Virus infestations are increasing at an alarming rate. Chances are that one or more of your computers either has a virus now or has had one in the last two years. If you are connected to the Internet, receive email, or have floppy drives or removable media devices, you are at risk of virus infestation. If your anti-virus software is not up to date, is not set up properly, or does not run complete system scans weekly, you have probably either already suffered a virus attack that you may not yet have detected, or you will suffer one within the next 12-18 months.

It is not a question of if, but of when, where, how much damage it will cause, and how much it will cost your organization to contain, eliminate, and recover from the virus. Some organizations without proper data protection and backup solutions may never fully recover.
How Viruses Work

A computer virus is a piece of self-replicating code, usually attached to another piece of code. The code can be harmless (for example, it might display a message or play a tune) or harmful, deleting and modifying files.

The virus code searches the user's files for an uninfected executable program to which the user has write permission. The virus infects the file by inserting a piece of its own code into the selected program file. When an infected program is executed, the virus immediately takes control, finding and infecting other programs and files.

Some viruses are "memory resident" viruses. When a user executes an executable file infected with this type of virus, the virus loads itself into memory and remains there even after the original program exits. Programs executed afterwards are infected with the virus until the computer is shut down or turned off. Some viruses have a "dormant" phase and become active only at certain times or when certain actions are performed.

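An added example (not code from the original page) of the defensive check that follows directly from this description: because a file infector must write its own code into a program file, the file's size and cryptographic hash change, and recording a hash of every executable while the machine is known to be clean lets a later scan reveal which programs were touched. The sample files, the appended bytes that stand in for an infection, and the temporary directory are all constructed for the demo; the extension list is the one the page's File Viruses entry gives.

```python
"""File-integrity baseline: the check that catches a file infector after
the fact. Added example; sample data is constructed, no real executables
are touched."""
import hashlib
import os
import tempfile

# Extensions the page lists as file-virus targets; matched case-insensitively.
EXECUTABLE_EXTS = {".com", ".exe", ".sys", ".drv", ".bin", ".ovl", ".ovy"}


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every executable under root (relative path) to (size, sha256)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = (os.path.getsize(path), sha256_of(path))
    return baseline


def compare(baseline, root):
    """Diff the current tree against a stored baseline.

    Returns sorted lists: 'modified' (size or hash differs), 'added'
    (executable not present when the baseline was taken) and 'missing'
    (baseline entry no longer on disk).
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Construct a tiny tree, baseline it, then simulate an infection.

    The 'infection' is just extra bytes appended to one program and a new
    file dropped beside it: enough to change size and hash, which is all
    the integrity check needs to see.
    """
    samples = {
        "PROGRAM.EXE": b"constructed program image " * 4,
        "TOOL.COM": b"constructed com image",
        "README.TXT": b"not an executable, ignored by the baseline",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        with open(os.path.join(root, "PROGRAM.EXE"), "ab") as f:
            f.write(b"constructed appended bytes")        # modified in place
        with open(os.path.join(root, "DROPPED.COM"), "wb") as f:
            f.write(b"constructed dropped file")          # new executable
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the comparison for the constructed tree; the same `build_baseline`/`compare` pair works on a real directory, provided the baseline was taken while the machine was known to be clean and is kept somewhere the virus cannot rewrite it, such as write-protected removable media. A stealth virus that intercepts disk reads can feed this check a clean image, which is why the page's advice to scan after a cold boot from a clean rescue disk still applies.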
Virus Terms & Definitions

A

- ActiveX
  ActiveX controls are software modules based on Microsoft's Component Object Model (COM) architecture. They add functionality to software applications by seamlessly incorporating pre-made modules into the basic software package. Modules can be interchanged but still appear as parts of the original software.

  On the Internet, ActiveX controls can be linked to Web pages and downloaded by an ActiveX-compliant browser. ActiveX controls let a Web page behave like any other program launched from a server.

  ActiveX controls can have full system access. In most instances this access is legitimate, but one should be cautious of malicious ActiveX applications.

- Anti-virus Software
  Anti-virus software scans a computer's memory and disk drives for viruses. If it finds a virus, the application informs the user and may clean, delete or quarantine any files, directories or disks affected by the malicious code. Also: Anti-virus Scanner

- Antivirus Virus
  Antivirus viruses specifically look for and remove other viruses.

- Anti-antivirus Virus
  Anti-antivirus viruses attack, disable or infect specific anti-virus software. Also: Retrovirus

- Applet
  Any miniature application transported over the Internet, especially as an enhancement to a Web page. Authors often embed applets within the HTML page as a foreign program type. Java applets are usually only allowed to access certain areas of the user's system; programmers often refer to this area as the sandbox.

- Armored Virus
  An armored virus tries to prevent analysts from examining its code. The virus may use various methods to make tracing, disassembling and reverse engineering its code more difficult.

B

- Back Door
  A feature programmers often build into programs to allow special privileges normally denied to users of the program. Programmers often build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk. Also: Trapdoor

- Background Scanning
  A feature in some anti-virus software that automatically scans files and documents as they are created, opened, closed or executed.

- Bimodal Virus
  A bimodal virus infects both boot records and files. Also: Bipartite; See Also: Boot Sector Infector, File Virus, Multipartite

- BIOS
  Basic Input/Output System. The part of the operating system that identifies the set of programs used to boot the computer before locating the system disk. The BIOS is located in the ROM (Read Only Memory) area of the system and is usually stored permanently.

- Boot
  To start (a cold boot) or reset (a warm boot) the computer so it is ready to run programs for the user. Booting the computer executes various programs that check and prepare the computer for use. See Also: Cold Boot, Warm Boot

- Boot Record
  The program recorded in the boot sector. This record contains information on the characteristics and contents of the disk and the information needed to boot the computer. If a user boots a PC with a floppy disk, the system reads the boot record from that disk. See Also: Boot Sector

- Boot Sector
  An area located on the first track of floppy disks and logical disks that contains the boot record. "Boot sector" usually refers to this specific sector of a floppy disk, whereas the term "Master Boot Sector" usually refers to the same section of a hard disk. See Also: Master Boot Record

- Boot Sector Infector
  A boot sector infector virus places its starting code in the boot sector. When the computer tries to read and execute the program in the boot sector, the virus goes into memory, where it can gain control over basic computer operations. From memory, a boot sector infector can spread to other drives (floppy, network, etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it has stored elsewhere on the disk. Also: Boot Virus, Boot Sector Virus, BSI

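An added example (not code from the original page) that turns the Boot Sector and Boot Sector Infector entries into a check a defender can run: it parses a 512-byte master boot record, verifies the 0x55AA boot signature, lists the partition table, and compares a SHA-256 of the 446 bytes of boot code against a digest recorded while the disk was known to be clean, which is how a replaced boot sector shows up. The layout constants are the standard MBR layout; the sample sector, its single partition entry and the placeholder boot code are constructed for the demo, and no real disk is read.

```python
"""Parse an MBR and compare its boot code with a known-good digest.
Added example; the sample sector is constructed in memory."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector):
    """Return signature check, boot-code digest and the used partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, known_good_digest):
    """Classify a sector against the boot-code digest taken from a clean disk."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: boot signature missing"
    if info["boot_code_sha256"] != known_good_digest:
        return "changed: boot code differs from baseline"
    return "clean"


def build_sample_mbr(boot_code):
    """Construct a demo MBR: given boot code, one FAT16 partition, signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # one bootable partition of type 0x06 starting at LBA 63 (constructed values)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0F", 63, 204800)
    table = entry + b"\x00" * 48      # remaining three slots unused
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"placeholder clean boot code")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(check_mbr(clean, baseline))                                      # clean
    print(check_mbr(build_sample_mbr(b"placeholder other code"), baseline))  # changed
```

On a real system the sector would be read from the raw device with the first 512 bytes of the disk; the important operational point from the entry above is that the comparison must be made after a cold boot from a clean, write-protected rescue disk, because a resident boot sector infector that is already in memory can intercept the read and return the original sector it stashed elsewhere.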
- Bug
  An unintentional fault in a program that causes actions neither the user nor the program author intended.

C

- Cluster Virus
  Cluster viruses modify the directory table entries so the virus starts before any other program. The virus code exists in only one location, but running any program runs the virus as well. Because they modify the directory, cluster viruses may appear to infect every program on a disk. Also: File System Virus

- Cold Boot
  To start the computer by cycling the power. A cold boot using a rescue disk (a clean floppy disk with boot instructions and virus scanning capabilities) is often necessary to clean or remove boot sector infectors. See Also: Boot, Warm Boot

- Companion Virus
  Companion viruses use a feature of DOS that allows programs with the same name but different extensions to be run with different priorities. Most companion viruses create a COM file, which has a higher priority than an EXE file with the same name. Thus a virus may see that a system contains the file PROGRAM.EXE and create a file called PROGRAM.COM. When the user runs PROGRAM from the command line, the virus (PROGRAM.COM) runs before the actual PROGRAM.EXE. Often the virus will execute the original program afterwards so the system appears normal.

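An added example (not code from the original page) of the audit that follows from the Companion Virus entry: walk a directory tree and report every file that DOS would run in place of a same-named program because of the command-line search order. It generalises the COM-before-EXE case in the text to the full COM, EXE, BAT order that COMMAND.COM uses (an assumption about default DOS behaviour; Windows' PATHEXT ordering can differ). A legitimate pair is possible, so the output is a review list rather than a verdict. The directory tree is constructed in a temporary directory.

```python
"""Find companion-virus candidates: files that shadow a same-named program.
Added example; the sample tree is constructed."""
import os
import tempfile

# DOS command-line search order, highest priority first (assumed default
# COMMAND.COM behaviour).
SEARCH_ORDER = [".com", ".exe", ".bat"]


def find_companions(root):
    """Return sorted (shadowing_file, shadowed_file) pairs under root.

    Two files in the same directory are reported when they share a base
    name and the first's extension precedes the second's in SEARCH_ORDER.
    Names are compared case-insensitively, as DOS file names are.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_base = {}
        for name in files:
            base, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in SEARCH_ORDER:
                by_base.setdefault(base.lower(), []).append((SEARCH_ORDER.index(ext), name))
        for variants in by_base.values():
            if len(variants) < 2:
                continue
            variants.sort()  # lowest index = highest priority first
            ranked = [os.path.relpath(os.path.join(dirpath, n), root) for _, n in variants]
            for i, shadowing in enumerate(ranked):
                for shadowed in ranked[i + 1:]:
                    findings.append((shadowing, shadowed))
    return sorted(findings)


def demo():
    """Construct a tree with two shadowing pairs and one harmless EXE."""
    names = [
        "PROGRAM.EXE",
        "PROGRAM.COM",                        # companion of PROGRAM.EXE
        "EDITOR.EXE",                         # no companion
        os.path.join("TOOLS", "BACKUP.BAT"),
        os.path.join("TOOLS", "BACKUP.EXE"),  # EXE shadows the BAT
    ]
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "TOOLS"))
        for rel in names:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"constructed sample content")
        return find_companions(root)


if __name__ == "__main__":
    for shadowing, shadowed in demo():
        print(f"{shadowing} would run instead of {shadowed}")
```

Pair the listing with the integrity baseline taken when the system was clean: a COM file that is new since the baseline and shadows an existing EXE is the pattern the entry describes, whereas a pair that was already present is most likely intentional.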
D

- Direct Action Virus
  A direct action virus works immediately to load itself into memory, infect other files, and then unload itself.

E

- Encrypted Virus
  An encrypted virus's code begins with a decryption algorithm and continues with scrambled or encrypted code for the remainder of the virus. Each time it infects, it automatically encodes itself differently, so its code is never the same. Through this method the virus tries to avoid detection by anti-virus software.

F

- FAT
  File Allocation Table. Under MS-DOS, Windows 3.x, 9x, and (in some cases) NT, the FAT is located in the boot sector of the disk and stores the addresses of all the files contained on the disk. Viruses and other malicious programs, as well as normal use and extended wear and tear, can damage the FAT. If the FAT is damaged or corrupt, the operating system may be unable to locate files on the disk.

- File Viruses
  File viruses usually replace or attach themselves to COM and EXE files. They can also infect files with the extensions SYS, DRV, BIN, OVL and OVY. File viruses may be resident or non-resident, the most common being resident or TSR (terminate-and-stay-resident) viruses. Many non-resident viruses simply infect one or more files whenever an infected file runs. Also: Parasitic Virus, File Infector, File Infecting Virus

I

- In The Wild, Wild
  A virus is "in the wild" if it is verified as having caused an infection outside a laboratory situation. Most viruses are in the wild and differ only in prevalence. Also: ITW; See Also: Zoo Virus

J

- JavaScript
  JavaScript is a scripting language that can run wherever there is a suitable script interpreter, such as Web browsers, Web servers, or the Windows Scripting Host. The scripting environment used to run JavaScript greatly affects the security of the host machine:
  - A Web page with JavaScript runs within a Web browser in much the same way as a Java applet and does not have access to host machine resources.
  - An Active Server Page (ASP) or a Windows Scripting Host (WSH) script containing JavaScript is potentially hazardous, since these environments allow scripts unrestricted access to machine resources (file system, registry, etc.) and application objects.

M

- Macro Virus
  A macro virus is a malicious macro. Macro viruses are written in a macro programming language and attach to a document file (such as a Word or Excel document). When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continued use of the program spreads the virus.

- Memory-resident Virus
  A memory-resident virus stays in memory after it executes and infects other files when certain conditions are met. In contrast, non-memory-resident viruses are active only while an infected application runs.

- Multipartite Virus
  Multipartite viruses use a combination of techniques, including infecting documents, executables and boot sectors, to infect computers. Most multipartite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, multipartite viruses may infect the entire system.

  Removing multipartite viruses requires cleaning both the boot sectors and any infected files. Before you attempt the repair, you must have a clean, write-protected Rescue Disk.

N

- NTFS
  NT File System; a Windows NT file system used to organize and keep track of files. See Also: FAT

O

- Operating System - OS
  The operating system is the underlying software that enables you to interact with the computer. The operating system controls the computer's storage, communications and task management functions. Examples of common operating systems include MS-DOS, MacOS, Linux and Windows 98. Also: OS, DOS

P

- Polymorphic Viruses
  Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection by anti-virus software. Some polymorphic viruses use different encryption schemes and require different decryption routines, so the same virus may look completely different on different systems or even in different files. Other polymorphic viruses vary instruction sequences and use false commands in an attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation engine and random-number generators to change both the virus code and its decryption routine. See Also: Mutating Virus

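An added example (not code from the original page) that shows, for the Encrypted Virus and Polymorphic Virus entries, why the signature scanning described under Anti-virus Software fails against a re-encoded body and what a scanner does about it. The container format is invented for the demo: a constant stub marker standing in for the decryption routine, a one-byte key, a two-byte body length, then the body XORed with that key. Two copies of the same harmless constructed body under different keys share no body bytes, so a signature taken from the body never matches either; the stub is identical in both, and a scanner that recognises it can decode what follows and match the plaintext, which is the idea behind the generic-decryption approach real products use.

```python
"""Plain signature scan versus stub-aware decoding scan over a toy
encrypted-container format. Added example; all data is constructed."""
import struct

STUB = b"DECRYPT-STUB:"          # constructed marker standing in for the decryptor
BODY_SIGNATURE = b"VIRAL-BODY"   # constructed signature taken from the plain body


def xor_bytes(data, key):
    """Single-byte XOR; the same operation both encodes and decodes."""
    return bytes(b ^ key for b in data)


def wrap_sample(body, key):
    """Construct a demo container: stub | key(1) | length(2, LE) | xor(body, key)."""
    return STUB + bytes([key]) + struct.pack("<H", len(body)) + xor_bytes(body, key)


def scan_plain(blob, signature):
    """Naive scanner: look for the signature bytes as they are."""
    return signature in blob


def scan_with_decryption(blob, signature):
    """Stub-aware scanner: find the stub, decode what follows, then match.

    Matching the constant decryptor and inspecting the plaintext it would
    produce is what defeats per-infection re-encoding; the body itself is
    never the same twice, the decryptor is.
    """
    pos = blob.find(STUB)
    while pos != -1:
        hdr = pos + len(STUB)
        if hdr + 3 <= len(blob):
            key = blob[hdr]
            (length,) = struct.unpack_from("<H", blob, hdr + 1)
            body = xor_bytes(blob[hdr + 3: hdr + 3 + length], key)
            if signature in body:
                return True
        pos = blob.find(STUB, pos + 1)
    return False


def demo():
    """Same body under two keys plus a clean file; returns (plain, decoding) verdicts."""
    body = b"CONSTRUCTED-VIRAL-BODY-FOR-DEMO"
    host = b"constructed host program bytes "
    samples = {
        "copy_a": host + wrap_sample(body, 0x21) + host,
        "copy_b": host + wrap_sample(body, 0x7E) + host,
        "clean": host * 3,
    }
    return {name: (scan_plain(blob, BODY_SIGNATURE),
                   scan_with_decryption(blob, BODY_SIGNATURE))
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (plain, decoded) in demo().items():
        print(f"{name}: plain signature={plain}, decoding scan={decoded}")
```

The caveat the Polymorphic entry adds is visible in the code: `scan_with_decryption` depends on the stub being constant. A polymorphic virus that also rewrites its decryption routine leaves no fixed stub to match, which is why scanners moved from matching the decryptor to emulating it and scanning the memory image it produces.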
R

- Resident Virus
  A resident virus loads into memory and remains inactive until a trigger event. When the event occurs the virus activates, either infecting a file or disk or causing other consequences. All boot viruses are resident viruses, and so are the most common file viruses.

- Retrovirus
  A computer virus that actively attacks an anti-virus program or programs in an effort to prevent detection.

S

- Stealth Virus
  Stealth viruses attempt to conceal their presence from anti-virus software. Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a "clean" image of the requested item. Other viruses hide the actual size of an infected file and display the size of the file before infection. Stealth viruses must be running to exhibit their stealth qualities. Also: Interrupt Interceptors

T

- Trojan Horse Program
  A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses, since they do not replicate, but Trojan horse programs can be just as destructive. Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses. Also: Trojan

- TSR
  Terminate and Stay Resident. TSR programs stay in memory after being executed. TSR programs allow the user to quickly switch back and forth between programs in a non-multitasking environment such as MS-DOS. Some viruses are TSR programs that stay in memory to infect other files and programs. Also: Memory-resident Program

V

- Variant
  A modified version of a virus, usually produced on purpose by the virus author or another person amending the virus code. If the changes to the original are small, most anti-virus products will also detect the variant. However, if the changes are large, the variant may go undetected by anti-virus software.

- VBS - VB
  Visual Basic Script. Visual Basic Script is a programming language that can invoke any system function, including starting, using and shutting down other applications, without the user's knowledge. VBS programs can be embedded in HTML files and provide active content via the Internet. Since not all content is benign, users should be careful about changing security settings without understanding the implications. This file type has the extension VBS.

- Virus
  A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files so that when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies or creates them. Some viruses display symptoms, and some viruses damage files and computer systems, but neither symptoms nor damage is essential to the definition of a virus; a non-damaging virus is still a virus.

  There are computer viruses written for several operating systems, including DOS, Windows, Amiga, Macintosh, Atari, UNIX and others. McAfee.com presently detects more than 57,000 viruses, Trojans, and other malicious software. (Note: the preferred plural is the English form, viruses.)

  See Also: Boot Sector Infector, File Viruses, Macro Virus, Companion Virus, Worm

W

- Worm
  Worms are parasitic computer programs that replicate but, unlike viruses, do not infect other computer program files. Worms can create copies on the same computer or can send the copies to other computers via a network. Worms often spread via IRC (Internet Relay Chat).

Z

- Zoo
  A collection of viruses used for testing by researchers. See Also: In The Wild, Zoo Virus

- Zoo Virus
  A zoo virus exists in the collections of researchers and has never infected a real-world computer system. See Also: In The Wild

Virus Detection and Prevention Tips

- Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.
- Do not open any files attached to an email unless you know what the file is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better safe than sorry: confirm that the sender really sent it.
- Do not open any files attached to an email if the subject line is questionable or unexpected. If you really must open such a file, always save it to your hard drive first.
- Delete chain emails and junk email. Do not forward or reply to them. These types of email are considered spam: unsolicited, intrusive mail that clogs up the network.
- Do not download any files from strangers.
- Exercise caution when downloading files from the Internet. Ensure that the source is legitimate and reputable. Verify that an anti-virus program checks the files on the download site. If you are uncertain, do not download the file at all, or download it to a floppy and test it with your own anti-virus software.
- Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you will want to stay protected. At the least, these updates should cover the product's virus signature files; you may also need to update the product's scanning engine.
- Back up your files on a regular basis. If a virus destroys your files, at least you can replace them from your backup copy. Store the backup copy in a separate location from your work files, preferably not on your computer.
- When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the most important of these. Check with your product vendors for updates, including those for your operating system, web browser, and email client. One example is the security section of Microsoft's site at http://www.microsoft.com/security.
- If you are in doubt about any potential virus-related situation you find yourself in, you may report a virus to our virus team.
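An added example (not code from the original page) that applies the attachment rules above mechanically, so an attachment is classified before anyone decides whether to open it. It blocks directly executable and script extensions (the page names VBS, COM and EXE; SCR, PIF, BAT, JS and WSH are this example's additions), calls out a document name with an executable suffix such as report.txt.vbs as a disguise, and sends an attachment whose declared Content-Type does not fit its extension to review. The message, its addresses and its attachments are constructed in memory with the standard library; the extension and content-type tables are assumptions, not the page's.

```python
"""Triage e-mail attachments by extension and declared content type.
Added example; the sample message is constructed."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that run directly or through a script host (assumed list).
BLOCKED_EXTS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js", ".wsh"}
# Extensions that should be inert documents; an executable suffix after one
# of these ("invoice.pdf.exe") is a disguise attempt.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".xls", ".jpg", ".gif", ".htm", ".html"}
ARCHIVE_EXTS = {".zip"}
# Declared Content-Type expected for a few document extensions (assumed).
EXPECTED_TYPE = {".txt": "text/plain", ".pdf": "application/pdf", ".jpg": "image/jpeg"}


def classify_attachment(filename, content_type):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if ext in BLOCKED_EXTS:
        if inner in DOCUMENT_EXTS:
            return ("block", "executable disguised with a double extension")
        return ("block", "executable or script attachment")
    if ext in ARCHIVE_EXTS:
        return ("review", "archive may contain executables; scan its contents")
    if ext in EXPECTED_TYPE and content_type != EXPECTED_TYPE[ext]:
        return ("review", f"Content-Type {content_type} does not match {ext}")
    if ext not in DOCUMENT_EXTS:
        return ("review", "unrecognised extension")
    return ("allow", "document type; still subject to anti-virus scanning")


def triage_message(raw):
    """Parse raw RFC 822 bytes and classify every attachment, in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        verdict, reason = classify_attachment(fname, part.get_content_type())
        results.append((fname, verdict, reason))
    return results


def build_sample_message():
    """Construct a message carrying four attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"     # constructed address
    msg["To"] = "you@example.com"          # constructed address
    msg["Subject"] = "Files you asked for"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"constructed binary", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"constructed script text", maintype="text", subtype="plain",
                       filename="report.txt.vbs")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict, reason in triage_message(build_sample_message()):
        print(f"{verdict:6} {fname}: {reason}")
```

The classifier deliberately looks only at the name and the declared type, which is what a mail gateway sees before any scanner runs; an "allow" verdict means the attachment may proceed to the anti-virus scan the page recommends, not that it is known to be clean.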