
Data Compression

This document provides an overview of computer viruses including: 1) A computer virus is a program that can spread across computers and networks by making copies of itself, usually without the user's knowledge. Viruses have harmful side effects ranging from displaying irritating messages to deleting files. 2) Viruses infect other programs and spread throughout the system. They can perform any action the user can, including deleting files and transmitting confidential information. 3) Computer viruses enter systems by tricking users into executing infected programs or opening infected email attachments. The main risks of virus infection come from downloading programs from the internet, opening documents from external sources, and using removable media like floppy disks and CDs from infected sources

Uploaded by

muhamed

INTERNATIONAL UNIVERSITY OF TRAVNIK

FACULTY OF MECHANICAL ENGINEERING

SEMINAR PAPER

Subject: English Language

Topic: Computer virus

Student: Muhamed Sarajlić Professor: Murat Dizdarević

A: Mediha Dervišić

Travnik, February 2023.


Contents
INTRODUCTION
COMPUTER VIRUS
Where are the virus risks?
Kinds of Destructive Software
Trojan horses
Worm or Bacterium
Logic Bombs
Computer Virus
Virus Classification
Anatomy of a Typical Virus
Application -> System Infection
Overhead Incurred Because of a Virus
Currently Active Viruses
nVIR
INIT 29
CONCLUSION
LITERATURE

INTRODUCTION

A computer virus is a special kind of computer program which spreads across disks and
networks by making copies of itself, usually surreptitiously. It can produce undesired side
effects in computers in which it is active. As long as the virus is active on the computer, it can
copy itself to other files or disks that are accessed. Viruses can be transmitted by booting a PC
from an infected medium or by executing an infected program. In this paper we'll try to say more
about computer viruses.

COMPUTER VIRUS

A virus is a program designed by a computer programmer (malicious hacker) to do a certain
unwanted function. The virus program can be simply annoying, like displaying a happy face on
the user's screen at a certain time and date. It can also be very destructive and damage your
computer's programs and files, causing the computer to stop working. The reasons why hackers
create viruses are open for speculation. A computer virus is a computer program that can spread
across computers and networks by making copies of itself, usually without the user's knowledge.
Viruses have harmful side effects. These can range from displaying irritating messages to
deleting all the files on our computer. It is estimated that there are 53,000 computer viruses in
existence, with new ones being detected almost every quarter of a minute. (Thomas, 2015;1)

A program called “Elk Cloner” is credited with being the first computer virus to appear “in the
wild”, that is, outside the single computer or lab where it was created. Written in 1982 by Rich
Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. This
virus was originally a joke, created by the high school student and put on to a game. The game
was set to play, but release the virus on the 50th time of starting the game. Only this time, instead
of playing the game, it would change to a blank screen that showed a poem about the virus named
Elk Cloner. The computer would then be infected. The first PC virus was a boot sector virus
called ©Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of
Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software
they had written. However, analysts have claimed that the Ashar virus, a variant of Brain,
possibly predated it based on code within the virus. (ibid.)

The term 'computer virus' was first formally defined by Fred Cohen in 1983. Computer viruses
never occur naturally. They are always induced by people. Once created and released, however,
their diffusion is not directly under human control. After entering a computer, a virus attaches
itself to another program in such a way that execution of the host program triggers the action of
the virus simultaneously. It can self-replicate, inserting itself into other programs or files,
infecting them in the process. Not all computer viruses are destructive, though. However, most of
them perform actions that are malicious in nature, such as destroying data. Some viruses wreak
havoc as soon as their code is executed, while others lie dormant until a particular event (as
programmed) is initiated that causes their code to run in the computer. Viruses spread when
the software or documents they are attached to are transferred from one computer to another
using a network, a disk, file sharing methods, or through infected e-mail attachments. Some
viruses use different stealth strategies to avoid detection by anti-virus software.
(Gajanana Prabhu)

Computer viruses attack systems by tricking an authorized user into executing them. The virus
infects other programs, and spreads throughout the system. They can perform any action that the
user can, including deleting files, altering data in files, and transmitting confidential information
over a network. Computer viruses are related to other types of programs such as Trojan horses
and computer worms. These programs are forms of malicious logic. Users trust programs to
perform a set of functions. The important characteristic of malicious logic is that it executes
unknown, unwanted instructions as well as the known set of functions. The unknown, malicious
instructions violate system security. But the operating system cannot determine this, because it
does not know that the user is unaware of these instructions being executed (as the user ran the
program containing them). There is no generic technique to determine if an arbitrary program
contains a computer virus. Hence specific characteristics of particular computer viruses, or of
particular types of computer viruses, must be used. Prevention methods are designed to stop the
computer virus from infecting other programs and from doing collateral damage. One set of
methods prevents instructions from being interpreted as data, and vice versa. Another set limits
the amount of sharing. A third reduces the access rights of programs as much as possible. The
rights allowed depend on user settings, file names, or guards associated with files. Detection
methods are designed to detect computer viruses, either directly or through their actions.
Signature analysis methods look for sequences known to be contained in computer viruses.
Integrity checking methods examine files for unexpected changes that may be a result of
infection. Specification-based methods look for actions that a program should not take. Anomaly
detection looks for unexpected characteristics or actions of programs. (Bishop; 1-2)
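
The difference between two of the detection methods above, signature analysis and integrity checking, shown as an added example (not from the paper or its cited sources). The signature name and byte pattern, the file names and the sample contents are all constructed for the demonstration and are harmless.

```python
import hashlib
import os
import tempfile

# Constructed, harmless byte pattern standing in for a "sequence known to be
# contained in a virus". Real scanners ship thousands of such patterns.
SIGNATURES = {"Demo.Marker.A": b"HARMLESS-DEMO-SIGNATURE-1234"}


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def walk_files(root):
    """Yield (relative path, full path) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def build_baseline(root):
    """Integrity checking, step 1: record a known-good hash per file."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def integrity_check(root, baseline):
    """Integrity checking, step 2: report every deviation from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def signature_scan(root, signatures=SIGNATURES):
    """Signature analysis: report files containing a known byte sequence."""
    hits = []
    for rel, full in walk_files(root):
        with open(full, "rb") as handle:
            data = handle.read()  # whole-file read is fine for a small demo
        hits.extend((rel, name) for name, pattern in signatures.items() if pattern in data)
    return sorted(hits)


def demo():
    """Build a constructed directory, change it, and run both detectors."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mode="wb"):
            with open(os.path.join(root, name), mode) as handle:
                handle.write(data)

        write("editor.bin", b"\x7fDEMO original program bytes")
        write("report.txt", b"quarterly figures\n")
        baseline = build_baseline(root)

        # Change 1: bytes appended to an existing program, no known signature.
        write("editor.bin", b"unknown appended code", mode="ab")
        # Change 2: a new file that happens to contain a known signature.
        write("new_tool.bin", b"header" + SIGNATURES["Demo.Marker.A"] + b"trailer")

        return integrity_check(root, baseline), signature_scan(root)


if __name__ == "__main__":
    changes, hits = demo()
    print("integrity:", changes)   # flags editor.bin although no signature matches
    print("signatures:", hits)     # names the match but misses editor.bin
```

In practice the baseline has to be stored where the monitored account cannot write, otherwise the same process that alters a file can also update its recorded hash.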

Where are the virus risks?

Here are the points where your office is vulnerable.

The internet

Downloaded programs or documents may be infected.

Documents and spreadsheets

These can contain macro viruses, which can infect and make changes to other
documents or spreadsheets.

Programs

Programs that carry a virus can infect your machine as soon as you run them.

Floppy disks and CDs

Floppy disks can have a virus in the boot sector. They can also hold infected
programs or documents. CDs may also hold infected items.

Email

Email can include infected attachments. If you double-click on an infected
attachment, you risk infecting your machine. Some emails even include malicious scripts that run
as soon as you preview the mail or read the body text. (Oldfield, 2001;11)

Kinds of Destructive Software

Intentionally destructive software can come in several different guises, including computer
viruses, and can be grouped into the following broad categories. (Brown, 1992; 3)

Trojan horses

Trojan horses are programs that do things that are not described in their specifications. The user
runs what they think is a legitimate program, allowing it to carry out hidden, often harmful,
functions. For example, Troj/Zelu claims to be a program for fixing the ‘millennium bug’ but
actually overwrites the hard disk. Trojan horses are sometimes used as a means of infecting a
user with a computer virus. Backdoor Trojans are programs that allow other computer users to
take control of your PC over the internet. (Oldfield, 2001; 9)

In 1972, the Anderson Report first identified the Trojan horse as a threat to
computer systems. A Trojan horse is a program with an overt function and a
covert function. The overt function is a documented result or effect that the
user expects the program to perform. The covert function is an undocumented
result or effect that the user does not intend to occur. As an example, a simple
Trojan horse might present a login banner on a computer monitor. The user
would enter a name and a password. The Trojan horse would copy both into a
file and then pass both to the real login mechanism. The overt purpose of this
Trojan horse is to log the new user in, which it does by passing the information to the login
mechanism. The covert purpose is to save the user name and password in a file that an attacker
can access at a later time. The user logging in is unaware of this function, which violates the
site’s security policy. In 1974, Karger and Schell described a Trojan horse with a covert function
of copying itself. This replicating Trojan horse (an example of which is presented in Thompson’s
Turing Award lecture) laid the groundwork for experiments with malicious reproducing
programs. (Bishop, 2-3)

These programs, like their historical namesake, have a purpose beyond their exterior appearance.
While a Trojan horse program is executing, it may also be deleting files from a hard disk, or it
may be performing any number of other disastrous actions. They are the most simplistic of the
destructive software group, as their "hidden agenda" is usually readily apparent. Unfortunately,
without prior precautions, the discovery is usually made too late. (Brown, 1992; 3)

Worm or Bacterium

Worms are similar to viruses but do not need a carrier (like a macro or a boot sector). Worms
simply create exact copies of themselves and use communications between computers to spread.
Many viruses, such as Kakworm (VBS/Kakworm) or Love Bug (VBS/LoveLet-A), behave like
worms and use email to forward themselves to other users. (Oldfield, 2001; 9)

These programs replicate and spread, but they do not attach themselves to other programs.
Unlike viruses, they do not require a host computer system to survive and replicate. Worms
usually spread within a single computer or through a network of computers. They are not spread
through the sharing of programs. The most well-known example is the November 1988 Internet
Worm, which infected and disabled several thousand government and university UNIX
computers in a single day. The Internet Worm is worthy of a short diversion from the main
topic of the paper. This particular worm took advantage of flaws in standard software installed
on many UNIX systems, as well as mechanisms used to simplify sharing of resources in local
area networks. Once established on a computer, the worm first gathered information about other
machines connected in the network by reading public configuration files and executing system
utility programs. Through this information, the worm could establish the status of networked
nodes. It then attempted to load itself onto the networked systems by exploiting flaws in system
software and by guessing user passwords. By exploiting the tendency of users to use common
words as passwords, the worm achieved a 50% success rate at some sites. It should be noted
that the worm did not infect other software. It simply slithered its way through the defenses of
the computer systems and took up residence on the victimized machine. Services were disrupted
on these machines and system CPU cycles were wasted processing the worm code. (Brown,
1992; 3-4)

Logic Bombs

These programs are intended to perform an unexpected (by the user) function at a logically
determined (by the program) time. Many trigger mechanisms exist for this type of destructive
software. These mechanisms include: 1. A specified time period since installation has elapsed. 2.
A certain predetermined operation has been selected by the user. 3. Some other predetermined
combination of events that have taken place. Because their destructive nature is not as readily
apparent, logic bombs are slightly more diabolical than Trojan horses in that they may lull the
user into accepting that the program is safe for use in a networked environment. (Brown, 1992; 3)

Computer Virus

These programs are somewhat like a cross between a Trojan horse and a worm, with one deadly
exception: not only do they mask their true purpose, they multiply and infect other software,
making them carriers as well. A virus may also take on some of the properties of a "logic bomb."
The virus may lie dormant for some time until a particular sequence of events awakens it. Given
these properties, it is safe to say that computer viruses have an extremely high potential for
destruction. (ibid.)

According to Ferbrache, the first virus-like programs ran on Apple II computers. One wrote itself
to the boot sectors whenever the catalog command was executed. A second infected a game
program. The game stopped working. The author rewrote the game to locate, and delete, the
infected copies of the game. In 1983, Fred Cohen described a Trojan horse contained in a small
segment of code placed into another (apparently benign) program. When executed, this segment
of code inserts itself into another program (the infection phase) and then performs some action
(the execution phase). The execution phase may be benign (for example, compressing files) or
malicious (for example, deleting files). Figure 1 shows pseudo-code for a computer virus. In
practice, benign computer viruses are exceptionally rare. For this reason, the term “computer
virus” in this article refers to a malicious computer virus, unless otherwise stated. (Bishop, 3)

Figure 1. Anatomy of a computer virus.

The phases may require certain conditions to be satisfied. For example, the Lehigh computer
virus would determine if the boot file of the disk were infected. If not, it inserted itself into the
file (the infection). The virus then incremented a counter and, when the counter reached 4, would
erase the disk. However, if the boot disk were infected, the virus took no further action. Figure 2
illustrates how a computer virus spreads. Priam has execute access to some of Odysseus’ files.
One of them contains the computer virus. After Priam executes that file, some of his files are
infected. The key observation is that only those files to which Priam can write are infected. As
the computer virus spreads by inserting code into other files, and the computer virus is running
as Priam, it cannot write to any file that Priam cannot write to.

Figure 2. Example of a computer virus spreading. The infected files are italicized. The top
diagram shows the permissions Odysseus and Priam have on a set of files. The bottom diagram
shows the newly infected files after Priam has executed the infected program.
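
The write-access limit described above, and the defence it implies, worked through as an added example (not from the paper or its sources). The access matrix, the file names and the third user Hector are constructed, since the diagram itself is not reproduced on this page; `worst_case` additionally assumes that every user eventually runs every infected file they may execute.

```python
def execute(perms, infected, user, path):
    """Infected set after `user` runs `path`, following the rule in the text:
    the viral code runs with the user's rights, so it reaches only the files
    that user can write."""
    rights = perms.get(user, {})
    if "x" not in rights.get(path, ""):
        raise PermissionError(f"{user} cannot execute {path}")
    if path not in infected:
        return set(infected)          # a clean program changes nothing
    return set(infected) | {f for f, r in rights.items() if "w" in r}


def worst_case(perms, infected):
    """Upper bound on the spread: assume every user eventually runs every
    infected file they are allowed to execute, and iterate to a fixed point."""
    infected = set(infected)
    while True:
        grown = set(infected)
        for rights in perms.values():
            if any("x" in rights.get(f, "") for f in infected):
                grown |= {f for f, r in rights.items() if "w" in r}
        if grown == infected:
            return infected
        infected = grown


def with_rights(perms, user, path, rights):
    """Copy of the access matrix with one entry changed (for what-if checks)."""
    changed = {u: dict(files) for u, files in perms.items()}
    changed[user][path] = rights
    return changed


# Constructed access matrix: user -> {file: rights}, rights drawn from "rwx".
PERMS = {
    "odysseus": {"ody/sort": "rwx", "ody/edit": "rwx", "ody/notes": "rw"},
    "priam": {"ody/sort": "rx", "ody/edit": "rx", "priam/build": "rwx",
              "priam/report": "rw", "shared/util": "rwx"},
    "hector": {"shared/util": "rx", "priam/build": "r", "hector/app": "rwx"},
}
SEED = {"ody/sort"}  # the one file that initially contains the virus


def demo():
    # Priam runs the infected file once: only his writable files change.
    one_run = execute(PERMS, SEED, "priam", "ody/sort")
    # Worst case with the matrix as given: shared/util carries it to Hector.
    before = worst_case(PERMS, SEED)
    # Least privilege: Priam loses write access to the shared program.
    after = worst_case(with_rights(PERMS, "priam", "shared/util", "rx"), SEED)
    return one_run, before, after


if __name__ == "__main__":
    for label, files in zip(("one run", "worst case", "hardened"), demo()):
        print(f"{label:10} {sorted(files)}")
```

Removing a single write permission on the shared program keeps the spread inside the accounts that were already exposed, which is the effect the paper attributes to limiting sharing and reducing access rights.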

Because the computer virus is a form of Trojan horse, defenses against Trojan horses also work
against computer viruses. This will be the starting point of the defenses discussed in section 5.
Computer viruses can be classified by type of targeted file, longevity, self-concealment, and type
of virus. (ibid.)

Virus Classification

One way to classify viruses is by the extent of damage inflicted. In this manner, viruses may be
considered either benign or malignant. The Macintosh nVIR virus, for example, is
programmed to speak the words "Don't Panic" when triggered and is considered benign. On
the other hand, the "Friday the Thirteenth" virus described above is definitely classified in the
malignant category. This distinction is somewhat misleading, however, in that even benign
viruses have a potential for destruction. If nothing else, a virus consumes CPU time that could be
put to more constructive use. When the virus is detected, time and effort must be expended to
eradicate it from the infected system. A survey of 1000 MacWorld readers revealed that of the 42
that had experienced a viral infection, only 35% were able to eliminate the virus in less than two
hours, and some were not able to eliminate the virus after more than 20 hours of work. Finally,
it must be noted that the user of an infected application is at the mercy of the virus writer. If the
writer did not take sufficient precautions for handling all error conditions that could arise while
the virus is executing, valuable data can be lost or rendered unusable. In short, there is no such
thing as a "safe" virus. (Brown, 1992;10)

Anatomy of a Typical Virus

As stated previously, a program must be able to propagate itself to be considered a virus.
This is really the only requirement. To propagate, the virus must attach itself in some way to the
operating environment of the computer. Once attached, the virus is then free to infect other
applications. These applications may then be carried on floppy disks to other computers, or the
applications may be run on other machines across a local area network (Figure 1). Either way,
the applications then can infect other operating systems, and the cycle continues. There must be
this two-way infection process: system -> application and system <- application.

Figure 1. Example of Virus Propagation.

System -> Application Infection

Because the act of virus propagation is circular in nature, any discussion of the process must
begin by assuming that either the system or the application is already infected. For this
discussion, it is first assumed that the operating system is already infected by a virus. The
primary purpose when infecting an application is to get viral code executed some time during
the execution of the application. The viral code can be destructive or nondestructive, and it may
incorporate a dormancy phase, but at some point it will always attempt to propagate the virus (if
the application is still infectious). Assume that the operating system of a computer has become
infected by a computer virus. The first step in propagating the virus is to decide when to target
and infect applications. Some viruses attack as soon as a diskette is inserted into the disk drive;
some attack while an uninfected application is executing; others may simply attack at random.
The following discussion shows how a "typical" computer virus can propagate through a
computer system. Of course, this is not the only way that a virus can propagate, but it does serve
as a good example. Figure 2 illustrates how a normal operating system call can be implemented.
The actual operational details of this call have been omitted from this paper. Figure 3 shows how
a virus might be able to infiltrate an operating system. Notice that viral code is now being
executed within the execution cycle of the program.

Application -> System Infection

The assumption made above was that an operating system had somehow been remapped to point
to viral code. This section will describe how that could be accomplished. When an infected
application is executed, the viral code gains control. This code then attempts to infect the
operating system of the computer on which it is executing. If it is determined that the operating
system is already infected, no action is taken. If the system is not already infected, it can be
infected by inserting code into the operating system such that this code will be executed at
startup or another predetermined time. The purpose of this inserted viral code is to remap one or
more of the operating system calls (as seen in Figure 3). This completes the virus cycle of
infection. The operating system infects applications, and applications in turn infect operating
systems. (Brown, 1992;11-12)

Figure 2. Normal Operating System Call.

Figure 3. Redirected Operating System Call.


Overhead Incurred Because of a Virus

Once viral code has infected an application or an operating system, a certain amount of overhead
is imposed upon the software. This overhead is a result of attempts by the viral code to continue
propagation. The overhead manifests itself in three areas: processing time, memory demands,
and disk space utilization. As the virus interrupts the normal processing of the operating system
and executing applications, it takes CPU cycles away from these activities, thereby lowering the
throughput of the system. In a multiuser environment, so many cycles may be stolen that, in
some situations, system performance is drastically degraded. The virus code will have to be
in main memory to be executed, therefore this memory will not be available to legitimate
applications. Finally, the virus code will add size to the operating system and to all infected
applications. These storage demands will continue to grow with each fresh infection of an
application. (ibid.)

Currently Active Viruses

Scores

This virus is also known as the "NASA Virus." It is among the most virulent of
known viruses in the Macintosh environment and is estimated to account for approximately
one-third of known viral infections. Programmers at the National Aeronautics and Space
Administration (NASA) headquarters in Washington, D.C., were among the first to spot Scores
in the spring of 1988. The virus has also infected computer systems at the U. S. Environmental
Protection Agency, the National Oceanic and Atmospheric Administration, and the U. S.
Sentencing Commission. NASA reportedly contacted the FBI to investigate the outbreak.
(Brown, 1992; 19)

nVIR

The nVIR virus first appeared in Europe in 1987 and in the United States in early 1988. The
nVIR virus attacks the Apple Macintosh line of personal computers. nVIR was named after the
resource files that it attaches to the applications and operating systems that it infects. nVIR is
considered a benign virus in that it exhibits no overt destructive characteristics. When a system is
first infected, a counter is set at 1000. The counter is decremented by one each time the system is
started up, and by two each time an infected application is executed. When this counter reaches
zero, the dormancy phase ends. The system will now beep or speak the words "Don't Panic" (if a
speech driver is installed in the system) with a probability of 1/16 on system startup. This
anomaly will also occur with a probability of 15/128 when an infected application is run. A
1/256 chance exists that the system will beep or speak twice. (ibid.)

INIT 29

The INIT 29 virus is arguably the most virulent of Macintosh viruses. It first appeared in late
1988. INIT 29 is named after the resource that it adds to infected files. It differs from most
Macintosh viruses in that the operating system is left untouched and that an application need not
be executed to become infected. INIT 29 infects almost any file that it comes in contact with.
Applications, documents, and system files can all become infected. The virus attacks files on any
disk inserted into the infected system. (ibid.)

CONCLUSION

Computer viruses can easily infect unprotected computer systems and there is no limit to the
amount of damage that can be inflicted once a system becomes infected. Since computer viruses
are simply malicious computer programs, anything that can be done on a computer can be done
within the context of a computer virus. The damage inflicted in this manner is limited only by the
virus author's imagination.

LITERATURE

1. David R. Brown, An Introduction to Computer Viruses, March 1992

2. Dr. Gajanana Prabhu B., Computer Viruses and Its Management, Department of P G Studies & Research in Physical Education, Kuvempu University

3. Paul Oldfield, Computer Viruses Demystified, 2001

4. Matt Bishop, Computer Viruses, Department of Computer Science, University of California, Davis, CA, USA
