CPIC 1

CLASSES OF MALICIOUS SOFTWARE


Two of the most common types of malware are viruses and worms.
These types of programs are able to self-replicate and can spread
copies of themselves, which might even be modified copies. To be
classified as a virus or worm, malware must have the ability to
propagate. The difference is that a worm operates more or less
independently of other files, whereas a virus depends on a host
program to spread itself. These and other classes of malicious software
are described below.
Viruses
A computer virus is a type of malware that propagates by
inserting a copy of itself into and becoming part of another
program. It spreads from one computer to another, leaving
infections as it travels.
Worms
Computer worms are similar to viruses in that they replicate
functional copies of themselves and can cause the same type of
damage.

In contrast to viruses, which require the spreading of an infected
host file, worms are standalone software and do not require a
host program or human help to propagate.

To spread, worms either exploit a vulnerability on the target
system or use some kind of social engineering to trick users into
executing them.

Trojans
A Trojan is another type of malware named after the wooden
horse the Greeks used to infiltrate Troy.

It is a harmful piece of software that looks legitimate. Users are
typically tricked into loading and executing it on their systems.

After it is activated, it can achieve any number of attacks on the
host, from irritating the user (popping up windows or changing
desktops) to damaging the host (deleting files, stealing data, or
activating and spreading other malware, such as viruses).

Trojans are also known to create back doors to give malicious
users access to the system.

Unlike viruses and worms, Trojans do not reproduce by infecting
other files, nor do they self-replicate. Trojans must spread through
user interaction such as opening an e-mail attachment or
downloading and running a file from the Internet.

Bots
"Bot" is derived from the word "robot" and is an automated
process that interacts with other network services. Bots often
automate tasks and provide information or services that would
otherwise be conducted by a human being. A typical use of bots
is to gather information (such as web crawlers), or to interact
automatically with instant messaging (IM), Internet Relay Chat
(IRC), or other web interfaces. They may also be used to
interact dynamically with websites.

Bots can be used for either good or malicious intent. A malicious
bot is self-propagating malware designed to infect a host and
connect back to a central server or servers that act as a
command and control (C&C) center for an entire network of
compromised devices, or "botnet."

Best Practices for Combating Viruses, Worms, Trojans, and Bots
The first step to protecting your computer is to ensure that
your OS is up to date. This means regularly applying the most
recent patches and fixes recommended by the OS vendor.

Secondly, you should have antivirus software installed on your
system and download updates frequently to ensure that your
software has the latest fixes for new viruses, worms, Trojans, and
bots.

Additionally, you want to make sure that your antivirus program
can scan e-mail and files as they are downloaded from the
Internet. This will help prevent malicious programs from reaching
your computer. You may also want to consider installing
a firewall.

SPYWARE
Spyware is software that aids in gathering information about a person
or organization without their knowledge and that may send such
information to another entity without the consumer's consent, or that
asserts control over a computer without the consumer's knowledge. [1]
"Spyware" is mostly classified into four types: system monitors,
trojans, adware, and tracking cookies. [2] Spyware is mostly used for
the purposes of tracking and storing Internet users' movements on the
Web and serving up pop-up ads to Internet users.
Additional Definitions and References

Exploit
An exploit is a piece of software, a command, or a methodology that
attacks a particular security vulnerability. Exploits are not always
malicious in intent; they are sometimes used only as a way of
demonstrating that a vulnerability exists. However, they are a common
component of malware.
Back Door
A back door is an undocumented way of accessing a system, bypassing
the normal authentication mechanisms. Some back doors are placed in
the software by the original programmer and others are placed on
systems through a system compromise, such as a virus or worm.
Usually, attackers use back doors for easier and continued access to a
system after it has been compromised.
COMPUTER VIRUS
A computer virus is a program designed to damage or sabotage the
computer as well as the computer's files. It is also designed to attach
itself to other programs and replicate by itself.
The DIFFERENT CLASSIFICATIONS OF VIRUS PROGRAMS
1. Boot sector virus is a computer virus which has the ability to
damage the master boot record of the hard drive or diskettes.
2. Parasitic virus is a virus type that can infect command and
executable files.
3. Macro virus is a virus type that can infect documents which are
created in Microsoft Office professional programs.
4. Logical virus is a virus that has the ability to delete the host file
and create new infected files.
5. Trojan virus is a virus type that has the ability to reformat your
HDD and reprogram your computer's BIOS.
6. Sleeping virus (Live and Die) is a virus that activates only at
a certain date and time depending on the system clock.
7. Compression virus is a virus type which is capable of
compressing your files after infection.
8. Email virus is a virus type that can damage email files from
the internet.
9. Multi-partite virus is a virus type that has the characteristics of
both a hardware virus and a file virus.
10. Polymorphic or Mutation virus (Hide & Seek) is a virus
type that has the ability to elude detection by changing its
characteristics from virus to good file.

11. Stealth virus (buffered virus) is a virus type that has the
ability to intercept the interrupt table of the computer, which is
located at the beginning of the computer's memory. It also has the
ability to control the system by redirecting the interrupt calls,
and the ability to hide in order to escape detection.
HOW DOES A VIRUS INFECT A PROGRAM?
Two phases of infection:
Action - the virus program must be executed by the user or execute
by itself, and attach its structure to the computer's memory for
further infections.
Replicate - the virus program produces an infected program or file.

Marker bytes - information located at the beginning of a file by
which the virus program determines whether that file can be
infected or not.
Virus signature - a byte added by the virus which indicates that the
file is an infected file.
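The marker bytes and virus signature described above are exactly what a signature-based scanner looks for from the defender's side. The following is an added example written for this handout, not code from the handout itself: the marker bytes, the signature patterns and the sample "files" are constructed byte strings for illustration, not real virus data. It checks each file for a marker at a fixed offset and for known signature patterns anywhere in the file, and records a SHA-256 hash so that a flagged file can be identified again later.

```python
# Added example (not from the handout): a minimal signature scanner that
# checks for the "marker bytes" and "virus signature" the text describes.
# All sample files, marker bytes and signatures below are constructed for
# illustration and are not real virus data.
import hashlib

# Hypothetical marker: an infected sample carries this byte pattern at a
# fixed offset near the start of the file (the marker a virus checks so it
# does not re-infect the same file twice). A scanner can use the same check.
MARKER_OFFSET = 2
MARKER_BYTES = b"\xCA\xFE"

# Hypothetical signatures: name -> byte pattern that may appear anywhere.
SIGNATURES = {
    "Demo.Parasitic": b"DEMO-PARASITIC-SIG",
    "Demo.Macro": b"AutoOpen:DEMO-MACRO",
}


def has_marker(data: bytes) -> bool:
    """True if the fixed-offset infection marker is present."""
    return data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER_BYTES)] == MARKER_BYTES


def find_signatures(data: bytes) -> list:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan(name: str, data: bytes) -> dict:
    """Scan one file's contents and return a report dictionary."""
    hits = find_signatures(data)
    marker = has_marker(data)
    return {
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "marker": marker,
        "signatures": hits,
        "infected": marker or bool(hits),
    }


# Constructed sample "files" (byte strings standing in for real files).
SAMPLE_FILES = {
    "calc.com": b"MZ\x00\x00" + b"\x90" * 32,
    "game.exe": b"MZ" + MARKER_BYTES + b"\x90" * 16 + b"DEMO-PARASITIC-SIG" + b"\x00" * 8,
    "report.doc": b"\xD0\xCF\x11\xE0" + b"AutoOpen:DEMO-MACRO" + b" some text ",
}


def scan_all(files=SAMPLE_FILES) -> dict:
    """Scan every sample file and return {name: report}."""
    return {name: scan(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for result in scan_all().values():
        status = "INFECTED" if result["infected"] else "clean"
        print(f"{result['file']:<12} {status:<9} marker={result['marker']} "
              f"sigs={result['signatures']} sha256={result['sha256'][:16]}...")
```

The scanner is only as good as its pattern list: the polymorphic and stealth viruses listed above are precisely the cases where a fixed byte pattern no longer matches, which is why real antivirus products combine signatures with behavioural checks and frequent signature updates.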
CHARACTERISTICS OF VIRUS
1. A virus program can modify other programs by binding its
structures into those programs.
2. A virus program can execute the modification on a number of
programs.
3. A virus program can recognize the modification done by another
virus.
4. A virus program can prevent further modification upon
recognition.
5. A virus program can damage computer peripherals and files.
PROTECTION STRATEGIES
1. Always back up your files.
2. Purchase and use virus detection software.
3. Be careful of files downloaded from the internet.
4. Be careful of shareware software.
5. Purchase your software only from dependable developers.
6. Do not load your original files on a computer which is unknown to
you.

7. Do not permit others to load their USB flash drives, diskettes, and
other removable storage in your computer without scanning them
first.
8. Make your COM and EXE files read-only.
9. Keep informed.
SOURCES OF VIRUS
1. Email attachment
2. Internet
3. Downloaded files
4. Shared network
5. Computer labs

TOP TEN MOST DESTRUCTIVE COMPUTER VIRUSES

1. ILOVEYOU (2000)
Estimated Damage: 10 to 15 billion dollars
Also known as Loveletter and The Love Bug, this was a Visual Basic
script with an ingenious and irresistible hook: the promise of love.
On May 3, 2000, the ILOVEYOU worm was first detected in Hong
Kong. The bug was transmitted via e-mail with the subject line
"ILOVEYOU" and an attachment, Love-Letter-For-You.TXT.vbs. Similar
to Melissa, the virus mailed itself to all Microsoft Outlook contacts.

The virus also took the liberty of overwriting music files, image files,
and others with a copy of itself. More disturbingly, it searched out user
IDs and passwords on infected machines and e-mailed them to its
author.
An interesting footnote: Because the Philippines had no laws against
virus-writing at the time, the author of ILOVEYOU was not charged for
this crime.
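The ILOVEYOU attachment name, Love-Letter-For-You.TXT.vbs, is the classic double extension: a name that ends in a document-looking ".TXT" to the eye but actually ends in the script extension ".vbs". The following is an added example, not code from the handout, of the attachment policy a mail gateway can apply to stop that lure before it reaches Outlook. The extension lists and the sample messages are constructed for illustration; only ".vbs" and the ILOVEYOU file name come from the handout.

```python
# Added example, not from the handout: a mail-gateway style attachment policy
# for the kind of lure ILOVEYOU used (Love-Letter-For-You.TXT.vbs).
# The extension lists and sample messages below are constructed for
# illustration; adapt them to your own environment.

# Extensions that run code when opened on a Windows desktop. The handout
# mentions .vbs (ILOVEYOU); the other entries are assumed additions.
EXECUTABLE_EXTENSIONS = {"vbs", "pif", "exe", "scr", "bat", "cmd", "js", "com"}

# Extensions a user expects to be a harmless document or media file.
DOCUMENT_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "gif", "mp3", "xls"}


def classify_attachment(filename: str) -> list:
    """Return the policy reasons for blocking this attachment (empty list = allow)."""
    reasons = []
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        # Double extension: a document-looking name that really ends in an
        # executable one, e.g. something.TXT.vbs.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguises executable as document")
    return reasons


def filter_message(subject: str, attachments: list) -> dict:
    """Apply the policy to one message; 'deliver' is False if anything is blocked."""
    blocked = {}
    for name in attachments:
        reasons = classify_attachment(name)
        if reasons:
            blocked[name] = reasons
    return {"subject": subject, "blocked": blocked, "deliver": not blocked}


# Constructed sample messages: (subject, attachment names)
SAMPLE_MESSAGES = [
    ("ILOVEYOU", ["Love-Letter-For-You.TXT.vbs"]),
    ("Thank you!", ["thank_you.pif"]),
    ("Q3 report", ["report.doc"]),
    ("Re: your order", ["invoice.pdf", "invoice.pdf.exe"]),
]


def run_filter(messages=SAMPLE_MESSAGES) -> list:
    """Run the policy over every sample message and return the verdicts."""
    return [filter_message(subject, names) for subject, names in messages]


if __name__ == "__main__":
    for result in run_filter():
        verdict = "deliver" if result["deliver"] else "block"
        print(f"{verdict:<8} {result['subject']!r} {result['blocked']}")
```

Blocking on the final extension alone would already have stopped ILOVEYOU; the double-extension rule is there so that the log explains why a file the user perceived as a text document was held, which is the information the help desk needs when the user asks for it back.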
2. Sobig.F (2003)
Estimated Damage: 5 to 10 billion dollars, over 1 million PCs
infected

The Sobig worm hit right on the heels of Blaster, making August
2003 a miserable month for corporate and home PC users. The most
destructive variant was Sobig.F, which spread so rapidly on August
19 that it set a record (which would later be broken by MyDoom),
generating over 1 million copies of itself in its first 24 hours.
The virus infected host computers via innocuously named e-mail
attachments such as application.pif and thank_you.pif. When activated,
this worm transmitted itself to e-mail addresses discovered on a host
of local file types. The end result was massive amounts of Internet
traffic.

On September 10, 2003, the virus deactivated itself and is no longer
a threat. Microsoft (NSDQ:MSFT) has announced a $250,000 bounty
for anyone who identifies Sobig.F's author, but to date, the
perpetrator has not been caught.
3. Blaster (2003)
Estimated Damage: 2 to 10 billion dollars, hundreds of thousands
of infected PCs
The summer of 2003 was a rough time for businesses running PCs.
In rapid succession, IT professionals witnessed the unleashing of
both the Blaster and Sobig worms. Blaster, also known as Lovsan or
MSBlast, was the first to hit. The virus was detected on August 11
and spread rapidly, peaking in just two days. Transmitted via
network and Internet traffic, this worm exploited a vulnerability in
Windows 2000 and Windows XP, and when activated, presented the
PC user with a menacing dialog box indicating that a system
shutdown was imminent.
Hidden in the code of MSBLAST.EXE -- the virus' executable -- were
these messages: "I just want to say LOVE YOU SAN!!" and "billy gates
why do you make this possible? Stop making money and fix your
software!!"

The virus also contained code that would trigger a distributed denial of
service attack on windowsupdate.com on April 15, but Blaster had
already peaked and was mostly contained by then.

4. Code Red
Estimated Damage: 2.6 billion dollars
Code Red was a computer worm that was unleashed on network
servers on July 13, 2001. It was a particularly virulent bug because
of its target: computers running Microsoft (NSDQ: MSFT)'s Internet
Information Server (IIS) Web server. The worm was able to exploit a
specific vulnerability in the IIS operating system. Ironically, Microsoft
had released a patch addressing this hole in mid-June.
Also known as Bady, Code Red was designed for maximum damage.
Upon infection, the Web site controlled by the affected server would
display the message, "HELLO! Welcome to http://www.worm.com!
Hacked By Chinese!" Then the virus would actively seek other
vulnerable servers and infect them. This would go on for approximately
20 days, and then it would launch denial of service attacks on certain
IP addresses, including the White House Web server. In less than a
week, this virus infected almost 400,000 servers, and it's estimated
that one million total computers were infected.

5. CIH (1998)
Estimated Damage: 20 to 80 million dollars worldwide, countless
amounts of PC data destroyed
Unleashed from Taiwan in June of 1998, CIH is recognized as one of
the most dangerous and destructive viruses ever. The virus infected
Windows 95, 98, and ME executable files and was able to remain
resident in a PC's memory, where it continued to infect other
executables. What made CIH so dangerous is that, shortly after
activated, it would overwrite data on the host PC's hard drive,
rendering it inoperable. It was also capable of overwriting the BIOS
of the host, preventing boot-up. Because it infected executable files,
CIH wound up being distributed by numerous software distributors,
including a demo version of an Activision game named Sin. CIH is
also known as the Chernobyl virus because the trigger date of
certain strains of the virus coincides with the date of the Chernobyl
nuclear reactor accident. The virus is not a serious threat today,
thanks to increased awareness and the widespread migration to
Windows 2000, XP, and NT, none of which are vulnerable to CIH.

6. Melissa (1999)
Estimated Damage: 300 to 600 million dollars
On Friday, March 26, 1999, W97M/Melissa became front-page news
across the globe. Estimates have indicated that this Word macro
script infected 15 to 20 percent of all business PCs. The virus spread
so rapidly that Intel (NSDQ: INTC), Microsoft (NSDQ:MSFT), and a
number of other companies that used Outlook were forced to shut
down their entire e-mail systems in order to contain the damage.
The virus used Microsoft Outlook to e-mail itself to 50 names on a
user's contact list. The e-mail message contained the sentence, "Here
is that document you asked for...don't show anyone else. ;-)," with an
attached Word document. Clicking open the .DOC file -- and thousands
of unsuspecting users did so -- allowed the virus to infect the host and
repeat the replication. Adding insult to injury, when activated, this virus
modified users' Word documents with quotes from the animated TV
show "The Simpsons."

7. SQL Slammer (2003)
Estimated Damage: Because SQL Slammer erupted on a Saturday, the
damage was low in dollars and cents. However, it hit 500,000 servers
worldwide, and actually shut down South Korea's online capacity for
12 hours
SQL Slammer, also known as Sapphire, was launched on January 25,
2003. It was a doozy of a worm that had a noticeable negative
impact upon global Internet traffic. Interestingly enough, it didn't
seek out end users' PCs. Instead, the target was servers. The virus
was a single-packet, 376-byte worm that generated random IP
addresses and sent itself to those IP addresses. If the IP address was
a computer running an unpatched copy of Microsoft's SQL Server
Desktop Engine, that computer would immediately begin firing the
virus off to random IP addresses as well.
With this remarkably effective way of spreading, Slammer infected
75,000 computers in 10 minutes. The outrageously high amounts of
traffic overloaded routers across the globe, which created higher
demands on other routers, which shut them down, and so on.
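The propagation pattern just described, one host firing a single identical packet at address after address chosen at random, is visible in flow logs long before the routers overload, and the same fan-out test also catches the network scanning attributed to Blaster and Sasser later on this list. The following is an added example, not code from the handout: a sliding-window detector that flags any source reaching many distinct destinations within a few seconds and reports whether every packet had the same size. The flow records are constructed with a fixed random seed; the port number, window and threshold are placeholders chosen for the demonstration, not values taken from the Slammer worm.

```python
# Added example, not from the handout: a flow-log detector for the propagation
# pattern described above (one source firing single packets at many random
# addresses within seconds). All flow records are constructed with a fixed
# random seed; the port number and thresholds are placeholders, not Slammer
# specifics.
import random
from collections import defaultdict, deque


def detect_fanout(flows, window=10.0, threshold=20) -> dict:
    """Flag every source that reaches >= threshold distinct destinations
    within `window` seconds.

    flows: iterable of (seconds, src_ip, dst_ip, dst_port, payload_bytes).
    Returns {src_ip: {"distinct": n, "at": t, "sizes": {bytes: count}}}; the
    "sizes" histogram shows whether every packet had the same length, which is
    what a single-packet worm looks like.
    """
    recent = defaultdict(deque)   # src -> deque of (t, dst, size) inside the window
    alerts = {}
    for t, src, dst, _dport, size in sorted(flows):
        q = recent[src]
        q.append((t, dst, size))
        while q and t - q[0][0] > window:   # drop records older than the window
            q.popleft()
        distinct = {d for _, d, _ in q}
        if len(distinct) >= threshold and src not in alerts:
            sizes = {}
            for _, _, s in q:
                sizes[s] = sizes.get(s, 0) + 1
            alerts[src] = {"distinct": len(distinct), "at": t, "sizes": sizes}
    return alerts


def build_sample_flows() -> list:
    """Constructed traffic: one normal client and one worm-like host."""
    rng = random.Random(7)
    flows = []
    # Normal client: repeated requests to three servers over a minute.
    servers = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]
    for i in range(40):
        flows.append((i * 1.5, "10.0.0.9", rng.choice(servers), 5000,
                      rng.choice([120, 400, 900])))
    # Worm-like host: one 376-byte packet to each of 30 random addresses in 3 s.
    for i in range(30):
        dst = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append((20.0 + i * 0.1, "10.0.0.5", dst, 5000, 376))
    return flows


if __name__ == "__main__":
    for src, info in detect_fanout(build_sample_flows()).items():
        print(f"ALERT {src}: {info['distinct']} distinct destinations by "
              f"t={info['at']:.1f}s, packet sizes={info['sizes']}")
```

The normal client never trips the rule because it keeps talking to the same three servers, while the worm-like host is reported as soon as its twentieth distinct destination appears, about two seconds into the burst. In production the window and threshold are tuned per network segment, and the alert is what lets an operator block the source at the edge router instead of waiting for the routers to fall over.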

8. BAGLE (2004)
Estimated Damage: Tens of millions of dollars...and counting
Bagle, a classic but sophisticated worm, made its debut on January
18, 2004. The malicious code infected users' systems via the
traditional mechanism -- an e-mail attachment -- and then scoured
Windows files for e-mail addresses it could use to replicate itself.
The real danger of Bagle (a.k.a. Beagle) and its 60 to 100 variants is
that, when the worm infects a PC, it opens a back door to a TCP port
that can be used by remote users and applications to access data --
financial, personal, anything -- on the infected system. According to an
April 2005 TechWeb story, the worm is "usually credited with starting
the malware-for-profit movement among hackers, who prior to the
ground-breaking worm, typically were motivated by notoriety."
The Bagle.B variant was designed to stop spreading after January
28, 2004, but numerous other variants of the virus continue to
plague users to this day.
9. MYDOOM (2004)
Estimated Damage: At its peak, slowed global Internet
performance by 10 percent and Web load times by up to 50 percent
For a period of a few hours on January 26, 2004, the MyDoom
shockwave could be felt around the world as this worm spread at an
unprecedented rate across the Internet via e-mail. The worm, also
known as Norvarg, spread itself in a particularly devious manner: It
transmitted itself as an attachment in what appeared to be an email error message containing the text "Mail Transaction Failed."
Clicking on the attachment spammed the worm to e-mail addresses
found in address books. MyDoom also attempted to spread via the
shared folders of users' Kazaa peer-to-peer networking accounts.
The replication was so successful that computer security experts
have speculated that one in every 10 e-mail messages sent during
the first hours of infection contained the virus. MyDoom was
programmed to stop spreading after February 12, 2004.
10. Sasser (2004)
Estimated Damage: Tens of millions of dollars

Sasser began spreading on April 30, 2004, and was destructive
enough to shut down the satellite communications for some French
news agencies. It also resulted in the cancellation of several Delta
airline flights and the shutdown of numerous companies' systems
worldwide.
Unlike most previous worms, Sasser was not transmitted via e-mail and
required no user interaction to spread. Instead the worm exploited a
security flaw in non-updated Windows 2000 and Windows XP systems.
When successfully replicated, the worm would actively scan for other
unprotected systems and transmit itself to them. Infected systems
experienced repeated crashes and instability.

Sasser was written by a 17-year-old German high school student, who
released the virus on his 18th birthday. Because he wrote the code
when he was a minor, a German court found him guilty of computer
sabotage but gave him a suspended sentence.
