What is Malware



What is Malware?

Malware, short for malicious software, refers to any malicious or unexpected program or code, such as viruses, Trojans, and droppers. Not all malicious programs or code are viruses. Viruses, however, including worms, make up the majority of all known malware to date. The other major types of malware are Trojans, droppers, and kits.

Due to the many facets of malicious code or a malicious program, referring to it as malware helps to avoid confusion. For example, a virus that also has Trojan-like capabilities can be called malware.

What is a Trojan?

A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is the inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If it replicates, then it should be classified as a virus.

A Trojan, coined from Greek mythology's Trojan horse, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed users will likely experience unwanted system problems in operation, and sometimes loss of valuable data.

What is a Virus?

A computer virus is a program, a piece of executable code, that has the unique ability to replicate. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to just about any type of file and spread as those files are copied and sent from individual to individual.

In addition to replication, some computer viruses share another commonality: a damage routine that delivers the virus payload. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other damage. If the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading the overall performance of your computer.

Several years ago most viruses spread primarily via floppy disk, but the Internet has introduced new virus distribution mechanisms. With email now used as an essential business communication tool, viruses are spreading faster than ever. Viruses attached to email messages can infect an entire enterprise in a matter of minutes, costing companies millions of dollars annually in lost productivity and clean-up expenses.

Viruses won't go away anytime soon: More than 60,000 have been identified, and 400 new ones are created every month, according to the International Computer Security Association (ICSA). With numbers like this, it's safe to say that most organizations will regularly encounter virus outbreaks. No one who uses computers is immune to viruses.

Life Cycle of a Virus

The life cycle of a virus begins when it is created and ends when it is completely eradicated. The following outline describes each stage:

Creation

Until recently, creating a virus required knowledge of a computer programming language. Today anyone with basic programming knowledge can create a virus. Typically, individuals who wish to cause widespread, random damage to computers create viruses.

Replication

Viruses typically replicate for a long period of time before they activate, allowing plenty of time to spread.

Activation

Viruses with damage routines will activate when certain conditions are met, for example, on a certain date or when the infected user performs a particular action. Viruses without damage routines do not activate, instead causing damage by stealing storage space.

Discovery

This phase does not always follow activation, but typically does. When a virus is detected and isolated, it is sent to the ICSA in Washington, D.C., to be documented and distributed to antivirus software developers. Discovery normally takes place at least one year before the virus might have become a threat to the computing community.

Assimilation

At this point, antivirus software developers modify their software so that it can detect the new virus. This can take anywhere from one day to six months, depending on the developer and the virus type.

Eradication

If enough users install up-to-date virus protection software, any virus can be wiped out. So far no viruses have disappeared completely, but some have long ceased to be a major threat.

What can you do to Protect against Malware?

There are many things you can do to protect against malware. At the top of the list is using a powerful antivirus product, and keeping it up-to-date with the latest pattern files. To learn more about Trend Micro's offerings, and find out which solution is right for you, please view the interactive Trend Micro Enterprise Solution diagram. You may also visit the ICSA Web site for further suggestions.

ActiveX malicious code

ActiveX controls allow Web developers to create interactive, dynamic Web pages with broader functionality such as HouseCall, Trend Micro's free on-line scanner. An ActiveX control is a component object embedded in a Web page which runs automatically when the page is viewed. In many cases, the Web browser can be configured so that these ActiveX controls do not execute by changing the browser's security settings to "high." However, hackers, virus writers, and others who wish to cause mischief or worse may use ActiveX malicious code as a vehicle to attack the system. To remove malicious ActiveX controls, you just need to delete them.

Adware

Adware is a software application that displays advertising banners while the program is running. Adware often contains spyware in order for the program to know which advertisements to display based on the current user's preference.

Aliases

The Computer Antivirus Research Organization (CARO) sets the standard for naming malware and malicious code. However, since every antivirus vendor has its own scanning approach and technology, the same malware often ends up with different names. Therefore, malware may be known by several different names, or aliases. Listing the aliases tells the user which names different vendors use to detect the same malware.

Backdoor

A Backdoor is a program that opens secret access to systems, and is often used to bypass system security. A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications. For detailed removal instructions please view the virus description. See virus types for an explanation of Trend Micro virus-naming conventions.

Boot sector viruses

Boot sector viruses infect the boot sector or partition table of a disk. Computer systems are most likely to be attacked by boot sector viruses when you boot the system with an infected disk in the floppy drive; the boot attempt does not have to be successful for the virus to infect the hard drive. Also, there are a few viruses that can infect the boot sector from executable programs; these are known as multi-partite viruses and they are relatively rare. Once the system is infected, the boot sector virus will attempt to infect every disk that is accessed by that computer. In general, boot sector viruses can be successfully removed.
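Because a boot sector virus has to rewrite the boot code or partition table that this entry describes, one defensive check is to compare the first sector of a disk against a known-good copy. The following is an added example, not code from the encyclopedia; it assumes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, then the 0x55AA signature) and uses constructed sample sectors rather than real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # boot code occupies bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a bootable sector
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # partition type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """List what differs between a known-good MBR image and the current one."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("boot code modified")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table modified")
    return findings


# Constructed sample sectors for the demonstration (not real boot code or malware).
def _build_mbr(boot_code: bytes, entries: list) -> bytes:
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


ONE_NTFS = [(0x80, 0x07, 2048, 204800)]                          # bootable, type 0x07, 100 MiB
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40, ONE_NTFS)
ALTERED_MBR = _build_mbr(b"\xeb\xfe" + b"\x00" * 43, ONE_NTFS)   # boot code swapped out

if __name__ == "__main__":
    print(compare_mbr(CLEAN_MBR, CLEAN_MBR))     # []
    print(compare_mbr(CLEAN_MBR, ALTERED_MBR))   # ['boot code modified']
```

On a live system the baseline would be captured from the raw disk device (which needs administrative rights) right after installation and stored off the machine, so that a later comparison is not reading its reference from a disk the virus may already have altered.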

Computers infected since (date)

This table displays the number of infected computers, by region, since detection first became available for this virus. See Virus Map for additional information.

Damage Potential

Damage potential and danger to systems is derived from the characteristics of the malicious program. Some malicious programs have been known to attack important operating system files, leaving the system unstable or unable to re-boot.

High

- system becomes unusable (e.g. flashing the BIOS, formatting the hard drive)

- system data or files are unrecoverable (e.g. encryption of data)

- system cannot be automatically recovered using tools

- recovery requires restoring from backup

- causes large amounts of network traffic (packet flooders, mass mailers)

- data/files are sent to a third party

Medium

- can be recovered using Trend Micro products or cleaning tools

- minor data/file modification (e.g. file infectors)

- malware that writes a minimal amount of data to the disk

- malware that kills applications in memory

- causes a medium amount of network traffic (e.g. slow mailers)

- automatically executes unknown programs

- deletes security-related applications (e.g. antivirus, firewall)

Low

- no system changes

- deletion of less significant files in the system

- damage can be recovered by users without using any tools

- damage can be reversed just by rebooting the system

Date of origin

Indicates when a virus was first discovered (if known).

Denial of Service

Denial of Service, or DoS, is a Trojan routine that interrupts or inhibits the normal flow of data into and out of a system. Most DoS attacks consume system resources, such that, in a short period of time, the target is rendered useless. Another form of DoS attack happens when a Web service is accessed massively and repeatedly from different locations, preventing other systems from accessing the service and from retrieving data from it.

Description

This is a brief summary of a virus listed in the Trend Micro Virus Encyclopedia. For detailed technical information, click on the "Tech Details" tab. For virus infection statistics, click on the "Risk Statistics" tab.

Destructive viruses

In addition to self-replication, computer viruses may have a routine that can deliver the virus payload. A virus is defined as destructive if its payload does some damage to your system, such as corrupting or deleting files, formatting your hard drive, and committing Denial of Service (DoS) attacks.

Dialer

Dialers are Trojans that, upon execution, connect the system to a pay-per-call location in which the unsuspecting user is billed for the call without his/her knowledge. Dialers often arrive in porn-related or other enticing service-related applications.

Distribution Potential

Distribution potential is derived from the characteristics of the malicious program. Fast-spreading network worms can spread across continents within just minutes. Some malicious programs also use numerous infection and spreading techniques, often referred to as blended threats or mixed threats. The Nimda virus, for example, was able to spread via email, network shares, infected Web sites, as well as Web traffic (HTTP, port 80).

As new systems are made and improved with added functionality, proof-of-concept malware often follows. This uniqueness, as well as the widespread implementation of a particular operating system or software, also influences the potential distribution of each malware. Many viruses written in the past do not run or spread on newer operating systems or operating systems that have all the latest security patches installed.

High

- blended threats (e.g. spreads via email, P2P, IM, network shares)

- Mass mailers

- Spreads via network shares

Medium

- Mailers

- spreads via third-party software or media

- spreads in IRC, IM, or P2P

- requires user intervention to spread

- URL/Web site download

Low

- no network spreading

- requires manual distribution to spread

Dropper

A dropper is malware that drops other malware into a system. Some droppers just drop viruses or Trojans, while others are viruses or Trojans that - after performing their payload - also drop copies of other malware into the system.

ELF

ELF refers to Executable and Linkable Format, the well-documented and openly available file format for Linux/UNIX executables. Trend products detect malicious code for Linux/UNIX as "ELF_Virusname."

Encrypted Viruses

An encrypted virus is one whose code contains a special routine that employs data-obscuring techniques to evade detection by antivirus software. Trend Micro's antivirus products have the ability to decrypt the virus and detect such viruses.

Exploit

An exploit is a Trojan that abuses certain vulnerabilities in existing systems or services. Exploits typically utilize a known flaw, which allows them to execute an otherwise difficult routine, such as running an arbitrary program on the target machine.

File infecting viruses

File infecting viruses infect executable programs (generally, files that have extensions of .com or .exe). Most such viruses simply try to replicate and spread by infecting other host programs - but some inadvertently destroy the program they infect by overwriting some of the original code. There is a minority of these viruses that are very destructive and attempt to format the hard drive at a pre-determined time or perform some other malicious action. In many cases, a file-infecting virus can be successfully removed from the infected file. If the virus has overwritten part of the program's code, the original file will be unrecoverable.

Hoax

Hoaxes are warnings that contain incorrect information about malware or system events. These warnings often describe fantastical or impossible malware characteristics that fool the user into performing unwanted actions on their system, or suggest that users should forward the warning to other users. A hoax can be considered a nuisance by the mere fact that forwarding it wastes time and bandwidth.

In-the-Wild virus list

Malware designated as being In-the-Wild refers to common viruses that have been found infecting users' computers worldwide. The list is compiled by The WildList Organization (WLO). WLO updates the list regularly, working closely with antivirus research teams around the world, including Trend Micro's. When ICSA (International Computer Security Association) conducts virus testing of antivirus products, the In-the-Wild virus list serves as the basis for its comparative analysis.

Java malicious code

Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. Java applets are small, portable Java programs embedded in HTML pages. They can run automatically when the pages are viewed. However, hackers and virus writers may use Java malicious code as a vehicle to attack the system. In many cases, the Web browser can be configured so that these applets do not execute by changing the browser's security settings to "high."

Joke programs

Joke programs are ordinary executable programs. They are added to the detection list because they are found to be either very annoying or they could cause users undue panic. At times joke programs may even display messages regarding delicate topics. Joke programs cannot spread unless someone deliberately distributes them. To remove a joke program, delete the file from your system.

Keylogger

Keyloggers are Trojans that, upon execution, log every keystroke or activity in a system. Although similar to third-party parenting/monitoring software, some malware employs the same technique to gather valuable data from unsuspecting users.

Kits

Kits are malware-producing applications that give the user the option to create customized malware. A kit can often produce multiple variations of a virus or a worm depending on the number of options offered in the kit. An antivirus scanner should be capable of detecting the source (the kit application) and its spawn.

Language

This refers to the language locale of the virus working platform such as MS Word in English or Chinese.

Macro Viruses

Macro viruses were the most prevalent viruses during the late 1990s and early 2000s. Unlike other virus types, macro viruses aren't specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.

Macro viruses are written in "every man's programming language", Visual Basic, and are relatively easy to create. They can infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted.

Malware

Malware is a general term used to refer to any unexpected or malicious programs or mobile code, such as viruses, Trojans, worms, or joke programs.

Multi-partite Viruses

Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.

NE

NE refers to New Executable, which is the standard Windows 16-bit executable file format. Windows 16-bit viruses are detected by Trend products as "NE_Virusname."

Password

Some viruses set a password when they infect a document. The main objective of the virus here is to make the document inaccessible. This password can be a word, phrase, or even a randomly generated number.

Payload

Payload refers to an action that a virus performs on the infected computer. This can be something relatively harmless like displaying messages or ejecting the CD drive, or something destructive like deleting the entire hard drive.

PE

PE refers to Portable Executable, which is the standard Win32 executable file format. Windows 32-bit viruses are detected by Trend products as "PE_Virusname."
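The ELF, NE and PE entries above all describe a detection name whose prefix comes from the executable file format. The following is an added example, not code from the encyclopedia or from Trend Micro, showing how the format can be told apart from the header bytes alone (the 0x7F "ELF" magic, or an "MZ" DOS header whose e_lfanew field at offset 0x3C points at a "PE\0\0" or "NE" header) and mapped to the matching prefix. The sample headers are constructed for the demonstration and contain no real malware.

```python
import struct
from typing import Optional

# Detection-name prefixes the encyclopedia describes: "ELF_", "NE_" and "PE_".
PREFIX = {"ELF": "ELF_", "NE": "NE_", "PE": "PE_"}


def executable_format(data: bytes) -> str:
    """Classify a file image by its header bytes.

    Returns "ELF", "PE", "NE", "MZ" (a plain DOS executable, or an MZ file whose
    extended header cannot be reached) or "unknown" (e.g. a headerless .com file).
    """
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] != b"MZ":
        return "unknown"
    if len(data) < 0x40:
        return "MZ"                                  # truncated DOS header
    # e_lfanew (offset 0x3C) points at the NE or PE header that follows the DOS stub.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return "MZ"                                  # no reachable extended header
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\x00\x00":
        return "PE"
    if sig[:2] == b"NE":
        return "NE"
    return "MZ"


def detection_name(data: bytes, family: str) -> Optional[str]:
    """Build a prefixed name such as "PE_Virusname"; None if no prefix applies."""
    prefix = PREFIX.get(executable_format(data))
    return prefix + family if prefix else None


# Constructed sample headers (not real malware): just enough bytes to exercise the checks.
def _mz_stub(e_lfanew: int, ext_header: bytes) -> bytes:
    """Minimal 64-byte DOS header, zero padding, then the extended header at e_lfanew."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + b"\x00" * (e_lfanew - len(hdr)) + ext_header


SAMPLE_PE = _mz_stub(0x80, b"PE\x00\x00" + b"\x4c\x01")   # PE signature, machine = i386
SAMPLE_NE = _mz_stub(0x40, b"NE\x05\x00")                 # New Executable, linker 5.0
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9         # ELF64 little-endian e_ident
SAMPLE_DOS = b"MZ" + b"\x00" * 62                         # DOS header with e_lfanew = 0

if __name__ == "__main__":
    for label, sample in [("PE", SAMPLE_PE), ("NE", SAMPLE_NE),
                          ("ELF", SAMPLE_ELF), ("DOS", SAMPLE_DOS)]:
        print(label, executable_format(sample), detection_name(sample, "Virusname"))
```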

Place of Origin

Indicates where a virus is believed to have originated (if known).

Platform

Indicates the computer operating system or application on which a virus can run and perform an infection. Generally, a particular operating system is required for executable viruses and a specific application is needed for macro viruses.

Polymorphic viruses

A polymorphic virus is one whose code contains a special routine that changes the other parts of the virus code on each replication to evade detection by antivirus software. Trend Micro's antivirus products have the ability to decrypt the virus and detect such viruses.

Proof of Concept

A proof of concept virus or Trojan indicates that something is new or has never been seen before. For example, VBS_Bubbleboy was a proof of concept worm, as it was the first email worm to execute automatically without requiring a user to double-click on an attachment. Most proof of concept viruses are never seen in-the-wild. However, virus writers will often take the idea (and code) from a proof of concept virus and implement it in future viruses.

Rate of Infection

This table displays the relative rate of infection in each region. While the "number of computers infected" table reflects the larger numbers of Internet users in North America, Asia and Europe, the "rate of infection" is useful as an estimate of how quickly a virus is spreading in each region. An infection rate of 5%, for example, means that approximately 5 out of 100 computers are infected. Please note that these rates are based only on HouseCall users who have scanned their PC in the last 24 hours. See Trend Micro's Virus Map for additional information.

Reported Infections

Reported Infections, or real-time spread, is measured by reports coming in from the World Virus Tracking Center, as well as from Trend Micro business units around the world that are receiving threat reports and support inquiries in their areas. Reports from other antivirus industry vendors, and media attention, also contribute to this factor.

High - reports indicate that the virus has been seen all over the world and with numerous infections per site.

Medium - few reported incidents all over the world or numerous reports in certain regions.

Low - no, or very few, infections reported.

Risk Rating

When a case is received, TrendLabs (Trend Micro's global network of antivirus research and product support centers) immediately evaluates the threat and assigns a risk rating of Low, Medium, or High. Several factors contribute to each risk rating.

Script viruses (VBScript, JavaScript, HTML)

Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from Windows Explorer.

HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.

Size of macro/malicious code/virus

Indicates the size of the virus code in bytes. This number is sometimes used as part of the virus name to distinguish it from its variants.

Solution

Most viruses can be cleaned or removed from the infected host files by Trend Micro's antivirus software. Special removal instructions are provided for viruses or Trojans that modify the system registry and/or drop files. Generally, to remove Trojans or joke programs, you just need to delete the program files; no cleaning action is needed. For a quick check-up of your PC, use HouseCall, Trend Micro's FREE on-line virus scanner. This will check for viruses which may already be on your PC.

To keep your computer healthy by catching viruses before they have a chance to infect your PC or network, get the best antivirus solution available today. Trend Micro offers antivirus and content security solutions for home users, corporate users, and ISPs.

Spyware

Spyware is a software application that monitors a user's computing habits and personal information and sends this information to third parties without the user's authorization or knowledge.

Stealer

A stealer is a Trojan that gathers information from a system. The most common form of stealers are those that gather logon information, like usernames and passwords, and then send the information to another system either via email or over a network. Other stealers, called key loggers, log user keystrokes which may reveal sensitive information.

Technical details

The "technical details" section of the Virus Encyclopedia profile contains specific information about the actions performed by a virus on the host system. This information is provided to assist system administrators in identifying and removing viruses. Home users should use an automated tool like Trend Micro PC-cillin or Trend Micro's FREE online scanner HouseCall to detect and remove viruses from their computer.

Time period

This chart displays the number of computers infected within the last 24 hours (1d), last 7 days (7d), last year (1y), or since detection first became available (All). See Trend Micro's Virus Map for additional information.

Top 10 countries/regions

This table displays the number of infected computers in each of the top 10 countries/regions where this virus has been detected, since detection first became available. See Trend Micro's Virus Map for additional information.

Trigger Condition/Trigger Date

This indicates the condition or date on which the virus payload will be executed. A condition may range from the presence of a file to an action performed by the user. The date could include year, month, day, week, day of the week, hour, minute, second, or any other possible combination of any measurement of time.

Trojan

A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is the inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If it replicates, then it should be classified as a virus.

A Trojan, coined from Greek mythology's Trojan horse, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed users will likely experience unwanted system problems in operation, and sometimes loss of valuable data.

Virus Map

The Virus Map is a tool for measuring virus infections around the world. All virus infection data comes from HouseCall, Trend Micro's free, online virus scanner for PCs. Trend Micro has been collecting real-time virus infection statistics since November 1999, therefore statistics for viruses discovered before this date are limited to the timeframe from November 1999 to the present. Visit the Virus Map at wtc..

Virus Types

The majority of viruses fall into five main classes:

- Boot-sector

- File-infector

- Multi-partite

- Macro

- Worm

Worm

A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.
