
Complete Guide On Viruses

Discussion in 'Archives' started by Dark L3g3nd, Dec 21, 2010.

  1. Dark L3g3nd


    Hello,

    This will be the first of my series of guides.

    I will split this into different parts.

    Part I : Basic Virus Knowledge
    Part II : Anti-Viruses
    Part III : Firewalls
    Part IV : Removing Infections
    Part V : Botnets


    Part I : Basic Virus Knowledge

    A lot of people are misled about viruses.

    First of all What is a Virus?


    The Web definition for a virus is,

    A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability.


    There are many different types of viruses such as :

    RAT
    Keylogger
    Stealer
    Java Drive-by

    Now you're probably wondering what each one is... well let me explain.

    What is a RAT (Remote Access Trojan)?

    The Web definition for a RAT is,

    A Trojan, sometimes referred to as a Trojan horse, is non-self-replicating Malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system. The term is derived from the Trojan Horse story in Greek mythology.

    What is a Keylogger?


    The Web definition for a Keylogger is,

    Keystroke logging (often called keylogging) is the practice of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.


    What is a Stealer?


    My own definition of a Stealer is,

    A Stealer is similar to a keylogger; however, it steals passwords that are stored in Firefox, Google Chrome, MSN; basically it will steal passwords from anything on your computer that saves user-names and passwords somewhere.


    What is a Java Drive-by?


    My definition for a Java Drive-by is,

    A Java Applet, normally on a website, that downloads a file to your computer and runs it without you knowing (silently). These are commonly spread on MSN. However, a box will pop up when you visit the site saying "do you trust this...", so as long as you click no you should be fine.

    [image not preserved]


    Part II : Anti-Viruses



    Now you're all probably thinking "I'm safe, I've got an Anti-Virus." However, this statement is completely incorrect. These days it is so easy to bypass a lot of Anti-Virus detection that any kid who knows how to download a program can make their virus nearly undetectable.

    Now we need to move onto file types. A lot of viruses are filename.exe; however, people can bind viruses to other file types as well with no experience. There are also several other file types that work like exe's, such as .scr, .pif and .com, so watch out for those.

    A lot of you may have heard of a "Sandbox". A definition of a sandbox is,

    In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users.

    Sandboxes were once effective; however, these days most viruses are "Anti-Sandbox", which means they can pass through a sandbox without detection, so you can no longer trust this form of protection.

    So by now you're probably thinking can I trust anything? Well there are some ways to test something such as Online virus scanners. Below you will see a list of Online virus scanners,

    http://novirusthanks.org
    http://virustotal.com
    http://virusscan.jotti.org/en

    There are others; however, these 3 are the only ones that I know of which scan with all of the major anti-viruses. These aren't 100%, but using these will definitely slim the chances of becoming infected. What these do is scan the file that you submitted with the major anti-viruses, normally about 28-32 different anti-viruses, and you will see a lot of the time that some will detect it whereas others won't. Some detections may be false positives, but be sure to watch what NOD32, Avira, Avast and Kaspersky have next to them, as they are the most reliable. If a file is detected by Norton as Suspicious Insight then ignore that; if it gets detected by just 1 anti-virus then I wouldn't trust it.

    What's the best Anti-Virus?

    This is quite an easy one: the best anti-virus is Avira, as I know that a lot of people have trouble making Avira not detect their virus. There is a free version of this anti-virus, so use it.



    Part III : Firewalls


    [image not preserved]


    What is a Firewall?

    There are many types of Firewalls; however, I'll just be talking about Personal Firewalls, so let's rephrase the question...

    What is a Personal Firewall?

    A personal firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy.

    Firewalls aren't essential, but they can come in quite handy. Basically a firewall can protect you from attacks. Or say you are infected and the person who infected you is trying to connect to your computer: then this will warn you that they are trying to connect to you and give you an IP, port and the process that is trying to connect to the IP (the person who infected you). So if this pops up and, for example, the process is Opera.exe, or it may be Firefox, then it could be fine; however, people could have their viruses named as this, so if the IP is weird (for example, not your router's IP or any other IP you recognize; a foreign IP) then first of all search for Opera.exe everywhere on your computer and scan it with an online virus scanner. It will look like this:

    [image: firewall alert screenshot, not preserved]

    If you don't recognize the process, then Google it and there will be reports on it. If it is a virus, then you can do an IP trace (you can do this if you didn't recognize the IP as well) using these tools, http://www.ip-adress.com/ip_tracer/ and http://web.informer.com/, and see where it is located and if it is for a website. For example, if the IP 74.82.171.183 came up for some reason (depending on your restriction settings), then using the first tool you would see that it is found in the US and it is a host for a website. Most people wouldn't have their servers for their viruses in the US, so there's one way to check. Using the second tool you would see that the IP belongs to Sythe.org; a list of websites might come up if the site hasn't got its own dedicated IP, so if you see a site you are using or trust in that list then again you can feel a lot safer knowing that it has something to do with that website. However, if the IP is located offshore, or doesn't belong to a host, or you don't recognize the domain, then chances are that the virus is trying to connect and send your information to the person who infected you. You can take action on this by using http://whoishostingthis.com and entering the IP/Domain, depending on what information you managed to gather; it will give you the host, and you can Google them and tell them the IP/Domain and that they are hosting a virus server on it. They will take action and most likely suspend the hosting account, which means they won't get any more of your information from that infection.

    That's about all on Firewalls, below is a list of firewalls you can use,

    http://www.online-armor.com/
    http://www.privacyware.com/personal_firewall.html
    http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
    http://www.agnitum.com/
    http://personalfirewall.comodo.com/

    I recommend Zone Alarm.


    Part IV : Removing Infections


    If you were already infected before you came here, then there are a few steps you can follow to get rid of the infection. First of all, disconnect your computer from the internet (this will stop the virus from spreading and stop it from downloading even more viruses/updates of the virus onto your computer), download/gather help from another computer, put everything you need to fix it on a CD, then put the CD into your infected computer and do the stuff you need to do with the downloaded files on the CD on your infected computer. After you are done with the CD, snap it in half and throw it away. (Viruses spread on CDs and it's best to just throw them away after they've been in infected PCs.)

    The first step is to find out exactly what virus you have, such as a fake Microsoft Anti-Virus: http://www.microsoft.com/security/antivirus/rogue.aspx
    Viruses like these are normally easier to fix, as all you need to do is Google "Program" Fake?, such as "Windows Malicious Software Removal Tool Fake?". Now you will see tons of results, and even though there may be a legitimate program under that name there are also fake ones. There will be tons of guides on how to remove it when you Google it, so just follow one and you'll be fine. Some easy ways to tell if the program is fake are: if you hit the exit button, does it just pop up again or not close? Does it make you pay to remove the infection?

    Alternatively, if the virus isn't well known and your Anti-Virus doesn't pick it up/can't remove it, then get Malwarebytes here - http://www.malwarebytes.org/mbam.php

    Install it and scan (booting in safe mode would be better); it will find the infections and give you options on what to do with them, such as Heal, Remove etc. Once you've done that you will need to restart, and the infection should be gone.

    If you are having a lot of trouble with it and can't remove it, then reinstall your OS. If you need help with that, then just Google How To Fresh Install "OS Name Here" and you will find a step-by-step tutorial on how to do so. You will require the ISO or the CD, but they're not hard to get a hold of.



    Part V : Botnets


    Well, it seems that Botnets are found a lot more around these types of places, so I will give some general information on a botnet.


    What is a Botnet?


    A web definition for a Botnet is,
    A collection of zombies (infected computers) that are controlled by the same cracker; a collection of compromised computers that is slowly built up then unleashed as a DDOS attack or used to send very large quantities of spam.

    Why do people want a Botnet?

    POWER, that's the main reason. People just want power on the internet, whether it's to kick players offline in an online game or to be able to kick websites offline if the owner or someone on them annoys them, or just to brag about what they are capable of doing.


    How Can I Combat Them?

    One way is, if you're infected, to get a Firewall and wait until they try to attack; then they will try and connect to your computer and you can get the IP and contact their host or report it to the Fuzz.

    Below is an illustration of how Botnets work :

    [image: botnet diagram, not preserved]

    Key :

    Bot Herder - The person who owns and spreads the Botnet.
    Command & Control Center - Where the Botnet is hosted, normally on a VPS.
    The little computers at the bottom - The infected Computers("Zombies")

    Just a little more info: these days fewer people use IRC to host all their zombies on, and more use RATs to control their Botnets.



    Well I hope this helps you in some way.
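The file-type checks from Part II (the runnable extensions .exe, .scr, .pif and .com, viruses bound to or renamed as other file types, and hashing a sample so it can be looked up on an online scanner before uploading it), as an added example that is not part of the original post. The file names and byte strings are constructed and are not real programs; the extra extensions .bat, .cmd and .vbs in the list are an assumption.

```python
import hashlib
from pathlib import PurePath

# Extensions Windows runs directly. The post names .exe, .scr, .pif and .com;
# .bat, .cmd and .vbs are added here as an assumption.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def triage_file(name: str, data: bytes) -> dict:
    """Decide whether a file deserves a trip to an online scanner before it is opened."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    final_ext = suffixes[-1] if suffixes else ""
    ext_executable = final_ext in EXECUTABLE_EXTENSIONS
    # "holiday_photo.jpg.exe": a harmless-looking extension placed in front of
    # the real one, which Explorer hides when known extensions are hidden.
    double_extension = (
        ext_executable and len(suffixes) >= 2 and suffixes[-2] not in EXECUTABLE_EXTENSIONS
    )
    # Windows .exe, .scr and .pif files all start with the DOS "MZ" header,
    # whatever they happen to be named, so a renamed executable still shows it.
    pe_header = data[:2] == b"MZ"
    disguised = pe_header and not ext_executable
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),  # look this up on a scanner first
        "ext_executable": ext_executable,
        "double_extension": double_extension,
        "pe_header": pe_header,
        "disguised_executable": disguised,
        "submit_for_scan": ext_executable or pe_header,
    }


# Constructed sample files (name -> first bytes); none of them is a real program.
SAMPLE_FILES = {
    "holiday_photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "picture.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # an executable renamed to .jpg
    "setup.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def triage_all(files: dict) -> dict:
    """Run triage_file over a name -> bytes mapping."""
    return {name: triage_file(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_FILES).items():
        flags = [k for k in ("ext_executable", "double_extension", "disguised_executable")
                 if verdict[k]]
        print(f"{name:24} submit={verdict['submit_for_scan']!s:5} {', '.join(flags)}")
```

The point of hashing first is that the scanners the post lists can be queried by hash, so a file that has already been analysed never has to leave your machine; only an unknown hash needs the upload.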
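The firewall-alert triage described in Part III, as an added example and not code from the post. It takes the fields a personal firewall alert shows (process name, executable path, remote IP, remote port) and applies the post's checks: is the remote IP on your own LAN, does the process run from a normal location (a virus named opera.exe still has to live somewhere), and is the port one used by IRC, which Part V names as a classic bot control channel. The alert records, paths and the trusted-directory list are constructed assumptions; 203.0.113.45 is a documentation address, and 74.82.171.183 is the address the post uses as its own example.

```python
import ipaddress
from pathlib import PureWindowsPath

# Directories legitimate programs normally run from (an assumption; extend for your machine).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows\System32"),
)
# RFC 1918 ranges plus loopback and link-local: what "your router or another IP
# you recognize" can be. ipaddress.is_private is not used because it also counts
# documentation ranges such as 203.0.113.0/24, which are not your LAN.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Ports IRC servers usually listen on.
IRC_PORTS = {6667, 6697}


def triage_alert(process: str, path: str, remote_ip: str, remote_port: int) -> dict:
    """Apply the post's checks to one outbound-connection alert and return a verdict."""
    ip = ipaddress.ip_address(remote_ip)
    exe = PureWindowsPath(path)
    reasons = []

    on_lan = any(ip in net for net in LAN_NETWORKS)
    if not on_lan:
        reasons.append(f"remote IP {remote_ip} is not on your LAN; look up its owner")

    # PureWindowsPath compares case-insensitively, so "c:\program files" matches too.
    in_trusted = any(d in exe.parents for d in TRUSTED_DIRS)
    if not in_trusted:
        reasons.append(f"{process} runs from an unusual location: {exe.parent}")

    if exe.name.lower() != process.lower():
        reasons.append(f"process name {process} does not match executable {exe.name}")

    if remote_port in IRC_PORTS:
        reasons.append(f"port {remote_port} is an IRC port, a common bot control channel")

    if in_trusted and on_lan and remote_port not in IRC_PORTS:
        severity = "low"
    elif not in_trusted or (not on_lan and remote_port in IRC_PORTS):
        severity = "high"
    else:
        severity = "medium"  # known program talking to an unknown public IP: trace the IP

    return {"process": process, "remote": f"{remote_ip}:{remote_port}",
            "severity": severity, "reasons": reasons}


def parse_alert(line: str) -> dict:
    """Parse one constructed 'process|path|ip|port' record and triage it."""
    process, path, ip, port = line.strip().split("|")
    return triage_alert(process, path, ip, int(port))


# Constructed alert records, not real firewall output.
SAMPLE_ALERTS = [
    r"opera.exe|C:\Program Files\Opera\opera.exe|74.82.171.183|80",
    r"opera.exe|C:\Users\Bob\AppData\Roaming\Microsoft\opera.exe|203.0.113.45|6667",
    r"svchost.exe|C:\Windows\System32\svchost.exe|192.168.1.1|53",
]


def triage_lines(lines) -> list:
    """Triage every record and return the verdicts in order."""
    return [parse_alert(line) for line in lines]


if __name__ == "__main__":
    for verdict in triage_lines(SAMPLE_ALERTS):
        print(f"[{verdict['severity']:6}] {verdict['process']} -> {verdict['remote']}")
        for reason in verdict["reasons"]:
            print("         -", reason)
```

A "medium" verdict is exactly the case the post walks through: a normally located program talking to a public address, where the next step is the IP trace. "High" means the executable itself should be found on disk and submitted to a scanner before anything else.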
     
  2. uselesspoop


    thanks this is very helpful, should have read it earlier on :)
     
  3. iEx's and Oh's


    RAT = Remote administration tool; it allows the infector to see the screens as well as keystrokes and a lot of other things of his victims. Stealers are usually incorporated in there. TeamViewer is an example, but not a virus.

    Stealers are rarely found by themselves and are usually incorporated with a key logger or a RAT.

    Java applets are viruses but they are a method of transferring viruses.

    Viruses can't spread to CDs, they can only spread to USBs, so snapping the disc isn't necessary, but viruses are known to bind to important sys32 files.

    cbf going through the rest but you get the idea
     
  4. Dark L3g3nd


    Actually since this guide is on viruses then the correct word to use is "Remote Access Trojan".

    Stealers are actually found separately quite often.

    It's a method of spreading and they are called "Java Drive-Bys".

    In the future they may, so just to be safe you should.
     
  5. captain howdy


    Another VERY helpful guide. You really know your stuff.
     
  6. zxc10


    great guide, thanks my mate
     
  7. fbitom


    very interesting guide, looking into it was more than appealing ! :D
     