
ADBM/BIS

WANG QI YUE

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. However, the term "virus" is commonly used to refer to many different types of malware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus.

A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can also spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, instant messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. They typically take up computer memory used by legitimate programs. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

The way a virus spreads to other computers varies with the type of virus. There are many types of virus, and I am going to explain some of them.

Program virus - becomes active when a program infected with a virus is run. Once a program virus is active, it will usually infect other programs on the computer. If a copy of an infected program is moved to and run on another computer, it can then infect programs on that computer.

Boot sector virus - infects hard disks and diskettes. If a computer is re-booted or its power is turned on while an infected diskette is in its disk drive, the virus will spread to the hard disk, even if the diskette is not capable of starting up the computer. Once the hard disk is infected, all diskettes used in the computer will be infected and can spread the infection to other computers.

Macro virus - becomes active when a document infected with the virus is opened using the program it is designed to attack. The program must have its ability to run macros enabled (turned on). Generally, when a virus in a document becomes active, it will spread to global settings for the application so that other documents will become infected when they are opened. When an infected document is opened on another computer, the global settings used by that copy of the application will be infected as well.

E-mail virus - spreads through e-mail messages and usually replicates by automatically mailing itself to all entries in the victim's e-mail address book.

Worm - replicates itself using existing security holes on systems attached to a network. It scans the network for computers that will let it exploit the security hole to infect them. Then, from the newly infected computers, it continues to probe the network for other vulnerable systems.

Trojan horse - cannot usually replicate itself. However, it can still damage your computer.

More precisely, there are two areas of infection.

Nonresident viruses - Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses - Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently.

There are some prevention measures against viruses. Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses.

The first, and by far the most common, method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update.

The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect viruses that anti-virus security firms have yet to create a signature for.

Some anti-virus programs are able to scan opened files, in addition to sent and received e-mails, "on the fly" in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to protect against the latest threats.

There are two ways to treat a LAN that has been infected.

Network Infection Handling - A network worm uses the local network (LAN) to spread itself, so to stop its spreading it is advised to temporarily take down the network until all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers and ruin all previous disinfection attempts. However, if F-Secure Anti-Virus version 5.40 or a later version is installed on computers connected to a local network, it is recommended to set the disinfection action of the On-Access Scanner (OAS) to 'Disinfect Automatically'. This setting protects clean workstations connected to an infected network from further re-infection by a network worm.

Automatic Disinfection - Usually standalone malware (backdoors, worms, Trojans, etc.) is automatically removed by F-Secure Anti-Virus (FSAV) starting from version 5.40.

Malware files get automatically renamed by FSAV, so they cannot be started any more. In some rare cases, when automatic disinfection is not possible, a user can select the disinfection action himself or herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure.

Recommendation

There are four major steps to keep a virus from taking over your computer. Firstly, install and run an anti-virus. Secondly, update the anti-virus. Thirdly, run regular scans, and lastly, keep Windows up to date.

A firewall can protect your computer from malicious traffic. A hardware firewall/router (such as the many offerings of companies like Linksys, D-Link, SMC, and others) acts as a barrier between the outside world and your computer.

Running any program that arrives via e-mail or that was downloaded from the Internet can be dangerous. Only run applications that you wish to grant complete access to your computer and the data contained on it.

Choose a better browser: Mozilla's Firefox is available for almost every operating system and has many security and privacy advantages.

Become a smarter computer user with regard to security issues.

(1,465 Words)
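The signature-based detection method described in the prevention section above, together with its limit that users are only protected from viruses that pre-date their last definition update, as an added example (not part of the original essay and not any vendor's scanner). The class name SignatureDB, the detection names and the sample byte strings are constructed for illustration and are harmless.

```python
import hashlib

# Constructed, harmless byte strings standing in for samples (assumption).
SAMPLE_A = b"MZ\x90\x00header...CONSTRUCTED-MARKER-ALPHA...payload"
SAMPLE_A_VARIANT = SAMPLE_A + b"\x00padding"   # same body, trivially altered file
SAMPLE_B = b"MZ\x90\x00header...CONSTRUCTED-MARKER-BETA...payload"
CLEAN = b"MZ\x90\x00header...ordinary program bytes"


class SignatureDB:
    """A definition list: whole-file hashes and byte patterns mapped to names."""

    def __init__(self):
        self.hashes = {}     # sha256 hex digest -> detection name
        self.patterns = {}   # characteristic byte substring -> detection name

    def add_sample(self, name, data, pattern):
        """Record a known sample by file hash and by a byte pattern inside it."""
        if pattern not in data:
            raise ValueError("pattern must occur in the sample")
        self.hashes[hashlib.sha256(data).hexdigest()] = name
        self.patterns[pattern] = name

    def scan(self, data):
        """Return (name, method) for the first matching signature, else None."""
        name = self.hashes.get(hashlib.sha256(data).hexdigest())
        if name:
            return name, "hash"
        for pattern, name in self.patterns.items():
            if pattern in data:
                return name, "pattern"
        return None


def demo():
    db = SignatureDB()
    db.add_sample("Test.Alpha", SAMPLE_A, b"CONSTRUCTED-MARKER-ALPHA")
    before = {label: db.scan(data) for label, data in
              [("a", SAMPLE_A), ("a_variant", SAMPLE_A_VARIANT),
               ("b", SAMPLE_B), ("clean", CLEAN)]}
    # Definition update: SAMPLE_B is detected only once its signature ships.
    db.add_sample("Test.Beta", SAMPLE_B, b"CONSTRUCTED-MARKER-BETA")
    return before, db.scan(SAMPLE_B)


if __name__ == "__main__":
    print(demo())
```

The altered copy of the first sample no longer matches the whole-file hash and is caught only by the byte pattern, while the second sample goes undetected until the definition list is updated.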

