With the broader use of computers and increasing connectivity, online communication has grown tremendously.  But as it is said that everything comes with a price, it's also true in the case of online communication. The increased and effective connectivity has made it easier for malicious virus writers to create viruses and worms that spread faster and further. Security problems from these viruses have generated some of the most costly mistakes in the computer industry in the last few years.

With the human body, viruses are nasty things.� They are actually little pieces of RNA that actually get into your cells and cause them to reproduce incorrectly, actually changing the genetic makeup of the infected cells thus creating more and more infected cells.� This is why viruses, like HIV or even the common cold and others are so difficult to cure.� Most of the time, you have to wait for your body to figure out how to fight it off and the best thing you can do for your body is find a way to make your body as comfortable and strong as possible in order to ride it out.�

The Need for Antivirus Software

History of Computer Viruses

The history of computer viruses is not very long. The first viruses ran on the old Apple II computer in 1981. In those days they weren't called viruses, because the name "computer virus" wasn't invented by then. This virus, through pirated computer games, infected the Apple II floppy disks containing operating system. The Name of this virus was Elk Cloner and displayed a little rhyme on the screen. In 1983, Fred Cohen, then a Ph.D. student, defines the term "computer virus" as "a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself." The first file viruses started to spread in 1987 infecting .COM files especial COMMAND.COM. The first of these viruses were the Lehigh virus and the Christmas Worm that attacked IBM mainframes at 500,000 replications per hour. Next year, one of the most popular viruses at that time, Jerusalem, spread across the computers. Jerusalem was set to activate on every Friday the 13th infecting .exe and .com files and deleting all the programs running that day. Next decade saw some of the most deadly viruses in the history of computers. In 1991, Tequila, first polymorphous virus, spread that has the ability to change itself to prevent detection. The first macro virus to attack Word, Concept, was developed in 1995 and in 1998 StrangeBrew spread as the first virus to infect Java files. In 1999, Melissa, the first mixture Word macro virus and worm, infected computers around the world. It utilizes the Outlook or Outlook Express address book to send itself to others via Email.

With time, computer viruses have come a long way. Since the first viruses were written, each new class of viruses incorporated new features that made them more difficult to detect and remove. These viruses can be classified into five generations on the levels of their sophistication and complexity.

First Generation

Viruses in the first generation of viruses were simple. Most of them were nothing but the bugs and incompatibilities in software that were not anticipated by the programmers. These viruses did nothing very significant other than replicating. These viruses were not capable of hiding on the computer and were usually found by the presence of a distinctive pattern in an infected file. Many new viruses that are detected today still fall in this category.

With time viruses become smarter. Viruses have a problem that of repeated infection of the host, leading to depleted memory and early detection. To prevent this detection, the virus writers started implanting a unique signature that signals that the file or system is infected. By this signature, a virus does perform redundant infections and hides its presence. But these signatures were the mixed blessings for the viruses as signatures provide a method of detecting viruses. Virus sweep programs scan files on disk for the signatures of known viruses, or sometimes inoculate the system by providing the viral signature in clean systems to prevent the virus from attempting infection.

Usually, viruses are identified on a contaminated system by means of scanning the secondary storage and searching for a pattern of data unique to each virus. To counteract such scans, some resident viruses employ stealth techniques. These viruses subvert selected system service call interrupts when they are active. Requests to perform these operations are intercepted by the virus code. If the operation would expose the presence of the virus, the operation is redirected to return false information. So, the main purpose of a stealth virus is after it has infected an executable program, to attempt hiding itself form detection. Some measures that virus takes include: hiding changes in file size, hiding date changes, redirecting disk access, and infecting/disinfecting the system in real time. There are many places for a virus to be hidden in an executable program. Also a common virus technique is to intercept I/O requests that would read sectors from disk. The virus code monitors these requests. If a read operation is detected that would return a block containing a copy of the virus, the active code returns instead a copy of the data that would be present in an uninfected system. In this way, virus scanners are unable to locate the virus on disk when the virus is active in memory.

With the development of anti-virus tools to analyze new viruses and craft defenses, virus writers have turned to methods of complicating the code of their viruses. Known as armoring, this technique adds confusing and unnecessary code, making it more difficult to analyze the virus code. This added and unwanted code is known as NOP (No OPeration code). These viruses appeared starting in 1990. Viruses with these forms of defenses tend to be significantly larger than simpler viruses and thus more easily noticed.

In recent years a new class of viruses has appeared on the scene, known as polymorphic or self-mutating viruses. These viruses infect their targets with a modified or encrypted version of themselves. By varying the code sequences written to the file, or by generating a different, random encryption key, the virus in the altered file is not identified through the use of simple byte matching by a virus scanner programmed to recognize known viruses' signatures. To detect the presence of these viruses requires that a more complex algorithm be employed that, in effect, reverses the masking to determine if the virus is present. During infection, the encryption routine is used to encrypt the original virus. The mutation engine then modifies the decryption routine by adding useless code, but preserving accurate decryption. The encrypted virus, encryption routine, mutation engine, and new decryption routine are then bundled together and attached to the target file or program. This way, every new infection has a different signature so it evades a pattern recognition scanner. These infected files vary significantly from infection to infection making detection much more difficult.

LoveLetter

LoveLetter is the worm everyone learned to hate in spring 2000. The infection affected millions of computers and caused more damage than any other computer virus to date. The worm sent copies of itself via Microsoft Outlook's address book entries. The mail included an executable file attachment with the email subject line, "ILOVEYOU." The worm had the ability to overwrite several types of files, including vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 files. It modified the Internet Explorer start page and changed Registry keys. It also moved other files and hide MP3 files on affected systems.

In March 1999, Melissa virus swamped corporate networks with a wave of email messages. On opening an email message containing infected Word attachment, the virus sent a copy itself to the first 50 names in the address book of the user. The email fooled many recipients because it bore the name of someone the recipient knew and referred to a document they had allegedly requested. So much email traffic was generated so quickly that companies like Intel and Microsoft had to turn off their email servers. The Melissa virus was the first virus capable of hopping from one machine to another on its own.

Nimda (also known as the Concept Virus) appeared in September 2001 and attacked thousands of servers and PCs all across the globe. The worm use to modify Web documents and executable files and then creating numerous copies of it. The worm spread as an embedded attachment in an HTML email message. Unlike typical viruses that require manual launching of the attachment, Nimda executes as soon as the recipient opened the message. It also moved via server-to-server Web traffic, infected shared hard drives on networks, and downloaded itself to users browsing Web pages hosted on infected servers.

Appeared in July 2001, Sircam virus infected attacked computers running Windows 95, 98, and Me. This worm also appeared in email inboxes with an attachment; the body of the message was in Spanish or English. Typical greetings included Hi! How are you? and Hola como estas? On opening the attachment, Sircam installed itself on the infected computer, then grabbed random documents and sent them out to email addresses it captured from the user address book.

Code Red infected hundreds of thousands of computers, mainly on corporate networks in the summers of 2001, Code Red slithered through a hole in Internet Information Server (IIS) software, which is widely used to power Internet servers, then scanned the Internet for vulnerable systems to infect and continue the process. The worm used contaminated PCs as weapons in denial of service attacks (flooding a Web site with information requests). The original target was the official White House Web site, but government officials changed the site's IP address to thwart the attack. The worm exploited a weakness in the IIS software (which has since been fixed with a patch from Microsoft) that allowed an intruder to run arbitrary code on a victimized computer. Multiple variants of this worm now exist.

The Anna Kournikova worm appeared in February 2001 but it didn't cause any data loss. Although in the process of boosting the profile of its namesake, the Russian tennis player, it did cause embarrassment and disruption for many personal and business users. The worm showed up in Microsoft Outlook users' email inboxes with an attachment, supposedly a picture of Kournikova. The attachment proved hard to resist. And on clicking, the bogus attachment sent copies of the worm via email to all addresses in the victim's Outlook address book.

The Klez worm, which blends different virus traits, was first detected in October 2001. Klez distributes itself like a virus, but sometimes acts like a worm, other times like a Trojan horse. Klez wasn't as destructive as other worms, but it was widespread and hard to exterminate. It spreads via open networks and email, regardless of the email program. It may corrupt files and disable antivirus products.

Magistr is one of the most complex viruses to hit the Internet. Its victims, users of Outlook Express, were hooked by an infected email attachment. The virus, discovered in mid-March 2001, sent garbled messages to everyone in the infected user's email address book. Attached were files pulled at random from the infected PC's hard drive plus an executable file with the Magistr code. This virus was not as widespread as many others, but it was very destructive. Magistr overwrites hard drives and erases CMOS and the flashable BIOS, preventing systems from booting. It also contained antidebugging features, making it hard to detect and destroy.

In May 2002, Benjamin, a new breed of worm was let loose. It affected users of the popular file-sharing program Kazaa. The crafty worm posed as popular music and movie files. Kazaa users thought they were downloading a media file to their machines, but they got the imposter instead. It then set up a Kazaa share folder and stuffed it with copies of itself posing as popular music and movie files, which other Kazaa users would download.

More Recent Viruses

Recently viruses are becoming more and more prevalent.  They are arriving faster and more furious than before on the internet.  

On January 26, 2004, a new mass-mailing virus now known as W32/Novarg.A, W32/Shimg, or W32/Mydoom arrived on the internet.  It arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive. This malicious code has been reported to open a connection on port 3127/tcp or port 3176/tcp. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into the default folder used by KaZaA to share files. More information is available in CERT Incident Note IN-2004-01 and CERT Advisory CA-2004-02.

A variant of the Sobig mass-emailing worm, referred to as W32/Sobig.E, started on June 26, 2003.  It arrives as an attachment with a .zip extension. Within that .zip file is a file with either a .scr or .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension. Additionally, this worm spoofs the "From" address, therefore it is likely that the sender address is not that of the infected user.

Upon execution, the worm places the following files in the "%Windir%" directory: winssk32.exe (copy of worm) msrrf.dat (configuration file)

• The worm also attempts to propogate by copying itself to the following folders:

• Documents and Settings\All Users\Start Menu\Programs\Startup\

• Windows\All Users\Start Menu\Programs\StartUp\

A variant of the BugBear mass-emailing worm, referred to as W32/BugBear.B, W32/Kijmo or W32/Shamur started on June 5, 2003.  It arrives as an attachment with a .pif, .scr, or .exe extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in the current inbox and in files with a .dbx, .eml, .mbx, .mmf, .nch, .ocs, or .tbb file extension. Additionally, this worm has a built-in keylogger, a backdoor that listens on port 1080/tcp, and attempts to terminate numerous security product processes on the system.

The worm also attempts to propogate by copying itself to the following folders on the local machine as well as other machines that it has access to using a random file name:

• Windows\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows 95/98/Me-based system

• Documents and Settings\<current user name>\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows NT/2000/XP-based system

Virus Prevention Checklist

Security Settings

If you get an email with an attachment from an unknown source-DELETE IT.  Virus writers hide their little pieces of codes in attachments, when you open the attachment, it gets into your computer, reproduces itself, and infests you computer, causing a myriad of problems. What is even more freightening is that the virus can actually get into your email and send itself out to your address book, so anyone on your email list thinks they are receiving an attachment from you and believe it is safe to open it. This results in an exponential number of people getting the virus. Say the attacker emails the virus to 10 people who email it to 10 more to email it to 10 more, all the sudden, 1000 people have the virus and it is only three generations old.

• Take regular backups of the data files.

• Use of appropriate antivirus software for email server and firewall servers.

• Installation of antivirus software on all workstations.

• Enable the virus-detection option in CMOS.

• Setting "Read Only" attribute for critical system files like sys.ini, win.ini, autoexec.bat, and config.sys.

• Set servers and clients to scan both incoming and outgoing files and include all file types when scanning, such as exe, dll, and zip files.

• Consider using a software package that allows files to be quarantined. This will prevent users from gaining access to the infected files and perpetuating the virus.

• Enable all macro virus protection within software packages, such as Word and Excel.

• Setting permissions to registry and other system files on Windows NT and 2000 systems to prevent unauthorized changes.

• Institute a set of applications that users have available to do their job. Do not allow any software to be installed beyond those provided with their system.

• Restricting downloads and software installation only to the system administrator or the IT department.

• Restriction on downloading and installation of shareware (games, screensavers, etc) by users.

• Consider limiting Internet access to approved sites. Most browsers allow an administrator to create a password protected list of approved sites.

• Do not allow remote-access users to upload files to the network unless the system administrator verifies the integrity of the PC being used for remote access.

• Avoid the usage of floppy diskettes and other removable storage media by the user without the proper permission and scanning by the system administrator.

• Avoid using data and program disks received from unknown sources.

• Enact a policy that enforces the scanning of all diskettes before they are used in a workstation.

• Consider providing a stockpile of virus-free diskettes for users to take home.

• Scan the disk upon re-entry to the workplace to ensure that the user's home PC is not infected.

• Write-protect all data and program diskettes.

• Consider using a dedicated workstation that continually scans data directories on the network.

• Enable background monitoring on the workstations.

• Schedule full workstation scans on a regular basis with minimal intrusion to the user.

• Perform scanning in "stealth mode" to achieve minimal intrusion to the user.

• Disable user intervention of scans.

• Scan new PCs received from vendors, as they may contain viruses.

• System administrators should regularly update virus signature files on workstations and servers. Most vendors offer updates on regular basis.

• Ensure updating write-protected emergency boot disk whenever new signature files are received.

• Consider setting up a dedicated server or system to retrieve regular updates. Later users can connect to that system to update their workstations.

• Instruct users to check site providing reliable virus information and encyclopedias, such as virus encyclopedias provided by Symantec, Computer Associates. Users can also check for hoax virus information on these sites.

• Encourage users to install an antivirus software package on their home computers.

• Encourage users to report when they find a virus on their system for early detection and removal of the virus.

• Informing users of new virus threats from time to time to heighten their sense of awareness.

• Taking strict action against offenders and users breaking policies or bringing a virus into the network.