
Malware Part I: Viruses, Worms, & Trojans


What is Malware?

  • The contraction of "malicious software".
  • Software developed for the purpose of doing harm.


Malware is classified based on how it gets executed, how it spreads, and what it does:

    Viruses

    More information about viruses is available from Wikipedia's virus web page and from Trend Micro's "Virus Primer".

    Computer viruses, like biological viruses, are parasitic and use their hosts to replicate and spread, often harming the hosts in the process. The host, in this case, is a computer program, often an operating system. Viruses work and spread by attaching themselves to legitimate software (or documents, in the case of "macro viruses"), so that when the user runs the intended program the viral code is also executed. To stay alive, well-written viruses employ complex obscuring methods to evade detection.

    Macro viruses are a type of virus that exploits applications which allow their associated documents to contain executable code, known as a macro. These include Word, Excel, and other Microsoft Office Suite applications. Unlike other virus types, macro viruses aren't specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications. Macro viruses are written in a simple language and are relatively easy to create. They can infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted.
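    One defensive consequence of the parasitic behaviour described above is that an infected host program no longer matches its original bytes, so a stored hash baseline exposes it. The following is an added illustration in Python (not code from the original page): the directory, file names and file contents are constructed sample data, and a SHA-256 record of executables is the assumed integrity baseline.

```python
"""Detect modification of host executables with a hash baseline.

Added illustration, not from the original page. A file-infecting virus changes
the bytes of the programs it attaches to, so a baseline of cryptographic hashes
taken while the system was clean reveals which hosts were altered afterwards.
Everything under the temporary directory below is constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions worth baselining on a Windows host (assumption: a short list for the demo).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable under root (path relative to root) to its hash and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Report executables that changed, disappeared or appeared since the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline
                      if p in current and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Create a sample tree, baseline it, simulate an infection, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # constructed stand-ins for host programs (MZ header followed by filler bytes)
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x90" * 200)
        (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "readme.txt").write_bytes(b"not an executable, so not baselined")
        baseline = build_baseline(root)
        stored = json.dumps(baseline)  # what an administrator would keep offline
        # Simulate a parasitic infection: bytes appended to one host, plus a dropped file
        with (root / "bin" / "editor.exe").open("ab") as fh:
            fh.write(b"APPENDED-BYTES-PLACEHOLDER")
        (root / "bin" / "dropped.scr").write_bytes(b"MZ" + b"\xcc" * 50)
        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(demo())
```

    The baseline is only as trustworthy as the moment it was taken, so it belongs on read-only or off-host storage; a virus that has already infected the system before the first hash run simply becomes part of the baseline.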

    Worms


    Computer worms, while similar to viruses, are stand-alone applications and do not require attaching themselves to legitimate programs to replicate. A virus attaches itself to, and becomes part of, another executable program; a worm is self-contained and does not need to be part of another program to propagate itself. Instead, a worm copies itself directly to other computers over a network, including the Internet. Worms are not limited to the usual form of files or email attachments; propagation often takes place via shared resources, such as shared drives and folders, or other network ports and services. Many have the ability to spread themselves via legitimate network ports, such as port 80 (HTTP), 1434 (SQL), or 135 (DCOM RPC). Once a worm infects a new system, it searches the network for other vulnerable systems to infect. Worms often carry "payloads", such as Denial of Service (DoS) attacks. When such an attack is carried out, infected computers will attempt to overwhelm the target system until it is unable to function properly.

    Statistics demonstrating the effectiveness of worms:
    • List of worm threats from the PestPatrol website
    • Sapphire worm outbreak, first 30 minutes
    • CodeRed infections, first 24 hours
    • Code Red statistics

    Trojan Horses


    Trojan Horses, or Trojans, are named after the "gift" horse the Greeks used to gain access to, and capture, the city of Troy. Computer Trojans use the same technique to compromise computer systems. A Trojan Horse neither replicates (like a virus) nor copies itself (like a worm). Trojans, like worms, differ from viruses in that they are self-contained programs. Trojans differ from worms in that they do not move from one computer to another on their own; they require someone to deliberately run them. So Trojan Horse designers use social engineering to trick people into executing them, often hiding a Trojan in an email attachment or offering the "containing" application for download free of charge.

    Many other threats are delivered as Trojan Horses, including spyware.

    Examples of email messages carrying Trojans from Bank Safe Online


Recommended Reading


Terminology

    Because viruses were historically the first to appear, the term "virus" is often applied to all sorts of malware. "Anti-virus" software encourages this broader sense of the term, since its coverage includes viruses, Trojans, worms and, more recently, spyware.

    The main difference between a Trojan and a virus is replication: Trojans do not replicate. If a program replicates, it should be classified as a virus.

    Variants are new strains of malware derived by borrowing code and techniques from other successful malware.

    Polymorphic viruses change parts of the virus code on each replication to evade detection by antivirus software.

    Hybrid or blended threats:

    • combine the most effective characteristics of viruses, worms, Trojan Horses, and other malicious code
    • exploit known vulnerabilities
    • use overlapping methods and techniques to infect and propagate
    • spread rapidly and cause widespread damage
    • require, for effective protection, a comprehensive solution containing multiple layers of defense


Prevention & Repair

    All malware exploits system vulnerabilities or human weakness. Effective protection involves learning about risks and remedies, and applying both to secure computer systems.

    How Does a Computer Catch a Virus?

      Like viruses that infect living creatures, computer viruses infect your computer. They are software, and are often attached to other software or documents you might receive. When you run the virus's software or the file the virus has infected, the virus can infect your computer's software. There are only two ways for a computer to get a virus:

      1. You load the virus onto your computer through an infected floppy, CD-ROM, or other storage medium.
      2. The virus arrives by a downloaded file, email attachment, or other method from the Internet or a network.

      At this point, an infected file is on the computer's hard drive. But remember, your computer will only become infected if you launch or view the file, or run the infected program. So an important tip is to always scan new files for viruses before you use them.

      Take these precautions when working with files and the Internet:
      • Before you load a file or install software onto your computer from a floppy disk or CD-ROM, use your antivirus program to scan the floppy or CD.
      • If you receive an email attachment from an unfamiliar email address, or an attachment you were not expecting, either scan it or delete it (preferred).
      • If you receive an email attachment from someone you know, and your antivirus program does not automatically scan incoming emails, save the attachment to your hard drive and scan it with the antivirus program. Your friend or colleague's computer may be infected with a virus.
      • When you download software from the Internet, be sure to download it from the software company's site or a recognized download site ( http://downloads-zdnet.com.com/ , http://www.download.com or http://www.tucows.com for example). Download the file to your hard drive and scan it using your antivirus program before you run or decompress it.
      • If someone sends you a 'joke' file or electronic greeting card that you must launch to view, be very wary.

      Trojan horses can be protected against through awareness. Do not open unusual attachments that arrive unexpectedly, even if you know the sender or recognize the source's address. Even if you expect an attachment, scan it with up-to-date antivirus software before opening it. Files downloaded from the Internet are particularly suspect because file-sharing services are a known distribution method for Trojans.

      An attacker might attach a Trojan with an innocent-looking filename to a spam email message, enticing the recipient into opening the file. The Trojan would have a filename extension such as .exe, .scr, .bat, or .pif. If Windows is configured not to display filename extensions (the default), the Trojan's extension might be "hidden": instead of "Readme.txt.exe" the user only sees "Readme.txt" and could mistake it for a harmless text file. When the recipient double-clicks the attachment, the Trojan superficially appears to do what the user expects (open a text file, for example), so as to keep the victim unaware of its malicious activity. Meanwhile, it might secretly modify or delete files, change the configuration of the computer, or use the computer as a base from which to attack other computers.
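      The hidden-extension case above is mechanical enough to check automatically, at a mail gateway or in a tool that explains to users what they are really looking at. The following is an added example in Python, not code from the original page: it reports an attachment's real extension, the name Explorer would show with known extensions hidden (simplified here to "drop the last extension"), and the reasons the name should be blocked. The extension lists and the sample names are constructed, non-exhaustive assumptions.

```python
"""Assess email attachment names for executable and disguised extensions.

Added example, not from the original page. Windows decides what to run from
the LAST extension, while a user who has extensions hidden sees everything
before it; this code makes both views explicit. Extension lists are a
constructed assumption and are not exhaustive.
"""
import os

# Extensions Windows executes on double-click (assumed demo list)
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".pif", ".com", ".cmd", ".vbs", ".js"}
# Extensions a user reads as a harmless document or picture (assumed demo list)
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".htm", ".html"}


def displayed_name(filename: str, hide_extensions: bool = True) -> str:
    """Simplified Explorer behaviour: with extensions hidden, the last one disappears."""
    stem, ext = os.path.splitext(filename)
    return stem if hide_extensions and ext else filename


def assess_attachment(filename: str) -> dict:
    """Return the real extension, the displayed name, and the reasons to block it."""
    name = filename.strip().rstrip(".")  # Windows ignores trailing dots in names
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()  # the extension the user will see
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"extension {real_ext} is executed on double-click")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"appears as '{displayed_name(name)}' when extensions are hidden")
    return {
        "filename": filename,
        "real_extension": real_ext,
        "displayed": displayed_name(name),
        "block": bool(reasons),
        "reasons": reasons,
    }


def filter_attachments(names) -> dict:
    """Split a batch of attachment names into allowed and blocked lists."""
    verdicts = [assess_attachment(n) for n in names]
    return {
        "allowed": [v["filename"] for v in verdicts if not v["block"]],
        "blocked": [v["filename"] for v in verdicts if v["block"]],
    }


if __name__ == "__main__":
    # constructed sample attachment names
    for sample in ["Readme.txt.exe", "report.pdf", "party.jpg.scr", "setup.exe"]:
        print(assess_attachment(sample))
```

      A real gateway would look at the file's content as well as its name, since the name is entirely under the sender's control; the point of the check is that the decision is made on the last extension, which is exactly the part the default Explorer setting hides.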

      Use of automatic updates (on Windows systems), antivirus, and other software upgrades will help to protect systems. For Microsoft Windows users the recommendations contained in Microsoft Knowledge Base Article #129972 - Computer viruses: detection, recovery, & prevention are mandatory.


    AVG Anti-Virus Free Edition

    Online anti-virus scanners:


    Resources:


    Test the effectiveness of your email anti-virus solution:


    Advanced Manual Repair:

      The following is taken from the Symantec Knowledgebase.

      WARNING:
      The following recommendations assume that you have a working knowledge of Windows Registry and operating system. Incorrectly modifying the file system or Registry can seriously damage the functionality of your operating system and applications. So this section is recommended only for experienced computer administrators.

      Due to the nature of Windows, many threats run as a process, so that they can be protected by the operating system after they are executed. To look for these, open the Task Manager and look for them on the Processes tab. Because there are many processes running, you must either know the name of a specific process to look for (described in a virus write-up) or which processes normally run on your computer.

      1. Close all programs, saving any work.
      2. Press Ctrl+Shift+Esc to open the Task Manager.
      3. Click the Processes tab.
      4. Click "Image Name" twice to sort the processes.
      5. Look through the list for possible threats.
      6. When a suspicious process is located, select it, and then click End Process.
      7. Locate and delete the loader files.
      8. Remove any load points from the registry.

      The most common loading points for these threats are in the registry. If you suspect that a system is infected, then examine each of these keys for suspicious entries:

      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Determine whether Value Name or Value Data, including the (Default) value, refers to a suspicious file.

      Another possible method that is used to load an infector is to hide a file, or a shortcut to it, in the "StartUp" folders. To check for its presence, right-click "Start", and then click "Open All Users". Double-click "Programs". Double-click "StartUp". Look for any suspicious files or shortcuts. Be sure to set the explorer window's "View" > "Options" to "show all files" and to "display file extensions". Repeat this process for the current user's StartUp folder by right-clicking "Start" and then clicking "Open".



Copyright © 2003 Scientis