Monday, September 28, 2009

Computer Viruses-(Melissa, Code Red Virus, & Conficker Worm)

  1. Melissa Virus or Melissa Worm

  • also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus. As it is not a standalone program, it is not in fact a worm.
  • First found on March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the virus.
  • was not originally designed for harm, but it overloaded servers and caused unplanned problems.
  • was first distributed in the Usenet discussion group alt.sex.
  • was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites.
  • original form was sent via e-mail to many people.

CREATED BY OR MADE BY:

Virus specifications

  • Melissa can spread on word processors Microsoft Word 97 and Word 2000 and also Microsoft Excel 97, 2000 and 2003.
  • It can mass-mail itself from e-mail client Microsoft Outlook 97 or Outlook 98.
    If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass mail itself.
    When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.
  1. Melissa.U
    This variant also deletes critical files. Before deleting the files, it strips them of their archive, hidden, and read-only attributes:
    C:\Command.com
    C:\IO.SYS
    C:\Ntdetect.com
    C:\Suhdlog.dat
    D:\Command.com
    D:\Io.sys
    D:\Suhdlog.dat
  2. Melissa.V
  • This is another variant of the original Melissa macro virus, and is akin to Melissa.U.
  • It uses Microsoft Outlook, and tries to send itself to the first 40 addresses in Outlook's address book.
  • The subject line of the infected e-mail sent out is: "My Pictures (<name>)", where <name> is the name to whom the sender's copy of Microsoft Word is registered.
  • There is also a variant of the virus named Melissa.V/E which is known to seek and destroy Microsoft Excel documents, randomly deleting sets of data from files, or, at the worst, making them completely useless by applying a set of malicious Macro code. To simplify the code, the author has encrypted only a vectorial search pattern in it, so the virus can only delete linear sets of data, usually random rows or columns in a table. It also has a search parameter that makes it go only for unique sets of data, known to cause more damage.
    A later edit of this variant makes backup copies of the destroyed files, and asks for a ransom of $100 to be transferred into an offshore account in return for the files. The account has been traced back to the owner. Due to a malfunction in code, in less than 1% of cases the code still makes copies.
  • This virus was rendered obsolete when it was discovered that it leaves visible traces in the Windows Registry, providing enough data to ensure its destruction and the retrieval of stolen data.
  • A special version of this variant also modifies the backed-up data, fooling the user even more.
  • It searches for numeric data inside the files, and then, with the help of a random number generator, slightly modifies the data, not visibly, but making it useless.
    There is no body to the email, but there is an infected document attached. If this is opened, the payload is triggered immediately.
  • It tries to delete data from the following (local or network) destinations: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z:.
    Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".

3. Melissa.W

  • This is the same as Melissa.A.

4. Melissa.AO

  • This is what the e-mails from this version contain:

Subject: Extremely URGENT: To All E-Mail User
Attachment:
Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.

Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month. The payload consists of the virus inserting the following string into the document: "Worm! Let's We Enjoy."

2. Code Red (computer worm)

  • was a computer worm observed on the Internet on July 13, 2001.
  • It attacked computers running Microsoft's IIS web server.
  • was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh, who named it Code Red because they were drinking Pepsi's Mountain Dew Code Red over the weekend they analyzed it and because of the worm's references to China.
  • Specifically, the worm code contained the phrase "Hacked By Chinese!", with which the worm defaced websites.
  • Although it had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On that day, the number of infected hosts reached 359,000.
  • On August 4, 2001 Code Red II appeared.

Code Red II

  • is a variant of the original Code Red worm.
  • Although it uses the same injection vector, it has a completely different payload.
  • It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not.
  • it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
    eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).

How it worked

  1. Exploited vulnerability
  • The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.
  • The worm spread itself using a common type of vulnerability known as a buffer overflow.
  • It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

2. Worm payload

The payload of the worm included:

  1. defacing the affected web site to display:
     HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
     (The last sentence became a meme to indicate an online defeat.)
  2. trying to spread itself by looking for more IIS servers on the Internet.
  3. waiting 20–27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.

When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs from this time frequently had entries such as this:

    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNN
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
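As an added example (not from the original post), a small Python log scanner that flags the request pattern quoted above in Apache-style access logs and tells the 'N' filler of Code Red from the 'X' filler of Code Red II. The log lines it runs on are constructed, with addresses from the documentation IP ranges; the 50-character filler threshold is an assumption.

```python
import re
from typing import Dict, List, Optional

# The %u-encoded tail of the request recorded in the log entry quoted above.
CODE_RED_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample access-log lines (Apache combined style, documentation
# IP ranges): one Code Red probe, one Code Red II probe, two ordinary requests.
# A 404 is what a non-IIS server such as Apache answers with.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [19/Jul/2001:10:23:41 +0000] "GET /default.ida?'
    + "N" * 224 + CODE_RED_TAIL + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [04/Aug/2001:03:12:05 +0000] "GET /default.ida?'
    + "X" * 224 + CODE_RED_TAIL + ' HTTP/1.0" 404 276',
    '203.0.113.4 - - [19/Jul/2001:10:24:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.4 - - [19/Jul/2001:10:24:03 +0000] "GET /default.ida?x=1 HTTP/1.1" 404 276',
])

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# /default.ida followed by a long run (50 or more) of one repeated filler character.
FILLER_RE = re.compile(r'^/default\.ida\?(?P<ch>[NX])(?P=ch){49,}')
# Three or more consecutive %uXXXX escapes, the non-standard encoding the
# worm used for the bytes that follow the filler.
UNICODE_ESCAPES_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){3,}')

VARIANT_BY_FILLER = {"N": "Code Red", "X": "Code Red II"}


def classify_target(target: str) -> Optional[str]:
    """Return the variant name if the request target looks like a Code Red probe."""
    m = FILLER_RE.match(target)
    if m is None:
        return None
    if UNICODE_ESCAPES_RE.search(target) is None:
        return None  # filler without the encoded tail: not the pattern quoted above
    return VARIANT_BY_FILLER[m.group("ch")]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line and keep only the requests classified as probes."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m is None:
            continue
        variant = classify_target(m.group("target"))
        if variant is None:
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "variant": variant, "status": m.group("status")})
    return hits


def probes_per_source(text: str) -> Dict[str, int]:
    """Count probes by source address, which is what you would feed a blocklist."""
    counts: Dict[str, int] = {}
    for hit in scan_log(text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} -> {hit["variant"]} (HTTP {hit["status"]})')
```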

3. Conficker worm

  • also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.
  • uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
  • the name Conficker is thought to be a portmanteau of the English term "configure" and the German word Ficker, which means "fucker."
  • Microsoft analyst Joshua Phillips described the name as a rearrangement of portions of the domain name trafficconverter.biz, which was used by early versions of Conficker to download updates.
  • The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta.
  • While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009.
  • Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009.
  • A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares.
  • These were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million.
  • Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker. Recent estimates of the number of infected computers have been more notably difficult because of changes in the propagation and update strategy of recent variants of the worm.
  • It is spreading through networks at alarming rates.
  • Its weapon: exploiting a vulnerability called MS08-067 in Windows 2000, XP, and Server 2003.
  • It spreads via the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

Operation

  • Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the worm's combined use of so many has made it unusually difficult to eradicate.
  • The worm's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities.
  • Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.

Initial infection

  • Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer.
  • On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe.
  • Variants B and later may attach instead to a running services.exe or Windows Explorer process.
  • Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
  • Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.
  • To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.

Payload propagation

  • The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the worm to update itself to newer variants, and to install additional malware.
  • Variant A generates a list of 250 domain names every day across five TLDs.
  • The domain names are generated from a pseudo-random number generator seeded with the current date to ensure that every copy of the worm generates the same names each day. The worm then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
  • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
    To counter the worm's use of pseudorandom domain names, Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains.
  • Variant D counters this by generating daily a pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics.
  • This new pull mechanism (which was disabled until April 1) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the worm's peer-to-peer network.
  • The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial of service attack (DDoS) on sites serving those domains.
  • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
  • Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability.
  • Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
  • Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the worm is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads.
  • To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.

Once this virus infects a computer it does a number of things including:

  • Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
  • Deletes the user's Restore Points.
  • Registers a service called Netsvcs.
  • Creates scheduled tasks that execute all of the DLL files.
  • Creates its own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
  • Creates an Autorun.inf file in file shares to execute the worm files once the share is accessed by another computer.
  • Connects to external sites to download additional files.

Symptoms

  1. Account lockout policies being reset automatically.
  2. Domain controllers responding slowly to client requests.
  3. Congestion on local area networks (ARP flood as consequence of network scan).
  4. Web sites related to antivirus software or the Windows Update service becoming inaccessible.
  5. User accounts locked out

Response

Armoring

  • To prevent payloads from being hijacked, variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key.
  • The hash is then RSA-signed with a 1024-bit private key.
  • The payload is unpacked and executed only if its signature verifies with a public key embedded in the worm.
  • Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.

Self-defense

End action

  • Variant E of the worm was the first to use its base of infected computers for an ulterior purpose.
  • It downloads and installs, from a web server hosted in Ukraine, two additional payloads:
  1. Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.
  2. SpyProtect 2009, a scareware anti-virus product.

Removal and detection

  • Microsoft has released a removal guide for the worm, and recommends using the current release of its Windows Malicious Software Removal Tool to remove the worm, then applying the patch to prevent re-infection.

Third-parties

Automated remote detection

  • On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.
  • The peer-to-peer command protocol used by variants D and E of the worm has since been partially reverse-engineered, allowing researchers to imitate the worm network's command packets and positively identify infected computers en masse.
    Signature updates for a number of network scanning applications are now available, including Nmap and Nessus.
  • It can also be detected passively by sniffing the broadcast domain for repeated ARP requests.
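An added example, not part of the original post: a Python script that implements the passive check just described over tcpdump -n style ARP lines (constructed here, not a real capture). It flags hosts that ask for many distinct addresses within a short window and measures how sequential the swept addresses are, the pattern behind the ARP-flood symptom listed earlier. The window and threshold defaults are assumptions to tune for a real network.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed tcpdump-style ARP lines (not a real capture): 10.0.0.17 asks for
# 10.0.0.1 through 10.0.0.12 one after another, the sweep behaviour behind the
# "repeating ARP requests" symptom, while 10.0.0.3 makes two ordinary requests.
SAMPLE_ARP = "\n".join(
    [f"10:15:{i:02d}.000000 ARP, Request who-has 10.0.0.{i + 1} tell 10.0.0.17, length 28"
     for i in range(12)]
    + [
        "10:15:04.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.3, length 28",
        "10:15:04.600000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28",
        "10:15:09.000000 ARP, Request who-has 10.0.0.17 tell 10.0.0.3, length 28",
    ]
)

ARP_REQUEST_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) ARP, Request "
    r"who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(text: str) -> Dict[str, List[Tuple[float, str]]]:
    """Group (seconds since midnight, target) pairs by the requesting host."""
    by_sender: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in text.splitlines():
        m = ARP_REQUEST_RE.match(line)
        if m is None:
            continue  # replies and non-ARP lines are ignored
        t = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
             + int(m["us"]) / 1_000_000)
        by_sender[m["sender"]].append((t, m["target"]))
    for events in by_sender.values():
        events.sort()
    return by_sender


def max_distinct_targets(events: List[Tuple[float, str]], window: float) -> int:
    """Largest number of distinct targets one host asked for within `window` seconds."""
    counts: Dict[str, int] = defaultdict(int)
    best = start = 0
    for t, target in events:
        counts[target] += 1
        while events[start][0] < t - window:  # slide the window forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def sequential_fraction(targets: List[str]) -> float:
    """Share of adjacent (sorted) distinct targets that differ by exactly one address."""
    ints = sorted(int(ipaddress.IPv4Address(t)) for t in set(targets))
    if len(ints) < 2:
        return 0.0
    pairs = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return pairs / (len(ints) - 1)


def find_arp_scanners(text: str, window: float = 30.0,
                      threshold: int = 8) -> Dict[str, Dict[str, float]]:
    """Hosts that asked for `threshold` or more distinct addresses inside `window` seconds."""
    result: Dict[str, Dict[str, float]] = {}
    for sender, events in parse_arp_requests(text).items():
        distinct = max_distinct_targets(events, window)
        if distinct >= threshold:
            result[sender] = {
                "distinct_targets": distinct,
                "sequential_fraction": sequential_fraction([t for _, t in events]),
            }
    return result


if __name__ == "__main__":
    for host, info in find_arp_scanners(SAMPLE_ARP).items():
        print(f"{host}: {info['distinct_targets']} targets, "
              f"{info['sequential_fraction']:.0%} sequential")
```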

The action or response of US-CERT

  • The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media.
  • Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively.
  • US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.

From that time on.....

  • ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator.
  • Those which have taken action include:
  1. On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.
  2. On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the worm over the next 12 months.
  3. On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group.
  4. On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."
  5. On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the worm over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.
  6. On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the worm.
  • By mid-April all domain names generated by the Conficker.A variant had been successfully blocked, rendering its update mechanism ineffective.

Wednesday, September 23, 2009

Computer Virus-(NIMDA & ILOVEYOU VIRUS)

    1. NIMDA VIRUS

    · is a computer worm, and is also a file infector.
    · It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red.
    · Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes.
    · The worm was released on September 18, 2001. Due to the release date, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.
    · affected both user workstations (clients) running Windows 95, 98, Me, NT, 2000 or XP and servers running Windows NT and 2000.
    · The worm's name spelled backwards is "admin". F-Secure found the text[2] "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code.
    · one of the more complex virus/worm constructs released.
    · It infects files, spreads itself via E-mail, spreads via Web sites, and spreads via local area network exploits.
    · It infects all versions of Windows from Win95 through Win2000 as well as Microsoft's IIS.
    · credited with several "firsts" in its infection techniques.
    · It is the first beast to infect .EXE files by embedding them into itself as a resource.
    · It also infects Web pages so unsecured browsers will infect upon viewing the Web page.
    · the first worm to use any user's computer to scan a network for vulnerable machines behind a firewall to attack (in the past only infected servers did that).

    Methods of infection

    Nimda uses five different infection vectors:
    1) e-mail
    2) open network shares
    3) browsing of compromised web sites
    4) exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (both Code Red and Nimda were hugely successful exploiting well-known and long-solved vulnerabilities in the Microsoft IIS server)
    5) back doors left behind by the "Code Red II" and "sadmind/IIS" worms

    Nimda uses these methods to spread:
    1) from client to client through E-mail and an infected .EXE file
    2) from client to client through open network shares
    3) from web server to client through browsing of compromised Web sites
    4) from client to Web server through active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
    5) from client to Web server through scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms.

    · File Infection

    In one mode, it acts like any standard file infector, with a new twist. It searches for .EXE files and adds them to itself as a resource. When an infected .EXE file on a server is downloaded, it spreads the beast. If the file is on a local computer, sharing that file can also spread the beast. When an infected file is run, the worm extracts the original program and runs it. It attempts to delete this file after it finishes but cannot always do this. In that instance it creates WININIT.INI with commands to delete the file the next time Windows starts.

    Nimda finds .EXE files to infect by searching the keys
    1) [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths]
    2) [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    and all their subkeys. Strangely, WINZIP32.EXE is not infected.

    · E-mail Worm

    It searches your E-mail client address book(s) and HTML files on your computer for E-mail addresses and then sends itself to these addresses in an attached file. An E-mail from the worm comes as a "multipart/alternative" message with two sections. The first is defined as MIME type "text/html", but contains no text (the message appears empty).
    The second is defined as MIME type "audio/x-wav", but contains a base64-encoded attachment named README.EXE, which is a program. Many users can be tricked into opening such attachments, and any mail software running on Windows that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the attachment and infects the machine (both bad practices!). Nimda uses its own SMTP server to send E-mail messages.

    · Web Worm

    Using one of the known exploits listed above, it scans the Internet for Microsoft IIS Web servers. When a server is found, if it has open security holes, the worm enters and modifies random Web pages on the server (as well as .EXE files found on the server). The modifications allow the worm to spread to users simply browsing the infected site. To do this, it searches drives for .HTML, .ASP, and .HTM files. When found, it adds a small JavaScript snippet to the end of the files. This code opens a file named README.EML when loaded by a Web browser. README.EML is another form of the worm (MIME-encoded) deposited into the directories where the .HTML files were found. Browsers not patched (see the MIME exploit above) will automatically execute this file with no user input. Users will not see the worm running, as it runs in a minimized window.

    · File Share Propagation

    Infected computers on a local network will search for other computers with open file shares. When found, it will transfer a hidden/system file (RICHED20.DLL) onto the other computer in any directory where .DOC or .EML files are found. After that, if any of these files are opened in Word, WordPad, or Outlook, the hidden RICHED20.DLL file will also be automatically executed. This will infect that computer. It will try to replace the Windows RICHED20.DLL master file and will place .EML (and sometimes .NWS) files into folders it accesses.

    NIMDA RUNS IN EVERY PERSONAL COMPUTER
    Nimda usually shows up as a README.EXE attachment to an E-mail, but can show up as any .EXE file with over five characters in the rootname.
    1) first copies itself to a temporary directory with a random name of the form MEP*.TMP (where * represents random characters).
    2) It then runs itself from that folder using the command line option "-dontrunold".
    3) The first thing the launcher does when running is to see if it has enough resources to run the main worm.
    4) If so, it extracts itself from the infected .EXE file and executes. Using the current time and some arithmetic operations the worm determines if it can delete files from the temporary folder.
    5) Once that is done, the worm builds its primary infection tool: a MIME-encoded copy of itself and a multi-part message that it can be attached to.
    6) This latter is given a random name and stored in a temporary directory. Now it's ready to get to work.
    7) Nimda next looks for the process called "Explorer."
    8) It opens this process and assigns itself to a remote thread under Explorer.
    9) If that fails the worm uses API information to get needed information about the local computer. Then, it rests.
    10) When it wakes up Nimda checks to see what operating system it's running on.
    11) If NT-based, it compacts itself and copies itself out to LOAD.EXE in the Windows\System folder. The SYSTEM.INI file is then modified to start with the shell EXPLORER.EXE (as usual) but with "LOAD.EXE - dontrunold" as well. This assures the worm will run at each system start.
    12) the worm copies itself to RICHED20.DLL, also in the System folder, and sets the file to hidden and system.
    13) When this is already done Nimda looks for shared network resources and starts to scan files on remote computers. Here it's looking for .DOC and .EML files and, when found, RICHED20.DLL is copied to their directory so it will be run when an OLE component is needed on the remote computer.
    14) Nimda then starts the infection process on the remote computer.
    15) While looking around the remote computer Nimda also copies infected .EML and (sometimes) .NWS files with names similar to HTML files already found on that remote computer. These files can also infect the remote computer if accessed.
    16) Using the IP address of the infected computer, the worm searches for IIS servers to infect using a known backdoor (a patch is available, see the notes at the start of this page). The idea is that if the current computer is not properly protected then other local computers may not be as well so 50% of the probes (approximately) will be using near-by IP addresses.
    Some other things the worm does...
    1) It modifies the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer seen. This hides the worm in Explorer.
    2) It adds the account "guest" to an infected system and gives it Administrator and Guests group privileges. Using this it shares the C:\ drive with full access privileges.
    3) It deletes subkeys from the key [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] which effectively disables sharing security.

    2. I LOVE YOU VIRUS

    • was a computer worm that hit numerous computers in 2000, when it was sent as an attachment to an email message with the text "ILOVEYOU" in the subject line.
    • The worm arrived in e-mail boxes on May 4, 2000, with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs".
    • Upon opening the attachment, the worm sent a copy of itself to everyone in the user's address list, posing as the user.
    • It also made a number of malicious changes to the user's system.
    • Such propagation mechanism had been well known (though in IBM mainframe rather than in the MS Windows environment) and used already in the Christmas Tree EXEC of 1987, which brought down a large fraction of the world's mainframes at the time.
    • The newly discovered "I Love You" virus that swept through banks, securities firms, and Web companies in the United States Thursday and later spawned copycat viruses has proved in large part to be more of an annoyance than a costly disruption of business.
    • The virus did cause damage, however, at companies that make heavy use of multimedia files, such as magazines and advertising agencies, because it overwrites picture files with "jpg" extensions and MP3 music files.
    • VBS/LoveLetter is a VBScript worm that uses Microsoft Outlook and mIRC clients to spread. It spread faster than the Melissa virus. It causes heavy e-mail traffic and brings down many mail servers. The new variant VBS/NewLove carries a deadly payload and will damage all files in the system.

    Two aspects of the worm made it effective:

    • It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
    • It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment; the underlying mechanism – VBScript – had not been exploited to such a degree previously to direct attention to its potential, thus the necessary layers of protection were not yet in place.
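An added example (not from the original post) that serves both the Nimda e-mail layout described earlier and the ILOVEYOU attachment above: a Python check, standard library only, that flags a message for quarantine when an attachment's extension is executable, is disguised behind a document extension, or contradicts the declared MIME type, or when an attachment rides inside a multipart/alternative message with an empty text part. The sample messages are constructed and carry only a base64-encoded placeholder string; the extension lists are assumptions.

```python
import email
from email import policy
from typing import List

# Extensions Windows will run as a program or script when the attachment is opened.
RISKY_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                    "js", "jse", "wsh", "hta", "sct"}
# Harmless-looking inner extensions used to disguise a risky outer one (".TXT.vbs").
DOCUMENT_EXTENSIONS = {"txt", "doc", "jpg", "jpeg", "gif", "mp3", "pdf", "htm", "html"}
MEDIA_MAINTYPES = {"audio", "image", "text", "video"}

# Constructed sample messages (no real worm content; the attachment body is the
# base64 of "not a real program"). The first copies the Nimda layout: a
# multipart/alternative message, an empty text/html part, and README.EXE
# declared as audio/x-wav. The second copies the ILOVEYOU attachment name.
NIMDA_STYLE = """\
From: sender@example.test
To: recipient@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="part-1"

--part-1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

--part-1
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="README.EXE"

bm90IGEgcmVhbCBwcm9ncmFt
--part-1--
"""

LOVELETTER_STYLE = """\
From: sender@example.test
To: recipient@example.test
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-2"

--part-2
Content-Type: text/plain; charset="us-ascii"

kindly check the attached file.
--part-2
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

bm90IGEgcmVhbCBwcm9ncmFt
--part-2--
"""


def audit_message(raw: str) -> List[str]:
    """Return the reasons (empty if none) for quarantining a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    alternative_root = msg.get_content_type() == "multipart/alternative"
    empty_text_part = attachment_seen = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            # A displayable part with no content: the "message appears empty" trick.
            if part.get_content_maintype() == "text" and not part.get_content().strip():
                empty_text_part = True
            continue
        attachment_seen = True
        pieces = filename.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{filename}: executable or script attachment (.{ext})")
            if len(pieces) > 2 and pieces[-2] in DOCUMENT_EXTENSIONS:
                findings.append(f"{filename}: deceptive double extension")
            if part.get_content_maintype() in MEDIA_MAINTYPES:
                findings.append(f"{filename}: declared {part.get_content_type()} "
                                f"but carries a .{ext}")
        if alternative_root:
            findings.append(f"{filename}: attachment hidden inside multipart/alternative")
    if attachment_seen and empty_text_part:
        findings.append("empty message body with an attachment")
    return findings


if __name__ == "__main__":
    for name, raw in (("Nimda-style", NIMDA_STYLE), ("LoveLetter-style", LOVELETTER_STYLE)):
        print(name, audit_message(raw))
```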

    CREATORS / MAKERS OF I LOVE YOU VIRUS

    • The alleged authors of the worm were reported to be Filipinos.
    • Siblings Irene and Onel de Guzman of Manila; Irene's boyfriend, Reomel Lamores, who was briefly held in May 2000 in connection with the worm outbreak; and Michael Buenafe, a fellow student of de Guzman at AMA.
    • Onel finally came forward but denied writing the worm, although he said he may have inadvertently been responsible for its release.
    • As there were no laws in the Philippines against malware-writing at the time, he was released and in August the prosecutors dropped all charges against him.
    • The original charges brought up against him dealt with the illegal use of passwords for credit card and bank transactions.

    Architecture of the Worm

    • The virus is written using Microsoft Visual Basic Scripting (VBS), and requires that the end-user run the script in order to deliver its payload.
    • It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.
    • The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC, *.HTA with copies of itself, while appending a .VBS extension to the file name.
    • The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.
    • The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book.
    • It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe".
    • This is a password-stealing program which will e-mail cached passwords.

    Effects

    • The worm began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong-Kong to Europe to the United States), causing about $5.5 billion in damage.
    • By 13 May 2000, 50 million infections had been reported.
    • Most of the "damage" was the labor of getting rid of the worm.
    • The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm, as did most large corporations.
    • This particular malware caused widespread damage.
    • The worm overwrote important files, as well as music, multimedia and more, with a copy of itself.
    • It also sent the worm to everyone on a user's contact list.
    • Because it was written in Visual Basic Script, this particular worm only affected computers running the Microsoft Windows operating system. While any other computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.

    How did the ILOVEYOU virus spread?

    • Its massive spread moved westward, arriving in offices in the form of e-mail messages. Because the worm used the victim's address book as its source of targets, the messages often appeared to come from an acquaintance and might be considered "safe", which gave recipients further incentive to open them. All it took was a few users at each site opening the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.
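    Two controls follow directly from the spreading mechanism described above: a mail gateway can refuse script attachments, including those disguised behind a document or image extension, and it can notice a single sender suddenly addressing a whole address book. The script below is an added example, not code from the original post; it builds a constructed MIME message and a constructed outbound-mail log with Python's standard library and applies both checks. The script-extension list is an assumed gateway policy drawn from the extensions the worm targeted, the burst threshold of 50 recipients per minute is an assumed value, and the log line format (`timestamp sender recipient`) is invented for the example.

```python
import email
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Assumed gateway policy: attachment types treated as executable scripts.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}


def build_sample_message(attachment_name: str) -> bytes:
    """Constructed sample message with one attachment; the payload is placeholder text."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "kindly check the attached"
    msg.set_content("please see the attachment")
    msg.add_attachment(b"constructed placeholder, not a script",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment whose final extension is a script type.

    A second, inner extension (photo.jpg.vbs) is reported separately because it
    is the disguise the worm relied on.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = Path(name.lower()).suffixes
        if suffixes and suffixes[-1] in SCRIPT_EXTENSIONS:
            reason = "script attachment"
            if len(suffixes) > 1:
                reason += f" disguised with inner extension {suffixes[-2]}"
            findings.append(f"{name}: {reason}")
    return findings


def burst_senders(log_lines, threshold: int = 50) -> dict:
    """Count distinct recipients per sender per minute; return senders at or over threshold.

    Each constructed log line is "<ISO timestamp> <sender> <recipient>".
    """
    per_minute = defaultdict(set)
    for line in log_lines:
        ts, sender, rcpt = line.split()
        per_minute[(sender, ts[:16])].add(rcpt)   # ts[:16] truncates to the minute
    return {sender: len(rcpts)
            for (sender, _minute), rcpts in per_minute.items()
            if len(rcpts) >= threshold}


def build_sample_log() -> list:
    """Constructed outbound log: one host mailing 60 contacts in a minute, one normal user."""
    lines = [f"2000-05-04T09:00:{i % 60:02d} alice@example.com user{i}@example.com"
             for i in range(60)]
    lines += ["2000-05-04T09:00:05 bob@example.com carol@example.com",
              "2000-05-04T09:00:09 bob@example.com dave@example.com"]
    return lines


if __name__ == "__main__":
    for name in ["photo.jpg.vbs", "macro.vbs", "photo.jpg"]:
        print(name, "->", scan_message(build_sample_message(name)) or "clean")
    print("burst senders:", burst_senders(build_sample_log()))
```

The attachment check keys on the last extension only, so `photo.jpg.vbs` is caught regardless of how the inner name is dressed up, while `photo.jpg` passes. The burst check is deliberately per-minute and per-sender: an infected workstation mailing its whole address book stands out against ordinary users, which is the signal that lets a gateway quarantine one host instead of shutting down the whole mail system as the organisations listed above had to.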

    TO BE CONTINUED...........

    Tuesday, September 22, 2009

    Computer Viruses-Introduction

    Computer Virus

    The bottom line is that computer viruses are harmful, a "HEADACHE MAKER", and dangerous, especially for anyone who owns a computer. They are similar to the viruses, bacteria and diseases that attack humans: little by little they drain your strength, destroy your muscles or other body parts, suck your blood out and leave you fainting. Here is a historical timeline of these computer viruses...

    1970-1979

    1971

    The Creeper virus was an experimental self-replicating program written by Bob Thomas at BBN in 1971. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.

    1974

    The Wabbit virus was not really a virus but more of a fork bomb, a program that multiplies copies of itself on a single computer, named for the speed at which it clogged the system with copies of itself, reducing system performance, before reaching a threshold and crashing.

    1974/1975

    John Walker writes ANIMAL for the UNIVAC 1108, which asked a number of questions to the user in an attempt to guess the type of animal that the user was thinking of. When run, the related program PERVADE would also create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structure, and to not copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".

    1980-1989
    1980

    Jürgen Kraus wrote his master thesis "Selbstreproduktion bei Programmen" (self-reproduction of programs).

    1981

    A program called Elk Cloner, written for Apple II systems, was created by Richard Skrenta. The Apple II was seen as particularly vulnerable because its operating system was stored on floppy disk. Elk Cloner's design combined with public ignorance about what malware

    1983

    The term 'virus' is coined by Frederick Cohen in describing self-replicating computer programs. In 1984 Cohen uses the phrase "computer virus" – as suggested by his teacher Leonard Adleman – to describe the operation of such programs in terms of "infection". He defines a 'virus' as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." November 10, 1983, at Lehigh University, Cohen demonstrates a virus-like program on a VAX11/750 system. The program was able to install itself to, or infect, other system objects.

    1984

    Ken Thompson publishes "Reflections on Trusting Trust", a theoretical paper which describes how a virus can be inserted into a program's object code, when the virus itself cannot be found in the source code.

    1986

    January: The Brain boot sector virus (aka Pakistani flu) is released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani, Pakistani Brain, as it was created in Lahore, Pakistan by 19 year old Pakistani programmer, Basit Farooq Alvi, and his brother, Amjad Farooq Alvi.
    December 1986: Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.

    1987

    Appearance of the Vienna virus, which was subsequently neutralized--the first time this had happened on the IBM platform.
    Appearance of Lehigh virus, boot sector viruses such as Yale from USA, Stoned from New Zealand, Ping Pong from Italy, and appearance of first self-encrypting file virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and has never been found elsewhere as a result. A subsequent infection of Cascade in the offices of IBM Belgium led to IBM responding with its own antivirus product development. Prior to this, antivirus solutions developed at IBM were intended for staff use only.
    October: The Jerusalem virus, part of the (at that time unknown) Suriv family, is detected in the city of Jerusalem. Jerusalem destroys all executable files on infected machines upon every occurrence of Friday the 13th (except Friday 13 November 1987 making its first trigger date May 13, 1988). Jerusalem caused a worldwide epidemic in 1988.
    November: The SCA virus, a boot sector virus for Amigas appears, immediately creating a pandemic virus-writer storm. A short time later, SCA releases another, considerably more destructive virus, the Byte Bandit.
    December: Christmas Tree EXEC was the first widely disruptive replicating network program, which paralysed several international computer networks in December 1987.

    1988

    June: The Festering Hate Apple ProDOS virus spreads from underground pirate BBS systems and starts infecting mainstream networks.
    November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

    1989

    October 1989: Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason.

    1990-1999

    1990

    Mark Washburn, working on an analysis of the Vienna and Cascade viruses with Ralf Burger, develops the first family of polymorphic viruses: the Chameleon family. The Chameleon series debuted with the release of 1260.

    1992

    Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped according to mass media hysteria surrounding the virus. Later assessments of the damage showed the aftermath to be minimal.

    1993

    "Leandro & Kelly" and "Freddy Krueger" spread quickly due to popularity of BBS and shareware distribution.

    1995

    The "Concept virus", the first macro virus, is created; it attacked Microsoft Word documents.

    1996

    "Ply", a complicated 16-bit DOS-based polymorphic virus with a built-in permutation engine, appeared.

    1998

    June 2: The first version of the CIH virus appears.

    1999

    Jan 20: The Happy99 worm invisibly attached itself to emails. Displayed fireworks to hide changes being made and wished you a happy new year. Modified system files related to Outlook Express and Internet Explorer on Windows 95 and Windows 98.
    March 26: The Melissa worm is released, targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic.
    June 6: The ExploreZip worm, which destroys Microsoft Office documents, is first detected.
    December 16: Sub7, or SubSeven, is the name of a popular backdoor program. It is mainly used for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger.

    2000 and later
    2000

    May: The ILOVEYOU worm appears. As of 2004 this was the most costly virus to businesses, causing upwards of 5.5 to 10 billion dollars in damage. The backdoor trojan to the worm, Barok, was created by Filipino programmer Onel de Guzman; it is not known who created the attack vector or who (inadvertently?) unleashed it; de Guzman himself denies being behind the outbreak although he suggests he may have been duped by someone using his own Barok code as a payload.

    2001

    May 8: The Sadmind worm spreads by exploiting holes in both Sun Solaris and Microsoft IIS.
    July: The Sircam worm is released, spreading through Microsoft systems via e-mail and unprotected network shares.
    July 13: The Code Red worm attacking the Index Server ISAPI Extension in Microsoft Internet Information Services is released.
    August 4: A complete re-write of the Code Red worm, Code Red II begins aggressively spreading onto Microsoft systems, primarily in China.
    September 18: The Nimda worm is discovered and spreads through a variety of means including vulnerabilities in Microsoft Windows and backdoors left by Code Red II and Sadmind worm.
    October 26: The Klez worm is first identified.

    2002

    Beast is a Windows-based backdoor trojan horse, more commonly known in the underground cracker community as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows OS versions, i.e. 95 through XP. Written in Delphi and first released by its author Tataye in 2002, its most current version was released October 3, 2004.
    August 30: Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.

    2003

    January 24: The SQL slammer worm, aka Sapphire worm, Helkern and other names, attacks vulnerabilities in Microsoft SQL Server and MSDE and causes widespread problems on the Internet.
    April 2: Graybird is a Trojan also known as Backdoor.Graybird.
    June 13: ProRat is a Turkish-made Microsoft Windows based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool).
    August 12: The Blaster worm, aka the Lovesan worm, rapidly spreads by exploiting a vulnerability in system services present on Windows computers.
    August 18: The Welchia (Nachi) worm is discovered. The worm tries to remove the Blaster worm and patch Windows.
    August 19: The Sobig worm (technically the Sobig.F worm) spreads rapidly through Microsoft systems via mail and network shares.
    October 24: The Sober worm is first seen on Microsoft systems and maintains its presence until 2005 with many new variants. The simultaneous attacks on network weakpoints by the Blaster and Sobig worms cause massive amounts of damage.

    2004

    Late January: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm.
    March 19: The Witty worm is a record-breaking worm in many regards. It exploited holes in several Internet Security Systems (ISS) products. It was the fastest disclosure to worm, it was the first internet worm to carry a destructive payload and it spread rapidly using a pre-populated list of ground-zero hosts.
    May 1: The Sasser worm emerges by exploiting a vulnerability in LSASS and causes problems in networks, while removing MyDoom and Bagle variants, even interrupting business.
    August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor Trojan Horse that infects Windows NT family systems (Windows 2000, XP, 2003).
    August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan Horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.
    October 12, 2004: Bifrost, also known as Bifrose, is a backdoor trojan which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attack.
    December: Santy, the first known "webworm" is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40000 sites before Google filtered the search query used by the worm, preventing it from spreading.

    2005

    August 16: The Zotob worm and several variations of malware are discovered on Microsoft systems. The effect was overblown because several United States media outlets were infected.
    October 13: The Samy XSS worm becomes the fastest spreading virus by some definitions as of 2006.
    October 31: Sony BMG was found to have purposefully infected music CDs with a rootkit in an attempt to prevent illegal copying of music.
    Late 2005: The Zlob Trojan, also known as Trojan.Zlob, is a trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005.
    2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / Kernel Patching to bypass the firewall, and allow the server component to hijack processes and gain rights for accessing the Internet.

    2006

    January 20: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.
    February 16: discovery of the first-ever malware for Mac OS X, a low-threat trojan-horse known as OSX/Leap-A or OSX/Oompa-A, is announced.
    Late September: Stration or Warezov worm first discovered.

    2007

    January 17: Storm Worm identified as a fast spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and the botnet comprised between 1 and 10 million computers by September. Thought to have originated from Russia, it disguises itself as a news email about bogus news stories, asking you to download the attachment, which it claims is a film.

    2008

    January 17: MacSweeper is the first known rogue software for Mac OS X.
    February 17: Mocmex is a trojan, which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame. The virus was traced back to a group in China.
    March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse which affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.
    May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.
    July 6: Bohmini.A is a configurable remote access tool or trojan that exploits security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.
    July 31: The Koobface computer worm targets users of Facebook and Myspace.
    November 21: Computer worm Conficker infects anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. The French Navy, UK Ministry of Defence (including Royal Navy warships and submarines), Sheffield Hospital network, German Bundeswehr and Norwegian Police were all affected. Microsoft sets a bounty of $250,000 USD for information leading to the capture of the worm's author(s). Five main variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.

    2009

    July 4: The July 2009 cyber attacks occur, with the emergence of W32.Dozer, which attacks the United States and South Korea.

    C O N T I N U E. . . . . . . . .