Cogen Antivirus

Saturday, May 23, 2009

What is a computer virus?

Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation.

A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk.

Viruses are most easily spread by attachments to e-mail or instant messages. That is why it is essential that you never open an e-mail attachment unless you know whom it is from and you are expecting it.

Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.

Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download.

To help avoid viruses, it's essential that you keep your computer current with the latest updates and antivirus tools, stay informed about recent threats, and that you follow a few basic rules when you surf the Internet, download files, and open attachments.

Once a virus is on your computer, its type or the method it used to get there is not as important as removing it and preventing further infection.

Virus, Malware, adware, & Spyware:

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to a computer system's hosted data, functional performance, or networking throughput when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious.

Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging, and file sharing systems to spread.

Some Things Viruses Don't Do

Computer viruses cannot infect write-protected disks or infect written documents. Viruses do not infect compressed files, unless the file was infected prior to the compression.

Viruses do not infect computer hardware, such as monitors or computer chips; they only infect software.

In addition, Macintosh viruses do not infect DOS/Windows computer software and vice versa. For example, the Melissa virus incident of late 1998 and the ILOVEYOU virus of 2000 worked only on Windows-based machines and could not operate on Macintosh computers.

One further note: viruses do not necessarily let you know they are present on your machine, even after being destructive. If your computer is not operating properly, it is good practice to check for viruses with a current "virus checking" program.

How do Viruses Spread?


Viruses begin to work and spread when you start up the program or application in which the virus is present.

For example, a word processing program that contains a virus will place the virus in memory every time the word processing program is run.

Once in memory, one of a number of things can happen. The virus may be programmed to attach to other applications, disks or folders. It may infect a network if given the opportunity.

Viruses behave in different ways. Some viruses stay active only while the application they are part of is running.

Turn the computer off and the virus is inactive. Other viruses will operate every time you turn on your computer, once they have infected a system file or network.

How to Prevent a Virus Invasion!


1. Load only software from original disks or CDs. Pirated or copied software is always a risk for a virus.
2. Execute only programs whose origin you know. Programs sent by e-mail should always be treated as suspicious.
3. Computer uploads and "system configuration" changes should always be performed by the person who is responsible for the computer. Password protection should be employed.
4. Check all shareware and free programs downloaded from on-line services with a virus-checking program.
5. Purchase a virus program that runs as you boot or work on your computer. Update it frequently.

Trojan Horses:

A Trojan horse is not a virus. It is a program that you run because you think it will serve a useful purpose, such as a game or other entertainment. Like the "Trojan horse" of legend, it does not serve as it claims, but instead damages files or perhaps plants a virus on your computer.

A Trojan horse does not replicate or spread like a virus. Most virus-checking programs detect Trojan horses.

Wednesday, May 20, 2009

Trojan.Packed.Win32.Black.a

Brief Description: The Packed.Win32.Black.a detection identifies files that are packed with a stolen version of the Themida software protection program.

Stolen versions of this program (which are usable with leaked licenses) can be used to hide malware. Identifying a file that has been packed by a stolen version is therefore a precautionary measure against potentially malicious files.

Visible Symptoms: N/A

Technical description: Some antiviruses detect files packed by a stolen version of the Themida software protection program as Trojan.Packed.Win32.Black.a. Please note that clean files which have been packed using a stolen version may also be detected.

Propagation: N/A

Removal instruction: Try to test suspicious files with different antiviruses.

Trojan-Downloader.WMA.GetCodec.d

Brief Description: Trojan-Downloader.WMA.GetCodec compromises the system by connecting to the Internet to download fake video codecs via Windows Media Player and enticing the user to install them on the system.

Visible Symptoms:
  • Unusual running processes/files in the Task Manager
  • Slow Internet connection speed, reduced bandwidth
  • Missing and phony system tray icons and shortcuts
  • Trojan-Downloader.WMA.GetCodec.d reinstalls after removal and is difficult to remove
  • Unknown applications cause general Windows instability
  • Can alter the desktop background wallpaper
  • Creates pop-ups even with a pop-up blocker; can flood the computer with porn pop-ups
  • WMA.GetCodec.d can modify browser settings to point to www.flashcodec.com
  • Missing registry keys, DLLs and system files, resulting in a "Blue Screen"

Technical description: Trojan-Downloader.WMA.GetCodec.d is a dangerous media codec downloader Trojan that infects mp3 and wma files via security loopholes. The infected files will show the following notification: "Windows Media Player - The file you are attempting to play has an extension that does not match the file format. Playing the file may result in unexpected behavior."

Propagation: Trojan-Downloader.WMA.GetCodec.d is generally installed on the system by clicking on fake media player codec update pop-ups or by downloading the infected windows_meda_player_flash_codec_plugin.exe file from the www.flashcodec.com hijacker website.

How does anti-virus software work?


An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware).

Anti-virus software typically uses two different techniques to accomplish this:

  • Examining files to look for known viruses by means of a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Virus dictionary approach:


In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.

To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis.

Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.

Suspicious behavior approach:


The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it also raises a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has especially been made worse over the past 7 years, since many more non-malicious program designs chose to modify other .exes without regard to this false-positive issue. Thus, most modern anti-virus software uses this technique less and less.

Other ways to detect viruses:


Some antivirus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears to behave like a virus (for instance, it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives.

Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues, this type of detection is normally only performed during on-demand scans.

Issues of concern:

Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need of all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc.

User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need of anti-virus software.

Computer users should not always run with administrator access to their own machine. If they would simply run in user mode then some types of viruses would not be able to spread.

The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the suspicious behavior approach is ineffective due to the false positive problem; hence, the current understanding of anti-virus software will never conquer computer viruses.

There are various methods of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses.
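The dictionary approach described under "Virus dictionary approach" and the packing problem in the paragraph above, shown together as an added example that is not part of the original post. The signatures, the sample files and the single-byte XOR "packer" are all constructed for illustration; they are not real antivirus signatures or real malware, and `scan_with_unpacking` is a toy stand-in for the unpacking engine the text says real products need.

```python
import re

# Constructed signature dictionary for illustration only; these are not real
# antivirus signatures. "??" is a wildcard byte, as real signature formats allow.
SIGNATURES = {
    "Demo.Sig.A": "4d 5a ?? ?? 42 41 44",   # "MZ", two wildcard bytes, "BAD"
    "Demo.Sig.B": "53 50 52 45 41 44",      # "SPREAD"
}

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'de ad ?? ef' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan(data: bytes) -> list:
    """Dictionary approach: report every signature whose pattern occurs in the file bytes."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def xor_unpack(data: bytes, key: int) -> bytes:
    """Toy 'unpacking engine' for a single-byte XOR layer (a stand-in for a real packer)."""
    return bytes(b ^ key for b in data)

def scan_with_unpacking(data: bytes) -> list:
    """Scan as-is first; if nothing matches, strip every possible XOR layer and rescan."""
    hits = scan(data)
    if hits:
        return hits
    for key in range(1, 256):
        hits = scan(xor_unpack(data, key))
        if hits:
            return hits
    return []

# Constructed samples: a benign file, a file carrying Demo.Sig.A, and the same
# file hidden under a single-byte XOR "packer" with key 0x5A.
CLEAN = b"hello world, nothing to see here"
INFECTED = b"MZ\x90\x00BAD program body..."
PACKED = xor_unpack(INFECTED, 0x5A)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED), ("packed", PACKED)):
        print(f"{label:9} plain scan: {scan(sample)}  with unpacking: {scan_with_unpacking(sample)}")
```

The plain scan finds the infected file but misses the packed copy of the very same bytes; only the scanner that strips the packing layer first catches both, which is the point the paragraph makes about "camouflaged" viruses.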

Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.