trojan horse virus

Boot Sector Virus

Feat. General Virus Information
Boot Sector Virus
   Gain Control of System
   Replace Bootstrap Code With Viral Code
   Hard Disks
   Floppy Disks
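An added example (Python, not part of the original slides) of how a defender can notice the replacement of bootstrap code that the slide refers to: it parses a constructed 512-byte boot sector, checks the 0x55AA boot signature, and compares a hash of the 446-byte bootstrap region against a digest recorded while the disk was known clean. The sector bytes are constructed stand-ins, not real boot code.

```python
import hashlib

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # classic MBR layout: 446 bytes of code, then a 64-byte partition table
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid boot sector

def parse_boot_sector(sector: bytes) -> dict:
    """Split a raw sector into bootstrap code, partition table and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return {
        "bootstrap": sector[:BOOTSTRAP_LEN],
        "partition_table": sector[BOOTSTRAP_LEN:SECTOR_SIZE - 2],
        "signature": sector[SECTOR_SIZE - 2:],
    }

def bootstrap_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap region only; the partition table may change legitimately."""
    return hashlib.sha256(parse_boot_sector(sector)["bootstrap"]).hexdigest()

def check_boot_sector(sector: bytes, known_good_digest: str) -> list:
    """Return findings; an empty list means the bootstrap code looks untouched."""
    findings = []
    parts = parse_boot_sector(sector)
    if parts["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootstrap_digest(sector) != known_good_digest:
        findings.append("bootstrap code differs from the known-good copy")
    return findings

def make_sector(bootstrap: bytes) -> bytes:
    """Build a constructed sample sector: stand-in code padded to 446 bytes,
    an empty partition table and the boot signature (not real boot code)."""
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE

CLEAN_SECTOR = make_sector(b"CLEAN-BOOTSTRAP-STAND-IN")
KNOWN_GOOD = bootstrap_digest(CLEAN_SECTOR)   # recorded while the disk is known clean
REPLACED_SECTOR = make_sector(b"REPLACED-BOOTSTRAP-STAND-IN")  # what a boot sector virus leaves behind

if __name__ == "__main__":
    print("clean sector   :", check_boot_sector(CLEAN_SECTOR, KNOWN_GOOD))
    print("replaced sector:", check_boot_sector(REPLACED_SECTOR, KNOWN_GOOD))
```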
Code Action, Camouflage Technique
Viruses disguise themselves from antivirus and other
   security devices using a host of complex techniques:
   Stealth. Viruses that use this technique hide the normal characteristics that would
    indicate their presence.
   For example, the size of a file will normally increase when it is infected. However,
    by only inserting code in free sections of the file, this type of virus tricks the system by
    making it seem that the file size has not changed.
   During file infections the date and time are registered as file modifications. However,
    when these viruses infect a file, they do not make such changes, and the file's date and
    time information remains as it was before the infection.
   To avoid suspicion, stealth viruses will hide some files and change their attributes so
    that they cannot be viewed.
   Tunneling. The 'tunneling' system is quite complicated, as these viruses try to avoid
    detection by the antivirus software by directly intercepting the interrupt handlers of the
    operating system, effectively 'burying' themselves beneath the detection software.
   Armoring. Viruses that use the 'armoring' technique disguise their code so that it
    cannot be read. To detect armored code, antivirus software must use heuristic scanning.
   Self-Encrypting. Antivirus programs search for certain tell-tale signs of virus activity
    such as groups of characters or instructions. These viruses encode or encrypt their
    code to make it more difficult for the antivirus program to detect them. However,
    modern antivirus solutions use algorithms to detect the encryption routine of these
   Polymorphism. Polymorphic viruses encrypt their code in a different way with each
    infection (their signature changes from one infection to the next). They take
    encryption one step further by also encrypting the way (routine or algorithm) in which
    their signature is encrypted. This means that a polymorphic virus is capable of
    creating different variants of itself from one infection to the next, changing its 'shape'
    with each infection.
   Fortunately, the virus cannot completely encrypt itself, as it needs to keep part of its
    original code unencrypted to be able to run. Antivirus programs can detect
    polymorphic viruses by locating the routine or algorithm that allows the virus to
Anti-Virus Technique
   Identifying Virus Signature

   Unique Code

   Anti-Virus Software Searches For Specific Virus Code
Recent Example

   Chaos

   The Chaos virus flags the disk as being
    full of bad sectors upon activation, though
    most of the supposed bad sectors are still
File sector virus

A computer virus that infects application files such as
spreadsheets, computer games or accounting software.
E-mail is now the most common way that viruses are transmitted
 between computers. The most common mechanism is an
 "attachment" to the message. The attachment facility is
 normally used for emailing documents, images and so on.
 However, it is possible for attachments to contain programs
 which run when the attachment is opened.
   In order to replicate itself, a virus must be permitted to
    execute code and write to memory. For this reason, many
    viruses attach themselves to executable files that may be part
    of legitimate programs. If a user tries to start an infected
    program, the virus' code may be executed first. Viruses can be
    divided into two types, on the basis of their behavior when
    they get executed. Nonresident viruses immediately search
    for other hosts that can be infected, infect these targets, and
    finally transfer control to the application program they
    infected. Resident viruses do not search for hosts when they
    are started. Instead, a resident virus loads itself into memory
    on execution and transfers control to the host program. The
    virus stays active in the background and infects new hosts
    when those files are accessed by other programs or the
    operating system itself.
   A checksum of a file can be formed
    by adding up all the instructions used
    within that file. This is then added
    to the file. When the file is about to
    be run the checksum is recalculated,
    and if it does not match the stored
    value it is assumed that the file could be
    infected and a warning is given.
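An added example (Python, not from the original slides) that carries out the checksum check described above: an additive sum over the file's bytes is sealed alongside a SHA-256 hash, and both are recalculated before the file would run. The sample "program" and its modifications are constructed; the reordered copy shows why a plain additive sum is a weaker integrity check than a cryptographic hash.

```python
import hashlib

def additive_checksum(data: bytes) -> int:
    """Sum of every byte value, kept to 32 bits: the 'adding up' scheme the slide describes."""
    return sum(data) & 0xFFFFFFFF

def sha256_checksum(data: bytes) -> str:
    """Cryptographic alternative: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()

def seal(data: bytes) -> dict:
    """Record both values while the file is known clean (the 'added to the file' step)."""
    return {"additive": additive_checksum(data), "sha256": sha256_checksum(data)}

def verify_before_run(data: bytes, sealed: dict) -> dict:
    """Recalculate just before the file would run; a mismatch means it may be infected."""
    return {
        "additive_ok": additive_checksum(data) == sealed["additive"],
        "sha256_ok": sha256_checksum(data) == sealed["sha256"],
    }

# Constructed sample "program": a few bytes of assembly-like text stand in for instructions.
ORIGINAL = b"MOV AX,1\nINT 21h\nRET\n"
SEALED = seal(ORIGINAL)

# Modification 1: bytes appended to the file, as an infection that grows the file would do.
APPENDED = ORIGINAL + b"EXTRA BYTES\n"
# Modification 2: exactly the same bytes in a different order. The additive sum is
# unchanged, so only the SHA-256 check notices the change.
REORDERED = b"RET\nINT 21h\nMOV AX,1\n"

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("appended", APPENDED), ("reordered", REORDERED)):
        print(label, verify_before_run(data, SEALED))
```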
   Storm Worm Botnet Computer Virus
   The FBI issued a warning today about e-mails that purport to link readers to
    an article about the "FBI Verses Facebook". The FBI Agent says the link is
    a virus, part of the Storm Worm botnet (a collection of compromised
    computers under the remote control of a criminal) that can make readers
    vulnerable to identity theft -- and make government computers vulnerable to
    national security threats.
   Spammers spreading this virus are preying on Internet users and making
    their computers an unwitting part of criminal botnet activity. The FBI Agent
    urges net-citizens to help prevent the spread of botnets by becoming
    Web-savvy and making sure their computers are not compromised.
   The warning was issued by the FBI's Internet Crime Complaint Center,
    which focuses on cyber crime.
Macro Viruses

 A macro virus is a virus that is written in a macro language.
 They are the most common type of virus. They are built
 into software applications such as a word processor, so
 that the program runs automatically when the
 document is opened. This makes it easy to spread, as it
 can be embedded into emails.

Trojan Horse
   A Trojan horse, also known as a Trojan, is malware
    that appears to perform a desirable function but in fact
    performs undisclosed malicious functions. Therefore, a
    computer worm or virus may be a Trojan horse. The
    term is derived from the classical story of the Trojan
   The author claims it is a free waterfall screen saver.
    When run, it instead unloads hidden programs,
    commands, scripts, or any number of commands without
    the user's knowledge or consent. Malicious Trojan Horse
    programs are used to circumvent protection systems in
    effect creating a vulnerable system to allow unauthorized
    access to the user's computer.
Trojan Dropper
   Discovered: February 2, 2000
   Updated: February 13, 2007 11:57:55 AM
   Also Known As: Virus.Dropper, Trojan dropper
   Type: Trojan Horse
   Systems Affected: Windows 2000, Windows 95, Windows 98, Windows
    Me, Windows NT, Windows Server 2003, Windows XP
    Trojan.Dropper is a Trojan horse that drops Trojan horses or back door
    Trojans onto compromised computers.
    Wild Level: Low
   Number of Infections: 0 - 49
   Number of Sites: 0 - 2
   Geographical Distribution: Low
   Threat Containment: Easy
   Removal: Easy
   Damage
   Damage Level: Low
 Other viruses can wait until a particular
  event happens before they attach themselves to a
  program or file.
 Usually some action or condition has to be
  met before the virus will attach itself.
Heuristic Detection
   Heuristic detection describes the
    technique of approaching a problem
    through previous experience. The
    technique is used to find unknown viruses
    that have not yet been identified by their
    signatures by looking for characteristics in
    a file that have previously been associated
    with a known virus.
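An added example (Python, not from the original slides) that puts the signature-based scanning from the "Anti-Virus Technique" slide and the heuristic detection described here side by side: exact byte signatures catch known viruses, while weighted characteristics and a byte-entropy check (for self-encrypting code) flag an unknown file. The signatures, heuristic indicators and sample files are all constructed for the demonstration.

```python
import math
import re

# Constructed signatures: virus name -> byte sequence unique to that (fictional) virus.
SIGNATURES = {
    "Demo.Virus.A": b"DEMO-VIRUS-A-MARKER",
    "Demo.Virus.B": b"DEMO-VIRUS-B-MARKER",
}

# Constructed heuristic indicators: characteristic -> (pattern, weight).
HEURISTICS = {
    "destructive command string": (re.compile(rb"FORMAT\s+C:", re.IGNORECASE), 3),
    "references the startup file": (re.compile(rb"AUTOEXEC\.BAT", re.IGNORECASE), 2),
}
HEURISTIC_THRESHOLD = 4   # total weight at or above this is reported as suspicious
ENTROPY_LIMIT = 7.0       # bits per byte; values near 8 suggest encrypted or packed code

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: code and text sit well below 8, encrypted data near it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def signature_scan(data: bytes) -> list:
    """Exact-match scan: the names of every known signature present in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def heuristic_scan(data: bytes) -> dict:
    """Score characteristics previously associated with viruses; no signature needed."""
    hits, score = [], 0
    for label, (pattern, weight) in HEURISTICS.items():
        if pattern.search(data):
            hits.append(label)
            score += weight
    if shannon_entropy(data) > ENTROPY_LIMIT:
        hits.append("high-entropy body (possible self-encrypting code)")
        score += 3
    return {"suspicious": score >= HEURISTIC_THRESHOLD, "score": score, "hits": hits}

# Constructed sample files for the demonstration.
KNOWN_INFECTED = b"MZ" + b"\x00" * 40 + b"DEMO-VIRUS-A-MARKER" + b"\x00" * 20
UNKNOWN_SUSPECT = b"MZ" + b"echo off\r\nFORMAT C: /Y\r\necho test >> C:\\AUTOEXEC.BAT\r\n"
PACKED_LOOKING = b"MZ" + bytes(range(256)) * 2     # every byte value, almost uniform
CLEAN_FILE = b"MZ" + b"Hello from a harmless program.\r\n" * 4
```

A high-entropy body alone scores below the threshold here, since legitimately compressed or packed programs look the same, which is why heuristics are combined rather than used one at a time.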

 By Rebecca & Liam
    What is a worm?
   A worm is a program or algorithm that usually
    performs actions, such as using the computer's
    resources and possibly shutting the system
   Worms only become noticeable once their
    replication consumes memory to the extent
    that the system slows down or is unable to carry
    out particular tasks.
   Worms tend to use the parts of the computer's
    operating system that are not seen by the user
    until it's too late.
   Infected disks brought in from the outside used
    to be the main source of viruses until e-mail
    provided the ideal delivery vehicle. Downloads
    from peer-to-peer sites are another common

   Once delivered, the virus will wait for the trigger to
    wreak its havoc; it can also attach itself to
    executable programs

   For Example Emails
Memory Resident Monitoring
 Programs are divided into memory
  resident and non-resident ones.
 A memory resident program leaves its
  data in RAM after it has finished, and the
  operating system allocates memory for
  this program's operations.
 After that, the memory resident program
  operates in parallel with other programs.
Memory Resident Monitoring
   Non-resident programs do not leave their code
    in memory after termination, and the memory
    is then cleared.
   Some anti-virus software can be memory
    resident, which means it can check any program that
    runs in RAM when the computer is switched on.
   The downside of this type of anti-virus software
    is that it takes up RAM, which can slow down the
    usual functions of the computer.
Up-to-date virus
 This worm is called Stration,
  and is also known as W32.Stration@mm,
  W32/Spamta.A.worm, W32/Stration,
 It spreads via email subject line and
