Explanation
Alabama is a computer virus, discovered October 1989 on the campus of Hebrew University in Jerusalem.
Alabama is a fairly standard file infector apart from its odd way of deciding which files to infect. When an infected file is executed, Alabama goes memory resident. Whenever a .EXE file is executed from this point on, Alabama searches for a different file to infect. This is probably intended to place blame on the file that is being executed instead of the virus itself. Files infected by Alabama increase in size by 1,560 bytes.
Payload
On Fridays, Alabama will begin to modify the File Allocation Table in an odd way. Instead of searching for a file to infect, Alabama searches for a file to cross-reference. The virus modifies the FAT entry so that when the user executes one file, another will appear. For instance, on a machine where Alabama is resident, executing PROGRAM1.EXE on a Friday may cause the virus to search for another program and find PROGRAM2.EXE. Alabama will then modify the FAT so that whenever PROGRAM1.EXE is executed, PROGRAM2.EXE displays instead. This certainly can result in confusion, and may result in programs being lost or incorrectly deleted.
Variants
There is one known variant of Alabama. Alabama.B was distributed as a modified SDIR.COM. SDIR.COM was a program created to replace the DOS DIR command. Like the original Alabama, the "B" variant does not infect .COM files. The modified SDIR.COM is simply used as a dropper.
15.
It was a computer virus authored by Dutch programmer Jan de Wit on Feb 11, 2001. That virus tempts users with the message: "Hi: Check This!", with what appears to be a picture file labelled "AnnaKournikova.jpg.vbs". The worm arrives in an email with the subject line "Here you have, ;0)".
Correct Answer
A. Anna Kournikova
Explanation
The Anna Kournikova computer virus was a computer virus authored by Dutch programmer Jan de Wit on Feb 11, 2001. It was designed to trick email users into opening a mail message purportedly containing a picture of tennis player Anna Kournikova, while actually hiding a malicious program. If set off, the program plunders the address book of the Microsoft Outlook e-mail program and attempts to send itself to all the people listed there. The Kournikova virus tempts users with the message: "Hi: Check This!", with what appears to be a picture file labelled "AnnaKournikova.jpg.vbs". The worm arrives in an email with the subject line "Here you have, ;0)" and an attached file called AnnaKournikova.jpg.vbs. When launched under Microsoft Windows the file does not display a picture of Anna Kournikova but launches a viral Visual Basic Script that forwards itself to everybody in the Microsoft Outlook address book of the victim.
The virus was created using a simple and widely available Visual Basic Worm Generator program developed by an Argentinian programmer called "[K]Alamar". While similar to the ILOVEYOU virus that struck a year earlier, in 2000, the Anna Kournikova virus did not corrupt data on the infected computer.
De Wit turned himself in to authorities in the town of Sneek, located in the northern province of Friesland in the Netherlands. "By the time he understood what the virus did, he had conferred with his parents and decided to turn himself in to the police." Apparently, the author created the virus in a matter of hours. "The young man had downloaded a program on Sunday, February 11, from the Internet and later the same day, around 3:00 p.m., set the virus loose in a newsgroup." De Wit was charged with spreading data into a computer network with the intention of causing damage. On September 21, 2001, he was sentenced to one hundred and fifty hours community service.
It has been reported that the efforts of another virus writer working undercover for the FBI, David L. Smith, led to the identification of Jan de Wit and that the FBI passed the information to authorities in the Netherlands. De Wit turned himself in to the police in his hometown Sneek on February 14, 2001, a few days after the virus was released.
Reportedly, and resembling the cases of other computer virus writers, only a few days later the mayor of Sneek made a tentative job offer to De Wit, quoting his programming skills.
De Wit was tried in Leeuwarden and was charged with spreading data into a computer network with the intention of causing damage, a crime that carried a maximum sentence of four years in prison and a fine of 100,000 guilders (US$41,300).
The lawyers for Jan de Wit called for the dismissal of charges against him, arguing that the worm caused minimal damage. The FBI submitted evidence to the Dutch court and suggested that US$166,000 in damages was caused by the worm. De Wit admitted he created the worm using a virus creation toolkit but told the court that when he posted the virus to a newsgroup he did it "without thinking and without overseeing the consequences". He denied any intent to cause damage. De Wit was sentenced to 150 hours community service or 75 days in jail.
19.
It is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. It has 5 variants, with the detection date of each: A (2008-11-21), B (2008-12-29), C (2009-02-20), D (2009-03-04) and E (2009-04-07).
Correct Answer
A. Conficker
Explanation
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control. The worm has been unusually difficult to counter because of its combined use of many advanced malware techniques.
Operation
Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the worm's combined use of so many has made it unusually difficult to eradicate. The worm's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities.
Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group uses the names A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ -> (MSFT) C and (CWG) C -> (MSFT) D.
Initial infection
Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or Windows Explorer process.
Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.
To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.
Explanation
Dark Avenger was a pseudonym of a computer virus writer from Sofia, Bulgaria. He gained considerable notoriety during the early 1990s, as some of his viruses spread not only nationwide, but across Europe as well, even reaching the United States.
Dark Avenger's viruses
Dark Avenger's first virus appeared in early 1989 and contained the string "This program was written in the city of Sofia (C) 1988-89 Dark Avenger". Thus, this first virus is usually referred to as "Dark Avenger", eponymous with its author. It was very infectious: opening or just copying a file was sufficient to start an infection. Additionally, the virus also destroyed data by overwriting a random sector of the disk at every 16th run of a program, filling space with files containing the string "Eddie lives... somewhere in time!" (possibly a reference to Iron Maiden's album "Somewhere in Time"). Due to its highly infectious nature, the virus spread world-wide, reaching Western Europe, the USSR, the United States, and even East Asia. It even received moderate mention in the New York Times and Washington Post.
This virus was soon followed by others, each employing a new clever trick. Dark Avenger is believed to have authored the following viruses: Dark Avenger, V2000 (two variants), V2100 (two variants), 651, Diamond (two variants), Nomenklatura, 512 (six variants), 800, 1226, Proud, Evil, Phoenix, Anthrax, Leech. As a major means for spreading the source code of his viruses, Dark Avenger used the then popular bulletin board systems. In its variants, the virus also contained the following strings:
"Zopy (sic) me - I want to travel"
"Only the Good die young..."
"Copyright (C) 1989 by Vesselin Bontchev"
In technical terms, the most prominent feature of some of Dark Avenger's viruses was their polymorphic engine, the Mutation Engine (MtE); MtE could be linked to the plain virus in order to generate polymorphic decryptors. Dark Avenger did not, however, invent polymorphism itself, since this had already been predicted by Fred Cohen, and later put into practice by Mark Washburn in his 1260 virus, in 1990. It wasn't until a year or more later that Dark Avenger's viruses began to employ polymorphic code.
Dark Avenger made frequent attacks on Bulgarian anti-virus researcher Vesselin Bontchev. Such is the case with the viruses V2000 and V2100, which claim to be written by Vesselin Bontchev, in an attempt to cause defamation. This "conflict" between the two has led many to believe that Bontchev and Dark Avenger were intentionally "promoting" each other, or that they might even be the same person.
Dark Avenger's actions were not treated as a crime at that time in Bulgaria, since there was no law for information protection.
35.
That virus's data sector contains the text "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne."
Explanation
Form was a boot sector virus isolated in Switzerland in the summer of 1990 which became very common worldwide. The origin of Form is widely listed as Switzerland, but this may be an assumption based on its isolation locale. The only notable characteristics of Form are that it infects the boot sector instead of the Master Boot Record (MBR) and the clicking noises associated with some infections. Infections under Form can result in severe data damage if operating system characteristics are not identical to those Form assumes.
It is notable for arguably being the most common virus in the world for a period during the early 1990s.
Infection
Form infects the boot sector. When a computer is booted from an infected sector, Form goes resident, hooks the interrupt vector table, and runs the original boot sector, which it has hidden in an area it flags as defective. It will subsequently infect any media inserted into the machine.
Symptoms
Form has a range of symptoms, most of which will not be evident in all infections.
Form's most famous side effect is a clicking noise produced by typing on the keyboard on the 18th of every month. However, this payload very rarely appears on modern computers, as it will not execute if a keyboard driver is installed.
Form consumes 2KB of memory, and the DOS MEM command will report that this memory is unavailable. This appears on all infections.
On floppy disks, 1 KB (2 bad sectors) will be reported. This appears in all infections.
The Form data sector contains the text "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." Additionally, some versions of Form have had this text removed.
Form makes the assumption that the active partition is a DOS FAT partition. If this is not true, such as under Windows NT, Form will overwrite in a way that may result in irreversible data loss.
Prevalence
Form was listed as spreading by the WildList from the first ever version of the WildList in July 1993 until January 2006.
As with most boot viruses, a Form infection is a rare find in modern times. Since the advent of Windows, boot viruses have become increasingly uncommon, including Form. Generally, Form infections are due to the use of floppy disks infected during the original pandemic that have since been taken out of storage.
Variants
Form has a number of variants. The widely documented versions are as follows.
Form.A is a common variant of the original, where the clicking payload occurs every day, as opposed to just the 18th.
Form.B is a minor variant of the original, with the clicking payload set for the 18th of each month instead of the 24th. It was a rare find in the field during the mid-1990s, but has since become obsolete.
Form.C is a virtually undocumented, trivial variant of the original. It is suggested that Form.C is another minor variant of Form, except that it only activates in May. Like Form.B, it was documented as being discovered rarely in the wild during the mid-1990s.
Form.D is the most common version of Form besides the original. Some reports indicate that it affects the partition table in some way. It was somewhat common in 1997 and 1998.
FormII is an undocumented variant.
Form-Canada is an undocumented variant.
42.
It spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. It does not spread under Windows NT, Windows 2000, Windows XP, Windows Vista, or Windows 7. It infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned it another name, "Spacefiller". The size of the virus is around 1 kilobyte.
Explanation
CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows computer virus written by Chen Ing Hau (陳盈豪, pinyin: Chén Yíngháo) of Taiwan. It is one of the most damaging viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS.
The name "Chernobyl Virus" was coined some time after the virus was already well-known as CIH, and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus creation date in 1998, to trigger exactly a year later) and the Chernobyl accident, which happened in the Ukrainian SSR on April 26, 1986.
CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. CIH does not spread under Windows NT, Windows 2000, Windows XP, Windows Vista, or Windows 7. CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.
The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang.
The second payload tries to write to the Flash BIOS. Due to what may be an unintended feature of this code, BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence.
For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sector can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.
If the first partition is not FAT32, or is smaller than 1 GB, the bulk of user data on that partition will still be intact, but without the root directory and FAT it will be difficult to find, especially if there is significant fragmentation.
If the second payload executes successfully, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip, as most systems that CIH can affect predate BIOS restoration features.
CIH v1.2/CIH.1103
This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT.
CIH v1.3/CIH.1010A and CIH1010.B
This variant activates on June 26. It contains the string: CIH v1.3 TTIT.
CIH v1.4/CIH.1019
This variant activates on the 26th of any month. It is still in the wild, although it is not that common. It contains the string: CIH v1.4 TATUNG.
CIH.1049
This variant activates on August 2 instead of April 26.