COMPUTER VIRUS & ANTIVIRUS SYSTEMS

INDEX

1. Introduction
2. General information
3. How to deal with Viruses
4. How to protect from Viruses
5. How Viruses spread around the world?
6. Computer Viruses & AntiVirus
7. AntiVirus
8. Databases
9. Statistics
10. Conclusion
11. Forecast

Introduction to Computer Viruses

A computer virus is a that can copy itself and infect a computer without permission or knowledge of the user. The term "virus" is also commonly used, albeit erroneously, to refer to many different types of and programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus.

A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the , or by carrying it on a removable medium such as a , CD, or USB drive. Meanwhile viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer.

Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a is a file that appears harmless. Worms and Trojans may cause harm to either a computer system's hosted data, functional performance, or networking throughput, when executed. In general, a worm does not actually harm either the system's hardware or , while at least in theory, a Trojan's may be capable of almost any type of harm if executed. Some can't be seen when the program is not running, but as soon as the infected code is run, the Trojan horse kicks in. That is why it is so hard for people to find viruses and other malware themselves and why they have to use programs and registry processors.

Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.
Some malware is programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Other malware programs are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these less sinister malware programs can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, much malware is bug-ridden, and these bugs may lead to system crashes and data loss. Many CiD programs are programs that have been downloaded by the user and pop up every so often. This results in slowing down of the computer, but it is also very difficult to find and stop the problem.

A person might have a computer virus infection when the computer starts acting differently: for instance, it gets slow, or when they turn the computer on it says that all the data is erased, or when they start writing a document it looks different, some chapters might be missing, or something else abnormal has happened. The next thing that usually happens is that the person whose computer might be infected panics. The person might think that all the work that has been done is missing. That could be true, but in most cases viruses have not done any harm yet; it is when one starts doing something without being sure what one is doing that harm might be done. When some people try to get rid of viruses they delete files or they might even format the whole hard disk like my cousin did. That is not the best way to act when a person thinks that he has a virus infection. What do people do when they get sick? They go to see a doctor if they do not know what is wrong with them. It is the same way with viruses: if the person does not know what to do, they call someone who knows more about viruses and they get professional help.
If a person reads email at their PC, or if they use diskettes to transfer files between the computer at work and the computer at home, or if they just transfer files between the two computers, they have a good possibility of getting a virus. They might also get viruses when they download files from any internet site. There was a time when people were able to be sure that some sites were secure, that those secure sites did not have any virus problems, but nowadays people cannot be sure of anything. There have been viruses even in 's download sites.

In this report I am going to introduce different malware types, how they spread and how to deal with them. The most common viruses nowadays are macro viruses and I am going to spend a little more time with them. I am going to give an example of trojan horses stealing passwords.

Computer virus timeline

1949 Theories for self-replicating programs are first developed.

1981 Apple Viruses 1, 2, and 3 are some of the first viruses in the world or in the . Found on the Apple II , the viruses spread through Texas A&M via pirated computer games.

1983 Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”

1986 Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label.

1987 The Lehigh virus, one of the first file viruses, infects command.com files.

1988 One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day. MacMag and the Scores virus cause the first major Macintosh outbreaks.

1990 Symantec launches Norton AntiVirus, one of the first antivirus programs developed by a large company.

1991 Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.

1992 1300 viruses are in existence, an increase of 420% from December of 1990. The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that turns ordinary viruses into polymorphic viruses. The Virus Creation Laboratory (VCL) is also made available. It is the first actual virus creation kit.

1994 Good Times email hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an email with the subject line “Good Times.” Though disproved, the hoax resurfaces every six to twelve months.

1995 Word Concept becomes one of the most prevalent viruses in the mid-1990s. It is spread through documents.

1996 Baza, Laroux (a macro virus), and Staog viruses are the first to infect Windows95 files, Excel, and respectively.

1998 Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section. The Chernobyl virus spreads quickly via .exe files. As the notoriety attached to its name would suggest, the virus is quite destructive, attacking not only files but also a certain chip within infected computers. Two California teenagers infiltrate and take control of more than 500 military, government, and private sector computer systems.

1999 The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any previous virus, infecting an estimated 1 million PCs. Bubble Boy is the first worm that does not depend on the recipient opening an attachment in order for infection to occur. As soon as the user opens the email, Bubble Boy sets to work. Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files.

2000 The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook, much like Melissa. The virus comes as a VBS attachment and deletes files, including MP3, MP2, and .JPG. It also sends usernames and passwords to the virus's author. W97M.Resume.A, a new variation of the Melissa virus, is determined to be in the wild. The “resume” virus acts much like Melissa, using a Word macro to infect Outlook and spread itself. The “Stages” virus, disguised as a joke email about the stages of life, spreads across the Internet. Unlike most previous viruses, Stages is hidden in an attachment with a false “.txt” extension, making it easier to lure recipients into opening it. Until now, it has generally been safe to assume that text files are safe. “Distributed denial-of-service” attacks by hackers knock Yahoo, eBay, Amazon, and other high profile web sites offline for several hours.

2001 Shortly after the September 11th attacks, the Nimda virus infects hundreds of thousands of computers in the world. The virus is one of the most sophisticated to date with as many as five different methods of replicating and infecting systems. The “Anna Kournikova” virus, which mails itself to persons listed in the victim's address book, worries analysts who believe the relatively harmless virus was written with a “tool kit” that would allow even the most inexperienced programmers to create viruses. Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems. Sircam spreads personal documents over the Internet through email. CodeRed attacks vulnerable webpages, and was expected to eventually reroute its attack to the White House homepage. It infected approximately 359,000 hosts in the first twelve hours. BadTrans is designed to capture passwords and credit card information.

2002 Author of the Melissa virus, David L. Smith, is sentenced to 20 months in federal prison. The LFM-926 virus appears in early January, displaying the message “Loading.Flash.Movie” as it infects Shockwave Flash (.swf) files. Celebrity named viruses continue with the “Shakira,” “Britney Spears,” and “Jennifer Lopez” viruses emerging. The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes), creates hidden copies of the originals, and attempts to disable common anti-virus products. The Bugbear worm also makes its first appearance in September. It is a complex worm with many methods of infecting systems.

2003 In January the relatively benign “Slammer” (Sapphire) worm becomes the fastest spreading worm to date, infecting 75,000 computers in approximately ten minutes, doubling its numbers every 8.5 seconds in its first minute of infection. The Sobig worm becomes one of the first to join the spam community. Infected computer systems have the potential to become spam relay points and spamming techniques are used to mass-mail copies of the worm to potential victims.

2004 In January a , called MyDoom or Novarg, spreads through emails and file-sharing software faster than any previous virus or worm. MyDoom entices email recipients to open an attachment that allows hackers to access the hard drive of the infected computer. The intended goal is a “denial of service attack” on the SCO Group, a company that is suing various groups for using an open-source version of its . SCO offers a $250,000 reward to anyone giving information that leads to the arrest and conviction of the people who wrote the worm.

An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm in May. Victims include businesses, such as British Airways, banks, and government offices, including Britain's Coast Guard. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation. The Sasser worm is different than other viruses in that users do not have to open a file attachment to be affected by it. Instead, the worm seeks out computers with a security flaw and then sabotages them. An 18-year-old German high school student confessed to creating the worm. He's suspected of releasing another version of the virus.

Virus Origins

Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person. Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive. A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to launch. Once it is running, it can infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.

2. General information about computer viruses

2.1 Different malware types

Malware is a general name for all programs that are harmful: viruses, trojans, worms and all other similar programs.

2.1.1 Viruses

A computer virus is a program, a block of executable code, which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user. There are a couple of different types of computer viruses: boot sector viruses, parasitic viruses, multi-partite viruses, companion viruses, link viruses and macro viruses. These classifications take into account the different ways in which the virus can infect different parts of a system. The manner in which each of these types operates has one thing in common: any virus has to be executed in order to operate. Most viruses are pretty harmless. The user might not even notice the virus for years. Sometimes viruses might cause random damage to data files and over a long period they might destroy files and disks. Even benign viruses cause damage by occupying disk space and main memory, and by using up CPU processing time. There is also the time and expense wasted in detecting and removing viruses.

2.1.2 Trojan

A Trojan Horse is a program that does something other than what the user thought it would do. It is mostly done to someone on purpose. Trojan Horses are usually masked so that they look interesting, for example a saxophone.wav file that interests a person collecting sound samples of instruments. A Trojan Horse differs from a destructive virus in that it doesn't reproduce. There has been a password trojan out in AOL land (the American On Line): Password30 and Pasword50, which some people thought were .wav files, but they were disguised and people did not know that they had the trojan in their systems until they tried to change their passwords. According to an administrator of AOL, the Trojan steals passwords and sends an e-mail to the hacker's fake name, and then the hacker has your account in his hands.

2.1.3 Worms

A worm is a program which usually spreads over network connections. Unlike a virus, which attaches itself to a host program, worms always need a host program to spread. In practice, worms are not normally associated with one-person computer systems. They are mostly found in multi-user systems such as Unix environments. A classic example of a worm is Robert Morris's Internet worm of 1988.

2.2 Macro virus

Macro viruses spread from applications which use macros. The macro viruses which are receiving attention currently are specific to Word 6, WordBasic and Excel. However, many applications, not all of them Windows applications, have potentially damaging and infective macro capabilities too. A CAP macro virus, now widespread, infects macros attached to Word 6.0 for Windows, Word 6.0.1 for Macintosh, Word 6.0 for Windows NT, and Word for Windows 95 documents. What makes such a virus possible is that the macros are created in WordBASIC, which even allows DOS commands to be run. WordBASIC is a programming language which links features used in Word to macros.

A virus named "Concept" has no destructive payload; it merely spreads after a document containing the virus is opened. Concept copies itself to other documents when they are saved, without affecting the contents of documents. Since then, however, other macro viruses have been discovered, and some of them contain destructive routines. Microsoft suggests opening files without macros to prevent macro viruses from spreading, unless the user can verify that the macros contained in the document will not cause damage. This does NOT work for all macro viruses.

Why are macro viruses so successful? Today people share so much data, email documents and use the Internet to get programs and documents. Macros are also very easy to write. The problem is also that Word for Windows corrupts macros, inadvertently creating new macro viruses. Corruption also creates "remnant" macros which are not infectious, but look like viruses and cause false alarms. Known macro viruses can get together and create wholly new viruses.

There have been viruses since 1986 and macro viruses since 1995. Now about 15 percent of viruses are macro viruses. There are about 2.000 macro viruses and about 11.000 DOS viruses, but the problem is that macro viruses spread so fast. New macro viruses are created in the work-place, on a daily basis, on typical end-user machines, not in a virus lab. New macro virus creation is due to corruption, mating, and conversion. Traditional anti-virus programs are also not good at detecting new macro viruses. Almost all viruses detected in the Helsinki University of Technology have been macro viruses, according to Tapio Keihänen, the virus specialist in HUT. Before macro viruses it was easier to detect and repair virus infections with anti-virus programs. But now that there are new macro viruses, it is harder to detect them, and people are more in contact with their anti-virus vendor to detect and repair unknown macro viruses, because new macro viruses spread faster than new anti-virus program updates come out.

2.3 Virus sources

Viruses do not just appear; there is always somebody who has made one, and they have their own reason to do so. Viruses are written everywhere in the world. Now that the information flow in the net and Internet grows, it does not matter where the virus is made. Most of the writers are young men. There are also a few university students, professors, computer store managers, writers and even a doctor who have written a virus. One thing is common to these writers: all of them are men; women do not waste their time writing viruses. Women are either smarter or they are just so good that they never get caught.

2.3.1 Why do people write and spread viruses?

It is difficult to know why people write them. Everyone has their own reasons. Some general reasons are to experiment with how to write viruses or to test their programming talent. Some people just like to see how the virus spreads and gets famous around the world.
The following is a list from postings in the newsgroup alt.comp.virus that tries to explain why people write and spread viruses.

• they don't understand or prefer not to think about the consequences for other people
• they simply don't care
• they don't consider it to be their problem if someone else is inconvenienced
• they draw a false distinction between creating/publishing viruses and distributing them
• they consider it to be the responsibility of someone else to protect systems from their creations
• they get a buzz, acknowledged or otherwise, from vandalism
• they consider they're fighting authority
• they like 'matching wits' with anti virus vendors
• it's a way of getting attention, getting recognition from their peers and their names (or at least that of their virus) in the papers and the Wild List
• they're keeping the anti virus vendors in a job

2.4 How viruses act

A virus's main mission is to spread and then become active. Some viruses just spread and never activate. When viruses spread, they make copies of themselves, and the spreading itself is harmful.

2.4.1 How viruses spread out

A virus's mission is to hop from one program to another, and this should happen as quickly as possible. Usually viruses join to the host program in some way. They may even write over part of the host program. A computer is infected with a boot sector virus if it is booted from an infected floppy disk. Boot sector infections cannot normally spread across a network. These viruses normally spread via floppy disks, which may come from virtually any source:

• unsolicited demonstration disks
• brand-new software
• disks used on your PC by salesmen or engineers
• repaired hardware

A file virus infects other files when the program to which it is attached is run, and so a file virus can spread across a network and often very quickly. They may be spread from the same sources as boot sector viruses, but also from sources such as Internet FTP sites and newsgroups. Trojan horses spread just like file viruses. A multipartite virus infects boot sectors and files. Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infection could spread across a network.

2.4.2 How viruses activate

We are always afraid that viruses do something harmful to files when they get active, but not all viruses activate. Some viruses just spread, but when viruses do activate they do very different things. They might play part of a melody or play music in the background, show a picture or animated picture, show text, format the hard disk or make changes to files. As an example, in one unnamed company, over a long period of time, the files on a server were corrupted just a bit. So backup copies were taken of the corrupted files. And after they noticed that something was wrong, it was too late to get the data back from the backups. That kind of event is the worst that can happen to the users. There is also talk that viruses have done something to hardware like the hard disk or monitor. Viruses cannot do any harm to hardware, but they can do harm to programs and, for example, to the BIOS so that the computer does not start after that.

2.5 Viruses in different platforms

2.5.1 PC viruses

Viruses are mostly written for PC computers and the DOS environment. Even though viruses are made for the DOS environment, they also work in Windows, Windows95, Windows NT and OS/2 operating systems. Some viruses, like boot sector viruses, do not care about the operating system.

2.5.2 Macintosh viruses

Macintosh viruses are not as big a problem as PC viruses are. There are not so many viruses for the Macintosh operating system. Macintosh viruses have been found mostly in schools. How many Mac viruses are there? I found out that there are about 2-300 Mac-specific viruses. There are virtually no macro viruses which have a Mac-specific payload, but all macro viruses can infect Macs and other platforms which run Word 6.x or better.

2.5.3 Other platforms

Viruses can be found in almost any kind of computer, such as HP calculators used by students like HP 48 calculators, old computers like the Commodore 64, and Unix computers too. In general, there are virtually no non-experimental UNIX viruses. There have been a few worm incidents, most notably the Morris Worm, the Internet Worm, of 1988. There are products which scan some Unix systems for PC viruses. Any machine used as a file server (, Unix etc.) can be scanned for PC viruses by a DOS scanner if it can be mounted as a logical drive on a PC running appropriate network software such as PC-NFS. Intel-based PCs running Unix, e.g. Linux, etc., can also be infected by a DOS boot-sector virus if booted from an infected disk. The same goes for other PC-hosted operating systems such as NetWare. While viruses are not a major risk on Unix platforms, integrity checkers and audit packages are frequently used by system administrators to detect file changes made by other kinds of attack.

3. How to deal with viruses

3.1 What are the signs of viruses

Almost anything odd a computer may do can be blamed on a computer "virus," especially if no other explanation can readily be found. Many operating systems and programs also do strange things, therefore there is no reason to immediately blame a virus. In most cases, when an anti-virus program is then run, no virus can be found. A computer virus can cause unusual screen displays, or messages - but most don't do that. A virus may slow the operation of the computer - but many times that doesn't happen. Even longer disk activity or strange hardware behavior can be caused by legitimate software, harmless "prank" programs, or by hardware faults. A virus may cause a drive to be accessed unexpectedly and the drive light to go on, but legitimate programs can do that also.

One usually reliable indicator of a virus infection is a change in the length of executable (*.com/*.exe) files, a change in their content, or a change in their file date/time in the directory listing. But some viruses don't infect files, and some of those which do can avoid showing changes they've made to files, especially if they're active in RAM. Another common indication of a virus infection is a change to the reassignment of system resources. Unaccounted use of memory or a reduction in the amount normally shown for the system may be significant. In short, observing "something funny" and blaming it on a computer virus is less productive than scanning regularly for potential viruses, and not scanning because "everything is running OK" is equally inadvisable.
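The file-change indicators described above (length, content, date/time of *.com/*.exe files) are what change-detection software records. The following is an added example, not part of the original report: a minimal Python integrity checker run against constructed sample files; the file names, byte contents and timestamps are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types the passage names as worth watching (*.com / *.exe).
WATCHED_SUFFIXES = {".com", ".exe"}
T0 = 1_000_000_000      # constructed baseline timestamp (seconds)
T1 = T0 + 3600          # constructed "one hour later" timestamp


def snapshot(root):
    """Record size, modification time and SHA-256 of each watched file."""
    root = Path(root)
    records = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            info = path.stat()
            records[path.relative_to(root).as_posix()] = {
                "size": info.st_size,
                "mtime": info.st_mtime_ns,
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return records


def compare(baseline, current):
    """Return {file: [what changed]} for every difference from the baseline."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings[name] = ["missing"]
        elif name not in baseline:
            findings[name] = ["new"]
        else:
            changed = [field for field in ("size", "mtime", "sha256")
                       if baseline[name][field] != current[name][field]]
            if changed:
                findings[name] = changed
    return findings


def demo():
    """Constructed sample: harmless files, a baseline, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, fill in (("edit.com", b"A"), ("tool.exe", b"B"),
                           ("calc.exe", b"C")):
            (root / name).write_bytes(fill * 64)
            os.utime(root / name, (T0, T0))
        (root / "notes.txt").write_bytes(b"not a watched file type")
        baseline = snapshot(root)

        # Change 1: bytes appended later. Length, date and content all differ.
        with open(root / "edit.com", "ab") as handle:
            handle.write(b"X" * 16)
        os.utime(root / "edit.com", (T1, T1))

        # Change 2: same length and the original date put back. A directory
        # listing looks unchanged; only the content hash shows the change.
        (root / "tool.exe").write_bytes(b"Z" * 64)
        os.utime(root / "tool.exe", (T0, T0))

        # Change 3: an executable that was not there when the baseline was taken.
        (root / "extra.exe").write_bytes(b"D" * 8)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for name, changes in demo().items():
        print(f"{name}: {', '.join(changes)}")
```

A checker like this only sees what the running system shows it, so the comparison is most trustworthy when run after starting from clean media, for the reason the passage gives about viruses active in RAM.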

3.2 What to do when you find viruses

The first thing you should do when you find a virus is count to ten and stay cool. You should keep notes on what you do and write down what your virus programs and your computer tell you. If you are not sure what to do, you should call the administrator for further action. In some cases it is not good to start your computer from the hard disk, because the virus may activate and then do some harm. Second, make sure that it is a virus and find out what virus it is. It is important to know what kind of virus we are dealing with. Companies that make anti-virus programs know what different viruses do, and you can either call them and ask about the virus or go to their web pages and read about the virus you have. When you start your computer you should do it from a clean (non-infected) floppy diskette and after that run the virus program. The boot diskette should be write protected so that the virus cannot infect the boot diskette too. It is good to take a backup of the file that was infected. The virus program could do some damage to the file and that is why it is good to have a backup. It is good to let your administrator know about the virus, so that viruses do not spread around so much. In TKK, PC classes are protected by an anti-virus program, and that virus program reports to a person responsible for virus protection.

4. How to protect from viruses

4.1 How to provide against viruses

The best way to protect yourself is to prepare your computer against viruses in advance. One way to protect your computer is to use an updated anti-virus program. When you get an email attachment, you should first check the attachment by checking the file with an anti-virus program. As an example, in one unnamed Finnish company all information was mailed in email attachments. There was one Word document that was mailed to everybody. That email attachment was infected by a macro virus. Everyone got the infected attachment, and those who opened that attachment with Word got the CAP macro virus. In the end there were a few thousand infections. It took lots of time and money to clear that virus. One can protect the computer against boot sector viruses by setting the BIOS to start from a hard disk rather than from a floppy disk. Write protection is a good way to protect against viruses. Write protection works well on floppy disks, Windows NT and UNIX, but not that well in Windows and Windows95.

4.2 Different anti-virus programs

There are three different kinds of anti-viral packages: activity monitors, authentication or change-detection software, and scanners. Each type has its own strengths and weaknesses. Commercial anti-viral programs have a combination of the above mentioned functions. There are over ten good anti-viral programs. The best-known programs are Data Fellows F-Prot, EliaShim ViruSafe, ESaSS ThunderBYTE, IBM AntiVirus, McAfee Scan, Microsoft Anti-Virus, Symantec Norton AntiVirus and S&S Dr Solomon's AVTK. On a day-to-day basis, the average corporation should be very interested in the scan time; this strongly impacts the users, who should be scanning hard drives and disks on a daily basis. If a product takes too long to carry out these basic tasks, users will be unwilling to wait, and will stop using it. This is clearly undesirable - the perfect anti-virus product would be one which takes no time to run and finds all viruses.

5. How computer viruses have spread out around the world?

Computer viruses are a problem all over the world. The following picture tells us how many times people have accessed Data Fellows, a company that makes the anti-virus program F-Prot: more than 1,672,846 per month. It means that people are interested in virus information. One reason is that people have to deal with viruses. Viruses are not only a problem in Finland and the USA; they are a problem around the world.

Picture 4 Accesses per month

Today's most common virus is the macro virus. The Cap virus is one of the macro viruses. There were 3100 Cap macro virus accesses during the last 30 days in Data Fellows. The next most common virus was Join the Crew with 1171 accesses, and the third most common was Pen pal Greetings with 895 accesses.

Picture 5 Twenty most accessed virus descriptions during the last 30 days

6. Computer viruses and network security

Computer viruses are one network security problem. A few people, when asked if computer viruses can cause network security problems, answered as follows.

Dave Kenney answered from National Assoc: "There is one macro virus for MSWord that is received as an attachment to MS Mail messages. If a user has Word open, and double clicks to see the contents of the attachment, MS Word and the open document is infected. Then the document is mailed to three other users listed in the original user's address book."

"The only information that is leaked is the thing you should be worried about, your password! The trojan sends an E-mail to the hacker's fake name and then he has your account at his hands," wrote CJ from American Online.

"Rarely, a Word macro virus may accidentally pick up some user information and carry it along; we know of one case where a macro virus "snatched" an innocent user macro that contained a password, and spread it far outside the company where that happened. In the future, however, it is entirely possible that more network-aware viruses will cause significant network security problems," wrote David Chess from IBM.

Marko Helenius wrote from the Virus Research Unit that there have been some cases when hackers have used trojan horses to gain information. There is one example in one Finnish corporation where some money was transferred illegally a year ago. There has been a trojan in the University of Tampere too, where the trojan pretended to be a host transfer program. The trojan saved the user's login name and password to the hard disk.

7. Antivirus
Antivirus software consists of computer programs that attempt to identify, neutralize or eliminate malicious software. The term "antivirus" is used because the earliest examples were designed exclusively to combat computer viruses; however, most modern antivirus software is now designed to combat a wide range of threats, including worms, attacks, trojan horses and other malware.

Antivirus software typically uses two different approaches to accomplish this:
• examining (scanning) files to look for known viruses matching definitions in a virus dictionary, and
• identifying suspicious behavior from any computer program which might indicate infection.

The second approach is called heuristic analysis. Such analysis may include data captures, port monitoring and other methods. Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach. Although some people consider network firewalls to be a type of antivirus software, this categorization is not correct.

In the virus dictionary approach, when the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:
1. attempt to repair the file by removing the virus itself from the file,
2. quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread), or
3. delete the infected file.

To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically-minded and technically-inclined users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries.

Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. Note too that a System Administrator can typically schedule the antivirus software to examine (scan) all files on the computer's hard disk on a regular basis.
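The virus dictionary approach described above can be sketched as follows. This is an added example, not code from the original report or from any antivirus product; the dictionary entries, detection names and function names are constructed for illustration, and the byte patterns are harmless strings rather than real signatures.

```python
import os
import shutil

# Constructed dictionary: detection name -> byte pattern. Both patterns are
# harmless strings invented for this example, not real malware signatures.
VIRUS_DICTIONARY = {
    "Example.TestMarker.A": b"CONSTRUCTED-TEST-SIGNATURE-A",
    "Example.TestMarker.B": bytes.fromhex("deadbeef00c0ffee"),
}


def scan_file(path, dictionary=VIRUS_DICTIONARY, chunk_size=64 * 1024):
    """Return the sorted names of every dictionary entry found in the file."""
    # Carry the tail of each read into the next one, so a signature that
    # straddles two chunks is still matched.
    overlap = max((len(sig) for sig in dictionary.values()), default=1) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            found.update(n for n, sig in dictionary.items() if sig in window)
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def quarantine(path, quarantine_dir):
    """Quarantine action: move the file away and remove all access to it."""
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o000)  # no read/write/execute for anyone (POSIX)
    return dest


def scan_tree(root, quarantine_dir):
    """Scheduled-scan style pass: check each file under root, quarantine hits."""
    qdir = os.path.abspath(quarantine_dir)
    report = {}
    for dirpath, dirs, files in os.walk(root):
        # Never descend into the quarantine directory itself.
        dirs[:] = [d for d in dirs
                   if os.path.abspath(os.path.join(dirpath, d)) != qdir]
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = scan_file(path)
            if hits:
                report[path] = (hits, quarantine(path, quarantine_dir))
    return report
```

A file whose bytes match no dictionary entry passes untouched, which is why the approach depends on the periodic dictionary updates the text describes.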

Proprietary
• eScan AntiVirus
• ArcaVir by arcabit.com
• AVG Anti-Virus
• BullGuard
• CA Anti-Virus
• Cisco Security Agent
• Dr.Web
• DriveSentry (antivirus, antispyware and HIPS technologies)
• eSafe
• FortiClient End Point Security
• F-PROT
• F-Secure
• G DATA AntiVirus
• IKARUS antivirus
• INCA Internet
• Kaspersky Anti-Virus
• LinuxShield
• McAfee VirusScan
• Mks vir
• NOD32
• Norman ASA
• Norton AntiVirus
• PC Tools AntiVirus
• Rising AntiVirus
• Anti-Virus
• TrustPort Antivirus -AEC
• Vba32 AntiVirus
• Virus Chaser
• Windows Live OneCare
• ZoneAlarm

FreeWare
• Avira AntiVir Personal - Free Antivirus
• AOL Active Virus Shield (no longer available via AOL)
• AVG Anti-Virus Free (Registerware, Nagware)
• avast! Home (Registerware)
• BitDefender Free version does not provide real time scanning
• Comodo AntiVirus
• DriveSentry Fully functional free version
• F-PROT (for Linux, FreeBSD and DOS only)
• PC Tools AntiVirus Free Edition

Open
• Clam AntiVirus
• ClamWin
• OpenAntiVirus
• Winpooch
• Untangle

AbandonWare
• Cyberhawk (now ThreatFire AntiVirus)
• Eliashim (now eSafe)
• The Antidote and Antidote SuperLite

8. Antivirus databases
Kaspersky Lab has shortened its response time to the growing number and increasing speed of new threats by releasing an increased number of antivirus database updates. The number of new records in Kaspersky Lab’s antivirus database each month in 2006 varied from approximately 5,000 to tens of thousands towards the end of the year. The average monthly number of new records amounts to 7,240 (not counting records in the extended databases). The average monthly number of new records was 4,496 in 2005.

Number of new antivirus database records (yellow indicates standard databases; red indicates extended databases)

As the chart above shows, the number of monthly records in the antivirus databases increased irregularly over the course of the year. Each month with an increase was followed by a decrease. However, by the end of the year there was steady growth that led to a record high of over 10,000 new records per month.

Kaspersky Lab responds to the appearance of new malicious programs by releasing two types of antivirus database updates: standard updates (about once an hour) and urgent updates (in the event of an epidemic). The total number of standard database updates in 2006 exceeded 7,000, with a monthly average of 600.

Number of standard updates per month

As far as urgent updates are concerned, the data shown in the charts is particularly interesting for two reasons. First of all, they show the total number of “epidemiological” situations in 2006 and provide the opportunity to compare this information with figures from 2005. In addition, they can help us track and predict when epidemics are likely to occur.

Number of urgent updates per month

These numbers show that events linked to the release of urgent updates were almost 30% fewer in 2006 than in 2005. In 2005 we saw an average of over 30 urgent updates per month, but in 2006 the monthly average was under 20. These figures show that virus writers were particularly active twice in 2006: in February-April and again in October-December. The charts clearly show the traditional summer slow period in June and July.

9. Statistics
Monthly Malware Statistics for July 2008

The format of the 'Virus Top Twenty' reports from Kaspersky Lab has changed as of July 2008. The previous method used to compile these reports and to assess the current threat landscape was based on data generated by analysing email traffic and the files checked using our Online Scanner. However, this method no longer provides an accurate reflection of the changing nature of malicious threats; email is no longer the main attack vector, and our data shows that malicious programs make up a very small proportion of all mail traffic.

From July 2008 onwards, the Top Twenty will be composed using data generated by Kaspersky Security Network (KSN), a new technology implemented in the 2009 personal product line. This data not only makes it possible for Kaspersky Lab to get timely information about threats and to track their evolution, but also makes it possible for us to detect unknown threats, and roll out that protection to users, as quickly as possible.

The 2009 personal products haven't been officially launched in all countries, e.g. in Russia and the USA. The data presented in this report therefore provides an objective reflection of the threat landscape in the majority of European and Asian countries. However, in the near future, such reports will include data provided by users in other countries of the world. The data received from KSN in July 2008 has been used to compile the following rankings.

The first is a ranking of the most widespread malicious, advertising, and potentially unwanted programs. The figures given are a percentage of the number of computers on which threats were detected.

Position  Name
1         Trojan.Win32.DNSChanger.ech
2         Trojan-Downloader.WMA.Wimad.n
3         Trojan.Win32.Monderb.gen
4         Trojan.Win32.Monder.gen
5         not-a-virus:AdWare.Win32.HotBar.ck
6         Trojan.Win32.Monderc.gen
7         not-a-virus:AdWare.Win32.Shopper.v
8         not-a-virus:AdTool.Win32.MyWebSearch.bm
9         Trojan.Win32.Agent.abt
10        Worm.VBS.Autorun.r
11        Trojan.Win32.Agent.rzw
12        Trojan-Downloader.Win32.CWS.fc
13        not-a-virus:AdWare.Win32.Mostofate.cx
14        Trojan-Downloader.JS.Agent.bi
15        Trojan-Downloader.Win32.Agent.xvu
16        not-a-virus:AdWare.Win32.BHO.ca
17        Trojan.Win32.Agent.sav
18        Trojan-Downloader.Win32.Obitel.a
19        Trojan.Win32.Chifrax.a
20        Trojan.Win32.Agent.tfc

As the rating is only compiled using data received during the course of a single month, it's very hard to make any predictions. However, future reports will include such forecasts.

Overall, in July 2008, there were 20704 unique malicious, advertising, and potentially unwanted programs detected on users' computers. Our data indicates that out of these, approximately 20000 were found in the wild.

The second Top Twenty provides figures on the most common malicious programs among all infected objects detected.

Position  Name
1         Trojan.Win32.DNSChanger.ech
1         Virus.Win32..q
2         Worm.Win32.Fujack.ap
3         Net-Worm.Win32.Nimda
4         Virus.Win32.Hidrag.a
5         Virus.Win32.Neshta.a
6         Virus.Win32.Parite.b
7         Virus.Win32..z
8         Virus.Win32.Alman.b
9         Virus.Win32.Virut.n
10        Virus.Win32.Xorer.du
11        Worm.Win32.Fujack.aa
12        Worm.Win32.Otwycal.g
13        Worm.Win32.Fujack.k
14        Virus.Win32.Parite.a
15        Trojan-Downloader.WMA.GetCodec.d
16        Virus.Win32.Sality.l
17        Virus.Win32.Sality.s
18        Worm.Win32.Viking.ce
19        Worm.VBS.Headtail.a
20        Net-Worm.Win32.Allaple.b

The majority of the programs listed above are able to infect files. The figures given are interesting as they indicate the spread of threats which need to be disinfected, rather than simply dealt with by deleting infected objects.

Virus Top 20 for JULY 2008

Position  Change in position  Name                          Proactive Detection Flag  Percentage
1.        0                   Email-Worm.Win32.NetSky.q     Trojan.generic            23.12
2.        +1                  Email-Worm.Win32.NetSky.y     Trojan.generic            9.70
3.        +2                  Email-Worm.Win32.Scano.gen    Trojan.generic            9.63
4.        +4                  Email-Worm.Win32.Nyxem.e      Trojan.generic            6.75
5.        -3                  Email-Worm.Win32.NetSky.d     Trojan.generic            6.27
6.        Return              Email-Worm.Win32.NetSky.x     Trojan.generic            4.44
7.        -1                  Email-Worm.Win32.NetSky.aa    Trojan.generic            3.74
8.        Return              Email-Worm.Win32.NetSky.b     Trojan.generic            3.26
9.        -5                  Email-Worm.Win32..gt          Trojan.generic            2.75
10.       Return              Net-Worm.Win32.Mytob.u        Worm.P2P.generic          2.60
11.       +6                  Net-Worm.Win32.Mytob.         Trojan.generic            2.40
12.       0                   Email-Worm.Win32.Scano.bn     Trojan.generic            2.09
13.       Return              Email-Worm.Win32.NetSky.r     Trojan.generic            1.98
14.       +4                  Email-Worm.Win32.NetSky.t     Trojan.generic            1.94
15.       Return              Net-Worm.Win32.Mytob.bi       Trojan.generic            1.65
16.       -5                  Email-Worm.Win32.Bagle.gen    Trojan.generic            1.39
17.       -4                  Email-Worm.Win32.Mydoom.l     Worm.P2P.generic          1.19
18.       Return              Net-Worm.Win32.Mytob.t        Worm.P2P.generic          1.08
19.       -3                  Email-Worm.Win32.NetSky.c     Trojan.generic            0.97
20.       New!                Net-Worm.Win32.Mytob.cg       Worm.P2P.generic          0.90
Other malicious programs                                                              12.15

The May 2008 Email Top Twenty is a short one; this is explained by the well-known fact that virus writers take a break over the summer months. The complete absence of any epidemics in mail traffic, which is obvious from even a cursory glance at this month's rankings, bears this out. In fact, the only significant change to the rankings was caused by the re-entry of a few worms which have been in circulation for several years now.

Trojan-Downloader programs such as Agent.ica, Agent.hsl, and Diehard that were active during the first four months of 2008 disappeared without trace in May. The Warezov and Zhelatin worms have not reappeared since dropping out of the Top Twenty back in February. The authors have stopped sending out the executable components of the worms by email, confining themselves to distributing the code via links on infected websites. This does mean that the threat posed by malicious code in email has declined. However, phishing and spam continue to pose very real threats and have the potential to create just as big a problem for the end user.

Other malicious programs made up a significant percentage (12.15%) of all malicious code found in mail traffic.

Summary
• Moved up: Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.t.
• Moved down: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.NetSky.c.
• Returned: Email-Worm.Win32.NetSky.x, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.u, Email-Worm.Win32.NetSky.r, Net-Worm.Win32.Mytob.bi, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.cg.
• No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Scano.bn.

10. Conclusions
There are lots of viruses in the world and new viruses are coming up every day. New anti-virus programs and techniques are being developed too. It is good to be aware of viruses and other malware, and it is cheaper to protect your environment from them than to be sorry. There might be a virus in your computer if it starts acting differently. There is no reason to panic if a computer virus is found. It is good to be a little suspicious of malware when you surf the Internet and download files. Some files that look interesting might hide malware.

A computer virus is a program that reproduces itself, and its mission is to spread. Most viruses are harmless and some viruses might cause random damage to data files. A trojan horse is not a virus because it doesn't reproduce. Trojan horses are usually masked so that they look interesting. There are trojan horses that steal passwords and format hard disks. Macro viruses spread from applications which use macros. Macro viruses spread fast because people share so much data, email documents and use the Internet to get documents. Macros are also very easy to write.

Some people want to experiment with writing viruses and test their programming talent. At the same time they do not understand the consequences for other people, or they simply do not care. A virus's mission is to hop from one program to another, and this can happen via floppy disks, Internet FTP sites, newsgroups and email attachments. Viruses are mostly written for PC computers and DOS environments. Viruses are no longer something that only programmers and computer specialists have to deal with. Today everyday users have to deal with viruses.

11. Forecast
In light of all of the trends and events described above, we expect that in 2007 virus writers will continue to concentrate their efforts on various types of Trojans used to steal personal information. Attacks will largely be focused on the users of various banking and payment systems in addition to online gamers. Virus writers and spammers will continue to pool their efforts; this symbiotic relationship will lead to the use of infected computers both for organizing epidemics and attacks, and for sending spam.

Browser vulnerabilities and email will remain the primary infection vectors. The use of direct port attacks will be less widespread and will fully depend on critical vulnerabilities being discovered in Windows services. P2P networks or IRC channels will not be widely used to infect machines, but they will be to some extent, especially locally (for example, the P2P client Winny, which is very popular in Japan, could become a serious threat to Asian users in 2007). IM systems will remain in the top three most actively used means of attack, even though we do not expect to see any significant increase in malicious use.

Overall, epidemics and virus attacks will become defined in terms of geographical boundaries. For example, in-game Trojans and worms with virus functionality are typically seen in Asia, while Europe and the US tend to see Trojan spy programs and backdoors. South America is usually hit by a wide range of banking Trojans.

Without a doubt, the most important underlying theme of 2007 will be the new Microsoft Vista operating system and its vulnerabilities. Vista’s vulnerabilities and limitations will determine the development of the virus industry in the years to come. We do not expect to see any fast-moving or major changes, although this new OS will definitely define the trends in the year to come.

Malicious programs will continue to become more technically sophisticated and use methods to conceal their presence in infected systems.
Polymorphic code, code obfuscation and technologies will be even more widespread and their use will become standard in most new malicious programs. We can expect to see considerable growth in malicious programs for other operating systems, first and foremost for MacOS and *nix systems. Virus writers will also focus some efforts on gaming consoles like PlayStation and Nintendo. The increasing number of these types of devices and the opportunities to use them to interact online could attract the attention of virus writers, although most likely exclusively for “research” purposes only. It could happen that viruses for “non-computers” in 2007 will break through and transition into a phase of major development, although the chances are low, and developments will probably be limited to a large amount of proof of concept malware.

The number of targeted attacks aimed at medium-sized and large businesses will increase. In addition to traditional data theft, these attacks will be aimed at extorting money from the victim organizations, and will use encryption (i.e. ). One of the main infection vectors will be MS Office files and vulnerabilities in this suite of applications.