Virus
self-replicating computer program that interferes with a computer's hardware or operating system (the basic software that runs the computer). Viruses are designed to replicate and to elude detection. Like any other computer program, a virus must be executed to function - that is, it must be loaded from the computer's memory, and the virus's instructions must then be followed by the computer. These instructions are called the payload of the virus. The payload may disrupt or change data files, display a message, or cause the operating system to malfunction.

"Virus (computer)," Microsoft® Encarta® Encyclopedia 99. © 1993-1998 Microsoft Corporation. All rights reserved.

A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files so when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies or creates the files. Some viruses display symptoms, and some viruses damage files and computer systems, but neither symptoms nor damage is essential in the definition of a virus; a non-damaging virus is still a virus.
There are computer viruses written for several operating systems including DOS, Windows, Amiga, Macintosh, Atari, and UNIX, and others. McAfee.com presently detects more than 57,000 viruses, Trojans, and other malicious software. (Note: The preferred plural is the English form: viruses)

http://www.mcafee.com/anti-virus/virus_glossary.asp#v


What is a computer virus?

The difference between a computer virus and other programs is that viruses are designed to self-replicate (that is to say, make copies of themselves). They usually self-replicate without the knowledge of the user. Viruses often contain 'payloads', actions that the virus carries out separately from replication. Payloads can vary from the annoying (for example, the WM97/Class-D virus, which repeatedly displays messages such as "I think 'username' is a big stupid jerk"), to the disastrous (for example, the CIH virus, which attempts to overwrite the Flash BIOS, which can cause irreparable damage to certain machines).

Example of WM97/Class-D virus payload

Viruses can be hidden in programs available on floppy disks or CDs, hidden in email attachments or in material downloaded from the web. If the virus has no obvious payload, a user without anti-virus software may not even be aware that a computer is infected.

A computer that has an active copy of a virus on its machine is considered infected.

http://www.sophos.com/virusinfo/whitepapers/videmys.html


Worm
in computer science, a program that propagates itself across computers, usually by spawning copies of itself in each computer's memory. A worm might duplicate itself in one computer so often that it causes the computer to crash. Sometimes written in separate "segments," a worm is introduced surreptitiously into a host system either for "fun" or with intent to damage or destroy information. The term comes from a science-fiction novel and has generally been superseded by the term virus.

"Worm (computer program)," Microsoft® Encarta® Encyclopedia 99. © 1993-1998 Microsoft Corporation. All rights reserved.

Worms are parasitic computer programs that replicate, but unlike viruses, do not infect other computer program files. Worms can create copies on the same computer, or can send the copies to other computers via a network. Worms often spread via IRC (Internet Relay Chat).

http://www.mcafee.com/anti-virus/virus_glossary.asp#w

W32/Oror-R is an internet worm which spreads via network shares, file sharing on KaZaA networks and by emailing itself to addresses found within files on the local hard drive.

The email subject line, message text and attachment filename are randomly chosen from a variety of possibilities.

The worm attempts to exploit a known vulnerability in Internet Explorer versions 5.01 and 5.5, so that the attachment is launched automatically when the email is selected for viewing. To prevent reinfection, users of Microsoft Outlook and Outlook Express should install the following patch available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.

The worm copies itself to the Windows folder with a name that is a combination of 'Cmd', the computer's name backwards and "16.exe", "32.exe" or ".exe".
For example if the computer's name is "test", the worm copies itself as
Cmdtset16.exe.

The worm creates the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
= <filename of worm>.exe powrprof.dll,LoadCurrentPwrScheme

so that the worm is run automatically each time Windows is started.

The worm also prepends its pathname to the registry entry

HKCR\exefile\shell\open\command\

so that the worm is run whenever any EXE file is run.

W32/Oror-R chooses a random sub-folder of the Program Files folder and copies itself to this folder using the sub-folder name concatenated with "16.exe", "32.exe" or ".exe". If the chosen folder name contains spaces, only the beginning of the folder name is used, for example the worm may copy itself as \Program Files\Internet Explorer\Internet16.exe.

The worm adds the pathname of this executable under the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

so that this copy of the worm is run automatically on startup.

The worm also copies itself to the Windows System folder using the name of a randomly selected file from the System folder, but with "16.exe", "32.exe" or ".exe" in place of the file's extension.

The worm runs this copy of itself automatically on startup by adding the line

run=<pathname of worm>

to the [Windows] section of <Windows>\win.ini.

W32/Oror-R spreads over the local network by copying itself to selected shared folders using random filenames. During this process the worm may create additional entries under the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and may drop a file named AUTORUN.INF in the root folder of shared drives in an attempt to run the worm via the AutoPlay option.

The worm attempts to spread via file sharing on KaZaA networks by creating the folder <Windows>\Profiles and copying itself to this folder using filenames randomly selected from a list, optionally followed by a suffix chosen from a second list, and with an EXE extension.

The worm makes the folder <Windows>\Profiles shareable on KaZaA networks by setting the following entries:

HKCU\Software\Kazaa\LocalContent\Dir0 = 012345:<Windows>\profiles

HKCU\Software\Kazaa\LocalContent\DisableSharing = 0

W32/Oror-R creates a new version of the mIRC initialisation file <mIRC>\Mirc.ini and may also replace other files with an extension of INI in the mIRC folder.

The new INI files allow a remote intruder backdoor access to the computer via IRC channels.

The worm will attempt to terminate selected Windows based anti-virus programs.

The worm creates several configuration files in the Windows and System folders using randomly generated filenames.

http://www.sophos.com/virusinfo/analyses/w32ororr.html
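
An added example, not part of the Sophos analysis or of this page: a Python check for the W32/Oror-R startup changes described above (the Run entry, the exefile open-command change, the win.ini run= line and the Cmd<reversed name> file names), run over data already collected from a host. The function names and sample values are constructed for illustration, and the check assumes the genuine power-profile entry is launched by rundll32.exe.

```python
SUFFIXES = ("16.exe", "32.exe", ".exe")   # suffixes named in the analysis
STOCK_EXE_OPEN = '"%1" %*'                # default HKCR\exefile\shell\open\command

def cmd_copy_names(computer_name):
    """'Cmd' + computer name backwards + suffix, lower-cased for comparison."""
    return {("cmd" + computer_name[::-1] + s).lower() for s in SUFFIXES}

def win_ini_run_entries(text):
    """Non-empty values of run= lines in the [Windows] section (case-insensitive)."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run" and value.strip():
                entries.append(value.strip())
    return entries

def find_indicators(computer_name, run_values, exe_open_cmd, win_ini_text):
    """Check already-collected host data; returns a list of (check, detail)."""
    findings = []
    names = cmd_copy_names(computer_name)
    for name, data in run_values.items():
        low = data.lower()
        if any(n in low for n in names):
            findings.append(("run-cmd-name", f"{name} = {data}"))
        # Assumption: the genuine power-profile entry is launched by rundll32.exe.
        exe = (low.split() or [""])[0].strip('"').rsplit("\\", 1)[-1]
        if "powrprof.dll,loadcurrentpwrscheme" in low and exe not in ("rundll32.exe", "rundll32"):
            findings.append(("run-fake-powerprofile", f"{name} = {data}"))
    if exe_open_cmd.strip() != STOCK_EXE_OPEN:
        findings.append(("exefile-hijack", exe_open_cmd))
    findings += [("win.ini-run", e) for e in win_ini_run_entries(win_ini_text)]
    return findings

# Constructed sample data for a host named "test" (not taken from a real system).
SAMPLE_RUN = {"LoadProfile": "Cmdtset16.exe powrprof.dll,LoadCurrentPwrScheme",
              "SystemTray": "SysTray.Exe"}
SAMPLE_EXE_OPEN = r'C:\WINDOWS\Cmdtset16.exe "%1" %*'
SAMPLE_WIN_INI = "[fonts]\n[Windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Kernel3232.exe\n"

if __name__ == "__main__":
    for check, detail in find_indicators("test", SAMPLE_RUN, SAMPLE_EXE_OPEN, SAMPLE_WIN_INI):
        print(f"{check}: {detail}")
```

Any program listed on a run= line is reported for review, since the check cannot tell a legitimate entry from the worm's randomly named copy.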


Trojan Horse
in computer science, a destructive program disguised as a game, a utility, or an application. When run, a Trojan horse does something devious to the computer system while appearing to do something useful.

"Trojan Horse (computer)," Microsoft® Encarta® Encyclopedia 99. © 1993-1998 Microsoft Corporation. All rights reserved.

A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.

http://www.mcafee.com/anti-virus/virus_glossary.asp#t


Troj/Manifest-A is a backdoor Trojan which allows unauthorised access of a computer from a remote location.

Troj/Manifest-A pretends to be an installation program for XviD MPEG-4 Codec. Upon execution, Troj/Manifest-A installs the above program but then drops the following files to the folder C:\<Program Files>\Common Files\Services:

wssdsu.exe
Bigfoot.bmp
Infospbz.bmp
Infospace.bmp
Swichbrd.bmp
Verisign.bmp
Whowhere.bmp
Yahoo.bmp

starr.ini
wsys.exe
wsys.dll
slog.sys

Serv-u.ini (detected as Troj/Manifest-A)
wssdsup.exe (detected as Troj/Manifest-A)
wssdtu.exe (detected as Troj/Manifest-A)

Troj/Manifest-A makes use of some legitimate software to allow unauthorised access and to monitor the victim computer, e.g. it makes use of an FTP server program along with an altered initialisation file Serv-u.ini which allows a remote intruder to upload or download files.

Troj/Manifest-A sets the following registry entries so that the Trojan and the legitimate software it uses are run on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Enumerate Service = "C:\Program Files\Common Files\Services\wsys.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Folder Service
= "C:\<Program Files>\Common Files\Services\wssdtu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Serv-U
= "C:\Program Files\Common Files\Services\wssdsu.exe"



http://www.sophos.com/virusinfo/analyses/trojmanifesta.html


Hoaxes
Hoax virus warning messages are sent as pranks. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real, and truly destructive, virus.

"Virus Hoaxes: Not Just Harmless Pranks," http://vil.nai.com/VIL/hoaxes.asp

Hoaxes are not viruses, but are usually deliberate or unintentional e-messages warning people about a virus or other malicious software program. Some hoaxes cause as much trouble as viruses by causing massive amounts of unnecessary e-mail. Most hoaxes contain one or more of the following characteristics:
- Warnings about alleged new viruses and its damaging consequences,
- Demands the reader forward the warning to as many people as possible,
- Pseudo-technical "information" describing the virus,
- Bogus comments from officials: FBI, software companies, news agencies, etc.

If you receive an e-mail message about a virus, check with a reputable source to ensure the warning is real. Visit McAfee.com’s Virus Hoax page (http://vil.mcafee.com/hoax.asp) to learn about hoaxes and the damage they cause. Sometimes hoaxes start out as viruses and some viruses start as hoaxes, so both viruses and virus hoaxes should be considered a threat.

http://www.mcafee.com/anti-virus/virus_glossary.asp#v


A Vida é Bela hoax
This hoax warns of an infected Powerpoint presentation. It has been reported in Spanish, Portuguese, English, German and French.