
On

Computer viruses

Table of contents
1. Introduction to Viruses
2. What Do Viruses Do?
3. Software Attacks Against Computer And Their Difference from Viruses
4. General Virus Behavior
5. Types of Virus
6. Working Procedure of Different Type of Virus
7. Diagnosis-Indication of Virus Infection
8. Recovery-Tips on Getting Rid of Virus Infection
9. Some Example of Real World Viruses
10. Conclusion

Introduction to Viruses:

Welcome! Viruses can seem mysterious but computer viruses are actually quite easy to understand. I'll give you the information you need to know to make sure that your PC is safe from viruses and all the other threats that may damage your programs and data. In these pages I'll explain exactly what viruses are, how they work, and how to protect against them. Viruses are actually very simple. Once you understand exactly what they can and cannot do, it's much easier to take appropriate precautions. While we'll be spending most of our time talking about viruses, I'll also cover the threats that are much more likely than viruses to damage your programs and data.

Although I'll occasionally touch on some rather esoteric or complex topics, you won't need to be a "techy" to understand this text or to find it useful in your day-to-day use of your computer. I will go one step at a time and I will explain all the concepts and jargon clearly before I use the terms. I'll also focus on practical information that will help you protect your PC. Everyone should benefit from reading these pages; those of you that are experts will be able to skip the background information, yet I will still explain everything clearly for those of you that are new to PCs.

You may even be wondering if viruses are really worth worrying about at all. Do you think you're safe because you rarely download software or buy only from a trusted retailer? Are viruses really a serious threat to your PC or are viruses mostly hype? Let me begin by quickly putting this issue into perspective. Viruses and anti-virus programs are not really the mysterious, complex, and hard to understand software that many people consider them to be. Not only can these programs be understood by anyone, but these days, it's critical that we all fully grasp how they work so as to protect ourselves.

Viruses:

Here's our definition: A virus is a program which reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed. You could also say that the virus must do this without the permission or knowledge of the user. A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing it can perform any function, such as erasing files and programs.

Our virus definition is very general and covers all viruses. Let's consider specifically how this works. Viruses are programs just like any other on your PC. They consist of instructions (what I like to call "code") that your computer executes. What makes viruses special is that they do their "job" by placing self-replicating code in other programs, so that when those other programs are executed, even more programs are "infected" with the self-replicating code. "Self-replicating code" is simply a program that copies itself to other programs. This self-replicating code, when triggered by some event, may do a potentially harmful act to your computer--but this is strictly optional. Only a minority of viruses contain deliberately destructive code.

You could say that viruses are distributed in the form of a Trojan. In other words, the virus code has been planted in some useful program. Since the virus infects other useful programs, absolutely any piece of executable code can suddenly become a Trojan delivery vehicle for the virus. Another way of looking at viruses is simply to consider them to be a program which can create copies of itself. These copies are inserted in other programs (infecting these programs). When one of these other programs is executed, the virus code (which was inserted in that program) executes, and places copies of itself in even more programs.

You'll notice that I used the word "attach" in our definition of a virus. This is because viruses can "attach" themselves to a program without directly modifying that program. This might seem hard to believe at this point, but I'll explain later exactly how they accomplish this trick. When you consider our definition of viruses, it's important to understand that "programs" may exist in places that you don't expect. For example, all diskettes contain boot sectors which are "programs" that are executed when you boot your PC, and Microsoft Office files (such as MS Word Documents and Excel Spread Sheets) can contain macros which are "programs" that can be executed when you open these files.

What Do Viruses Do?

I'm going to present an easy to understand but detailed explanation of viruses and other types of malicious software. For now, it's enough to understand that viruses are potentially destructive software that spreads from program to program or from disk to disk. Computer viruses, like biological viruses, need a host to infect; in the case of computer viruses this host is an innocent program. If such a program is transferred to your PC, other programs on your PC will become infected. (I'll shortly explain in more detail how this happens.)

Even though some viruses do not intentionally damage your data, I consider all viruses to be malicious software since they modify your programs without your permission with occasional disastrous results. The bottom line is that if you have a virus, you are no longer in control of your PC. Every time you boot your PC or execute a program the virus may also be executing and spreading its infection. While most viruses haven't been written to be destructive, almost all viruses can cause damage to your files--mostly because the viruses themselves are very poorly written programs. If viruses destroy nothing else, they destroy your trust in your PC--something that is quite valuable.

Software attacks against computer and their difference from viruses:

[Figure: Taxonomy of malicious programs]
Malicious programs
    Needs host program: Trap doors, Logic Bombs, Trojan Horses, Viruses
    Independent: Worm, Zombie

Viruses are one specific type of program written deliberately to cause harm to someone's computer or to use that computer in an unauthorized way. There are many forms of malicious software; sometimes the media calls all malicious software viruses, but it's important to understand the distinction between the various types. Let's examine the different types of malicious software:

Trap doors

A trap door is a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security access procedures. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access.

Logic Bombs

Just like a real bomb, a logic bomb will lie dormant until triggered by some event. The trigger can be a specific date, the number of times executed, a random number, or even a specific event such as deletion of an employee's payroll record. When the logic bomb is triggered it will usually do something unpleasant. This can range from changing a random byte of data somewhere on your disk to making the entire disk unreadable. The changing of random data on disk may be the most insidious attack since it would do a lot of damage before it would be detected.

Trojans

These are named after the Trojan horse which delivered soldiers into the city of Troy. Likewise, a Trojan program is a delivery vehicle for some destructive code (such as a logic bomb or a virus) onto a computer. The Trojan program appears to be a useful program, but when a certain event occurs, it will attack your PC in some way.

Viruses

Here's our definition: "A virus is a program which reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed." You could also say that the virus must do this without the permission or knowledge of the user.

Worms

A worm is a self-reproducing program which does not infect other programs as a virus will, but instead creates copies of itself, which create even more copies. These are usually seen on networks and on multi-processing operating systems, where the worm will create copies of itself which are also executed. Each new copy will create more copies, quickly clogging the system. The so called Morris ARPANET/INTERNET "virus" was actually a worm. It created copies of itself through the ARPA network, eventually bringing the network to its knees. It did not infect other programs as a virus would, but simply kept creating copies of itself which would then execute and try to spread to other machines.

Zombie

A zombie is a program that secretly takes over another internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial of service attacks, typically against targeted websites.

General Virus Behavior

Viruses come in a great many different forms, but they all potentially have three phases to their execution: the dormant phase, the infection phase and the attack phase.

Dormant Phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of disk exceeding some limit. Not all viruses have this phase.

Infection phase: When the virus executes it will infect other programs. What is often not clearly understood is precisely when it will infect the other programs. Some viruses infect other programs each time they are executed, other viruses infect only upon a certain trigger. This trigger could be anything; it could be a day or time, an external event on your PC, a counter within the virus etc. Some viruses are very selective about when they infect programs; this is vital to the virus's survival. If the virus infects too often, it is more likely to be discovered before it can spread far. Virus writers want their programs to spread as far as possible before anyone detects them. This brings up an important point which bears repeating: It is a serious mistake to execute a program a few times, find nothing infected and presume there are no viruses in the program. You can never be sure that the virus simply hasn't triggered its infection phase!

Many viruses go resident in the memory of your PC just as a terminate and stay resident (TSR) program such as Sidekick(R) does. This means the virus can wait for some external event such as inserting a diskette, copying a file, or executing a program to actually infect another program. This makes these viruses very dangerous since it's hard to guess what trigger condition they use for their infection. Resident viruses frequently corrupt the system software on the PC to hide their existence.

Execution phase: The second phase is the attack phase. Many viruses do unpleasant things such as deleting files or changing random data on your disk, simulating typos or merely slowing your PC down; some viruses do less harmful things such as playing music or creating messages or animation on your screen. Just as the virus's infection phase can be triggered by some event, the attack phase also has its own trigger. Viruses usually delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means that the attack may be delayed for years after the initial infection.

The attack phase is optional; many viruses simply reproduce and have no trigger for an attack phase. Does this mean that these are "good" viruses? No, unfortunately not! Anything that writes itself to your disk without your permission is stealing storage and CPU cycles. This is made worse since viruses which "just infect", with no attack phase, damage the programs or disks they infect. This is not intentional on the part of the virus, but simply a result of the fact that many viruses contain extremely poor quality code. One of the most common viruses, the STONED virus, is not intentionally harmful. Unfortunately the author did not anticipate other than 360K floppy disks, with the result that the virus will try to hide its own code in an area on 1.2mb diskettes which causes corruption of the entire diskette.

Now that we've examined general virus behavior, let's take a closer look at the two major categories of viruses and how they operate.

Types of viruses:

The most significant types of viruses are the following:

Boot sector virus: It infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.

Parasitic virus: The traditional and most common form of virus. It is also called a file virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.

Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software.

Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.

Working procedure of different types of viruses:

Only once we understand how the computer normally works will we be able to understand what abnormalities occur if a virus enters the computer. And then possibly we would be able to write the program to detect and remove these viruses. Let us begin with the boot-time procedure.

Boot sector virus:

Detailed Operations at Boot Time

The entire procedure can be divided into the following distinct steps:

a. When the machine is switched on the microprocessor passes the control to a set of routines called Power On Self Test (POST) routines. The POST routines perform a reliability test of the other ROM programs to find whether they are in order or not.
b. A ROM startup routine sets up the Interrupt Vector Table (IVT), with the address of ROM BIOS routines.
c. A ROM startup routine performs the RAM test and stores the base memory size at locations 0x413 and 0x410.
d. ROM startup routines check and initialize the standard equipment (like Keyboard, VDU, Floppy Disk Drive and Printer) and store a list of this equipment in memory at location 0x410.
e. The ROM startup routines check for non-standard equipment attached to the computer. If found, they momentarily transfer control to ROM extension routines. The ROM extension routines initialize the non-standard equipment (like hard disk) and hand the control back to the ROM startup routine.
f. A ROM startup routine reads from CMOS RAM (in case of AT and above) the system boot up sequence. Usually this sequence is A:, C: indicating that the system would first attempt to boot from the A drive and if it fails to do so then it would attempt to boot from the C drive. This sequence can be changed by the user. In case of an XT the booting sequence is always A:, C: and this sequence cannot be changed.
g. A ROM startup routine called Bootstrap Loader loads the contents of side 0, track 0, sector 1 of the first drive in the system boot up sequence.

Now there are two possibilities:

1. The first drive in the system boot up sequence is drive A.
2. The first drive in the system boot up sequence is drive C.

Let us now study the booting from these drives separately.

Booting From Floppy Drive

1. The Bootstrap Loader Program is a short and primitive program, smart enough to move the head of the disk drive to track 0, read the contents of the first physical sector of the disk into memory at a predetermined location, and pass control to it. Side 0, track 0, sector 1 of the floppy disk contains Boot Parameters and a Disk Bootstrap Program. Hence the Bootstrap Loader loads these into memory and hands over control to them. In the boot parameters the first three bytes contain a jump instruction. This instruction causes the control to jump to the Disk Bootstrap Program, bypassing the Boot Parameters which are placed after the jump instruction. The Disk Bootstrap Program's task is to load the file IO.SYS into memory. But it is handicapped because it doesn't know the exact location of IO.SYS on the disk, which depends upon:
   - Number of copies of FAT on the disk
   - Number of sectors occupied by each copy of FAT
   - Number of sectors occupied by the directory
   As we had seen earlier, these parameters vary from one type of disk to another. This is where the Boot Parameters come to the rescue of the Disk Bootstrap Program. Using the data in Boot Parameters it calculates the exact location of IO.SYS. Once this location has been found out, the actual loading of Operating System into the memory starts.
2. The Disk Bootstrap Program first examines whether the file IO.SYS is present on the disk or not. If present, it loads the file into memory and passes control to it. If absent, it flashes the familiar message:
   Non-system disk. Insert system disk and press any key
   On inserting the system disk and hitting a key it loads IO.SYS from the disk. As soon as IO.SYS is loaded, the Disk Bootstrap Program is wiped out from memory.
3. IO.SYS consists of two modules: Disk BIOS and SYSINIT. The SYSINIT module loads the file MSDOS.SYS from disk into memory and passes control to it.
4. MSDOS.SYS builds some internal data structures and work areas and then returns the control to SYSINIT. SYSINIT loads the file CONFIG.SYS from the root directory of the floppy. This optional file can contain a variety of commands that enable the user to customize the working environment. For instance the user may specify the number of disk buffers, the maximum number of files that can be opened, etc. If it is found, the entire CONFIG.SYS file is loaded into memory and each command in it is executed one line at a time.
5. SYSINIT then loads the Resident Portion of the file COMMAND.COM into memory. Once this portion is loaded, the SYSINIT module is discarded from memory and control is handed over to the Resident Portion.
6. The Resident Portion of COMMAND.COM loads the Transient Portion of COMMAND.COM into the high end of memory. High end here means the top of the base memory. The high end would vary from computer to computer since different computers are likely to have different base memory sizes. The Resident Portion figures out the high end from the base memory size stored at locations 0x413, 0x414 during RAM test. The Transient Portion of COMMAND.COM executes the file AUTOEXEC.BAT, if it is present in the root directory.
7. The Transient Portion of COMMAND.COM finally displays the DOS prompt.

Booting From a Hard Disk

While booting from a hard disk steps (a) through (g) given above remain the same. The rest of the steps are as follows:

1. Since the capacity of hard disks is huge, logical partitions are created on it to accommodate different operating systems. The information about where each partition begins and ends, the size of each partition, etc. is stored in a partition table in side 0, track 0, sector 1. This sector also contains a Master Boot Program. The partition table is 64 bytes long. The partition table also indicates which is the bootable partition.
2. The ROM Bootstrap Loading program loads the partition table and the Master Boot Program into memory and passes control to it.
3. The Master Boot Program finds out which is the bootable partition, loads the boot sector (containing Boot Parameters and Disk Bootstrap Program) from the bootable partition and passes control to it. Once the Disk Bootstrap Program receives the control the rest of the booting procedure is the same as in case of booting from a floppy disk.

Figure given below shows the booting procedure from a floppy disk and a hard disk for easy comparison.

That is how the computer boots up normally. It is this boot-time procedure which gets altered when either the master boot sector or the boot sector of the hard disk gets infected by the virus. On a floppy there is no master boot sector, therefore, only the boot sector of a floppy can get infected with a virus. The virus which infects the master boot sector is called 'Partition Table Virus', whereas the one which infects the boot sector is called 'Boot Sector Virus'. There is another variety called 'File Virus' which is deadlier than the boot sector and the partition table virus. How do these viruses work and how to eradicate them? Well, we will find out exactly how in the next article.

Booting From An Infected Disk:

An infected floppy disk may contain a virus in the boot sector, whereas an infected hard disk may contain a virus either in the partition table sector or in the boot sector or both. Whenever a disk is infected by a virus it ensures that the contents of the normal boot sector or the partition table sector are stored at some safe place on the disk. Assuming that the boot sector of a floppy/hard disk is infected by a virus let us see how the normal booting procedure would be altered. This procedure is as follows.

a. POST routines are executed.
b. IVT is set up with relevant address.
c. RAM test is performed and Base Memory size is stored at locations 0x413 and 0x414.
d. Standard equipment is initialized.
e. Non-standard equipment is initialized.
f. System boot up sequence is determined.
g. Contents of boot sector are loaded and control is passed to it. In case of floppy disk this loading would be done by the Bootstrap Loader Program, whereas in case of hard disk it is done by the Master Boot Program. Since we are assuming that the boot sector has been infected, the virus would get loaded in memory and control would be passed to it.
h. The virus gets loaded at a place in memory where the normal Disk Bootstrap Program is loaded. Ultimately the virus will have to bring the Disk Bootstrap Program in memory since it is this program which knows how to load the file IO.SYS. If the Disk Bootstrap Program is to enter memory at the same location where the virus is present right now then the virus is bound to get overwritten. This would virtually be suicide for the virus. It knows this thoroughly well and hence before loading Disk Bootstrap Program into memory it makes a copy of itself at the high end of memory. To figure out where the high end memory for a particular computer is, it takes the help of the base memory size stored at location 0x413 and 0x414. As you will see later there could be one more threat to the survival of the virus. To take care of this threat, once it makes a copy of itself at the high end it reduces the value of base memory size at location 0x413 and 0x414 by an amount equal to the size of the virus. A virus would like the control to reach it somehow or the other once the entire booting is complete. This it ensures by capturing a few interrupts. Note that reducing the base memory size and capture of interrupts has to be done by the virus before it loads the Disk Bootstrap Program.
i. The virus loads the Disk Bootstrap Program at a fixed location in memory, thereby overwriting the first copy of the virus. Control is handed over to the Disk Bootstrap Program.
j. The Disk Bootstrap Program loads the file IO.SYS.
k. The SYSINIT module of IO.SYS loads the file MSDOS.SYS from disk into memory and passes control to it.
l. MSDOS.SYS builds some internal data structure and work areas and then returns the control to SYSINIT. SYSINIT loads a file CONFIG.SYS from root directory and sets the environment.
m. SYSINIT then loads Resident Portion of the file COMMAND.COM into memory. Once the Resident Portion is loaded the SYSINIT module is discarded from memory and control is handed over to the Resident Portion.
n. The Resident Portion of COMMAND.COM loads the Transient Portion of COMMAND.COM into high end of memory. The Resident Portion figures out the high end from the base memory size stored at locations 0x413, 0x414. But since the virus has already reduced this value the Transient Portion gets loaded just below the virus.
o. The Transient Portion of COMMAND.COM executes the file AUTOEXEC.BAT, if it is present in the root directory.
p. The Transient Portion of COMMAND.COM finally displays the DOS prompt.

Thus, by the time we get the DOS prompt the virus has already managed to become active in memory. Let us now see how the virus spreads from one disk to another. The medium used by the virus to spread is the floppy disk. If we insert a clean uninfected disk when the virus is active in memory and attempt to perform any disk I/O the control would first reach the virus since it has already captured interrupt 19, the disk I/O interrupt. When the control reaches the virus it checks that the boot sector doesn't contain virus code and then makes a copy of itself in the boot sector of this clean disk. Before making the copy it takes care to copy the normal boot sector contents to some other sector on the disk. Once this is done the virus passes control to the normal ROM-BIOS disk I/O routine. Thus, the user feels that everything is fine since I/O has been performed successfully. However, the virus has managed to plant itself on a clean disk thereby infecting it. If we now take this infected disk to some other machine and try to boot the machine from that disk then the virus is bound to get loaded in memory. Once in memory, it would infect any clean disks that are used on this machine. This is how it manages to spread itself from one machine to another.

Working of A Partition Table Virus

When a virus infects the partition table sector it keeps the data area intact and replaces the Master Boot Program with the virus code. Before doing this it copies the contents of the partition table sector to some other location on the disk. This virus cannot afford to disturb the data area in the partition table sector since the bootstrap loader program relies on this data to determine the bootable partition. If you are lucky the machine may still boot but you may not be able to access any of your logical drives on the hard disk. A sure sign that something is seriously wrong with the partition table. And that would defeat that very purpose since a virus does not want you to know of its existence till it has destroyed some of your work.

Now during booting, the Bootstrap Loader Program loads the virus into memory. This virus does three things. First it loads itself at the high end of memory after checking the RAM size from location 0x413 and 0x414. The virus then reduces the RAM size in these two locations. As a result when the Transient Portion of COMMAND.COM is loaded it will be loaded below the virus. After reducing the base memory size it steals interrupt 19 and assigns the address of the virus code in place of the original address in the IVT. In much the same way as we did when we wrote TSR. So whenever a call is made to interrupt 19, first the virus code is executed followed by the actual ROM-BIOS routine. After reducing the memory size and capturing interrupts it proceeds to load the Master Boot Program in memory from the sector where it has been displaced by the virus. From here onwards the normal booting procedure is followed. The only difference is that when the Resident Portion of COMMAND.COM loads the Transient Portion it will read the reduced RAM size from locations 0x413 and 0x414 and hence would load the Transient Portion below the virus.

Let us now see what would happen if we attempt to copy a file to a floppy in drive A. When we give the copy command, an interrupt 19 would be generated. But since the address of the ROM-BIOS routine has been replaced by the address of the virus it's the virus which will get the control. And not knowing the difference the virus code would get executed. The virus checks the CPU registers and realizes that a write to A drive is being attempted. Hence it proceeds to copy itself in the first physical sector of the floppy, that is the boot sector. But before it does this it transfers the original contents of this sector to another area on the disk. It then hands over the control to the original routine in the ROM-BIOS. Thus a floppy gets infected.

If we attempt to boot another machine with this floppy the first sector containing the virus would get loaded in memory. Now the virus acts intelligently. It knows that it has been loaded from a floppy and hence proceeds to copy itself in the first physical sector of the hard disk, that is the partition table sector. Instead of copying itself in the partition table sector, some type of virus may copy itself in the first logical sector of the DOS partition, that is the boot sector. In either case before copying itself the virus would first displace the original contents of the sector to some other location. Once this is done it reduces the RAM size and steals some interrupts. Then back again to the floppy disk to load the original boot sector in memory.

Note that even if the infected disk is not a bootable disk and we attempt to boot from the floppy, the virus still manages to enter into the machine. This is because DOS flashes the 'Non-System Disk' error message only when it fails to load the file IO.SYS. By this time the virus has already reached the memory and taken over the control. Thus a non-bootable floppy may also infect your computer. This is how the virus spreads from one floppy to another, one machine to another, one installation to another and across the seas.
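Because the partition table virus described above swaps out the Master Boot Program but leaves the 64-byte partition table untouched, comparing the first sector of a disk against a known-good baseline exposes it. The following Python is an added example, not part of the original text: it assumes the standard PC layout (partition table at offset 0x1BE, 55 AA marker in the last two bytes), its function names are illustrative, and the sample sectors are constructed filler bytes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # boot code fills bytes 0..445, the table follows
ENTRY_SIZE = 16           # 4 entries x 16 bytes = the 64-byte partition table
SIGNATURE = b"\x55\xaa"   # marker in the last two bytes of the sector


def parse_mbr(sector):
    """Split a 512-byte master boot sector into boot code and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a master boot sector is exactly 512 bytes")
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
    partitions = []
    for index in range(4):
        raw = table[index * ENTRY_SIZE:(index + 1) * ENTRY_SIZE]
        first_lba, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"index": index, "status": raw[0], "type": raw[4],
                           "first_lba": first_lba, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "table_sha256": hashlib.sha256(table).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
        "partitions": partitions,
    }


def check_structure(mbr):
    """Sanity checks that need no baseline."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 55 AA boot signature")
    for part in mbr["partitions"]:
        if part["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x"
                            % (part["index"], part["status"]))
    active = sum(1 for part in mbr["partitions"] if part["status"] == 0x80)
    if active != 1:
        findings.append("%d bootable partitions, expected exactly 1" % active)
    return findings


def compare_to_baseline(baseline, current):
    """Report how the current sector differs from a known-good parse."""
    findings = check_structure(current)
    code_changed = baseline["boot_code_sha256"] != current["boot_code_sha256"]
    table_changed = baseline["table_sha256"] != current["table_sha256"]
    if code_changed and not table_changed:
        # The pattern the text describes: new boot program, data area intact.
        findings.append("boot code changed, partition table intact")
    elif code_changed:
        findings.append("boot code and partition table both changed")
    elif table_changed:
        findings.append("partition table changed, boot code intact")
    return findings


def build_sample_sector(boot_fill, entries):
    """Constructed test data: one repeated filler byte stands in for boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:TABLE_OFFSET] = bytes([boot_fill]) * TABLE_OFFSET
    for slot, (status, ptype, first_lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, ptype, first_lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def demo():
    layout = [(0x80, 0x06, 63, 204800)]            # one bootable partition
    baseline = parse_mbr(build_sample_sector(0x90, layout))
    altered = parse_mbr(build_sample_sector(0xCC, layout))
    return compare_to_baseline(baseline, altered)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline has to be captured from a machine booted from known-clean media, since a resident virus that has captured the disk I/O interrupt can hand back the saved original sector instead of the one on disk.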

Parasitic or File Viruses:

In terms of sheer number of viruses, these are the most common kind. The simplest file viruses work by locating a type of file that they know how to infect (usually a file name ending in ".COM" or ".EXE") and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered. The more sophisticated file viruses modify the program so that the original instructions are saved and executed after the virus finishes. Be aware that many file viruses (such as 4096 which is also known as Frodo) also infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have various extensions, but ".OVR" and ".OVL" are common examples.

Macro Viruses:

There is a particular type of file virus that many people don't understand. These are the files from the Microsoft Office applications (e.g., MS Word, MS Excel, MS Access, etc.). These programs all have their own macro languages (a BASIC like language) built in. The associated files (MS Word documents or templates and MS Excel spreadsheet files) are usually thought of only as data files so many people are surprised that they can be infected. But these files can contain programs (the macro language) that are executed when you load one of these files into the associated product. The program inside of these files is interpreted by the MS Office application.

What is now a language originally began as a very simple macro language that the user could use to combine keystrokes to automate some routine function. The macro language in these products has since grown substantially and now is a fully capable language based on Visual Basic (VBA). Since anything that contains a program can potentially be infected by a virus, these files can harbor viruses. A macro virus is particularly threatening for a number of reasons:

1. A macro virus is platform independent. Virtually all of the macro viruses infect MS Word documents. Any hardware platform and operating system that supports Word can be infected.
2. Macro viruses infect documents, not executable portions of code. Most of the information in the computer is stored in the form of documents, not programs.
3. Macro viruses are easily spread. A very common method is by electronic mail.

)tealth virus:
A &irus such as the one :ust descri4ed is easi$( detected 4ecause an infected &ersion of a rogram is $onger than the corres onding uninfected one. 8ne wa( thwart such a sim $e means of a detecting a &irus is to com ress the e1ecuta4$e fi$e so that 4oth the infected and uninfected &ersions are of identica$ $ength. !he fo$$owing diagram descri4es it more c$ear$(.

We assume that program P1 is infected with the virus CV. When the program is invoked, control passes to its virus, which performs the following steps:
• For each uninfected file P2 that is found, the virus first compresses that file to produce P2', which is shorter than the original program by the size of the virus.
• A copy of the virus is prepended to the compressed program.
• The compressed version of the original infected program, P1', is uncompressed.
• The uncompressed original program is executed.

[Figure: A compression stealth virus (CV prepended to the compressed programs P1' and P2')]
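The size comparison that the compression trick defeats can be set beside a content hash. The following is an added example, not code from the original text; it assumes the check reads the real on-disk bytes (for instance after booting from clean media), and the sample bytes, the inert stub and the zero padding are constructed for illustration.

```python
import hashlib
import zlib

def snapshot(data: bytes) -> dict:
    """Baseline record for one file: its length and a SHA-256 of its content."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def build_same_length_sample(original: bytes, stub: bytes) -> bytes:
    """Constructed test file laid out as the text describes: a prepended stub
    followed by the compressed original, so the total length is unchanged.
    Zero padding to the exact length is an assumption of this example."""
    packed = stub + zlib.compress(original, 9)
    if len(packed) > len(original):
        raise ValueError("original does not compress enough to keep the length")
    return packed + b"\x00" * (len(original) - len(packed))

def audit(baseline: dict, data: bytes) -> list:
    """Return which baseline checks notice a difference in `data`."""
    now = snapshot(data)
    findings = []
    if now["size"] != baseline["size"]:
        findings.append("size changed")
    if now["sha256"] != baseline["sha256"]:
        findings.append("content hash changed")
    return findings

# Constructed sample data: a compressible stand-in for a program file and an
# inert marker standing in for the prepended code.
CLEAN = b"MZ" + b"PRINT 'HELLO'; " * 200
STUB = b"<inert marker, not code>"
BASELINE = snapshot(CLEAN)

if __name__ == "__main__":
    print("untouched file :", audit(BASELINE, CLEAN))
    print("appended stub  :", audit(BASELINE, CLEAN + STUB))
    print("same length    :", audit(BASELINE, build_same_length_sample(CLEAN, STUB)))
```

A baseline that stores only the length reports nothing for the third case; the hash comparison still flags it.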

Polymorphic virus
A virus is said to be polymorphic if its code appears to be different every time it replicates (though generally each replication of the virus is functionally identical). This is usually achieved by encrypting the body of the virus and adding a decryption routine which is different for each replication. When a polymorphic virus replicates, a portion of the decryption code is modified. A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Additionally, random, do-nothing blocks of code can be embedded in the program and are shuffled around to further vary the signature. In essence, it looks like a different program to virus scanners.

Diagnosis-Indication of Virus Infection:
Lots of things can go wrong with computers, with most problems usually arising from software bugs or hardware malfunctions. However, when two or more troublesome virus-like symptoms appear at the same time, the odds of an infection increase; that's when you should check your system for a virus. Look for any of the following symptoms of virus infection:
1. Programs take longer than normal to load.
2. Disk accesses seem to be excessive for very simple tasks.
3. Unusual error messages appear.
4. Access lights come on when there is no obvious reason.
5. System memory is reduced.
6. Files mysteriously disappear.
7. Available disk space is reduced for no good reason.
8. Executable programs change size.
9. Icons change in appearance.

Recovery-Tips on Getting Rid of Virus Infections:

Removing Boot Sector Virus:
Remember that a boot sector virus attaches itself to instructions in the disk sector, which are loaded into memory immediately when the system is powered on. To remove this type of virus you must reverse the infection process, removing the virus and reinstalling the original boot sector code. To do this, follow these steps:
1. Use the DOS utility called the SYS command as follows: type the command SYS C: at the A> prompt. If the transfer has been completed smoothly, you get the response "System transferred".
2. The SYS command may not always remove the boot sector virus, so you may need to use a program that is designed for this task. One such program is called MDISK and can be downloaded from the Computer Virus Industry Association bulletin board.
3. The third and last option is to try to back up all your data files before carrying out the next step: reformatting the hard disk.

Removing Parasitic or File Virus:
Follow these steps to get rid of one of these viruses:
1. Power down your system. When you switch it on again, boot from a clean, write-protected operating system master diskette.
2. Use a virus scanning utility program to scan the files for these programs and identify which have been infected.
3. Delete each of these infected files from the system.
4. Get out your original documentation and disks for the application program. Use them to repeat the installation procedure so that the infected files are replaced by the original non-infected versions.

A Tip to Avoid the Macro Virus:
For Microsoft Office applications, there is a simple safety measure: Word or Excel will skip loading such a macro if the [SHIFT] key is held down while the file is being loaded from the File/Open dialog box. It does not necessarily work if the file is opened by double-clicking in File Manager or launched from ECSMail or a Web browser. For example, to open a Word document without automatically executing any macros:
1. Save it to a file
2. Start up Word
3. From the File menu, choose Open and select the file you wish to load
4. Hold down the [SHIFT] key and click on [OK]
5. Keep the [SHIFT] key depressed until the document has finished loading

Some Examples of Real World Viruses:

1. PrettyPark.exe

The W32/Pretty.virus is yet another one of those which spread by email. This virus infects only Windows 9x and NT users. It is believed to have originated in France almost a year ago. This virus arrives by email and its structure is something like below.

Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)
A file named: 'prettypark.exe'

As soon as you execute this prettypark.exe attachment, the dreaded virus will start its process of infecting your system. This file, when executed, copies itself to the file FILES32.VXD in the c:\windows\system directory. To ensure that the file FILES32.VXD (which is the virus itself) is executed whenever any .EXE file is run, it modifies the following Registry key:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open

In this key, it changes the key value of 'command' from "%1" %* to FILES32.VXD "%1" %*. As a result of this Registry editing, every .EXE file that is executed will in turn be infected by this virus. Once it has infected a system, this virus will automatically try to email itself every 30 minutes to all the email addresses in Outlook Express's Address Book, thus spreading itself to all quarters of the Internet. This feature or behavior is quite common amongst other email-borne viruses. This is how they spread themselves and keep alive.

Removal Instructions

Pretty Park, like some other intelligent viruses, does not allow users to remove references to itself from the registry. One trick which antiviral organizations have discovered is that if the Registry Editor is renamed from regedit.exe to regedit.com (on Win9x systems) and from regedit32.exe to regedit32.com (on NT systems) then we can still view the entire Windows registry. Run the Windows Registry Editor, i.e. Regedit.exe on Win9x and regedit32.exe on NT. Make sure that you reboot in MS-DOS from the startup disk and then launch the Registry Editor. Now remove references to the worm from the following Registry keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

To remove the references to the Trojan, change the value of the above key from FILES32.VXD "%1" %* to "%1" %* (note the space in between the new value).

All software or services which are referred to in the following Registry keys start automatically with Windows. So make sure that the following keys have no reference to the virus:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Also delete any references to the virus from the following:
1. Open WIN.INI in Notepad and in the 'run=' line under the [windows] section look for any reference to the Trojan.
2. Now open SYSTEM.INI and in the 'shell=' line under the [boot] section, remove all references except the reference to Explorer.exe.

Then look for the following Registry key:

HKEY_CLASSES_ROOT\.dl

This key is not found on all systems. If you find it, delete it. Now reboot and delete the Trojan .exe file itself. If you followed the above procedure correctly without any errors, then the worm will be deleted; otherwise you will get an error message. Also delete the c:\windows\system\Files32.vxd file.
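The registry checks in the removal steps above can be run against an exported .reg file instead of by eye. This is an added example, not part of the original text: it assumes a REGEDIT4-style text export, the two sample exports and the "SampleLoader" value name are constructed, and only the key paths, the FILES32.VXD name and the expected "%1" %* value come from the text.

```python
import re

EXPECTED_EXE_COMMAND = '"%1" %*'  # normal value, as given in the text
COMMAND_KEYS = {
    r"hkey_classes_root\exefile\shell\open\command",
    r"hkey_local_machine\software\classes\exefile\shell\open\command",
}
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text, marker="files32.vxd"):
    """Flag a changed exefile open command and autostart values naming marker."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if key in COMMAND_KEYS and name == "(Default)":
            if data != EXPECTED_EXE_COMMAND:
                findings.append(("exefile command changed", key, data))
        elif key.endswith(AUTOSTART_SUFFIXES) and marker in data.lower():
            findings.append(("autostart entry names marker", key, name))
    return findings

# Constructed REGEDIT4 exports for illustration (not from a real machine).
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SampleLoader"="C:\\WINDOWS\\SYSTEM\\FILES32.VXD"
'''
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

Calling audit_reg_export(INFECTED_EXPORT) returns one finding for the changed command value and one for the autostart entry; the clean export returns an empty list.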

2. Disk Killer:-

The Disk Killer is a boot sector virus and the most destructive of the new strains to emerge in late 1989. When it activates, it displays the following message:

Disk killer version 1.0 From ogre computers Now killing disk. Please do not power Down your system.

Ten seconds before the message is displayed, Disk Killer has initiated a low-level format of the hard disk. Powering down immediately when the warning appears on the screen is not effective, as everything on the disk has been destroyed before you can react.

3. Dark Avenger:-

Dark Avenger is a .COM and .EXE file infector that promises to be a steadily increasing problem because it is both very infectious and destructive. Dark Avenger seeks new host programs at virtually any moment of application program activity, including loading, executing, and transferring code or data between systems.

4. Zero bug:-

The Zero Bug is another .COM infector from Europe. It originates and destroys data both quickly and efficiently. We should be particularly concerned about Zero Bug because it incorporates a new method of outwitting many of the virus detection programs now on the market. Some detection programs rely on monitoring program size to identify hidden infections. Many viruses attach and conceal themselves within the code of application programs, inevitably increasing the size of those programs above the manufacturer's standard. The Zero Bug hides in application programs, but it may go undetected by changing a program's new identification details back to the manufacturer's standard. This is one of the most ingenious and effective methods of concealing a virus. It automatically renders obsolete many antiviral programs and utilities that rely entirely on snapshots, checksums, or other devices to compare the status of a program against the original specification to seek symptoms of a virus infection.

5. Alabama:-

The Alabama is a .COM and .EXE file infector that also introduced a new disturbing device. Whenever files are copied or otherwise activated on an infected system, Alabama renames them, giving them the name of another existing file on the victim's system. Soon all the data file listings are scrambled: the data is still there, but you cannot access it effectively because you do not know under what file name it is stored.

6. Yankee Doodle

The Yankee Doodle is, fortunately, an innocuous virus in its original form. It is activated by a computer's internal clock; at 5 p.m. it causes the tune “Yankee Doodle Dandy” to be played over the computer's speaker. Initially, this virus did not destroy data or overload systems by replicating out of control.

7. Sunday:-

As the name implies, the Sunday virus activates when the internal clock of the system it has infected reaches Sunday. Upon activation of Sunday, the operator is then greeted by the following message:

Today is Sunday. Why are you working? All work and no play make you a dull boy.

Before or during the display of the message, the Sunday virus has garbled the FAT (file allocation table) section of the operating system so that files cannot be located.

8. Ghost:-

Ghost infects both boot sectors and the .COM files on disks and floppies. So in addition to using the SYS command to disinfect the boot sector, it is also necessary to remove all infected .COM files.

9. Brain:-

Brain is another boot sector infector that is also called “Pakistani Brain” or the “Basit” after its creators in Lahore, Pakistan, who were the only ones ever to put their names, address, and telephone number in the copyright on a virus. But it was the time of 1986, when a virus was not yet perceived to be a major threat that could expose its creator to retribution if caught. Basit and Amjad Alvi installed the Brain on pirated software that they sold from their Brain Software & Computer Services shop in Lahore. Tourists could not resist the temptation of being able to purchase copies of WordPerfect and other popular proprietary software for a few bucks and so snapped up the infected disks. One pirated program can breed many others, and so the Brain spread like a bushfire around the world, and was renamed the Hard Disk Brain, the Clone, the Shoe, and the Houston virus as it acquired more capabilities to infect and cause damage. All versions of Brain retain the original's clever techniques of replicating quickly whenever it finds a hospitable environment and concealing itself to avoid detection. The Brain takes immediate control of the system by infecting the boot sector of the disk, then extends that control by splitting itself up into sections of programming that are hidden in various places on the disk, which are then flagged as bad sectors so that they cannot be read by the user.

[Figure: Pakistani Brain Infection (labels: Boot Sector, Linkage To Virus Remainder, Additional Linkage)]

Conclusion:
In just over a decade, most of us have become familiar with the term computer virus. Even those of us who don't know how to use a computer have heard about viruses through Hollywood films such as Independence Day or Hackers (though Hollywood's depiction of viruses is usually highly inaccurate). International magazines and newspapers regularly have virus scares as leading stories. There is no doubt that our culture is fascinated by the potential danger of these viruses. Many people believe the worst a virus can do is format your hard disk. In fact, this type of payload is now harmless for those of us who back up our important data. Much more destructive viruses are those which subtly corrupt data. Consider, for example, the effects of a virus that randomly changes numbers in spreadsheet applications by plus or minus 10% at stockbrokers. But don't lay the blame for viruses on the technology or the machines that execute that technology. The fundamental truth about computer viruses is that they are a people problem. People create viruses for various reasons. People disseminate virus infections either deliberately or as a result of the very human traits of innocence, ignorance, or carelessness. And the people who are the potential victims of this phenomenon can acquire the knowledge to turn a real threat into a reasonably calculated risk that they can

