Friday 29 March 2024 Straipsniai.lt - Independent and informative portal
Trojans, Viruses & Worms

Angelina, AntiCMOS, AntiEXE, Azusa, Back Orifice,
Bones, Boot-437, Brain, Bubbleboy, Bupt9146, Byway

Angelina virus

Stoned.Angelina is a variant of Stoned, and like Stoned, it spreads to a hard disk when an infected floppy disk (bootable or not) is in the A> drive, and the PC is booted/re-booted.

If an infected floppy disk is in the A> drive at boot-up, its Boot Sector (sector 0), which contains the virus "program", is read into memory. The virus then takes control of the system and infects the hard disk once boot-up is completed, copying its code to the Master Boot sector (cylinder 0, head 0, sector 1) and moving the original partition table/MBR data to cylinder 0, head 0, sector 2.

Ordinarily, data are not lost from the hard disk, because DOS does not use the sector that the virus uses. However, if that sector is used by third-party software to store data, during formatting, or for password access, or by drivers to access large partitions, problems can result.

At every boot-up thereafter, Angelina will become memory-resident, infecting floppy disks not already infected, or write-protected, by moving the floppy disk's original Boot record code to the area used by the Directory. This can cause loss of entries of files, deleted files, and sub-directories in the root which were listed in the Directory.

The files can still be located in the file storage area of the floppy disk, and could be recovered using a utility program, but since they're no longer listed in the Directory, they may be overwritten, as other files are later stored.

Angelina is considered a "stealth" virus, since besides giving no outward sign of its presence, while in RAM it can keep anti-virus programs from reading the infected sector, where the virus code locates itself.

AntiCMOS virus

AntiCMOS infects the hard disk's Master Boot record, and the Boot Sector of floppy disks. If an infected floppy disk is in the A> drive at boot-up, the virus program in the Boot Sector (Sector 0) will be read into memory. The virus then takes control of the system, and infects the hard disk.

AntiCMOS does not infect files, and reserves 1 KB of memory in an infected computer; CHKDSK will report 1 KB less total system memory than normal. It infects floppy disks that are either read from or written to, if they are not already infected or write-protected.

When AntiCMOS infects a hard disk, it leaves the original Partition Table data intact, and since it has its own code to find the active partition and transfer control to it, the virus does not retain the original MBR data. It overwrites it, instead of relocating it elsewhere.

The virus has code to tamper with CMOS data, with a one in 256 chance at each floppy disk access, but the code does not actually work. (PCs of recent years have a special chip, the CMOS, short for Complementary Metal Oxide Semiconductor, on which data describing the hardware are stored; when the PC is off, the data are maintained by battery power.)

AntiEXE virus

AntiEXE is also known as NewBug, and is believed to have originated in Russia. It infects the partition/Master Boot sector (cylinder 0, head 0, sector 1) of the hard disk when a boot/re-boot occurs with an infected floppy in the A> drive. It writes its code there and moves the partition/MBR data to cylinder 0, head 0, sector 13. AntiEXE is a stealth virus: while it is in memory, it blocks attempts to read the first sector of disks.

Ordinarily, data are not lost from the hard disk, because DOS does not use the sector that the virus uses. However, if that sector is used by third-party software to store data, during formatting, or for password access, or by drivers to access large partitions, problems can result.

AntiEXE will be in memory after that, whenever the PC is on, and infects floppy disks by writing its code to their Boot sector (sector 0), moving the boot data there to the last sector of the root directory. If the floppy disk has many files listed in the root (192 or more for a 3.5" HD floppy disk), this will cause the loss of up to 16 entries of files, deleted files, and subdirectories in the root directory. The data would still be located in the file storage area of the disk, recoverable with the use of a disk utility program.

Every time a disk read is performed, AntiEXE searches for a particular 8-byte hex string, 4D5A40008801370F, which matches the header of one specific .EXE file, and if found, it overwrites that file's first sector in memory, preventing it from running. These header bytes would fit an EXE file of about 196 KB, but no one knows which EXE it is. This peculiarity is how AntiEXE got its name.
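The 8-byte string above is simply the first four fields of a DOS MZ executable header, which is where the "about 196 KB" figure comes from. The following is an added example, not code from the original page: it decodes those fields to recover the size the header describes, and scans a raw disk image offline (where the virus's stealth cannot interfere) for sectors that start with the targeted header. The sample image is constructed here.

```python
import struct

# The eight bytes the page says AntiEXE looks for at the start of a sector on
# every disk read (hex string 4D5A40008801370F from the text).
ANTIEXE_PATTERN = bytes.fromhex("4D5A40008801370F")
SECTOR = 512


def parse_mz_header(data: bytes) -> dict:
    """Decode the first four little-endian words of a DOS MZ executable header.

    DOS EXE layout: offset 0 'MZ' signature, offset 2 bytes used on the last
    512-byte page, offset 4 number of 512-byte pages, offset 6 number of
    relocation entries. The load-image size follows from those fields.
    """
    if len(data) < 8 or data[:2] != b"MZ":
        raise ValueError("not an MZ header")
    last_page_bytes, pages, relocations = struct.unpack_from("<HHH", data, 2)
    if last_page_bytes == 0:
        image_size = pages * 512                 # last page completely full
    else:
        image_size = (pages - 1) * 512 + last_page_bytes
    return {
        "last_page_bytes": last_page_bytes,
        "pages": pages,
        "relocations": relocations,
        "image_size": image_size,
        "image_kb": round(image_size / 1024, 2),
    }


def matches_antiexe_target(sector: bytes) -> bool:
    """True if a sector begins with the exact header AntiEXE searches for."""
    return sector[:8] == ANTIEXE_PATTERN


def find_targeted_sectors(image: bytes) -> list:
    """Indexes of the 512-byte sectors in a raw disk image that start with the
    targeted header, i.e. the EXE headers an infected machine would clobber
    in memory. Reading the image offline sidesteps the stealth behaviour."""
    return [i for i in range(len(image) // SECTOR)
            if matches_antiexe_target(image[i * SECTOR:(i + 1) * SECTOR])]


def build_sample_image() -> bytes:
    """Constructed fixture: four sectors, one carrying the targeted MZ header
    and one carrying a different, ordinary MZ header (values are made up)."""
    other_exe = b"MZ" + struct.pack("<HHH", 0x0100, 0x0010, 0x0001)
    sectors = [bytes(SECTOR),
               (other_exe + bytes(SECTOR))[:SECTOR],
               (ANTIEXE_PATTERN + bytes(SECTOR))[:SECTOR],
               bytes(SECTOR)]
    return b"".join(sectors)
```

Decoding the pattern gives 64 bytes on the last page, 392 pages and 3895 relocation entries, i.e. a load image of 200256 bytes (195.56 KB), which is the "about 196 KB" in the text.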

Azusa virus

Azusa is a Boot Sector virus that also infects the hard disk's Master Boot Record, and is one of many viruses related to the Stoned virus. Some programs call "Azusa" the Hong Kong virus, since that's where it's believed to be from originally; it was first detected in the U.S. in 1991.

Azusa infects the Boot Sector (first sector, number 0) of floppy disks (like "Stoned" and other such viruses do), and if such an infected floppy disk is in the A> drive at boot-up, the virus goes resident at the top of Conventional Memory, and infects the hard disk.

Like Stoned, Azusa copies itself to the Master Boot sector (cylinder&head 0, sector 1), incorporating Partition data, but overwriting the Master Boot data. Unlike Stoned, it does not "save" an intact copy of the Partition/MBR data elsewhere, and when first discovered, wasn't easily removed.

Once it has infected the hard disk, Azusa will always be in memory, since the Partition/MBR sector is always the first disk sector read, at every boot-up. The virus will monitor disk accesses via Interrupt 13, and then can infect floppy disks accessed after that in either A> or B> drives, unless the floppy disks are write-protected.

Unlike Stoned and other similar viruses, Azusa will not infect floppy disks just because they're accessed. The DIR command won't cause the floppy disk to become infected, for example. However, if a file on the disk is "opened," either to be read (with the TYPE command, for example) or written to, the virus will infect the floppy disk. Although it doesn't save hard disk MBR data, it does save floppy disk boot data.

Unfortunately, Azusa can cause data loss in doing so, because it was not skillfully written, which is true of many viruses. It was written to copy itself from RAM to sector 0 of a floppy, and move the boot data from there to Sector 718 which is at the very end of a 360K disk.

Unless file data are stored there, no data are lost. This may not be a problem very often with 360K floppy disks, but on floppy disks of other sizes, the relocated boot data will be placed in a 512-byte sector in the middle of the disk, thus making it likely that a file will be partially overwritten.

One effect Azusa has is to temporarily disable the COM1 and LPT1 ports after 32 re-boots, interfering with printing. In addition, the virus interferes with the disk change line signal, so the directory of a previously read floppy disk will be shown on the screen when the next floppy disk is used.

Back Orifice Trojan

Back Orifice (a takeoff on Microsoft's Back Office name) is ostensibly a Windows 95/98 Network utility program, designed to enable a LAN administrator to control a network from a remote location. Such a utility can be useful in the right hands, but its creators (who even have a Web site) opted to allow it to install secretly and perform its functions silently. In the hands of a malicious person, it is a potential Trojan horse.

As its creators have advertised, Back Orifice "gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has." Thanks to the smug complicity of its creators and distributors, this is entirely true, as many chat and ICQ users have discovered to their regret.

Its success has spawned similar "back-door" Trojan programs. Though they do not replicate like viruses, someone can send you a file (with a name of his or her choice) that provides complete access to your computer over the Internet, and all you have to do to make yourself vulnerable is double-click it.

Bones virus

Bones is poorly-written, but has some stealth-type capability to avoid detection. It does not always infect a hard disk properly, and can lead to loss of access to the hard disk data, when it overwrites Boot Sector data as well as the MBR. Files listed in the last sector of the directory on floppies can be lost, when the virus moves the floppy boot data there.

The virus can overwrite both MBR and Boot data, and a PC can hang during the boot process, with the hard disk light blinking. Booting from a floppy will show that there are "no files" on the hard disk, since the boot record's media descriptor byte incorrectly specifies that the capacity of the hard disk is 1.44 MB.

Norton Utilities should be able to repair the boot record, with the correct Media Descriptor Byte for a hard disk. Someone without Norton's or a similar utility would need to run FORMAT /S, but that's not a good alternative.

Boot-437 virus

Boot-437 infects the system's Boot Record (the first sector of the active partition, i.e. cylinder 0, head 1, sector 1) instead of the Master Boot Record, which is the first sector of the hard disk (cylinder 0, head 0, sector 1).

It is thus not an "MBR" virus, and can normally be removed with the SYS C: command, from C:\DOS\ or C:\WINDOWS\COMMAND\, as appropriate. It moves the original Boot data to cylinder 0, head 0, sector 6.

Ordinarily, data are not lost from the hard disk, because DOS does not use the sector that the virus uses. However, if that sector is used by third-party software to store data, during formatting, or for password access, or by drivers to access large partitions, problems can result.

When Boot-437 infects floppy disks, it overwrites data in the Boot Sector (sector #0) instead of saving the data elsewhere. Thus, unlike many similar viruses, which cause damage to directory entries on floppies, Boot-437 should not cause loss of data, and does not corrupt files.

Brain virus

What was the first virus for 8086 PCs? There's some debate about that, but the original Pakistani Brain was perhaps the first, with a 1986 "copyright" date. Although it was not noticed in the United States until 1987, it has an interesting history.

Basit and Amjad Alvi were brothers, in Lahore, Pakistan. They had a computer store, and supposedly routinely pirated (illegally copied and sold) popular and expensive software, discounted to tourists.

Amjad was a university graduate, and a programmer of some skill, judging by what the virus does. One story goes that he wrote the virus because he was angry that others pirated software that HE wrote. Another version is that he merely wished to insert a copyright notice on disks containing his software.

There's no doubt that the virus itself is deliberately NON-destructive. It infects floppy disks only, and besides writing part of its code to the Boot Sector (#0), it uses 6 sectors (3072 bytes) in the data area of the disk (where files are stored).

The original boot sector data and the remainder of the virus are stored there. If there aren't 6 contiguous sectors available, the floppy disk will not be infected, and thus no damage to files on the disk can occur.

Since the data stored by the virus are not legitimately listed in the Directory, DOS would be able to use those sectors, and overwrite (most of) the virus, which would also make the disk (if bootable) non-bootable. So the virus marks those 6 sectors as if they are bad sectors.

Oddly enough, although he wrote the virus to change the volume label to "(c) Brain 00-00-1980 12:00" -AND- included an advertisement in the Boot Sector to call attention to its presence on the floppy disk, it's also a stealth virus.

If it's in memory, the virus directs reads of the Boot Sector away from the virus code stored there to the real boot data, relocated to the data area. Thus, unless an anti-virus program searches for the virus in memory, it will not find the virus on the disk (if it's in memory).

The first part of the virus is in sector 0, and if that sector is read, either by booting with the disk, or if it's a floppy left in the A> drive at boot up, the virus will go memory-resident.

It reserves 7 KB of RAM (some variants use less), located at the top of Conventional Memory. CHKDSK will show "3072 bytes in bad sectors" on the disk, and instead of "655360 total bytes memory" may show 648192.
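The "3072 bytes in bad sectors" figure is what CHKDSK computes from the FAT: on a 360K floppy a cluster is two 512-byte sectors, so the six sectors Brain marks bad are three clusters. The following is an added example, not code from the original page or from the virus: it parses a FAT12 boot sector's BIOS Parameter Block, walks the packed 12-bit FAT entries, and totals the clusters flagged with the bad-cluster value 0xFF7, which is the check a responder can run on an image of a suspect floppy. The boot sector and FAT are constructed here with the standard 360K geometry.

```python
import struct

BAD_CLUSTER = 0xFF7                  # FAT12 value marking a cluster "bad"
BPB = struct.Struct("<HBHBHHBH")     # BIOS Parameter Block, boot sector offset 11


def parse_bpb(boot_sector: bytes) -> dict:
    fields = BPB.unpack_from(boot_sector, 11)
    keys = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
            "root_entries", "total_sectors", "media", "sectors_per_fat")
    return dict(zip(keys, fields))


def cluster_count(bpb: dict) -> int:
    """Number of data clusters: everything after the reserved, FAT and root dir areas."""
    bps = bpb["bytes_per_sector"]
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    data_sectors = (bpb["total_sectors"] - bpb["reserved_sectors"]
                    - bpb["fats"] * bpb["sectors_per_fat"] - root_sectors)
    return data_sectors // bpb["sectors_per_cluster"]


def fat12_get(fat: bytes, n: int) -> int:
    """Read 12-bit entry n; FAT12 packs two entries into three bytes."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def bad_clusters(boot_sector: bytes, fat: bytes) -> list:
    """Cluster numbers the FAT marks as bad (data clusters start at 2)."""
    bpb = parse_bpb(boot_sector)
    return [n for n in range(2, cluster_count(bpb) + 2) if fat12_get(fat, n) == BAD_CLUSTER]


def bytes_in_bad_sectors(boot_sector: bytes, fat: bytes) -> int:
    """The figure CHKDSK reports as 'bytes in bad sectors'."""
    bpb = parse_bpb(boot_sector)
    return (len(bad_clusters(boot_sector, fat))
            * bpb["sectors_per_cluster"] * bpb["bytes_per_sector"])


def make_360k_boot_sector() -> bytes:
    """Constructed boot sector with the standard 360K geometry: 512-byte sectors,
    2 sectors per cluster, 1 reserved sector, 2 FATs of 2 sectors each,
    112 root entries, 720 sectors in total, media byte FD."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                  # jump to boot code
    sec[3:11] = b"EXAMPLE "                     # OEM name, made up
    BPB.pack_into(sec, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def make_fat(boot_sector: bytes, bad=()) -> bytearray:
    """Empty FAT for the volume, with the given clusters marked bad."""
    bpb = parse_bpb(boot_sector)
    fat = bytearray(bpb["sectors_per_fat"] * bpb["bytes_per_sector"])
    fat[0:3] = bytes([bpb["media"], 0xFF, 0xFF])   # reserved entries 0 and 1
    for n in bad:
        fat12_set(fat, n, BAD_CLUSTER)
    return fat
```

A freshly formatted floppy reports 0 bad bytes, so a disk that has never shown media errors but suddenly reports exactly 3072 is worth examining sector by sector; the same walk over the FAT also tells you which clusters to image for analysis.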

The advertisement reads:
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES..730 NIZAM BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN..PHONE :430791,443248,280530.
Beware of this VIRUS..Contact us for vaccination.. $#@%$@!!

Another variant, evidently from Singapore, has this text:
BRAIN COMPUTER SERVICES..730 NIZAM BLOCK ALLAMA IQBAL TOWN
Lahore,Pakistan. Ph: 430791,443248. Ver (Singapore)
Beware of this "virus". It will transfer to million of
floppy disks.... $#@%$@!!

Bubbleboy worm

VBS/Bubbleboy is a demonstration VBS script worm (it is NOT a virus), and the first known malware that could spread to a user's PC without the user opening an attachment, because Bubbleboy's script is embedded in the e-mail message itself. For that reason, it is worth noting its existence.

Although Bubbleboy has the potential to spread among those using Windows 98/2000, IE5, and Outlook/Outlook Express, the fact is that it is merely a demonstration, sent (presumably by its writer) to some anti-virus companies. Even though it was actually not in circulation, inaccurate news stories made many people think it was, and therefore an imminent threat.

If it were in circulation, Bubbleboy's spread would depend on two particular ActiveX controls being marked as "safe." If they are so marked, they can be used by Internet Explorer 4.0/5.0, and this worm (or another, yet to be written) can use them maliciously. This security hole was discovered months ago, and a patch already exists for it.

Even though Bubbleboy (at least as of this writing) is no threat, there is a possibility that future worms that use its techniques may become a danger in the future, so it would be prudent to download and install the patch from Microsoft, if you use MSIE 4.0/5.0.

BUPT9146 virus

BUPT9146 (also known as Beijing and WelcomB) is believed to be from China, and gets its name from the text it contains, which reads: Welcome to BUPT9146,Beijing! (this is a reference to the student-Red Army confrontation in China, June 4, 1991).

The virus infects the partition/Master Boot sector (cylinder 0, head 0, sector 1) of the hard disk when a boot/re-boot occurs with an infected floppy in the A> drive, writing its code there and moving the partition/MBR data to cylinder 0, head 0, sector 4.

Ordinarily, data are not lost from the hard disk, because DOS does not use the sector that the virus uses. However, if that sector is used by third-party software to store data, during formatting, or for password access, or by drivers to access large partitions, problems can result.

The virus is then resident in memory, and infects disks by writing its code to the Boot sector (sector #0) of them, moving the floppy disk's original Boot record code to the area used by the Directory. If the disk has files listed in the overwritten sector, this will cause loss of entries of files, deleted files, and sub-directories in the root.

The files could still be located in the file storage area of the floppy disk, and could be recovered using a utility program, but since they are no longer listed in the Directory, they may be overwritten, as other files are later stored on the floppy disk.
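Angelina, AntiEXE and BUPT9146 all rely on the same property: the sectors after sector 1 on cylinder 0, head 0 are unused by DOS, so the original MBR can be parked there (sector 2, 13 and 4 respectively), and Boot-437 parks a boot record at sector 6 the same way. The following is an added example, not code from the original page: it parses MBR partition tables, lists every non-blank track-0 sector of a raw disk image (which is also where the third-party tools the text mentions would show up), and reports any that hold a partition table consistent with the one in sector 1, i.e. a relocated original MBR. The disk image is constructed here; a 63-sectors-per-track geometry is assumed.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446
# boot flag, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_partition_table(sector: bytes):
    """Non-empty partition entries, or None if the sector cannot be a partition
    sector (no 55AA signature, or boot flags other than 00/80)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return None
    entries = []
    for i in range(4):
        boot, _, ptype, _, lba, count = PART_ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if boot not in (0x00, 0x80):
            return None
        if ptype:
            entries.append({"active": boot == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    table = parse_partition_table(sector)
    return bool(table) and all(e["lba_start"] > 0 and e["sectors"] > 0 for e in table)


def track0_sector(image: bytes, n: int) -> bytes:
    """Cylinder 0, head 0, sector n (CHS sectors are 1-based, so this is LBA n-1)."""
    return image[(n - 1) * SECTOR:n * SECTOR]


def nonblank_track0_sectors(image: bytes, sectors_per_track: int = 63) -> list:
    """Sectors 2..N of track 0 are not used by DOS; anything non-zero there
    deserves a look (third-party tools, or a relocated boot record or MBR)."""
    return [n for n in range(2, sectors_per_track + 1) if any(track0_sector(image, n))]


def find_mbr_copies(image: bytes, sectors_per_track: int = 63) -> list:
    """Track-0 sectors other than sector 1 that carry a plausible partition
    table: where a relocated original MBR would be found."""
    return [n for n in nonblank_track0_sectors(image, sectors_per_track)
            if looks_like_mbr(track0_sector(image, n))]


def same_partition_table(image: bytes, n: int) -> bool:
    """Does the copy at track-0 sector n agree with the table in sector 1?"""
    return (parse_partition_table(track0_sector(image, 1))
            == parse_partition_table(track0_sector(image, n)))


def build_mbr(entries) -> bytes:
    sec = bytearray(SECTOR)
    for i, e in enumerate(entries):
        PART_ENTRY.pack_into(sec, TABLE_OFFSET + 16 * i, 0x80 if e["active"] else 0x00,
                             bytes(3), e["type"], bytes(3), e["lba_start"], e["sectors"])
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_sample_image(copy_at_sector=None, sectors_per_track: int = 63) -> bytes:
    """Constructed fixture: one track of a disk with a single active FAT16
    partition starting at LBA 63. If copy_at_sector is given, a second copy
    of the original MBR is placed at that track-0 sector, which is what the
    disk looks like after the relocation the text describes."""
    original = build_mbr([{"active": True, "type": 0x06, "lba_start": 63, "sectors": 20160}])
    image = bytearray(sectors_per_track * SECTOR)
    image[0:SECTOR] = original
    if copy_at_sector:
        start = (copy_at_sector - 1) * SECTOR
        image[start:start + SECTOR] = original
    return bytes(image)
```

On a real image, run `nonblank_track0_sectors` first: a clean DOS disk returns an empty list, a disk with a disk manager or password tool returns the sectors those tools own, and a relocated MBR shows up in `find_mbr_copies` with `same_partition_table` true, which is also the sector a clean-up tool would copy back over sector 1.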

Byway virus

Byway (or DIR.Byway) modifies Directory entry listings of files to point to a disk cluster where the virus code is stored. Once memory-resident, it spreads quickly, because using the DIR command infects all files in a directory. Executing a program located in a directory listed in the PATH statement can cause the infection of all directories searched by DOS.

DIR.Byway can display a message, TRABAJEMOS TODOS POR VENEZUALA ("Let's all work for Venezuela"), and plays a song on the system's speaker.

To confuse people, the virus creates a hidden file in the Root Directory, named CHKLIST .MS (a name similar to the CHKLIST.MS files created by the DOS6 MSAV program except for the "spaces"), and listed only by using the DIR /AH command.

If that file is there, it should NOT be deleted, since even though that will disable the virus, it will also remove the ability for DOS to locate files on the disk. Anti-virus programs can remove the virus safely.

It's also possible (but involved) to remove it manually, with the virus in memory, by using PKZIP to compress the COM and EXE files and then deleting them. After re-booting from an uninfected disk, so that the virus is not in memory, unzip the files and delete the hidden virus "file", then scan the hard disk and floppy disks.
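The reason the hidden file must not simply be deleted is visible in the directory itself: a DIR-type infection leaves every infected file's directory entry pointing at the one cluster holding the virus, and the original starting clusters live only in the virus's hidden data. The following is an added example, not code from the original page: it parses 32-byte FAT directory entries and flags start clusters claimed by more than one file, which is invalid on any healthy FAT volume and, when the sharers are COM/EXE files, is the pattern of a DIR-type infection. It also lists hidden entries named like CHKLIST.MS, a heuristic assumed here from the text. The root directory is constructed.

```python
import struct

DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")   # 32-byte FAT directory entry
ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIRECTORY = 0x02, 0x08, 0x10


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int = 0) -> bytes:
    """Pack one directory entry (time/date fields left at zero; fixture only)."""
    return DIR_ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                          attr, bytes(10), 0, 0, cluster, size)


def parse_directory(blob: bytes) -> list:
    entries = []
    for off in range(0, len(blob) - 31, 32):
        name, ext, attr, _, _, _, cluster, size = DIR_ENTRY.unpack_from(blob, off)
        if name[0] == 0x00:                          # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & ATTR_VOLUME:    # deleted entry or volume label
            continue
        entries.append({"name": name.decode("ascii", "replace").rstrip(),
                        "ext": ext.decode("ascii", "replace").rstrip(),
                        "attr": attr, "cluster": cluster, "size": size})
    return entries


def display_name(e: dict) -> str:
    return f'{e["name"]}.{e["ext"]}' if e["ext"] else e["name"]


def shared_start_clusters(entries: list) -> dict:
    """Map start cluster -> names, for clusters claimed by two or more files.
    Directories and empty files (cluster 0) are ignored."""
    by_cluster = {}
    for e in entries:
        if e["cluster"] == 0 or e["attr"] & ATTR_DIRECTORY:
            continue
        by_cluster.setdefault(e["cluster"], []).append(display_name(e))
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def suspect_executables(entries: list) -> list:
    """COM/EXE files whose start cluster is shared with another file."""
    shared = shared_start_clusters(entries)
    return sorted(n for names in shared.values() for n in names
                  if n.endswith((".COM", ".EXE")))


def hidden_chklist_entries(entries: list) -> list:
    """Hidden files named like CHKLIST.MS (heuristic assumed from the text)."""
    return [display_name(e) for e in entries
            if e["attr"] & ATTR_HIDDEN and e["name"].startswith("CHKLIST") and e["ext"] == "MS"]


def build_sample_root_dir() -> bytes:
    """Constructed fixture: three executables all pointing at cluster 2, a text
    file, a subdirectory, a deleted entry and a hidden CHKLIST entry."""
    deleted = bytearray(make_entry("OLDFILE", "TMP", 0x20, 15, 100))
    deleted[0] = 0xE5
    return b"".join([
        make_entry("COMMAND", "COM", 0x20, 2, 54645),
        make_entry("FORMAT", "COM", 0x20, 2, 22916),
        make_entry("EDIT", "EXE", 0x20, 2, 413),
        make_entry("README", "TXT", 0x20, 9, 1200),
        make_entry("DOS", "", ATTR_DIRECTORY, 12),
        bytes(deleted),
        make_entry("CHKLIST", "MS", ATTR_HIDDEN, 40, 512),
    ]) + bytes(32)
```

Running this over an image of the root directory (and, recursively, each subdirectory's cluster chain) gives the list of files whose real start clusters must be recovered before the hidden entry is touched, which is why the text advises letting an anti-virus program do the repair.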
