Published by Mary Murphy. Modified over 9 years ago
1
Computer Viruses
2
Introduction
- Computer viruses have become today's headline news
- With the increasing use of the Internet, it has become easier for viruses to spread
- Viruses show us loopholes in software
- Most viruses are targeted at the MS Windows OS
3
Definition
Virus: A true virus is capable of self-replication on a machine. It may spread between files or disks, but the defining characteristic is that it can recreate itself on its own without traveling to a new host.
4
Overview
- Background
- Symptoms
- Classifying Viruses
- Examples
- Protection/Prevention
- Conclusion
5
Background
- There are an estimated 30,000 computer viruses in existence
- Over 300 new ones are created each month
- The first virus was created to show loopholes in software
6
Virus Languages
- ANSI COBOL
- C/C++
- Pascal
- VBA
- Unix Shell Scripts
- JavaScript
- Basically any language that works on the system that is the target
7
Symptoms of Virus Attack
- Computer runs slower than usual
- Computer no longer boots up
- Screen sometimes flickers
- PC speaker beeps periodically
- System crashes for no reason
- Files/directories sometimes disappear
- Denial of Service (DoS)
8
Virus through the Internet
- Today almost 87% of all viruses are spread through the Internet (source: ZDNet)
- Transmission time to a new host is relatively low, on the order of hours to days
- "Latent virus"
9
Classifying Virus - General
- Virus Information
  - Discovery Date:
  - Origin:
  - Length:
  - Type:
  - SubType:
  - Risk Assessment:
  - Category:
10
Classifying Virus - Categories
- Stealth
- Polymorphic
- Companion
- Armored
11
Classifying Virus - Types
- Trojan Horse
- Worm
- Macro
12
Trojan Horse
- Covert
- Leaks information
- Usually does not reproduce
13
Trojan Horse
- Back Orifice
  - Discovery Date: 10/15/1998
  - Origin: Pro-hacker Website
  - Length: 124,928
  - Type: Trojan
  - SubType: Remote Access
  - Risk Assessment: Low
  - Category: Stealth
14
Trojan Horse
- About Back Orifice
  - requires Windows to work
  - distributed by "Cult of the Dead Cow"
  - similar to PC Anywhere, Carbon Copy software
  - allows remote access and control of other computers
  - installs a reference in the registry
  - once infected, runs in the background
  - by default uses UDP port 54320, TCP port 54321
  - In Australia, 72% of 92 ISPs surveyed were infected with Back Orifice
15
Trojan Horse
- Features of Back Orifice
  - pings and queries servers
  - reboots or locks up the system
  - lists cached and screen saver passwords
  - displays system information
  - logs keystrokes
  - edits the registry
  - server control
  - receives and sends files
  - displays a message box
16
Worms
- Spread over network connections
- Worms replicate
- The first worm released on the Internet was called the Morris worm; it was released on Nov 2, 1988.
17
Worms
- Bubbleboy
  - Discovery Date: 11/8/1999
  - Origin: Argentina (?)
  - Length: 4992
  - Type: Worm/Macro
  - SubType: VbScript
  - Risk Assessment: Low
  - Category: Stealth/Companion
18
Worms
- Bubbleboy
  - requires WSL (Windows scripting language), Outlook or Outlook Express, and IE5
  - Does not work in Windows NT
  - Affects Spanish and English versions of Windows
  - 2 variants have been identified
  - Is a "latent virus" on a Unix or Linux system
  - May cause DoS
19
Worms
- How Bubbleboy works
  - Bubbleboy is embedded within an email message in HTML format.
  - a VbScript runs while the user views the HTML page
  - a file named "Update.hta" is placed in the startup directory
  - upon reboot, Bubbleboy executes
20
Worms
- How Bubbleboy works
  - changes the registered owner/organization
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RegisteredOwner = “Bubble Boy”
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RegisteredOrganization = “Vandalay Industry”
  - using the Outlook MAPI address book, it sends itself to each entry
  - marks itself in the registry
    - HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = “OUTLOOK.Bubbleboy1.0 by Zulu”
21
Macro
- Specific to certain applications
- Comprise a high percentage of the viruses
- Usually made in WordBasic and Visual Basic for Applications (VBA)
- Microsoft shipped "Concept", the first macro virus, on a CD-ROM called "Windows 95 Software Compatibility Test" in 1995
22
Macro
- Melissa
  - Discovery Date: 3/26/1999
  - Origin: Newsgroup Posting
  - Length: varies depending on variant
  - Type: Macro/Worm
  - Subtype: Macro
  - Risk Assessment: High
  - Category: Companion
23
Macro
- Melissa
  - requires WSL, Outlook or Outlook Express, and Word 97 SR1 or Office 2000
  - 105 lines of code (original variant)
  - received either as an infected template or email attachment
  - lowers computer defenses to future macro virus attacks
  - may cause DoS
  - infects template files with its own macro code
  - 80% of the 150 Fortune 1000 companies were affected
24
Macro
- How Melissa works
  - the virus is activated through an MS Word document
  - the document displays references to pornographic websites while the macro runs
  - first lowers the macro protection security setting for future attacks
  - checks to see if it has run in the current session before
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = “by Kwyjibo”
  - propagates itself using the Outlook MAPI address book (emails sent to the first 50 addresses)
25
Macro
- How Melissa works
  - infects the Normal.dot template file with its own code
  - Lastly, if the minutes of the hour match up to the date, the macro inserts a quote by Bart Simpson into the current document
    - “Twenty two points, plus triple word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
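The registry markers and the Update.hta startup file listed on the Bubbleboy and Melissa slides can be checked for in an offline triage pass. The script below is an added example, not part of the original presentation: it scans the text of a registry export and a file listing for those markers. It assumes the slides' "Current Version" is the CurrentVersion key and that each marker may appear either as a named value or as a key's default value; the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Registry markers as printed on the slides: path -> (family, expected data).
SLIDE_MARKERS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RegisteredOwner": ("Bubbleboy", "Bubble Boy"),
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RegisteredOrganization": ("Bubbleboy", "Vandalay Industry"),
    r"HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy": ("Bubbleboy", "OUTLOOK.Bubbleboy1.0 by Zulu"),
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa": ("Melissa", "by Kwyjibo"),
}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def norm(path):
    # Ignore case and spaces so "Current Version" matches "CurrentVersion".
    return path.lower().replace(" ", "")

MARKERS = {norm(p): v for p, v in SLIDE_MARKERS.items()}

def scan_reg_export(text):
    """Return sorted (family, path) hits in the text of a .reg export."""
    hits, key = set(), None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m:  # string values only; dword/hex lines are skipped
            # .reg escapes backslash and quote with a backslash; undo that.
            name, data = (g and re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            # A marker may be a named value or a key's default value (@).
            path = key if name is None else key + "\\" + name
            family, expected = MARKERS.get(norm(path), (None, None))
            if family and data.strip().lower() == expected.lower():
                hits.add((family, path))
    return sorted(hits)

def scan_startup(paths):
    """Flag Update.hta in a Startup folder (Bubbleboy, per the slides)."""
    return [p for p in paths if ntpath.basename(p).lower() == "update.hta"
            and "startup" in norm(ntpath.dirname(p))]

# Constructed sample export, not taken from a real host.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubble Boy"
"RegisteredOrganization"="Example Org"
[HKEY_LOCAL_MACHINE\SOFTWARE\Outlook.bubbleboy]
@="OUTLOOK.Bubbleboy1.0 by Zulu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office]
"Melissa"="by Kwyjibo"'''
```

Calling scan_reg_export(SAMPLE_REG) reports the owner marker, the Outlook.bubbleboy marker and the Melissa marker, and leaves the unmodified organization value alone.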
26
Protection/Prevention
- Knowledge
- Proper configurations
- Run only necessary programs
- Anti-virus software
27
Conclusion
- You now know more about viruses and how:
  - viruses work through your system
  - to make a better virus
- Have seen how viruses show us a loophole in popular software
- Most viruses show that they can cause great damage due to loopholes in programming
28
Questions?
- Copies of the latest lovebug virus code are available…in print