ABIMCO ANTI VIRUS CLINIC
This clinic gives you detailed information about computer viruses and worms, their effects on your systems and the steps you need to take to prevent them. You will also find removal tools from leading companies, and you will always have the latest updated information about computer viruses.
A virus is malicious computer code embedded
within an executable program that victims activate on their machines,
usually by opening an e-mail attachment or through a shared folder or
file.
Worms, on the other hand, require no action from the victim to activate. They spread on their own from system to system without the victim needing to do anything. The Code Red worm, for example, automatically sends itself to 99 IP addresses that it generates.
The difference between a computer virus and other programs is that viruses are designed to self-replicate (that is to say, make copies of themselves). They usually self-replicate without the knowledge of the user. Viruses often contain 'payloads', actions that the virus carries out separately from replication. Payloads can vary from the annoying (for example, the WM97/Class-D virus, which repeatedly displays messages such as "I think 'username' is a big stupid jerk") to the disastrous (for example, the CIH virus, which attempts to overwrite the Flash BIOS and can cause irreparable damage to certain machines).
Viruses can be hidden in programs available on floppy
disks or CDs, hidden in email attachments or in material downloaded from
the web. If the virus has no obvious payload, a user without anti-virus
software may not even be aware that a computer is infected.
A computer on which an active copy of a virus is present is considered infected. The way in which a virus becomes active depends on how the virus has been designed; for example, macro viruses can become active if the user simply opens, closes or saves an infected document.
How infection occurs
Once the virus is active on
the computer, it can copy itself to (infect) other files or disks as they
are accessed by the user. Different types of viruses infect computers in
particular ways; the most widespread types are Macro, Boot and Parasitic
viruses.
Macro viruses
A macro is an instruction that
carries out program commands automatically. Many common applications (e.g.
word processing, spreadsheet, and slide presentation applications) make
use of macros. Macro viruses are macros that self-replicate. If a user
accesses a document containing a viral macro and unwittingly executes this
macro virus, it can then copy itself into that application's startup
files. The computer is now infected--a copy of the macro virus resides on
the machine.
Any document on that machine that uses the same application can then become infected. If the infected computer is on a network, the infection is likely to spread rapidly to other machines on the network. Moreover, if a copy of an infected file is passed to anyone else (for example, by email or floppy disk), the virus can spread to the recipient's computer. This process of infection ends only when the virus is noticed and all viral macros are eradicated. Macro viruses are the most common type of virus. Many popular modern applications allow macros, macro viruses can be written with very little specialist knowledge, and these viruses can spread to any platform on which the application runs. However, the main reason for their 'success' is that documents are exchanged far more frequently than executables or disks, a direct result of email's popularity and web use.
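An added example (not part of the clinic's material) of the heuristic an anti-virus scanner can apply to a document's extracted VBA source: flag a procedure that runs automatically on open or close and also reaches into the application's startup template, which is the combination a macro virus needs. The indicator lists and the two sample modules are constructed for this illustration.

```python
import re

# Procedure names that Word and Excel run on their own when a document is
# opened, closed or created; a viral macro hooks one of these to get control.
# Constructed list for this example (a real scanner keeps a fuller table).
AUTO_EXEC_NAMES = {n.lower() for n in (
    "AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
    "Document_Open", "Document_Close", "Workbook_Open", "Auto_Open")}

# Identifiers that suggest a macro is reaching into the application's startup
# files (Word's Normal template) or into another module's VBA project.
STARTUP_INDICATORS = ("NormalTemplate", "OrganizerCopy", "VBProject")

SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)",
                    re.IGNORECASE | re.MULTILINE)


def assess_macro(vba_source: str) -> dict:
    """Assess one VBA module's source text (assumed already extracted from
    the document) and return the indicators found plus a verdict."""
    procedures = SUB_RE.findall(vba_source)
    auto_exec = sorted(p for p in procedures if p.lower() in AUTO_EXEC_NAMES)
    startup_refs = sorted(i for i in STARTUP_INDICATORS if i in vba_source)
    if auto_exec and startup_refs:
        verdict = "suspicious"   # runs by itself AND touches startup files
    elif auto_exec or startup_refs:
        verdict = "review"       # one trait alone is common in honest macros
    else:
        verdict = "clean"
    return {"auto_exec": auto_exec, "startup_refs": startup_refs,
            "verdict": verdict}


# Constructed sample modules (not real malware): a harmless formatting macro,
# and a skeleton that shows the two traits a macro virus has to combine.
BENIGN_MODULE = """\
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

SUSPECT_MODULE = """\
Private Sub AutoOpen()
    ' runs every time the document is opened
    Set target = NormalTemplate.VBProject
End Sub
"""
```

A module with only one of the two traits is reported as "review" rather than "suspicious", since many legitimate macros use an auto-run name alone.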
Boot sector viruses
The boot sector is the first
software loaded onto your computer. This program resides on a disk, and
this disk can be either the hard disk inside the computer, a floppy disk
or a CD. When a computer is switched on, the hardware automatically
locates and runs the boot sector program. This program then loads the rest
of the operating system into memory. Without a boot sector, a computer
cannot run software.
A boot sector virus infects computers by modifying the contents of the boot sector program, replacing the legitimate contents with its own infected version. A boot sector virus can only infect a machine if the infected disk is used to boot the computer; for example, if you start your computer from a floppy disk with an infected boot sector, your computer is likely to be infected. A boot sector virus cannot infect a computer if the disk is introduced after the machine is already running the operating system.
An example of a boot sector virus is Parity Boot. This virus's payload displays the message PARITY CHECK and freezes the operating system, rendering the computer useless. The message is copied from a genuine error message that is displayed when a computer's memory is faulty. As a result, a user whose computer is infected with the Parity Boot virus is led to believe that the machine has a memory fault rather than a disruptive virus infection.
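An added example (not part of the clinic's material) of how a defender can detect the modification a boot sector virus makes: record a hash of the known-good boot code and compare it on each check, ignoring the BIOS Parameter Block, which legitimately differs between disks. It assumes the FAT12/16 layout used on DOS floppies, and the sectors it checks are constructed here rather than read from a real disk.

```python
import hashlib
import struct

# Assumed FAT12/16 floppy layout: bytes 0-2 JMP, 3-10 OEM name, 11-61 BIOS
# Parameter Block (BPB), 62-509 boot code, 510-511 signature 55 AA.
CODE_START, SIG_OFFSET, SECTOR_SIZE = 62, 510, 512


def parse_boot_sector(sector: bytes) -> dict:
    """Split a 512-byte sector into the fields the integrity check uses."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return {
        "jump_ok": sector[0] in (0xEB, 0xE9),  # short/near JMP into the code
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xAA",
        # Hash only the code: the BPB (geometry, volume serial) legitimately
        # differs between disks, but the boot code must match exactly.
        "code_hash": hashlib.sha256(sector[CODE_START:SIG_OFFSET]).hexdigest(),
    }


def check_boot_sector(sector: bytes, known_code_hash: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_boot_sector(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if not info["jump_ok"]:
        findings.append("first byte is not a JMP")
    if info["code_hash"] != known_code_hash:
        findings.append("boot code differs from known-good baseline")
    return findings


def build_sector(code: bytes, volume_serial: int = 0x12345678) -> bytes:
    """Construct a synthetic (non-bootable) FAT12 sector for the demonstration."""
    head = b"\xEB\x3C\x90MSWIN4.1"
    bpb = struct.pack("<HBHBHHBHHHIIBBBI", 512, 1, 1, 2, 224, 2880, 0xF0, 9,
                      18, 2, 0, 0, 0, 0, 0x29, volume_serial)
    bpb += b"NO NAME    FAT12   "
    body = (head + bpb + code)[:SIG_OFFSET].ljust(SIG_OFFSET, b"\x00")
    return body + b"\x55\xAA"


# Known-good baseline recorded while the disk was clean (constructed here).
BASELINE = build_sector(bytes(range(256)) * 2)
KNOWN_HASH = parse_boot_sector(BASELINE)["code_hash"]
```

A disk with a different volume serial passes the check, while a single patched byte in the code region is reported.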
Parasitic viruses
Parasitic viruses attach themselves to programs, also known as executables. When a user launches a program that carries a parasitic virus, the virus is surreptitiously launched first. To cloak its presence from the user, the virus then triggers the original program to open. Because the operating system understands the parasitic virus to be part of the program, it is given the same rights as the program to which it is attached. These rights allow the virus to replicate, install itself into memory, or release its payload. In the absence of anti-virus software, only the payload might raise the normal user's suspicions. A famous parasitic virus called Jerusalem has a payload of slowing down the system and eventually deleting every program the user launches.

In the mid-eighties, so legend has it, the Amjad brothers of Pakistan ran a computer store. Frustrated by computer piracy, they wrote the first computer virus, a boot sector virus called Brain. From those simple beginnings, an entire counter-culture industry of virus creation and distribution emerged, leaving us today with several tens of thousands of viruses.
The first worm to get the attention of the computer user community was the Morris worm, released on November 2, 1988, by Robert Tappan Morris, a 23-year-old graduate student at Cornell University in the USA. The infant Internet community of the time had never seen anything like this worm: in a matter of hours it had infected 6,000 machines.
In May 2000 the Internet community was stricken by the "Love Bug", a virus (or, technically, a worm) that travelled as an attachment to an e-mail message and propagated itself rapidly through the victims' address books. The source of this worm was traced to the Philippines, and within 24 hours one Onel de Guzman was arrested in connection with its release.
The Magistr virus is a polymorphic worm from Sweden that is capable of mass-mailing itself to addresses found in the Windows Address Book, Outlook and Netscape address books, as well as to addresses found in e-mail within these mailboxes. The subject and body of the infected e-mail change, using file names found on the infected computer. Magistr may send more than one .exe file as an attachment; if the attached infected file is executed, Magistr infects a randomly chosen file and adds its name to the RUN= line in the Win.ini file. It also adds the infected file name to the Registry. Magistr's code is encrypted and uses anti-debugging techniques to avoid detection. Magistr also contains a destructive payload.
A new version of the polymorphic virus Magistr was discovered in late August. The new version, Magistr.B (w32.Magistr.39921), features a payload that overwrites hard drives with garbage, erases the CMOS and flashes the BIOS on the infected system, rendering the computer unusable. Magistr.B arrives as an e-mail with an attachment that has an .exe, .bat, .pif or .com extension. When the attachment is opened, Magistr.B displays the following message from the original Magistr worm: "Another haughty bloodsucker...... YOU THINK YOU ARE GOD". Magistr.B then searches for all sent e-mail addresses in Eudora, Outlook, Netscape Messenger and other Internet clients, and sends randomly constructed messages to up to 100 people. Magistr.B contains its own SMTP e-mail routine to send copies, bypassing Microsoft's Outlook Security Patch. Magistr.B also searches network resources for Windows installations such as Windows 95, 98, Me, NT and 2000, and infects all portable executable files found on remote systems. This worm destroys the contents of the computer's hard drive and the CMOS/BIOS information on Windows operating systems.
The Leave worm was discovered in early 2001; its code is known as W32-Leave.worm. This particular worm allowed an intruder access to an infected system while the machine was connected to the Internet. A 24-year-old Briton was arrested on July 23, 2001 for designing and propagating this malicious code, known as W32-Leave.worm, into Windows-based computer systems.
The Code Red worm was discovered on July 13, 2001. Its prime targets are Microsoft Windows NT and Microsoft Windows 2000 operating systems running IIS 4.0 and 5.0. In one day alone the worm infected over 250,000 machines in just nine hours. Once active on a system, this memory-resident worm first attempts to spread itself by generating a sequence of random IP addresses and trying to infect unprotected web servers at those addresses. Each worm thread then inspects the infected computer's clock. Code Red II was detected early in August; this worm exploits the same vulnerability as the original Code Red worm, but instead of compromising a system to launch denial-of-service attacks, it installs a backdoor into infected systems that can be accessed by anyone who knows that the victim's machine has been compromised. The estimated loss resulting from the Code Red worm attack was around $1.2bn (£838m) as of August 2001 in the USA, and those estimates are destined to rise as the worm gains ground.
The Code Blue worm was detected in late August 2001 and is similar to Code Red. Code Blue exploits the Web Server Folder Directory Traversal vulnerability in servers running Microsoft's IIS 4.0 and IIS 5.0 software. From the infected Web server, Code Blue sends a malformed GET request to as many as 100 randomly generated IP addresses. Once it gains access to a vulnerable remote computer's hard drive, Code Blue contacts the original infected server and downloads httpex.dll, which creates several new files on the remote machine. One of the files, Svchost.exe, creates a registry entry that allows Code Blue to execute at startup. The active Code Blue infection on the remote computer then opens 100 ports for UDP connections to scan for new servers to infect. Another file created by Code Blue, d.vbs, disables the .ida, .idc and printer services. Code Blue also searches for Inetinfo.exe and, if found, tries to terminate the process. Inetinfo.exe is responsible for access to the server's resources. In addition, Code Blue changes the process that handles specialised HTTP requests. Combined, these actions effectively terminate and prevent future Code Red infections on the Code Blue-infected server.
The Nimda worm is a fast-spreading worm that is challenging both network administrators and home users. Nimda (W32.nimda.a.@mm) is a network-aware, mass-mailing worm that infects both personal computers running Windows operating systems and IIS Web servers. Nimda attacks at least a dozen known vulnerabilities on systems running Microsoft IIS and can also spread via open shared files or folders to other connected machines on a network. An infected Web site may display a Web page that encourages users to download a file that is actually infected.
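As an added example, not the clinic's own material, here is detection logic a server administrator could run over IIS logs for the worm traffic described in the Code Red, Code Blue and Nimda sections above: it normalises each request the way IIS did (double decoding and overlong UTF-8) and matches it against the publicly documented request patterns of these worms. The log lines are constructed, and the W3C field order is assumed.

```python
import re
from urllib.parse import unquote_to_bytes

# Rules reflect the publicly documented request patterns: Code Red's oversized
# .ida query, the encoded '../' traversal used by Code Blue and Nimda, and
# Nimda's requests for cmd.exe / root.exe left on compromised servers.
RULES = [
    ("code-red-ida-overflow", re.compile(r"/default\.ida\?[NX]{50,}", re.I)),
    ("directory-traversal", re.compile(r"\.\.[/\\]")),
    ("nimda-command-shell", re.compile(r"/(?:cmd|root)\.exe", re.I)),
]
# Assumed W3C fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (?P<ip>\S+) (\S+) (?P<stem>\S+) "
                    r"(?P<query>\S+) (\d+)")

def normalise(request: str) -> str:
    """Decode URL escapes twice (so %255c collapses to '\\'), then map the
    overlong UTF-8 forms %c0%af ('/') and %c1%9c ('\\') that IIS accepted
    but an ordinary decoder leaves alone."""
    raw = request.encode("ascii", "replace")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return raw.decode("latin-1")

def scan_log(lines) -> list:
    """Return (client_ip, rule_name) for each request that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if line.startswith("#") or not m:
            continue
        request = m["stem"] + ("" if m["query"] == "-" else "?" + m["query"])
        for name, pattern in RULES:
            if pattern.search(normalise(request)):
                hits.append((m["ip"], name))
                break
    return hits

# Constructed log lines (documentation IP ranges), not a real server's log.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 10:15:01 192.0.2.10 GET /default.htm - 200",
    "2001-08-04 10:15:07 198.51.100.7 GET /default.ida " + "N" * 60 + "%u9090 404",
    "2001-08-04 10:16:22 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-08-04 10:17:03 198.51.100.9 GET /scripts/root.exe /c+dir 200",
    "2001-08-04 10:18:40 192.0.2.11 GET /images/logo.gif - 200",
]
```

Running scan_log(SAMPLE_LOG) reports the three worm requests by client address and rule name, and the two ordinary page requests are ignored.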
One of the latest worms is the Anset worm; it arrives by e-mail and claims to be a Trojan horse scanner. There are at least three variants of Anset, W32.Anset.A@mm, W32.Anset.B@mm and W32.Anset.C@mm, circulating on the Internet. For now Anset is only known to be capable of sending multiple e-mail messages and does not damage the system.
Viruses today
The number of known viruses has surpassed 50,000. A large majority of those (74%) are parasitic viruses (attacking executables), second are macro viruses (19%) and 7% are boot sector viruses. About 88% of infections were due to macro viruses, 9% due to parasitic viruses and only 3% due to boot sector viruses. Note that a reported infection is counted as a single unit regardless of whether the virus infected one machine or 10,000 machines: the statistics quoted are not 'bomb-proof' but simply an indication of what is out there. The number of new viruses discovered every month continues to increase.
Anti-virus companies are all faced with the dilemma of how to prioritise detection of the viruses reaching their virus laboratory. It is impossible to predict which (if any) of the new viruses will be released 'in the wild' and start causing problems: new viruses must simply be analysed and the detection and disinfection routines for them included in the anti-virus software. However, there is a group of viruses which have a greater potential to spread rapidly. Viruses which are 'internet-enabled' and which exploit some form of common social engineering factor (such as the LoveLetter virus) obviously fall into this category.