VIRUSESVIRUSES

- Janhavi Naik

Overview

Structure

Classification

Categories

VIRUS:- STRUCTURE (page no-652-654 s)

Virus can be prepended, postpended or embedded to an executable program.

The infected program when invoked will first invoke the virus code and then execute the original code of the program.

Depiction of virus structure (page no-653)

Program v :=

(go to main;

1234567;

subroutine infect-executable :=

{ loop:

file :=get-random-executable file;

if (first-line-of-file=1234567)

then goto loop

Cont..

Else prepend v to file; }

Subroutine do-damage :=

{whatever damage is to be done}

Subroutine trigger-pulled :=

{ return true if some condition holds}

Main: main-program:=

{ infect-executable ;

Cont..

If trigger-pulled then do-damage;

Goto next;}

Next:

}

program invoked

The following steps:-

For uninfected file ,the virus first compresses that file.

Copy of virus is prepended to compressed program.

Cont..

The compressed version of infected program is uncompressed.

The uncompressed original program is executed.

Compression logic (page no-654 s)

Program cv:=

(go to main;

01234567;

subroutine infect-executable :=

{ loop:file :=get-random-executable file;

if (first-line-of-file=01234567)

then goto loop;

Cont..

(1) compress file;

(2) prepend cv to file; }

Main: main-program

{if ask permission then infect executable;

(3) uncompress rest-of-file;

(4) run compressed file;}

}

Virus classification (page no-655 s)

Based upon following :

Type of target virus tries to infect

Method the virus uses to conceal itself from detection by users and antivirus softwares.

CLASSIFICATIONCLASSIFICATION BY TARGET BY TARGET (page no-655 s)(page no-655 s)

Boot Sector Infector:- infects a master boot record or boot record and spreads when a system is booted from the disk containing virus.

File Infector:- infects the file that the OS or shell consider to be executable

Cont..

Macro Virus:- infects files with macro code that is interpreted by an application.

Infect a document or template rather than executable code.

Can infect at different points during a file’s use.

CLASSIFICATION BY CLASSIFICATION BY CONCEALMENT CONCEALMENT STRATERGYSTRATERGY (page no-655,666)(page no-655,666)

Encrpted virus:- It creates random encryption key and decrypts the remainder of virus.

When infected program is invoked ,virus uses stored random key to decrypt the virus.

Cont..

When virus replicates ,different random key is selected because bulk of virus is encrypted with different key for each instance.

Stealth virus:- Its designed to hide itself from detection by antivirus software.

Cont..

Polymorphic virus:- Its mutates with every infection ,making detection by “signature” of virus.

It insert superflous instructions or interchange order of instructions.

Metamorphic virus:- It mutates with every infection but at each iteration rewrite itself completely increasing difficulty of detection.

Example of stealth virus (page no-655)

Virus uses compression so that infected and uninfected program are of same length.

Virus places intercept logic in I/o routine when we attempt to read suspected portion of virus,present back uninfected program.

Points to remember (page no-666)

Strategy of encryption virus where portion of virus is responsible for generating keys performing encryption or decryption is referred as “mutation engine”.

Virus kits enable to create number of different viruses and create problem for antivirus schemas.

Macro viruses (page no-666)

It infects ms word document or ms office .

It infects documents ,information introduced onto computer in form of document.

It easily spreads.(electronic mail)

Traditonal file system acess controls of limited use in preventing spread.

Email viruses (page no-656,657)

First rapidly spreading email virus is “Melissa” (made of ms word macro embedded in attachment).

The email virus sends itself to everyone on mailing list in user’s email package.

It does local damage on users system.

Cont..

Powerful version of virus appeared in 1999 that can be activated by opening email rather than attachment that used scripting language.

Questions

What is virus?Explain different phases of virus.Also with help of symbolic code explain virus structure. (7 mks)

Write short notes on viruses.(4 mks)

Explain nature of viruses and different types of viruses. (10 mks)

Write short notes on computer viruses. (6 mks)

Any questions ?

Thank you