Malware: Malware activation techniques

Words are the small change of thought.
Jules Renard (1864-1910); French writer and dramatist.

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 14, 2004 - Today's Oxygen3 24h-365d will look at the most common
techniques used by malware(*) to activate itself.

The first types of malicious code were activated when a user executed an
infected file or, in the case of boot viruses, when the computer read an
infected floppy disk.

Viruses that infect files try to copy themselves to all the executable files
stored on all drives, including the operating system files. By doing this,
when the computer is started up or an application is launched, the virus can
activate itself in memory and carry out its actions. A typical example of a
virus that ensures that it is activated whenever the computer is started up
is Lehigh, which only infects COMMAND.COM, the command interpreter that
starts MS-DOS.

Boot viruses work in a similar way: when an infected floppy disk is read,
they are activated and infect the boot sector of the hard disk. Once they
have done this, whenever the operating system is started up from the hard
disk, the virus will be activated in memory and will infect any floppy disk
used on the computer.

When Windows was launched, the number of viruses using these techniques to
spread decreased. Nowadays, the most widespread malware are Internet worms
and Trojans with the capacity to create backdoors. These ensure that they
are run whenever the system starts up by inserting an entry with a reference
to the infected executable file in the Windows Registry, under a key like the
following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This key contains references to legitimate applications that are run
whenever Windows is started, but can also contain a call to a Trojan or
worm. A recent example is the Sasser.B worm, which is activated by the
following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avserve2.exe = %windir%\avserve2.exe

The entries in this key can be viewed or deleted through the REGEDIT.EXE
application, which allows access to all the entries in the Windows Registry.

(*) Malware: programs, documents or messages liable to have negative effects
on IT systems.
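
The Run key review described above can also be done offline on a file exported from REGEDIT.EXE. The following is an added example, not part of the original bulletin: the sample export is constructed, and the "executable directly in the Windows directory" rule is an assumed review heuristic, not a verdict.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample in regedit's .reg export format; not from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"avserve2.exe"="%windir%\\avserve2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Unrelated"="C:\\WINDOWS\\notrun.exe"
'''

# "name"="data" string values; .reg files escape \ and " with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed review heuristic: an .exe sitting directly in the Windows directory.
WINDIR_ROOT = re.compile(r'^(%windir%|%systemroot%|[a-z]:\\windows)\\[^\\]+\.exe$', re.I)

def unescape(text):
    return re.sub(r'\\(.)', r'\1', text)

def run_entries(export_text, key=RUN_KEY):
    """Return {value name: command line} for string values under `key`."""
    entries, in_key = {}, False
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and (m := VALUE_RE.match(line)):
            entries[unescape(m.group(1))] = unescape(m.group(2))
    return entries

def target_path(command):
    """Executable part of a command line: quoted path, else first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def review(entries, known_bad=("avserve2.exe",)):
    """List (name, path, reason) for entries an analyst should look at."""
    findings = []
    for name, command in entries.items():
        path = target_path(command)
        if path.rsplit("\\", 1)[-1].lower() in known_bad:
            findings.append((name, path, "file name from the Sasser.B entry"))
        elif WINDIR_ROOT.match(path):
            findings.append((name, path, "executable directly in Windows directory"))
    return findings
```

Call `review(run_entries(text))` on the export's contents. Exports in the "Version 5.00" format are written as UTF-16, so read a real file with `encoding="utf-16"`.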
------------------------------------------------------------
The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's
free online scanner: 1) Sasser.ftp; 2) Netsky.P; 3) Qhost.gen; 4)
Briss.A; 5) Netsky.D.