searchEngine

2008/08/10

Computer virus, Spyware and Adware - What Is The Difference?

Computer viruses, spyware and adware have one thing in common: all three are a nuisance to anyone who uses a computer. They differ in how they get onto a system, what they do once there, and how you get rid of them. Let’s distinguish the three.

Spyware is software that does not set out to damage your hard disk. Instead, it opens a channel through which someone other than the computer’s owner can interact with the machine. Most often, spyware records which websites you visit; online marketers then use those records to target you with spam and pop-ups.

This is why users find spyware so irritating, and why it is more intrusive than adware. Spyware runs as its own separate executable, which lets it watch the applications you are using; some variants also scan the files on your hard disk and log your keystrokes.

The spyware then sends the information it has collected back to whoever wrote it, often an online advertiser, who uses it for marketing and advertising purposes. In some cases the advertiser sells the data on to companies that are looking for sales leads.

Adware, in contrast, is a more legitimate form of free-to-download software. Like spyware, it carries an advertising component. The difference is consent: adware is installed as part of a program you chose to download, whereas spyware installs itself without any action on your part.

Some adware also downloads further marketing and advertising components while the application it came with is in use. Unfortunately, a large share of adware behaves much like spyware: it tracks information on your computer and reports it back to the developer.

When Windows applications take much longer than usual to load and unwanted pop-up ads keep appearing on the screen, spyware is one of the most likely causes.

Viruses are a different matter. A virus is defined by self-replication: it copies itself into other programs or files and spreads from machine to machine, and many carry a destructive payload that damages the operating system or the user’s data along the way. It is this ability to replicate that lets a single virus damage so many parts of a system.

These days most anti-virus products also scan for and remove adware and spyware, and some products specialise in adware and spyware alone. Both kinds of product search the computer and identify any spyware or virus installed on it.

They then remove it, together with the components it has left in the system registry and elsewhere on the computer. Because new adware, spyware and viruses appear on the Internet constantly, it is important to keep your spyware or virus scanner updated so that it can recognise them.

Don’t be fooled by download pages that claim the software contains no adware or spyware. Learn how to protect yourself against spyware and adware, and make sure your computer is protected by a good-quality antivirus and anti-spyware/adware product.

Choosing an anti-adware and anti-spyware program should therefore be a well-researched decision. Take the time to learn about the product, and be alert for scam programs that pose as security software.


2008/08/07

Rustock and All That

The elusive rootkit

In December 2006, rumors began to circulate among rootkit researchers (both blackhat and whitehat) that someone had created and released an ‘absolutely undetectable’ rootkit, Rustock.C, which could not be detected on computers where it was active by any of the existing antivirus or anti-rootkit solutions.

A long search for the ‘mythical rootkit’ yielded no result. As a consequence, any information about Rustock.C was treated as a joke in circles close to rootkit researchers. This continued until May 2008.

‘Doctor’s’ diagnosis

In early May, the Russian company Dr.Web announced to the antivirus community that its experts had detected a new rootkit called Ntldrbot, aka Rustock.C. This piece of news was about as unpleasant as it was sensational.

According to Dr.Web, the rootkit had eluded all antivirus vendors since October 2007. It was suggested that Rustock.C was used to create one of today’s most extensive zombie networks for sending spam. Dr.Web also referred to a study conducted by Secure Works, according to which the botnet created using Rustock was the third-largest zombie network, capable of sending up to 30 billion spam messages every day. However, it is unlikely that the Secure Works estimate had anything to do with the newly-detected rootkit, since it was virtually unknown until May 2008. In all probability, Secure Works experts meant the botnet created using the earlier variants of Rustock – A and B (Trojan-Clicker.Win32.Costrat and SpamTool.Win32.Mailbot, according to Kaspersky Lab’s classification).

Judging by the information published by Dr.Web, the company’s experts obtained a sample of the real Rustock.C in late March 2008 and it took them over a month to analyze the rootkit’s code and create and release tools enabling its detection and treatment. Other antivirus companies were only notified of the finding after this.

The description of the rootkit prepared by Dr.Web left too many questions unanswered. First and foremost, it was completely unclear how and when the rootkit had spread and why nobody had detected it since October 2007.

The sample of the rootkit’s body distributed by Dr.Web was a 244,448-byte Windows driver.

Unfortunately, the so-called dropper, i.e., the file designed to install the rootkit on the system, was missing. If it had been provided, this file could have significantly simplified the work carried out by other antivirus laboratories to analyze the rootkit and develop procedures to detect and treat Rustock.C. It might also have helped to clarify how the rootkit had originally spread.

There was also no reliable information about the existence of the rootkit ‘in the wild’. There remained the possibility that Rustock.C was nothing more than a ‘collector’s item’ and was not widespread, which would explain the length of time that it had taken to find it.

Laboratory analysis

Kaspersky Lab began performing in-depth analysis of the rootkit’s code on May 12. The task faced by our experts was truly difficult, since the rootkit’s entire code was encrypted using an unknown method and could not be analyzed using the usual compressed-code analysis and emulation techniques. Further complicating the problem was the fact that each rootkit file had some kind of hardware binding to the infected computer and could not be executed and analyzed on other computers or virtual machines.

However, it only took our experts two days to overcome these difficulties, crack the key and decrypt most of the rootkit’s body. On the evening of May 14, we were able to view portions of the real code of Rustock.C.

When was the rootkit created?

In total, we had six hundred files of differing sizes that had been caught in our honeypots at different times. All the files had been collected during the period from September 10, 2007 to May 14, 2008. Leaping ahead of the story, I can say that we never found any samples of Rustock.C created before September 2007. It is possible that some variants developed for testing purposes and other early attempts by the author appeared before this time. However, what Dr.Web calls Ntldrbot definitely dates from September 2007.

So, what about the rumors of Rustock.C that were circulating widely as far back as the end of 2006? We believe that Rustock.C did not exist at that time. It was created after a promotion of sorts in rootkit researcher circles – possibly, in response to the hysteria that accompanied the search for it. Indirectly, this conclusion is supported by the fact that the malicious program’s name included in the rootkit’s code is ‘Rustock.C’. This is different from the names given by the author to the Rustock.A and B variants (‘spambot’ plus version number). The name Rustock was given by Symantec to the first variants of the rootkit dated 2005 and 2006. This was the name used by rootkit researchers, and the ‘elusive’ rootkit was named Rustock.C by analogy with the known variants, Rustock.A and .B. Therefore, the author may have given this name to the new rootkit to confirm the rumors that it in fact existed.

In any case, the first ‘operational’ samples of Rustock.C appeared in September 2007 and its development obviously started several months before that.

Modifications

The analysis of the 599 available files revealed many interesting details that had previously been unknown.

We identified four modifications of Rustock.C.

Variant C1 is dated September 10, 2007. The rootkit’s ‘pure body’ is 244,440 to 244,512 bytes in size and includes a driver and a DLL. This was the modification studied by Dr.Web experts and presented to other antivirus vendors.

Variant C2 is dated September 26. It is between 158,432 and 158,464 bytes.

Variants C3 and C4 were created on October 9 and 10, 2007. Their size varies from 158,400 to 158,496 bytes.

Although modification C1 is about 85 KB larger than the ones that followed, there are no essential differences between it and the other modifications. The author only optimized the obfuscation algorithm for the rootkit’s body. The DLL code (spambot) differs slightly from variant to variant.

The spambot

It took us five days to analyze the rootkit: it was fully unpacked and executed on virtual machines (in spite of the fact that we did not have a ‘dropper’). This gave us access to the code of the DLL (the spambot), the maintenance and protection of which is the main purpose of Rustock.C.

In the process of its operation, the rootkit extracts the DLL from its body and executes it in the system memory, injecting it into the winlogon.exe process. The DLL only exists in RAM and is never present on the hard drive in the form of a file. Its purpose is to send spam from an infected computer. To perform this task, it connects to a server at 208.66.194.215 and receives message templates from it. The IP address belongs to the US hosting provider MCCOLO, whose resources have long been used for distributing malicious programs and hosting cybercriminal sites.

Detection and treatment

Despite the various methods used by the author to protect the body of Rustock.C (including the protector, encryptor and encryption key), adding the rootkit to Kaspersky Lab antivirus databases was not a problem. It appears that whoever created the rootkit was so confident of its effectiveness that they did not attach much importance to thwarting antivirus protection. The author’s objective was to make analyzing the code as difficult as possible (both for antivirus vendors and for other virus writers) and to increase the time this would take, which is exactly what all the encryption technologies employed in the rootkit were designed to do.

Treating system files infected by the rootkit is somewhat more problematic. The rootkit works by infecting only Windows drivers developed by Microsoft that launch at system start. This is how the rootkit was able to take over the system and conceal its presence at the same time. The original driver that was infected was stored in the last section of the rootkit’s body and was also encrypted.

The algorithm used by the rootkit to encrypt the body of the driver it infected turned out to be fairly simple and was not bound to the infected computer’s hardware in any way. This enabled us to fully implement detection and disinfection.

The rootkit was classified as Virus.Win32.Rustock.a, since Rustock is in fact a fully functional file virus that operates in kernel mode.

Kaspersky Lab released procedures for the detection and treatment of infected files on May 20, 2008 (8 days after research on the rootkit began).

Detection of the rootkit when it is active on an infected system and treatment of infected files is fully implemented in the new version of Kaspersky Lab’s antivirus products – Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009. Users of other versions can scan their computers for Rustock using the Rescue Disk for any version of Kaspersky Lab’s antivirus products. They can also detect and disinfect suspicious files provided that the infection is not active on the computer.

Questions and answers

At this point it would seem that the problem has been solved: the rootkit has been defeated and its victims have received a reliable solution for detecting and removing the threat. However, the main questions remain unanswered: how does Rustock spread and does it really exist ‘in the wild’? It was a matter of honor for us to dot all the i’s by finding answers to these questions.

Distribution of Rustock

For several days, all available samples of the rootkit were carefully analyzed to identify their ‘hardware settings’. This could give us at least some idea of the scale on which Rustock had spread. All the data was matched against the dates on which each sample was detected.

We found that 590 out of 599 samples were caught by our honeypots from September 10 to November 23, 2007. And only nine were caught during the period from November 23, 2007 to the middle of May 2008.

These statistics were used to narrow down the search and match files to the four modifications of the rootkit known to us.

This analysis produced the following results:

Modification   Detection date(s)     Outbreak period(s)                                       Number of files
C1             September 10, 2007    September 10-13, 2007                                    321
C2             September 26, 2007    September 27 - October 9, 2007; November 12-22, 2007     199
C3             October 9-10, 2007    October 9-17, 2007; November 12-22, 2007                 31
C4             October 9-10, 2007    October 9-17, 2007; November 12-22, 2007                 48

No Rustock appearances were identified between October 17 and November 12, 2007. However, a new surge in its activity was recorded from November 12 to 22 – mostly the C2 modification (dated September 26) with smaller numbers of the C3 and C4 modifications.

November 23, 2007 marked the beginning of a period of several months when Rustock was inactive (or disappeared for good?).

The data collected was very useful, but it remained unclear on what scale Rustock had spread and what methods were used to distribute it. In spite of all the efforts, the rootkit’s ‘dropper’ remained unidentified.

But eventually our luck changed. We found over 500 additional files of the rootkit and they supplied all the missing links in the chain.

The botnet

Our conclusion that active distribution of Rustock had begun on September 10, 2007 was confirmed. Now we know in detail how and from which servers it was downloaded and installed on computers. We also had the answers to such questions as: “Where is the dropper?” and “Were users of antivirus products really unprotected against the elusive rootkit that spread for at least three months?”

Unfortunately, the method and channels used to distribute Rustock will cause concern among many IT security experts. The following names will be familiar to every antivirus expert:

CoolWebSearch / IFrameBiz / Trafficadvance / LoadAdv.

Yes, we are once again facing one of the best-known cybercriminal groups on the Internet and the names above are associated with its websites and malicious programs. The gang has existed since early 2004, or longer, and is still active. The best-known and most widespread of the group’s creations were such Trojans as Harnig, Tibs, Femad, LoadAdv and various modifications of Trojan-Downloader.Agent and Small, as well as the Inject Trojan.

The group has always been in the vanguard of virus innovation: they were the first to use Trojan downloaders in chm files on a large scale; it was on their servers that the first variants of exploits for ANI and ICO file processing vulnerabilities were found. They were the ones to use Trojans written in Java (Trojan-Downloader.Java.ClassLoader) and to start the fashion for script downloaders.

The ‘hallmarks’ of the IFrameBiz group have tended to be domains in the .biz zone and filenames in the loadadv*.exe format.

The group can be traced back to Russia, where most of its members undoubtedly live. In the early stages of its existence the group extensively used hosting resources in St. Petersburg. It is also known to have collaborated with the infamous RBN network (Russia Business Network), which many experts also associate with the city.

In the four years of its existence, the group has created one of today’s most powerful systems of malicious program distribution. Its botnet, which includes millions of computers infected with various Trojan downloaders (primarily Tibs and Femad), can install any new malicious program on infected computers within a very short period of time. This is currently the most viable alternative to sending malicious code by email, a method that the antivirus industry has long since learnt to handle.

The IFrameBiz botnet is actively used to distribute new malicious programs. Customers pay for a time period during which their Trojans will be distributed via the botnet. Then the Trojans are downloaded to victim computers. It is common for the same downloader (e.g., Tibs) to install several Trojans from different customers. The service is in demand, and customers think nothing of their requests being fulfilled at the same time as several other client orders.

The services offered by IFrameBiz have been and are used by the developers of numerous adware programs, as well as those who wish to create their own botnets, spammers, DDoS attack perpetrators, etc. To draw a parallel with RBN, it can be said that the latter constitutes the hardware and technical part of the virus writers’ business, while IFrameBiz is the software part, as well as the starting point for a great many malicious programs.

It was namely IFrameBiz that the authors of Rustock approached in summer 2007 with an order to distribute their rootkit. A completely new module was created to distribute the rootkit via IFrameBiz channels. This may have been because IFrameBiz Trojans were unable to activate Rustock on user systems unnoticed, or perhaps the rootkit authors wanted to keep the code of the rootkit a secret to prevent the contractor from stealing the idea or technology.

Reconstructing the events

The following example describes what happened in late September 2007 on an infected computer that was part of an IFrameBiz botnet.

A downloader (probably Tibs) installed on the system connects to one of the botnet’s servers in the .hk zone (i.e., Hong Kong – the group began using domains in this zone in 2007) and attempts to download the file loadadv351.exe.

The file is an improved module for the same botnet – Trojan.Win32.Inject.mt according to the classification used by Kaspersky Lab. The name reflects what the malicious program does: it injects its code into the Explorer.exe process. This enables it to bypass a variety of firewalls and freely download files to the system.

The Trojan reports a successful installation to the IFrameBiz servers and receives orders from them telling it which files should be downloaded and from where. These reports also work as a statistics system of sorts for the botnet, enabling its owners to keep count of successful malicious program downloads and provide reports to customers.

The Trojan downloads several files from different servers – either from customer servers or from customer resources on IFrameBiz servers. In this case, files are loaded from customer resources rented from IFrameBiz (http:// *.biz/progs/*). At the same time, information about the infected computer, including the operating system, hard drive, etc., is collected and sent. This information is needed to determine the botnet’s status, geographic distribution, etc.

As a result, several new files appear on the system. We are interested in two of them: let’s call them ‘1.exe’ and ‘2.exe’. For now, we will concentrate on 1.exe (we will look at 2.exe later).

This file is yet another downloader, although a rather extraordinary one. Its first sample was detected by Kaspersky Lab on September 10, 2007, on the day the first Rustock variants appeared. In view of the facts described above, this is hardly a strange coincidence. From that same day, Kaspersky Lab products detected this downloader as Trojan-Downloader.Win32.Agent.ddl.

The malicious program includes a driver that loads into the operating system’s kernel (in other words, we are dealing with a rootkit here). The driver’s code is encrypted using a sophisticated encryption algorithm, which very much resembles the algorithm used to encrypt Rustock.

After removing all the layers of protection from the driver, we get to the interesting part: this downloader program for Rustock is no less ‘mythical’ than the rootkit itself.

The missing link

While rumors about the rootkit had circulated since December 2006, the first and only time the downloader’s actual existence was mentioned was in late October 2007, almost two months after it was detected and added to our antivirus databases. It is hardly surprising that, since Rustock.C itself eluded antivirus researchers, no one gave its downloader a second thought.

However, even after Rustock.C was detected and the search for its ‘dropper’ should have begun, some antivirus companies thought it was sufficient to simply detect the rootkit. They did not bother spending time determining how the rootkit found its way on to users’ computers and whether users were actually unprotected against the elusive rootkit.

Our research yielded answers to both these questions. As of September 10, 2007, i.e., the first day Rustock.C was distributed via the IFrameBiz botnet, Kaspersky Anti-Virus detected its ‘dropper’ – Trojan-Downloader.Win32.Agent.ddl. Later, a number of antivirus vendors added the Trojan’s signature to their antivirus databases.

For several months, users’ computers could only be protected from being infected by the elusive rootkit by timely detection of its downloader.

Unfortunately, even today (in early June 2008) some antivirus products still do not detect Agent.ddl.

The downloader

As we mentioned before, the Trojan consists of two components: the body and the driver. The driver collects the following information about the system: manufacturer identifiers and device model for the motherboard, and the installation date and exact version of the operating system. This information is then encrypted and sent to the server of Rustock’s author (or customers): 208.66.194.215.

Buffer contents sent to the server in encrypted (TEA) form: TSC, Bridge0, Bridge1, InstallDate, Version, ProductID.

The server to which the data is sent (208.66.194.215) is the same as that used for the rootkit’s DLL (spambot): it is the source of the spam messages that Rustock sends. However, the method used by the downloader driver to interact with the server is different from the method used by the spambot.

The Agent.ddl driver works with the TCP/IP virtual device directly, from Ring 0, making it impossible to detect outgoing traffic using some sniffers and/or firewalls on computers with active infections. Agent.ddl establishes a connection on port 443, attempting to disguise its data as HTTPS packets. As a result, even when researchers intercept traffic at the gateway, they may not realize that they are not actually dealing with HTTPS data but with encrypted data collected on an infected computer.

Below is an example of a packet from an infected machine that was disguised as HTTPS data:

Every time the driver is launched, the encryption key changes. Detection is made more difficult because the external observer does not know the encryption algorithm and key.
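The disguise described above is exactly what a network detection should key on: the driver talks to TCP/IP from ring 0, so host-level sniffers and firewalls may see nothing, but at the gateway the traffic is still visible, and it is not TLS. The following is an added example, not code from the Kaspersky article: a small Python check that flags sessions to port 443 whose first client bytes do not form a TLS ClientHello, and separately matches the 208.66.194.215 address the article names. The sample sessions and the 93.184.216.34 address are constructed for the example.

```python
"""Flag TCP sessions to port 443 whose first client bytes are not a TLS ClientHello.

Added example, not code from the article.  The Agent.ddl driver sends
TEA-encrypted data to 208.66.194.215:443, which is not TLS at all: a genuine
ClientHello begins with a TLS record header (content type 0x16, version
0x03 0x00..0x04) followed by a handshake header whose type byte is 0x01.
"""

# Address named in the article; a real deployment would pull this from threat intel.
C2_HOSTS = {"208.66.194.215"}


def looks_like_client_hello(payload: bytes) -> bool:
    """Structural check on the first client-to-server bytes of a session."""
    if len(payload) < 6:
        return False
    content_type, major, minor, handshake_type = payload[0], payload[1], payload[2], payload[5]
    return content_type == 0x16 and major == 0x03 and minor <= 0x04 and handshake_type == 0x01


def classify_session(src: str, dst: str, dport: int, first_bytes: bytes) -> list:
    """Return the reasons to alert on this session; an empty list means clean."""
    reasons = []
    if dst in C2_HOSTS:
        reasons.append("destination is a known Rustock C2 address")
    if dport == 443 and not looks_like_client_hello(first_bytes):
        reasons.append("port 443 but first bytes are not a TLS ClientHello")
    return reasons


# Constructed sample sessions: (src, dst, dport, first client bytes).
SAMPLE_SESSIONS = [
    # genuine TLS 1.0 ClientHello: record header 16 03 01 00 5c, handshake type 01
    ("10.0.0.5", "93.184.216.34", 443, bytes.fromhex("160301005c01000058")),
    # Rustock-style: opaque bytes straight to the C2 on 443
    ("10.0.0.7", "208.66.194.215", 443, bytes.fromhex("9af3c2e17b0d4410")),
    # plain HTTP on 80 is outside the TLS rule
    ("10.0.0.9", "93.184.216.34", 80, b"GET / HTTP/1.1\r\n"),
    # a well-formed ClientHello to the C2 still trips the intel rule
    ("10.0.0.11", "208.66.194.215", 443, bytes.fromhex("160301005c01000058")),
]


def scan(sessions=SAMPLE_SESSIONS) -> dict:
    """Map (src, dst, dport) -> reasons for every session that alerts."""
    alerts = {}
    for src, dst, dport, first in sessions:
        reasons = classify_session(src, dst, dport, first)
        if reasons:
            alerts[(src, dst, dport)] = reasons
    return alerts


if __name__ == "__main__":
    for key, reasons in scan().items():
        print(key, "->", "; ".join(reasons))
```

The ClientHello check is deliberately coarse (any 0x03 0x00 to 0x03 0x04 record version passes, so TLS 1.3 handshakes are accepted) and is meant for triage; a production sensor would hand the session to a real TLS parser such as Zeek’s ssl analyzer. Note that the per-launch key change the article describes does not help the malware here: the check never looks at the encrypted content, only at the absence of a handshake.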

It should be noted that the authors of the Trojan downloader tried to make the life of anyone attempting to study the driver’s code as difficult as possible.

The IP address of the central server and the number of the port on which the driver establishes connections are coded in the program’s body in such a way as to hide their explicit function:

push 00000BB01 ; port: 0xBB01 is 443 (0x01BB) stored in network byte order
push 0E00C04E1
sub d,[esp],00849C211 ; 0xE00C04E1 - 0x0849C211 = 0xD7C242D0; read little-endian from memory, that is the IP address 208.66.194.215

The authors have done much to obfuscate their code, as well. For example, the simple operation

mov [eax], ecx

after obfuscation becomes:

push ebx ; save ebx
mov ebx, 0x03451b8c ; ebx = K
sub ebx,eax ; ebx = K - eax
sub ebx, 0x03451b8c ; ebx = -eax
neg ebx ; ebx = eax
mov [ebx], ecx ; the original store
pop ebx ; restore ebx

One instruction has been replaced by seven. So, you can imagine what the rest of the driver is like!
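Both tricks above fold away with a few lines of tooling, which is how an analyst avoids reading every such sequence by hand. The following is an added example (the instruction sequences are the article’s, the Python is not): a helper that evaluates the push/sub pair into the real address and port, and a toy emulator for the five instructions used in the obfuscated store (push, pop, mov, sub, neg) that runs the seven-instruction sequence and confirms it behaves as mov [eax], ecx.

```python
"""Deobfuscation helpers for the two tricks shown above.

Added example: the instruction sequences are the article's, the Python tooling
is not.  fold_push_sub() evaluates the 'push IMM; sub [esp], IMM' pair to the
constant that really ends up on the stack, and run() is a toy emulator for the
handful of instructions used in the mov-obfuscation sequence.
"""
import ipaddress
import struct

MASK = 0xFFFFFFFF


def imm(tok: str) -> int:
    """Parse an immediate in either '0x1234' or MASM-style '01234h' form."""
    return int(tok.strip().lower().rstrip("h"), 16) & MASK


def fold_push_sub(push_line: str, sub_line: str) -> int:
    """'push A' followed by 'sub [esp], B' leaves (A - B) mod 2**32 on the stack."""
    pushed = imm(push_line.split()[1])
    subtracted = imm(sub_line.rsplit(",", 1)[1].split(";")[0])
    return (pushed - subtracted) & MASK


def decode_ip(dword: int) -> str:
    """A 32-bit value stored little-endian is read as a network-order IPv4 address."""
    return str(ipaddress.IPv4Address(struct.pack("<I", dword)))


def decode_port(word: int) -> int:
    """Same idea for a 16-bit port written into a sockaddr: htons() undone."""
    return int.from_bytes(struct.pack("<H", word), "big")


def run(lines, regs):
    """Execute push/pop/mov/sub/neg over a register dict; return (regs, memory)."""
    regs, stack, mem = dict(regs), [], {}

    def value(tok):
        return regs[tok] if tok in regs else imm(tok)

    for line in lines:
        op, _, rest = line.split(";")[0].strip().partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if op == "push":
            stack.append(regs[args[0]])
        elif op == "pop":
            regs[args[0]] = stack.pop()
        elif op == "mov":
            dst, src = args
            if dst.startswith("["):          # store through a register
                mem[regs[dst[1:-1]]] = value(src)
            else:
                regs[dst] = value(src)
        elif op == "sub":
            dst, src = args
            regs[dst] = (regs[dst] - value(src)) & MASK
        elif op == "neg":
            regs[args[0]] = (-regs[args[0]]) & MASK
        else:
            raise ValueError("unsupported instruction: " + op)
    return regs, mem


# The article's constant-hiding lines (copied verbatim) and its obfuscated store.
ADDRESS_LINES = ("push 0E00C04E1", "sub d,[esp],00849C211")
PORT_LINE = "push 00000BB01"
OBFUSCATED_STORE = [
    "push ebx",
    "mov ebx, 0x03451b8c",
    "sub ebx,eax",
    "sub ebx, 0x03451b8c",
    "neg ebx",
    "mov [ebx], ecx",
    "pop ebx",
]


def recover_endpoint():
    """Return (ip, port) hidden behind the push/sub arithmetic."""
    return decode_ip(fold_push_sub(*ADDRESS_LINES)), decode_port(imm(PORT_LINE.split()[1]))


def store_is_mov_eax_ecx(eax=0x1000, ecx=0x2A, ebx=0xDEADBEEF) -> bool:
    """True if the obfuscated sequence stores ecx at [eax] and leaves ebx intact."""
    regs, mem = run(OBFUSCATED_STORE, {"eax": eax, "ebx": ebx, "ecx": ecx})
    return mem == {eax: ecx} and regs["ebx"] == ebx


if __name__ == "__main__":
    print(recover_endpoint())        # ('208.66.194.215', 443)
    print(store_is_mov_eax_ecx())    # True
```

The emulator is the useful half: running a candidate sequence over a few register values and comparing the resulting register and memory state against the suspected plain instruction is a quick way to confirm an identity like K - eax - K = -eax without working the algebra for every variant the obfuscator emits.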

Let’s now return to network communication. The malicious code sent a packet with information about the infected computer to the server. In response to the data received, the server presumably sent a file that was specially encrypted for the specific machine, with a key matching the hardware on the computer from which the packet was received.

This is how the authors solve the problem of outside analysts detecting, studying and launching the dropper, which would eliminate the need for them to find the encryption key in order to study the rootkit’s code.

The rootkit file that has been generated, its ‘pure body’, is downloaded to the victim computer, where Agent.ddl activates it. Rustock.C infects its first system driver, adding one more computer to the new spam botnet.
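The two pieces described above, the TEA-encrypted fingerprint buffer (TSC, Bridge0, Bridge1, InstallDate, Version, ProductID) that the downloader sends and the per-machine encryption of the returned rootkit body, fit together as one mechanism: a payload keyed to the fingerprint of the machine that asked for it. The following is an added example that models that mechanism; it is not the rootkit’s code and not Kaspersky’s. TEA is the algorithm the article names, but the fingerprint layout, the key-derivation step (SHA-256 of the fingerprint), ECB mode and the constructed fingerprints and payload are this example’s assumptions.

```python
"""Model of Rustock.C's hardware-bound payload.

Added example, not the rootkit's or Kaspersky's code.  The dropper's driver
sends a TEA-encrypted fingerprint (TSC, Bridge0, Bridge1, InstallDate, Version,
ProductID) and the server answers with a payload encrypted for that machine,
so the file will not decrypt on an analyst's box or VM.  TEA is the algorithm
the article names; the fingerprint layout, the key derivation (SHA-256 of the
fingerprint) and ECB mode are assumptions made here to keep the model small.
"""
import hashlib
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, k):
    """One 64-bit TEA block, 32 rounds, key k as four 32-bit words."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: rounds undone in reverse order."""
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_ecb(data: bytes, key: bytes, encrypt: bool) -> bytes:
    """ECB over 8-byte blocks: enough to show binding, not a mode to copy."""
    assert len(key) == 16 and len(data) % 8 == 0
    k = struct.unpack("<4I", key)
    step = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *step(v0, v1, k))
    return bytes(out)


def fingerprint(tsc, bridge0, bridge1, install_date, version, product_id: bytes) -> bytes:
    """Assumed layout for the fields the article lists in the dropper's buffer."""
    return struct.pack("<Q4I", tsc, bridge0, bridge1, install_date, version) + product_id.ljust(24, b"\0")


def bind_key(fp: bytes) -> bytes:
    """Assumed server-side step: derive the TEA key from the fingerprint."""
    return hashlib.sha256(fp).digest()[:16]


def seal(payload: bytes, fp: bytes) -> bytes:
    """Server side: length-prefix, pad to 8 bytes, encrypt under the bound key."""
    body = struct.pack("<I", len(payload)) + payload
    body += b"\0" * (-len(body) % 8)
    return tea_ecb(body, bind_key(fp), encrypt=True)


def unseal(blob: bytes, fp: bytes):
    """Client side: decrypt with this machine's key; None if the length field is junk."""
    body = tea_ecb(blob, bind_key(fp), encrypt=False)
    n = struct.unpack("<I", body[:4])[0]
    return body[4:4 + n] if n <= len(body) - 4 else None


# Constructed fingerprints: the infected host and an analyst's VM with other hardware.
VICTIM = fingerprint(0x1A2B3C4D5E6F, 0x80862570, 0x10DE0111, 1189468800, 0x0501, b"55274-640-1011873-23101")
ANALYST_VM = fingerprint(0x1234, 0x80867190, 0x80867191, 1210636800, 0x0501, b"55274-640-1011873-23101")
PAYLOAD = b"MZ" + b"\x90" * 30 + b"stand-in for the rootkit's 'pure body'"


def demo():
    """Return what the victim and the analyst recover from the same blob."""
    blob = seal(PAYLOAD, VICTIM)
    return unseal(blob, VICTIM), unseal(blob, ANALYST_VM)


if __name__ == "__main__":
    good, bad = demo()
    print("victim recovers payload:", good == PAYLOAD)
    print("analyst VM recovers payload:", bad == PAYLOAD)
```

The point of the model is the last two lines: the same blob decrypts on the machine whose fingerprint produced the key and turns into noise anywhere else, which is why a sample pulled off a victim’s disk could not simply be run in a VM and why recovering the key was the first step of the analysis. ECB is used only to keep the model short; it leaks the repeated 0x90 blocks of the constructed payload as repeated ciphertext blocks, so anything beyond illustration would use CBC or CTR with a fresh IV.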

The server used by Rustock.C is currently blocked. All packets sent to it are filtered by network routers. It would seem that law-enforcement agencies are now taking an interest in this IP address, as well.

Conclusion

This reconstruction of events by our experts demonstrates that the rootkit was actively spreading from September to November 2007. The use of the IFrameBiz network could ensure that it became truly widespread. At the same time, the facts described above show that the rootkit’s elusiveness was due only to the high-level encryption of its code and the use of numerous anti-debugging techniques that hindered its analysis by most experts.

Antivirus vendors have had the rootkit since it appeared ‘in the wild’. Most antivirus products, with very few exceptions, have provided detection of its activity during its installation on the system and of the components responsible for its installation and distribution for almost as long. It could be easily blocked from penetrating a system using unsophisticated tools for monitoring file system changes.

Although this has been done to Rustock dozens of times, its code was not analyzed in detail until May 2008.

Rustock.C indeed exists; it is not a myth. But the rootkit’s elusiveness is mythical: it is not due to any extraordinary masking capabilities, but is based on the rumors which appeared in late 2006 and which only played into the hands of the malicious program’s authors.

Any rootkit created with existing detection capabilities in mind will evade the protective measures provided by such systems. Warfare at kernel level comes down to a question of who takes over first – the rootkit or the anti-rootkit solution.

The objective of Rustock’s author was not to create an undetectable rootkit but to make analyzing the rootkit as difficult as possible once it had been detected. This would ensure that there was a certain time lag between the beginning of the rootkit’s distribution and its detection by antivirus solutions.

Only one question remains: why did the author of Rustock stop improving the rootkit and releasing new variants in the middle of October 2007? Could it mean that a new project was commenced and that there is already a ‘Rustock.D’ somewhere?

We do not have an answer to that question, but whatever it may turn out to be, a single malicious program, even one that remained undetected for several months, does not affect the overall conditions characterized by thousands of other malicious programs appearing every day and being successfully neutralized by the antivirus industry.

While the Internet remains home to IFrameBiz and other similar groups that distribute hundreds of new malicious programs every day, hack numerous websites and organize dozens of epidemics, there is no point in celebrating one localized victory.

P.S. We wrote above that Trojan.Win32.Inject.mt installed two files on the system – 1.exe and 2.exe – but we have not discussed the nature of the second file.

This was a variant of Sinowal, a Trojan spy. The same Sinowal that became a headache for antivirus companies two months after the events described in this article and which became known as the ‘bootkit’.

Both Rustock and Sinowal were distributed at the same time and via the same botnet. New variants of Rustock stopped appearing in mid-October 2007. The first samples of the ‘bootkit’ were detected a month later, in November 2007.

Is this also just a coincidence? We may find out some day.

Source:
Kaspersky Lab





What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

* If you receive an email titled [email virus hoax name here], do not open it!
* Delete it immediately!
* It contains the [hoax name] virus.
* It will delete everything on your hard drive and [extreme and improbable danger specified here].
* This virus was announced today by [reputable organization name here].
* Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response online database.



Monthly Malware Statistics for July 2008

Alexander Gostev
Senior Virus Analyst, Kaspersky Lab

The format of the 'Virus Top Twenty' reports from Kaspersky Lab has changed as of July 2008. The previous method used to compile these reports and to assess the current threat landscape was based on data generated by analysing email traffic and the files checked using our Online Scanner. However, this method no longer provides an accurate reflection of the changing nature of malicious threats; email is no longer the main attack vector, and our data shows that malicious programs make up a very small proportion of all mail traffic.

From July 2008 onwards, the Top Twenty will be composed using data generated by Kaspersky Security Network (KSN), a new technology implemented in the 2009 personal product line. This data not only makes it possible for Kaspersky Lab to get timely information about threats and to track their evolution, but also makes it possible for us to detect unknown threats, and roll out that protection to users, as quickly as possible.

The 2009 personal products haven't been officially launched in all countries, e.g. in Russia and the USA. The data presented in this report therefore provides an objective reflection of the threat landscape in the majority of European and Asian countries. However, in the near future, such reports will include data provided by users in other countries of the world.

The data received from KSN in July 2008 has been used to compile the following rankings.

The first is a ranking of the most widespread malicious, advertising, and potentially unwanted programs. The figures given are a percentage of the number of computers on which threats were detected.
Position Name
1 Trojan.Win32.DNSChanger.ech
2 Trojan-Downloader.WMA.Wimad.n
3 Trojan.Win32.Monderb.gen
4 Trojan.Win32.Monder.gen
5 not-a-virus:AdWare.Win32.HotBar.ck
6 Trojan.Win32.Monderc.gen
7 not-a-virus:AdWare.Win32.Shopper.v
8 not-a-virus:AdTool.Win32.MyWebSearch.bm
9 Trojan.Win32.Agent.abt
10 Worm.VBS.Autorun.r
11 Trojan.Win32.Agent.rzw
12 Trojan-Downloader.Win32.CWS.fc
13 not-a-virus:AdWare.Win32.Mostofate.cx
14 Trojan-Downloader.JS.Agent.bi
15 Trojan-Downloader.Win32.Agent.xvu
16 not-a-virus:AdWare.Win32.BHO.ca
17 Trojan.Win32.Agent.sav
18 Trojan-Downloader.Win32.Obitel.a
19 Trojan.Win32.Chifrax.a
20 Trojan.Win32.Agent.tfc

As the rating is only compiled using data received during the course of a single month, it's very hard to make any predictions. However, future reports will include such forecasts.

Nonetheless, it is possible to divide all the malicious and potentially unwanted programs shown above into the fundamental classes used by Kaspersky Lab in its classification: TrojWare, VirWare, AdWare and Other MalWare.

Clearly, most of the time, victim machines are attacked by a wide range of Trojan programs.
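The division into TrojWare, VirWare, AdWare and Other MalWare described above can be reproduced mechanically from the detection names themselves, because Kaspersky-style names follow a fixed grammar. The following is an added example written for this page, not Kaspersky Lab code: it parses names of the form `[not-a-virus:]Behaviour[-Modifier].Platform.Family[.Variant]` (so `Trojan-Downloader.WMA.Wimad.n` has a variant and `Net-Worm.Win32.Nimda` has none) and tallies the first Top Twenty by class. Placing `AdTool` alongside `AdWare`, and the exact set of worm behaviours treated as VirWare, are assumptions for the demo.

```python
"""Parse Kaspersky-style detection names and bucket them into the four
classes the report uses: TrojWare, VirWare, AdWare and Other MalWare.

Added example, not Kaspersky Lab code.  The name grammar assumed here is
    [not-a-virus:]Behaviour[-Modifier].Platform.Family[.Variant]
e.g. Trojan-Downloader.WMA.Wimad.n or Net-Worm.Win32.Nimda (no variant).
Placing AdTool alongside AdWare, and the exact list of worm behaviours, are
assumptions for the demo, not Kaspersky's published rules.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NOT_A_VIRUS = "not-a-virus:"
VIRWARE_BEHAVIOURS = {"Virus", "Worm", "Net-Worm", "Email-Worm", "IM-Worm", "P2P-Worm", "IRC-Worm"}
ADWARE_BEHAVIOURS = {"AdWare", "AdTool"}


@dataclass(frozen=True)
class Detection:
    not_a_virus: bool
    behaviour: str           # "Trojan", "Trojan-Downloader", "Worm", "AdWare", ...
    platform: str            # "Win32", "WMA", "VBS", "JS", ...
    family: str              # "DNSChanger", "Wimad", ...
    variant: Optional[str]   # "ech", "gen", "n"; None when the name has none

    @property
    def klass(self) -> str:
        """The report's four-way classification."""
        if self.behaviour in ADWARE_BEHAVIOURS:
            return "AdWare"
        if self.behaviour == "Trojan" or self.behaviour.startswith("Trojan-"):
            return "TrojWare"
        if self.behaviour in VIRWARE_BEHAVIOURS:
            return "VirWare"
        return "Other MalWare"


def parse_detection(name: str) -> Detection:
    """Split a detection name into its fields; rejects anything outside the 3/4-part grammar."""
    not_a_virus = name.startswith(NOT_A_VIRUS)
    body = name[len(NOT_A_VIRUS):] if not_a_virus else name
    parts = body.split(".")
    if not 3 <= len(parts) <= 4 or not all(parts):
        raise ValueError(f"unexpected detection name: {name!r}")
    behaviour, platform, family = parts[:3]
    variant = parts[3] if len(parts) == 4 else None
    return Detection(not_a_virus, behaviour, platform, family, variant)


def class_breakdown(names) -> Counter:
    """Count detections per class, the way the report groups them."""
    return Counter(parse_detection(n).klass for n in names)


# The first Top Twenty from the report, copied as printed.
JULY_2008_TOP20 = [
    "Trojan.Win32.DNSChanger.ech", "Trojan-Downloader.WMA.Wimad.n",
    "Trojan.Win32.Monderb.gen", "Trojan.Win32.Monder.gen",
    "not-a-virus:AdWare.Win32.HotBar.ck", "Trojan.Win32.Monderc.gen",
    "not-a-virus:AdWare.Win32.Shopper.v", "not-a-virus:AdTool.Win32.MyWebSearch.bm",
    "Trojan.Win32.Agent.abt", "Worm.VBS.Autorun.r",
    "Trojan.Win32.Agent.rzw", "Trojan-Downloader.Win32.CWS.fc",
    "not-a-virus:AdWare.Win32.Mostofate.cx", "Trojan-Downloader.JS.Agent.bi",
    "Trojan-Downloader.Win32.Agent.xvu", "not-a-virus:AdWare.Win32.BHO.ca",
    "Trojan.Win32.Agent.sav", "Trojan-Downloader.Win32.Obitel.a",
    "Trojan.Win32.Chifrax.a", "Trojan.Win32.Agent.tfc",
]

if __name__ == "__main__":
    total = len(JULY_2008_TOP20)
    for cls, n in class_breakdown(JULY_2008_TOP20).most_common():
        print(f"{cls:<14}{n:3d}  {100 * n / total:4.0f}%")
```

Run against the first table this gives 14 TrojWare, 5 AdWare and 1 VirWare entries, which is the Trojan-heavy picture the report describes; feeding it the second table instead shows the balance swing to VirWare, since that ranking counts infected objects rather than infected machines.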

Overall, in July 2008, 20,704 unique malicious, advertising and potentially unwanted programs were detected on users' computers; our data indicates that approximately 20,000 of these were found in the wild. The second Top Twenty gives the most common malicious programs among all infected objects detected.

Position Name
1 Virus.Win32.Virut.q
2 Worm.Win32.Fujack.ap
3 Net-Worm.Win32.Nimda
4 Virus.Win32.Hidrag.a
5 Virus.Win32.Neshta.a
6 Virus.Win32.Parite.b
7 Virus.Win32.Sality.z
8 Virus.Win32.Alman.b
9 Virus.Win32.Virut.n
10 Virus.Win32.Xorer.du
11 Worm.Win32.Fujack.aa
12 Worm.Win32.Otwycal.g
13 Worm.Win32.Fujack.k
14 Virus.Win32.Parite.a
15 Trojan-Downloader.WMA.GetCodec.d
16 Virus.Win32.Sality.l
17 Virus.Win32.Sality.s
18 Worm.Win32.Viking.ce
19 Worm.VBS.Headtail.a
20 Net-Worm.Win32.Allaple.b

The majority of the programs listed above are able to infect files. The figures given are interesting as they indicate the spread of threats which need to be disinfected, rather than simply dealt with by deleting infected objects.
GetCodec.d, a program we discussed recently, also appears in the rankings. We recently issued an announcement (http://www.kaspersky.co.uk/news?id=207575664) about this program, which infects audio files; its presence in the Top Twenty indicates that it is spreading actively.

Details of change in position, and the proportion of all malicious, advertising, and potentially unwanted programs, as shown in previous reports, will be provided from August onwards.
Source:
Kaspersky Lab

Read More......

2008/08/04

Virus Writing Class Fails Reality Test

A recent Newsweek article discusses a Sonoma State University course in virus writing. The magazine story sensationalizes the course's impact, even going so far as to describe the course professor as "the guy who gave away the secrets to the Internet's bomb."

Huh?

The article then goes on to describe the syllabus of the professor, Ledin, as a "partly veiled attack on McAfee, Symantec, and their ilk, whose $100 consumer products he sees as mostly useless". Allegedly, Ledin also believes the antivirus vendors have some "hold over antivirus technology".

Huh? and Huh?

Here's the reality: signature-based antivirus scanners detect known viruses. There's no deeply kept secret about this, it's well known, established fact. So trying to "prove" this through a virus writing course is a bit like a sailing course designed to prove the world isn't flat. Yeah, we know already.

As for signature scanners being 'mostly useless' because they don't reliably stop never-before-seen malware, I suppose we should do away with law enforcement because they can only investigate after a crime has been committed? I'd rather detect the vast majority of threats than none at all. But the real chuckle comes over the alleged "hold over antivirus technology" the vendors supposedly possess. Is that why there are hundreds of signature-based scanners, behavior analyzers, HIPS, VM solutions, and others flooding the market? Is that why there are industry conferences where antivirus researchers routinely and openly publish and discuss the methods they've found successful? Is that why there are so many free antivirus scanners, removal tools and rootkit detectors offered by these vendors?

Perhaps I'm peeved most by the virus writing class because I'm currently funding my own son's college education. Knowing firsthand just how expensive that is, it's hard to fathom his being tricked into taking a class which not only offers no scientific value, but is also so grounded in baseless justifications.

Signature-based antivirus isn't perfect. It's not a panacea for all the security woes that befall us. But it is a critical component of any defense arsenal and one that deserves a bit more respect. Indeed, for the vast majority of users who don't have a degree in computer science, it's the most accessible and affordable protection they can get.

Read More......

PART II : What schools are doing to beat viruses

Technically, Blaster is a worm, a program that begins with a single machine and infects other machines, leaving a copy of the worm behind, so the infected machine hunts for others to attack.

At Hopkins High School in Minnetonka, Minn. (the school attended by Blaster-variant author Jeffrey Parson), the Blaster worm was more of an annoyance than a major threat to the school's network, according to Peter Markham, head of the technology department. Hopkins' two-man information technology staff watched Blaster in real time using Symantec, the school's antivirus software, and was immediately able to locate and work on the 12 computers it infected.

Hopkins has avoided serious virus problems because many of their computers are Macintoshes. Most viruses, Markham said, don't cause damage to Macs.

"Ninety-nine percent (of viruses) were written against Windows operating systems, because they're the most popular. Not many write (viruses) for Macs, which works for me," Markham said.

Most of the viruses reach Hopkins as e-mail attachments. The school's antivirus software now blocks any attachment ending in ".exe", ".vbs" or ".scr", common extensions for infected files.

Karen House, Webmaster for Regina Dominican High School, a small private all-girls school outside Chicago, said most of their viruses are transferred from disks.

House worries most about students receiving e-mails from hackers that direct them to delete antivirus software. One particular message cons the recipient into believing they are deleting a corrupted file, when they are really destroying their virus protection. Regina relies on antivirus software and has suffered some problems, but nothing major, said House.

Cesar Valle, the lone technology coordinator at Eastern High School in Washington, D.C., downloads updates every night between 11 p.m. and midnight from the Norton antivirus system that all D.C. public schools use. Valle said that is the prime time for teenagers hacking away at home to send out viruses.

"We were not touched by the Blaster worm," said Valle. "But every other school in D.C. was affected."

Read More......

PART I: How Schools Are Fighting a New Type of Virus

They may bear seductive names, like Shakira, Britney Spears or Jennifer Lopez, but with the capacity to spread to thousands of computers within minutes and cause billions of dollars in damage to North American businesses, viruses are being recognized as acts of criminals and not just pet projects of lonely computer geeks.

Fred Cohen demonstrated one of the first computer viruses 20 years ago. As a Ph.D. student at the University of Southern California, Cohen designed a program that could "infect other programs by modifying them to include a … version of itself."

Today, viruses spread through shared documents and e-mails, and exploit flaws in software. Writers of a recent virus, Mimail, targeted Web sites that filter for viruses and unsolicited e-mails, or "spam," while gathering e-mail addresses.

In an attempt to find and punish virus authors, Microsoft has created a $5 million antivirus reward program. The bounty includes $250,000 for evidence leading to the capture and conviction of the original author of the MSBlast.A worm or SoBig virus.


In August, Jeffrey Parson, known online as "teekid," was charged in federal court in Seattle for spreading a variant of the Blaster worm. The 18-year-old senior from Hopkins High School could get up to 10 years in prison and $250,000 in fines for infecting 7,000 computers and causing millions of dollars in damage to Microsoft alone.

Read More......

Traditional antivirus programs useless against new unidentified viruses!

Every now and then you read about a new virus and the damage it causes, and about the millions it costs companies each time it strikes. Companies are not the only ones who suffer, though. A virus can be just as damaging, if not more so, for a private Internet user, destroying important documents, family pictures and everything else kept on the computer. No home computer should therefore be without good antivirus software; it protects you against data loss, corrupted hard drives and a number of other problems. Several antivirus programs are available, some free and some not. Bear in mind that you may get what you pay for: the support and the updates for paid alternatives may be better, and thereby protect your computer better.

When choosing an antivirus program, look for one that is fast, reliable and able to detect as many viruses as possible. Speed may seem unimportant if you don't use your computer much, but a program that scans your computer quickly will be used more often, and therefore protects you better. To be effective, an antivirus program needs to recognize as many viruses as possible, and since new viruses are created constantly, its signature database has to be updated constantly too. Consider how often the different programs update their databases when choosing one, and always keep the program you install up to date.

One of the best anti virus programs on the market today is Panda Active Scan Anti Virus Software Online, which has an unrivalled capacity for detecting viruses and other threats online, the most common path by which viruses reach our computers; almost all viruses today spread through the Internet.

Panda Titanium Active Scan Anti Virus 2005 is easy to install, and once installed it finds and removes viruses automatically. It can also update itself automatically if you let it. In other words, it is an antivirus program that manages itself, makes sure it is up to date and keeps your computer safe from viruses. It scans your entire computer, including the program itself, to make sure a virus cannot infect any part of the system. It does not just search for viruses; it also searches your computer for other security risks such as spyware and Trojans.

Panda Anti Virus contains TruPrevent Technologies, a system designed to protect your computer against unknown viruses and intruders; the user can choose whether or not to enable it. It was added because a new virus can spread worldwide within a few hours, and it lets Panda Anti Virus detect and block viruses even when they are not yet in the virus database. This lets Panda Titanium Active Scan Anti Virus 2005 defend against new viruses as well as identified ones, since you may encounter a new virus even though Panda updates its database at least once a day. Older antivirus programs, and most modern ones as well, can only protect you against already identified viruses. The ability to protect against unknown viruses is what makes Panda Anti Virus a superior choice.

Panda Titanium Active Scan Anti Virus 2005 does not only offer superior security and very user-friendly functionality; it also comes with tech support, where experts answer any questions that arise.

All personal computers should have virus protection, since otherwise you risk losing important documents, family pictures and so on, and if you are looking for user friendliness and superior security, Panda Anti Virus is your best choice.

You can get Panda antivirus at Supportcave.com, which offers new and enhanced free virus scan software. Not only will these programs check and clean your computer of viruses; once installed they will also shield your computer from future virus intrusions, before the malicious software even has a chance to enter your PC.

Read More......

Computer Virus accounts for about 7% of total data loss


Computer Viruses : Cause of Data Loss

Another threat to your important information is the computer virus: a self-replicating program that spreads by infecting other files and documents.

Since worms and viruses have increased in number in recent years, they now account for about 7% of total data loss.

The three main types of viruses, which are responsible for maximum amount of data loss, are:

• Boot Sector Viruses / Boot block Virus / Boot Virus:

A boot sector virus infects the first sector, or first few sectors, of a hard disk or floppy disk, so that the virus is activated when the system boots from that disk.

What does a boot sector virus do?

A boot sector virus infects a system by writing its own code to the master boot record or partition table of a hard disk, or to the boot sector of a floppy disk, usually storing the original sector elsewhere on the disk. When the system boots from the infected disk, the virus code runs before the operating system and installs itself in memory. From memory it can then infect every disk the system reads. For many years these were the most common viruses of all. Examples are Stoned, Michelangelo, Disk Killer, Form, Junkie and Ohio.

Symptoms

A boot sector virus may cause several problems with booting or with data retrieval. In some cases data disappears from entire partitions, or the computer suddenly becomes unstable. Failure to start up, or failure to find the hard drive, are common problems when such a virus attacks a system.

You may receive an error message on startup saying, "Bad or missing command interpreter. Enter name of command interpreter."

How does it spread?

Boot sector viruses spread from an infected floppy disk to a computer when the system boots, or attempts to boot, from it. Any disk, even a non-bootable one, can transmit the virus into memory if it is left in the drive while the system starts up. A pure boot sector virus does not travel in downloaded files or e-mail attachments, since it lives in the disk's boot sector rather than in a file; only multipartite viruses, which also infect program files, can arrive that way.

Precautions

In order to keep your system and data safe from virus attack, the following tips can prove to be of some help.

• Install virus detection software on your computer. Anti-virus programs scan disks for viruses and remove any they find, and most also check files as they are opened or copied.
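Because a boot sector virus of the kind described above replaces the bootstrap code in sector 0 while leaving the partition table in place, the simplest forensic check is to keep a copy of the first sector taken when the machine was known clean and compare the code area against it. The following is an added example written for this page, not code from the original article: it parses a classic 512-byte MBR (446 bytes of code, four 16-byte partition entries, the 0x55AA signature), hashes the code area, decodes the partition entries, and reports what changed. The "clean" and "infected" sectors are constructed for the demo; the infected code is an arbitrary stand-in, not real virus code.

```python
"""Baseline-and-compare check of a 512-byte x86 master boot record (MBR).

Added example, not from the original article.  The boot-sector viruses it
names (Stoned, Michelangelo, Form, ...) overwrite the bootstrap code in the
first sector and leave the partition table alone, so hashing the code area
against a known-good copy catches them, while a changed partition table
points at something else (repartitioning, or a destructive payload).
Assumed layout: 446 bytes of code, four 16-byte partition entries, 0x55AA
signature.  The sample sectors are constructed for the demo.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 446           # bootstrap code occupies bytes 0..445
TABLE_END = 510          # four 16-byte partition entries in 446..509
SIGNATURE = b"\x55\xaa"  # boot signature in the last two bytes
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return the SHA-256 of the code area and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[TABLE_END:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, CODE_END + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["code_sha256"] != after["code_sha256"]:
        findings.append("bootstrap code changed: boot-sector virus or a bootloader update")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed: repartitioning or a destructive payload")
    return findings


def build_mbr(code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba_start, sectors) tuples."""
    code = code.ljust(CODE_END, b"\x00")[:CODE_END]
    table = b"".join(struct.pack(ENTRY_FMT, *entry) for entry in partitions)
    return code + table.ljust(TABLE_END - CODE_END, b"\x00") + SIGNATURE


# Constructed sample data.  The clean prologue is the usual "cli / xor ax,ax /
# mov ss,ax / mov sp,7C00h" opening padded with NOPs; the "infected" bytes are
# an arbitrary stand-in for a virus stub, not real virus code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
INFECTED_CODE = b"\xea\x00\x7c\xc0\x07" + b"\xcc" * 40
PARTS = [(0x80, 0x07, 2048, 204800)]  # one bootable NTFS-type partition

CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
INFECTED_MBR = build_mbr(INFECTED_CODE, PARTS)
REPARTITIONED_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, 204800)])

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR),
                          ("repartitioned", REPARTITIONED_MBR)):
        print(label, compare_to_baseline(CLEAN_MBR, sector) or ["no change"])
```

In practice the baseline is the first sector read from the disk (for example with `dd if=/dev/sda bs=512 count=1` on Linux) while the machine is known to be clean and stored off the machine; a legitimate bootloader update will also change the code hash, so the check flags a change to investigate rather than proving infection.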

• File infecting viruses / Program viruses:

This type of virus infects executable program files by adding its own code to them. When you run an infected file, the virus can attach itself to other executable files. The infected files usually have extensions such as .COM, .EXE or .SYS (device drivers).

Overlay (.OVL) files and dynamic link library (.DLL) files are also targets for file-infecting viruses. They are not run directly, but are loaded by other executables, so the virus becomes active in memory when a program that uses the infected file is executed. It then makes copies of itself and infects other files on disk.

Sunday, Cascade, Nemesis, Enigma, and Loki viruses are examples of this type of virus.

• Polymorphic Viruses:

Polymorphic viruses change their code so that antivirus scanners cannot recognize them by a fixed byte signature. The virus produces varied but fully functional copies of itself, typically by encrypting its body with a different key, and varying the decryption routine, in each infection so that it appears different every time.

The examples of polymorphic viruses are Involuntary, Phoenix, Stimulate, Evil, Virus 101, Proud, and Cascade.
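The practical consequence of the polymorphic technique described above is that a scanner cannot simply look for the body's bytes on disk; it has to either run the sample's own decryption routine in a safe emulator and scan the result, or try candidate decryptions itself without trusting the sample ("X-raying"). The following is an added toy model written for this page, not code from the original article and not real malware: the "body" is an inert marker string, the "decryptor stub" is a three-byte header (marker byte, key, length) rather than machine code, and single-byte XOR stands in for the varying encryption. It shows a naive signature scan missing every copy while both emulation and X-raying catch them all.

```python
"""Why a fixed byte signature misses a self-encrypting ("polymorphic") body,
and how scanners still catch it.

Added example, not from the original article and not real malware: the
"body" is an inert marker string, the "decryptor stub" is a three-byte header
(marker byte, key, length) rather than x86 code, and single-byte XOR stands
in for the varying encryption the article describes.  Two detection
strategies are shown: emulating the stub (run the sample's own decryptor in
a sandbox, then scan the result) and X-raying (try every key without
trusting the stub at all).
"""

BODY = b"TOY-POLY-BODY-MARKER"   # stands in for the virus body that must stay intact
SIGNATURE = b"POLY-BODY"         # the byte string a naive scanner looks for
STUB_MARK = 0xEB                 # first header byte; stands in for the decryptor code


def make_copy(key: int) -> bytes:
    """One 'infection': header + body XOR key.  A different key gives a different byte pattern."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    encrypted = bytes(b ^ key for b in BODY)
    return bytes([STUB_MARK, key, len(encrypted)]) + encrypted


def naive_scan(sample: bytes) -> bool:
    """Plain signature match on the bytes as they sit on disk."""
    return SIGNATURE in sample


def emulate_stub(sample: bytes) -> bytes:
    """Do what the stub would do at run time: read key and length from the header and decrypt."""
    if len(sample) < 3 or sample[0] != STUB_MARK:
        return sample              # no recognisable stub: nothing to emulate
    key, length = sample[1], sample[2]
    return bytes(b ^ key for b in sample[3:3 + length])


def emulation_scan(sample: bytes) -> bool:
    """Scan the emulated (decrypted) output instead of the on-disk bytes."""
    return SIGNATURE in emulate_stub(sample)


def xray_scan(sample: bytes) -> bool:
    """Try all 256 single-byte XOR keys; catches the body even if the stub is unknown."""
    return any(SIGNATURE in bytes(b ^ k for b in sample) for k in range(256))


def detection_summary(keys) -> dict:
    """How many of the generated copies each strategy detects."""
    copies = [make_copy(k) for k in keys]
    return {
        "copies": len(copies),
        "distinct_on_disk": len(set(copies)),
        "naive": sum(naive_scan(c) for c in copies),
        "emulation": sum(emulation_scan(c) for c in copies),
        "xray": sum(xray_scan(c) for c in copies),
    }


if __name__ == "__main__":
    print(detection_summary([0x01, 0x5A, 0xA7, 0xFF]))
```

Real polymorphic engines also mutate the decryptor itself (register renaming, junk instructions, varying cipher), which is why emulation rather than a stub signature became the standard approach; X-raying works only while the cipher stays weak enough to brute-force.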

Virus Symptoms:

If you notice the following changes occurring in your computer, then it may be possible that your system is infected by a virus:

-- When you are trying to open a program and it takes forever to load.

-- Your floppy disk or hard disk is suddenly accessed without any logical reason.

-- You receive strange messages, such as "Type Happy birthday Joshi" or "Driver Memory Error", on the screen.

-- The programs you are running may hang the computer or may not work at all.

-- Your computer shows strange and unpredictable behavior, like falling letters or a bouncing ball appearing on the screen.

If, however, your data or files do get corrupted, don't give up: corrupted or infected data can often still be recovered. You can contact a data recovery company, whose technicians can guide you through the recovery process, or choose data recovery software suited to your operating system. If you are concerned with specific file types, such as Word, Excel or e-mail, recovery companies offer tools for these as well.

Stellar Information Systems Limited is an ISO 9001-2000 certified company specializing in data recovery and data protection software, services and solutions. Stellar offers a complete solution of data recovery software and lost data restoration programs for Windows (Windows 95, 98, ME, NT, 2000, 2003, XP), Apple Macintosh, Novell, Linux, Unix operating system and FAT, NTFS, NTFS5, HFS, HFS+, NWFS, JFS, EXT2 and EXT3 file systems.

Read More......

Viruses and worms

How do you know if your computer has contracted a worm or a virus?

I seem to have a lot of emails in my inbox with the same subject heading. What's going on?
It sounds as if you have an email virus.

There are thousands of viruses out there, but only a handful account for most of the problems. There are usually one or two that are the most prominent at any one time. The latest, a variant of the so-called BugBear email worm that began to infect computers across the globe last October, is spreading rapidly at the moment.

What is a virus?
A virus is a programme that self-replicates, and viruses are written by people who want them to spread as widely as possible. Some viruses, such as Anna Kournikova or the love bug, require user interaction to self-replicate, usually clicking on an attachment, while others, such as Code Red, trawl networks looking for computers with a specific vulnerability to exploit.

All viruses clog up networks and slow down the performance of your PC, but many also have payloads, or code that triggers an action on the infected machine. These payloads can be anything from wiping your hard drive to emailing confidential documents to public newsgroups to installing a "Trojan horse" on your computer that allows hackers to access your data.

What is the difference between a virus and a worm?
A virus is parasitic code that attaches itself to another programme, such as a Visual Basic script (.vbs file) or an executable (.exe). A worm does not attach itself to other programmes and spreads without any user interaction. It is a technical distinction that does not really matter to the average computer user.

I have a virus in my inbox. Now what?
Do not open it. Some viruses will activate simply by opening the email, whether you double click on the attachment or not. Others require no user interaction and will already have infected your computer, simply by virtue of having been sent to you.

If you are at work, ask your IT service desk what to do about the virus. If you are at home, you can look on the website of your anti-virus software company, or call their help desk. Your internet service provider may also be able to help.

Do not send a universal email warning everyone in your company about the virus, as that will only clog networks already suffering from the virus attack. Send one email to your IT support desk, and let them take it from there.

How can I avoid getting viruses?
Anti-virus software is a good place to start, but it is by no means a guarantee.

Most email viruses will appear to be sent to you by someone you know. Beware of emails with "double-barrelled" attachments, such as filename.txt.vbs, and do not double click on them. Do not open executable (.exe) files or documents (.doc) without putting them through a virus scan first. If you need the information in the document, tell the sender to resend it as part of the email body text.
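The "double-barrelled" attachment trick above, and the extension blocking the Hopkins school describes in the earlier post (".exe", ".vbs", ".scr"), both come down to inspecting the attachment name before anyone double-clicks it. The following is an added example written for this page, not code from either article: it flags directly executable attachment types, names such as `report.txt.vbs` where a harmless-looking extension sits in front of an executable one, and the related whitespace-padding trick (`photo.jpg<spaces>.scr`), and it shows the name a Windows machine with "Hide extensions for known file types" switched on would display, which is how the trick fools people. The extension lists are a starting set chosen for the demo, not an exhaustive policy, and the sample names are constructed.

```python
"""Screen e-mail attachment names for the tricks described above.

Added example, not from the original articles.  It flags (a) directly
executable attachment types, (b) "double-barrelled" names such as
report.txt.vbs, where a harmless-looking extension sits in front of an
executable one, and (c) the name Windows shows with "Hide extensions for
known file types" on, which is how (b) fools people.  The whitespace-padding
variant (photo.jpg<spaces>.scr) is handled too.  Extension lists are an
assumed starting set; sample names are constructed.
"""

# Types Windows runs directly when double-clicked (assumed starting set).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Types that look like documents or pictures and so make a good disguise.
DOCUMENT_EXTS = {".txt", ".doc", ".xls", ".ppt", ".rtf", ".pdf", ".jpg", ".gif", ".png"}
# Office types that can carry macros: scan before opening, as the article advises.
MACRO_EXTS = {".doc", ".xls", ".ppt"}


def extensions_of(name: str) -> list:
    """All dot-separated suffixes, lowercased: 'a.TXT.vbs' -> ['.txt', '.vbs']."""
    tokens = name.strip().split(".")
    return ["." + t.strip().lower() for t in tokens[1:] if t.strip()]


def displayed_name(name: str) -> str:
    """What Explorer shows with known extensions hidden: the final known suffix is dropped."""
    clean = name.strip()
    exts = extensions_of(clean)
    if exts and exts[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return clean[: clean.rfind(".")]
    return clean


def assess_attachment(name: str) -> dict:
    """Return verdict ('block', 'scan' or 'allow') with the reasons behind it."""
    clean = name.strip()
    exts = extensions_of(clean)
    final = exts[-1] if exts else ""
    reasons = []
    verdict = "allow"
    if final in EXECUTABLE_EXTS:
        verdict = "block"
        reasons.append(f"executable attachment type {final}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("double-barrelled name: a document extension hides the executable one")
        if "  " in clean:
            reasons.append("whitespace padding pushes the real extension out of view")
    elif final in MACRO_EXTS:
        verdict = "scan"
        reasons.append(f"{final} documents can carry macros: virus-scan before opening")
    return {"name": name, "verdict": verdict, "reasons": reasons,
            "displayed_as": displayed_name(clean)}


# Constructed sample built from the articles' examples plus ordinary files.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",   # attachment name used by the Anna Kournikova worm
    "report.txt.vbs",           # the article's filename.txt.vbs pattern
    "invoice.doc",
    "readme.txt",
    "setup.EXE",
    "photo.jpg          .scr",
    "My Report v1.2.doc",
]


def screen(names) -> dict:
    """Map each attachment name to its verdict."""
    return {n: assess_attachment(n)["verdict"] for n in names}


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        r = assess_attachment(n)
        print(f"{r['verdict']:<5} {n!r:<30} shown as {r['displayed_as']!r}  {'; '.join(r['reasons'])}")
```

Note that a name check is a first filter, not a substitute for scanning: a plain `.doc` still gets a "scan" verdict rather than "allow", which is the article's advice for documents you cannot get as body text.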

If you run Microsoft software, you should keep a look out for security alerts that the company posts on its website. Often the company discovers a hole in its software, posts a fix for it, and then weeks later a virus exploiting that very flaw infects thousands of users. This happened with the Code Red worm, which exploited a flaw in Microsoft's IIS software, and the SQL Slammer worm, which took advantage of a hole in Microsoft SQL 2000 server.

My elderly aunt Agatha just forwarded me a virus warning. What should I do?
Assuming Agatha is not a computer expert, she has probably just sent you one of the numerous virus hoaxes that endlessly do the email rounds. Tell her to stop forwarding on any information if she has not checked it out. Vmyths is a good first stop to check the veracity of an emailed virus alert.

Read More......

2008/08/03

Viruses & Ethics

I am talking about computer viruses, spam, spyware, dialers, hijackers and other threats that will make trouble for you. Maybe you are one of the lucky ones who never had a computer problem. (If so, you could probably stop reading this article if you want, and return to whatever you were doing online.)

Anyway, for those who are still reading, I assume that most of you who use the internet regularly have had one or more "troublemakers" sneak through your cables and into your computers. I call them "troublemakers", because trouble is all they want. Right? If you think about ethics when it comes to the creation of online threats, whether it's a joke, a dangerous virus, or even a spam email, they have either a profitable, educational, innocent or destructive agenda. Some just want to gather general info to learn. Some are destructive, and some want to find your private data (such as bank account info). By saying this I just want you to be aware that some threats you can easily deal with, but others you just don't want at all.

Personally I do think there are ethics that are followed when creating online threats. But these ethics are only followed by the ethical people. There are all kinds of people on this planet, and most people are ok, but there will always be people with cruel intentions and burning desires of making the most trouble for other people. They exist on the internet as well.

Think of people who abuse animals, for instance. I can't in my wildest imagination understand what emotions drive them to torture an animal, and even to take joy in it. How could I sit at home with my computer and create a virus that will, for example, destroy the main drives of all infected computers? What joy would I feel knowing that hundreds, maybe thousands, of people lose money, work and time because of my evil creation? I would simply hate myself for that. In fact I would most likely never go as far as beginning to create a virus. I think I have enough to do keeping them away from me and others. What I mean to say is that you must be aware that, whether you're nice or not, there are threats out there that you should treat with fear and caution.

Not that I mean to scare you. I just want to point out three essential things you absolutely should have installed on your computer to be properly secured: a firewall (Windows XP comes with a great one included), an antivirus solution, and anti-spyware software. Read more about these three main categories online on the website described at the bottom of this article.

There is one thing new I feel I need to share with you. There are certain programs that infiltrates your computer, and brings up several Failure warnings. These could be like : "Infected with Spyware. Click Here to Fix Now" - And often signed by "Protection Center" or similar. If you click one of the warnings that constantly pop up, you will be taken to a website to purchase the "needed" software to get rid of these "problems".

What I am about to tell you now is very important. Do NOT buy this software. Why, you ask? Well, this so-called software claims to get rid of all kinds of bugs, but the fact is that THE ONLY THING it does in most cases is remove itself. This software is made to infiltrate your computer and show a lot of warnings about your computer's bad health. You see, they give you the disease, and then make you buy their remedy. Don't buy it, because their software is the problem in the first place.

These things evolve very quickly, so you need to watch out. Do I have a free solution? Yes, as a matter of fact I do, though I don't like to turn to it, and sometimes I have to: restore your operating system. Format the system drive(s) and re-install Windows or whichever OS you use. This has worked well in all my cases; the warnings vanished. The first time I was infected with this kind of spyware, I remember I was asked to download and install a video codec of some kind. After that, something called "Protection Center" told me to buy a specific piece of software to get rid of this problem, and others. This sounded weird.

Windows doesn't have any function that will notify me that I am infected and recommend a particular brand to me. (If it could, it would probably recommend Microsoft's own software, don't you think?) So I tried to remove it, but it was stuck. It's worth doing a scan with all the anti-malware software you possess, because maybe you are lucky. If not, it must be the hard way. Do everything that's worth a shot, but please don't go and buy their damned software. It isn't worth a penny.

A good way to spot that you are infected with such software is when you suddenly see a lot of warnings about your security. You see, normal spyware doesn't make a sound; you won't see it if you don't go looking. Try to run a spyware killer that you trust (remember that you should have some kind of anti-spyware software installed). If it doesn't fix the problem, try your anti-virus software, and run a complete search and destroy. If nothing works, ask a friend with more computer skills than you to help you.

The only simple solution is to pay the $29, or whatever it costs, and purchase their "remedy" to get rid of the warnings. But then you're stuck with software that won't find anything other than the bug that was injected into your computer earlier, and you are still unprotected against other threats unless you have the three applications mentioned above in place.

So to the hard method. Make sure you have a working operating system with a working key. Then format your hard drive(s) and install the OS. When you are all done, I encourage you to secure your computer from the threats out there.

Read More......

Virus infected files found on Mozilla download site

Infected binary downloads or source code are nothing new; they turn up on public download sites from time to time, and the problem has been around since the days of bulletin board systems. The latest example is a series of files on the Mozilla.org download site: the Korean-language Linux distributions of Mozilla and Thunderbird turned out to be infected with Virus.Linux.RST.b. The files mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected.

The virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.

The infected files have since been removed from the Mozilla site. This is not the first time a binary on a public download site has been infected, and it will not be the last. The lesson: virus scan everything you download, even from sites you trust.

Read More......

New Worm Lebreat poses as Anti Virus

A new mass-mailer and network worm called W32/Lebreat.A is on the loose. The worm claims to be 'Breatle AntiVirus v1.0' and spreads both by email and by exploiting network vulnerabilities, using flaws in the RPC and LSASS services on Windows to propagate over networks. It also mass-mails itself using a variable email message. Shortly after the initial infection was discovered, two variants appeared.

The worm also has a backdoor, a Trojan downloader and a Denial of Service component, which it is understood it uses to attempt a DoS attack against ‘www.symantec.com’.

The worm itself is about 15k bytes long and has been compressed with the MEW file compressor and then patched with PE_Patch. When the worm is first run it installs itself into the Windows System directory as the file CCAPP.EXE and then creates Windows registry keys to ensure it starts up at reboot. It also makes a copy of itself in the Windows System folder in a file called ATTACH.TMP too, both files are created with hidden attributes.

When sending emails the worm looks for email addresses on the drives of the system, looking in various file types. The worm also tries to avoid sending emails to various anti-virus companies and US government. Then it sends a mail with the subject and text taken from a short list of possibles.

It attempts to spread using the LSASS exploit for the Windows vulnerability described in MS04-011.

The worm also opens a back door on TCP port 8885, an FTP server that can be used to manipulate files on the infected PC, and tries to change Windows security settings by adding or modifying certain registry values.

Finally it attempts to pull a Trojan from a remote web site, depending on which variant this could be a mass mailer or a backdoor Trojan.

You can find out more about Lebreat here at F-Secure.

Read More......

Viruses released already for Microsoft Windows Vista

Virus authors have produced proof of concept viruses targeting the scripting language behind prototype versions of Microsoft Windows Vista. An Austrian virus writer published five sample viruses that target Microsoft Command Shell (MSH) in a virus-writing magazine. As MSH (codenamed Monad) is due to ship as the default shell for Windows Vista, these five pieces of malware can be classified as the first viruses for Windows Vista. However, there is still plenty of time for Microsoft to reconsider shipping MSH with Windows Vista.

It is about a year since the concept of viruses for MSH was discussed by anti-virus researcher Eric Chien of Symantec at the Virus Bulletin conference. The MSH environment is understood to give virus writers far more powerful features than they ever had with VBScript.


2008/08/01

virus is

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The term "virus" is also commonly used, albeit erroneously, to refer to many different types of malware and adware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can also spread to other computers by infecting files on a network file system or a file system that is accessed by another computer.

Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless. Worms and Trojans may cause harm to a computer system's hosted data, functional performance, or networking throughput when executed. In general, a worm does not actually harm either the system's hardware or software, while, at least in theory, a Trojan's payload may be capable of almost any type of harm if executed. Some cannot be seen while the infected program is not running, but as soon as the infected code is run, the Trojan horse kicks in. That is why it is so hard for people to find viruses and other malware themselves, and why they have to use anti-spyware programs and registry tools.

Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Some malware is programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Other malware programs are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these less sinister malware programs can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, much malware is bug-ridden, and these bugs may lead to system crashes and data loss. Many CiD programs are programs that have been downloaded by the user and pop up every so often. This slows the computer down, and the problem is also very difficult to find and stop.
