Online Book Reader

CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [54]

of your system and flash annoying messages on your screen or destroy your hard disk. When this occurs, you’ll know that you’re a victim. Other viruses will cause your system to slow down, cause files to disappear from your computer, or take over your disk space.

You should look for some of the following symptoms when determining if a virus infection has occurred:

■ The programs on your system start to load more slowly. This happens because the virus is spreading to other files in your system or is taking over system resources.

■ Unusual files appear on your hard drive, or files start to disappear from your system. Many viruses delete key files in your system to render it inoperable.

■ Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs on your disk.

■ Your browser, word processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.

■ The system mysteriously shuts itself down or starts itself up and does a great deal of unanticipated disk activity.

■ You mysteriously lose access to a disk drive or other system resources. The virus has changed the settings on a device to make it unusable.

■ Your system suddenly doesn’t reboot or gives unexpected error messages during startup.

This list is by no means comprehensive.

How Viruses Work

A virus, in most cases, tries to accomplish one of two things: render your system inoperable or spread to other systems. Many viruses will spread to other systems given the chance and then render your system unusable. This is common with many of the newer viruses.

If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users. Figure 2.15 shows a virus spreading from an infected system either through a network or by removable media. When you give removable media to another user or put it into another system, you then infect that system with the virus.

FIGURE 2.15 Virus spreading from an infected system using the network or removable media

Many newer viruses spread using e-mail. The infected system attaches a file to any e-mail that you send to another user. The recipient opens this file, thinking it’s something you legitimately sent them. When they open the file, the virus infects the target system. The virus might then attach itself to all the e-mails the newly infected system sends, which in turn infects the recipients of the e-mails. Figure 2.16 shows how a virus can spread from a single user to literally thousands of users in a very short time using e-mail.

Types of Viruses

Viruses take many different forms. The following sections briefly introduce these forms and explain how they work. These are the most common types, but this isn’t a comprehensive list.

The best defense against a virus attack is up-to-date antivirus software installed and running. The software should be on all workstations as well as the server.

Armored Virus

An armored virus is designed to make itself difficult to detect or analyze. Armored viruses cover themselves with protective code that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas in the program.

From the perspective of the creator, the more time it takes to deconstruct the virus, the longer it can live. The longer it can live, the more time it has to replicate and spread to as many machines as possible. The key to stopping most viruses is to identify them quickly and educate administrators about them, and these are the very things that the armor makes more difficult.

FIGURE 2.16 An e-mail virus spreading geometrically to other users

Companion Virus

A companion virus attaches itself to legitimate programs and then creates a program with a different filename extension. This file may reside in your system
