Boot Sector Virus
Feat. General Virus Information
Gain Control of System
Replace Bootstrap Code With Viral Code
Code Action, Camouflage Technique
Viruses disguise themselves from antivirus and other
security devices using a host of complex techniques:
Stealth. Viruses that use this technique hide the normal characteristics that would
indicate their presence.
For example, the size of the file will normally increase when it is infected. However,
by only inserting code in free file sections, this type of virus tricks the system by
making it seem that the file size has not changed.
Normally, when a file is modified, the date and time of the change are recorded. However,
when these viruses infect a file, they do not make such changes and the file date and
time information will remain as it was before the infection.
To avoid suspicion, stealth viruses will hide some files and change their attributes so
that they cannot be viewed.
Tunneling. The 'tunneling' system is quite complicated: these viruses try to avoid
detection by the antivirus software by directly intercepting the interrupt handlers of the
operating system, effectively 'burying' themselves under the detection software.
Armoring. Viruses that use the 'armoring' technique disguise their code so that it
cannot be read. To detect armored code, antivirus must use heuristic scanning
Self-Encrypting. Antivirus programs search for certain tell-tale signs of virus activity
such as groups of characters or instructions. These viruses encode or encrypt their
code to make it more difficult for the antivirus program to detect them. However,
modern antivirus solutions use algorithms to detect the encryption routine of these
Polymorphism. Polymorphic viruses encrypt their code in a different way with each
infection (their signature changes from one infection to the next). They take
encryption one step further by also encrypting the way (routine or algorithm) in which
their signature is encrypted. This means that a polymorphic virus is capable of
creating different variants of itself from one infection to the next, changing its 'shape'
with each infection.
Fortunately, the virus cannot completely encrypt itself, as it needs to keep part of its
original code unencrypted to be able to run. Antivirus programs can detect
polymorphic viruses by locating the routine or algorithm that allows the virus to
Identifying Virus Signature
Anti-Virus Software Searches For Specific
The Chaos virus flags the disk as being
full of bad sectors upon activation, though
most of the supposed bad sectors are still
File sector virus
BY JAMES AND
(TEAM MAN LOVE)
A computer virus that infects
application files such as
spreadsheets, computer games or
E-mail is now the most common way that viruses are transmitted
between computers. The most common mechanism takes the form of an
“attachment” to the message. The attachment facility is
normally used for emailing documents, images and so on.
However, it is possible for attachments to contain programs
which get run when the attachment is opened.
In order to replicate itself, a virus must be permitted to
execute code and write to memory. For this reason, many
viruses attach themselves to executable files that may be part
of legitimate programs. If a user tries to start an infected
program, the virus' code may be executed first. Viruses can be
divided into two types, on the basis of their behavior when
they get executed. Nonresident viruses immediately search
for other hosts that can be infected, infect these targets, and
finally transfer control to the application program they
infected. Resident viruses do not search for hosts when they
are started. Instead, a resident virus loads itself into memory
on execution and transfers control to the host program. The
virus stays active in the background and infects new hosts
when those files are accessed by other programs or the
operating system itself.
USE OF CHECKSUM
A checksum of a file can be formed
by adding up all the instructions used
within that file. This is then added
to the file. When the file is about to
be run the checksum is recalculated
and if there is an error then it is
assumed that the file could be
infected and a warning is given.
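The check described above, as an added example that is not part of the original slides: a baseline is recorded while the file is known to be clean, then the file is changed in a way that keeps its size and timestamp, as the stealth section describes, and the checksum still differs. The example goes beyond the slide by comparing the simple additive sum with SHA-256; the function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def additive_checksum(data: bytes) -> int:
    """Sum of all byte values modulo 2**32 (the 'add everything up' scheme)."""
    return sum(data) % 2**32

def fingerprint(path):
    """Record what a checker would store while the file is known to be clean."""
    with open(path, "rb") as f:
        data = f.read()
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sum": additive_checksum(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def changed_fields(baseline, path):
    """Return the names of the recorded fields that no longer match."""
    current = fingerprint(path)
    return sorted(k for k in baseline if baseline[k] != current[k])

def overwrite_keeping_metadata(path, new_data, baseline):
    """Simulate a change that keeps the size and restores the timestamp."""
    assert len(new_data) == baseline["size"]
    with open(path, "wb") as f:
        f.write(new_data)
    os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))

def demo():
    """Run both constructed cases; return the mismatching fields for each."""
    original = b"MZ" + b"\x90" * 30 + b"\x00" * 32   # constructed sample, not a real program
    patched = b"MZ" + b"\x90" * 30 + b"\xcc" * 32    # padding region overwritten
    reordered = b"ZM" + original[2:]                 # same bytes, different order
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        for name, data in (("patched", patched), ("reordered", reordered)):
            with open(path, "wb") as f:
                f.write(original)
            base = fingerprint(path)
            overwrite_keeping_metadata(path, data, base)
            results[name] = changed_fields(base, path)
    return results

if __name__ == "__main__":
    print(demo())
```

Size and timestamp match the baseline in both cases, so only the checksum reveals the change; the additive sum misses the reordered bytes, which is why integrity checkers use a cryptographic hash.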
Storm Worm Botnet Computer Virus
The FBI issued a warning today about e-mails that purport to link readers to
an article about the "FBI Verses Facebook". The FBI Agent says the link is
a virus, part of the Storm Worm botnet (a collection of compromised
computers under the remote control of a criminal) that can make readers
vulnerable to identity theft -- and make government computers vulnerable to
national security threats.
Spammers spreading this virus are preying on Internet users and making
their computers an unwitting part of criminal botnet activity. The FBI Agent
urges net-citizens to help prevent the spread of botnets by becoming
Web-savvy and making sure their computers are not compromised.
The warning was issued by the FBI's Internet Crime Complaint Center,
which focuses on cyber crime.
A macro virus is a virus that is written in a macro language.
They are the most common type of virus. They are built
into software applications such as word processors, so
that the programme runs automatically when the
document is opened. This makes it easy to spread as it
can be embedded into emails.
TROJAN HORSE VIRUS
BY AMANBER, MURDO,
IRFAN & ADEEL
A Trojan horse, also known as a Trojan, is malware
that appears to perform a desirable function but in fact
performs undisclosed malicious functions. Therefore, a
computer worm or virus may be a Trojan horse. The
term is derived from the classical story of the Trojan
The author claims it is a free waterfall screen saver.
When run, it instead unloads hidden programs,
commands, scripts, or any number of commands without
the user's knowledge or consent. Malicious Trojan Horse
programs are used to circumvent protection systems in
effect creating a vulnerable system to allow unauthorized
access to the user's computer.
Discovered: February 2, 2000
Updated: February 13, 2007 11:57:55 AM
Also Known As: Virus.Dropper, Trojan dropper
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows
Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Dropper is a Trojan horse that drops Trojan horses or back door
Trojans onto compromised computers.
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Damage Level: Low
Other viruses can wait until a particular
event happens before they attach themselves to a
program or file.
Usually some action or condition has to be
met before the virus will attach itself.
Heuristic detection describes the
technique of approaching a problem
through previous experience. The
technique is used to find unknown viruses
that have not yet been identified by their
signatures by looking for characteristics in
a file that have previously been associated
with a known virus.
By Rebecca & Liam
What is a worm?
A worm is a program or algorithm that usually
performs actions, such as using the computer's
resources and possibly shutting the system
Worms only become noticeable once their
replication consumes the memory to the extent
that the system slows down or is unable to carry
out particular tasks.
Worms tend to use the parts of the computer's
operating system that are not seen by the user
until it's too late.
Infected disks brought in from the outside used
to be the main source of viruses until e-mail
provided the ideal delivery vehicle. Downloads
from peer-to-peer sites are another common
Once delivered, the virus will wait for the trigger to
wreak its havoc; it can also attach itself to
For Example Emails
Memory Resident Monitoring
Programs are divided into memory-resident
and non-resident ones.
A memory-resident program leaves its
data in RAM after it's finished and the
operating system allocates memory for
this program's operations.
After that, the memory-resident program
operates in parallel with other programs.
A non-resident program does not leave its code
in memory after its termination, and the memory
is then cleared.
Some anti-virus software can be memory
Which means it can check any program that
runs in RAM when the computer is switched on.
The downside of this type of anti-virus software
is that it takes up RAM, which can slow down the
usual functions of the computer.
This worm is called Stration
And also known as W32.Stration@mm,
It spreads via email subject line and