This is the place to keep informed about the latest news on computer viruses that may affect your computer here at WCU or at home. If you have any questions about computer viruses, please contact the IT Help Desk at x3350.
- Sophos 2019 Threat Report - Deep Dive into Malware and other evil things.
- Top 10 Virus Hoaxes
- ZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
- TrickBot is a modular banking trojan that is known to be dropped by Emotet as well as spread via malspam campaigns. TrickBot is also known to download the IcedID banking trojan.
- Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
- CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.
- Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
- Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
- Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.
- CryptoWall is a ransomware commonly distributed through malspam with malicious ZIP attachments, Java Vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.
- NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
- Bifrose is a RAT that first appeared on the scene in 2004. Its capabilities include keylogging, screen capture, cam capture, remote shell, credential stealing, and registry access. Since its initial introduction, Bifrose has been sold to additional cybercriminal groups.
Practice Safe Computing
Information Services & Technology has deployed the Sophos Central Anti-Virus software package on all faculty and staff computers across campus. This software has also been installed in all of the general access computing labs. Periodic updates to the software are installed to prevent infection from new strains of computer viruses.
Many early computer viruses were written as pranks: they would do something amusing and then disappear. A virus carries instructions that trigger some kind of "event" on the infected computer. Each virus has its own event, and the effects range from harmless to devastating. For example:
- An annoying message appearing on the computer screen.
- Reduced memory or disk space.
- Modification of data.
- Files overwritten or damaged.
- Hard drive erased.
There are many types of computer viruses including file viruses, boot sector viruses and Trojan Horse programs.
Boot Sector Virus – Infects the master boot record or the boot sector of a disk, so it runs before the operating system loads. Removal is difficult and often requires reformatting the disk. It spreads mostly through removable media.
Direct Action Virus – Also called a non-resident virus. It does not stay in memory: it runs when an infected file is opened, infects other files of the type it targets, and then hands control back to the host program. It usually has little visible effect on the user experience or system performance, which is why it often goes unnoticed.
Resident Virus – Unlike a direct action virus, a resident virus loads itself into memory and stays there while the computer runs, intercepting system activity so it can infect files as they are used. It is harder to identify and harder to remove, since the copy in memory can reinfect files that have just been cleaned.
Multipartite Virus – Spreads in more than one way, infecting both the boot sector and executable files.
Polymorphic Virus – Hard to identify with a traditional anti-virus program because the virus alters its signature pattern every time it replicates, typically by re-encoding its body with a new key and leaving only a small decoder in the clear. A scanner has to recognize the decoder, or emulate it to expose the body, rather than look for one fixed byte pattern.
Overwrite Virus – Overwrites the contents of the files it infects, destroying the original data. An infected file cannot be repaired; the only remedy is to delete it and restore the contents from a backup. Overwrite viruses commonly spread through e-mail.
Spacefiller Virus – Also called a "cavity" virus. It inserts its code into unused space inside an executable (for example, padding between sections), so the file size does not change and the file still works, which makes the infection harder to notice.
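To make the polymorphic entry concrete, here is an added example; it is not code from this page or from Sophos. It contrasts a fixed-signature scanner with a scanner that reproduces the decoding step before matching. The "virus body", the signature and the `DECODE_WITH_KEY:` decoder stub are constructed stand-ins, and nothing in the script executes anything.

```python
import os

# Constructed stand-in for a virus body; plain bytes, nothing here executes.
PAYLOAD = b"VIRUS_BODY_v1:" + bytes(range(32))
# The fixed pattern a classic signature scanner would carry for this family.
SIGNATURE = b"VIRUS_BODY_v1"
# Marker of the (hypothetical) decoder stub that every polymorphic copy keeps in the clear.
STUB_MARKER = b"DECODE_WITH_KEY:"


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def replicate_static():
    """A non-polymorphic virus copies its body unchanged, so the signature is always present."""
    return PAYLOAD


def replicate_polymorphic(key=None):
    """Each copy is XOR-encoded with a fresh key and prefixed with a decoder stub
    that records the key. Key 0 is avoided because it would leave the body unchanged."""
    if key is None:
        key = os.urandom(1)[0] or 1
    return STUB_MARKER + bytes([key]) + xor_bytes(PAYLOAD, key)


def signature_match(sample, signature=SIGNATURE):
    """Naive scanner: look for the fixed byte pattern in the file as stored on disk."""
    return signature in sample


def emulated_match(sample, signature=SIGNATURE):
    """Scanner that recognizes the decoder stub, reproduces the decoding step and
    then scans the recovered body. This is what anti-virus emulation does in
    principle: run or simulate the decryptor until the real body is exposed."""
    if not sample.startswith(STUB_MARKER):
        return signature_match(sample, signature)
    key = sample[len(STUB_MARKER)]
    body = xor_bytes(sample[len(STUB_MARKER) + 1:], key)
    return signature in body


if __name__ == "__main__":
    copies = [replicate_polymorphic() for _ in range(5)]
    print("static copy, naive scan:   ", signature_match(replicate_static()))
    print("polymorphic, naive scan:   ", [signature_match(c) for c in copies])
    print("polymorphic, emulated scan:", [emulated_match(c) for c in copies])
```

Every polymorphic copy differs on disk, so the naive scan never fires on them, while the emulating scan fires on all of them. Real engines carry stub recognizers and emulators for exactly this reason, and defenders supplement them with behaviour-based detection when the decoder itself mutates.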
Often, a user isn't aware that his or her computer is infected with a virus until the virus executes its unique event, such as displaying an unusual message or damaging a file. It is hard for people to detect viruses because they usually don't display symptoms prior to the event taking place.
However, some viruses will provide early clues that they exist, such as:
- Changes in file or date stamp.
- Longer times to load programs.
- Slower system operation.
- A program fails to start.
- An unusual amount of disk activity (the floppy or disk drive runs for no apparent reason).
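The first clue in the list, changed file contents or date stamps, is exactly what a file-integrity baseline catches. The following is an added example, not tooling from this page or from Information Services & Technology: it records size, modification time and a SHA-256 hash for a set of files while they are known-good, then reports what differs later. The three "program files" and the two tamperings are constructed in a temporary directory so the script runs on its own.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record size, modification time and content hash for each file while it is known-good."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_file(path)}
    return baseline


def check_against_baseline(baseline):
    """Return {path: [reasons]} for every file that no longer matches its baseline record."""
    findings = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        st = os.stat(path)
        reasons = []
        if st.st_size != rec["size"]:
            reasons.append("size changed")
        if st.st_mtime_ns != rec["mtime_ns"]:
            reasons.append("timestamp changed")
        if sha256_file(path) != rec["sha256"]:
            reasons.append("content changed")
        if reasons:
            findings[path] = reasons
    return findings


def demo():
    """Constructed scenario: three fake program files; two are tampered with after the baseline."""
    workdir = tempfile.mkdtemp(prefix="fim-demo-")
    old_ts = 1_600_000_000 * 10**9  # fixed, old timestamp so the demo is deterministic
    files = {
        "editor.exe": b"MZ" + b"A" * 30,
        "viewer.exe": b"MZ" + b"B" * 30,
        "notes.txt": b"no virus here",
    }
    paths = {}
    for name, body in files.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(body)
        os.utime(p, ns=(old_ts, old_ts))
        paths[name] = p
    baseline = take_baseline(paths.values())

    # Tamper 1: an appending infector grows the file; size and timestamp give it away.
    with open(paths["editor.exe"], "ab") as f:
        f.write(b"VIRUS")

    # Tamper 2: same-size overwrite with the original timestamp put back afterwards,
    # the way a stealthy infector would. Only the content hash notices.
    st = os.stat(paths["viewer.exe"])
    with open(paths["viewer.exe"], "wb") as f:
        f.write(b"MZ" + b"X" * 30)
    os.utime(paths["viewer.exe"], ns=(st.st_atime_ns, st.st_mtime_ns))

    findings = check_against_baseline(baseline)
    return {os.path.basename(p): reasons for p, reasons in findings.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

The point of hashing rather than trusting the date stamp alone is the second tampering: a virus that restores the original timestamp leaves the "date changed" clue absent, but it cannot make the new contents hash to the old value. The baseline itself should be stored somewhere the infected machine cannot rewrite.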
While there are still viruses that do not harm or destroy, many have become destructive in their intent. Consequently, anti-virus software is compulsory for every computer on campus. By following these few simple guidelines, the risk of a virus attack can be reduced dramatically.
- Make sure that your anti-virus software is regularly updated to take into account new viruses and variants recently written. WCU computers should be rebooted at least once a week to activate any upgrades.
- Do not boot your PC from a floppy diskette unless you are certain that the diskette is clean and free from viruses.
- Use the write-protect tab on a floppy diskette to prevent viruses from copying themselves onto the diskette.
- Call or E-mail the Help Desk with questions regarding any unusual behavior you detect from your PC.
- Do not open E-mail messages from strangers or attachments you weren't expecting.
If you receive an e-mail attachment that your anti-virus software flags, delete it immediately. It is a good idea to play it safe with attachments in general and not open any that aren't from a trusted source. Simply receiving a message whose attachment contains a virus does not infect your system; the attachment has to be opened for the virus to run.
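A practical check behind the advice above is to triage attachments by name before anyone opens them. The example below is added here and is not part of the original page or of Sophos Central; the extension lists and verdict strings are the editor's own assumptions, and the e-mail it parses is constructed inside the script with dummy attachment bytes. It flags executables, executables hidden behind a double extension such as `invoice.pdf.exe`, macro-capable Office files, and archives that need their contents inspected.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed lists (editor's choice, not an official Sophos or WCU policy).
# Extensions that execute directly on a Windows PC.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".jar", ".lnk", ".msi"}
# Office formats that can carry macros: explicitly macro-enabled and legacy binary ones.
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
# Containers whose contents have to be inspected before any verdict.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tgz", ".tar", ".iso", ".img"}


def classify_filename(filename):
    """Verdict for one attachment name based on its last extension and on double extensions."""
    pieces = filename.lower().split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    inner = "." + pieces[-2] if len(pieces) > 2 else ""
    if ext in EXECUTABLE_EXT:
        # "invoice.pdf.exe": a harmless-looking inner extension in front of an executable one.
        if inner and inner not in EXECUTABLE_EXT:
            return "block: executable disguised by a double extension"
        return "block: executable"
    if ext in MACRO_EXT:
        return "quarantine: macro-enabled Office document"
    if ext in LEGACY_OFFICE_EXT:
        return "quarantine: legacy Office format, may contain macros"
    if ext in ARCHIVE_EXT:
        return "quarantine: archive, inspect contents"
    return "allow"


def triage_attachments(raw_message):
    """Parse a raw RFC 5322 message and return {attachment filename: verdict}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        verdicts[name] = classify_filename(name)
    return verdicts


def build_sample_message():
    """Constructed malspam-style message with four attachments; the bodies are dummy bytes."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice and remittance sheet.")
    msg.add_attachment(b"PK\x03\x04dummy", maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"MZdummy", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04dummy", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="remittance.xlsm")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_attachments(build_sample_message()).items():
        print(f"{name}: {verdict}")
```

Name-based triage is a first filter, not a substitute for scanning: the zip verdict says "inspect contents" because a clean-looking archive is how CryptoWall-style malspam delivers its payload, and a legacy .doc or .xls is quarantined rather than blocked because only some of them carry macros.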
If you get a virus on your University computer, or if your computer seems to be operating abnormally, please do the following:
- Write down what symptoms you observe. Was there a warning message? Funny behavior?
- Call the Help Desk (x3350)
A Help Desk Consultant will assist you with scanning and removing the virus.
To verify that your PC has anti-virus running, look in the lower right hand corner of your desktop. You should see the Sophos Shield icon in the system tray.
Although we cannot provide anti-virus software or support for your home PC, it is essential to provide protection for that equipment as well. Provided for your convenience are the top four anti-virus program web sites.
The term virus is used by many people to mean many things. In computers, a virus is a program, or piece of a program, that executes on a victim's computer without the victim's knowledge. This page groups viruses into four types: file, boot, macro, and network viruses.
File viruses infect real programs installed on the computer, create look-alike copies of files ("file doubles"), or abuse "features" built into the system. Boot viruses infect the area of the disk (the boot sector) where the computer reads its start-up instructions. Macro viruses are stored in documents, spreadsheets, and other files of popular packages such as Microsoft Word. Finally, network viruses spread over the local network or the Internet using protocols such as e-mail.
A single virus can combine more than one of the above types, and it spreads according to the type it is. Viruses also differ in how they "live" inside a computer. A TSR (terminate-and-stay-resident) virus stays in the computer's memory while the computer is running and intercepts commands and messages the computer is processing. Stealth viruses hide themselves from the victim, for example by reporting the original file size and contents when an infected file is examined. Polymorphic and self-encrypting viruses change themselves every time they replicate, which makes it difficult for virus scanners to look for a fixed "fingerprint."
Finally, every virus carries some kind of payload, though not every payload is destructive. Some are harmless; others use up a small amount of computing resources. Dangerous viruses may seriously disrupt use of the computer, and very dangerous ones may do just about anything to the victim's machine, including deleting files, erasing hard drives, or changing how programs work.
Items that can carry a virus:
- Program files, non-file areas used on computer start up (boot sectors), and data files with macro capabilities
- Data disks and disks used to transfer programs
- Downloading of files from an online service, i.e. internet
- A file attachment from an email message
Items that, by themselves, cannot carry a virus:
- Hardware, such as keyboards and monitors, graphic files, data files without macro capabilities, software items other than program files
- Write protected disks
- Your computer when you read messages from an online service, i.e. internet
- Text-based e-mail messages. For small messages, it is best to paste the text into the body of the e-mail rather than sending it as an attachment
If your computer did not come with a virus scanner, or if your virus scanner is very old, visit the IT Help Desk Sophos Anti-Virus page (WCU students and employees only). A list of virus scanners is available to download. Most are offered on a thirty-day trial basis; after the trial period you may be required to uninstall the scanner, or you can purchase the software.
If you currently own a virus scanner, you may have the option to update it. Updating your virus scanner downloads all new virus information to your computer to help protect your files from the newest viruses.