Solved Curious about how viruses are detected

Status
Not open for further replies.

Jskid

Posts: 348   +1
It seems to me many viruses check to see if a computer is already compromised, so shouldn't that make it really easy to detect or even protect a computer from a virus?

EXAMPLE: "It creates the following event so that only one instance of the threat is running on the compromised computer:
Vx_5" from http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=2
So wouldn't a virus scan just check for the event? Better yet, can't a fake event be made so the virus never infects?
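Checking for a known "already running" marker the way the question proposes, as an added PowerShell example that is not from the thread: the only marker name used, Vx_5, comes from the Symantec writeup quoted above, and the function and variable names are my own. Named events and mutexes are a Windows feature, so this assumes Windows PowerShell or PowerShell 7 on Windows.

```powershell
# Added example: look for named synchronization objects that a malware
# family creates so only one instance of itself runs. A hit is a weak
# indicator worth investigating; a miss proves nothing, since other
# families use other names or no marker at all.

# Marker names and the source each was taken from. Only Vx_5 is on the
# page (Symantec writeup for the threat quoted in the question); extend
# this list from documented writeups, never from guesswork.
$KnownMarkers = @(
    @{ Name = 'Vx_5'; Source = 'Symantec writeup docid=2009-020411-2802-99' }
)

function Test-NamedObject {
    # Tries to open an existing named event or mutex WITHOUT creating it.
    # Returns $true if an object with that name exists, $false otherwise.
    param([Parameter(Mandatory)] [string] $Name)

    $handle = $null
    # Malware may create the marker in the session-local or the Global
    # namespace, so both are checked.
    foreach ($candidate in @($Name, "Global\$Name")) {
        try {
            if ([System.Threading.EventWaitHandle]::TryOpenExisting($candidate, [ref] $handle)) {
                $handle.Dispose(); return $true
            }
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref] $handle)) {
                $handle.Dispose(); return $true
            }
        } catch [System.UnauthorizedAccessException] {
            # The object exists but was created by another account (for
            # example SYSTEM) with a restrictive ACL: still counts as present.
            return $true
        }
    }
    return $false
}

function Find-InfectionMarkers {
    param([array] $Markers = $KnownMarkers)
    foreach ($m in $Markers) {
        [pscustomobject]@{
            Name    = $m.Name
            Source  = $m.Source
            Present = Test-NamedObject -Name $m.Name
        }
    }
}

Find-InfectionMarkers | Format-Table -AutoSize
```

The check only answers "is something holding this name right now"; a benign program could hold it, and a polymorphic or renamed sample with a different marker is not seen at all, which is the point the reply below makes about a scan alone not being enough.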
 
Ah, if only it were that easy! First of all, not all malware is a virus. Secondly, different malware infects in different ways, so it would then be reasonable to understand why a virus scan alone isn't enough to fix any and/or all malware. And a virus program alone isn't enough to protect a system. Viruses and other malware frequently 'hide' within what you may see as a legitimate process name.

So how did I get infected in the first place? AKA Safe Computing Practices
To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
http://www.spywareinfoforum.com/index.php?showtopic=60955
============================================
And the following presents 14 ways to get Infected without trying
A humorous approach to a very serious subject:

1) Look for cracks, subdivided in illegal software and .....
2) Practice unsafe hex, browse the web for free pOrn
3) Look for software that adds smileys to your posts, mail etc
4) Look for kewl skins, screensavers etc
5) Look for spyware removers, concentrate on the kind that makes you pay before it removes anything
6) Install a P2P program and repeat all of the above
7) You always want the best; use p2p to download anti-virus/firewall software.
8) Do NOT pay for anything, the internet is a place where you can steal anything from everyone without even saying as much as thank you
9) Don't have/use/update antivirus/security software
10) Look for poker games, slot machines and other gambling outfits
11) Look for ringtones and other stuff to bling your phone
12) Click on those unexpected links and attachments in email, because you're curious...
13) Do loan your laptop to the next door neighbour for the weekend and give him your Admin account login so he can get his project done with no hassles
14) Let the Babysitter use your laptop for 'schoolwork'
----------------------
Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life.

And one other subject that is often overlooked: Maintenance - what's that?

For the record, I see logs every day not only abusing the 14 pieces of 'humor', but also ignoring most or all of the suggestions made by Tony Klein.
 
I checked the Symantec reference site you left and I am amazed to see them rate a Virut risk infection low! Did you think this name was "Virus" and not "Virut"? Be careful what you read!!

Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Another infection of equal consequence is Ramnit. Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files. We consider both of those 'incurable' and recommend a reformat/reinstall immediately!
 
Polymorphic < Greek polýmorphos
Poly= "many, much," related to base *pele- "to spread."
morphic= [from Greek -morphos, from morphē shape]

Polymorphic viruses change themselves with each infection. There are even virus-writing toolkits available to help make these viruses.
 
The main difference between the implementation of polymorphism and metamorphism lies in the fact that polymorphism doesn't change the original code. It only hides it.

On the other hand, metamorphism changes the original code and thus has to cope with several problems:
 
Since virut and smilie are polymorphic file infectors, how can they tell if they've already infected a certain file?
 
Google is your friend! I recommend that you make use of the search engine to look for answers to your particular questions.
 