Slide 1:PRESENTATION ON COMPUTER VIRUS AND ANTIVIRUS


Slide 2:History of virus Definition Classification Virus like programs Antiviral tactics Demonstration of deleting myheart virus Conclusions CONTENTS


Slide 3:In 1949 Hungarian American mathematician john von Neumann, proposed that it was theoretically possible for a computer program to replicate. In 1985 the first Trojan horses appeared. In 1995 the first macro language virus, WinWord Concept, was created. HISTORY


Slide 4:Virus is self-duplicating computer program that interferes with a computer's hardware or operating system. DEFINITION


Slide 5:Boot File Macro Network TRS viruses can be divided into:


Cdrom or diskette Hardisk :Boot sector Control BPB Os system file address main memory Executes MBR Disk partition table Active boot sector Cdrom or diskette Hardisk


Slide 7:Boot viruses infect the boot sector of a floppy disk and the boot sector or master boot record (MBR) of a hard disk. The boot viruses' operating principal is based on the algorithms of starting an operation system upon power on or reboot. B O O T V I R U S


Slide 8:It's a little program that runs when a computer starts up. It finds which part of the hard drive is in charge and hands off the start up processes to it. Usually, the MBR is on the first sector (or chunk of storage space) of a hard drive. MASTER BOOT RECORD


Slide 9:Infecting disks, boot viruses "substitute" their code instead of some programs' code, which received control upon system boot up. Therefore the principle of infecting is the same in all the above methods: upon boot up the virus "forces" the system to read into memory and pass control to the virus code, not the original loader routine code. HOW BOOT VIRUS WORKS


DISKETTE INFECTING :DISKETTE INFECTING Diskette infecting is done using the only known method - a virus rewrites the original boot sector code with its own code.


INFECTING HARDISK :INFECTING HARDISK A virus writes itself either instead of the MBR code, or instead of the boot sector code of the boot disk (C: drive usually), or modifies the address of the active boot sector in the Disk Partition Table, situated in the MBR of the hard disk drive.


VIRUS TOP ORIGINAL BOOT REST OF VIRUS :VIRUS TOP ORIGINAL BOOT REST OF VIRUS INFECTION ON MBR


DIFFERENT METHOD USED BY BOOT STRAP VIRUS :DIFFERENT METHOD USED BY BOOT STRAP VIRUS On the hardisk. Outside the hardisk.


Slide 14:At the DOS prompt, type "FDISK/mbr" and a new MBR would be created. HOW TO CURE


Slide 15:Macro viruses are computer viruses that use an application's own macro programming language to distribute themselves. These macros have the potential to inflict damage to the document or to other computer software. These macro viruses can infect Word files, as well as any other application that uses a programming language. MACRO VIRUS


HOW TO DETERMINE WETHER YOU HAVE MICRO VIRUS :HOW TO DETERMINE WETHER YOU HAVE MICRO VIRUS Unexplainable behavior on your system; for example, you may be prompted for a password on a file that you know does not contain a password or your document may be unexpectedly saved as a template. Unusual error messages, for example:This one's for you, Bosco. -or-. ROBERTA TI AMO! -or-. Just to prove another point. -or-. And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC! Unusual changes to your documents; for example, the macro virus may randomly move three words then insert the word "WAZZU" at random locations.


SOURCES OF MICRO VIRUS :SOURCES OF MICRO VIRUS Email attachments Disks Modems Internet Networks


Slide 18:Always save document in “Rich Text Format”. HOW TO AVOID


Slide 19:Network virus use protocols and commands of computer network or email to spread themselves. NETWORK VIRUS


HOW NETWORK VIRUS WORKS :HOW NETWORK VIRUS WORKS Network viruses make extensive use of networking protocols and capabilities of local and global access networks to multiply. The main operating principle of the network virus is its capability to transfer is code to a remote server or workstation on its own. (full-scale) network viruses also are capable of running their code on remote computers or at least "pushing" users to run the infected file.


Slide 21:Terminate and Stay Resident - means that the virus is able to leave its copy in system memory, intercept some events (for example file or disk calls) and in the process run the infecting routines on found objects (files and sectors). TSR VIRUS


VIRUS LIKE COMPUTER PROGRAMS :VIRUS LIKE COMPUTER PROGRAMS Trojan horse Logic bomb Malicious software program


Slide 23:A Trojan horse is a program that pretends to be something else. A Trojan horse may appear to be something interesting and harmless, such as a game, but when it runs it may have harmful effects. TROJAN HORSE


Slide 24:A logic bomb delivers its instructions when it is triggered by a specific condition, such as when a particular date or time is reached or when a combination of letters is typed on a keyboard. A logic bomb has the ability to erase a hard drive or delete certain files. LOGIC BOMB


Slide 25:Malicious software programs that run within a Web browser often appear in Java applets and ActiveX controls. MALICIOUS SOFTWARE PROGRAM


ANTIVIRAL TACTICS :ANTIVIRAL TACTICS Step 1: Never open an e-mail attachment from a stranger. Step 2: Never open an e-mail attachment from someone you know, unless you know exactly what the attachment is. Step 3: Always keep your antivirus software up-to-date.


Slide 27:The Windows Registry is a central hierarchical database that is used in Microsoft Window 95/98/Me/NT/2000/XP and in Microsoft Windows CE to store information necessary to configure the system for one or more users, applications, and hardware devices. REGISTRY EDITOR


Slide 28:My Love.exe Kenangan.exe Hallo.exe Puisi Cinta.exe My Heart.exe Jangan Dibuka.exe Mistery.exe


Slide 29:W32.HLLW.Pesin is a worm that will copy itself to the Startup folder on remote machines. Also Known As: W32/Pesin.gen [McAfee], Troj/Pesin-A [Sophos], Win32.Pesin [Kaspersky] Type: WormInfection Length: 56,832 bytes Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x


When W32.HLLW.Pesin is executed, it performs the following actions: :When W32.HLLW.Pesin is executed, it performs the following actions: Copies itself as %System%\SysTask.exe and C:\My Documents\My Heart.exe. Creates the following files: C:\~Temp.Doc A:\~Temp45.Doc


Slide 31:3. Attempts to disable the following Windows, if open: Shut Down Windows Registry Editor System Configuration System Configuration Utility Hello 4. Adds the value:"LoadService"="%System%\SysTask.exe /run"to the registry key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5. so that the worm runs when you start Windows.