Analysis Of Two Recent Worms Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Worms are malicious programs designed to spread via computer networks. Worms are a form of malware, along with viruses and Trojans. A person usually installs a worm by accidentally opening an attachment or a message that contains executable scripts.

Once installed on a computer, worms spontaneously generate e-mail messages containing additional copies of themselves. They can also open TCP ports to create holes in network security for other applications, and they may attempt to "flood" the LAN with spurious Denial of Service (DoS) data transmissions.

Being embedded in everyday software, worms easily penetrate most firewalls and other network security measures. Antivirus software applications attempt to fight against worms as well as viruses. (By Bradley Mitchell, About.com Guide)

[http://compnetworking.about.com/cs/worldwideweb/g/bldef_worm.htm]

Computer Worm Examples

The original worm was (perhaps accidentally) unleashed on the Internet by Robert Tappan Morris in 1988. The Internet Worm used sendmail, fingerd, and rsh/rexec to spread across the Internet.

The SQL Slammer worm, discovered in 2003, used a vulnerability in Microsoft SQL Server 2000 to spread across the Internet. The Blaster worm, also discovered in 2003, used a vulnerability in Microsoft RPC DCOM to propagate.

The Melissa worm was discovered in 1999, Sobig in 2003 and Mydoom in 2004; all spread by e-mail. These worms share some characteristics of a Trojan horse, in that they propagate by getting a user to open an infected e-mail attachment.

Mydoom also attempted to spread through the peer-to-peer file-sharing application Kazaa. The Mydoom worms attempted a Denial of Service (DoS) attack against SCO and Microsoft.

[http://www.tech-faq.com/computer-worm.html]

Different types of Computer Worms.

Email Worms

These worms spread through infected e-mail messages, which carry either an attachment of some form or a link to an infected site. In the first case activation begins when the user clicks on the attachment; in the second case it begins when the user clicks on the link in the e-mail.

Known methods of transmission are:

- MS Outlook services

- Direct connection to SMTP servers using their own SMTP API

- Windows MAPI functions

This type of worm is known to harvest e-mail addresses from various sources on an infected computer:

- Windows Address Book database [WAB]

- MS Outlook Address Book

- Files with appropriate extensions, which are scanned for strings that look like e-mail addresses

Be aware that while spreading, worms build new sender addresses from possible names combined with a common domain name. Thus, the sender address shown in the e-mail need not be the actual origin of the e-mail.

Instant Messaging Worms

These worms spread through instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these and e-mail worms is the way chosen to send the links.

Internet worms

The nasty ones. These scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. They then attempt to connect to these machines and gain full access to them.

Another way is to scan for machines that are still open to exploitation because they have not been patched. Data packets or requests are sent that install the worm or a worm downloader. If this succeeds, the worm executes and the cycle starts again!

IRC Worms

Chat channels are the main target, and the same infection and spreading method is used as above: sending infected files or links to infected websites. Sending an infected file is less effective, because the recipient must confirm receipt, save the file and open it before infection takes place.

File sharing networks Worms

The worm copies itself into a shared folder, usually located on the local machine, under a harmless-looking name. The worm is then ready for download via the P2P network, and the spread of the infected file continues.

[http://virusall.com/computer%20worms/worms.php]

How to prevent computer worms:

To help prevent infections and to get rid of worms:

* Use a firewall.

* Keep your operating system and the software you use up to date. (Use Windows Update to automatically update all Microsoft products.)

* Use antivirus and antispyware software, such as Microsoft Security Essentials, a free download from Microsoft.

* Be careful with files attached to e-mail and with links to websites.

* Use a standard user account instead of an administrator account.

[http://www.microsoft.com/security/worms/whatis.aspx]

Features of Valentin E and Nuwar OL

Nuwar OL Worm:

Nuwar OL is delivered to a user's inbox with subject lines such as "Are You In My Dreams," "I Love You So Much," "Inside My Heart Is You", etc. The body of the message contains a link to a site that downloads the malicious code when accessed. To disguise its activities, the worm redirects the user to a simple web page with a romantic greeting card theme. Once the computer is infected, the infection spreads by sending messages to the contacts in the user's address book. The most severe impact of Nuwar OL is that it slows the performance of a single computer or network. Once detected, it is generally easy to remove.

Systems at risk:

Windows 2000, Windows ME, Windows XP, Windows Vista, Windows 7

Valentin E Worm

Like the Nuwar worm, Valentin E is distributed by e-mail. It uses subjects such as "True Love", "Finding True Love" and "Love Of My Life". The e-mail also includes an attached file entitled "FRIENDS4U." When the targeted user opens the attachment, a copy of the worm is downloaded onto their computer. Its malicious code is installed on the machine as a file with an SCR extension. If the user runs the file, Valentin E displays a new screen to distract them while it spreads on the host machine. It then sends out e-mails with copies of itself attached, to spread the infection to other computers.

Both Valentin E and Nuwar OL use essentially the same techniques found in other forms of malware, especially worms and viruses. They send e-mails with attractive subjects, colorful Valentine's Day e-cards, romantic desktop themes and more. All this is done to lure the user into executing the attachment and unknowingly launching malicious code on their systems.

Windows 2000, Windows XP, Windows Vista, Windows 7

[http://www.spamlaws.com/types-of-recent-worms.html]

Overview of Nuwar OL Worm:

Effects:

The main objective of Nuwar.OL is to spread and affect as many computers as possible.

Additionally, it uses rootkit techniques in order to make its detection more difficult. In order to do so, it drops the rootkit detected as Rootkit/Nuwar.ON, which hides the files belonging to Nuwar.OL.

Infection strategy

Nuwar.OL creates the following files in the Windows system directory:

* SERVICES.EXE, which is a copy of itself.

* BURITO2F06-838.SYS, BURITO2FC7-1E51.SYS, BURITO7620-1C4E.SYS, BURITOE79-3D90.SYS and BURITO.INI.

These files belong to a rootkit detected as Rootkit/Nuwar.ON, which hides the files belonging to Nuwar.OL.

Nuwar.OL creates the following entries in the Windows Registry:

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito2f06-838

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito2fc7-1e51

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito7620-1c4e

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\buritoe79-3d90

By creating these entries, the rootkit registers itself as a service. This way, it is run whenever Windows is started.

Means of transmission

Nuwar.OL spreads through e-mail. The process of transmission and infection is as follows:

* Nuwar.OL reaches the system in an e-mail message with one of the following subjects:

A Dream is a Wish

A Is For Attitude

A Kiss So Gentle

A Rose

A Rose for My Love

A Toast My Love

A Token of My Love

Come Dance with Me

Come Relax with Me

Dream of You

Eternal Love

For You….My Love

Heavenly Love

Hugging My Pillow

I Dream of you

I Love Thee

I Love You Because

I Love You Soo Much

I Would Dream

If Loving You

Inside My Heart

Love Is…

Love Remains

Magic Power Of Love

Memories of You

Miracle of Love

My Love

Our Journey

Our Love is Free

Our Love is Strong

Our Love Nest

Our Love Will Last

Pages from My Heart

Path We Share

Sending You All My Love

Sending You My Love

Sent with Love

Special Romance

Surrounded by Love

The Dance of Love

The Miracle of Love

The Mood for Love

The Moon & Stars

The Time for Love

When I'm With You

Why I Love You

Words in my Heart

You're in my Soul

You're my Dream

You're the One

You… In My Dreams

[http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=det&idvirus=185368&sitepanda=particulares]

Overview of Valentin E:

Description

Valentin.E is a worm that reaches the computer in a file attached to an e-mail with a variable subject.

To increase its ability to infect, it uses a vulnerability whereby it is activated automatically when the message is read in Outlook. This is a vulnerability in the MIME header that allows files attached to e-mails to be run automatically.

If the message is opened in other mail services such as Hotmail or Yahoo, the user must run the attachment for the computer to be infected.

Valentin.E is dangerous because:

* It is executed every time a file with an EXE extension is run.

* It ends several processes belonging to security tools and firewalls.

* It gathers information about the infected computer: all file names and locations. This data can be used to perform more malicious actions.

Effects:

Valentin.E carries out the following actions:

* When it runs, it displays a message with the text "Ur My Best Friend" on the screen.

* Valentin.E is run every time a file with an EXE extension is run.

* It ends several processes if they are active in the affected computer.

These processes belong to antivirus programs and firewalls, among others, and are the following:

ANTIVIR

ATRACK

AVCONSOL

AVP.EXE

AVSYNMGR

CFINET

CFINET32

F-PROT95

FP-WIN

F-STOPW

IAMAPP

IOMON98

LOCKDOWN2000

LUCOMSERV

MCAFEE

NAVAPSVC

NAVAPW32

NAVLU32

NAVRUNR

NAVW32

NAVWNT

NISSERV

NORTON

PCCIOMON

PCCMAIN

PCCWIN98

POP3TRAP

PVIEW95

RESCUE32

SAFEWEB

SCAM32

SIRC32

SYMPROXYSVC

VSHWIN32

VSSTAT

WEBSCANX

WEBTRAP

ZONEALARM

[http://www.pandasecurity.com/homeusers/security-info/185368/information/Valentin.E]

* It gathers the following data about the affected computer:

- All the file names.

- The names of the processes, events and files that were running at the time of infection.

Infection strategy:

Valentin.E creates the following files in the Windows directory:

* %????%.EXE, which is a copy of itself.

where %????% stands for 4 random characters.

* %????????%.DLL. In this file it stores all the email addresses it finds in the affected computer.

The name of this file consists of 8 characters and is formed by repeating twice the 4 random characters used for the copy of itself.

* %????%.TXT, text file where the creator's signature is stored.

The content of this file is the following:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

w32.yAHa.D

aUThor :H^H, h2h@ach<blocked>ans.com

oRigIN :inDia, kERala(gODS own cOUntrY)

KANagaaa ,mANdi pEnnee nJan Ninne sNEhikkunnuu..

oRu sITe kITTiyirunnegggil.. hACK CHEyyyamayirunnuuu..

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

Additionally, it creates two files DSK$$$.$$2 and REG$$$.$$2, where the information obtained from the computer is stored.

Valentin.E modifies the following entry from the Windows Registry:

* HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1"%*

It changes this entry to:

HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = %windir%\%????%"%1"%*

where %windir% is the Windows directory.

By modifying this entry, Valentin.E ensures that it is run whenever a file with an EXE extension is run.
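Both registry changes described in this essay, the Nuwar.OL rootkit service keys and the Valentin.E change to the exefile open command, can be checked offline against a registry export. The following is an added example, not code from the essay or its sources; the sample export, the name abcd.exe and the service-name pattern are constructed assumptions.

```python
import re

# Constructed sample: a .reg export from a hypothetical infected machine.
# "abcd.exe" stands in for the worm's 4-random-character copy of itself.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\abcd.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito2f06-838]
"Start"=dword:00000001
"""

EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
# Clean value, compared with whitespace removed so that the essay's
# rendering ("%1"%*) and the usual one ("%1" %*) both count as clean.
CLEAN_COMMAND = '"%1"%*'
# Assumption: pattern generalised from the four service names in the essay.
BURITO_SERVICE = re.compile(r"\\services\\(burito[0-9a-f]+-[0-9a-f]+)$")


def parse_reg_export(text):
    """Return {lowercased key path: {value name: data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # String value: drop the quotes, undo \\ and \" escaping.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[name.strip('"')] = data
    return keys


def triage(text):
    """List (finding, detail) pairs for both persistence mechanisms."""
    findings = []
    for key, values in parse_reg_export(text).items():
        command = values.get("@", "")
        if key == EXEFILE_KEY and "".join(command.split()) != CLEAN_COMMAND:
            # Whatever precedes "%1" is the program run before every EXE.
            findings.append(("exefile-hijack", command.split('"%1"')[0].strip()))
        service = BURITO_SERVICE.search(key)
        if service:
            findings.append(("nuwar-rootkit-service", service.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage(INFECTED_EXPORT):
        print(finding)
```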

Means of transmission

Valentin.E spreads via email.

* It reaches the computer in an email message with the following characteristics:

Subject: it is related to friendship and love

It can be one of the following:

Are you looking for Love

Best Friends

Bullshit

charming

Check ur friends Circle

Cool

Dont wait for long time

Easy Way to revel ur love

Enjoy friendship

Enjoy Romantic life

excite

Find a good friend

for you

Free Screen saver

Friendship

Friendship

Friendship Screen saver

Funny

Great

Hi

how are you

How sweet this Screen saver

humour

I am For u

Idiot

Interesting

Interesting

Joke

Learn How To Love

Let's Dance and forget pains

Let's Laugh

Life for enjoyment

Looking for Friendship

Love

love speaks from the heart

LoveGangs

make ur friend happy

Need a friend?

New

Nice

Nothink to worryy

One

One Hackers Love

One Way to Love

Origin of Friendship

powful

relations

Romantic

Say 'I Like You' To ur friend

Screensaver

searching for true Love

Send This to everybody u like

Shake it baby

Shake ur friends

Shaking

stuff

The world of Friendship

The world of lovers

to check

to enjoy

to see

to share

to ur friends

to ur lovers

to watch

True Love

U r the person?

U realy Want this

Ur My Best Friend

war Againest Loneliness

Who is ur Best Friend

Wonderfool

Wowwwwwwwwwww check it

you care ur friend

Message:

The message starts with any of the following texts:

Text 1

Hi dear

check the attach

see u

Text 2

Hi

Check the Attachment ..

See u

Text 3

Attached one Gift for u..

Text 4

wOW CHECK THIS

Text 5

Check the attachment

Text 6

See the attachement

Text 7

Enjoy the attachement

Text 8

More details attached

and continues with the text below, which refers to an attached screensaver and asks users to send it to their friends:

This e-mail is never sent unsolicited. If you need to unsubscribe,

follow the instructions at the bottom of the message.

***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from <web address> to everyone you

consider a FRIEND, even if it means sending it back to the person

who sent it to you. If it comes back to you, then you'll know you

have a circle of friends.

* To remove yourself from this mailing list, point your browser to:

<web address>

* Enter your email address (<recipient address>) in the field provided

and click "Unsubscribe".

OR...

* Reply to this message with the word "REMOVE" in the subject line.

This message was sent to address <recipient address>

X-PMG-Recipient: <sender address>

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

Attachment: the file name is variable and has a double extension.

The file name can be any of the following:

BIODATA

BULLSHITSCR

CHECKFRIENDS

DAILYREPORT

ENJOYLOVE

FREESCREENSAVER

FRIENDS

FRIENDS

FRIENDS4U

FRIENDSCIRCLE

FRIENDSCR

FRIENDSEARCH

FRIENDSGREETINGS

FRIENDSHIP

FRIENDSHIP4U

FRIENDSHIPBIRD

FRIENDSHIPFORU

FRIENDSWORLD

FUCKER

GOLDFISH

GREETINGS

LOVE

LOVE

LOVE4U

LOVEFINDER

LOVEGREETINGS

LOVELETTER

LOVERS

LOVERS

LOVERSCREENSAVER

LOVERSGANG

LOVESCR

LOVESHORE

MOUNTAN

PASSION

PASSIONUP

REPORT

RESUME

RISHTHA

SCREENSAVER

SCREENSAVER4U

SCREENSAVER4U

SCREENSAVERFORU

SHAKEIT

SHAKESCR

SHAKINGFRIENDSHIP

SHAKINGLOVE

SHAREIT

SHARELOVE

TRUEFRIENDS

TRUELOVERS

URFRIEND

WEEKLYREPORT

WERFRIENDS

First extension:

BMP

DAT

DOC

GIF

HTM

JPG

MDB

MP3

MPG

TXT

WAV

XLS

ZIP

Second extension:

BAT

PIF

SCR

[http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=det&idvirus=185368&sitepanda=particulares]
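A mail filter can catch the double-extension naming scheme described above by looking at the last two extensions of each attachment name. The following is an added example, not code from the essay or its sources; the sample message and addresses are constructed, and the function names are hypothetical.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension lists exactly as the essay gives them for Valentin.E.
DECOY_EXTENSIONS = {"bmp", "dat", "doc", "gif", "htm", "jpg", "mdb",
                    "mp3", "mpg", "txt", "wav", "xls", "zip"}
EXECUTABLE_EXTENSIONS = {"bat", "pif", "scr"}


def classify_attachment(filename):
    """Return 'disguised-executable', 'executable' or 'ok' for a file name."""
    # Windows ignores trailing dots and spaces, and padding in front of the
    # real extension can push it out of view, so strip both before checking.
    parts = [p.strip() for p in filename.lower().rstrip(". ").split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return "disguised-executable"
    return "executable"


def scan_message(raw_bytes):
    """Map each risky attachment name in a raw message to its verdict."""
    message = message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in message.walk():
        filename = part.get_filename()
        verdict = classify_attachment(filename) if filename else "ok"
        if verdict != "ok":
            verdicts[filename] = verdict
    return verdicts


def build_sample():
    """Constructed test message; names follow the essay's naming scheme."""
    msg = EmailMessage()
    msg["Subject"] = "Ur My Best Friend"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Check the attachment")
    for name in ("FRIENDS4U.DOC.scr", "LOVE.JPG   .pif", "REPORT.XLS"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```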

The following image is an example of the email message Valentin.E sends:

* Valentin.E is automatically executed when the message is opened in Outlook. This happens on systems with older versions of Internet Explorer (prior to version 6). On other systems, Valentin.E is executed when the attachment is opened.

* Valentin.E searches for email addresses in the address book of various services, such as Outlook, Hotmail, Yahoo and IRC, among others.

* Valentin.E sends itself to addresses it has collected, using its own SMTP engine.

* However, it does send to those addresses that contain any of the following strings: gov, mil.

[http://www.pandasecurity.com/homeusers/security-info/185368/information/Valentin.E]
