Multipartite Viruses Wendy Bowman ETEC 562
General Information • A computer virus is defined as a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. • http://www.webopedia.com/TERM/v/virus.html
Viral Facts • Viruses can replicate. • All computer viruses are manmade. • Can infect other programs. • Viruses do not infect plain text files. • Viruses take up memory after replicating. • Viruses cannot exist without a host.
Types of Viruses • Trojans and Stealth • Boot Sector • File • Macros • Worms • Network and Multipartite viruses
Network Viruses • Infect networks by making extensive use of network protocols. • Network viruses are able to transfer code to a remote server or workstation. Reference http://www.viruslist.com/eng/viruslistbooks.html?id=24
Network Virus Facts • Called an octopus when it has one main segment that coordinates with what the other segments are doing. • Can steal password info and send it to a malicious source. • Separated into several segments that each run on a part of the network. • Use automated functions such as email to replicate. • Use programming built into the macros to spread themselves. http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=157&page=0
Multipartite Viruses A multipartite virus is defined as a virus that infects your boot sector as well as files.
Boot Sector The area of the hard drive that is accessed when the computer is first turned on.
Multipartite Facts • Harder to spread across networks but isn’t impossible. • To spread across a network, the server must be infected and an infected program must be accessed. • Can infect floppy disks. • Hardest virus to clean. • Are memory resident viruses. http://www.faqs.org/faqs/computer-virus/alt-faq/part1/
Viral Payload is defined as the action the virus performs on the computer. http://www.antivirus.com/pccillin/vinfo/virusencyclo/glossary.asp#payload
Possible Payloads • Corrupts the hard disk • Creates files • Deletes files • Modifies files • Formats the hard drive • Hangs the system during rebooting • Modifies available memory • Modifies available resources http://www.antivirus.com/pccillin/vinfo/virusencyclo/
Activation or Trigger • Refers to the condition or date in which the payload of the virus will occur. • Computer can be infected for months or years before the payload occurs. • Holidays are the most popular trigger date. • http://www.antivirus.com/pccillin/vinfo/virusencyclo/glossary.asp#trigger_condition_or_date
Hidden Dangers • Decrease the size of memory in BIOS, cut the last MCB (memory control block), and replicate in the free space left by the MCB • Disguise the virus as part of a downloadable shareware package • Interrupting the DOS language just enough to “hook” a viral code onto existing language (hooking) until a floppy disk can be infected. • Hooking on to the debugger. http://www.virusbtn.com/Virus.Information/natas.html
From here to there… • Floppy disks • CD-ROMs • Shareware • New software • Network server • Email attachments • Hackers • Downloading material from the Internet http://www.cuyamaca.net/rachael.holloway/ppt/virus.ppt
Disposal • Run anti-viral software • Quarantine the virus (if possible) • Replace the MBR (master boot record) • Reboot computer from a clean disk then run anti-viral software • Reformat the hard drive through DOS • Costliest method, purchase a new memory chip
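An added example, not part of the original slides: one way to confirm that a replaced MBR is clean is to compare a dump of the 512-byte sector against a hash recorded while the disk was known to be good. The function names, the baseline workflow and the sample sectors are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512        # the MBR occupies one 512-byte sector
BOOT_CODE_LEN = 446      # bootstrap code area that precedes the partition table
SIGNATURE = b"\x55\xaa"  # boot signature at offsets 510-511


def boot_code_hash(sector):
    """SHA-256 of the bootstrap code area only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def inspect_mbr(sector, baseline_hash):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from clean baseline")
    active = 0
    for i in range(4):  # four 16-byte partition table entries
        status = sector[BOOT_CODE_LEN + 16 * i]
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {status:#04x}")
        active += status == 0x80
    if active > 1:
        findings.append("more than one active partition")
    return findings


def make_sample_mbr(boot_code):
    """Constructed sector: placeholder boot code, one active partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0x06,
                        b"\x00\x3f\x20", 63, 20480)
    return code + entry + b"\x00" * 48 + SIGNATURE


# Constructed sample data: the "boot code" bytes are placeholders, not real code.
CLEAN = make_sample_mbr(b"constructed clean boot code")
ALTERED = make_sample_mbr(b"constructed altered boot code")
BASELINE = boot_code_hash(CLEAN)  # recorded while the disk was known good

if __name__ == "__main__":
    print(inspect_mbr(CLEAN, BASELINE))
    print(inspect_mbr(ALTERED, BASELINE))
```

Only the first 446 bytes are hashed so that a legitimate repartition does not raise a false alarm; the partition table is checked structurally instead.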
Anthrax • Writes its viral code to the last sector of the hard drive while overwriting data there. • Memory resident • DOS platform • Infects .COM, .EXE, MBR, and floppy boot sectors • Multipartite • Uses 1024 bytes (files) and 512 bytes (MBR) http://www.symantec.com/avcenter/vinfodb.html#
Clisti 1025 and Clisti 1025 (b) • No aliases • Memory resident • Uses encryption • Wild ( Can be transmitted through networks • Infects .COM, floppy boot sector, hard disk boot sector • Mainly transmitted through emails http://www.symantec.com/avcenter/vinfodb.html#
One Half Boot • Infects .COM, .EXE, MBR • Memory resident • Slowly encrypts the hard drive • Uses 3155 bytes (files) and 512 bytes (MBR) • Multipartite, stealthing, and polymorphic • Transmitted through emails • All encrypted data is lost when virus is removed http://www.symantec.com/avcenter/vinfodb.html#
Is your computer a ticking time bomb?