CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [51]
Understand the Difference between a Virus and a Worm
A virus and a worm are similar in that they're both forms of malicious software (malware). A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and runs, and spreads, whenever that program is run. Examples of virus carrier programs are macros, games, e-mail attachments, Visual Basic scripts, and animations.
A worm is often classed as a type of virus, but the distinguishing feature is that it's self-replicating: a worm spreads from system to system automatically, typically over the network, whereas a virus needs a host program (and usually a user action such as opening a file) in order to spread. Viruses and worms both execute without the knowledge or consent of the end user.
Understand the Types of Viruses
Viruses are classified according to two factors: what they infect and how they infect. A virus can infect the following components of a system:
■ System sectors
■ Files
■ Macros (such as Microsoft Word macros)
■ Companion files (supporting system files like DLL and INI files)
■ Disk clusters
■ Batch files (BAT files)
■ Source code
How a Virus Spreads and Infects the System
A virus infects through interaction with an outside system. Viruses are categorized according to their infection technique, as follows:
Polymorphic viruses These viruses encrypt their body with a different key on each infection and often mutate the decryptor as well, so successive copies share few constant bytes for a signature to match.
Stealth viruses These hide the normal signs of infection: for example, the virus intercepts reads of an infected file and returns the original contents, or preserves the file's original size and time and date stamp, so the infected file is not noticed as a new or changed file on the system.
Fast and slow infectors A fast infector infects every program that is opened or even just read (so a full antivirus scan can itself spread it); a slow infector infects only files that are being created or modified, so its changes blend in with legitimate writes.
Sparse infectors These viruses infect only occasionally (for example, every nth execution, or only files in a certain size range) to keep their activity below the level that gets noticed.
Armored viruses These use encryption, obfuscation, and anti-debugging tricks that make the virus hard to disassemble and analyze, slowing the production of a signature.
Multipartite viruses These advanced viruses infect in more than one way at once, typically both the boot sector and executable files, so cleaning only one location leaves the other to reinfect the system.
Cavity (space-filler) viruses These viruses write themselves into empty (padding) areas of files, so the file size does not change.
Tunneling viruses These get underneath antivirus monitoring by intercepting interrupt handlers or system calls directly, so their file and disk activity is not seen by the monitor.
Camouflage viruses These viruses appear to be another, legitimate program.
NTFS and Active Directory viruses These specifically attack the NT file system or Active Directory on Windows systems.
Understand Antivirus Evasion Techniques
An attacker can write a custom script or virus that won't be detected by antivirus programs. Virus detection and removal are based on a signature of the program: a characteristic byte pattern extracted from a known sample. Until the new virus is captured and antivirus companies have a chance to update their virus definitions, it goes undetected. This allows an attacker to evade antivirus detection and removal for a period of time, and recompiling, packing, or re-encrypting the same code produces a new sample that the old signature no longer matches.
Understand Virus Detection Methods
The following techniques are used to detect viruses:
■ Scanning files and memory for known virus signatures
■ Integrity checking with checksums (comparing each file's current hash against a baseline taken while the system was clean)
■ Interception, which monitors for virus-like behavior such as a program attempting to modify another executable, and blocks or alerts on it
The process of virus detection and removal is as follows:
1. Detect the attack as a virus. Not all anomalous behavior can be attributed to a virus.
2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map commonalities (processes, loaded DLLs, open handles, listening ports) between affected systems.
3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, or shared library files should be checked.
4. Acquire the infection vector and isolate it. Then, update your antivirus definitions and rescan all systems.
A harmless test file can be created by typing the following 68-character EICAR test string as the only contents of a file in Notepad and saving it as EICAR.COM. It is not a real virus; antivirus vendors agree to detect this exact string so that scanners can be tested safely. Your antivirus program should respond when you attempt to save, open, run, or copy it.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
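To make the detection methods above concrete (signature scanning and integrity checking), and to show why the polymorphic and signature-evasion points hold, here is an added example that is not code from the review guide. It runs a toy signature scanner and a checksum baseline over an in-memory set of "files" (a dict of path to bytes, so nothing is written to disk), and models a polymorphic copy as the same body XOR-encrypted with a per-infection key behind a constant decryptor stub. The EICAR string is the standard antivirus test string; the demo payload, its signature, the stub layout and every file name are invented for this example.

```python
"""Added example, not code from the review guide.

A toy signature scanner, a toy polymorphic encoder and a checksum-based
integrity check, run over an in-memory "file system" (a dict of path ->
bytes, so nothing touches disk). The EICAR string is the standard antivirus
test string; the demo payload, its signature, the decryptor stub layout and
all file names are invented for this example.
"""
import hashlib

# Standard EICAR test string (split across two literals only for line length).
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Hypothetical virus body and the byte pattern a vendor might extract from it.
PAYLOAD = b"\x90\x90\xeb\x1fINFECT-DEMO-PAYLOAD\xcc\xcc"
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Payload": b"INFECT-DEMO-PAYLOAD",
}

STUB_MAGIC = b"DECRYPT-STUB:"   # hypothetical constant decryptor prologue

def scan(data: bytes) -> list:
    """Signature scanning: names of every known byte pattern present in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def polymorph(payload: bytes, key: int) -> bytes:
    """Model one polymorphic generation: XOR the body with a per-infection key
    and prepend a constant decryptor stub carrying that key. Each generation
    has a different body, so a signature taken from the body never matches."""
    if not 0 < key < 256:
        raise ValueError("key must be a single non-zero byte")
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)

def unpack(blob: bytes) -> bytes:
    """What a scanner with a decryptor emulator does: find the stable stub,
    read the key out of it and decrypt the body before matching."""
    i = blob.find(STUB_MAGIC)
    if i < 0 or i + len(STUB_MAGIC) >= len(blob):
        return blob
    key = blob[i + len(STUB_MAGIC)]
    body = blob[i + len(STUB_MAGIC) + 1:]
    return blob[:i] + bytes(b ^ key for b in body)

def scan_files(files: dict, emulate: bool = False) -> dict:
    """Scan every file; with emulate=True, unpack a stub before matching."""
    hits = {}
    for path, data in files.items():
        found = scan(unpack(data) if emulate else data)
        if found:
            hits[path] = found
    return hits

def baseline(files: dict) -> dict:
    """Integrity checking, step one: a SHA-256 per file taken while clean."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_diff(base: dict, files: dict) -> dict:
    """Integrity checking, step two: new, changed and deleted files vs. baseline."""
    now = baseline(files)
    return {
        "new": sorted(p for p in now if p not in base),
        "changed": sorted(p for p in now if p in base and now[p] != base[p]),
        "deleted": sorted(p for p in base if p not in now),
    }

def clean_system() -> dict:
    """Constructed sample: a clean host with four benign files."""
    return {
        "/usr/bin/calc": b"\x7fELF-calc-program",
        "/usr/bin/notes": b"\x7fELF-notes-program",
        "/usr/lib/libhelper.so": b"\x7fELF-shared-library",
        "/etc/app.ini": b"[app]\ndebug=0\n",
    }

def infected_system() -> dict:
    """Constructed sample: the same host after infection. calc carries the plain
    payload, notes a polymorphic copy, app.ini is rewritten, a test file appears
    and the shared library has been deleted."""
    files = clean_system()
    files["/usr/bin/calc"] += PAYLOAD
    files["/usr/bin/notes"] += polymorph(PAYLOAD, 0x5A)
    files["/etc/app.ini"] = b"[app]\ndebug=1\n"
    files["/tmp/eicar.com"] = EICAR
    del files["/usr/lib/libhelper.so"]
    return files

if __name__ == "__main__":
    base = baseline(clean_system())
    bad = infected_system()
    print("signature scan:           ", scan_files(bad))
    print("with decryptor emulation: ", scan_files(bad, emulate=True))
    print("integrity diff:           ", integrity_diff(base, bad))
```

Running it shows the three points side by side: the plain payload and the EICAR file are caught by signature, the polymorphic copy in notes is missed until the scanner emulates the decryptor (which is exactly why vendors target the stable stub rather than the encrypted body), and the checksum baseline flags every changed, new and deleted file regardless of whether a signature exists, which is what step 3 of the removal process relies on.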
Exam Essentials
Understand the definition of a Trojan. Trojans are malicious pieces of code that are carried by software to a target system.
Understand the definition of a covert channel. A covert channel uses communications in a way