viruses
VIRUS - Vital Information Resource Under Siege (it is self-replicating)
a virus is a small program written to alter the way a computer operates WITHOUT THE PERMISSION OR KNOWLEDGE OF THE USER
for a program to be considered a virus it must be able to execute and replicate itself without intervention of the user.
*
a virus is spread by inserting copies of itself into other executable code or documents, with or without the knowledge
of the user, by PIGGYBACKING on a legitimate application
*
the insertion of the virus into a program is known as INFECTION; the infected file or executable code is the host
-------------------------------------------------------------------------------------------------------------------------
REPLICATION - A VIRUS INFECTS A HOST FILE, WHICH IS A FILE THAT CONTAINS EXECUTABLE CODE
this stage is very difficult to detect. the virus attaches itself to empty space inside an existing file.
*
ACTIVATION - the virus delivers its payload
*
PROGRAM INFECTORS - infect .EXE OR .COM FILES
*
BOOT SECTOR INFECTOR (BSI) - passed at the time of disk access; something as simple as a DIR command can trigger it
-------------------------------------------------------------------------------------------------------------------------
WORMS are self-contained and do not need to be part of another program (host) to spread
a worm uses email or another transport mechanism (it does not need user interaction for activation) to travel from one disk drive
to another.
some worms install a BACKDOOR on an infected computer; a backdoor is used to gain unauthorized access to a computer
EXAMPLES OF WORMS
MYDOOM - fastest-spreading mass mailer
SOBIG WORM
--------------------------------------------------------------------------------------------------------------------------
TROJAN HORSE, OR TROJAN FOR SHORT
IS A HARMFUL PROGRAM THAT IS DISGUISED as legitimate software (like rogue security software)
it does not look harmful; it looks interesting and useful, but trojans are quite damaging when they run
*
they are not self-replicating, which distinguishes them from viruses and worms
*
additionally they require interaction with a hacker to fulfil their purpose; the hacker need not be the individual
responsible for distributing the Trojan horse
--------------------------------------------------------------------------------------------------------------------------
SPYWARE
spyware is a generic term for a class of software designed either to gather information for marketing purposes or to deliver
advertisements to web pages
although software of this type is legitimate, it can be installed on a computer without the user's knowledge
---------------------------------------------------------------------------------------------------
adware
the term adware refers to any software which displays advertisements, whether the user agreed to the advertisements or not
adware is a computer program where advertisements are automatically loaded by the software and displayed after installation
adware is usually responsible for pop-ups that occur on a computer for no reason, even when the computer is disconnected from the internet
adware is often referred to simply as spyware; the main difference between spyware and adware is that adware programs do not
invisibly collect and upload activity records or personal information to third parties
*************************************************************
ROOTKIT
a rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network
typically a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known
vulnerability or by cracking a password
once the rootkit is installed, it allows the attacker to mask the intrusion and gain root or privileged access to the computer and possibly other machines
***************************************************************
phishing
it is the act of sending an email to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam
the user into surrendering private information that will be used for identity theft
the email directs the user to visit a web site where they are asked to update personal information such as passwords and
credit card, social security and bank account numbers that the legitimate organization already has
**************************************************************************************************************************
key logger
a computer program that captures the keystrokes of a computer user and stores them; keyloggers spread via email
*************************************************************************************************************************
pharming is a hacker's attack aiming to redirect website traffic to another, bogus website
it can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software
it has become a major concern to businesses hosting e-commerce and online banking websites
every host on the internet has an IP address; these 32-bit
addresses are usually represented in dotted notation, 4 numbers separated by dots, for eg. 192.152.2.245
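The hosts-file variant of pharming described above can be checked for offline. The following is an added example (not part of the original notes): it parses a hosts file, flags any entry that pins a watched domain to a real address instead of loopback or 0.0.0.0, and converts a dotted-quad address to the 32-bit integer the notes mention. The hosts text, the watched domain names and the example-bank.test domains are all constructed for the example.

```python
"""Added example: detect hosts-file tampering of the kind pharming relies on,
plus dotted-quad <-> 32-bit conversion. All sample data is constructed."""
import ipaddress

# Constructed sample in the layout of a Windows hosts file. The two
# example-bank.test lines are the tampering pattern: a banking domain pinned
# to a non-loopback address so the browser never asks DNS.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# hypothetical tampered entries
192.152.2.245   www.example-bank.test
192.152.2.245   login.example-bank.test
0.0.0.0         ads.example.test
"""

# Hypothetical list of domains whose resolution the defender cares about.
WATCHED_DOMAINS = {"www.example-bank.test", "login.example-bank.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def dotted_quad_to_int(addr):
    """Convert a dotted-quad IPv4 string (4 numbers separated by dots) to the
    32-bit integer it represents. Raises ValueError on malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def int_to_dotted_quad(value):
    """Inverse of dotted_quad_to_int, via the standard library."""
    return str(ipaddress.IPv4Address(value))


def find_pharming_entries(hosts_text, watched):
    """Return (ip, hostname) entries that map a watched domain to a routable
    address. Loopback and 0.0.0.0 (blackhole) mappings are normal and are not
    flagged; a malformed address on a watched name is flagged as well."""
    suspicious = []
    for ip, name in parse_hosts(hosts_text):
        if name not in watched:
            continue
        try:
            parsed = ipaddress.ip_address(ip)
        except ValueError:
            suspicious.append((ip, name))
            continue
        if parsed.is_loopback or parsed.is_unspecified:
            continue
        suspicious.append((ip, name))
    return suspicious


if __name__ == "__main__":
    for ip, name in find_pharming_entries(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print("suspicious hosts entry: %s -> %s (%d)" % (name, ip, dotted_quad_to_int(ip)))
```

On a real Windows system the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; the check is only useful for domains you expect to be resolved by DNS, so the watched list should name the sites whose users you are protecting.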
*************************************************************************************************************************
IP ADDRESS SPOOFING
in computer networking, IP ADDRESS SPOOFING OR IP SPOOFING refers to the creation of Internet Protocol (IP)
packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender
or impersonating another computing system
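The standard mitigation for forged source addresses is ingress and egress filtering at the network border (the BCP 38 approach): a packet arriving from outside must not claim an inside source, and a packet leaving the inside must carry an inside source. The following is an added example, not from the original notes; the interface names "wan" and "lan", the internal prefixes and the packet records are all constructed.

```python
"""Added example: source-address (anti-spoofing) filter at a network border.
Interfaces, prefixes and packets are constructed for the example."""
import ipaddress

# Hypothetical border router: the prefixes that live behind the inside interface.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.152.2.0/24"),
]


def is_internal(addr):
    """True if addr falls inside one of the internal prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_PREFIXES)


def classify_packet(iface, src):
    """Return 'ok', 'spoofed-ingress' or 'spoofed-egress'.
    - 'wan' packets claiming an internal source are the impersonation case
      the notes describe (someone outside pretending to be inside).
    - 'lan' packets carrying a non-internal source mean a host on our own
      network is emitting forged traffic toward others."""
    internal = is_internal(src)
    if iface == "wan" and internal:
        return "spoofed-ingress"
    if iface == "lan" and not internal:
        return "spoofed-egress"
    return "ok"


# Constructed packet records: (interface the packet arrived on, source address).
SAMPLE_PACKETS = [
    ("wan", "203.0.113.7"),    # genuine external source: forward
    ("wan", "10.1.2.3"),       # claims to be inside: drop
    ("lan", "192.152.2.245"),  # genuine internal host: forward
    ("lan", "198.51.100.9"),   # inside host forging an outside source: drop
]


def filter_packets(packets):
    """Split packets into (forward, dropped); each entry is (iface, src, verdict)."""
    forward, dropped = [], []
    for iface, src in packets:
        verdict = classify_packet(iface, src)
        (forward if verdict == "ok" else dropped).append((iface, src, verdict))
    return forward, dropped


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for entry in drp:
        print("drop %s from %s: %s" % (entry[0], entry[1], entry[2]))
    print("%d forwarded, %d dropped" % (len(fwd), len(drp)))
```

The same two rules are what a real router applies with an access list on each interface; the example keeps them in Python so the decision logic can be read and tested on its own.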
*************************************************************************************************************************
question
MANUAL THREAT REMOVAL
FILE REMOVAL
ENABLE FIREWALL
PROGRAM REMOVAL
****************************************************************
BOTS
"bot" is derived from the word "robot"; a bot is an automated process that interacts with other network services. bots often automate tasks
and provide information or services that would otherwise be conducted by a human being
bots can be used for either good or malicious intent; a malicious bot is self-propagating malware designed to infect a host
and connect back to a central server or servers used for attacks
************************************************************************************************************************************************
SYMPTOMS OF INFECTION
you receive an email message that has a strange attachment; when you open the attachment, dialog boxes appear or a sudden degradation in system
performance occurs
an antivirus program is disabled for no reason and it cannot be restarted
an antivirus program cannot be installed on the computer, or it will not run
strange dialog boxes or message boxes appear onscreen
someone tells you that they have recently received an e-mail message from you containing attached files (especially with .exe, .bat, .scr and .vbs extensions) that you did not send
windows will not start because certain critical system files are missing, and then you receive an error message that lists those files
the computer runs very slowly and it takes a long time to start
windows spontaneously restarts unexpectedly
a partition completely disappears
a disk utility such as scandisk reports multiple serious disk errors
THE INFECTED FILE REPLICATES and multiplies itself and fills up the space on the hard disk
a virus can attach itself to an email and send itself to the contact lists in an email account
the virus may reformat your disk drive and delete your files and programs
the virus may install hidden programs such as pirated software; this pirated software may then be distributed and sold from your computer
the virus may reduce security; this could allow intruders to remotely access your computer or network
****************************************************************
threat identification -
a list of some of the more frequently used AUTO START ENTRY POINTS (ASEP) IN WINDOWS, INCLUDING THE STARTUP FOLDER, REGISTRY KEYS AND INI FILES:
WIN.INI
SYSTEM.INI
STARTUP FOLDER
REGISTRY
INTERNET EXPLORER
***************************************************************************************************************************************************
System registry run keys
Certain registry keys may contain values used to load applications when Windows is started, like Run and RunOnce
Start up folder
The Windows startup folder can include shortcuts, documents, executables or other types of files and programs to be launched when Windows is started. The currently logged-on user can view startup folder inclusions through the Start menu:
Start/Programs/startup
The common startup folder, applicable to all users, correlates to:
/Start Menu/Programs/Startup
ASEP specific to ME, 2000, XP
Also check the following key for unexpected values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
ASEP Loading Sequence
The order in which Windows processes the autostart entry points is as follows:
1. RunServices/RunServicesOnce-
HKEY_LOCAL_MACHINE and
HKEY_CURRENT_USER
RunServices/RunServicesOnce will be launched concurrently. In the event of a conflict, precedence is given to HKEY_LOCAL_MACHINE. These ASEPs may continue loading during and after the login dialog.
2. Login Dialog (Winlogon)
3. RunOnce/Run for HKEY_CURRENT_USER hive
4. Run key in HKEY_CURRENT_USER hive
5. Startup Folder
6. RunOnce in HKEY_CURRENT_USER hive
----------------------------------------------------------------------------------------------------------------------
COMMON LOCATIONS AND AUTO START ENTRY POINTS(ASEP) OF VIRUS
System Registry Run Keys
• System Registry Run Keys - Certain registry keys may contain values used to load applications (including malware) when Windows is started. The values to examine are located in subkeys Run, RunOnce, RunServices, and RunServicesOnce, located in either of the following registry keys:
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Startup Folder
• The Windows Startup folder can include shortcuts, documents, executables, or other types of files and programs to be launched when Windows is started. The currently logged-on user can view startup folder inclusions through the Start menu:
• Start | Programs | Startup
• The common startup folder, applicable to all users, correlates to:
• \Start Menu\Programs\Startup
Winlogon
• Winlogon is responsible for supporting the DLL responsible for managing the interactive logon when Windows starts. Pre-Vista, that DLL provides a customizable user interface and authentication process.
• Malware that hooks into Winlogon can be particularly difficult to remove, as even booting into Safe Mode will not deactivate it. The string values that customize the Winlogon process are located in the following registry key:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
ASEP Loading Sequence
The order in which Windows processes the autostart entry points is as follows:
• RunServices / RunServicesOnce - HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER RunServices/RunServicesOnce will be launched concurrently. In the event of a conflict, precedence is given to HKEY_LOCAL_MACHINE. These ASEPs may continue loading during and after the login dialog.
• Login Dialog (Winlogon)
• RunOnce / Run for HKEY_LOCAL_MACHINE hive
• Run key in HKEY_CURRENT_USER hive
• Startup Folder
• RunOnce in HKEY_CURRENT_USER hive
Some advanced loading points identified recently with rootkit-enabled malware
• C:\Documents and Settings\
• C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
• C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
• C:\Windows\Temp
• C:\WINDOWS\system32\config\systemprofile
Startup and Winlogon
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
• HKEY_CLASSES_ROOT\comfile\shell\open\command
• HKEY_CLASSES_ROOT\piffile\shell\open\command
• HKEY_CLASSES_ROOT\exefile\shell\open\command
• HKEY_CLASSES_ROOT\txtfile\shell\open\command
Services
• HKLM\SYSTEM\CurrentControlSet\Services\
• Active Setup Stub Keys (These are disabled if there is a twin in HKCU)
• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
• ICQ Agent Autostart
• HKCU\Software\Mirabilis\ICQ\Agent\Apps
• If you suspect that a system is infected, then examine each of these keys. Determine whether Value Name or Value Data, including the (Default) value, refers to a suspicious file.
Internet Explorer (To check for IE threats)
• HKLM\Software\Microsoft\Internet Explorer\Main, Start Page
• HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
• HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
• HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
• HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
• HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
• HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
• HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
• HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
• HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
• HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
• HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch =
• HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch
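The instruction above to examine each ASEP key for a Value Name or Value Data that refers to a suspicious file can be done offline against a registry export. The following is an added example (not from the original notes): it parses the string values in a .reg file and reports entries that load from the temporary and profile locations listed under the advanced loading points, that change the default open command for executables, or that populate AppInit_DLLs. The export text is constructed, including the hypothetical file names in it; the stock exefile open command "%1" %* is a known Windows default.

```python
"""Added example: offline triage of ASEP registry keys from a .reg export.
The export text and the file names inside it are constructed."""
import re

# ASEP keys from the notes that this check understands (compared case-insensitively).
ASEP_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",  # holds AppInit_DLLs
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
}
ASEP_KEYS_LOWER = {k.lower() for k in ASEP_KEYS}

# Path fragments from the notes' advanced loading points (lower-cased).
SUSPICIOUS_DIRS = ("\\windows\\temp", "\\content.ie5", "\\systemprofile")
# Stock (Default) value of exefile\shell\open\command on Windows.
DEFAULT_EXE_COMMAND = '"%1" %*'

# "name"="data" or @="data" lines; backslashes and quotes inside are escaped.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

# Constructed .reg export: one benign Run value, one loading from Windows\Temp,
# an empty AppInit_DLLs, and a hijacked exefile open command.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Windows\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\system32\\config\\systemprofile\\ld.exe \"%1\" %*"
'''


def unescape_reg_string(s):
    """Turn the .reg escapes \\\\ and \\" back into \\ and "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string values of a .reg export.
    '@' becomes '(Default)'. Non-string values (dword:, hex:) are skipped,
    which is enough for the ASEP checks below."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name = "(Default)" if m.group(1) == "@" else unescape_reg_string(m.group(2))
            result[current][name] = unescape_reg_string(m.group(3))
    return result


def find_suspicious_asep_values(reg):
    """Return (key, value_name, data, reason) for values that deserve a closer look."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k not in ASEP_KEYS_LOWER:
            continue
        for name, data in values.items():
            reason = None
            if k.endswith(r"exefile\shell\open\command") and data != DEFAULT_EXE_COMMAND:
                reason = "exe open command differs from the stock '\"%1\" %*'"
            elif any(frag in data.lower() for frag in SUSPICIOUS_DIRS):
                reason = "loads from a temp / profile staging directory"
            elif name.lower() == "appinit_dlls" and data:
                reason = "AppInit_DLLs loads this DLL into every process that maps user32.dll"
            if reason:
                findings.append((key, name, data, reason))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_suspicious_asep_values(parse_reg_export(SAMPLE_REG)):
        print("%s\n  %s = %s\n  -> %s" % (key, name, data, reason))
```

To use it on a real machine, export the keys listed above with regedit or reg export and feed the resulting file to parse_reg_export; any value whose data points at a file you cannot account for is the "suspicious file" the notes ask you to look for.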
Identify Rootkit Infections
1. MSconfig -> Boot.ini tab -> Check /BOOTLOG
2. Restart the computer.
3. Go to c:\windows and open the file c:\windows\ntbtlog.txt
Check for any suspicious entries.
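Once boot logging is on, ntbtlog.txt lists every driver Windows loaded or refused at start-up, one per line. The following added example (not from the original notes) reads that format and flags drivers loaded from outside the usual system directories, which is the kind of suspicious entry the step above asks you to look for. The log excerpt, including the file names in it, and the expected-directory list are constructed; the "Loaded driver" / "Did not load driver" line layout is the real one.

```python
"""Added example: parse ntbtlog.txt and flag drivers loaded from unusual
locations. The log excerpt and the expected directories are constructed."""
import re

# Constructed excerpt in the layout of ntbtlog.txt: a header line, then one
# "Loaded driver" / "Did not load driver" line per driver.
SAMPLE_NTBTLOG = """\
Service Pack 3 10 12 2009 15:22:39.375
Loaded driver \\WINDOWS\\system32\\ntoskrnl.exe
Loaded driver \\WINDOWS\\system32\\hal.dll
Loaded driver ACPI.sys
Loaded driver \\SystemRoot\\system32\\DRIVERS\\atapi.sys
Loaded driver \\SystemRoot\\System32\\Drivers\\Mup.sys
Loaded driver \\??\\C:\\WINDOWS\\Temp\\hidefs.sys
Loaded driver \\??\\C:\\Documents and Settings\\User\\Local Settings\\Temp\\krnl.sys
Did not load driver \\SystemRoot\\System32\\Drivers\\NDProxy.SYS
"""

# Directories (lower-cased, drive letter removed) that boot drivers normally live in.
EXPECTED_DIRS = ("\\windows\\system32", "\\systemroot\\system32")

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_ntbtlog(text):
    """Return a list of (status, path); status is 'loaded' or 'not-loaded'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status = "loaded" if m.group(1) == "Loaded driver" else "not-loaded"
            entries.append((status, m.group(2)))
    return entries


def normalise_driver_path(path):
    """Lower-case, drop the NT '\\??\\' prefix and a drive letter so that
    '\\??\\C:\\WINDOWS\\Temp\\x.sys' and '\\WINDOWS\\Temp\\x.sys' compare equal."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"^[a-z]:", "", p)


def find_unusual_boot_drivers(text):
    """Loaded drivers whose path is neither a bare file name (resolved via the
    normal driver search path) nor under one of the expected directories."""
    unusual = []
    for status, path in parse_ntbtlog(text):
        if status != "loaded":
            continue
        norm = normalise_driver_path(path)
        if "\\" not in norm:
            continue
        if not any(norm.startswith(d + "\\") for d in EXPECTED_DIRS):
            unusual.append(path)
    return unusual


if __name__ == "__main__":
    for path in find_unusual_boot_drivers(SAMPLE_NTBTLOG):
        print("driver loaded from an unusual location:", path)
```

On a real system the file is usually stored as UTF-16, so read it with open(path, encoding="utf-16") before passing the text in. A driver under a Temp or user-profile directory is worth investigating even if the name looks ordinary; a "Did not load driver" line for a driver you rely on is also worth a look, since a rootkit may be blocking it.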
Program Removal
• Click on start->control panel->add/remove programs icon.
• Discuss with the customer any new program which is installed. If the customer does not know about a particular program, follow the steps below -
o Click on start->My computer->Local drive C:-> Program files.
o Right click on the particular program folder -> click on Properties and check the date created. Repeat the same for all new programs and close the program window.
Physical Location
• c:\program files
• c:\program files\common files
• C:\documents & Settings\User\Application Data
Registry
• H_Key_Local_Machine\Software
• H_Key_Current_User\Software
• H_Key_Local_Machine\Software\Microsoft\Windows\Current Version\Uninstall
File Removal GUI Mode
• Delete - Right click -> Delete or Highlight the file and hit the Delete button on the keyboard
• Rename - Right click -> Rename or Highlight the file -> Press F2 -> Type a new name -> Hit enter
• Move - Right click -> Cut -> Right click and paste it in the desired location
• Removing Permissions - Right click on file ->Go to properties ->Click on Security Tab ->Click Advanced -> Uncheck the box "Inherit from parent control…." -> Click Remove ->Click OK
Yes, lots of viruses, spyware, adware, malware and lots of other things that you don't want.
It is a free, open-source antivirus program. It detects and removes trojans, worms, spyware, adware and other forms of malware. It also has an easy-to-use interface.
Spyware refers to programs that fall under malware. On the other hand, malware describes a wide variety of malicious software.
Rootkit is a type of malware that hides its presence while it's active on a computer. Rootkit hides other malware too. It can be extremely difficult to remove a rootkit from a computer. However, solid antivirus software usually removes rootkits without any problems. Source: http://deletemalware.blogspot.com
Spyware is the type of malware which has a negative effect on your computer system. It is software that describes certain activity. It enters your system without the owner knowing and gathers information about internet interaction, keystrokes, passwords and other valuable data, and also changes the configuration of your computer. Spyware can also be used as a type of adware.
instructions meant to do harm
Take popular antivirus software called Spyware Doctor as an example. There are many benefits. For example, Spyware Doctor is well designed to detect and clean thousands of potential spyware, adware and other malware from your computer. There are many great features it offers us; with SD's help, you can detect and remove spyware, adware, malware, Trojans, key loggers and trackware; continuously monitor and protect your PC from browser infections and tracking cookies; schedule a Quick Scan, Full Scan or Smart Update at specified times and intervals; prevent known malicious processes from running on your computer, and so on. http://www.sharewarerating.com/spyware-doctor-reviews
Malware removal software removes all forms of malicious software such as keyloggers, trojans, spyware, adware, and viruses. Virus protection deals with viruses and worms, but may not deal with other forms of malware. It would be best to have a program that covers everything, and some even recommend that you use more than one program.
I believe you are referring to anti-rootkit software. Firstly, a rootkit is something that allows other threats (e.g. viruses, spyware) to hide themselves. (Rootkits are often bundled with keyloggers or trojans.) Therefore, conventional anti-virus products cannot remove them because they are hidden. Anti-rootkit software is designed to remove the rootkit.
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly, but erroneously, used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability.
ADWARE - a user opens up a browser and is overwhelmed that their keystrokes are recorded
LOGIC BOMB - an employee's contract is terminated and he configures a malicious program to execute the day after he leaves
BACKDOOR - malware exploits a firewall and opens port 80, which allows other malware to access the system
SPYWARE - a user types their account credentials, unaware that their keystrokes are recorded
MALWARE, SPYWARE, DECOMPRESSION BOMB, goggle.com, youareanidiot.org and others.