`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.' THE BASIC CONCEPTS OF PC VIRUSES `'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'

written by: paranoidxe
date: 04/22/04
email: paranoidtsi@hotmail.com

+----------------------+
| DEFINITIONS...       |
+----------------------+

Virus: a virus is a program that replicates itself and "injects" its code into other programs on your computer without the user's knowledge or permission. For a human example, when a human virus enters the body it attaches to a cell, then injects its DNA coding into the cell and tells it to make copies...essentially the same concept; the computer virus attaches to a program. As defined in this guide, a virus replicates on purpose, NOT as a side effect.

Trojan: a program that is advertised as having a legitimate function, but when the user launches it, it either has alternative motives or it runs fine but does something in the background. The important difference between a trojan and a virus is that a trojan is a program that DOES NOT infect other files or spread like a virus.

Worm: the third virus-like program. A worm usually spreads through security holes; it does NOT require user intervention and does not infect files on a computer. A worm's primary function is to spread, and under normal circumstances it causes overload on network systems, causing them to crash. A worm will disappear if the computer is turned off. The general prevention measure is to patch the security flaw the worm uses.

Bug: a bug is an unintentional flaw in a software product. The reason this is mentioned is that bugs usually cause a computer to act funky on the user, and just because this happens does not mean it's a virus.

Droppers: usually a shell for a virus, this is a program that has a virus encrypted into it to avoid detection. Once a dropper is launched, the virus is decrypted and launched on the targeted machine.

[MISC. MEANINGS]

AV - antivirus: either referring to a program that combats and eliminates viruses, or a company that produces antivirus products.

MBR - master boot record: this is the program that tells your hard drive how to work and how to retrieve/write data.

file system: if the MBR is the program that gives direction (like a ref in a football game), then the file system is the field. The file system is what organizes data on a drive.

false positive: this is when an antivirus program reports a file as being infected when it really is not.

false negative: this is when an antivirus program reports a file as uninfected when it really is infected.

+-------------------------+
| VIRUS MECHANISMS        |
+-------------------------+

Viruses can use various technologies to infect the targeted machine. These are some of the common methods used:

Boot Sector/MBR Infector: these viruses prey on the boot program that is on every single hard drive/floppy drive. The boot program essentially tells the size of the disk and tells the disk how to read the data...viruses have found a way to get in here, which ensures that the virus is launched at every boot.

Polymorphic: polymorphism is a method used by virus writers to avoid detection. Normally a virus will infect a file with the same size and code every time; polymorphism actually changes the code's appearance as well as its size. This makes detection more difficult, and antivirus companies must rely on patterns instead of fixed code signatures.

Stealth: this technology makes it so that when file sizes are reported, the virus reports the uninfected file size...this essentially means the virus makes the file appear unaltered.

Encryption: a method that seems to be getting more and more complex. Encryption makes it so that antivirus companies cannot decipher the virus's code, which makes it harder for them to understand the virus and provide fixes if the virus damages anything.
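The polymorphism and encryption paragraphs above explain why a scanner cannot rely on a fixed byte signature taken from one infected sample. The Python snippet below is an added example, not code from the original guide: it uses an invented decryptor-stub layout, a 1-byte XOR key and an arbitrary byte string standing in for the virus body (all constructed, none of it real virus code) to show that a fixed signature only matches the one key it was taken from, while a wildcard pattern on the invariant stub, followed by decryption with the recovered key, matches every variant.

```python
import re

# Constructed layout for this example (hypothetical, not a real virus):
#   [STUB_PREFIX][1-byte key][STUB_SUFFIX][body XORed with key]
STUB_PREFIX = b"\xb0"          # stands in for the "load key" instruction
STUB_SUFFIX = b"\x30\x06\xe2"  # stands in for the decrypt loop
BODY = b"CONSTRUCTED-VIRUS-BODY:infect-and-replicate"  # arbitrary bytes


def build_sample(key: int) -> bytes:
    """Constructed encrypted sample: invariant stub + key + XORed body."""
    enc = bytes(b ^ key for b in BODY)
    return STUB_PREFIX + bytes([key]) + STUB_SUFFIX + enc


# Naive scanner: a fixed signature cut from ONE encrypted instance.
FIXED_SIG = build_sample(0x5A)[8:24]


def fixed_signature_scan(data: bytes) -> bool:
    """Matches only samples encrypted with the same key as FIXED_SIG."""
    return FIXED_SIG in data


# Pattern scanner: the stub never changes, only the key byte does, so we
# match the stub with a wildcard, pull the key out, decrypt what follows
# and then look for a signature of the decrypted body.
STUB_PATTERN = re.compile(
    re.escape(STUB_PREFIX) + b"(.)" + re.escape(STUB_SUFFIX), re.DOTALL
)
BODY_SIG = BODY[:12]  # signature of the plaintext body


def pattern_scan(data: bytes) -> bool:
    """Wildcard stub match + decryption with the recovered key."""
    for m in STUB_PATTERN.finditer(data):
        key = m.group(1)[0]
        decrypted = bytes(b ^ key for b in data[m.end():])
        if BODY_SIG in decrypted:
            return True
    return False


def demo() -> dict:
    """Map each constructed key to (fixed-signature hit, pattern hit)."""
    results = {}
    for key in (0x5A, 0x17, 0xC3):
        sample = build_sample(key)
        results[key] = (fixed_signature_scan(sample), pattern_scan(sample))
    return results


if __name__ == "__main__":
    print(demo())
```

Only the 0x5A variant is caught by the fixed signature; the stub pattern plus decryption catches all three, which is the "pattern instead of code signature" approach the guide refers to.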
TSR - terminate/stay resident: this is a virus that enters memory and stays in memory, generally infecting any program written or read. This is a part of almost every virus now.

Macro virus: a 1995 invention, a macro virus thrives off Microsoft Word. It infects the global settings file of Word, and every document after the initial infection is launched becomes infected too.

File Infector: this is the most common type of virus. It infects programs as they are launched but does NOT infect boot sectors. This is the most basic of viruses.

Multi-partite: these are viruses that use both file infection and boot sector infection. This is what most non-macro viruses will use now.

+-------------------------+
| UNDERSTANDING TROJANS.. |
+-------------------------+

As stated in the definitions, a trojan is a program that appears to have a desirable function...but instead it has a hidden agenda. It is important to understand that trojans do NOT infect other files. They may also function as advertised, with the malicious code taking effect in the background.

Trojans can also load at every boot, however not in the same manner as viruses. Trojans rely on your operating system to load them every time; unlike viruses, which can get into the boot record, trojans generally cannot.

Trojans often have various malicious functions such as:

* Steal passwords
* Format hard drives
* Random reboots
* Used as a server program for another user

A special type of trojan known as a "backdoor" trojan opens a port on your internet connection that allows the remote user to use his program to connect to your computer and perform various functions. This could be just to annoy you; other times it could be used to take your data.
Backdoor trojans are generally able to do the following:

* rename/delete/edit files
* upload/download files
* open/close CD-ROM drive
* run floppy drive
* reboot computer
* send messages

Backdoor trojans can have their uses as a remote administrative tool, but this is rarely the case.

+-------------------------+
| WHY WRITE VIRUSES       |
+-------------------------+

There are many reasons people want their viruses out there. The more common ones include:

a) Revenge: the virus was meant to infect one computer, but instead it ends up infecting more than just one. It was designed to get revenge on someone who apparently pissed the author off.

b) Accidental: sometimes a virus is released accidentally...the virus was just something to do in their spare time and was never meant to get released.

c) Make a Statement: sometimes viruses are out to make statements, like Stoned made the statement "Legalize Marijuana"...Tequila was obviously made by one who liked tequila