Signature based virus detection and protection system


description

File signature based computer malware detection and protection system.

Transcript of Signature based virus detection and protection system

Page 1: Signature based virus detection and protection system


Page 2: Signature based virus detection and protection system

• Overview
• Infection Strategies
• Evaluation of Virus
• Virus News & Statistics
• Identification Methods
• Project Overview
• Data Flow Diagram (DFD)
• Design the Proposed System
• Conclusion
• Future Work

Page 3: Signature based virus detection and protection system


• A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner.

• The term "virus" is also commonly but incorrectly used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability.

• A true virus can only spread from one computer to another (in some form of executable code).

Page 4: Signature based virus detection and protection system

Figure: Infection vectors

• Email/IM
• Flash Drive
• Floppy Disk
• CD/DVD Pirated Software
• Internet/FTP
• LAN/File Sharing

Page 5: Signature based virus detection and protection system

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of lawful programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously.

Figure: Virus attaching itself to (1) the object file and (2, 3) resources such as DLL and OCX files

Page 6: Signature based virus detection and protection system

Figure: Virus Encounter Vectors

The following graph depicts security vulnerabilities experienced by actual enterprise customers as surveyed by ICSA Labs for the years 1996 through 2002.

Page 7: Signature based virus detection and protection system

Figure: Impact of Client Computing Vulnerabilities

Ref: ICSA Labs Virus Prevalence Survey 2002

Page 8: Signature based virus detection and protection system

1. The first virus was born at the very beginning of the 1970s.
2. Creeper was an experimental self-replicating program written by Bob Thomas at BBN in 1971.
3. Creeper gained access via the ARPANET and copied itself to the remote system.
4. The Reaper program was created to delete Creeper. [First Antivirus]
5. "Rother J" was the first computer virus to appear outside the lab where it was created. It was written in 1981 by Richard Skrenta.
6. The first PC virus in the wild was a boot sector virus dubbed Brain, created in 1986 by the Farooq Alvi Brothers.
7. Macro viruses have become common since the mid-1990s.

Page 9: Signature based virus detection and protection system

• It is estimated that PC viruses cost businesses approximately $55 Billion in damages in 2003.
• Processing between 50,000 and 60,000 new copies per hour, "W32/Mydoom.A has exceeded the infamous SoBig.F virus in terms of copies intercepted, and the number continues to rise."
• Message Labs collected over 1.2 Million copies of W32/Mydoom.A-mm.
• At its peak infection rate, about 1 in 12 emails on the Internet were MyDoom viruses.

Page 10: Signature based virus detection and protection system


Page 11: Signature based virus detection and protection system

Figure: Virus Signature Definition

A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.

Format: <Virus CRC16/CRC32 Hash Value> | <Virus Name>

• 0095C3A4|STONED.LESZOP.A
• 0086C7BE|STONED.MARCH6.A

Page 12: Signature based virus detection and protection system

Identification methods (search tree):

• Search
  • Memory Search
  • File Search
    • Content Based
    • Icon Based
  • Registry Search

Page 13: Signature based virus detection and protection system

Data Flow Diagram, processes 1 and 2:

Process 1: Removable Drive Scan. Searching for worms as soon as a removable drive is plugged into the system, and blocking auto-run activity.
• Data store: Removable Drive (Flash Drive, Pen drive etc.)
• Search Dependencies
• M1: Delete virus
• M2: Delete Dependencies

Process 2: Startup scan. Scanning files and processes at the startup registry path.
• Data stores: Startup Info., System Registry
• M1: Kill Process Tree
• M2: Delete Files
• M3: Delete Reg. Keys

Page 14: Signature based virus detection and protection system

Data Flow Diagram, processes 3 and 4:

Process 3: Real Time Monitor. MILSPEC-MINING applied to monitor how processes behave.
• Data stores: Process List, Running Process
• Search Dependencies
• M1: Kill Process Tree
• M2: Delete Files
• M3: Delete Reg. Keys

Process 4: Scan For Drive. Use a dictionary scan to match against existing virus signatures or icons.
• Data stores: Directory, Search Local Disk Drive
• Search Dependencies
• M1: Kill Process Tree
• M2: Delete Files
• M3: Delete Reg. Keys

Page 15: Signature based virus detection and protection system

Data Flow Diagram, process 5:

Process 5: Scan with sample. Scan with file name / icon / size / visibility etc.
• Target: content of Local Disk Drive (Local Drives, Directory Search)
• M1: Kill Process Tree
• M2: Delete Files
• M3: Delete Reg. Keys

Page 16: Signature based virus detection and protection system

To store the virus signatures a collection of flat files is used, and the attributes are separated from each other using the pipe "|" symbol. Some examples are given below:

• 5B110B72|DENZUK.E
• 5B0DE15C|PINGPONG.A
• 5BEB04FF|WIN95.TWINNY.1638449
• 5B807327|WIN32.BOLZANO.3628
• 5B33914C|GENE.948

The portion before the "|" (pipe) is the virus signature in CRC16 form, and the portion after it is the virus code name. Approximately 30’00 virus signatures are included in this project.
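As an added illustration of the signature format described on this page and on the signature-definition slide (Page 11), the following Python is not the project's own code. It parses the pipe-separated flat file, computes a whole-file checksum and looks it up in the loaded database. The slides call the stored value CRC16, but the listed values are eight hex digits, i.e. 32 bits, so the example assumes CRC32 (zlib.crc32). The DEMO.SAMPLE entries and the placeholder byte strings they are computed from are constructed for the demo and are not real virus signatures; the DENZUK/PINGPONG entries are the ones listed on this page.

```python
"""Added example: minimal loader and scanner for the '<HEX CRC>|<VIRUS NAME>'
flat-file signature format. Assumptions: CRC32 (the slides say CRC16, but the
values are 32-bit), whole-file checksum. Not the project's own code."""
import zlib
from typing import Dict, Optional


def load_signatures(text: str) -> Dict[int, str]:
    """Parse signature lines into {crc_value: virus_name}.

    Blank lines and lines without a '|' are skipped; a malformed hex field
    raises ValueError so a corrupt database is noticed rather than ignored.
    """
    db: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "|" not in line:
            continue
        crc_hex, name = line.split("|", 1)
        db[int(crc_hex, 16)] = name.strip()
    return db


def file_crc32(data: bytes) -> int:
    """CRC32 of the whole file content as an unsigned 32-bit integer."""
    return zlib.crc32(data) & 0xFFFFFFFF


def scan(data: bytes, db: Dict[int, str]) -> Optional[str]:
    """Return the matching virus name, or None when the checksum is unknown."""
    return db.get(file_crc32(data))


def scan_files(files: Dict[str, bytes], db: Dict[int, str]) -> Dict[str, str]:
    """Dictionary scan over a set of files (path -> content), as the
    'Scan For Drive' process does; returns only the paths that matched."""
    hits: Dict[str, str] = {}
    for path, data in files.items():
        name = scan(data, db)
        if name is not None:
            hits[path] = name
    return hits


# Constructed placeholder payloads standing in for infected files (plain bytes, not malware).
SAMPLE_A = b"constructed placeholder payload A"
SAMPLE_B = b"constructed placeholder payload B"


def build_demo_db() -> str:
    """Emit a database in the slides' format whose entries are the CRC32 of the
    placeholder payloads above. Names are constructed, not real families."""
    return "\n".join(
        [
            f"{file_crc32(SAMPLE_A):08X}|DEMO.SAMPLE.A",
            f"{file_crc32(SAMPLE_B):08X}|DEMO.SAMPLE.B",
            "5B110B72|DENZUK.E",  # entry as listed on the slide
        ]
    )


if __name__ == "__main__":
    db = load_signatures(build_demo_db())
    print(scan(SAMPLE_A, db))             # DEMO.SAMPLE.A
    print(scan(SAMPLE_A + b"\x00", db))   # None: one changed byte, different CRC
    print(scan_files({"a.bin": SAMPLE_A, "clean.txt": b"hello"}, db))
```

The second call in the usage shows the main limitation of a whole-file checksum: appending or changing a single byte yields a different CRC and therefore no match. That is why this kind of signature only catches exact copies, and why it is combined on the slides with icon, size and behaviour checks rather than used alone.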

Page 17: Signature based virus detection and protection system


Page 18: Signature based virus detection and protection system


Page 19: Signature based virus detection and protection system
