Computer Virus and Antivirus


A presentation by Vinay Panchal & Nishant Bodke.
Roll no: 1254 & 1249.

Agenda
Computer Virus Concept
Analyze three common computer viruses
Antivirus Technologies
Conclusion


Computer Virus Concept

What is a Computer Virus?
Computer Virus Time Line
Types of Computer Virus
How does a computer virus work?




What is a Computer Virus?
Definition -- Virus: A self-replicating piece of computer code that
can partially or fully attach itself to files or applications, and can
cause your computer to do something you don't want it to do.
Similarities between a biological virus (like "HIV") and a computer virus:
- Both need a host for residence.
- Both are capable of self-replication.
- Both cause damage to the host.
Difference: Computer viruses are created by humans.

Computer Virus Time Line
1949 - Theories for self-replicating programs were first developed.
1981 - Apple Viruses 1, 2, and 3 were some of the first viruses in public.
1988 - Jerusalem was detected. Activated every Friday the 13th, the virus affects both .EXE and .COM files and deletes any programs run on that day.
1991 - Tequila is the first widespread polymorphic virus found.
1999 - The Melissa virus, W97M/Melissa, executed a macro in a document attached to an email. Melissa spread faster than any previous virus.
2000 - The Love Bug, also known as the ILOVEYOU virus, sent itself out via Outlook, much like Melissa.
2001 - The Code Red I and II worms attacked computer networks in July and August. They affected over 700,000 computers and caused upwards of 2 billion in damages.

Types of Computer Virus
Boot Sector Virus - Michelangelo
Boot sector viruses infect the boot sectors on floppy disks and hard disks,
and can also infect the master boot record on a user's hard drive.
File Infector Virus - CIH
Operate in memory and usually infect executable files.
Multi-partite Virus
Multi-partite viruses have characteristics of both boot sector viruses and
file infector viruses.
Macro Virus - Melissa Macro Virus
They infect macro utilities that accompany such applications as Microsoft
Word, Excel and Outlook.


Trojan / Trojan Horse - Back Orifice
A Trojan or Trojan Horse is a program that appears legitimate, but
performs some malicious and illicit activity when it is run.
Worm - Code Red
A worm is a program that spreads over a network. Unlike a virus, a worm
does not attach itself to a host program. It uses up the computer's
resources, modifies system settings and eventually brings the
system down.
Worms are very similar to viruses in that they are computer programs
that replicate themselves. The difference is that, unlike viruses,
worms exist as a separate small piece of code. They do not attach
themselves to other files or programs.

Virus Characteristics

Memory Resident:
Loads into memory, where it can easily replicate itself into programs or boot
sectors. Most common.
Non-Resident:
Does not stay in memory after the host program is closed, and thus can only
infect while the program is open. Not as common.
Stealth:
The ability to hide from detection and repair, in two ways:
- Virus redirects disk reads to avoid detection.
- Disk directory data is altered to hide the additional bytes of the virus.

Encrypting:
Technique of hiding by transformation. The virus code converts itself into
cryptic symbols. However, in order to launch (execute) and spread, the
virus must decrypt itself, and it can then be detected.
Polymorphic:
Ability to change code segments to look different from one infection to
another. This type of virus is a challenge for anti-virus detection
methods.

How does a computer virus work?
The Basic Rule: A virus is inactive until the infected program is run or the
boot record is read. As the virus is activated, it loads into the computer's
memory, where it can spread itself.
Boot Infectors: If the boot code on the drive is infected, the virus will
be loaded into memory on every startup. From memory, the boot virus
can travel to every disk that is read and the infection spreads.
Program Infectors: When an infected application is run, the virus
activates and is loaded into memory. While the virus is in memory, any
program file subsequently run becomes infected.

Analyze three common viruses
CIH
Type: Resident, EXE-files
Origin: Taiwan
History: The CIH virus was first located in Taiwan in early June
1998. Since then, it has been confirmed to be in the wild
worldwide. It has been among the ten most common viruses for
several months.
Infects Windows 95 and 98 EXE files, but it does not work
under Windows NT.
After an infected EXE is executed, the virus will stay in memory
and will infect other programs as they are accessed.


Macro Virus
What is a macro virus?
A type of computer virus that is encoded as a macro embedded in
a document.
According to some estimates, 75% of all viruses today are macro
viruses.
Once a macro virus gets onto your machine, it can embed itself in
all future documents you create with the application.
In many cases macro viruses cause no damage to data; but in
some cases malicious macros have been written that can damage
your work.
The first macro virus was discovered in the summer of 1995. Since
that time, other macro viruses have appeared.

How does it spread?
When you share the file with another user, the attached macro or
script goes with the file. Most macro viruses are designed to run, or
attack, when you first open the file. If the file is opened in its related
application, the macro virus is executed and infects other documents.
The infection process of the macro virus can be triggered by opening
a Microsoft Office document or even the Office application itself, such as
Word or Excel. The virus can attempt to avoid detection by changing or
disabling the built-in macro warnings, or by removing menu commands.
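Because the macro travels inside the shared file, a document can be checked for an embedded macro project before anyone opens it. The following is an added example, not part of the original presentation; `macro_status` and `build_sample` are hypothetical names, and the sample documents are constructed in memory.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def macro_status(data: bytes) -> str:
    """Classify a file by whether it is an Office document that carries VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: any macros sit inside the compound file,
        # so it needs a macro-aware scanner rather than this quick check.
        return "legacy-ole2"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            types = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return "corrupt-zip"
    if not types:
        return "zip-not-ooxml"
    # Two independent signals: the usual part name and the declared content type.
    by_name = any(n.lower().endswith("vbaproject.bin") for n in names)
    by_type = VBA_CONTENT_TYPE in types
    return "ooxml-with-macros" if (by_name or by_type) else "ooxml-no-macros"

def build_sample(with_macro: bool) -> bytes:
    """Constructed, minimal OOXML-like package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            ct += (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                   + VBA_CONTENT_TYPE + b'"/>')
            z.writestr("word/vbaProject.bin", b"placeholder bytes, no real macro")
        z.writestr("[Content_Types].xml", ct + b"</Types>")
        z.writestr("word/document.xml", b"<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in [("clean.docx", build_sample(False)),
                        ("invoice.docm", build_sample(True)),
                        ("old.doc", OLE2_MAGIC + b"\x00" * 504),
                        ("notes.txt", b"hello")]:
        print(f"{label:14} {macro_status(blob)}")
```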


I LOVE YOU
VBS/LoveLetter is a VBScript worm. It spreads through e-mail
as a chain letter.
This worm sends itself to email addresses in the Microsoft
Outlook address book and also spreads to Internet
chatrooms.
This worm overwrites files on local and remote drives,
including files with the extensions .html, .c, .bat, .mp3, etc.

Antivirus Technologies
How to detect a virus?
How to clean a virus?
Best Practices

How to detect a virus?
Some Symptoms
Programs take longer to load.
The program size keeps changing.
The drive light keeps flashing when you are not doing
anything.
User-created files have strange names.
The computer doesn't remember CMOS settings.
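Two of these symptoms, a changing program size and unexpected files, can be checked mechanically by comparing the disk against a recorded baseline. The following is an added example, not part of the original presentation; the function names and the stand-in "program" files are constructed for the demo.

```python
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Map each file under root to (size, sha256 of contents)."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            state[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def compare(baseline: dict, current: dict) -> list:
    """Return sorted (path, finding) pairs for every difference from the baseline."""
    findings = []
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings.append((path, "new file"))
            continue
        old_size, old_digest = baseline[path]
        if size != old_size:
            findings.append((path, f"size changed {old_size} -> {size}"))
        elif digest != old_digest:
            # Size alone would miss this; the content hash does not.
            findings.append((path, "content changed, same size"))
    findings += [(p, "missing") for p in baseline if p not in current]
    return sorted(findings)

def demo() -> list:
    """Constructed scenario: stand-in files are altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("calc.exe", b"A" * 100), ("edit.exe", b"B" * 100),
                           ("readme.txt", b"hi")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "calc.exe"), "ab") as fh:   # bytes appended: size grows
            fh.write(b"X" * 20)
        with open(os.path.join(root, "edit.exe"), "wb") as fh:   # same size, different bytes
            fh.write(b"C" * 100)
        with open(os.path.join(root, "qzx1.tmp"), "wb") as fh:   # unexpected new file
            fh.write(b"?")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path:12} {finding}")
```

Take the baseline on a known-clean system and run the comparison after booting from a clean startup disk, since a stealth virus that redirects disk reads can hide its changes from a check run on the infected system.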

Use antivirus software to scan the computer memory and
disks.
Memory-resident anti-virus software can be used to
continuously monitor the computer for viruses.
Scan your hard disk with anti-virus software. You
should make sure that up-to-date virus definition
data has been applied.
Use server-based anti-virus software to protect your
network.

How to clean a virus?
All activity on the infected machine should be stopped, and the machine
should be detached from the network.
Recovering from backup is the most secure and effective way
to recover the system and files.
In some cases, you may recover the boot sector, partition
table and even the BIOS data using the emergency recovery
disk.
If you do not have the latest backup of your files, you
may try to remove the virus using anti-virus software.

The steps to reinstall the whole system:
1. Reboot the PC using a clean startup disk.
2. Type in MBR to rewrite the Master Boot Record.
3. Format DOS partitions.
4. Reinstall Windows XP or another OS, and other applications.
5. Install antivirus software and apply the latest virus
definition data.

Best Practices
Regular Backup
Back up your programs and data regularly. Recovering from
backup is the most secure way to restore the files after a
virus attack.
Install Anti-virus Software
Install anti-virus software to protect your machine and make
sure that an up-to-date virus definition file has been applied.
Daily Virus Scan
Schedule a daily scan to check for viruses. The scheduled scan
can be run in non-peak hours, such as during the lunch break
or after office hours.
Check Downloaded Files And Email Attachments
Do not execute any download or attachment unless you are
sure what it will do.

Conclusion


Be careful when using new software and files
Be alert for virus activities
Be calm when virus attacks

Thank You
