2. • Overview
• Infection Strategies
• Evaluation of Virus
• Virus News & Statistics
• Identification Methods
• Project Overview
• Data Flow Diagram (DFD)
• Design the Proposed System
• Conclusion
• Future Work
3. • A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner.
• The term "virus" is also commonly but incorrectly used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability.
• A true virus can only spread from one computer to another (in some form of executable code).
5. Figure: Virus attached to an object file (labels: Resource, DLL, OCX, Virus, Object File)
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of lawful programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously.
6. Figure: Virus Encounter Vectors
The following graph depicts security vulnerabilities experienced by actual enterprise customers as surveyed by ICSA Labs for the years 1996 through 2002.
8. 1. The first virus was born at the very beginning of the 1970s.
2. Creeper was an experimental self-replicating program written by Bob Thomas at BBN in 1971.
3. Creeper gained access via the ARPANET and copied itself to the remote system.
4. The Reaper program was created to delete Creeper. [First Antivirus]
5. "Rother J" was the first computer virus to appear outside the lab where it was created. It was written in 1981 by Richard Skrenta.
6. The first PC virus in the wild was a boot sector virus dubbed Brain, created in 1986 by the Farooq Alvi brothers.
7. Macro viruses have become common since the mid-1990s.
9. • It is estimated that PC viruses cost businesses approximately $55 billion in damages in 2003.
• Processing between 50,000 and 60,000 new copies per hour, "W32/Mydoom.A has exceeded the infamous SoBig.F virus in terms of copies intercepted, and the number continues to rise."
• Message Labs collected over 1.2 million copies of W32/Mydoom.A-mm.
• At its peak infection rate, about 1 in 12 emails on the Internet was a MyDoom virus.
</gr_replreplace>
<gr_replace lines="62-64" cat="reformat" orig="11. Figure : Virus">
11. Figure: Virus Signature Definition
A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.
11. Figure : Virus Signature Definition
A signature is an algorithm or hash (a number derived
from a string of text) that uniquely identifies a specific virus.
Format: <Virus CRC16/CRC32 Hash Value> | <Virus Name>
0095C3A4|STONED.LESZOP.A
0086C7BE|STONED.MARCH6.A
13. Figure: Data Flow Diagram, modules 1 and 2
Input: Removable drive (pen drive, flash drive etc.)
1. Removable Drive Scan: searches for a worm as soon as the drive is plugged into the system and blocks auto-run activity; findings are passed to Search Dependencies.
• M1 Delete Virus
• M2 Delete Dependencies
Input: Startup info (system startup registry path, registry)
2. Startup Scan: scans the files and processes registered at the system startup registry path.
• M1 Kill Process Tree
• M2 Delete Files
• M3 Delete Reg. Keys
14. Figure: Data Flow Diagram, modules 3 and 4
Input: Process list (running processes)
3. Real Time Monitor: applies MILSPEC-MINING to monitor how a process behaves; findings are passed to Search Dependencies.
• M1 Kill Process Tree
• M2 Delete Files
• M3 Delete Reg. Keys
Input: Directory (local disk drive)
4. Scan For Drive: uses a dictionary scan to match files against existing virus signatures or icons; findings are passed to Search Dependencies.
• M1 Kill Process Tree
• M2 Delete Files
• M3 Delete Reg. Keys
15. Figure: Data Flow Diagram, module 5
Input: Target content (local disk drive; directory search over the local drives)
5. Scan with Sample: scans by file name / icon / size / visibility etc.
• M1 Kill Process Tree
• M2 Delete Files
• M3 Delete Reg. Keys
16. To store the virus signatures, a collection of flat files is used, and the attributes are separated from each other by the pipe symbol "|".
Some examples are given below:
• 5B110B72|DENZUK.E
• 5B0DE15C|PINGPONG.A
• 5BEB04FF|WIN95.TWINNY.1638449
• 5B807327|WIN32.BOLZANO.3628
• 5B33914C|GENE.948
The portion before the "|" (pipe) is the virus signature in CRC16 form, and the portion after it is the virus code name. Approximately 30’00 virus signatures are included in this project.
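An added example (not code from the deck or its project) of the flat-file signature store described on slides 11 and 16: it parses the hash|name lines and looks up a file by its whole-content CRC. It assumes the 8-hex-digit values are CRC32 (slide 16 says CRC16); the TEST.SAMPLE.A entry and the sample body it hashes are constructed.

```python
import zlib
from pathlib import Path
from typing import Dict, Optional


def parse_signature_db(text: str) -> Dict[int, str]:
    """Parse the pipe-separated flat file: <CRC hex>|<virus name> per line.

    Blank lines are skipped; a line without the '|' separator is reported as a
    corrupt database entry instead of being silently dropped.
    """
    sigs: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "|" not in line:
            raise ValueError(f"signature file line {lineno}: missing '|' separator")
        crc_hex, name = line.split("|", 1)
        sigs[int(crc_hex, 16)] = name.strip()
    return sigs


def crc32_of(data: bytes) -> int:
    """Whole-content CRC32, masked to 32 bits to match the 8-hex-digit form."""
    return zlib.crc32(data) & 0xFFFFFFFF


def lookup(sigs: Dict[int, str], data: bytes) -> Optional[str]:
    """Return the virus name whose signature matches data, or None."""
    return sigs.get(crc32_of(data))


def scan_file(path: Path, sigs: Dict[int, str]) -> Optional[str]:
    """Hash a file on disk and look it up, as the Scan For Drive step does."""
    return lookup(sigs, path.read_bytes())


# Constructed sample: a harmless byte string standing in for an infected file.
SAMPLE_BODY = b"constructed test sample - not a real virus"

# Constructed database: two entries quoted on the slide plus one whose hash is
# computed from the sample above.
SAMPLE_DB = "\n".join([
    "5B110B72|DENZUK.E",
    "5B0DE15C|PINGPONG.A",
    f"{crc32_of(SAMPLE_BODY):08X}|TEST.SAMPLE.A",
])

if __name__ == "__main__":
    db = parse_signature_db(SAMPLE_DB)
    print(lookup(db, SAMPLE_BODY))         # TEST.SAMPLE.A
    # A single changed byte yields a different CRC: a whole-file hash
    # signature only ever catches byte-identical copies.
    print(lookup(db, SAMPLE_BODY + b"!"))  # None
```

The last lookup shows the limit of this scheme: every variant of a file needs its own entry, which is why this project pairs the hash match with icon, name, size and behaviour checks.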