Specific Computer Viruses




It was stated in the introduction to this chapter that CompTIA includes the subject of viruses in its domain objectives. It was also stated that there are over 65,000 reported or known viruses and variations. However, CompTIA does not specify which specific viruses it will target in the Security+ exam. You’d better believe the exam is going to ask you to identify specific viruses. With this in mind, it is important that you become familiar with as many specific viruses, worms, Trojans, and other pieces of malicious code as possible. If you focused earlier in your study of malicious code, you should be more than ready to remember and associate the following specific viruses. Pay close attention here. This just might get you a passing grade on the real examination.

Backdoor.Subseven

Backdoor.Subseven is very similar to the remote administration tool threats Back Orifice and NetBus (which will be described shortly). It is considered a Trojan horse that allows a computer to be controlled remotely from another location. In other words, it allows undetected, unauthorized access to your system from within a network or over the Internet. The Backdoor.Subseven virus and some of its known variants (Backdoor.SubSeven.1_7, Backdoor-G, Backdoor.Trojan, and Sub7) are most commonly distributed through e-mail attachments and through file and program transfers over instant messaging.

Once executed, the virus adds itself, as well as other related executable files, to the system folder of your operating system. It also changes system registry values, which allow the system to eventually be controlled remotely. The affected system becomes the “server” that can then be controlled by a remote “client.”

If you have been infected with the Backdoor.Subseven virus, some or all of the following and much more might result:

  • Your system can be remotely shut down and/or restarted.

  • Confidential information can be browsed, deleted, or obtained.

  • Programs can be deleted or modified.

  • System files can be manipulated.

Back Orifice (a.k.a. BO Trojan)

The Back Orifice Trojan horse is a program similar in nature to NetBus (described next) that allows remote access to a computer system after a server application program has been executed on the remote or targeted computer. After the server piece has been executed on the target system, the remote (client) system can do just about anything it pleases to the infected system. The insidious thing about this is that the program can do its bidding undetected.

NetBus (a.k.a. Backdoor.NetBus)

NetBus is a remote administration Trojan horse type program similar to Back Orifice and Backdoor.Subseven that must first be executed on a system by a user in order to be installed. A system affected by NetBus or its variants can expect many of the same results as described with Backdoor.Subseven and Back Orifice. However, there are a few distinctions that make NetBus a remote administration Trojan horse of choice for many hackers. It allows a remote user to pop a system’s CD tray in and out as well as manipulate mouse buttons and pointers. It should also be noted that there are several versions of NetBus. Unlike earlier versions of this remote control program, NetBus Pro Version 2.1 has been designed not to hide itself, so as to advertise that it is a legitimate, controlled, remote administration tool.

If you research Back Orifice and NetBus, you will most likely become very confused by the various descriptions and other explanations of these threats. Some sources simply describe them as “authored remote administration tools,” while others describe them as tools that are modified for malicious purposes. This type of subjective matter and confusion would be perfect ground for the trickery typically found in Microsoft certification examinations. Fortunately, the Security+ is a CompTIA certification. CompTIA will most likely be concerned that you know these are modified remote administration programs or tools that are used for unauthorized, illegal, and malicious purposes. For your own sanity and our specific Security+ exam focus, know that Backdoor.Subseven, Back Orifice, and NetBus are considered to be Trojan horse remote administration threats that exist in the wild.

Chernobyl

The Chernobyl virus, also named W98.CIH or just CIH, was named after the Chernobyl nuclear disaster; the CIH name comes from the initials of its author (Chen Ing-hau). It is an older space filler virus that mainly targets earlier versions of Microsoft Windows such as the Windows 95 and Windows 98 operating systems. It was a devastating virus that would fill up all free space areas on a hard drive, making it very difficult for antiviral software to run, and it was capable of wiping out all data in an infected computer system. The virus was triggered on April 26th, which coincides with the date of the Chernobyl nuclear disaster in Russia on April 26th, 1986. This virus is still considered to exist in the wild. Fortunately, it can be identified and controlled with current managed antivirus protection and updates.

ILOVEYOU

In May of 2000, the ILOVEYOU worm was released upon the world. ILOVEYOU is a self-propagating worm that arrives as an attachment to an e-mail entitled ILOVEYOU, which typically appears to be addressed to the targeted recipient from a friend, loved one, or associate. Once the attachment included with the e-mail is opened, the worm infects files with extensions such as .vbs, .vbe, .com, .jpg, .jpeg, .gif, .doc, .hta, .mp3, .wav, .txt, .bat, .htm, and .html, just to name a few. The worm then sends itself to all contacts in the targeted system’s local Microsoft Outlook address book. This worm was one of the fastest spreading worms to date because of its much-admired social engineering technique, its ability to proliferate to all contacts within a contact list (the Melissa virus used only the first 50 contacts listed in a local address book), and its ability to spread quickly through mapped network resources.

Melissa

The Melissa (W97M.Melissa.A) virus is a macro virus that spreads very quickly when its payload is released or executed. The Melissa virus is distributed as an e-mail attachment, most often named LIST.DOC, in a message whose subject reads “Important Message from [the name of someone]” and whose body text reads “Here is that document you asked for...don’t show anyone else ;-)”. When a person opens the attachment, the virus infects the targeted system, corrupts certain files and safety features associated with Microsoft Word, and e-mails itself to the first 50 contacts in the system’s local Microsoft Outlook address book.
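The two worms just described share a behaviour a mail gateway can watch for: a recognisable subject and attachment, and a sudden burst of outbound mail from one sender to many recipients. The following Python is an added example and is not code from the book; it checks the ILOVEYOU subject, the Melissa “Important Message from” subject with a LIST.DOC attachment, script-type attachments drawn from the extension list above, and a fan-out threshold of 50 recipients per minute (chosen to mirror Melissa’s first-50-contacts behaviour). The double-extension check and the fan-out heuristic go beyond the page’s description and are general mass-mailer defences; all sample messages and events are constructed.

```python
"""Mail-gateway heuristics for mass-mailing worms (added example, constructed data)."""
import os
from collections import deque

# Extensions from the page's ILOVEYOU list that a gateway should treat as
# executable script content (assumption: local attachment policy).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".hta", ".bat", ".com"}


def attachment_flags(filename):
    """Return reasons an attachment name looks dangerous (empty list if none)."""
    flags = []
    root, ext = os.path.splitext(filename.lower())
    if ext in SCRIPT_EXTENSIONS:
        flags.append("script-extension")
    # A decoy extension before the real one (e.g. something.txt.vbs) is a
    # common disguise; this generalises beyond the page's description.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext and inner_ext != ext:
        flags.append("double-extension")
    return flags


def classify_message(msg):
    """Signature checks for the two worms described on the page."""
    flags = []
    subject = msg.get("subject", "").strip()
    attachments = [a.lower() for a in msg.get("attachments", [])]
    if subject.upper() == "ILOVEYOU":
        flags.append("iloveyou-subject")
    if subject.startswith("Important Message from") and "list.doc" in attachments:
        flags.append("melissa-pattern")
    for name in attachments:
        for reason in attachment_flags(name):
            flags.append(f"{name}:{reason}")
    return flags


def fanout_alerts(events, window=60, threshold=50):
    """Flag senders that address >= threshold recipients within `window` seconds.

    events: iterable of (unix_time, sender, recipient_count), sorted by time.
    """
    recent = {}   # sender -> deque of (time, recipient_count) inside the window
    totals = {}   # sender -> recipients counted inside the window
    alerts = set()
    for ts, sender, count in events:
        queue = recent.setdefault(sender, deque())
        queue.append((ts, count))
        totals[sender] = totals.get(sender, 0) + count
        while queue and ts - queue[0][0] > window:
            _, old = queue.popleft()
            totals[sender] -= old
        if totals[sender] >= threshold:
            alerts.add(sender)
    return sorted(alerts)


# Constructed sample data: two worm-like messages and one ordinary one.
SAMPLE_MESSAGES = [
    {"subject": "ILOVEYOU", "attachments": ["love-letter.txt.vbs"]},
    {"subject": "Important Message from Alice", "attachments": ["LIST.DOC"]},
    {"subject": "Q3 report", "attachments": ["report.doc"]},
]

# Constructed outbound-mail events: (time, sender, recipients on that message).
SAMPLE_EVENTS = [
    (0, "bob@example.com", 1), (10, "bob@example.com", 2),
    (30, "mallory@example.com", 50),      # one message to 50 recipients
    (31, "carol@example.com", 12), (500, "carol@example.com", 45),  # spread out
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", classify_message(msg) or "clean")
    print("fan-out alerts:", fanout_alerts(SAMPLE_EVENTS))
```

The signature checks catch only the two strains named on the page; the fan-out check is what catches the next variant with a new subject line, which is why both are worth running at the gateway.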

W32.Kriz

The W32.Kriz virus is similar to the Chernobyl virus and typically resides in a computer system’s memory. Its payload attempts to flash or erase a computer system’s BIOS as well as erase files that reside on the infected computer’s hard disk, floppy disk, and all associated mapped network drives. The virus creates a bogus Kernel32.dll file and overwrites the existing known-good Kernel32.dll. When programs make application programming interface (API) calls, the bad Kernel32.dll infects them. If the W32.Kriz virus has infected your system, you will most likely end up spending your Christmas holiday reformatting your hard drive as well as reloading your operating system: if this virus resides in a system, it is triggered to release itself on December 25 of any given year.
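Both Backdoor.Subseven (which drops new executables into the system folder) and W32.Kriz (which overwrites Kernel32.dll with a bogus copy) change the contents of the system folder, and a file-integrity baseline catches both kinds of change. The Python below is an added example, not code from the book or from any antivirus vendor; it hashes every file under a folder, stores the result, and later reports files added, removed, or modified. The folder and file contents in `demo()` are constructed stand-ins for a Windows system folder.

```python
"""File-integrity baseline for a system folder (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Report files added, modified, or removed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in current.keys() & baseline.keys()
                           if current[name] != baseline[name]),
    }


def demo():
    """Simulate a clean system folder, then the two changes the page describes."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        # Constructed stand-ins for system files; the bytes are arbitrary.
        (sysdir / "kernel32.dll").write_bytes(b"MZ original kernel32 image")
        (sysdir / "user32.dll").write_bytes(b"MZ original user32 image")
        baseline = build_baseline(sysdir)
        # Kriz-style change: the known-good DLL is overwritten with a bogus copy.
        (sysdir / "kernel32.dll").write_bytes(b"MZ bogus kernel32 image")
        # Subseven-style change: a new executable appears in the system folder.
        (sysdir / "server.exe").write_bytes(b"MZ dropped executable")
        return compare_to_baseline(sysdir, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline is only trustworthy if it was taken on a clean system and stored where the infected host cannot rewrite it (off-box, or signed); a Trojan that can replace Kernel32.dll can just as easily replace a baseline file kept next to it.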

W32.Nimda.A@mm

W32.Nimda.A@mm is a mass-mailing worm that targets the weaknesses of vulnerable, unpatched Microsoft IIS (Internet Information Server) Web servers. W32.Nimda.A@mm proliferates through e-mail attachments and uses the Unicode Web Traversal exploit. Once it has infected an unpatched server, the server acts as a host or catalyst, if you will, from which the worm searches through mapped network shares for other weak IIS servers within the network. Nimda affects the local system as well as remote network shares and files. Here are two interesting facts: the worm’s name is “admin” spelled backwards, and during the infection process the local guest account is created with administrator privileges, which allows the worm to do its bidding on the local system.
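The Unicode Web Traversal exploit named above works because a vulnerable decoder accepts overlong UTF-8 encodings of “/” and “\” after it has already checked the request path for “..”, so the traversal only appears once the path is decoded. A server log scanner therefore has to decode the same way before looking for “..”. The Python below is an added example, not code from the book or from Microsoft; it percent-decodes each request, decodes UTF-8 without rejecting overlong forms, normalises backslashes, and flags any request whose decoded path contains a “..” segment. It generalises the page’s case by running a second decoding pass so that double-encoded escapes are caught as well. The log lines are constructed and follow a simplified date, time, client, method, URI layout rather than any particular IIS log format.

```python
"""Detect Unicode / overlong-UTF-8 path traversal in Web server logs (added example)."""
import re

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def percent_decode(text):
    """Turn %XX escapes into raw bytes; anything else is passed through as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and HEX2.fullmatch(text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return bytes(out)


def lenient_utf8(data):
    """Decode UTF-8 the way the vulnerable decoder did: overlong forms are accepted,
    so C0 AF becomes '/' and C1 9C becomes '\\'. Malformed bytes become '?'."""
    out = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
            continue
        if 0xC0 <= lead < 0xE0:
            need, cp = 1, lead & 0x1F
        elif 0xE0 <= lead < 0xF0:
            need, cp = 2, lead & 0x0F
        else:
            out.append("?")
            i += 1
            continue
        if i + need >= n or any((data[i + k] & 0xC0) != 0x80 for k in range(1, need + 1)):
            out.append("?")
            i += 1
            continue
        for k in range(1, need + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp) if cp < 0x110000 else "?")
        i += need + 1
    return "".join(out)


def normalize_path(raw, passes=2):
    """Decode up to `passes` times (catches double encoding), then unify separators."""
    path = raw
    for _ in range(passes):
        decoded = lenient_utf8(percent_decode(path))
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw):
    """True if any path segment of the decoded request is '..'."""
    return ".." in normalize_path(raw).split("/")


# Constructed layout: date time client-ip method uri
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)")


def scan_log(lines):
    """Return (client, raw_uri, decoded_path) for every traversal attempt in the log."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        _when, client, _method, uri = match.groups()
        if has_traversal(uri):
            hits.append((client, uri, normalize_path(uri)))
    return hits


# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = [
    "2001-09-18 10:00:01 203.0.113.5 GET /scripts/..%c0%af../private/config.txt",
    "2001-09-18 10:00:02 203.0.113.5 GET /scripts/..%c1%9c../private/config.txt",
    "2001-09-18 10:00:03 198.51.100.7 GET /default.htm",
    "2001-09-18 10:00:04 198.51.100.7 GET /images/%e2%9c%93.png",
    "2001-09-18 10:00:05 203.0.113.9 GET /scripts/..%255c../private/config.txt",
]

if __name__ == "__main__":
    for client, uri, decoded in scan_log(SAMPLE_LOG):
        print(f"{client} {uri} -> {decoded}")
```

A patched server rejects the overlong forms before the path check, but the scanner is still useful on logs from the patched server: a burst of these requests from many source addresses is exactly the footprint the text describes of an infected host hunting for other weak IIS servers.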

When Nimda was released, it affected thousands of Web servers across the world. The author of this book personally contributed hundreds of hours successfully saving many infected IIS servers across a corporate network from destruction by this worm. Although the CompTIA Security+ exam and this book are considered “vendor neutral,” the author of this book is somewhat partial and would like to thank technical support at Symantec Corporation, “the world leader in Internet security technology,” for their quick response and assistance with fighting this worm. In the author’s opinion, Symantec Corporation was the first antivirus software provider to produce an effective solution (patches and instructions) for this worm, which saved a very important company a lot of money and a busy author a lot of time and frustration.

There are several variations of Nimda that you should acquaint yourself with. It is highly recommended that you visit the Symantec Security Response Web site and educate yourself with the Nimda variations as well as other viruses, worms, and Trojans.

Note 

It is likely that the Security+ exam will expect you to know which major type of malicious code each of NetBus, Nimda, Brain, Backdoor7, and BackOrifice is associated with. In other words, what types of viruses are they? Know them well!

If you are interested in getting more acquainted with some of the thousands of viruses that exist, Symantec has quite an extensive virus encyclopedia that is available to the public at http://securityresponse.symantec.com/avcenter/vinfodb.html/.

W32.Klez.A@mm

W32.Klez.A@mm is a mass-mailing e-mail worm threat that exploits known weaknesses associated with Microsoft Outlook Express and Microsoft Outlook. (Remember what the mm means?) This virus is very tricky; it spreads itself to local as well as mapped network drives when it is opened or viewed. Basically, the virus will zero out all infected files, rendering them useless. The virus’s payload is date specific. This means that when a certain system date is reached, the payload will be executed. The virus is known to release itself when the system date reaches the 13th of January, March, May, July, September, and November. If you have a quality antivirus product that is properly configured with updated virus definitions, you should be well protected from this threat. If you do not, and have been infected by this virus, it is highly recommended that you visit the Symantec Security Response page at http://securityresponse.symantec.com/ and acquire the necessary removal tool for the worm.

Note 

Mass-mailing worms pose very serious threats to your system. They are very common today and are likely to be targeted on the exam. Know the most popular ones well!

Next, we will discuss the importance of managing and maintaining antivirus solutions properly.






The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
