Editor's Note
 Free Software
 GPG
 IEEE 802.11a
 Linux
 MBSA
 METU-CC Web Site
 Thesis Advisor A. Prog.
 Viruses
 CISN Archive
 Questionnaire
 Send Feedback


Computing & Information Services Newsletter
Viruses
     
 

Viruses are small programs that operate secretly on the system of the user and they do harm or perform unwanted tasks.

The first virus was changing the proprietary rights of a company when the company's program was being copied by diskettes. (1986-Brain). The major viruses followed that:

  • Chernobyl (CIH) (1998),
  • Melissa (1999),
  • Navidad (2000),
  • Nimda/Sircam/CodeRed (2001)

According to the information obtained in January 2002, there are 70,000 active viruses. Of this number, %26.1, constitute Macro viruses and %26.1 are Trojan Horses. However, when infection methods are examined, those viruses that spread via files that can be executable by systems are first in the rank by %79. The numbers of viruses detected continue to increase every month.

Not every virus written is harmful. To understand whether a virus is active or not, a great deal of anti-virus software sites should be visited and the grading of the viruses by the sites should be examined to be able to make a comment. These sites are:

yer almaktadır.

The Infection Method of the Viruses:

The most widespread virus infection methods are as follows:

  • Diskette, CD
  • E-mail
  • Network file sharing
  • Programs downloaded from Internet

Today, e-mail attachment files and the files downloaded from Internet are the source of major virus infections. Let's look at how viruses spread:

1. Virus Infection through E-mail

The executable attachments of e-mails may infect your system with virus. But it is not guaranteed that your system will not be infected, although you have not opened an attachment. Some e-mail reading programs may automatically open the attachments that are in a specific format. In this way, the virus may infect the system and perform what the program wants it to do. The user may not be aware of this process (e.g., Outlook / Outlook Express - Bubbleboy). If you perform the necessary operating system updates (to update Windows operating system, visit http://windowsupdate.microsoft.com/) the virus cannot take advantage of vulnerabilities on your operating system. The virus infection without the awareness of the user constitutes only a small part of virus infection through e-mail. The significant part is concerned with the executable files (.bat, .exe, .scr, .pif, etc.). The user may receive them with e-mail, may execute them after downloading to his/her system or execute it immediately. Users' such personal mistakes are the major causes of virus infection.

2. Virus Infection through WWW

Virus may infect the system through WWW, if the user downloads an insecure file from Internet. However, two issues must be addressed here. The users may intentionally download files or the web browser he/she uses (like Internet Explorer, Netscape) may download some files automatically.

In the first case, the user intentionally downloads a file from Internet, if that file has a virus, the execution of the file will infect the system. The users awareness of these critical actions should be increased to prevent such virus infections.

The second case is more complex. We should address two issues again:

  • Java-Script
  • ActiveX

The www pages using Java-Script or ActiveX may infect your system with a virus.

a) Java Script:

WWW pages have become interactive thanks to the java applets (animations etc.). Today, all the web browsers support Java. The problem is that these applets can also be downloaded from the insecure sites. A precautionary method is developed for that which is named as "sandbox". The applet executed by Sandbox cannot read or write on the files on your system. This system seems secure, doesn't it? However, there is a problem about the complex structure of sandbox technology. A vulnerability that could not be noticed may allow the viruses to run codes on the system. For example, the virus may open a great deal of secret windows and consume the resources of the system.

b) ActiveX:

They are Windows' applets. These structures are used by Windows to display the animations available on "web" pages. These applets download files with ".dll" (Dynamic Link Library) extensions. These files own all kinds of rights on the system. Therefore, these files allow the virus to become powerfully and most easily dominant on the system. That's why many security updates of MS Internet Explorer are released. The security system available on Internet Explorer is called "Authenticode system and Code Signing". The security settings of the browser should be set to maximum. However, if the security settings of the www browser are set to minimum, the browser automatically downloads the file with ".dll" extension to the system. The ".dll" files are authorized to execute significant files such as "command.com". The security level of "MS Internet Explorer" should be changed to "Medium" or higher as to take a precaution against harmful applets.

Internet Worms:

There are other viruses that take advantage of the security vulnerabilities of the operating systems or the services that run. (CodeRed, Nimda).

These viruses can cause the following results:

  • The web server can be affected with virus (e.g.: ISS)
  • The data on the diskettes may be deleted.
  • The content of the web page may be changed.
  • May cause unnecessary network traffic.
    • E-mail, tftp, port search.
  • May insert Backdoor / Trojan.

The typical two Internet Worms are Nimda and Melissa, which had cost millions of dollars of loss in the world.

Let's examine Nimda (W32/Nimda@MM) more closely:

  • Appeared on October 2001.
  • It infects IIS (Internet Information Server) web servers via a vulnerability that was discovered in August 2001.
  • Takes advantage of a vulnerability of "Outlook Express" e-mail client. It executes "Outlook Express" and infects the system.
  • Infects the system after "Internet Explorer" downloads and executes the infected readme.eml file from the web page.

Trojan Horses

These viruses do not spread themselves. Rather they run at the background. They infect the systems via executable files of e-mails or via exchange of executable files on programs such as ICQ etc. (Back Orifice, Sub Seven). When the Trojan Horse becomes active, a person with no good intentions may access your system remotely and obtain the right to download any program he/she would like to your system or attack to other computers from your system.

Virüs Types

1. HOAX

These are messages that mislead users. They do not spread any viruses; but they do tell you to delete a file that the message claims to be a virus. On the contrary, that alleged file is a significant file of the system whose loss may create problems. (Sulfnbk HOAX, Taliban HOAX).

2. BIOS & CMOS Setting Virus

These viruses affect the BIOS settings of your system. They may change the order of startup units (diskette, CD, HDD) of your computer. (Troj/KillCMOS, W95/CIH-10xx).

3. Visual Basic Script (VBS) Virus & Worm

These are small codes written in Visual Basic language. They may be embedded in a web page or an e-mail. They take advantage of the vulnerabilities of your web browser or e-mail client program and then infect your system (VBS/Numgame).

4. The Viruses Specific to Windows Operating System

a. Win32 Virus & Worm

These viruses can be executed on Windows operating systems. They exploit the security vulnerabilities of the program used (Web server or browser). E.g., W32/Magister, W32/Nimda

b. W95/98/ME Virus

These viruses only infect Windows 95/98/ME operating systems. They may change BIOS settings or render the system inoperatable. (CIH/10-xx, W95/Babylonia)

c. WinNT/2K/XP Virus

They exploit the security vulnerabilities of Windows NT/2000/XP operating systems or the programs that run on these systems. Since they are dependent on the functionalities of file system, they activate themselves on systems using NTFS (W2K/Stream, WNT/RemExp).

5. Macro Virus

They are macro programs. They are embedded in the documents that are used in Microsoft Office applications. They can be really harmful to the system since they have the ability to execute a program or a command. These can categorized as

  • Wm: Windows Macro virus
  • w97m:--> MS Word Macro virus
  • pp97m: MS PowerPoint Macro virus
  • xm97m: MS Excel Macro virus

(an example: Wm/Nuclear).

Viruses on new Internet Tools

It is feared that viruses may affect mobile phones, Palms, PDAs (Personal Digital Assistant) as well as PCs. In the year 2000, two viruses discovered were found out to effect PDAs. Although, personal mobile phones are less vulnerable, the e-mail reading programs that the phones will run may pose threats to users.

The virus scanning programs seem to offer the best solution for the security concerns of these tools.

What do Viruses Write on Where?

The viruses modify the "Windows Registry" settings of your system at startup to become active. You should think twice before changing the registry settings of Windows on your own. After you click Run in Start Menu, write 'regedit' and press "Enter" key. The following page will be displayed.

The viruses write their program names on the commands and registry keys given below to make the system run these virus programs at startup.

  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\Windows\ CurrentVersion\
    • RunServices
    • RunServicesOnce
    • Run
    • RunOnce
  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\
    • Run
    • RunOnce
    • RunServices

Precautions for Protection

  • Install an anti-virus software and keep it updated. Unless you update your anti-virus software, it will not keep your system immune to newly emerging viruses.
  • Keep your operating system updated. Please visit the following link to obtain the updates of Windows operating system:
    http://windowsupdate.microsoft.com
  • Use such e-mail reading programs as Netscape Messenger, Webmail, and Pine instead of MS Outlook or Outlook Express.
  • Do not share files on your system if not urgently necessary. If you are going to share a file, use password protect and "read-only" features.
  • Do not install server operating systems. Do not use IIS unless it is updated as web server.
  • Visit "Microsoft Security Bulletin" frequently from the following address:
    http://www.microsoft.com/security
  • Always boot the system from the hard disc.
  • Back up your important files and directories.
  • Do not run the macros that you do not know the source when running Office programs.
  • Use alternative office programs (e.g. OpenOffice):
    ftp://ftp.metu.edu.tr/pub/mirrors/openoffice/
  • Execute the attachment files only if you are sure that the sender is actually the person you know and trust.

Detection of Viruses

The most effective virus detection methods are carried out by anti-virus programs provided that they are regularly updated. Here is some of the anti-virus software operating methods:

  • Online Scanners:

    "Online scanners" are alternative for anti-virus programs. Those users who would not like to pay for anti-virus software and who would like to scan their computers infrequently can benefit from this service of anti-virus software companies. All the files of your computer are scanned remotely. The question, "Does it obtain information from the system as well?" cannot be answered, however, the service runs well.

    Follow the paths below to scan your system online:


  • The Structure of Anti-virus programs

    • Scanners:
      They trace the viruses from their tracks and destroy them if found. These scanners need updating frequently. They are very practical and user friendly.
    • Checksummers:
      The mofidifications in size of standard operating system files are regarded as viruses by the checksummers. This is a useful tool for those users who are competent about modifications on system files.
    • Heuristics:
      The characteristic structures of viruses are defined on these programs; however, they are sometimes not effective against new viruses that develop immunities to heuristics.

  • How does an Anti-virus Software operate?

    Virus pattern is a short "binary" code, which defines a virus. Anti-virus programs scan these virus patterns in all files of the computer via a scanner. When the software detects the virus, the software performs the tasks that are predefined in its database. For this reason, updated anti-virus software is the sole protection method of the user against the newly emerging viruses.

References:

İbrahim Çalışır

 
     
  - TOP -  
© 2002 METU CC
Design: CC - INFO