
Macro Viruses

These viruses infect files created by applications that support macros, such as .doc, .pps, .xls and .mdb files. They automatically infect macro-enabled files, together with any templates and documents contained in the file. They hide in documents shared through e-mail and networks.

Macro viruses include:


Relax
bablas
Melissa.A
097M/Y2K

Memory Resident Viruses


They lodge themselves in the computer's memory. They are activated every time the OS runs and go on to infect other files as they are opened. They hide in RAM.

Memory Resident Viruses Include:


CMJ
meve
randex
mrklunky

Overwrite Viruses
These viruses delete the information in any file they infect, leaving the file partially or completely useless. Once in the computer, they replace all of the file's content, but the file size does not change.

Overwrite Viruses Include:


Trj.Reboot
way
trivial.88.D

Direct Action Viruses


These viruses mainly replicate or take action once they are executed. When a certain condition is met, they act by infecting the files in the directory or folder specified in AUTOEXEC.BAT. They are generally found in the hard disk's root directory, but they keep changing location.

Direct Action Viruses Include:


Vienna virus

Directory Virus
Also known as a cluster virus or file system virus. It infects the computer's directory by changing the path that indicates a file's location. It usually sits in one place on the disk but affects the entire directory.

Directory Viruses Include:


dir-2 virus

Web Scripting Virus


Most web pages include some complex code in order to create interactive and interesting content. Such code is often exploited to cause undesirable actions. These viruses mostly originate from infected web pages or browsers.

Web Scripting Viruses Include:


JS.Fortnight, a virus that spreads via malicious e-mails.

Multipartite Virus
These viruses spread in many different ways. Their actions vary depending on the OS installed and the presence of certain files. They tend to hide in the computer's memory but do not infect the hard disk.

Multipartite Viruses Include:


flip
invader
tequila

FAT Viruses
These viruses attack the file allocation table (FAT), the part of the disk used to store information about available space, the location of files, unusable space and so on.

FAT Viruses Include:


the link virus

Companion Viruses
These viruses infect files much like the direct action and resident types. Once inside the computer, they accompany other existing files.

Companion Viruses Include:


Asimov.1539
stator
terrax.1069
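
The mechanism behind "accompanying" a file is spelled out in the Acme entry of the comparison table further down: the companion drops a hidden .COM file next to a legitimate .EXE, and because COMMAND.COM resolves a bare program name in the order .COM, .EXE, .BAT, the companion runs instead of the program. The checker below is an added example, not code from the original page: it walks a directory tree, groups files by base name, reports any name that exists with more than one DOS executable extension, and flags the file that wins the search order when it is hidden or far smaller than the program it shadows. The sample tree, its file names and sizes, and the one-tenth size threshold are constructed for the demonstration.

```python
import os
import stat
import tempfile
from collections import defaultdict

# Order in which COMMAND.COM resolves a bare program name. A companion file
# with an earlier extension than the real program is the one that gets run.
SEARCH_ORDER = [".com", ".exe", ".bat"]


def is_hidden(path):
    """Hidden attribute of a file; st_file_attributes only exists on Windows,
    so this is always False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))


def suspicion_reasons(entries):
    """Heuristics applied to the file that wins the search order (entries[0]):
    hidden, or far smaller than the program it shadows, is the shape a
    companion virus leaves behind. A legitimate .COM launcher shipped next to
    its .EXE trips the size rule, so a hit is a lead, not a verdict."""
    first, rest = entries[0], entries[1:]
    largest_shadowed = max(e["size"] for e in rest)
    reasons = []
    if first["hidden"]:
        reasons.append("shadowing file is hidden")
    if first["size"] * 10 < largest_shadowed:
        reasons.append("shadowing file is under a tenth of the size of the program it shadows")
    return reasons


def find_collisions(root):
    """Walk root and return one finding per directory and base name that has
    more than one file among the DOS executable extensions. The files in each
    finding are listed in the order the command interpreter would try them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        groups = defaultdict(list)
        for name in files:
            base, ext = os.path.splitext(name)
            if ext.lower() in SEARCH_ORDER:
                groups[base.lower()].append(name)
        for base, names in sorted(groups.items()):
            if len(names) < 2:
                continue
            names.sort(key=lambda n: SEARCH_ORDER.index(os.path.splitext(n)[1].lower()))
            entries = []
            for name in names:
                full = os.path.join(dirpath, name)
                entries.append({"name": name, "size": os.path.getsize(full),
                                "hidden": is_hidden(full)})
            findings.append({"dir": dirpath, "base": base, "files": entries,
                             "reasons": suspicion_reasons(entries)})
    return findings


def build_demo_tree():
    """Constructed sample tree: a 40 KiB PROG.EXE with a 1 KiB PROG.COM beside
    it (the companion shape) and an unrelated TOOL.EXE. File contents are
    filler bytes, not programs. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="companion-demo-")
    for name, size in (("PROG.EXE", 40 * 1024), ("PROG.COM", 1024), ("TOOL.EXE", 2048)):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"X" * size)
    return root


if __name__ == "__main__":
    for finding in find_collisions(build_demo_tree()):
        print(finding["dir"], finding["base"],
              [e["name"] for e in finding["files"]], finding["reasons"])
```

Run it as a script to print the findings for the constructed tree, or point find_collisions() at a real directory. The hidden-attribute test only has effect on Windows, where the DOS hidden flag still exists; on other platforms the size heuristic alone does the work.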

Polymorphic Virus
They encode or encrypt themselves differently every time they infect a computer, using different encryption keys and algorithms. This makes it difficult for antivirus software to locate them using signature or string searches, since each encrypted copy looks very different.

Polymorphic Viruses Include:


Marburg
tuareg
Satan bug
elkern

Worm
This program is very similar to a virus and has the ability to self-replicate, with negative effects on your computer.

Worm Viruses Include:


lovgate.F
sobig.D
trile.C
PSWBugbear.B
Mapson

Trojans
Trojans can covertly capture users' important login details online. E-banking, for example, is very common among users, so your login details are vulnerable to capture whenever your PC runs without strong antivirus software installed.

Email Virus
This is a virus spread via an email. Such a virus will hide in an email and when the
recipient opens the mail.

Browser Hijacker
This virus can spread in many different ways, including a voluntary download. It infects certain browser functions, especially by automatically redirecting the user to certain sites. A good example is given below.

Browser Hijackers Include:


the cool web search

Boot Infectors
They include both boot sector and master boot record types. The viral code may sit in a separate location, but either way they infect the hard disk or the floppy.

Boot Infectors Include:


the Brain virus, the very first "wild" virus to be created.

From what we have seen, the many types of computer viruses and their effects are very harmful and can completely damage your system. Always make sure your system is up to date. Also install antivirus software. The antivirus program protects your computer and the personal information in it.
Resident viruses: These are permanent viruses dwelling in RAM. In this case, they are in a position to overcome, as well as interrupt, all operations that the system executes. Their effects include corrupting programs and files that are closed, opened, renamed or copied.

Overwrite viruses: These viruses delete information that is in the infected files. In this case, the
infected files would be rendered totally or partially useless. Unfortunately, you would only clean
the infected file by deleting it completely, therefore losing original content.

Direct action viruses: This virus replicates itself, then acts when executed. Subject to particular conditions being met, the virus infects files located in folders or the computer directory, and also in the directories listed in the AUTOEXEC.BAT PATH. In most cases it is located in the hard drive's root directory and takes particular action when the computer boots.

File infectors: This virus infects executable files or programs. On running the programs, the
virus would be activated, then be able to carry out its damaging effects. Most of the existing
viruses are in this category.

Boot viruses: This virus infects the boot sector of hard disks or floppy drives. This can make the computer unable to boot. These viruses can, however, be avoided by ensuring that floppy disks and the hard drive are well protected. Never start the computer using an unknown disk drive or floppy disk.

Directory viruses: This virus alters the paths indicating a file's location. In this case, when the infected program is executed, you will be running it unknowingly, since the virus has moved the original program and file to another location. This makes it impossible to locate the moved files.

Macro virus: This virus affects files created using particular programs or applications that contain macros. Macros are mini-programs that automate some operations so that they are performed as a single action, saving the user the trouble of executing them one by one.
Comparison of viruses and related programs

Virus | Alias(es) | Types | Isolation date | Isolation / origin | Author | Notes
----- | --------- | ----- | -------------- | ------------------ | ------ | -----
1260 | V2Px | DOS, polymorphic | 1998 | | | First virus to use polymorphic encryption.
4K | 4096 | DOS | 1990-01 | | | The first virus to use stealth.
5lo | | DOS | 1992-10 | | | Infects .EXE files only.
A and A | A_and_A | DOS, Windows 95, 98 | 1993 | | |
Abraxas | Abraxas5 | DOS, Windows 95, 98 | 1993-04 | Europe | ARCV group | Infects COM file. Disk directory listing will be set to the system date and time when infection occurred.
Acid | Acid.670, Acid.670a, Avatar.Acid.670, Keeper.Acid.670 | DOS, Windows 95, 98 | 1992 | | Corp-$MZU | Infects COM file. Disk directory listing will not be altered.
Acme | | DOS, Windows 95 | | | | Upon executing infected EXE, this infects another EXE in current DOS directory by making a hidden COM file with same base name.
ABC | ABC-2378, ABC.2378, ABC.2905 | DOS | 1992-10 | | | ABC causes keystrokes on the compromised machine to be repeated.
Actifed | | DOS | | | |
Ada | | DOS | 1991-10 | Argentina | | The Ada virus mainly targets .COM files, specifically COMMAND.COM.
Agena | Agena.723 | DOS | 1992-09 | Spain | | Infected programs will have a file length increase of 723 to 738 bytes.
AGI-Plan | Month 4-6 | DOS | | Mülheim an der Ruhr, Germany | | AGI-Plan is notable for reappearing in South Africa in what appeared to be an intentional re-release.
Ah | | | 1991-05 | Italy | | Systems infected with Ah will experience frequent system hangs.
AI | | DOS | | | |
AIDS | AIDSB, pcperformer | DOS | 1990 | | Dr. Joseph Popp | AIDS is the first virus known to exploit the DOS "corresponding file" vulnerability.
AIDS II | | | | | |
AirCop | Air cop-B, Red State | DOS | 1990-01 | | | Infects the boot sector of floppy disks.
Alabama | Alabama.B | DOS | 1989-10 | Hebrew University, Jerusalem | | Files infected by Alabama increase in size by 1,560 bytes.
Alcon | RSY, Kendesm, Ken&Desmond, Either | DOS | 1997-12 | | | Overwrites random information on disk causing damage over time.
Ambulance | | | | | |
Anna Kournikova | | Email VBScript | 2001-02-11 | Sneek, Netherlands | Jan de Wit | A Dutch court stated that US$166,000 in damages was caused by the worm.
AntiCMOS | | | | | | Due to a bug in the virus code, the virus fails to erase CMOS information as intended.
ARCV-n | | DOS | 1992-10/1992-11 | England, United Kingdom | ARCV Group | ARCV-n is a term for a large family of viruses written by the ARCV group.
Bomber | CommanderBomber | DOS | | Bulgaria | | Polymorphic virus which infects systems by inserting fragments of its code randomly into executable files.
Brain | Pakistani flu | | 1986-01 | Lahore, Pakistan | Basit and Amjad Farooq Alvi | Considered to be the first computer virus for the PC.
Byte Bandit | | Amiga, bootsector virus | 1988-01 | | Swiss Cracking Association | It was one of the most feared Amiga viruses until the infamous Lamer Exterminator.
Christmas Tree | | | | | |
CIH | Chernobyl, Spacefiller | Windows 95, 98, Me | 1998-06 | Taiwan | Chen Ing-Hau | Activates on April 26, in which it destroys partition tables, and tries to overwrite the BIOS.
Commwarrior | | Symbian Bluetooth worm | | | | Famous for being the first worm to spread via MMS and Bluetooth.
Creeper | | TENEX operating system | 1971 | | Bob Thomas | An experimental self-replicating program which gained access via the ARPANET and copied itself to the remote system.
Eliza | | DOS | 1991-12 | | |
Elk Cloner | | Apple II | 1982 | Mt. Lebanon, Pennsylvania, United States | Rich Skrenta | The first virus observed "in the wild".
Form | | DOS | 1990 | Switzerland | | A very common boot virus, triggers on the 18th of any month.
Graybird | Graybird P | | | | |
Hare | | DOS, Windows 95, Windows 98 | 1996-08 | | | Famous for press coverage which blew its destructiveness out of proportion.
ILOVEYOU | | | 2000-05-05 | Manila, Philippines | Michael Buen, Onel de Guzman | Computer worm that attacked tens of millions of Windows personal computers.
INIT 1984 | | Mac OS | 1992-03-13 | | | Malicious, triggered on Friday the 13th.
Jerusalem | | DOS | 1987-10 | | | Jerusalem was initially very common and spawned a large number of variants.
Kama Sutra | Blackworm, Nyxem, and Blackmal | | 2006-01-16 | | | Designed to destroy common files such as Microsoft Word, Excel, and PowerPoint documents.
Koko | | DOS | 1991-03 | | | The payload of this virus activates on July 29 and February 15 and may erase data on the user's hard drive.
Lamer Exterminator | | Amiga, boot sector virus | 1989-10 | Germany | | Random encryption, fills random sector with "LAMER".
MacMag | Drew, Bradow, Aldus, Peace | | 1987-12 | | |
MDEF | Garfield, Top Cat | | 1990-05 | | |
Melissa | Mailissa, Simpsons, Kwyjibo, Kwejeebo | Microsoft Word macro virus | 1999-03-26 | New Jersey, United States | David L. Smith | Part macro virus and part worm. Melissa, a MS Word-based macro that replicates itself through e-mail.
Michelangelo | | DOS | 1991-02-04 | Australia | | Ran March 6 (Michelangelo's birthday).
Navidad | | | 2000-12 | | |
Natas | | Multipartite, stealth, polymorphic | 1994 | | "Priest" |
nVIR | MODM, nCAM, nFLU, kOOL, Hpat, Jude | Mac OS | 1987 | | | nVIR has been known to 'hybridize' with different variants of nVIR on the same machine.
OneHalf | Slovak Bomber, Freelove or Explosion-II | DOS | 1994 | Slovakia | Vyvojar | It is also known as one of the first viruses to implement a technique of "patchy infection".
Ontario.1024 | | | | | |
Ontario.2048 | | | | | |
Ontario | SBC | DOS | 1990-07 | Ontario, Canada | Death Angel |
Pikachu virus | | | 2000-06-28 | Asia | | The Pikachu virus is believed to be the first computer virus made for children.
Ping-pong | Boot, Bouncing Ball, Bouncing Dot, Italian, Italian-A, VeraCruz | Boot sector virus | | | | Harmless to most computers.
RavMonE.exe | RJump.A, Rajump, Jisx | Worm | 2006-06-20 | | | Once distributed in Apple iPods, but a Windows-only virus.
SCA | | Amiga, boot sector virus | 1987-11 | Switzerland | Swiss Cracking Association | Puts a message on screen. Harmless except it might destroy a legitimate non-standard boot block.
Scores | Eric, Vult, NASA, San Jose Flu | Mac OS | 1988 Spring | | | Designed to attack two specific applications which were never released.
Scott's Valley | | DOS | 1990-09 | Scotts Valley, California, United States | | Infected files will contain the seemingly meaningless hex string 5E8BDE909081C63200B912082E.
SevenDust | 666, MDEF, 9806, Graphics Accelerator, SevenD | Mac OS | 1998 | | |
Shankar's Virus | W97M.Marker.o | Polymorphic | 1999-06-03 | | Sam Rogers | Infects Word Documents.
Simile | Etap, MetaPHOR | Windows, polymorphic | | | The Mental Driller | The metamorphic code accounts for around 90% of the virus' code.
SMEG engine | | DOS, polymorphic | 1994 | United Kingdom | The Black Baron | Two viruses were created using the engine: Pathogen and Queeg.
Stoned | | | 1987 | Wellington, New Zealand | | One of the earliest and most prevalent boot sector viruses.
Sunday | Jerusalem.Sunday | DOS | 1989-11 | Seattle, Washington, United States | | Because of an error in coding, the virus fails to execute its payload.
TDL-4 | | Botnet | | | JD virus |
Techno | | DOS | | | | The virus plays a tune that was created by the author of the virus.
Whale | | DOS, polymorphic | 1990-07-01 | Hamburg, Germany | R Homer | At 9216 bytes, was for its time the largest virus ever discovered.
ZMist | ZMistfall, Zombie.Mistfall | | | | Z0mbie | It was the first virus to use a technique known as "code integration".

1. ILOVEYOU
The ILOVEYOU virus is considered one of the most virulent computer viruses ever created, and it's not hard to see why. The virus managed to wreak havoc on computer systems all over the world, causing damages totalling an estimated $10 billion. 10% of the world's Internet-connected computers were believed to have been infected. It was so bad that governments and large corporations took their mail systems offline to prevent infection.



The virus was created by two Filipino programmers, Reonel Ramones and Onel de Guzman. It used social engineering to get people to click on the attachment; in this case, a love confession. The attachment was actually a script posing as a TXT file, because Windows at the time hid the file's actual extension. Once clicked, it would send itself to everyone in the user's mailing list and proceed to overwrite files with itself, making the computer unbootable. The two were never charged, as there were no laws about malware. This led to the enactment of the E-Commerce Law to address the problem.

2. Code Red
Code Red first surfaced in 2001 and was discovered by two eEye Digital Security employees. It was named Code Red because the pair were drinking Code Red Mountain Dew at the time of discovery. The worm targeted computers with the Microsoft IIS web server installed, exploiting a buffer overflow in the software. It leaves very little trace on the hard disk, as it is able to run entirely in memory, with a size of 3,569 bytes. Once a machine is infected, the worm proceeds to make a hundred copies of itself, but due to a bug in the programming it duplicates even more and ends up eating a lot of the system's resources.


It will then launch a denial of service attack on several IP addresses, famous among them the website of the White House. It also allows backdoor access to the server, allowing for remote access to the machine. The most memorable symptom is the message it leaves behind on affected web pages, "Hacked By Chinese!", which has become a meme itself. A patch was later released, and it was estimated that the worm caused $2 billion in lost productivity. A total of 1-2 million servers were affected, which is remarkable when you consider there were 6 million IIS servers at the time.

3. Melissa
Named after an exotic dancer from Florida, it was created by David L. Smith in 1999. It started as an infected Word document posted to the alt.sex Usenet group, claiming to be a list of passwords for pornographic sites. This got people curious, and when the document was downloaded and opened it would trigger the macro inside and unleash its payload. The virus mails itself to the top 50 people in the user's e-mail address book, and the resulting increase in e-mail traffic disrupted the e-mail services of governments and corporations. It also sometimes corrupted documents by inserting a Simpsons reference into them.


Smith was eventually caught when investigators traced the Word document to him. The file had been uploaded using a stolen AOL account, and with AOL's help law enforcement was able to arrest him less than a week after the outbreak began. He cooperated with the FBI in capturing other virus creators, famous among them the creator of the Anna Kournikova virus. For his cooperation, he served only 20 months of his 10 year sentence and paid a fine of $5000. The virus reportedly caused $80 million in damages.

4. Sasser
A Windows worm first discovered in 2004, it was created by computer science student Sven Jaschan, who also created the Netsky worm. While the payload itself may be seen as merely annoying (it slows down and crashes the computer, while making it hard to reset without cutting the power), the effects were incredibly disruptive, with millions of computers infected and important, critical infrastructure affected. The worm took advantage of a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS), which controls the security policy of local accounts, causing the computer to crash. It also uses the system's resources to propagate itself to other machines through the Internet and infect them automatically.



The effects of the virus were widespread because, although the vulnerability had already been patched, many computers had not been updated. This led to more than a million infections, taking out critical infrastructure such as airlines, news agencies, public transportation, hospitals, etc. Overall, the damage was estimated to have cost $18 billion. Jaschan was tried as a minor and received a 21 month suspended sentence.

5. Zeus
Zeus is a Trojan horse made to infect Windows computers so that it will perform various
criminal tasks. The most common of these tasks are usually man-in-the-browser
keylogging and form grabbing. The majority of computers were infected either through
drive-by downloads or phishing scams. First identified in 2009, it managed
to compromise thousands of FTP accounts and computers from large multinational
corporations and banks such as Amazon, Oracle, Bank of America, Cisco, etc.
Controllers of the Zeus botnet used it to steal the login credentials of social network,
email and banking accounts.


It was estimated that more than 1 million computers were infected, with 25% of them in the US. The entire operation was sophisticated, involving people from around the world acting as money mules to smuggle and transfer cash to the ringleaders in Eastern Europe. About $70 million was stolen and in the possession of the ring. 100 people were arrested in connection with the operation. In late 2010, the creator of Zeus announced his retirement, but many experts believe this to be false.

6. Conficker
Also known as Downup or Downadup, Conficker is a worm of unknown authorship for Windows that made its first appearance in 2008. The name comes from the English word "configure" and a German pejorative. It infects computers using flaws in the OS to create a botnet. The malware was able to infect more than 9 million computers all around the world, affecting governments, businesses and individuals. It was one of the largest known worm infections ever to surface, causing an estimated $9 billion in damage.


The worm works by exploiting a network service vulnerability that was present and unpatched in Windows. Once a machine is infected, the worm resets account lockout policies, blocks access to Windows Update and antivirus sites, turns off certain services and locks out user accounts, among other things. It then proceeds to install software that turns the computer into a botnet slave, and scareware to scam money off the user. Microsoft later provided a fix and patch, with many antivirus vendors providing updates to their definitions.

7. Stuxnet
Believed to have been created by the Israeli Defence Force together with the American government, Stuxnet is an example of a virus created for the purpose of cyberwarfare, as it was intended to disrupt the nuclear efforts of the Iranians. It was estimated that Stuxnet managed to ruin one fifth of Iran's nuclear centrifuges and that nearly 60% of infections were concentrated in Iran.


The computer worm was designed to attack industrial Programmable Logic Controllers (PLCs), which allow for the automation of processes in machinery. It specifically aimed at those made by Siemens and was spread through infected USB drives. If the infected computer did not contain Siemens software, it would lie dormant and infect others in a limited fashion so as not to give itself away. If the software was there, it would proceed to alter the speed of the machinery, causing it to tear itself apart. Siemens eventually found a way to remove the malware from their software.

8. Mydoom
Surfacing in 2004, Mydoom was a worm for Windows that became one of the fastest-spreading e-mail worms since ILOVEYOU. The author is unknown, and it is believed that the creator was paid to create it, since it contains the text message "andy; I'm just doing my job, nothing personal, sorry". It was named by McAfee employee Craig Schmugar, one of the people who originally discovered it: "mydom" was a line of text in the program's code (for "my domain") and, sensing this was going to be big, he added "doom" to it.

The worm spreads itself by appearing as an e-mail transmission error and carrying an attachment of itself. Once executed, it sends itself to the e-mail addresses in the user's address book and copies itself to any P2P program's folder to propagate through that network. The payload itself is twofold: first it opens a backdoor to allow remote access, and second it launches a denial of service attack on the controversial SCO Group. It was believed that the worm was created to disrupt SCO due to a conflict over ownership of some Linux code. It caused an estimated $38.5 billion in damages, and the worm is still active in some form today.
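
Both ILOVEYOU (a script posing as a TXT file because Windows hid the real extension) and Mydoom (an attachment carried by a fake transmission-error message) depend on the recipient opening an attachment whose displayed name misrepresents what it is. The filter below is an added example, not code from the original article or from any product it names: it parses a MIME message with Python's standard email package, reconstructs the name Windows shows when known extensions are hidden, and flags attachments whose real extension is executable, with a stricter verdict when a decoy document extension precedes it. The sample messages, addresses, attachment names and the two extension sets are constructed for the demonstration.

```python
import email
import email.policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click. A constructed subset for
# the demonstration, not an exhaustive list.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta"}
# Harmless-looking extensions used as the decoy in names like "letter.txt.vbs".
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "png", "htm", "html", "zip"}


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'love-letter.txt.vbs' reads as
    'love-letter.txt'."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def classify_filename(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "ok"
    if parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw):
    """Parse a raw RFC 822 message and return (filename, displayed name,
    verdict) for every attachment whose verdict is not 'ok'."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_filename(name)
        if verdict != "ok":
            findings.append((name, displayed_name(name), verdict))
    return findings


def build_sample(subject, body, attachment_name):
    """Constructed test message: a short text body and one attachment whose
    content is a placeholder byte string, not a script of any kind."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder attachment body",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("ILOVEYOU", "kindly check the attached love letter.",
                     "love-letter.txt.vbs"),
        build_sample("Delivery failure notice",
                     "Your message could not be delivered; the original is attached.",
                     "original-message.scr"),
        build_sample("Q3 report", "Report attached.", "q3-report.pdf"),
    ]
    for raw in samples:
        print(scan_message(raw))
```

The displayed-name column is what makes the finding actionable for a help desk: "love-letter.txt" is what the recipient believed they were opening, and the real name beside it explains why the mail was held.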

9. CryptoLocker
CryptoLocker is a form of Trojan horse ransomware targeted at computers running Windows. It uses several methods to spread itself, such as e-mail, and once a computer is infected it proceeds to encrypt certain files on the hard drive and on any mounted storage connected to it with RSA public key cryptography. While it is easy enough to remove the malware from the computer, the files remain encrypted. The only way to unlock the files is to pay a ransom by a deadline. If the deadline is not met, the ransom increases significantly or the decryption keys are deleted. The ransom usually amounts to $400 in prepaid cash or bitcoin.
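
Two of the infections described on this page change a file's contents without anything the user would notice: an overwriting virus (see the overwrite virus entries above) replaces the content while the size stays the same, and CryptoLocker replaces readable data with ciphertext. Size and timestamp checks miss the first and say nothing about the second, so the monitor below is an added example, not code from the original page or from any product it names: it fingerprints every file under a directory with its size, SHA-256 hash and Shannon entropy, then compares two snapshots, tagging same-size content changes as an overwrite pattern and jumps to near 8 bits per byte as an encryption pattern. The sample files, the simulated changes and the 7.0 bits-per-byte threshold are constructed for the demonstration; the simulated ciphertext is a hash chain standing in for encrypted output, and no encryption is performed.

```python
import hashlib
import math
import os
import tempfile

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits above this


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(path):
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": shannon_entropy(data)}


def snapshot(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap


def compare(before, after):
    """Return {relpath: [tags]} for every file whose state changed."""
    report = {}
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            report[path] = ["missing"]
            continue
        if new["sha256"] == old["sha256"]:
            continue
        tags = ["modified"]
        if new["entropy"] >= HIGH_ENTROPY and old["entropy"] < HIGH_ENTROPY:
            tags.append("encryption-pattern")   # readable data became noise-like
        elif new["size"] == old["size"]:
            tags.append("overwrite-pattern")    # content swapped, length kept
        report[path] = tags
    for path in after:
        if path not in before:
            report[path] = ["new"]
    return report


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def build_demo_tree():
    """Constructed sample: three small text files. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    _write(root, "notes.txt", b"quarterly numbers look fine\n" * 64)
    _write(root, "ledger.csv", b"2014-01-01,deposit,100.00\n" * 64)
    _write(root, "readme.txt", b"keep this file\n" * 16)
    return root


def pseudo_random_bytes(n, seed=b"demo"):
    """SHA-256 hash chain: uniform-looking bytes standing in for ciphertext."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


def simulate_overwrite(root):
    """Overwrite-virus shape: same length, different bytes."""
    size = os.path.getsize(os.path.join(root, "notes.txt"))
    _write(root, "notes.txt", (b"filler text replaces the original " * 64)[:size])


def simulate_encryption(root):
    """Ransomware shape: plaintext replaced by high-entropy bytes plus a header."""
    size = os.path.getsize(os.path.join(root, "ledger.csv"))
    _write(root, "ledger.csv", b"DEMO-HDR" + pseudo_random_bytes(size))


if __name__ == "__main__":
    root = build_demo_tree()
    before = snapshot(root)
    simulate_overwrite(root)
    simulate_encryption(root)
    for path, tags in sorted(compare(before, snapshot(root)).items()):
        print(path, tags)
```

In practice the baseline snapshot is taken when the files are known good and stored off the monitored host, since an infection that can rewrite the files can rewrite a local baseline too.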


The ransom operation was eventually stopped when law enforcement agencies and security companies managed to take control of part of the botnet operating CryptoLocker and Zeus. Evgeniy Bogachev, the ringleader, was charged and the encryption keys were released to the affected computers. From data collected in the raid, the number of infections is estimated at 500,000, with the share of victims who paid the ransom estimated at 1.3%, amounting to $3 million.

10. Flashback
Though not as damaging as the rest of the malware on this list, this is one of the few pieces of Mac malware to have gained notoriety, as it showed that Macs are not immune. The Trojan was first discovered in 2011 by antivirus company Intego as a fake Flash installer. In its newer incarnation, a user simply needs to have Java enabled (which is likely the majority of us). It propagates by using compromised websites containing JavaScript code that downloads the payload. Once installed, the Mac becomes part of a botnet of other infected Macs.


The good news is that an infection is localized to that specific user's account. The bad news is that more than 600,000 Macs were infected, including 274 Macs in the Cupertino area, the home of Apple's headquarters. Oracle published a fix for the exploit, with Apple releasing an update to remove Flashback from people's Macs. It is still out in the wild, with an estimated 22,000 Macs still infected as of 2014.