Sie sind auf Seite 1von 16


This document covers the basics on computer viruses. Computer Virus is a kind of malicious software written intentionally to enter a computer without the user’s permission or knowledge, with an ability to replicate itself, thus continuing to spread. Some viruses do little but replicate others can cause severe harm or adversely affect program and performance of the system. A virus should never be assumed harmless and left on a system. You have heard about them, read the news reports about the number of incidents reported, and the amount of damage they inflict. Maybe you have even experienced one firsthand. And if you haven’t, count yourself fortunate. Computer viruses are real— and they’re costly. Springing up seemingly from nowhere, spreading like wildfire; computer viruses attack computer systems lightly or heavily, damaging files and rendering computers and networks unusable. They proliferate through e-mail, Internet file downloads, and shared diskettes. And they don’t play favorites; your home computer is just as likely as a Fortune 500 company’s network to experience an infection.


A computer virus is a computer program. , a block of executable code, which attach itself to, overwrite or otherwise replace another program in order to reproduce itself without a knowledge of a PC user .The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. As stated above, the term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.



The first academic work on the theory of computer viruses (although the term "computer virus" was not invented at that time) was done by John von Neumann in 1949 who, held lectures at the University of Illinois about the "Theory and Organization of Complicated Automata". The work of von Neumann was later published as the "Theory of self-reproducing automata". In his essay von Neumann postulated that a computer program could reproduce.

The actual term 'virus' was first used in David Gerrold's 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off.



The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies. Creeper infected DECPDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.


The Brain boot sector virus (aka Pakistani flu) was released. Brain is considered the first IBM PC compatible virus and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani, Pakistani Brain, as it was created in Lahore, Pakistan by 19 year old Pakistani programmer, Basit Farooq Alvi, and his brother, Amjad Farooq Alvi.

Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.

Appearance of the Vienna virus, which was subsequently neutralizedthe first time this had happened on the IBM platform.

Christmas Tree EXEC was the first widely disruptive replicating network program, which paralyzed several international computer networks in December 1987.



Mark Washburn working on an analysis of the Vienna and Cascade viruses with Ralf Burger develops the first family of polymorphic virus: the Chameleon family.

In 1995 the first Macro virus, called "Concept," is created. It attacked Microsoft Word documents.

"Ply" - DOS 16-bit based complicated polymorphic virus appeared with built-in permutation engine.

2000 and later


The I LOVE YOU worm appears. As of 2004 this was the most costly virus to businesses, causing upwards of 5.5 to 10 billion dollars in damage.


February 11: The Anna Kournikova virus hits e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook address book.

October 26: The Klez worm is first identified. It exploits vulnerability in Microsoft Internet Explorer and Microsoft Outlook and Outlook Express.


Beast is a Windows based backdoor Trojan horse, more commonly known as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows OS i.e. 95 through XP. Written in Delphi and Released first by its author Tataye in 2002, its most current version was released October 3, 2004


June 13: ProRat is a Turkish-made Microsoft Windows based backdoor Trojan horse, more commonly known as a RAT (Remote Administration Tool).


Late January: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm.

August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan Horse that is known to cause popup and advertising for rogue antispyware programs.



Late 2005: The Zlob Trojan, also known as Trojan. Zlob is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005.

2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor Trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer.


February 16: discovery of the first-ever malware for Mac OS X, a low-threat Trojan-horse known as OSX/Leap-A or OSX/Oompa-A, is announced.


January 17: Storm Worm identified as a fast spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, comprised between 1 and 10 million computers by September.


February 17: Mocmex is a Trojan, which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame

March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse that affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.

May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.


July 15: Symantec discovered Daprosy Worm. Said Trojan worm is intended to steal online-game passwords on internet cafes.


February 18: Microsoft announced that a BSoD problem on some windows machines which was triggered by a batch of Patch Tuesday updates was caused by the Alureon Trojan



There are Different Types of Computer Viruses could be classified considering origin, techniques, types of files they infect, where they hide, the kind of damage they cause, the type of operating system or platform they attack etc.

Most common types of viruses are mentioned below:

1.Resident Viruses This type of virus is a permanent which dwells in the RAM memory. From there it can overcome and interrupt all of the operations executed by the system: corrupting files and programs that are opened, closed, copied, renamed etc. examples include: Randex, CMJ, Meve, and MrKlunky.

2.Direct Action Viruses the main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

3.Overwrite Viruses Virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

4. Boot Virus This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk,

in which information on the disk itself is stored together with a program that makes it possible to boot (start) the computer from the disk. The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never start your computer with an unknown floppy disk in the disk drive. Examples of boot viruses include: Polyboot.B, AntiEXE.

5. Macro Virus Macro viruses infect files that are created using certain applications or programs that contain

macros. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one. Examples of macro viruses: Relax, Melissa.A, Bablas, and O97M/Y2K.



Directory Virus

Directory viruses change the paths that indicate the location of a file. By executing a program (file with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly running the virus program, while the original file and program have been previously moved by the virus.

Once infected it becomes impossible to locate the original files.

7.Polymorphic Virus Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for anti- viruses to find them using string or signature searches (because they are different in each encryption) and also enables them to create a large number of copies of themselves. Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

8. File Infectors

This type of virus infects programs or executable files (files with an .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belongs to this

category, and can be classified depending on the actions that they carry out.

9. Companion Viruses

Companion viruses can be considered file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they "accompany" the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident viruses) or act immediately by making copies of themselves (direct action viruses).Some examples include: Stator, Asimov.1539, and


10. FAT Virus

The file allocation table or FAT is the part of a disk used to connect information and is a vital part of the normal functioning of the computer. This type of virus attack can be especially dangerous,

by preventing access to certain sections of the disk where important files are stored. Damage caused can result in information losses from individual files or even entire directories.

11. Worms

A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to negative effects on your system and most importantly they are detected and eliminated by antivirus. Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson.


12. Trojans or Trojan Horses Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses

do not reproduce by infecting other files, nor do they self-replicate like worms.

13. Logic Bombs

They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive.

once certain conditions have been met. Logic bombs go undetected until launched, and the results can




A computer virus is, in many ways, similar to the biological viruses that attack human bodies.

A biological virus isn’t truly a living, independent entity. A virus is nothing more than a fragment of DNA sheathed in a protective jacket. It reproduces by injecting its DNA into a host cell. The DNA then uses the host cell’s normal mechanisms to reproduce itself. A computer virus is like a biological virus in that it also isn’t an independent entity; it must piggyback on a host (another program or document) in order to propagate. Many viruses are hidden in the code of legitimate software programsprograms that have been “infected,” that is. These viruses are called file infector viruses, and when the host program is launched, the code for the virus is also executed, and the virus loads itself into your computer’s memory. From there, the virus code searches for other programs on your system that it can infect; if it finds one, it adds its code to the new program, which, now infected, can be used to infect other computers.

This entire process is shown in Figure

virus programe is lunched virus code is loaded into pc memory virus delivers its destructive
virus programe is lunched
virus code is loaded into pc memory
virus delivers its destructive payload
virus copies itself to other programe

If all a virus did, was copy itself to additional programs and computers, there would be little harm done, save for having all our programs get slightly larger. Unfortunately, most viruses not only replicate themselves, they also perform other operationsmany of which are wholly destructive. A virus might, for example, delete certain files on your computer. It might overwrite the boot sector of your hard disk, making the disk inaccessible. It might write messages on your screen, or cause your system to emit rude noises. It might also hijack your e-mail program and use the program to send itself to all your friends and colleagues, thus replicating itself to a large number of PCs. Viruses that replicate themselves via e-mail or over a computer network cause the subsidiary problem of increasing the amount of Internet and network traffic. These fast-replicating virusescalled wormscan completely overload a company network, shutting down servers and forcing tens of thousands of user’s offline. While no individual machines might be damaged, this type of communications disruption can be quite costly. As you might suspect, most viruses are designed to deliver their payload when they’re first executed. However, some viruses won’t attack until specifically prompted, typically on a predetermined date or day of the week. They stay on your system, hidden from sight


like a sleeper agent in a spy novel, until they’re awoken on a specific date; then they go about the work they were programmed to do. In short, viruses are nasty little bits of computer code, designed to inflict as much damage as possible, and to spread to as many computers as possiblea particularly vicious combination.


Viruses are software programs, and they can do the same things as any other programs running on a computer. The actual effect of any particular virus depends on how it was programmed by the person who wrote the virus. Some viruses are deliberately designed to damage files or otherwise interfere with your computer's operation, while others don't do anything but try to spread themselves around. But even the ones that just spread themselves are harmful, since they damage files and may cause other problems in the process of spreading. But viruses can't do any damage to hardware, they won't melt down your CPU or burn out your drive.


Not a month goes by without another big-time virus scare. Tens of millions of computers are infected by computer viruses every year. In 2001, 2.3 million computers were infected by the SirCam virus, and another million computers were hit by CodeRed. Even worse, the LoveLetter virus hit an estimated 45 million computerson a single day in 2000. ICSA Labs (, a leading provider of security research, intelligence, and certification, found that the rate of virus infection in North America in 2001 was 113 infections per 1000 computersmeaning that more than 10% of all computers they surveyed had been hit by a virus. And this rate is increasing; ICSA says that the likelihood of contracting a computer virus has doubled for each of the past five years. Viruses hit the corporate world especially hard; a single infected computer can spread the virus among the entire corporate network. (, a company specializing in virus protection, estimates that two-third of U.S. companies are attacked by viruses each year. A third of those companies reported that viruses knocked out their servers for an average of 5.8 hours per infection, and 46% of the companies required more than 19 days to completely recover from the virus incident. These incidents come with a heavy cost. The research firm Computer Economics (www estimates that companies spent $10.7 billion to recover from virus attacks in 2001. Technology magazine The Industry Standard ( puts the cost much higher, at upwards of $266 billion. Whatever the real number, it’s clear that computer viruses are costly to all concernedin terms of both money and the time required to clean up after them. Just look at the costs inflicted by individual viruses. For example, Computer Economics estimates that the Nimda virus alone cost companies $590 million in cleanup costs; CodeRed and LoveLetter were even more costly, running up costs of $2.6 billion apiece. To an individual company, these costs can be


staggering. ICSA Labs estimates that virus cleanup costs large companies anywhere from $100,000 to $1 million each per year. That’s real money. Unfortunately, this problem doesn’t look like it’s going to go away. In fact, the problem just keeps getting worse. To date, more than 53,000 different viruses have been identified and catalogued with another half-dozen or so appearing every day.

Diagnosing a Virus Infection-

How does one know if his/her computer has been infected with a virus? In short, if it starts acting funny, doing anything it didn’t do before, then a probable cause is some sort of computer virus. Here are some symptoms to watch for:

Programs quit working or freeze up.

Documents become inaccessible.

Computer freezes up or won’t start properly.

The CAPS LOCK key quits workingor works intermittently.

Files increase in size.

Frequent error messages appear onscreen.

Strange messages or pictures appear onscreen.

Your PC emits strange sounds.

Friends and colleagues inform you that they’ve received strange e-mails from you, that You don’t remember sending.



With dangerous viruses on the network, what can computer users do to protect their systems? Here are just a few hints:

Don’t assume anything. Make some time to learn about securing your system.

Acquire and use a reliable antivirus program. Select an antivirus that has a consistent track record.

Acquire and use a reliable firewall solution. Again, independent reviewers are your best bet for reasonable choices. Some operating systems come with a firewall which only filters incoming traffic. Use a firewall that can control both incoming and outgoing Internet traffic.

Do not open e-mails coming from unknown or distrusted sources. Many viruses spread via e- mail messages so please ask for a confirmation from the sender if you are in any doubt.

Do not open the attachments of messages with a suspicious or unexpected subject. If you want to open them, first save them to your hard disk and scan them with an updated antivirus program.

Delete any chain e-mails or unwanted messages. Do not forward them or reply to their senders. This kind of messages is considered spam, because it is undesired and unsolicited and it overloads the Internet traffic.

Avoid installing services and applications which are not needed in day-by-day operations in a desktop role, such as file transfer and file sharing servers, remote desktop servers and the like. Such programs are potential hazards, and should not be installed if not absolutely necessary.

Update your system and applications as often as possible. Some operating systems and applications can be set to update automatically. Make full use of this facility. Failure to patch your system often enough may leave it vulnerable to threats for which fixes already exist.

Do not copy any file if you don't know or don't trust its source. Check the source (provenance) of files you download and make sure that an antivirus program has already verified the files at their source.

Make backups of important personal files (correspondence, documents, pictures and such) on a regular basis. Store these copies on removable media such as CD or DVD. Keep your archive in a different location than the one your computer is in.



An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware). Anti-virus software typically uses two different techniques to accomplish this:

Examining files to look for known viruses by means of a virus dictionary

Identifying suspicious behavior from any computer program which might indicate infection

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.


In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can then either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file. To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis. Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.



The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings.

If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has especially been made worse over the past 7 years, since many more nonmalicious program designs chose to modify other .exes without regards to this false positive issue. Thus, most modern antivirus software uses this technique less and less.


Some antivirus-software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears as a virus (it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in

a lot of false positives. Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analyzed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.



Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need of all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc. User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need of anti-virus software. Computer users should not always run with administrator access to their own machine. If they would simply run in user mode then some types of viruses would not be able to spread. There are various methods of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses. Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.



Computer viruses are malicious computer programs, designed to spread rapidly and deliver various types of destructive payloads to infected computers. Viruses have been around almost as Long as computers themselves, and they account for untold billions of dollars of damage every year. While there are many different types of viruses, the best protection against them is to exhibit extreme caution when downloading files from the Internet and opening e-mail attachments and to religiously avail yourself of one of the many antivirus software programs currently on the market.