Malware Description


Spyware: Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.

Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Adware: A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns.

Virus: A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

It must execute itself. It will often place its own code in the path of execution of another program.

It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.

Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

There are five recognized types of viruses:

File infector viruses: File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. The can infect other files when an infected program is run from floppy, hard drive, or from the network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses: Boot sector viruses infect the system area of a disk--that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but, all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses: Master boot record viruses are memory resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in an different location. Windows NT computers that become infected by either boot sector viruses or master boot sector viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 95/98. If your Windows NT systems is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multi-partite viruses: Multi-partite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multi-partite viruses include One_Half, Emperor, Anthrax and Tequilla.

Macro viruses: These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

Worms: Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. PrettyPark.Worm is a particularly prevalent example.

Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Trojan Horses are impostors--files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojans contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must, invite these programs onto your computers--for example, by opening an email attachment or downloading and running a file from the Internet. The PWSteal.Trojan is a Trojan.

Hoax: Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Some of the common phrases used in these hoaxes are:

If you receive an email titled [email virus hoax name here], do not open it!
Delete it immediately!
It contains the [hoax name] virus.
It will delete everything on your hard drive and [extreme and improbable danger specified here].
This virus was announced today by [reputable organization name here].
Forward this warning to everyone you know!
Most virus hoax warnings do not deviate far from this pattern.

Blended Threat: Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage. Characteristics of blended threats include:

Causes harm: Launches a Denial of Service (DoS) attack at a target IP address, defaces Web servers, or plants Trojan Horse programs for later execution.

Propagates by multiple methods: Scans for vulnerabilities to compromise a system, such as embedding code in HTML files on a server, infecting visitors to a compromised Web site, or sending unauthorized email from compromised servers with a worm attachment. Attacks from multiple points: Injects malicious code into the .exe files on a system, raises the privilege level of the guest account, creates world read and writeable network shares, makes numerous registry changes, and adds script code into HTML files. Spreads without human intervention: Continuously scans the Internet for vulnerable servers to attack.

Exploits vulnerabilities: Takes advantage of known vulnerabilities, such as buffer overflows, HTTP input validation vulnerabilities, and known default passwords to gain unauthorized administrative access.

Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.

What is not a virus?
Because of the publicity that viruses have received, it is easy to blame any computer problem on a virus. The following are not likely to be caused by a virus or other malicious code:

Hardware problems. There are no viruses that can physically damage computer hardware, such as chips, boards, and monitors. The computer beeps at startup with no screen display. This is usually caused by a hardware problem during the boot process. Consult your computer documentation for the meaning of the beep codes.

The computer does not register 640 K of conventional memory. This can be a sign of a virus, but it is not conclusive. Some hardware drivers such as those for the monitor or SCSI card can use some of this memory. Consult with your computer manufacturer or hardware vendor to determine if this is the case.

You have two antivirus programs installed and one of them reports a virus. While this could be a virus, it can also be caused by one antivirus program detect the other program's signatures in memory.

You are using Microsoft Word and Word warns you that a document contains a macro. This does not mean that the macro is a virus.

You are not able to open a particular document. This is not necessarily an indication of a virus. Try opening another document or a backup of the document in question. If other documents open correctly, the document may be damaged.

The label on a hard drive has changed. Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label command of from within Windows.


Back to Security Tips
Back to Tech page
Home