All About Computer Viruses
August 8, 2010
By now most of us know a fair amount about viruses and have probably run into the problems they cause. Whatever the details, most viruses are small programs that damage our computers and sometimes even our wallets.
A. THE ORIGIN OF VIRUS
1949: John von Neumann put forward the "self-altering automata theory", the result of research by mathematicians.
1960: experts at Bell Labs (AT&T) experimented with the theory put forward by John von Neumann and turned it into a kind of game. The researchers wrote programs that could reproduce themselves and destroy the opponent's programs. A program that survived and destroyed all the others was regarded as the winner. The game eventually became a favorite in every computer laboratory. Over time the researchers grew more cautious about the game, because the programs being created were more and more dangerous, so they imposed supervision and strict security.
1980: the program that eventually became known as a "virus" managed to spread beyond the lab environment and began to circulate in the cyber world.
1980: the first known viruses began to spread in the cyber world.
The first virus to appear in this world, named [Elk Cloner], was born circa 1981 at Texas A&M. It spread through Apple II floppy disks that carried the operating system. Its payload displayed a message on the screen: "It will get on all your disks-It will infiltrate your chips-Yes, it's Cloner!-It will stick to you like glue-It will modify RAM too-Send in the Cloner!"
The name "virus" was only coined two years after its birth, by Len Adleman on November 3, 1983, at a meeting that discussed how to create viruses and how to protect yourself from them. But people often assume that the first virus to appear was [Brain], which was actually born in 1986. That is understandable, because this virus was the most shocking and the most widespread, spreading through DOS diskettes, which were the trend at the time. Its birth also coincided with [PC-Write Trojan] and [Vindent].
From then on, viruses began to take over the world. Their development was fierce and truly horrible! One year later the first virus that infects files appeared. It usually attacked files with the *.exe extension. The virus was named [suriv] and belongs to the "Jerusalem" virus group. The speed of its spread was 'thrilling' for the time. But this virus was not too bad, because it hit IBM's mainframe only briefly, just a year (is a year a long time, or a short one?).
In 1988, big attacks on the Macintosh appeared from the viruses [MacMag] and [Scores], and the Internet was knocked out by a virus made by Robert Morris. In 1989 someone sent out a fraudulent file called "AIDS information program"; unfortunately, once the file was opened, what the user got was not information about AIDS but a virus that encrypted the hard drive and demanded payment for the unlock code.
Since then the spread of viruses can no longer be counted. But the impact was not too big. It was not until 1995 that a massive attack came. Without holding back, they attacked large organizations such as Griffith Air Force Base, the Korean Atomic Research Institute, NASA, IBM and many other giant companies, which were hit by the "Internet Liberation Front" on Thanksgiving Day. Because of the boldness and severity of the attacks, 1995 was dubbed the year of the Hackers and Crackers.
The crackers are never satisfied. Every time a new operating system or program appears, they are ready with a new virus. Those of you who often type in MS Word may have come across the Titassic virus. This is an original and unique local Indonesian virus: it reminds us to pray on time. But make no mistake, the macro virus titled [Concept] can also be very grim and vicious, because it will destroy 80% of the victim's data files and programs.
Now, as technology develops, the first virus that combines a macro virus and a worm has appeared. Its name is rather sweet: [Melissa]. But it is not as sweet as the name implies: the virus spreads to other people via e-mail and, most painfully, it spreads to all the e-mail addresses in your address book. And now millions of viruses roam erratically around the Internet.
B. UNDERSTANDING VIRUS
"A program that can infect other programs by modifying them to include a slightly altered copy of itself. A virus can spread throughout a computer system or network using the authorization of every user using it to infect their programs. Every program that gets infected can also act as a virus and thus the infection grows." (Fred Cohen)
The term "virus" was first used by Fred Cohen in 1984 in the United States. A computer virus is called a "virus" because it has some fundamental similarities with viruses in the medical sense (biological viruses).
A computer virus can be thought of as an ordinary computer program. But it differs fundamentally from other programs: a virus is designed to infect other programs, to change them, to manipulate them and even to damage them. One thing to note here: a virus only infects when it is triggered, that is, when the program that triggers it or an already infected program is executed. This is where it differs from a "worm". Worms will not be discussed in this article because that would take us away from the discussion of viruses.
C. CRITERIA FOR VIRUS
A program can truly be called a virus if it meets at least five criteria:
1. The ability to obtain information
2. The ability to check a program
3. The ability to copy itself and infect
4. The ability to perform manipulation
5. The ability to conceal itself
Each ability is explained briefly below, along with why it is necessary.
1. Ability to obtain information
In general, a virus needs a list of the file names that exist in a directory. What for? So that it can identify which programs it will infect. A macro virus, for example, infects all files with the *.doc extension once it has found them. This is where the ability to gather information comes in: it lets the virus build a list of all files and then sort through it for files that can be infected. Usually this data is created when an infected program, or the virus program itself, is executed. The virus then collects the data and puts it in RAM (usually), so that when the computer is turned off all the data is lost; it is created again each time a program carrying the virus runs, and is usually stored as hidden files by the virus.
2. Ability to inspect a program
A virus must also be able to examine a program it is about to infect. For example, if it is meant to infect *.doc files, it must check whether a document file has already been infected, because if it has, infecting it a second time would be pointless. This greatly improves the speed at which a virus infects files or programs. What viruses generally do is put a mark on the files or programs they have infected, so that the virus can recognize them easily. One example of such a mark is a unique byte placed in every infected file.
3. Ability to multiply
The core of a virus is its ability to multiply by infecting other programs. Once a virus has found a potential victim (either a file or a program), it checks it; if the victim is not yet infected, the virus starts infecting it by writing the identifier byte to the program or file and then copying its virus code onto the target file or program. Some common ways in which viruses infect and reproduce are:
a. The file or program to be infected is deleted or renamed, and a new file is then created under that name from the virus itself (meaning the virus takes the name of the deleted file).
b. A virus program that has been executed and loaded into memory directly infects other files by working through all existing files and programs.
4. Ability to perform manipulation
The routine that a virus carries is executed after the virus has infected a file or program. The contents of the routine vary from the harmless to outright vandalism. The routine is generally used to manipulate programs or to make its author famous! It exploits the capabilities of the operating system, and therefore has the same capabilities as the operating system itself. For example:
a. Displaying a picture or message on the monitor
b. Changing the label of files, directories, or drives on your PC
c. Manipulating infected programs or files
d. Destroying programs or files
e. Disrupting printers, etc.
5. Ability to Conceal Itself
A virus needs the ability to hide itself so that all of its work, from the beginning until infection succeeds, can be carried out. The usual steps are:
- The original program / virus is stored in encoded machine form and combined with other programs that the user considers useful.
- The virus program is placed in the boot record or on tracks that are rarely looked at by the computer itself.
- The virus program is made as short as possible, so that the infected file does not change in size.
- The virus does not change the timestamp of a file.
D. VIRUS LIFE CYCLE
The life cycle of a virus generally passes through four stages:
o Dormant phase (rest / sleep phase)
In this phase the virus is not active. The virus is activated by a specific condition, such as a specified date, the presence of another program, or the execution of another program. Not all viruses go through this phase.
o Propagation phase (distribution phase)
In this phase the virus copies itself into a program or onto a storage medium (hard drive, RAM, etc.). Every infected program becomes a "clone" of the virus (depending on how the virus infects it).
o Triggering phase (active phase)
In this phase the virus becomes active, again set off by conditions like those of the dormant phase.
o Execution phase
In this phase the active virus performs its function, such as deleting files, displaying messages, etc.
E. TYPES OF VIRUSES
To further refine our knowledge of viruses, I will try to provide an explanation of the types of viruses that often roam the cyber world.
1. Macro Virus
This is a type of virus we have surely heard of very often. It is written in the programming language of an application rather than in the programming language of an operating system. The virus can run wherever its host application runs properly; for example, if a Mac computer can run the Word application, then the virus works on a computer running the Mac operating system.
- W97M variants, for example W97M.Panther:
1234 bytes long;
infects Normal.dot and infects documents when they are opened.
- 41984 bytes long;
infects MS Word documents that use the macro language, usually with the *.DOT and *.DOC extensions.
2. Boot Sector Virus
Boot sector viruses are very common. When it spreads, the virus moves or replaces the original boot sector program with the virus's boot program. So when the machine boots, the virus is loaded into RAM, where it gains the ability to control standard hardware (e.g. monitor, printer, etc.), and from memory it also spreads to all drives that are present and connected to the computer (e.g. floppy, drives other than drive C).
- Wyx virus variants,
e.g. wyx.C(B): infects the boot record and floppy;
length: 520 bytes;
characteristics: memory resident and encrypted.
- V-sign variant:
infects the Master Boot Record;
520 bytes long;
characteristics: memory resident, encrypted, and polymorphic.
- Stoned.june 4th / bloody!:
infects the Master Boot Record and floppy;
520 bytes long;
characteristics: memory resident, encrypted, and displays the message "Bloody! june 4th 1989" after the computer has been booted 128 times.
This virus takes over the DOS interrupt table, which we often know as an "interrupt interceptor". This gives the virus the ability to control DOS-level instructions, and such viruses usually hide themselves, as the name suggests, either completely or in size.
- infects *.COM and *.EXE files;
4298 bytes long;
characteristics: memory resident, hidden, has a trigger.
- WXYC (placed here because it is a boot record virus that also falls into the stealth category): infects floppy and motherboot record;
520 bytes long;
memory resident; hidden size and hidden virus.
- infects *.EXE, *.SYS and *.COM files;
file length 3275 bytes;
characteristics: memory resident, hidden size, encrypted.
This virus is designed to fool antivirus programs: it always tries to avoid being identified by antivirus software by changing its structure every time it infects another file or program.
- Necropolis A/B:
infects *.EXE and *.COM files;
file length 1963 bytes;
characteristics: memory resident, hidden size and hidden virus, encrypted, and able to change its structure.
- infects *.EXE files;
file length 4554 bytes;
characteristics: memory resident, hidden size and hidden virus, has a trigger, encrypted, and able to change its structure.
5. File / Program Virus
This virus infects files that the operating system executes directly, whether application files (*.EXE) or *.COM files. Infection by this kind of virus can usually be detected by a change in the size of the attacked file.
6. Multi-Partition Virus
This virus is a combination of a boot sector virus and a file virus: it does two jobs, infecting *.EXE files and also infecting the boot sector.
F. HOW SOME VIRUSES SPREAD
Like biological viruses, computer viruses need a medium in order to spread. They can spread to every part of your computer and to other machines in various ways, including:
1. Diskettes, R/W storage media
External storage media can be an easy target for viruses to use as a medium, whether as a place to reside or as a means of distribution. Media that support R/W (read and write) operations are very likely to carry viruses and serve as a distribution medium.
2. Network (LAN, WAN, etc.)
A connection between several computers makes it very easy for a virus to move along whenever files or programs that contain a virus are exchanged or executed.
A site may well have been planted with a 'virus' that will infect the computers that access it.
4. Freeware, shareware or even pirated software
Many viruses are deliberately planted in programs that are distributed, whether for free or as trial versions, which of course already have the virus embedded in them.
5. E-mail attachments, file transfers
Almost every kind of virus spread in recent years has used e-mail attachments, because all Internet users rely on e-mail to communicate. These files are deliberately made eye-catching, and they often have a double extension in the file name.
1. Steps for Prevention
For prevention you can take the following steps:
o Use an antivirus you trust with the latest update. The brand does not matter as long as it is always updated. Turn on auto-protect.
o Always scan all external storage media before use. This may be a bit cumbersome, but if your antivirus auto-protect is working, this procedure can be skipped.
o If you are connected directly to the Internet, try to combine your antivirus with a firewall, anti-spam, etc.
2. Steps When Infected
o Detect and determine roughly where the virus came from: disk, network, e-mail, etc. If you are connected to a network, it is best to isolate your computer first (either by unplugging the cable or by disabling the connection from the Control Panel).
o Identify and classify the type of virus that is attacking your PC, by:
– The symptoms, for example: messages, corrupted or missing files, etc.
– Scanning with your antivirus. If you were hit while auto-protect was running, the virus definitions on your computer do not contain data for this virus; try updating manually, or download the virus definitions and install them. If the virus blocks your attempt to update, try using another medium (computer) with an antivirus that has the latest update.
o Clean. Once you have managed to detect and recognize the virus, immediately look for a way to remove or destroy it on sites that provide information on virus developments. Do this if an antivirus with the latest update does not succeed in destroying it.
o As a last resort, if all of the above does not work, reformat your computer.
Removing the virus with an antivirus on another computer
Remove the hard drive from the infected computer and attach it to another computer that has the latest antivirus, or at least one able to identify the virus on the infected system. Run a full scan of the infected system's hard drive and remove all viruses found. When that is done, the hard drive can be put back into its own computer and the system run as usual. Check again whether the computer still shows the same symptoms as when it was infected. This is a powerful way to clean a virus, as long as the antivirus on the other computer can recognize and remove the virus on the infected hard drive. The virus may, however, still leave traces in the form of autorun or startup entries that no longer function. These traces sometimes raise error messages that are not dangerous but may be a bit annoying.
Removing the virus with another operating system
On a laptop or a computer whose hard drive cannot be removed, another way is to run a different operating system that is not infected and do a full scan of the entire hard drive. Some users run a dual OS setup such as Linux and Windows, or Windows XP and Windows Vista. You can also use a LiveCD or a portable OS such as Knoppix or Windows PE (a minimized Windows that can be booted from portable storage media such as a flash disk or CD) and then do a full scan with an antivirus. This is as effective as removing the virus with an antivirus on another computer, as in the example above. The virus sometimes still leaves traces that are not dangerous.
If the methods above are difficult for you, there is still another way: doing it manually. The steps are:
Stop the processes run by the virus. An active virus must have a process running on the system. This process usually monitors system activity and acts when certain events occur. For example, when we plug in a flash disk, the virus process detects it and infects the flash disk with the same virus. The process can be viewed in Task Manager, which is opened with Ctrl + Alt + Del, but sometimes the virus blocks this by logging off, closing the Task Manager window, or restarting the system. Another way is to use a different tool to view and stop the virus process. I used to use Process Explorer from http://www.sysinternals.com/. With this tool you can stop any process that is considered a virus. When stopping virus processes, note that a virus sometimes consists of more than one process, each monitoring the other. When one process is stopped, it is started again by the other process. Because of that, the virus processes must be stopped quickly, before one is restarted by another. First identify which processes are considered to be the virus, then stop them all quickly. Usually a virus disguises itself to resemble a Windows process, but of course it is not identical, such as IExplorer.exe imitating Explorer.exe. The following Windows processes can be treated as a reference of safe processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe
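One way to apply this reference list when reviewing a process listing, as an added example that is not part of the original article: the Python below flags an image that uses a reference name from a different folder, or a name within one edit of a reference name (the IExplorer.exe case above). The sample paths, the one-edit threshold and the function names are assumptions made for illustration.

```python
import ntpath

# Reference locations from the article (Windows XP defaults).
REFERENCE = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\Explorer.exe",
]
# file name (lower case) -> the only location it should run from
KNOWN = {ntpath.basename(p).lower(): ntpath.normcase(p) for p in REFERENCE}


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(rows[-1][j] + 1, cur[j - 1] + 1,
                       rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, rows[-2][j - 2] + 1)  # swapped neighbours
            cur.append(best)
        rows.append(cur)
    return rows[-1][-1]


def classify(image_path):
    """Return 'ok', 'wrong-location', 'look-alike' or 'unlisted' for one image path."""
    norm = ntpath.normcase(ntpath.normpath(image_path))
    name = ntpath.basename(norm)
    if name in KNOWN:
        return "ok" if norm == KNOWN[name] else "wrong-location"
    # Assumed threshold: one edit away from a reference name is suspicious.
    if any(edit_distance(name, known) <= 1 for known in KNOWN):
        return "look-alike"
    return "unlisted"


def audit(paths):
    """Return (path, verdict) for every entry that deserves a closer look."""
    verdicts = [(p, classify(p)) for p in paths]
    return [(p, v) for p, v in verdicts if v in ("wrong-location", "look-alike")]


# Constructed sample listing, e.g. image paths copied out of Process Explorer.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"C:\WINDOWS\IExplorer.exe",
    r"C:\Documents and Settings\user\svchost.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{verdict:15} {path}")
```

An "unlisted" result only means the name is not on the reference list; the real Internet Explorer image, iexplore.exe, is two edits from Explorer.exe and is therefore not flagged as a look-alike.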
In addition to Process Explorer you can use other tools that may be easier and can stop several processes at once. Another example is HijackFree. You can search Google for similar tools.
After the virus processes have been stopped, restore to their default values the system parameters that the virus uses to activate itself and to block efforts to remove it. These parameters are located in the Windows registry and can be reset to default values. Save the following as a file with any name and the .reg file extension, then run the file by double-clicking it. If a confirmation appears, answer Yes / OK. The registry file is as follows:
Windows Registry Editor Version 5.00

; Explorer settings for displaying hidden files
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000

; Shell started by "Safe Mode with Command Prompt"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

; Programs started at logon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

; Open commands for .reg, .scr, .pif, .com and .exe files
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
The registry file above unblocks regedit, prevents the virus from attaching itself to the system again, and resets other parameters so that the virus cannot get back in another way.
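Before importing the file above it helps to see which of these values have actually been changed. The following Python is an added example, not part of the original article: it parses the text of a registry export and reports every value that differs from a baseline taken from the file above. The sample export, its placeholder.exe entries and the function names are constructed for illustration.

```python
import re

# Baseline copied from the article's .reg file: (key, value name) -> expected data.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BASELINE = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden"): 0,
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot",
     "AlternateShell"): "cmd.exe",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
}

# A value line is  "name"=data  or  @=data  (the key's default value).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(quoted):
    """Drop the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg(text):
    """Parse string and dword values from export text into {(key, name): data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry keys are case-insensitive
            continue
        match = VALUE_RE.match(line) if key else None
        if not match:
            continue
        name = "@" if match.group(1) == "@" else unescape(match.group(1)).lower()
        raw = match.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            values[(key, name)] = unescape(raw)
        elif raw.lower().startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
    return values


def audit(export_text):
    """Return (key, name, expected, found) for each baseline value that differs or is missing."""
    found = parse_reg(export_text)
    report = []
    for (key, name), expected in BASELINE.items():
        actual = found.get((key.lower(), name.lower()))
        if isinstance(actual, str) and isinstance(expected, str):
            same = actual.lower() == expected.lower()
        else:
            same = actual == expected
        if not same:
            report.append((key, name, expected, actual))
    return report


# Constructed sample; a real export is usually UTF-16 and must be decoded first.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\system32\\placeholder.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\placeholder.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE_EXPORT):
        print(f"{key}\\{name}: expected {expected!r}, found {actual!r}")
```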
Once the virus has been stopped and the system parameters reset, prevent the virus from becoming active again by removing its autorun and startup entries from Windows. You can use the built-in Windows tool MSCONFIG or edit the registry directly with Regedit. It is easier to use a third-party tool such as Autoruns from http://www.sysinternals.com to delete the autorun and startup entries that belong to the virus. Do not forget to check the StartUp folder under Start menu -> Programs -> Startup and make sure there are no entries belonging to the virus.
Download the latest antivirus and run a full scan so that the whole system is checked and all viruses found are removed.
Before restarting, make sure you have not missed any part of the virus, whether in the process list or in the system's startup or autorun entries. If you have, the system will return to its infected state after the restart, and all the steps you took earlier will have been in vain.
After restarting the computer, check whether the symptoms that appeared when the computer was infected are still there. If they are, you missed some of the virus's autorun entries, or the reset of the system parameters above did not succeed. Repeat the steps above and check each step more carefully before you restart the system.
Those are the steps for removing a virus on Windows XP systems. To prevent the virus from coming back, be diligent about updating your antivirus, or install prevention applications such as Comodo Firewall or WinPooch, which warn the user when another program is about to modify the system. That way, even if a virus is not recognized, the user is warned by the prevention application before it gets in. If you recognize the program that wants to access your system, you can allow the access; if not, it should be rejected and blocked, because the program may be a virus.
Be careful when opening a flash disk. Do not open it by double-clicking. Open it with a right click and choose the Open menu, so that the autoplay feature on the flash disk does not run a virus automatically. Also pay attention to the files you open. Even if the icon looks the same, check whether what you are opening is a document or an application/program. Make sure a Word file really is a Word file and a folder really is a folder; you can see this in the details or properties of the file. Hopefully this article helps you deal with and prevent computer virus infections.
Hopefully this discussion of viruses is of benefit, in particular to the author, who is still studying, and to all of us in general. This article was drawn from several sources, which I have listed below.
1. [Stallings, William], "Cryptography and Network Security, principle and practice: second edition", Prentice-Hall, Inc., New Jersey, 1999
2. [Salim, IR. Hartojo], "Computer Viruses, techniques & countermeasure steps", Andi Offset, Yogyakarta, 1989
3. [Amperiyanto, Tri], "Playing around with the Macro Virus", Elex Media Komputindo, Jakarta, 2002
4. [Jayakumar], "Viruspaperw.pdf", ebook version
5. [Y3dips], "knick knacks Virus", http://ezine.echo.or.id, Jakarta, 2003
6. "Virus definitions from one of the antivirus products"
7. http://ezine.echo.or.id/
8. http://www.resep.web.id/
9. http://www.thinkrooms.com/
10. http://id.wikipedia.org/