FAQs about antivirus software: learn how to help protect your computer against viruses, worms, and other unwanted software.
www.microsoft.com/protect/computer/viruses/antivirus.mspx
The Conficker virus/worm is set to update itself on April 1, 2009. This is a VERY SERIOUS threat and is verified and legitimate. Please see below for how to protect your computer.
Step 1 - Update and run your computer's anti-virus software. You also need to run any Ad-Aware-type program you may have.
Step 2 - Go to this link and run the Microsoft Malicious Software Removal Tool. I recommend running the full version.
http://www.microsoft.com/security/malwareremove/default.mspx
Step 3 - Go to this link and install the Microsoft-supported patch for the vulnerability the worm exploits. Scan the list to see which version of Windows you are using.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Please pass this video around so that others are aware of this and will know how to protect their computers.
More Information: http://tech.yahoo.com/blogs/null/132464
More Information: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx


A computer worm is a software program that is designed to copy itself from one computer to another, without human interaction. Unlike a computer virus, a worm can copy itself automatically.
Worms can replicate in great volume. For example, a worm can send out copies of itself to every contact in your e-mail address book, and then it can send itself to all of the contacts in their e-mail address books.
Some worms spread very quickly. They clog networks and can cause long waits for you (and everyone else) to view Web pages on the Internet.
You might have heard of specific computer worms, including the Sasser worm and the Blaster worm. The most recent worm is called the Conficker worm.
To help prevent infections by and to get rid of the Conficker worm and worms like it, visit the Windows Live OneCare Safety Scanner or the Malicious Software Removal Tool. If you have automatic updating turned on, the Malicious Software Removal Tool runs on your computer every month.
For more basic information about computer worms, see How to prevent computer worms and How to remove computer worms.
For more advanced information, see Protect yourself from the Conficker computer worm.
Websites are buzzing about the Conficker April 1 virus. Reportedly, the Conficker C virus, also known as Conflicker, Kido and Downadup, will evolve on April 1, making it more difficult to remove. Many security experts, however, believe that the April 1 worm will not wreak major havoc on Wednesday. Still, it is best to avoid the April 1 computer worm, as online financial information such as credit card accounts may be at risk of being hacked.
How to avoid the April 1 virus
One of the most recommended ways to protect yourself from the April Fools' worm is to download the Conficker patch. You can go to the Microsoft website for the Conficker Microsoft patch. You can also read the following posts: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
Removing the Conficker worm
Several Win32 Conficker removal tools are now available, but because the Conficker worm also spreads through portable storage devices such as USB drives, disabling your PC's AutoRun feature for external media is recommended. Here is how to remove Conficker with a Conficker remover:
You can also read the following articles to learn more about how you can protect your PC from the Conficker virus, repair Conficker virus damage and manually remove Conficker:
Automatic remover: download the Funny UST Scandal Avi.exe Remover.
Manual removal:
Software used to build the virus: AutoIt v3
Dropped files:
- killer.exe (4084 KB) in c:\windows\
- lsass.exe (3920 KB) in c:\documents and settings\all users\start menu\programs\startup
- smss.exe (4088 KB) in all root drives and in c:\windows
- autorun.inf (1 KB) in all root drives, containing this script:
[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exe
- Funny UST Scandal.avi.exe (228 KB) in all root drives
Registry entries:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value Shell = killer.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value runonce = c:\windows\smss.exe
How to remove this lame virus?
- First download Task Killer from http://www.rsdsoft.com/task_killer/index.php4 and install it on your computer, because you can't use Task Manager to terminate the virus (the virus automatically closes Task Manager).
- Run Task Killer and left-click its icon in the system tray (the one with a skull icon).
- Click Processes.
- To close the virus, select the process and click Yes to the question.
Processes to close:
1. killer.exe
2. lsass.exe
3. smss.exe
Note: close only the processes that have the same icon as Funny UST Scandal.avi.exe (lsass.exe and smss.exe are also the names of genuine Windows system processes, which run from c:\windows\system32).
CMD STEPS
1. Click "Start", then "Run".
2. Type "cmd" without quotes.
3. Type "cd\" without quotes.
4. Type "attrib -h -s smss.exe" without quotes.
5. Type "attrib -h -s autorun.inf" without quotes.
6. Type "start c:" without quotes (a new window will open).
7. Select smss.exe, autorun.inf and Funny UST Scandal.avi.exe and delete them.
- If there is any other drive or partition, type "d:" in the command prompt without quotes, where "d" is the drive letter, then repeat CMD STEPS 4-7 above.
- Now type "cd windows" in the command prompt without quotes (again!).
- Type "attrib -h -s smss.exe" without quotes (again).
- Type "start c:\windows" without quotes (oh dear!).
- Delete the file smss.exe.
- Now go to c:\documents and settings\all users\start menu\programs\startup.
- Delete lsass.exe.
- Click "Start", then "Run".
- Type "regedit" without quotes, then delete the registry entries listed above.
Special thanks to http://www.edmartechguide.com
Virus Infections
This virus affects your system by:
- disabling Task Manager
- disabling Registry Editor
- creating a startup entry so that it runs at system start
- creating its own .exe files in the Shared Documents folder, which appear like ordinary folders
- disabling Folder Options
- using 50% or more of your processor
You can see that the folders in Shared Documents have an .exe extension if you have unchecked "Hide extensions for known file types" in Folder Options.
Smart Virus Remover (625.9 KiB)
The registry is one of the most vital components of the Microsoft Windows operating system. In simple terms, it is a complex database containing virtually all system, software, hardware and user settings. Almost every piece of software keeps its data in the registry. It is so important that Windows would not even start without it.
Most dangerous parasites, especially browser hijackers, trojans, spyware and adware threats, modify the Windows registry. Parasites add various registry entries, create new keys and change default values. This is done in an attempt to register the pest in the system and alter essential settings of the Windows operating system and installed software. Most such changes are made for malicious purposes.
On our site you can find parasite registry entries that need to be manually removed. However, editing the registry is a difficult task that only advanced users and professionals can accomplish safely. Most anti-spyware programs will remove malicious registry entries for you. However, even the most powerful spyware removers might be unable to get rid of certain threats. The reason is simple: security software vendors cannot examine each new pest immediately after it appears in the wild, and new pests appear almost every day. Anti-spyware tools rely on spyware definition databases. A few advanced products can find unknown suspicious files, but unknown harmful registry entries often stay unrecognized. This is why you need to know how to manually edit the Windows registry. But you have to be extremely careful: one inappropriate value, a mistyped registry key or another small mistake in the registry may damage installed software and even corrupt the entire system! Do not modify the registry if there is no real need to!
The following guide explains in detail how to manually remove malicious registry entries.
Back up the Windows registry before editing it, so that you can quickly restore it later if something goes wrong. Please read the article Backing up and restoring the Windows registry to learn more. Remember, this step is very important!
Launch the Registry Editor. Press the Start button and then click Run. Type in regedit into the Open: field. Then click on the OK button.

Image 1. Open the Registry Editor
This program consists of two panes. Use the left pane (on Image 2 it is designated by the red box) to navigate to a certain registry key. In the right pane (the blue box) you will see the values that belong to the selected key.

Image 2. The Registry Editor
To edit a value, right-click on it and select the Modify option (on Image 3 it is designated by the red box) from the menu that appears.

Image 3. Select the value
You can also double-click on the value with your left mouse button or use the Edit menu (on Image 3 it is in the blue box). Type in the preferred value in the window that appears and click OK. The same action can be performed with any other value or registry key.

Image 4. Edit the value
Perform the same sequence of actions as just described in order to delete a value or a registry key. However, this time select the Delete option (on Image 5 it is in the red box) instead of Modify.

Image 5. Delete the value
To add a new registry key or a new value, click on the Edit menu, select New and choose a type for the entry.

Image 6. Add the new value
You can export any key or value from the registry to a file of your choice. Right-click on the object and select Export (on Image 7 it is in the red box).

Image 7. Export the value
Enter a file name. Exported registry files should have the .reg extension.

Image 8. Export registry entries to a file
You can also import a certain value or a key. Click on the File menu and select Import. Then choose the file containing objects you want to import.

Image 9. Import registry entries
If after modifying the registry something goes wrong, you can restore the registry from a backup. Read the article Backing up and restoring the Windows registry to learn more.
If you do not know how to perform the described actions, you are not certain why you have to do some of the steps, or the above guide is too difficult for you, feel free to try our recommended automatic spyware removers.
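The export step above produces a plain-text .reg file, which is a convenient thing to inspect before deleting anything. The following is an added example, not a tool from this guide or its site: it parses an exported .reg file, compares the Winlogon Shell and Userinit values with their defaults, and lists the Run/RunOnce autostart entries, flagging any whose target is in a directory an installer would not normally use. The default values (a Windows XP layout in C:\WINDOWS), the directory heuristic in suspect_dir() and the sample export (which includes the Shell and Run entries described earlier on this page, plus a constructed Userinit entry) are assumptions of the example.

```python
"""Triage of a Registry Editor export (.reg file). Added example, not part of the guide."""
import re

DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"        # assumption: XP in C:\WINDOWS
WINLOGON_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"

# A value line looks like "Name"="data"; string data escapes " as \" and \ as \\ .
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=("((?:[^"\\]|\\.)*)"|.*)$')


def unescape(s):
    """Undo .reg string escaping."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}}. String data is unescaped; other types are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                data = unescape(m.group(3)) if m.group(3) is not None else m.group(2)
                keys[current][unescape(m.group(1))] = data
    return keys


def target_of(command):
    """Executable an autostart command launches: the quoted path, or the text before the first switch."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def suspect_dir(path):
    """Heuristic (assumption): autostart targets in the drive root, in %SystemRoot% itself,
    in a Startup folder, in Temp or under a profile's Local Settings deserve a look."""
    directory = path.lower().rsplit("\\", 1)[0]
    if directory in ("c:", "c:\\windows"):
        return True
    return any(marker in directory for marker in ("\\startup", "\\temp", "\\local settings"))


def triage(text):
    """Return findings as (key, value_name, data, reason) tuples."""
    findings = []
    for key, values in parse_reg(text).items():
        lkey = key.lower()
        if lkey == WINLOGON_KEY:
            shell = values.get("Shell", DEFAULT_SHELL)
            if shell.strip().lower() != DEFAULT_SHELL:
                findings.append((key, "Shell", shell, "Winlogon shell replaced (default is explorer.exe)"))
            userinit = values.get("Userinit", DEFAULT_USERINIT + ",")
            for entry in (p.strip() for p in userinit.split(",") if p.strip()):
                if entry.lower() != DEFAULT_USERINIT:
                    findings.append((key, "Userinit", entry, "extra program chained into Userinit"))
        elif lkey.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values.items():
                target = target_of(data)
                if suspect_dir(target):
                    findings.append((key, name, target, "autostart target in an unusual directory"))
    return findings


# Constructed sample export: the Shell and Run entries described on this page, a constructed
# Userinit entry, a normal ctfmon.exe entry and a constructed WiniBlueSoft entry under Program Files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="killer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\smss.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"runonce"="c:\\windows\\smss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WiniBlueSoft"="\"C:\\Program Files\\WiniBlueSoft Software\\WiniBlueSoft\\WiniBlueSoft.exe\" /min"
"""

if __name__ == "__main__":
    for key, name, data, reason in triage(SAMPLE_REG):
        print("%s\n  %s = %s\n  -> %s" % (key, name, data, reason))
```

Entries that are merely unusual, like the WiniBlueSoft one under Program Files, are not flagged by location; the point of the listing is that every Run entry is in front of you before you touch regedit, and anything that is flagged can be checked against the export rather than deleted from memory.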
Table of contents.
Introduction
I. Find the process and try terminating it
+ Alternative steps for finding and terminating the process
II. Locate the malicious file and try deleting it
III. Using Pocket KillBox for removal of difficult malware
INTRODUCTION
Processes
Each program is a collection of files. To start the program you launch an executable file that runs the entire program or some of its components.
When you launch an executable, part of its code is loaded into the computer's memory. This code is the process. It allows the system to run the corresponding program. In simple terms, every running program is represented by its main process (or task). If no such process exists, the application is not running at the moment.
Parasites are programs and also have processes. However, unlike regular software, their processes run without the user's knowledge. You cannot terminate a parasite like a common application by simply closing its window. That's why you have to learn how to kill malicious processes.
Files
Each program consists of files. Even spyware, a virus or a different parasite - all have their own files. Removing a parasite often means deleting all its files. However, some files cannot be easily erased. You cannot delete the file while it’s used by an active application. Furthermore, some files are "invisible".
Imagine the situation: your anti-spyware program keeps detecting a parasite, and you know where its files reside. You open the corresponding folder, but see nothing in there! The parasite continues performing malicious actions and its files remain in that "empty" directory. You wonder how this happens?
Files can really be "invisible". However, it’s not their exceptional feature - the operating system simply hides them from you. Such OS behavior can be a result of recent malware activity. Fortunately, there are several ways to make your system display such files, and thus allow you to delete them.
This guide describes manual process termination methods. These methods can be applied to all modern Windows operating system versions. The following instructions also explain how to find a file, make it visible (in case it's hidden) and completely remove it from the system. This information is also fully applicable to folders (directories).
INSTRUCTIONS
I. Find the process and try terminating it
1. Start Windows Task Manager
Use the following key combination: press CTRL+ALT+DEL or CTRL+SHIFT+ESC. This will open the Windows Task Manager.
If that didn’t work, try another way. Press the Start button and click on the Run… option. This will start the Run tool. Type in taskmgr and press OK. This should start the Windows Task Manager.

Image 1. Start the Task Manager
2. Find and terminate the process
Within the Windows Task Manager click on the Processes tab (it is in the red box). This will bring up the complete list of all active tasks. Find the process by name. Names are in the first column from the left. Click on the Image Name button (it is designated by the blue box) to sort tasks in alphabetical order. Then scroll the list to find the required process. Select it with your mouse or keyboard and click on the End Process button (in the green box). This will kill the process.

Image 2. Terminate the process
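Task Manager's Processes tab shows only the image name, which is exactly what the dropper described earlier on this page relies on: its smss.exe in C:\Windows and lsass.exe in the Startup folder carry the names of real Windows processes. The following is an added example, not part of this guide, of the check a practitioner wants before ending a process: it parses the CSV output of `wmic process get Name,ExecutablePath /format:csv` (a real command; the sample output here is constructed) and reports every process whose name belongs to a core Windows binary but whose path is not the directory that binary lives in, plus anything else running straight from the Windows directory. The expected-directory table, the short allowlist and the assumption that Windows is installed in C:\WINDOWS are the example's own.

```python
"""Spotting core Windows process names running from the wrong place. Added example."""
import csv
import io

SYSTEM32 = "c:\\windows\\system32"
# Core Windows processes and the directory each legitimately runs from (assumption: XP layout).
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "lsass.exe": SYSTEM32, "services.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": "c:\\windows",
}
# Programs that legitimately sit directly in C:\Windows (short allowlist, assumption).
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}


def normalize(path):
    """Lower-case the path and expand the \\SystemRoot prefix wmic reports for the real smss.exe,
    so that the genuine process is not reported as a masquerade."""
    p = path.lower()
    if p.startswith("\\systemroot"):
        p = "c:\\windows" + p[len("\\systemroot"):]
    return p


def parse_wmic_csv(text):
    """Yield (name, path) pairs from wmic CSV output (blank first line, Node column first)."""
    for row in csv.DictReader(io.StringIO(text.lstrip())):
        yield row["Name"], row["ExecutablePath"] or ""


def masquerading(processes):
    """(name, path, expected_dir) for processes using a core name from another directory.
    Processes with no reported path (e.g. System) cannot be judged and are skipped."""
    hits = []
    for name, path in processes:
        expected = EXPECTED_DIR.get(name.lower())
        if expected is None or not path:
            continue
        if normalize(path).rsplit("\\", 1)[0] != expected:
            hits.append((name, path, expected))
    return hits


def from_windows_root(processes):
    """(name, path) for processes running straight from C:\\Windows that are neither on the
    allowlist nor core names (those are handled by masquerading()); worth a manual look."""
    return [(name, path) for name, path in processes
            if normalize(path).rsplit("\\", 1)[0] == "c:\\windows"
            and name.lower() not in WINDOWS_ROOT_OK
            and name.lower() not in EXPECTED_DIR]


# Constructed sample in the shape wmic prints: genuine system processes, the dropper's
# smss.exe / lsass.exe copies from this page, and its killer.exe in the Windows directory.
SAMPLE_WMIC = r"""
Node,ExecutablePath,Name
PC-XP,,System
PC-XP,\SystemRoot\System32\smss.exe,smss.exe
PC-XP,C:\WINDOWS\system32\csrss.exe,csrss.exe
PC-XP,C:\WINDOWS\system32\lsass.exe,lsass.exe
PC-XP,C:\WINDOWS\Explorer.EXE,explorer.exe
PC-XP,C:\WINDOWS\smss.exe,smss.exe
PC-XP,C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe,lsass.exe
PC-XP,C:\WINDOWS\killer.exe,killer.exe
"""

if __name__ == "__main__":
    procs = list(parse_wmic_csv(SAMPLE_WMIC))
    for name, path, expected in masquerading(procs):
        print("MASQUERADE %-12s %s (expected in %s)" % (name, path, expected))
    for name, path in from_windows_root(procs):
        print("REVIEW     %-12s %s" % (name, path))
```

Ending the genuine smss.exe, csrss.exe or lsass.exe will crash or reboot Windows, so the path check matters: the two hits above are the copies in C:\WINDOWS and in the Startup folder, while the real ones in System32 are left alone.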
+Alternative steps for finding and terminating the process
II. Locate the malicious file and try deleting it
Let's assume you know the file name or at least a part of it. In that case run the default Windows search tool: Start > Search > For Files and Folders. Type the file name or part of it into the search field. Specify the search location. For better results select "Look in: Local Hard Drives" or "Look in: My Computer". Now start searching. The file should appear in the search results.

Image 6. Search for the file
If you have no idea how the file name is spelled but you know where it could possibly be, then you should try finding the file manually. Most parasites attempt to hide their tracks, so you will have to enable the display of hidden and system-protected files. Open Windows Explorer. Click on the Tools menu and select Folder Options.

Image 7. Make hidden files visible
Choose the View tab. In the Advanced Settings list find the option Show hidden files and folders (on Image 8 it is designated by the red box) and select it. Then remove a checkmark next to the line Hide protected operating system files (Recommended) (in the blue box).

Image 8. Change view settings
Some files may still be invisible. To see them, launch the Command Prompt. Press the Start button and then select Run. This should open the Run dialog. Type in cmd and press Enter or click on the OK button.

Image 9. Open the Command Prompt
Type in dir /A name_of_the_folder to the console. This will list all the files that reside in that folder. Hidden files will also be displayed.

Image 10. View folder content
Simply delete the file using the Windows Explorer or any other program that you use to browse the file system. Don’t forget to empty the Recycle Bin. If an error message appears saying that file is in use and cannot be removed, try terminating the associated process and then delete the file. To do this you will have to open the Windows Task Manager (press CTRL+ALT+DEL or CTRL+SHIFT+ESCAPE). Then in the Processes tab select the corresponding process and click on the End Process button.
However, some processes will restart immediately after you terminate them. In that case you have to reboot your system into Windows Safe Mode (this tutorial article explains how to do this). In this mode many system services are disabled and programs do not run automatically on startup. Practically any file can then be easily removed.
The malicious file can also be deleted from the Command Prompt. Open the Command Prompt and navigate to the folder, where the harmful file is. To do this issue the following command: cd name_of_the_folder. Then invoke this command: del name_of_the_file. To delete the folder use another command: rmdir /S name_of_the_folder.

Image 11. Delete the folder from the Command Prompt
III. Using Pocket KillBox for removal of difficult malware
Sometimes malicious files cannot be deleted normally or even after entering into Safe Mode. Sophisticated parasites use integrated rootkits and special techniques in order to lock their files and prevent them from being deleted. Usually, such files run processes that cannot be terminated by the Task Manager. In such cases specially designed third-party tools should be used. One of them is Pocket KillBox, a tiny, but priceless utility designed for terminating harmful processes, deleting malicious files and folders containing malware.
If the above steps did not help you to delete a parasite file or kill its process, please do the following.
1. Download Pocket KillBox
This tool is absolutely free. You can get it either from the official web site, or from one of the trusted distributor sites such as Bleeping Computer.
There is no need to install the tool. Pocket KillBox comes as a single executable file. Just unpack it (if you downloaded Pocket KillBox as an archive) and run the downloaded file. This will launch the utility.
2. Delete the file
Type in the full path of the file you want to delete as shown on Image 12. Make sure that the Standard File Kill option is selected (it is designated by the blue box). Then click on the Delete file button (it is designated by the green box).

Image 12. Delete the file with KillBox
As parasites become more complex and sophisticated, there is always a possibility that even Pocket KillBox or a similarly powerful tool may fail to remove certain files. In that case it is highly recommended to repeat the removal procedure in Windows Safe Mode (this tutorial explains how to restart your system into it).
If the file cannot be deleted in Safe Mode too, repeat the removal once again, but this time select the Delete on Reboot option instead of Standard File Kill. Then restart your computer. Pocket KillBox will attempt to delete the file on next system startup.
If the process or file is still present, if you do not know how to follow steps above, if you are not sure why you have to do certain tasks, or the above guide is too difficult for you, feel free to try our recommended automatic spyware removers. You can also ask for help in our free spyware removal forum.
WiniBlueSoft is a fake anti-spyware remover. WiniBlueSoft creates many fake malware files on the user's computer, usually in the C:\Windows and C:\Windows\System32 folders. Those files are actually innocuous and were made only to scare the user. The main goal of WiniBlueSoft is to make the user believe that his computer is badly infected and to offer a paid removal service.
"Windows Security Alerts
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of WiniBlueSoft and remove spyware threats from your PC."
"Infiltration Alert!
Your computer is being attacked by an Internet Virus. It could be a password-stealing attack, a trojan-dropper or similar."
WiniBlueSoft snapshot:

WiniBlueSoft manual removal
Kill processes:
- WiniBlueSoft.exe
- 13951spzmb9t5a2.exe
- 14041hackt5zl99.exe
- uninstall.exe
- 19524spyze9.exe
- 19991not-a-v5rzs1c9.exe
- 19z43hacktoo965f.exe
HELP: how to kill malicious processes
Delete registry values:
HKEY_CURRENT_USER\Software\WiniBlueSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WiniBlueSoft
HKEY_LOCAL_MACHINE\SOFTWARE\WiniBlueSoft
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "setup2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WiniBlueSoft"
HELP: how to remove registry entries
Unregister DLLs:
- 111znot-a-v5rus998.dll
- 11797tzoj595.dll
- 12946sz5mbot79c.dll
- 129cvir1z58.dll
- 12bbszy5ar91941.dll
- 19945hzcktool65b.dll
HELP: how to unregister malicious DLLs
Delete files:
- always_skip.xml
- data.bin
- License.txt
- main_config.xml
- uninstall.exe
- WiniBlueSoft.exe
- WiniBlueSoft.lnk
- Homepage.lnk
- Uninstall.lnk
- WiniBlueSoft.lnk
- 102959roz2b45.ocx
- 10325virusz955.ocx
- 10355h9eat227z2.cpl
- 111znot-a-v5rus998.dll
- 115z1vi9us3e85.ocx
- 11797tzoj595.dll
- 1197addwaze16915.ocx
- 127b95ief305z.ocx
- 12946sz5mbot79c.dll
- 129cvir1z58.dll
- 12bbszy5ar91941.dll
- 13323w95mz1b.ocx
- 135zvir1929.cpl
- 1393z5or9df.ocx
- 13951spzmb9t5a2.exe
- 14041hackt5zl99.exe
- 19199hackt5zl7a1.bin
- 19524spyze9.exe
- 19544spy6fbz.ocx
- 19945hzcktool65b.dll
- 19991not-a-v5rzs1c9.exe
- 19z43hacktoo965f.exe
- 1a59dow9lozder1735.ocx
- 1b20z9a5se2186.bin
HELP: how to remove harmful files
Delete directories:
c:\Program Files\WiniBlueSoft Software
c:\Program Files\WiniBlueSoft Software\WiniBlueSoft
c:\Documents and Settings\All Users\Start Menu\Programs\WiniBlueSoft
Many people are pulling their hair out because their computers don't seem to work the way they want them to. For some reason, their PCs seem to have a life of their own. Chances are, their computer systems have already been infected with spyware or malware without them realizing it. So what exactly are spyware and malware, and why are they a hair-pulling experience for the user?
Spyware is a type of application that is installed on the computer system without the user's knowledge. It is meant to operate secretly, because the primary function of spyware is to obtain information from your computer without your permission. That is tantamount to stealing. For example, you could have spyware on your computer sending out private and confidential information about your internet surfing activities, your online banking passwords and credit card numbers. Usually, it doesn't impede the use of the computer, but it can slow your computer down if the infection is heavy. But when passwords, email accounts and other information, including your personal data, get stolen, that is when the hair pulling starts.
Malware, like spyware, is also usually installed on the computer system without the user's permission. How can this happen? Malware can embed itself in an innocent-looking application (e.g. a game), and the unsuspecting user installs the game on the computer. All the while, the user thinks that only the game is being installed, when in reality it is the game AND the malware. So what can malware do to the computer?
The term malware actually comes from two words: malicious and software. In other words, malware is short for malicious software. And that tells you something about the behavior of malware: you can expect it to behave maliciously. Behaving maliciously means that it is going to actively cause damage to your computer system. Unlike spyware, which just sits there and grabs data unobtrusively, malware actually creates havoc on your computer. For example, it may erase important registry entries or attempt to format your hard disk. The damage is sometimes irreparable, and it can amount to a lot of money if important data is lost.
So how do you prevent spyware and malware from inflicting damage on the system?
There are many ways to do this. As the end user, it's always wise to install some kind of firewall for protection. Windows already comes with its own firewall, but it has limited features. You can try something more feature-rich like McAfee or Norton. Usually, such security software also comes with a resident shield and anti-virus software. The resident shield helps to prevent malware or spyware from being installed in the first place: if you attempt to install a suspicious piece of software, the shield will warn you. But in the event that a piece of malware still manages to get installed on the computer, then the anti-virus is needed to scan and clean the computer.
Ultimately, it comes down to the end user. If you choose to ignore warnings from the security software, you can still find yourself with a spyware- or malware-infested PC. So keep yourself updated with the latest computer security news, and be a smart computer user.
Article Source: ArticlesBase.com - What is Spyware and Malware? and Risk of Data Theft
Spybot-S&D! - can detect and remove spyware of different kinds from your computer.
Windows Defender - a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.
Ad-Aware 2007 Free - provides you with advanced protection against spyware that secretly attaches and takes control of your computer, resulting in aggressive advertising pop-ups, sluggish computer activity, even identity theft through stolen bank details, passwords, and credit card account numbers.
SUPERAntiSpyware - is the most thorough scanner on the market. Our Multi-Dimensional Scanning and Process Interrogation Technology will detect spyware that other products miss!
Prevx - PREVX 2.0 is the most powerful security solution in the World. It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of Malware and Crimeware.
CounterSpy - It’s a powerful Anti-Spyware tool that does not bog down your PC.
SpyCatcher Express - SpyCatcher Express protects all Web surfers by providing the safest and most advanced antispyware solution available as a free service.
Trend Micro CWShredder - Trend Micro CWShredder is the premier tool to find and remove traces of CoolWebSearch, the name for a wide range of insidious browser hijackers, from your PC. CWShredder removes these browser hijackers. CoolWebSearch installs dozens of bookmarks, mostly to porn Web sites, on your desktop, changes your home page without asking, and continually changes it back if you attempt to correct it. Furthermore, it significantly slows down the performance of your PC, and introduces modifications which cause Microsoft Windows to freeze, crash or randomly reboot.
RogueRemover - RogueRemover is a utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities. Rogue applications are applications that rather than remove spyware, provide false positives, distribute malware or spyware, advertise, or provide useless uninstallers. The main point is that rogue applications are useless and eat up system resources.
Spycar - Spycar is a suite of tools designed to mimic spyware-like behavior, but in a benign form. Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool.
ClamWin Free Antivirus - ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.
Avira AntiVir PersonalEdition Classic - Protection and security against viruses, worms, Trojans, dialers & more for Windows 2000/XP/Vista 32Bit and 64Bit.
AVG Anti-Virus Free Edition - AVG Free is the most popular free solution available at no cost to home users.
Comodo AntiVirus - Includes on demand & on access scanning, email scanning, process monitoring, worm blocking and host intrusion prevention
McAfee VirusScan Plus Special edition from AOL - Gives you the most comprehensive free set of safety tools available, but with an aol.com email address.
UnityPro AV Tester - This freeware program allows you to SAFELY test your realtime Anti-Virus protection with a simple click of the button. Using the EICAR test pattern, AV Tester decrypts the test pattern in memory and attempts to write a file to the same folder where AV Tester is installed. If your Anti-Virus solution is watching, it will almost immediately go off, proving it is functioning properly.
PC Tools AntiVirus - PC Tools AntiVirus Free Edition provides world-leading protection, with rapid database updates, IntelliGuard™ real-time protection and comprehensive system scanning to ensure your system remains safe and virus free.

Few things are more frustrating than trying to delete a file only to discover your system says it’s locked or in use when you know it shouldn’t be. The annoying error messages come in several flavors.
Cannot delete file: Access is denied
Cannot delete folder: There has been a sharing violation
Cannot delete file: It is being used by another person or program
Cannot delete folder: Make sure the disk is not full or write-protected and that the file is not currently in use.
Unfortunately most malware files are locked and cannot be deleted or renamed. MoSo Anti-Malware Force Delete Utility is the solution: it works at the hardware level, can delete locked files easily, and it is completely free and will always remain free.
It is also very easy to use: just drag files into the edit box and click "delete" to force-delete them.
Delete Locked trojan file :

The worm, which has infected millions of computers worldwide, displays warning messages claiming that the PC has been infected, according to the report. Infected machines may suffer from slow computer performance sometimes resulting in the need for an overall computer repair.
According to the report, in the presented message the creators of the Conficker ask computer users to pay some $50 to clean the “infected” system. One of the main concerns is that people will be tempted to deliver their credit card information.
TrendMicro experts said in a separate release that they have also discovered a new variant of the Conficker. They added that this may indicate that cyber criminals behind the notorious worm are planning more serious attacks.
They said that the new variant, WORM_DOWNAD.E, runs using a random file name and random service name. The malicious software connects to well-known sites such as Myspace, MSN, eBay, CNN and AOL.
reimage®, founded in 2007, makes old PCs work like new, employing unique, patent-pending technologies.
http://www.zdnetasia.com/news/security/0,39044215,62053082,00.htm
http://trendmicro.mediaroom.com/index.php?s=43&item=706
Articles via reimage.com
The jwgkvsq.vmx is a worm-type virus which spreads via USB/portable drives and through the network. It also creates an autorun.inf file on your USB device, as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I'm not sure if this is an old virus, but it seems it's been spreading a lot lately. Most anti-virus programs don't detect it, and those that do can't remove it.
It is also known as:
It exploits Microsoft Windows vulnerability:
Side-effects
Now let's go back to the topic. Remember that this guide will only help you remove the jwgkvsq.vmx virus.
Now let's start…
Removing the jwgkvsq.vmx virus from your computer
Removing the jwgkvsq.vmx virus from your USB device
Just in case the virus registered itself in the registry: open the Run dialog box from the Start menu, then type regedit. Then search for the file name jwgkvsq.vmx. If you find an entry, just press DEL to delete it.
If your computer is in a network, better check all the other computers connected to it. Also download and install the automatic update (Microsoft vulnerability) which I've posted at the beginning of this post.
In extreme cases, your computer won't initiate Safe Mode, and after using the removal tool above your system may report a missing .dll file or something similar.
Credits (and for reference) to these two sites:
For any additional support or inquiry regarding this problem, just leave a comment here, and I'll reply as soon as I can.
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008
Here is a quick step to remove this virus from your computer, and from your USB devices.
http://tuxvoid.blogspot.com/
http://arpeex.blogspot.com/
First One:
I found this tutorial on cleaning your USB drives manually very helpful; it shows all those hidden batch files that run every time you plug in your USB flash drives.
Article Source: ArticlesBase.com - Clean Your Infected Flashdrives Manually
One of the ways a virus can infect your PC is through USB/pen drives. Common viruses such as 'Ravmon', 'New Folder.exe' and 'Orkut is banned' spread through USB drives. Most anti-virus programs are unable to detect them, and even if they do, in most cases they cannot delete the file, only quarantine it. Here are the things you can do to remove such viruses from your USB drives.
Whenever you plug a USB drive into your system, an AutoPlay window will appear similar to the one shown below.
Don't click OK; choose 'Cancel' instead. Open the Command Prompt by typing cmd in the Run box. In the command prompt, type the drive letter followed by a colon and press Enter. Now type dir /w /a and press Enter.
This lists the files on the pen drive, including hidden and system files. Check whether the following files are present:
* Autorun.inf
* Ravmon.exe
* New Folder.exe
* svchost.exe
* Heap41a
* or any other exe file which may be suspicious.
If any of the above files are present, the USB drive is probably infected. In the command prompt type attrib -r -a -s -h *.* and press Enter. This removes the Read-only, Archive, System and Hidden attributes from all the files. Now delete the files using the command del filename, for example del Ravmon.exe. Delete all the files that are suspicious. To be on the safe side, scan the USB drive with an anti-virus program to confirm it is clean. Now remove the drive and plug it in again. In most cases the real culprit turns out to be the Autorun.inf file, which is executed when someone clicks OK in the dialog window shown above; that is how the infection spreads.
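The same triage the manual procedure above performs by hand, written as an added example for this page (not code from the article or its source): it parses an autorun.inf the way Windows reads it (an INI-style file whose open=, shellexecute= and shell\verb\command= directives name what AutoPlay would launch) and checks the drive's file names against the indicator list above. The drive listing and autorun.inf contents are constructed for the demo; triage_drive() runs the same logic against a real drive root.

```python
import os
import re

# Names the article lists as common USB-borne malware, plus autorun.inf itself.
SUSPICIOUS_NAMES = {"autorun.inf", "ravmon.exe", "new folder.exe", "svchost.exe", "heap41a"}
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".pif")

# autorun.inf directives that make AutoPlay launch something:
# open=, shellexecute=, and shell\<verb>\command=.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return [(directive, target), ...] for every launch directive in the
    [autorun] section.  Keys and the section name are case-insensitive, so
    both are lower-cased before matching."""
    targets = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\.+\\command", key):
            targets.append((key, value))
    return targets


def triage(file_names, autorun_text=""):
    """Report what the manual procedure would flag: known indicator names,
    other executables at the drive root, and anything autorun.inf would
    launch when the user clicks OK."""
    findings = []
    for name in file_names:
        lower = name.lower()
        if lower in SUSPICIOUS_NAMES:
            findings.append(f"known indicator: {name}")
        elif lower.endswith(EXECUTABLE_EXTS):
            findings.append(f"unexpected executable: {name}")
    for key, value in parse_autorun(autorun_text):
        findings.append(f"autorun would launch via {key}: {value}")
    return findings


def triage_drive(root):
    """Run the triage against a real drive root (e.g. 'E:/' on Windows).
    os.listdir returns hidden and system files too, like dir /a."""
    names = os.listdir(root)
    inf = os.path.join(root, "autorun.inf")
    text = ""
    if os.path.isfile(inf):
        with open(inf, "r", errors="replace") as fh:
            text = fh.read()
    return triage(names, text)


# Constructed sample of an infected drive root; not a real capture.
SAMPLE_LISTING = ["Autorun.inf", "RECYCLER", "Photos", "report.docx", "New Folder.exe", "Heap41a"]
SAMPLE_AUTORUN = """[autorun]
; constructed sample for the demo
open=New Folder.exe
shell\\open\\command=New Folder.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LISTING, SAMPLE_AUTORUN):
        print(line)
```

Reading the autorun.inf before clicking anything is the point: the action= line is the friendly text the AutoPlay dialog shows, while open= is what actually runs, so the two can disagree.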
Security Tip
Disable the AutoPlay feature for USB drives. With AutoPlay disabled there is less chance of the virus spreading. A tool which can do this is Tweak UI; download and install it.
Run the program; you can then disable AutoPlay for removable drives as shown above. By following the above steps you can keep your USB drives clean. If there are any other methods which you use, share them with me through the comments.
Second:
Or the easy way (no software needed, just remember the process):
Open My Computer > Tools > Folder Options.
Click on the View tab and check "Display the contents of system folders".
Under "Hidden files and folders" select "Show hidden files and folders", then uncheck "Hide protected operating system files (Recommended)".
Click Apply > OK.
Now you can view all the files on your removable drives.
Precautions:
Every time you plug in a removable drive, do not, I mean do not, just click OK on the AutoRun prompt of Windows Explorer. Chances are that if you click OK, the autorun program used by the virus and the scripts on your removable drive (e.g. Autorun.inf, Ravmon.exe, New Folder.exe, svchost.exe) are executed, and the files named above are then infecting your PC without your knowledge.
To avoid this, cancel the Explorer AutoRun window, go to your desktop (assuming you have plugged in your removable drive), right-click My Computer and choose Explore. In the left pane of Windows Explorer, click on your removable drive and there you go: you can now see the suspicious files inside it. Manually delete them all.
But the best way is to get an antivirus (e.g. ESET or AVIRA) and scan your removable drive for viruses.
Third:
One of the easy ways to stop AutoRun on your machine (Windows XP Pro only)
is to use the Group Policy editor.
Assuming that you are the Administrator of your machine!
Go to "Run", type "gpedit.msc" and click "OK".
In the Group Policy window expand "User Configuration".
Expand "Administrative Templates" and click on "System".
In the right pane, scroll down and double-click "Turn Off AutoPlay".
Click "Enable" and in the drop-down menu choose "CD-ROM" or "All Drives".
Good Luck!
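The Group Policy setting above is stored as a bitmask, so a quick way to confirm that the change took effect (or to audit a machine where nobody remembers what was set) is to decode that value. The following is an added example written for this page, not part of the original post: it decodes the NoDriveTypeAutoRun value (one bit per Win32 drive type; 0xFF is "all drives") and, on Windows, reads it from the registry path Group Policy writes to. The sample values in the usage are constructed.

```python
import sys

# Bit n of NoDriveTypeAutoRun turns AutoPlay off for the drive type whose
# Win32 GetDriveType() number is n (DRIVE_UNKNOWN = 0, DRIVE_REMOVABLE = 2,
# DRIVE_CDROM = 5, ...).  0xFF therefore means 'all drives'.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB, floppy)",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REG_VALUE = "NoDriveTypeAutoRun"


def decode_autorun_policy(value):
    """Split a policy value into (disabled, still_enabled) drive-type names."""
    disabled = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]
    return disabled, enabled


def removable_autoplay_blocked(value):
    """True only when both removable drives and CD-ROMs have AutoPlay off,
    which is what the USB advice on this page is after."""
    return bool(value & 0x04) and bool(value & 0x20)


def read_policy_value(per_machine=False):
    """Read the value Group Policy writes.  User Configuration (the path in
    the steps above) lands under HKCU; Computer Configuration under HKLM.
    Returns None when the value is absent or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if per_machine else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, REG_PATH) as key:
            value, _ = winreg.QueryValueEx(key, REG_VALUE)
            return int(value)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    current = read_policy_value()
    if current is None:
        print("policy value not set (or not on Windows); AutoPlay uses the Windows default")
    else:
        disabled, enabled = decode_autorun_policy(current)
        print(f"NoDriveTypeAutoRun = 0x{current:02X}")
        print("AutoPlay disabled for:", ", ".join(disabled) or "nothing")
        print("AutoPlay still enabled for:", ", ".join(enabled) or "nothing")
        print("removable + CD-ROM blocked:", removable_autoplay_blocked(current))
```

A value that only clears the CD-ROM bit still leaves USB sticks, the carrier the articles above are concerned with, on AutoPlay; the check in removable_autoplay_blocked() insists on both bits.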
If users are truly worried about traditional (as opposed to e-mail) viruses, they should be running a more secure operating system like UNIX. One should never hear about viruses on these operating systems, because the security features keep viruses (and unwanted human visitors) away from the hard disk.
If users are using an unsecured operating system, then buying virus protection software is a sensible safeguard. Some popular anti-virus programs include:
•McAfee Virus Scan
•Norton Anti Virus
•Virex
•PC-cillin
•Avast!
•AVG Anti Virus System
Automatic protection in anti-virus software should be turned on at all times.
Users should perform a manual scan (or schedule a scan to run automatically) of their hard disks weekly. These scans supplement automatic protection and confirm that the computer is virus-free.
Scan all floppy disks before first use.
Disable floppy disk booting -- most computers now allow the user to do this, and it eliminates the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.
Users should enable the automatic update option of their anti-virus software so that its virus definition files stay current.
Users should create and maintain a rescue disk to facilitate recovery from certain boot viruses.
Periodic backups of the hard disk should be made.
Users should buy legal copies of all software they use and make write-protected backups.
E-mail messages and attachments from unknown people should not be opened. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and can do no damage (noting the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Further, it should be verified that the "author" of the e-mail really sent the attachment, since newer viruses can send e-mail messages that appear to be from a person the user knows.
Users should make sure that Macro Virus Protection is enabled in all Microsoft applications, and they should never run macros in a document unless they know specifically what the macros do.
Appropriate passwords should be assigned to shared network drives.
Things that are not viruses!
Joke programs
Joke programs are not viruses and do not inflict any damage. Their purpose is to frighten their victims into thinking that a virus has infected and damaged their system. For example, a joke program may display a message warning the user not to touch any keys or else the computer’s hard disk will be formatted.
Droppers
A dropper is a program that is not itself a virus, nor infected with one, but when run it installs a virus into memory, onto the disk, or into a file. Droppers are sometimes written as a convenient carrier for a virus and sometimes as an act of sabotage.
Hoaxes
There must be very few people on e-mail who haven't received a chain letter with a subject line warning of a virus doing the rounds. These are often hoaxes, meant to scare people and have fun at their expense. The warnings encourage the recipient to pass them on to other netizens, which creates unnecessary furor and clogs mailboxes, while the repeated forwarding lends the hoax an air of credibility.
Methodology of virus detection applied by antivirus software:
Three main methods exist for detecting viruses: integrity checking (also known as checksumming), behavior monitoring and pattern matching (scanning).
Integrity checking
Antivirus programs that use integrity checking start by building an initial record of the status (size, time, date, etc.) of every application file on the hard drive. Using this data, checksumming programs then monitor the files to see if changes have been made. If the status changes, the integrity checker warns the user of a possible virus.
However, this method has several disadvantages, the biggest being that false alarms are altogether too common. The records used by checksumming programs are often rendered obsolete by legitimate programs, which, in their normal course of operations, make changes to files that appear to the Integrity checker to be viral activity. Another weakness of integrity checking is that it can only alert the user after a virus has infected the system.
Behavior monitoring
Behavior monitoring programs are usually terminate-and-stay-resident (TSR) programs that constantly monitor requests passed through the interrupt table. These programs look for activities a virus might engage in: requests to write to a boot sector, opening an executable program for writing, or placing itself resident in memory. The behavior these programs monitor is derived from a user-configurable set of rules.
Pattern matching
Using a process called "pattern matching," the anti-virus software draws upon an extensive database of virus patterns to identify known virus signatures, or telltale snippets of virus code. Key areas of each scanned file are compared against the list of thousands of virus signatures that the anti-virus software has on record.
Whenever a match occurs, the anti-virus software takes the action the user has configured: Clean, Delete, Quarantine, Pass (Deny Access for Real-time Scan), or Rename.
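An added illustration of two of the three methods just described, integrity checking and pattern matching (example code written for this page, not taken from the article or from any antivirus product). File contents are passed in as a {name: bytes} mapping so it runs offline; the sample "disk", the tamper() step and the signature bytes are all constructed, and SHA-256 stands in for the simpler checksum the text mentions. The check_integrity() result also shows the false-alarm problem: a legitimately updated file lands in "modified" exactly like an infected one.

```python
import hashlib

# --- Integrity checking -------------------------------------------------
def build_baseline(files):
    """Record size and SHA-256 for every file: the 'initial record' the text
    describes, using a cryptographic digest rather than a plain checksum."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def check_integrity(baseline, files):
    """Compare the current files against the baseline.  Anything in
    'modified' is the 'possible virus' alert, which may equally be a
    legitimate update (the false-alarm weakness noted above)."""
    current = build_baseline(files)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


# --- Pattern matching ---------------------------------------------------
# Constructed signatures.  In a real product these are byte sequences taken
# from analysed samples, keyed by family name.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-SIG-A\x90\x90",
    "Demo.Marker.B": b"\xde\xad\xbe\xef\x41\x42",
}
ACTIONS = ("clean", "delete", "quarantine", "pass", "rename")


def scan_file(data, signatures=SIGNATURES):
    """Return the names of all signatures whose bytes occur in the file."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_files(files, action="quarantine", signatures=SIGNATURES):
    """Scan every file and attach the configured action to each hit."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    report = {}
    for name, data in files.items():
        hits = scan_file(data, signatures)
        if hits:
            report[name] = {"matches": hits, "action": action}
    return report


# Constructed sample 'disk': one clean program, one text file, one carrier.
SAMPLE_FILES = {
    "calc.exe": b"MZ\x90\x00" + b"\x00" * 64,
    "notes.txt": b"quarterly numbers",
    "game.exe": b"MZ" + b"\x00" * 16 + b"DEMO-SIG-A\x90\x90" + b"\x00" * 8,
}


def tamper(files):
    """Constructed 'later' view of the same disk: calc.exe has grown by a
    signature-bearing tail, notes.txt is gone, and a new DLL has appeared."""
    changed = dict(files)
    changed["calc.exe"] += b"\xde\xad\xbe\xef\x41\x42"
    del changed["notes.txt"]
    changed["new.dll"] = b"MZ"
    return changed


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    later = tamper(SAMPLE_FILES)
    print("integrity:", check_integrity(baseline, later))
    print("signatures:", scan_files(later))
```

The two methods are complementary: the integrity check notices that calc.exe changed without knowing why, and the signature scan names what was added but would miss a change it has no pattern for.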
Self Defense Mechanisms Evolved By Viruses
Virus authors naturally want their creations to survive. For this reason many viruses are outfitted with self-defense mechanisms against anti-virus systems.
Passive Defense :
Viruses use a variety of methods to hide themselves from antivirus programs. Passive defense uses programming methods which make analysis of the virus more difficult, e.g. polymorphic viruses, which were developed to counter scanners looking for constant strings of virus code.
Today antivirus systems are capable of analyzing polymorphic code and searching for virus identifiers in the decrypted body. The virus authors reacted by making the encryption so complex that antivirus software could not unravel it and thus mistook the virus for a clean program.
Active Self-defense :
Viruses actively defend themselves by protecting their own code or by attempting to damage antivirus software. A simple method is to locate antivirus software databases and amend or delete them.
More sophisticated resident viruses use stealth techniques. When they detect a request to use an infected file, they can temporarily "clean" it or report its original (uninfected) parameters. They can monitor which programs are being executed and react if it is antivirus software. The list of such reactions is endless. Usually, the execution of the antivirus program is refused, but it could be erased (often accompanied by a bogus error message) or the virus suspends its activities while it runs. There are occasionally extremely 'clever' viruses which modify the code of a specific AV program to partially disable it.
There are very rare viruses which treat an attempt to run an anti-virus program as a provocation and immediately reply with some revenge action, for example formatting the hard disk.
Trap
A trap is the most malicious form of self-defense and works as follows. Although the user's computer is infected, everything appears to work correctly. Once the user discovers the virus and removes it, things get complicated: programs no longer run properly, or the hard disk may become inaccessible even when booting from a clean system diskette.
The best known trap virus is One_Half. It continuously encrypts the data on a hard disk (two tracks on every boot). If it is removed from the partition sector before data files are decoded then some files will become inaccessible. At this stage the situation is serious but recovery of the data is still possible. However, if the user runs a disk utility (Scandisk etc.) to repair the damage then the data will almost certainly be lost forever.
These utilities are designed to repair relatively minor damage to file system and do not recognize the encrypted data.
Depending on the source of information, viruses may be categorized in the following ways:
PDA VIRUSES
The increasing power of PDAs has spawned a new breed of viruses. Maliciously creative programmers have leveraged the PDA's ability to communicate with other devices and run programs, to cause digital mayhem.
The blissfully safe world where users of these devices could synchronize and download with impunity came to an end in August 2000 with the discovery of the virus Palm Liberty. Since then, many more viruses have been discovered.
Though not yet as harmful as their PC-based cousins, these viruses still pose a threat to unsuspecting users. Their effects vary from the harmless flashing of an unwanted message or an increase in power consumption, to the deletion of all installed programs. But the threat is growing, and the destructiveness of these viruses is expected to parallel the development of the devices they attack.
MULTIPARTITE VIRUSES
A virus that combines two or more different infection methods is called a multipartite virus. This type of virus can infect both files and the boot sector of a disk. Multipartite viruses share some of the characteristics of boot sector viruses and file viruses: they can infect .com files, .exe files, and the boot sector of the computer's hard drive. On a computer booted from an infected diskette, the typical multipartite virus will first make itself resident in memory and then infect the boot sector of the hard drive. From there, the virus may infect a PC's entire environment. Not many forms of this virus class actually exist; however, they account for a disproportionately large percentage of all infections. Tequila and Anticad are examples of multipartite viruses.
BOMBS
The two most prevalent types of bombs are time bombs and logic bombs. A time bomb hides on the victim’s disk and waits until a specific date before running. A logic bomb may be activated by a date, a change to a file, or a particular action taken by a user or a program. Bombs are treated as viruses because they can cause damage or disruption to a system.
BOOT SECTOR VIRUSES
Until the mid-1990s, boot sector viruses were the most prevalent virus type, spreading primarily in the 16-bit DOS world via floppy disk. Boot sector viruses infect the boot sector on a floppy disk and spread to a user's hard disk, and can also infect the master boot record (MBR) on a user's hard drive. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the computer and accessed. Examples of boot sector viruses are Michelangelo, Satria and Keydrop.
Boot sector viruses work like this. Suppose the user receives a diskette with an infected boot sector, copies data from it, but forgets to remove it from drive A:. The next time the computer starts, the boot process executes the infected boot sector program from the diskette; the virus loads first and infects the hard disk. (This can be prevented by changing the boot sequence in the CMOS setup so that drive C: boots before A:.) By hiding in the first sector of a disk, the virus is loaded into memory before the system files, which lets it gain complete control of the DOS interrupts. In the process it replaces the original contents of the MBR or DOS boot sector with its own code and moves the original boot sector data to another area of the disk. Because the virus has infected a system area of the hard disk, it is loaded into memory each time the computer is started. It first takes control of the lowest-level disk services and then executes the original boot sector code, which it has stored in another part of the hard disk. The computer appears to behave exactly as it should; nobody notices the extra fraction of a second added to the boot sequence.
During normal operation the virus will happily stay in memory. Thanks to the fact that it has control of the disk services it can easily monitor requests for disk access - including diskettes. As soon as it gets a request for access to a diskette it will determine that there is a diskette in the floppy drive. It will then examine its boot sector to see if it has already been infected. If it finds the diskette clean it will replace the boot sector with its own code. From this moment the diskette will be a "carrier" and become a medium for infections on other PC's.
The virus will also monitor special disk requests for access to the boot sector. The boot sector contains its own code, and a request to read it could be from an anti-virus program checking for virus presence. The virus will not allow the boot sector to be read and will redirect all requests to the place on the hard disk where it has backed up the original contents. In this way nothing unusual is detected. Such methods are called stealth techniques and their main goal is to mask the presence of the virus. Not all boot viruses use stealth but those which do are common.
Boot viruses also infect the non-file (system) areas of hard and floppy disks. These areas offer an efficient way for a virus to spread from one computer to another. Boot viruses have achieved a higher degree of success than program viruses in infecting their targets and spreading.
Boot viruses can infect DOS, Windows 3.x, Windows 95/98, Windows NT and even Novell NetWare systems, because they exploit inherent features of the computer (rather than the operating system) to spread and activate.
Cleaning up a boot sector virus can be performed by booting the machine from an uninfected floppy system disk rather than from the hard drive, or by finding the original boot sector and replacing it in the correct location on the disk.
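The cleanup advice above relies on knowing what the original boot sector looked like, and the stealth discussion explains why reading it through an infected DOS is unreliable. An added example for this page (not code from the article): an MBR parser that checks the 55 AA boot signature and decodes the partition table, plus a baseline comparison that reports which region changed. An MBR virus typically rewrites the boot code and keeps the partition table intact, which is the pattern compare_mbr() makes visible. The two sectors below are constructed with build_sample_mbr(); read_mbr() reads a real one from a raw device, which needs administrator rights and must be done from a clean boot to defeat read-stealthing.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 446)        # bootstrap code the BIOS jumps into
PART_TABLE = slice(446, 510)     # four 16-byte partition entries
SIGNATURE = slice(510, 512)      # must be 55 AA for the BIOS to boot it


def parse_mbr(sector):
    """Decode the partition table and check the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        entry = sector[446 + 16 * index: 446 + 16 * (index + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": index, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": n_sectors})
    return {"signature_ok": sector[SIGNATURE] == b"\x55\xaa", "partitions": partitions}


def fingerprint(sector):
    """SHA-256 of the boot code only: the part an MBR virus replaces."""
    return hashlib.sha256(sector[BOOT_CODE]).hexdigest()


def compare_mbr(baseline, current):
    """Name the regions that differ from the saved baseline."""
    regions = (("boot_code", BOOT_CODE), ("partition_table", PART_TABLE), ("signature", SIGNATURE))
    return [name for name, region in regions if baseline[region] != current[region]]


def read_mbr(device):
    """Read the first sector of a raw device, e.g. '/dev/sda' on Linux or
    r'\\\\.\\PhysicalDrive0' on Windows (both need administrator rights)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code):
    """Constructed MBR for the demo: the given boot-code bytes plus one
    bootable FAT16 partition (type 0x06) at LBA 63 with 1,048,576 sectors."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 1048576)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


CLEAN_MBR = build_sample_mbr(b"constructed clean boot code")
TAMPERED_MBR = build_sample_mbr(b"constructed replacement boot code")

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("baseline fingerprint:", fingerprint(CLEAN_MBR))
    print("changed regions:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

Storing fingerprint() of a known-good sector on a write-protected rescue disk, as the advice earlier on the page recommends, gives the baseline that compare_mbr() needs.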
CLUSTER VIRUSES
This type of virus makes changes to a disk's file system. If any program is run from the infected disk, the program causes the virus to run as well. This technique creates the illusion that the virus has infected every program on the disk.
E-MAIL VIRUSES
These viruses are transmitted via e-mail messages sent across private networks or the Internet. Some e-mail viruses are transmitted as an infected attachment: a document file or program attached to the message. This type of virus runs when the victim opens the attached file. Other e-mail viruses reside within the body of the message itself; to carry a virus, the message must be encoded in HTML format. Once launched, many e-mail viruses attempt to spread by sending messages to everyone in the victim's address book, each of which contains a copy of the virus.
The latest thing in the world of computer viruses is the e-mail virus called Melissa, which surfaced in March 1999. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen and it forced a number of large companies to shut down their e-mail systems at that time.
The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.
The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.
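Both Melissa and ILOVEYOU arrived as attachments, and the advice earlier on this page draws the line between data files (.GIF, .JPG), macro-capable documents (.DOC, .XLS) and executables (EXE, COM, VBS). An added example for this page (not code from the article): a gateway-style attachment triage using Python's standard email module. It classifies each attachment by extension, catches the double-extension trick where a script is named to look like a text file, and builds its own constructed sample message so it runs offline.

```python
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".com", ".vbs", ".bat", ".cmd", ".scr", ".pif", ".js"}
MACRO_DOC_EXTS = {".doc", ".dot", ".xls", ".xlt"}
DATA_EXTS = {".gif", ".jpg", ".jpeg", ".txt", ".pdf"}


def classify_name(filename):
    """Apply the page's rule: executables can do anything, Office documents
    can carry macro viruses, the rest are data.  A data-looking extension
    directly before an executable one is flagged as a disguise."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and "." + parts[-2] in DATA_EXTS | MACRO_DOC_EXTS:
            return "executable disguised with a double extension"
        return "executable"
    if ext in MACRO_DOC_EXTS:
        return "macro-capable document (scan before opening)"
    return "data file"


def triage_message(raw):
    """Parse an RFC 822 message and classify every attachment in order."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(part.get_filename() or "(unnamed)", classify_name(part.get_filename() or ""))
            for part in msg.iter_attachments()]


def should_block(findings):
    """Block any message carrying an executable attachment, disguised or not."""
    return any(verdict.startswith("executable") for _, verdict in findings)


def build_sample_message():
    """Constructed three-attachment message for the demo (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Here is the document you asked for"
    msg.set_content("Hi! Open the attached file.")
    msg.add_attachment(b"constructed doc bytes", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"constructed script bytes", maintype="application",
                       subtype="octet-stream", filename="greeting.txt.vbs")
    msg.add_attachment(b"constructed image bytes", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_string()


if __name__ == "__main__":
    findings = triage_message(build_sample_message())
    for name, verdict in findings:
        print(f"{name}: {verdict}")
    print("block:", should_block(findings))
```

Classifying on the declared filename rather than the Content-Type is deliberate: the mail client decides what to run from the name, and the sender controls both headers anyway.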
FILE INFECTING VIRUSES
File infectors operate in memory and usually infect executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS. They activate every time the infected file is executed by copying themselves into other executable files and can remain in memory long after the virus has activated.
Thousands of different file infecting viruses exist, but as with boot sector viruses, the vast majority operate in a 16-bit DOS environment. Some, however, have successfully infected the Microsoft Windows, IBM OS/2 and Apple Macintosh environments.
File viruses can be separated further into sub-categories by the way they manipulate their targets:
TSR FILE VIRUSES
A less common type of virus is the terminate-and-stay-resident file virus. As the name suggests, these infect files, usually .com and .exe files. There are however some device driver viruses and some viruses that infect overlay files, and although over 99% of executable programs have the extension .com or .exe, some do not. For a TSR virus to spread, someone has to run an infected program. The virus then goes memory resident, typically looking at each program run thereafter and infecting it. Examples of TSR file viruses are Dark Avenger and Green Caterpillar.
OVERWRITING VIRUSES
These viruses infect by overwriting part of their target with their own code but, by doing so, they damage the file. The file will never serve another purpose other than spreading the virus further. Because of this they are usually detected quickly and do not spread easily.
PARASITIC VIRUSES
These viruses attach themselves to executables without substantially changing the contents of the host program. They attach by adding their code to the beginning, end, or even middle of the file and divert program flow so that the virus is executed first. When the virus has finished its job, control is passed on to the host. Execution of the host is a little delayed but this is usually not noticeable.
MACRO VIRUSES
Many older applications had simple macro systems that allowed the user to record a sequence of operations within the application and associate them with a specific keystroke. Later, the user could perform the same sequence of operations by merely hitting the specified key.
Newer applications provide much more complex macro systems. Users can write entire macro programs that run within the word processor or spreadsheet environment and are attached directly to word processing and spreadsheet files. Unfortunately, this ability also makes it possible to create macro viruses.
Macro viruses currently account for about 80 percent of all viruses, according to the International Computer Security Association (ICSA), and are the fastest-growing viruses in computer history. Unlike other virus types, macro viruses are not specific to an operating system and spread with ease via e-mail attachments, floppy disks, Web downloads, file transfers and cooperative applications.
Macro viruses are, however, application-specific. A macro virus is designed to infect a specific type of document file, such as Microsoft Word or Excel files. They infect the macro facilities that accompany such applications, which means a Word macro virus cannot infect an Excel document and vice versa. A macro virus is embedded in a document file, travels between data files of the application, and can eventually infect hundreds of files if undeterred, doing various levels of damage to data in the process, from corrupting documents to deleting data.
Macro viruses are written in "every man's programming language" -- Visual Basic -- and are relatively easy to create. They can infect at different points during a file's use, for example when it is opened, saved, closed or deleted.
A typical chronology for macro virus infection begins when an infected document or spreadsheet is loaded. The application also loads any accompanying macros that are attached to the file. If one or more of the macros meet certain criteria, the application will also immediately execute these macros. Macro viruses rely upon this auto-execution capability to gain control of the application’s macro system.
Once the macro virus has been loaded and executed, it waits for the user to edit a new document and then kicks into action again. It attaches its virus macros to the new document and then lets the application save the document normally. In this fashion the virus spreads to another file, and does so completely discreetly: users have no idea of the infection. If this new file is later opened on another computer, the virus will once again load, be launched by the application, and find other unsuspecting files to infect.
Finally, as far as a macro virus is concerned, the application serves as the operating system. A single macro virus can spread to any of the platforms on which the application is installed and running. For example, a single macro virus that uses Microsoft Word could conceivably spread to Windows 3.x, Windows 95/98, Windows NT and the Macintosh.
Macro viruses for Word
In the summer of 1995, Microsoft Word 6 was the first product affected by a macro virus. The first one (WM/Concept.A) was really only a proof of concept: one of the installed macros (called Payload) contained only this remark:
“That's enough to prove my point”
Most macro viruses for Word use a feature called 'automacros'. The basic principle is that some macros with special names are automatically executed when Word starts, opens a file, or closes a file. The macro virus then inserts macros into NORMAL.DOT - a standard template which is loaded every time Word starts.
In Word there are some ways to disable automacros but this isn't the ultimate solution. Some macro viruses use other methods to take control over the Word environment.
Another method of self-protection may be to set NORMAL.DOT to read-only. But this can also be bypassed and, in addition, it prevents the user from customizing the template.
Macro viruses for Excel
Excel has the same opportunities for virus authors as Word. It has automacros and a directory called XLSTART from which templates are automatically loaded.
But Excel does not have just normal VBA macros like Word. In Excel there are so called 'formulas' - macros stored in spreadsheet cells. The first macro virus using this technology was XF/Paix.
Macro viruses for other MS Office products:
Writing a macro virus for other Office products is not difficult. There have already been some viruses for Access, and macro viruses for PowerPoint are expected in the near future.
But those macro viruses are not as dangerous as the macro viruses for Word or Excel: not because of some limitation of these other Office products, but because data files from these products are not shared so frequently.
There is one danger which can be seen in today's PowerPoint even without native macro viruses written for it. Authors can include in their presentation any number of objects from Excel or Word, and these objects can be infected with macro viruses; if someone edits the presentation and opens the infected object with its parent application, the virus can spread further.
But the current situation may change dramatically over the next few years. Microsoft has licensed VBA technology to many firms, so one can expect to see more macro viruses for other products, too.
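The macro-virus chronology above comes down to a few observable traits: an automacro entry point (AutoOpen, AutoExec, Document_Open and their Excel equivalents), code that touches NORMAL.DOT or the VBA project to copy itself, and, for the e-mail strain, automation of a mail client. An added example for this page (not code from the article or from any product): a rule-based scanner over VBA source text that reports those traits with line numbers and turns them into a triage level. Both VBA samples are constructed for the demo and are not working macros; the rules are illustrative, and extracting the VBA from a real document is a separate step not shown here.

```python
import re

# Each rule: (description, regex).  Entry points are the Word/Excel names the
# text calls 'automacros' plus the VBA document/workbook events.
RULES = [
    ("auto-exec entry point",
     re.compile(r"\bSub\s+(AutoExec|AutoOpen|AutoClose|AutoNew|AutoExit|"
                r"Document_Open|Document_Close|Document_New|Workbook_Open|Auto_Open|Auto_Close)\b", re.I)),
    ("touches the global template (NORMAL.DOT)",
     re.compile(r"\bNormalTemplate\b|NORMAL\.DOT", re.I)),
    ("copies macros (VBA project / organizer access)",
     re.compile(r"\bVBProject\b|\bVBComponents\b|\bOrganizerCopy\b|\bMacroCopy\b", re.I)),
    ("automates a mail client",
     re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I)),
    ("runs an external command",
     re.compile(r"\bShell\s*\(|\bShell\s+\"", re.I)),
    ("deletes files",
     re.compile(r"\bKill\s", re.I)),
]

SPREAD_RULES = {
    "touches the global template (NORMAL.DOT)",
    "copies macros (VBA project / organizer access)",
    "automates a mail client",
}


def scan_vba(source):
    """Return [(line_number, description, line_text), ...] for every rule hit.
    Full-line VBA comments (starting with ') are skipped."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("'"):
            continue
        for description, pattern in RULES:
            if pattern.search(line):
                findings.append((number, description, line.strip()))
    return findings


def triage_level(findings):
    """'high' when an auto-exec entry point is combined with a replication
    or mail indicator, 'medium' for any hit on its own, 'low' for none."""
    hits = {description for _, description, _ in findings}
    auto = "auto-exec entry point" in hits
    if auto and hits & SPREAD_RULES:
        return "high"
    if hits:
        return "medium"
    return "low"


# Constructed samples for the demo; neither is a working macro virus.
SUSPICIOUS_MACRO = """' constructed sample for the scanner demo
Sub AutoOpen()
    Set mail = CreateObject("Outlook.Application")
    NormalTemplate.VBProject.VBComponents.Import "payload.bas"
End Sub
"""

BENIGN_MACRO = """' constructed benign formatting macro
Sub BoldHeadings()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, source in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        findings = scan_vba(source)
        print(f"{name}: {triage_level(findings)}")
        for number, description, text in findings:
            print(f"  line {number}: {description}: {text}")
```

The scoring follows the text's own logic: an automacro alone is how many legitimate templates work, and a macro that edits NORMAL.DOT alone may be a customization tool; it is the combination that matches the infection chronology described above.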
POLYMORPHIC VIRUSES
This type of virus can change itself each time it is copied, making it difficult to isolate. Most simple viruses attach identical copies of themselves to the files they infect. An anti-virus program can detect the virus’s code (or signature) because it is always the same and quickly ferret out the virus. To avoid such easy detection, polymorphic viruses operate somewhat differently. Unlike the simple virus, when a polymorphic virus infects a program, it scrambles its virus code in the program body. This scrambling means that no two infections look the same, making detection more difficult. These viruses create a new decryption routine each time they infect, so every infected file will have a different sequence of virus code.
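Why the constant-string scanner fails against a polymorphic body, and why "decrypt, then scan" (the countermeasure described in the self-defense section above) restores detection, as an added example for this page rather than code from the article. The "virus body" is a constructed marker string, the stub is two constructed bytes, and the encryption is a one-byte XOR so that brute-forcing the key stands in for the emulation a real engine performs on the decryptor.

```python
MARKER = b"DEMO-POLY-BODY"   # constructed signature of the plaintext body


def encode_sample(body, key):
    """Constructed carrier: a 2-byte stub holding the key, then the body
    XOR-ed with that key.  Every key yields a byte-different file, which is
    the property that defeats a fixed signature."""
    return bytes([0xEB, key]) + bytes(b ^ key for b in body)


def naive_scan(data, signature=MARKER):
    """The constant-string scanner the text says polymorphism was built to beat."""
    return signature in data


def decode_then_scan(data, signature=MARKER):
    """Decrypt the payload after the stub and look for the signature in the
    decrypted body.  Returns the key that reveals it, or None.  A real
    engine emulates the decryptor; trying all 256 one-byte keys is the
    cheap stand-in for that here."""
    payload = data[2:]
    for key in range(256):
        if signature in bytes(b ^ key for b in payload):
            return key
    return None


def scan_corpus(samples):
    """Compare both scanners over a set of samples; returns {name: (naive, decoded_key)}."""
    return {name: (naive_scan(data), decode_then_scan(data)) for name, data in samples.items()}


# Constructed samples: the same body under three different keys, plus a clean file.
SAMPLES = {
    "gen0": encode_sample(MARKER, 0x00),
    "gen1": encode_sample(MARKER, 0x5A),
    "gen2": encode_sample(MARKER, 0x13),
    "clean": b"\xeb\x00just a harmless document",
}

if __name__ == "__main__":
    for name, (naive, key) in scan_corpus(SAMPLES).items():
        print(f"{name}: naive={naive} decoded_key={key}")
```

Only the generation with key 0 matches the plain signature; the other two are caught solely by decoding first, which is exactly the arms race the passive-defense paragraph describes.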
STEALTH VIRUSES
Stealth viruses actively seek to conceal themselves from attempts to detect or remove them. They also can conceal changes they make to other files, hiding the damage from the user and the operating system.
Stealth viruses, or Interrupt Interceptors, as they are sometimes called, take control of key DOS-level instructions by intercepting the interrupt table, which is located at the beginning of memory. This gives the virus the ability to do two important things: 1) gain control of the system by re-directing the interrupt calls, and 2) hide itself to prevent detection. They use techniques such as intercepting disk reads to provide an uninfected copy of the original item in place of the infected copy (read-stealthing viruses), altering disk directory or folder data for infected program files (size-stealthing), or both. For example, the Whale virus is a size-stealthing virus. It infects .EXE program files and alters the folder entries of infected files when other programs attempt to read them. The Whale virus adds 9216 bytes to an infected file. Because changes in file size are an indication that a virus might be present, the virus then subtracts the same number of bytes (9216) from the file size given in the directory/folder entry to trick the user into believing that the file’s size has not changed.
An antivirus program which is not equipped with anti-stealth technology will be deceived.
COMPANION VIRUSES
A companion virus is the exception to the rule that a virus must attach itself to a file. Instead, the companion virus creates a new file and relies on a behavior of DOS to execute it instead of the program file that would normally run. These viruses target EXE programs: they create another file with the same name but a COM extension containing the virus code, taking advantage of the fact that MS-DOS allows files in the same directory to share a base name (e.g. ABC.EXE and ABC.COM) but executes COM files in preference to EXE files.
For example, the companion virus might create a file named CHKDSK.COM and place it in the same directory as CHKDSK.EXE. Whenever DOS must choose between two files of the same name where one has an .EXE extension and the other a .COM extension, it executes the .COM file. This is not an effective way of spreading, but it has one big advantage: it does not amend files in any way and so can escape integrity tests or resident protection. Another method used by companion viruses is based on the search path: the virus simply puts an infected file into a directory that is listed in the PATH before the directory containing the original program.
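Because a companion virus changes no existing file, the integrity checker described earlier never fires; what does show it up is an audit of name resolution. An added example for this page (not code from the article): resolve() emulates the DOS lookup order (each PATH directory in turn, .COM before .EXE before .BAT) and audit() lists every command that has more than one candidate, reporting which file would actually run and which it shadows. The directory tree and PATH are constructed; the CHKDSK.COM beside CHKDSK.EXE is the page's own example, and the second FORMAT.EXE illustrates the search-path variant. DOS searches the current directory before PATH, so prepend it to path_dirs when auditing a real layout.

```python
import os

PATHEXT = (".com", ".exe", ".bat")   # DOS preference order within one directory


def resolve(command, path_dirs, tree):
    """Return (directory, file_name) that DOS would execute for `command`,
    or None.  `tree` maps each directory to the file names it contains."""
    for directory in path_dirs:
        names = {n.lower(): n for n in tree.get(directory, ())}
        for ext in PATHEXT:
            candidate = command.lower() + ext
            if candidate in names:
                return directory, names[candidate]
    return None


def audit(path_dirs, tree):
    """For every command with more than one candidate program, report the
    one that wins the lookup and the ones it shadows."""
    candidates = {}
    for directory in path_dirs:
        for name in tree.get(directory, ()):
            base, ext = os.path.splitext(name.lower())
            if ext in PATHEXT:
                candidates.setdefault(base, []).append((directory, name))
    findings = {}
    for base, hits in candidates.items():
        if len(hits) > 1:
            winner = resolve(base, path_dirs, tree)
            findings[base] = {"runs": winner, "shadowed": [h for h in hits if h != winner]}
    return findings


# Constructed layout: a planted CHKDSK.COM next to the real CHKDSK.EXE, and a
# second FORMAT.EXE in a directory that comes earlier in the PATH.
SAMPLE_PATH = ["C:\\TEMP", "C:\\DOS", "C:\\WINDOWS"]
SAMPLE_TREE = {
    "C:\\TEMP": ["README.TXT", "FORMAT.EXE"],
    "C:\\DOS": ["CHKDSK.EXE", "CHKDSK.COM", "FORMAT.EXE", "EDIT.COM"],
    "C:\\WINDOWS": ["WIN.COM"],
}

if __name__ == "__main__":
    for base, info in sorted(audit(SAMPLE_PATH, SAMPLE_TREE).items()):
        print(f"{base}: runs {info['runs']}, shadows {info['shadowed']}")
```

A shadowing pair is not proof of infection (some installers legitimately ship both forms), but every pair deserves a look, and a .COM that appeared next to an older .EXE with no matching install is the classic sign.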
PROGRAM VIRUSES
Like normal programs, program viruses must be written for a specific operating system. The vast majority of viruses are written for DOS but some have been written for Windows 3.x, Windows 95/98, and even UNIX. All versions of Windows are compatible with DOS and can host DOS viruses with varying degrees of success. Program viruses infect program files, which commonly have extensions such as .COM, .EXE, .SYS, .DLL, .OVL, or .SCR. Program files are attractive targets for virus writers because they are widely used and have relatively simple formats to which viruses can attach.
Malicious Programs and Scripts
Viruses and malicious scripts that target agent programs, that is, components that download and run software from the Internet (for example, Java applets and ActiveX controls).
WORM
A worm is a computer program that can copy itself from machine to machine. Worms normally move around and infect other machines through computer networks, without any action by the user. An entire LAN or corporate e-mail system can become so clogged with copies of a worm that it is rendered useless. Worms are commonly spread over the Internet via e-mail attachments and through Internet Relay Chat channels.
For example, the Code Red worm replicated itself more than 250,000 times in approximately nine hours on July 19, 2001.
A worm usually exploits a security hole in a piece of software or in the operating system, which is what lets it spread with no user interaction. For example, the Slammer worm (which caused mayhem in January 2003) exploited a buffer-overflow hole in Microsoft SQL Server.
Worms use up computer time and network bandwidth while they replicate, and they often carry some sort of malicious payload as well. Code Red made huge headlines in 2001: experts predicted that it could clog the Internet so effectively that things would completely grind to a halt.
The Code Red worm did slow Internet traffic when it began to replicate, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers running IIS that did not have the Microsoft security patch installed. Each time it found an unpatched server, the worm copied itself to that server, and the new copy then scanned for further servers to infect. Depending on the number of unpatched servers, a worm could conceivably create hundreds of thousands of copies.
The Code Red worm was designed to do three things:
•Replicate itself for the first 20 days of each month
•Replace Web pages on infected servers with a page that declares "Hacked by Chinese"
•Launch a concerted attack on the White House Web server in an attempt to overwhelm it
The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001.
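Because a scanning worm like Code Red announces itself in the logs of every server it probes, the scan-and-copy cycle described above is easiest to see from the receiving end. The following added example (not code from the original article) runs a simple detector over constructed web-server log lines. Code Red reached IIS through an overlong request for an .ida (Index Server ISAPI) resource, so the detector keys on that shape rather than on any exact byte string: a request whose stem ends in .ida, whose query is far longer than a real query, and which carries %u-style escapes. The log layout (date time client-ip method uri-stem uri-query status), the probe string and the addresses are assumptions of this example, not the worm's real payload.

```python
"""Spotting Code Red style .ida probes in a web-server log."""
from collections import Counter

# Constructed probe: a run of filler bytes followed by %u escapes, the rough
# shape of the overflow request (real ones were longer).
PROBE_QUERY = "?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801"

SAMPLE_LOG = "\n".join([  # constructed log lines, simplified W3C-like layout
    "2001-07-19 10:01:02 203.0.113.7 GET /default.ida " + PROBE_QUERY + " 404",
    "2001-07-19 10:01:05 192.0.2.44 GET /index.htm - 200",
    "2001-07-19 10:01:09 192.0.2.44 GET /search.ida ?q=widgets 200",
    "2001-07-19 10:01:31 203.0.113.7 GET /default.ida " + PROBE_QUERY + " 404",
    "2001-07-19 10:02:14 198.51.100.9 GET /default.ida " + PROBE_QUERY + " 200",
])


def parse_line(line):
    """Split one constructed log line into a record; '-' means an empty query."""
    date, time, client, method, stem, query, status = line.split()
    return {"time": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}


def is_ida_probe(record, min_query_len=200):
    """True for an .ida request with an overlong, %u-laden query (the overflow shape)."""
    query = record["query"].lower()
    return (record["stem"].lower().endswith(".ida")
            and len(query) >= min_query_len
            and "%u" in query)


def records(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def probe_sources(log_text):
    """Count .ida probes per client address; a scanning worm shows up as repeat offenders."""
    counts = Counter(r["client"] for r in records(log_text) if is_ida_probe(r))
    return dict(counts)


def probes_reaching_handler(log_text):
    """Probes answered with 200: the .ida mapping was present and the handler was reached,
    so these are the hosts whose patch state to verify first."""
    return [(r["time"], r["client"])
            for r in records(log_text) if is_ida_probe(r) and r["status"] == 200]


if __name__ == "__main__":
    print(probe_sources(SAMPLE_LOG))
    print(probes_reaching_handler(SAMPLE_LOG))
```

The short, legitimate /search.ida request is not flagged because the rule needs both length and %u escapes, which keeps the detector from treating every Index Server query as an attack; tune min_query_len to the longest genuine query your application produces.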
TROJAN HORSES
Trojans, another form of malware, are generally agreed upon as doing something other than the user expected, with that “something” defined as malicious. Most often, Trojans are associated with remote access programs that perform illicit operations such as password-stealing or which allow compromised machines to be used for targeted denial of service attacks. One of the more basic forms of a denial of service (DoS) attack involves flooding a target system with so much data, traffic, or commands that it can no longer perform its core functions. When multiple machines are gathered together to launch such an attack, it is known as a distributed denial of service attack, or DDoS.
Because Trojan horses do not make duplicates of themselves on the victim's disk (or copy themselves to other disks), they are not technically viruses. But because they can do harm, many people lump them in with viruses. Trojan horses are often used by hackers to create a back door into an infected system. Trojans such as Back Orifice are very dangerous: if anyone runs the program on a computer connected to the Internet, the hacker can take control of that computer, transfer files to or from it, capture screen contents, run any program or kill any running process, and so on.
Once a Trojan is installed on the system, it runs with the same privileges as the user who launched it and can use those privileges to do things the user did not intend, such as:
Delete files
Transmit to the intruder any files that the user can read
Change any files that the user can modify
Install other programs with the user’s privileges
Execute privilege-elevation attacks—the Trojan can attempt to exploit a weakness to raise the level of access beyond the user running the Trojan. If successful, the Trojan can operate with increased privileges.
Install viruses
Install other Trojans
Viruses can be programmed to do many kinds of harm, including the following:
1. Copy themselves to other programs or areas of a disk.
2. Replicate as rapidly and frequently as possible, filling up the infected system's disk and memory and rendering the system useless.
3. Display information on the screen.
4. Modify, corrupt or destroy selected files.
5. Erase the contents of entire disks.
6. Lie dormant for a specified time or until a given condition is met, and then become active.
7. Open a back door to the infected system that allows someone else to access, and even control, the system through a network or Internet connection.
8. Crash the system by causing some programs (typically Windows itself) to behave oddly.
How do viruses spread from one system to another?
The most likely virus entry points are email, Internet and network connections, floppy disk drives, and modems or other serial or parallel port connections. In today's increasingly interconnected workplace (Internet, intranet, shared drives, removable drives, and email), virus outbreaks now can spread faster and wider than ever before.
The following are some common ways for a virus to enter the users’ computer system:
•Email attachments
•Malicious scripts in web pages or HTML email
•FTP traffic from the Internet (file downloads)
•Shared network files & network traffic in general
•Demonstration software
•Pirated software
•Shrink-wrapped, production programs (rare)
•Computer labs
•Electronic bulletin boards (BBS)
•Diskette swapping (using other people’s diskettes for carrying data and programs back and forth)
High risk files
The most dangerous file types are:
.EXE, .COM, .XLS, .DOC, .MDB
They need no special conversion to infect a computer: all that has to happen is for the file to run (or, for the Office formats, to be opened with macros enabled), and the virus spreads. It has been estimated that 99% of all viruses are written for these file formats.
A list of possible virus carriers includes:
EXE - (Executable file)
SYS - (Executable file)
COM - (Executable file)
DOC - (Microsoft Word)
XLS - (Microsoft Excel)
MDB - (Microsoft Access)
ZIP - (Compressed file, common in the USA)
ARJ - (Compressed file, common in the USA)
DRV - (Device driver)
BIN - (Common boot sector image file)
SCR - (Microsoft screen saver)
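The list above ranks risk by extension, but an extension is only a name; a mail gateway or upload handler should also look at the bytes. The following added example (not code from the original article) classifies a file by its name and by its leading bytes, checking for a few well-known signatures (MZ for DOS/Windows executables, the OLE2 compound-document header used by Word and Excel files, the ZIP and ARJ archive markers) and reporting when name and content disagree, which is itself a warning sign. .COM files carry no signature and Access .MDB files use their own format, so those are rated by extension alone. Sample file contents are constructed.

```python
"""Judging a file by its header as well as its name."""
SIGNATURES = (
    (b"MZ", "executable"),                                   # EXE, SYS, DRV, SCR, DLL, OVL
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 document"),  # DOC, XLS: macro-capable
    (b"PK\x03\x04", "zip archive"),
    (b"\x60\xea", "arj archive"),
)
EXECUTABLE_EXTS = {"EXE", "COM", "SYS", "DRV", "SCR", "DLL", "OVL"}
MACRO_EXTS = {"DOC", "XLS", "MDB"}
ARCHIVE_EXTS = {"ZIP", "ARJ"}
KIND_EXTS = {"executable": EXECUTABLE_EXTS, "ole2 document": MACRO_EXTS,
             "zip archive": ARCHIVE_EXTS, "arj archive": ARCHIVE_EXTS}


def content_kind(head):
    """Identify content from the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def classify(filename, head):
    """Return (risk, content kind, name/content mismatch) for a name and its first bytes."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    kind = content_kind(head)
    if kind == "executable" or ext in EXECUTABLE_EXTS:
        risk = "high"    # runs directly
    elif kind == "ole2 document" or ext in MACRO_EXTS:
        risk = "high"    # runs on open if macros are enabled
    elif kind.endswith("archive") or ext in ARCHIVE_EXTS:
        risk = "medium"  # a carrier: unpack and classify the contents
    else:
        risk = "low"
    mismatch = kind != "unknown" and ext not in KIND_EXTS[kind]
    return risk, kind, mismatch


SAMPLES = {  # constructed file names and leading bytes
    "SETUP.EXE": b"MZ\x90\x00\x03\x00",
    "REPORT.DOC": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00",
    "NOTES.TXT": b"MZ\x90\x00\x03\x00",      # an executable wearing a .TXT name
    "BACKUP.ZIP": b"PK\x03\x04\x14\x00",
    "GAME.COM": b"\xb8\x00\x4c\xcd\x21",     # no signature; rated by extension
    "README.TXT": b"Hello, world",
}


def triage(samples):
    """Classify every sample; returns {name: (risk, kind, mismatch)}."""
    return {name: classify(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:12} {result}")
```

NOTES.TXT is the case the extension list misses: it is an executable by content and is rated high with the mismatch flag set. In practice the same check should be applied after unpacking archives, since ZIP and ARJ files are only carriers for whatever they contain.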
Common Symptoms Of Virus Infection
The computer does not boot.
Free hard drive space is reduced.
Applications will not load.
An application takes longer to load than normal.
Hard drive activity increases, especially when nothing is being done on the computer.
An antivirus software warning appears.
The number of hard drive bad sectors steadily increases.
Unusual graphics or messages appear on the screen.
Files are missing (deleted).
A message appears that the hard drive cannot be detected or recognized.
Strange sounds come from the computer.
Some viruses take control of the keyboard and occasionally substitute a neighboring key for the one actually pressed. Another virus "swallows" key presses so that nothing appears on the screen.
Also interesting are system time effects. Clocks going backwards are especially frightening for workers who cannot wait to go home. More seriously though, this type of virus can cause chaos for programs which depend on the system time or date.
Some viruses can cost the user dearly by dialing out on his modem. We do not know of one which dials premium telephone numbers but no doubt we shall see one soon. One particularly malicious virus dials 911 (the emergency number in the USA) and takes up the valuable time of the emergency services.
Author : Mary Landesman
In 1983, Fred Cohen coined the term “computer virus”, postulating a virus was "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself.” Mr. Cohen expanded his definition a year later in his 1984 paper, “A Computer Virus”, noting that “a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows.”
Using that explanation, we can see that viruses infect program files. However, viruses can also infect certain types of data files, specifically those types of data files that support executable content, for example, files created in Microsoft Office programs that rely on macros. Compounding the definition difficulty, viruses also exist that demonstrate a similar ability to infect data files that don't typically support executable content - for example, Adobe PDF files, widely used for document sharing, and .JPG image files. However, in both cases, the respective virus has a dependency on an outside executable and thus neither virus can be considered more than a simple ‘proof of concept’. In other cases, the data files themselves may not be infectable, but can allow for the introduction of viral code. Specifically, vulnerabilities in certain products can allow data files to be manipulated in such a way that it will cause the host program to become unstable, after which malicious code can be introduced to the system. These examples are given simply to note that viruses no longer relegate themselves to simply infecting program files, as was the case when Mr. Cohen first defined the term. Thus, to simplify and modernize, it can be safely stated that a virus infects other files, whether program or data.
In contrast to viruses, computer worms are malicious programs that copy themselves from system to system, rather than infiltrating legitimate files. For example, a mass-mailing email worm is a worm that sends copies of itself via email. A network worm makes copies of itself throughout a network, an Internet worm sends copies of itself via vulnerable computers on the Internet, and so on.
While purists draw a firm distinction between viruses, worms, and Trojans, others argue that it is merely a matter of semantics and give the virus moniker to all viruses, worms, and Trojans. The term malware, a.k.a. malicious software, can most easily be used to describe viruses, worms and Trojans while satisfying both arguments.
Malware is an even more appropriate term when one considers spyware, adware, and browser hijacking techniques that may not fit in any of the aforementioned virus, worm, or Trojan classifications. Thus, malware can be defined as any program, file, or code that performs malicious actions on the target system without the user's express consent. This is in contrast to Sneakyware, which can best be described as any program, file, or code that the user agrees to run or install without realizing the full implications of that choice. One of the best examples of Sneakyware was Friendly Greetings, a greeting-card trick that exploited users' willingness to say Yes without reading the licensing agreement. By doing so, they were blindly agreeing to allow the same email to be sent to all contacts listed in their address book.