely that the launch of a physical attack on Iraq will see counter-
attacks from disgruntled Arab, Islamic fundamentalist and anti-American groups."
mi2g warned terrorists might launch remote-controlled “SCADA Attacks” along with
those (equally?) scary "chemical, biological, radiological, [and] nuclear" attacks.
CONT. In December 2002, IDC chief research officer John Gantz predicted a major cyber
terrorism event would occur in 2003 -- a cybertastrophe "that will disrupt the economy and bring
the Internet to its knees for at least a day or two," according to News.com scribe Ed Frauenheim.
Gantz specifically warned "the [looming] war with Iraq will galvanize hackers."
A New York Times story in mid-January quoted House Armed Services Committee member
Robert E. Andrews (D-NJ), who warned "a cyber attack really fits Saddam Hussein's paradigm
for attacking us." The same New York Times story quoted ex-FBI flunky Michael Vatis (a well-
documented fear-monger) on the cyber-threat Iraq could pose to U.S. interests should war break
out. ""I would suspect [Iraq's computer warfare program is] at a middling stage ... but even a
middling capability can cause serious harm."
FBI's National Internet Infrastructure Protection Center (now known as DHS NIPC) issued a
pre-war advisory to say Iraq or its sympathizers might cripple the U.S. with Spam.
Meanwhile, Japan's version of NIPC -- the Information Technology Security Center within the
Ministry of Economy -- went on "heightened alert" after their prime minister made comments
supporting the U.S.-led coalition against Iraq. The agency soon upgraded its cyber-threat
assessment and sent a written plea ("written"?) to computer security firms to ask them to "watch
for computer virus attacks and unauthorized changes to Web sites."
According to a Kyodo newswire, Japan's version of NIPC wanted to assure the public "[computer
security firms] will be on alert day and night to be able to act immediately on any abnormal
incidents." No doubt.
SEE OUR WEB PAGE:
www.uri.edu/personal/dbru7007/biblio.html