[-{}-ANTIVIRUS-{}-]
===========================================================
----------------------------------------------------------------------------------------------------------
Viruses can be divided into classes according to the following characteristics:
- environment
- operating system (OS)
- operating algorithm
- destructive capabilities
Do not forget that other "harmful" programs, so-called "malware" such as Trojan horses, also exist.
According to the ENVIRONMENT, viruses can be divided into the following:
Virus Types :
The majority of viruses fall into five main classes:
Boot-sector:
Boot sector viruses infect the boot sector or partition table of a disk.
Computer systems are most likely to be attacked by boot sector viruses when you boot the system with an infected disk from the floppy drive - the boot attempt does not have to be successful for the virus to infect the hard drive.
Also, there are a few viruses that can infect the boot sector from executable programs;
these are known as multi-partite viruses and they are relatively rare.
Once the system is infected, the boot sector virus will attempt to infect every disk that is accessed by that computer.
In general, boot sector viruses can be successfully removed.
File-infector:
File infecting viruses infect executable programs (generally, files that have extensions of .com or .exe).
Most such viruses simply try to replicate and spread by infecting other host programs -
but some inadvertently destroy the program they infect by overwriting some of the original code.
There is a minority of these viruses that are very destructive and attempt to format the hard drive
at a pre-determined time or perform some other malicious action.
In many cases, a file-infecting virus can be successfully removed from the infected file.
If the virus has overwritten part of the program's code, the original file will be unrecoverable.
Multi-partite:
Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.
Macro:
Macro viruses were the most prevalent viruses during the late 1990s and early 2000s.
Unlike other virus types, macro viruses aren't specific to an operating system and spread with ease via email attachments,
floppy disks, Web downloads, file transfers, and cooperative applications.
Macro viruses are written in "every man's programming language" – Visual Basic – and are relatively easy to create.
They can infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted.
Worm:
A computer worm is a self-contained program (or set of programs) that is able to spread
functional copies of itself or its segments to other computer systems.
The propagation usually takes place via network connections or email attachments.
---------------------------------------------------------------------------------------------------------------------
File viruses either infect executables in various ways (parasitic - the most common type of viruses),
or create file doubles (companion viruses), or use file-system specific features (link viruses).
Boot viruses either save themselves in a disk boot sector or to the Master Boot Record,
or change the pointer to an active boot sector.
Macro-viruses infect document files, electronic spreadsheets and databases of several popular software packages.
Network viruses use the protocols and commands of a computer network or e-mail to spread themselves.
----------------------------------------------------------------------------------------------------------------------
SELF-ENCRYPTING and POLYMORPHIC Viruses :
Self-encryption and polymorphism are used by virtually all types of viruses to make the virus detection procedure as complicated as possible.
Polymorphic viruses are really hard to detect; they have no signatures, that is, none of their code fragments remain unchanged.
In most cases, two samples of the same polymorphic virus will not have a single match when doing a byte comparison.
This is achieved in two main ways: by encrypting the main body of the virus with a non-constant key and a random set of decryption instructions, or by changing the executable virus code itself.
There exist also other, rather exotic examples of polymorphism, for example the "Bomber" DOS virus is not encrypted,
but the sequence of instructions, passing control to the body of the virus, is completely polymorphic.
Polymorphic viruses exist of all kinds - from boot and file DOS viruses to Windows viruses and even macro viruses.
- http://www.viruslist.com/eng/viruslist.html?id=2
----------------------------------------------------------------------------------------------------------------------------
Tips on Avoiding Computer Worms :
- http://www.f-secure.com/virus-info/tips.shtml
----------------------------------------------------------------------------------------------------------------------------
ONLINE ANTI-VIRUS SCANNERS :
----------------------------------------------------------------------------------------------------------------------------
Several online scanners were tested by AV-Test.org (http://www.av-test.org) for detection of In-the-Wild (ItW) viruses.
Of these, only BitDefender, RAV, Panda, Trend, and McAfee achieved 100% ItW detection.
Command Software, Symantec, Hauri, and MKS_Vir did not.
Each of the following online scanners are considered best-of-breed and can offer important adjunct protection.
1) Trend Housecall - http://housecall.trendmicro.com/
Trend Micro's Housecall scored 100% detection for ItW threats, 100% in detection of viruses contained in embedded OLE objects and password protected DOC and XLS files, 38.46% of compressed files and 75% of archives. Housecall is one of the easiest to use and fastest of the online scanners, and provides virus tracking data as well.
2) RAV AntiVirus Scan Online - http://www.ravantivirus.com/scan/
A clean interface, no required registration, and fast scan speed make RAV AntiVirus Scan Online a top-notch scanner. RAV was also one of the best when it came to detecting AV-Test.org's compressed viruses, achieving 76.92%, second only to McAfee's 85.62%. The combination of solid detection and ease of use places this online scanner at the head of the pack.
3) Panda's ActiveScan - http://www.pandasoftware.es/activescan/
Panda's ActiveScan is fast and easy to use, but it's difficult to find on their site so unless you're accessing it via a bookmark or this review, it may not be the best choice. Unlike first choice Housecall, an email address and geographical location are mandatory.
4) BitDefender Online Virus Scan - http://www.bitdefender.com/scan/licence.php
While BitDefender was able to scan an impressive 100% of password protected DOC and XLS files, their detection rate was only 35.29% when attempting to detect viral embedded objects in non-password protected DOC/XLS files. Though no information is requested, users are required to accept a lengthy licensing agreement.
5) McAfee FreeScan - http://us.mcafee.com/root/mfs/default.asp
McAfee FreeScan achieved 100% during the standard ItW tests, 91.67% archives, 84.62% compressed, 100% on password protected DOC/XLS files, but only 64.71% of embedded OLE objects. McAfee is the only online scanner in the Top Picks to require formal registration prior to use.
--------------------------------------------------------------------------------------------
Anti virus testing:
http://www.virusbtn.com/index.xml
http://antivirus.about.com/cs/softwarerevi...tp/aaonline.htm
http://www.virusbtn.com/vb100/archives/products.xml
http://www.av-test.org/index.php3?lang=en
http://www.virus.gr/english/fullxml/default.asp
=================================================================
Anti-Virus Program reviews:
- http://www.wilders.org/anti_viruses.htm
Nod 32:-
---------
- http://www.nod32.com/
- Trial Download Here
AVG:-
---------
http://www.grisoft.com/us/us_index.php
McAfee:-
----------
http://us.mcafee.com/root/catalog.asp?catid=av
Download Here
Symantec A/V: -
-------------------
http://www.symantec.com/avcenter
NORTON ANTIVIRUS MANUAL UPDATE
From the link below you can update the following programs and more:
NAV 2000 for Win9x/NT/2000
NAV 2001 for Win95b/98/NT/2000/Me
NAV 2002 Professional Edition
NAV 2002 for Win98/Me/NT/2000/XP Home/XP Pro
NAV 2003 Professional Edition
NAV 2003 for Win98/Me/2000/XP Home/XP Pro
Norton SystemWorks (all versions)
Norton Utilities for Windows 95/98 (all versions)
- http://securityresponse.symantec.com/avcen...ges/US-N95.html
Symantec Free Virus Removal Tools :
- http://www.symantec.com/avcenter/tools.list.html
WebAttack Free Anti-Virus tools:
- http://www.webattack.com/freeware/security...ty/fwvirus.html
- http://www.webattack.com/freeware/security...wavspecial.html
Free Avast Anti-Virus:
Avast! 4 Home Edition 4.1.26 :
avast! Home is now free of charge for HOME users for NON-COMMERCIAL use.
It scans for viruses, worms and Trojans. avast! has obtained multiple VB100% awards in Virus Bulletin reviews.
- Download Here
- http://www.avast.com/
- http://www.avast.com/i_idt_1016.html
avast! Virus Cleaner is a free tool that will help you remove selected worm infections from your computer.
- http://www.avast.com/i_idt_171.html
List of known worms:
avast! Virus Cleaner is currently (in version 1.0.142) able to identify and remove the following worm families:
QUOTE
Win32:Badtrans [Wrm]
Win32:Blaster [Wrm] (aka Lovsan), variants A-F
Win32:BugBear [Wrm], including B variant
Win32:Ganda [Wrm]
Win32:Klez [Wrm], all variants (including variants of Win32:Elkern)
Win32:Nimda [Wrm]
Win32:Opas [Wrm] (aka Opasoft, Opaserv)
Win32:Sircam [Wrm]
Win32:Sobig [Wrm], including B, C, D, E and F variants
Win32:Yaha [Wrm] (aka Lentin)
Stinger Virus Cleaner:
- http://vil.nai.com/vil/stinger/
Panda 25 in One Cleaner:
Detects, removes and restores Nimda, the new fast-spreading W32/Goner-A worm, and various other infections.
+ Plus a collection of free virus removal tools:
- http://www.wilders.org/free_tools.htm
In a bid to help administrators preempt a possible wave of new virus outbreaks,
GFI released a freeware version of GFI MailSecurity.
The freeware version scans inbound and outbound email using a single anti-virus engine
and can also check message bodies and subjects for keywords; this feature can be used to detect inappropriate mail.
- http://www.windowsecurity.com/news/GFI_Fre...ilSecurity.html
=============================================================
+ + + Anti-Virus Links + + +
=============================================================
GLADIATOR ANTI-VIRUS:
http://www.gladiator-antivirus.com/
About.Com Anti-Virus Center
- http://antivirus.about.com
AVAR - Association of Anti-Virus Asia Researchers
- http://www.aavar.org
AV-Test: Independent Anti-Virus Software Testing
- http://www.av-test.org
Computer Associates Virus Encyclopedia
- http://www3.ca.com/virus/encyclopedia.asp
E-Mail Security Testing Zone - GFI
- http://www.emailsecuritytest.com
European Center For Computer Anti-Virus Research
- http://www.eicar.org
HowStuffWorks.Com - Computer Viruses
- http://www.howstuffworks.com/virus.htm
ICSA Virus Alerts & Hoaxes
- http://www.trusecure.com/html/tspub/hypeor...rxrbindex.shtml
Symantec AV Center
- http://www.symantec.com/avcenter
Trojan Horse Encyclopedia
- http://www.dark-e.com/archive/trojans
VirusList AV Encyclopedia
- http://www.viruslist.com
Virus Bulletin
- http://www.virusbtn.com
Virus Myths
- http://www.vmyths.com
Yahoo Virus News
- http://dailynews.yahoo.com/full_coverage/t...nternet_viruses
links page:
- http://pcpitstop.ibforums.com/axslinger/pi...tlib/pitlib.htm
A helpful guide to virus removal:
- http://www.windowsreinstall.com/virusremoval/index.htm
============================================================
------------------
-------------------------------
Sorting Viruses for Testing ! :
-------------------------------
------------------
QUOTE
Script-based malware can be divided into BAT (prefix BAT),
HTML/VBS (prefixes HTML and VBS) viruses and mIRC (prefixes mIRC or IRC) worms.
Some anti-virus programs are still unable to find all this kind of malware or parts of it.
VBS and HTML viruses are very similar, because HTML viruses only contain VBS parts.
HTML itself does not contain any harmful commands.
BAT viruses require their own group, because there are no similarities to other kinds of viruses.
Most BAT viruses are very primitive and do not work correctly.
Therefore, the replication of this kind of viruses is not discussed in the following part.
Often, only the first generation of these viruses run, but the second one will fail to replicate.
Therefore, they are mostly intended viruses or can be grouped into groups like Trojan horses,
which is a subset of the “other malware” part.
mIRC worms are a special problem - they cannot be replicated to get new samples,
because a copy of a worm is normally the same file. They can only be observed if they spread.
For this reason, an IRC server has to be set up - there is no other way to test whether they spread or not.
An existing IRC server could be used, but normally all people would be infected
when downloading the script that the worm offers.
Because of this, it is a better way to sort this kind of malware only by the names of anti-virus programs.
But most of them only use a heuristic based upon a small scan string
(see the pre-sorting part of this paper) and often the files are damaged a little bit,
because the ends of the files are missing.
Therefore, it is not an easy task to sort them, but very few programs use a CRC over the
whole script file to identify the worm exactly.
The last virus-related category is Trojan horses, backdoors and other malware that harm
the system intentionally.
It is difficult to group them in categories exactly, so the name “other malware” should be applied.
This includes first generation (germ) files from viruses which do not run as expected,
but can destroy data because the trigger and damage function is still active.
A system crash is usually also a reason to detect the program.
If the germs run and replicate well and the form of the virus is the same
(e.g. the same type of infected files and entry point jumps) they should be copied into the respective collection
like File/DOS to the other files.
Very often germs can be found in a bad collection because the collector does not replicate the files.
They are dangerous, because the typical user will only get such files if he downloads “something”
and it is hard to clean the system if the germ cannot be found and only the infections can be cleaned each time.
Virus droppers should be sorted in the “other malware” category, too.
This includes boot virus droppers that write an image of a boot virus to a floppy or hard disc.
Some programs have a special option to enable the feature to detect Backdoors like BackOrifice or SubSeven.
The reason for this is that some "trojan" backdoors like NetBus Pro are distributed as
commercial / shareware programs and the authors do not like their work to be detected as malicious code.
There are some companies that use such backdoors as a remote access tool and even Microsoft
has a program called SMS that can be used as backdoor.
Last but not least, the false positive collection should be prepared using executable files
and documents from the network server of the magazine or a company, together with files
that can be found on CD, disks etc. Because on some CDs of magazines there are
viruses, the tester should keep in mind to check this and only add really “good” programs.
Joke programs should not be included, but it is an interesting idea to include innocent files
found in virus collections to check if the anti-virus researcher works carefully enough.
Some anti-virus programs have got false positives in graphic files like BMP or GIF, so files
of this type should be in the testing collection, too.
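As an added example (not from this post or the quoted paper), here are the two identification methods the quote contrasts, a short scan string versus a CRC over the whole file, applied to constructed, inert text samples: one variant, a second variant of the same family, and a copy with its end missing. The sample contents, the family name "FamilyX" and the `classify` helper are assumptions made up for the demonstration.

```python
import zlib

# Constructed, inert stand-ins for script samples; they contain no real worm code.
# A "family" shares one short scan string; variants differ elsewhere in the file.
SAMPLE_A = b"; constructed sample, family X, variant A\nSCANSTR-X\nbody-lines-A\n; trailer A\n"
SAMPLE_B = b"; constructed sample, family X, variant B\nSCANSTR-X\nbody-lines-B\n; trailer B\n"
# A damaged copy: the last 12 bytes ("; trailer A\n") are missing, as the
# quoted paper says often happens with collected script samples.
SAMPLE_A_TRUNCATED = SAMPLE_A[:-12]

# Heuristic database: family name -> short scan string (what most scanners use).
SCAN_STRINGS = {"FamilyX": b"SCANSTR-X"}


def crc32(data: bytes) -> int:
    """CRC32 of the whole file, as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


# Exact database: whole-file CRC32 -> precise variant name, built from known-good samples.
CRC_DB = {crc32(SAMPLE_A): "FamilyX.A", crc32(SAMPLE_B): "FamilyX.B"}


def scan_string_match(data: bytes) -> list:
    """Heuristic: every family whose scan string occurs anywhere in the file.
    Tolerates truncation, but cannot tell variant A from variant B."""
    return sorted(name for name, sig in SCAN_STRINGS.items() if sig in data)


def crc_match(data: bytes):
    """Exact: whole-file CRC lookup. Identifies the variant precisely, but
    returns None for anything not byte-identical, including a damaged copy."""
    return CRC_DB.get(crc32(data))


def classify(data: bytes) -> tuple:
    """Sorting logic for a collection: exact name when the CRC is known,
    otherwise a family-level label from the scan string, otherwise unknown.
    The second element says which method produced the label."""
    exact = crc_match(data)
    if exact is not None:
        return exact, "exact"
    families = scan_string_match(data)
    if families:
        return families[0] + ".unknown-variant", "heuristic"
    return None, "unknown"


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B),
                          ("A truncated", SAMPLE_A_TRUNCATED)):
        print(label, "->", classify(sample))
```

Samples that only get a heuristic label are the ones a tester would set aside for manual checking rather than file straight into the collection.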
-------------------------------------------------------------------------------------------------------
Read THIS page on why personal firewalls are absolutely useless if you accidentally or purposely install malicious software (malware):
if you install malware on your system, your system is lost, regardless of what kind of protection software you have installed.
So don't install every untrusted piece of software. Better to be safe than sorry.
If you have important data on your system, don't use that system on the internet, as no malware detection software or personal firewall will ever change that.
There are some technical solutions, ranging from using non-privileged accounts to really secure operating systems (like the military's), but none of those solutions are currently mainstream, and they cost a lot of time and money.
---------------------------------------------------------------------------------------------------------
Various kinds of possible malware exploits:
Hidden manipulation
Parameter tampering
Cookie poisoning
Stealth commanding
Forceful browsing
Backdoors and debug options
Third-party misconfiguration
Cross-site scripting
Buffer overflow
Published vulnerabilities
Read THIS page on what malware is capable of doing to you.
-------------------------------------------------------------------------------------------------------------
List of MALWARE control utilities:
Online Virus Scanners
Sandbox Utilities & Script Defense
Email Protection
Standalone Removal Tools
AV Boot Disks
Other
*** http://www.staff.uiuc.edu/~ehowes/soft3.htm
---------------------------------------------------------------------------------------------------------------
Please also read The Bluetack Guide on Trojan Horses:
http://www.bluetack.co.uk/forums/index.php...hp?showtopic=72
==============================================================
I'll be back.