This document discusses computer viruses, including their definition, types (resident and non-resident), vectors of transmission, vulnerability of operating systems, antivirus software and how it works to detect viruses using signatures and heuristics, virus removal methods, and a brief history of early academic work on the theory of self-replicating programs.
Computer Viruses: Causes, Types, Prevention and Removal
1. Computer Viruses
Done by Youssef Bahaa
Al-Din Mahmoud
Grade 9 A
Under the supervision of
Mr. Mohammed Salah
Omar
2. Introduction
• A computer virus is a computer program that can replicate
itself, and spread from one computer to another. The term
"virus" is also commonly, but erroneously, used to refer to
other types of malware, including but not limited to adware
and spyware programs that do not have a reproductive ability.
Malware includes computer viruses, computer
worms, ransomware, Trojan horses, keyloggers, most
rootkits, spyware, dishonest adware, malicious BHOs and
other malicious software.
3. Introduction
• The majority of active malware threats are usually Trojans or
worms rather than viruses. Malware such as Trojan horses
and worms is sometimes confused with viruses, which are
technically different: a worm can exploit security
vulnerabilities to spread itself automatically to other
computers through networks, while a Trojan horse is a
program that appears harmless but hides malicious functions.
4. Introduction
• Worms and Trojan horses, like viruses, may harm a computer
system's data or performance. Some viruses and other
malware have symptoms noticeable to the computer user, but
many are surreptitious or simply do nothing to call attention
to themselves. Some viruses do nothing beyond reproducing
themselves.
5. Types of viruses
• Non-resident viruses
Non-resident viruses can be thought of as consisting of a finder
module and a replication module. The finder module is
responsible for finding new files to infect. For each new
executable file the finder module encounters, it calls the
replication module to infect that file.
6. Types of viruses
• Resident viruses
Resident viruses contain a replication module that is similar to
the one that is employed by non-resident viruses. This
module, however, is not called by a finder module. The virus
loads the replication module into memory when it is executed
instead and ensures that this module is executed each time the
operating system is called to perform a certain operation. The
replication module can be called, for example, each time the
operating system executes a file. In this case the virus infects
every suitable program that is executed on the computer.
7. Vectors and hosts
Viruses have targeted various types of transmission media or
hosts. This list is not exhaustive:
• Binary executable files (such as COM files and EXE files in MS-DOS,
Portable Executable files in Microsoft Windows, the Mach-O
format in OS X, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and
Microsoft Windows, VBScript files, and shell script files on
Unix-like platforms).
8. Vectors and hosts
• System-specific autorun script files (such as the Autorun.inf file
needed by Windows to automatically run software stored on
USB memory storage devices).
• Documents that can contain macros (such as Microsoft Word
documents, Microsoft Excel spreadsheets, AmiPro
documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications (see XSS
Worm)
9. Vectors and hosts
• Arbitrary computer files. An exploitable buffer
overflow, format string, race condition or other exploitable
bug in a program which reads the file could be used to trigger
the execution of code hidden within it. Most bugs of this type
can be made more difficult to exploit in computer
architectures with protection features such as an execute
disable bit and/or address space layout randomization.
10. The vulnerability of operating systems to viruses
Just as genetic diversity in a population decreases the chance of
a single disease wiping out a population, the diversity of
software systems on a network similarly limits the destructive
potential of viruses and malware. This became a particular
concern in the 1990s, when Microsoft gained market dominance
in desktop operating systems, web browsers, and office suites.
Microsoft software is targeted by writers of viruses and malware
due to Microsoft's desktop dominance.
Although Windows is by far the most popular target operating
system for virus writers, viruses also exist on other platforms.
Any operating system that allows third-party programs to run
can theoretically run viruses.
11. The vulnerability of operating systems to viruses
• As of 2006, there were at least 60 known security exploits
targeting the base installation of Mac OS X (with a Unix-based
file system and kernel). The number of viruses for the older
Apple operating systems, known as Mac OS Classic, varies
greatly from source to source, with Apple stating that there
are only four known viruses, and independent sources stating
there are as many as 63 viruses. Many Mac OS Classic viruses
targeted the HyperCard authoring environment. The
difference in virus vulnerability between Macs and Windows
is a chief selling point, one that Apple uses in their Get a Mac
advertising. In January 2009, Symantec announced the
discovery of a trojan that targets Macs. This discovery did not
gain much coverage until April 2009.
12. Antivirus software and other preventive
measures
• Many users install antivirus software that can detect and
eliminate known viruses when the computer attempts to
download or run the executable (which may be distributed as
an email attachment, or on USB flash drives, for example).
Some antivirus software blocks known malicious web sites
that attempt to install malware. Antivirus software does not
change the underlying capability of hosts to transmit viruses.
Users must update their software regularly to patch security
vulnerabilities ("holes"). Antivirus software also needs to be
regularly updated in order to recognize the latest threats.
13. Antivirus software and other preventive
measures
• Examples of Microsoft Windows anti-virus and anti-malware
software include the optional Microsoft Security Essentials (for
Windows XP, Vista and Windows 7) for real-time
protection, the Windows Malicious Software Removal Tool
(now included with Windows (Security) Updates on "Patch
Tuesday", the second Tuesday of each month), and Windows
Defender (an optional download in the case of Windows XP).
Additionally, several capable antivirus software programs are
available for free download from the Internet (usually
restricted to non-commercial use).
14. How Antivirus software works
• Different anti-virus programs use different "signatures" to
identify viruses. The disadvantage of this detection method is
that users are only protected from viruses that are detected
by signatures in their most recent virus definition update, and
not protected from new viruses (see "zero-day attack"). A
second method to find viruses is to use a heuristic algorithm
based on common virus behaviors. This method has the
ability to detect new viruses for which anti-virus security firms
have yet to define a "signature", but it also gives rise to more
false positives than using signatures. False positives can be
disruptive, especially in a commercial environment.
15. How Antivirus software works
• There are two common methods that an antivirus software
application uses to detect viruses, as described in the
antivirus software article. The first, and by far the most
common method of virus detection is using a list of virus
signature definitions. This works by examining the content of
the computer's memory (its RAM, and boot sectors) and the
files stored on fixed or removable drives (hard drives, floppy
drives, or USB flash drives), and comparing those files against
a database of known virus "signatures".
16. How Antivirus software works
• A second method to find viruses is to use a heuristic algorithm
based on common virus behaviors. This method has the
ability to detect new viruses for which anti-virus security firms
have yet to define a "signature", but it also gives rise to more
false positives than using signatures. False positives can be
disruptive, especially in a commercial environment.
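The trade-off described in slides 14 to 16, as an added example that is not part of the original slides: a signature scan misses a new variant, while a behaviour heuristic catches it but also flags a benign installer. The detection names, byte patterns, behaviour labels, weights and threshold are all constructed for illustration.

```python
# Toy signature and heuristic detection; every name and value is constructed.

# Stand-in for a virus definition update: detection name -> byte pattern.
SIGNATURES = {
    "Demo.Alpha": b"DEMO-ALPHA-MARKER",
    "Demo.Beta": b"DEMO-BETA-MARKER",
}

# Assumed weights for behaviours this page mentions; not from any real product.
BEHAVIOR_WEIGHTS = {
    "writes_to_other_executables": 2,
    "writes_autorun_inf": 2,
    "disables_system_tools": 3,
    "modifies_boot_record": 3,
}
HEURISTIC_THRESHOLD = 4

def signature_scan(content):
    """Return the name of the first known signature found in content, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return name
    return None

def heuristic_flag(behaviors):
    """Flag a sample when the summed weight of its behaviours reaches the threshold."""
    score = sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in behaviors)
    return score >= HEURISTIC_THRESHOLD

# Constructed samples: file content plus behaviours observed while it ran.
SAMPLES = {
    "known_virus": (b"MZ..DEMO-ALPHA-MARKER..",
                    {"writes_to_other_executables", "disables_system_tools"}),
    "new_variant": (b"MZ..DEMO-GAMMA-MARKER..",
                    {"writes_to_other_executables", "disables_system_tools"}),
    "benign_installer": (b"MZ..setup..",
                         {"writes_to_other_executables", "writes_autorun_inf"}),
    "text_editor": (b"MZ..editor..", {"opens_documents"}),
}

def report():
    """Map each sample name to (signature hit or None, heuristic flag)."""
    return {n: (signature_scan(c), heuristic_flag(b)) for n, (c, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The new variant has no matching signature until a definition update adds one, and the installer is the kind of false positive the slide warns about.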
17. Virus removal
• Many websites run by antivirus software companies provide free
online virus scanning, with limited cleaning facilities (the purpose of
the sites is to sell anti-virus products). Some websites—like Google
subsidiary VirusTotal.com—allow users to upload one or more
suspicious files to be scanned and checked by one or more antivirus
programs in one operation. Additionally, several capable antivirus
software programs are available for free download from the
Internet (usually restricted to non-commercial use). Microsoft
offers an optional free antivirus utility called Microsoft Security
Essentials, a Windows Malicious Software Removal Tool that is
updated as part of the regular Windows update regime, and an
older optional anti-malware (malware removal) tool Windows
Defender that has been upgraded to an antivirus product in
Windows 8.
18. Virus removal
• Some viruses disable System Restore and other important
Windows tools such as Task Manager and Command Prompt.
An example of a virus that does this is CiaDoor. Many such
viruses can be removed by rebooting the computer, entering
Windows safe mode with networking, and then using system
tools or Microsoft Safety Scanner. System Restore on
Windows Me, Windows XP, Windows Vista and Windows 7
can restore the registry and critical system files to a previous
checkpoint. Often a virus will cause a system to hang, and a
subsequent hard reboot will render a system restore point
from the same day corrupt. Restore points from previous days
should work provided the virus is not designed to corrupt the
restore files and does not exist in previous restore points.
19. History
• Academic work
The first academic work on the theory of computer viruses
(although the term "computer virus" was not used at that time)
was done in 1949 by John von Neumann who gave lectures at
the University of Illinois about the "Theory and Organization of
Complicated Automata". The work of von Neumann was later
published as the "Theory of self-reproducing automata". In his
essay von Neumann described how a computer program could
be designed to reproduce itself.