Mail services with virus messages. How viruses are transmitted by email. Virus worm Nimda

Mail viruses are a special kind of network virus: they propagate by using the capabilities of email protocols. The virus sends its body by email as an attached file; when the user opens that file, the virus is activated and performs its functions. Because of various bugs in mail client programs (especially Microsoft Outlook), the attached file can start automatically when the message itself is opened; the "I Love You" virus is an example. For further distribution, the virus can use the list of addresses stored in the mail client's address book.

To disguise themselves, virus distributors often exploit the fact that by default Windows Explorer does not display the extensions of registered file types. As a result, a file attached to the message with a name such as FreeCreditCard.txt.exe is shown to the user as FreeCreditCard.txt. If the user does not check the file's real attributes and tries to open it, the malicious program is launched. Another widely used trick is to insert 70-100 or more spaces between the name and the true extension. The file name becomes:

"readme.txt" followed by 70-100 spaces and then ".exe",

and Windows Explorer, because of a developer oversight, shows only "readme.txt". As a result, the user, suspecting nothing, may try to open the file and thereby launch the malicious program.
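As an added example (not part of the original text), here is a Python check that a mail gateway or a cautious user could run on an attachment name to catch the two disguises just described: it computes what Explorer would display with "Hide extensions for known file types" enabled and flags double extensions and whitespace padding. The extension lists and the padding threshold are this example's own assumptions.

```python
# Constructed, deliberately short extension lists for this example.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
DOCUMENT_EXTENSIONS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "htm", "html"}
PADDING_THRESHOLD = 8  # assumed: no honest file name has this many spaces before its extension


def explorer_display_name(filename):
    """Name shown when 'Hide extensions for known file types' is on: the last
    extension is cut off, so 'readme.txt<spaces>.exe' shows as 'readme.txt<spaces>'."""
    base, sep, _ = filename.rpartition(".")
    return base if sep else filename


def analyze_attachment_name(filename):
    """Return what the user sees, what the file really is, and why it looks disguised."""
    _, sep, ext = filename.rpartition(".")
    real_ext = ext.lower() if sep else ""
    shown = explorer_display_name(filename)
    visible = shown.rstrip()  # what fits in the Explorer column once padding is trimmed
    reasons = []
    # 1. Double extension: the visible part ends in a document-like extension
    #    while the hidden real extension is executable (FreeCreditCard.txt.exe).
    visible_ext = visible.rpartition(".")[2].lower() if "." in visible else ""
    if real_ext in EXECUTABLE_EXTENSIONS and visible_ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension: looks like .{visible_ext}, is really .{real_ext}")
    # 2. Whitespace padding pushes the real extension out of view.
    padding = len(shown) - len(visible)
    if padding >= PADDING_THRESHOLD:
        reasons.append(f"{padding} whitespace characters hide the .{real_ext} extension")
    disguised = bool(reasons)
    # An undisguised executable is still worth reporting, just not as a disguise.
    if not disguised and real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"plain executable attachment (.{real_ext})")
    return {"displayed_as": visible, "real_extension": real_ext,
            "disguised": disguised, "reasons": reasons}
```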

In addition, email messages often arrive as HTML documents, which may include links to ActiveX controls, Java applets and other active components. When a message in HTML format is received, the mail client renders its contents in its window. If the message contains malicious active components, they are launched immediately and do their dirty work. Trojans and network worms are most often distributed this way.

Macro viruses.

Macro viruses (or script viruses) use the capabilities of the macro languages built into various operating systems and information-processing tools (text editors, spreadsheets, financial systems, etc.). Today such viruses are widely known for the applications of the MS Office package, and macro viruses for the 1C package have also appeared. Viruses for Windows written in Visual Basic can also be considered a type of macro virus.

The distinctive features of macro viruses are the following:

- the body of the virus is a text file containing macro-language commands and data;
- a macro virus can be activated only in an environment where an interpreter of that macro language is running;
- the body of a macro virus is, as a rule, placed inside a document file intended for processing by a software package that includes the corresponding macro-language interpreter;
- when an application is infected, the body of the virus is usually saved together with the application's user settings (for example, the normal.dot template of the MS Word editor) or with additional loadable modules.

Macro viruses launched from an infected document take control when the infected file is opened, intercept some file-handling functions, and then infect the files that are accessed. Macro viruses can "live" not only on individual computers but can also interact with the network, if the environment that processes the infected document provides such functions.

The host environment of a macro virus also shows external signs of infection. For example, one symptom of an MS Word infection is that files cannot be saved with the "Save As..." command; another is that the "Macro" item in the "Tools" menu cannot be opened.

Since macro viruses under MSWord were the most popular, we will dwell on them in more detail.

First, you need to remember that the entire MS Office package is built on macros. Any action performed on a document is performed by a macro. For example: printing a document is "FilePrint", saving the file is "FileSave", saving the document under another name is "FileSaveAs".

For a macro in a template to run automatically on a particular event, it must have one of the following names:

- AutoExec – runs when MS Word is started or a global template is loaded
- AutoNew – runs when a new document is created
- AutoOpen – runs when a document is opened
- AutoClose – runs when the document is closed
- AutoExit – runs when Word exits or when the global template is closed.

In principle, the execution of such macros can be cancelled by holding down the Shift key while performing the actions listed above.

In addition, the creators of Microsoft Office made attackers' task easier by introducing the ability to replace MS Word commands with user macros. Thus, if the loaded document has a macro named, for example, "FileOpen", it will be executed every time another document is opened. That is, a macro virus with the corresponding name runs instead of the editor's built-in macro of that name.

When infecting MS Word, macro viruses save their body in the Normal.dot template, but there may also be other templates that are loaded when the editor starts and contain macro viruses. For this the editor uses the "Startup" (autoloaded templates) location, which the user can set from the menu Tools / Options / File Locations.

In principle, MS Word itself can control the loading of macros when a document is opened. To do this, set the security level in the menu Tools \ Macro \ Security. The MS Word security level is controlled by a registry key; for MS Word 2000, for example, it is the key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security, and for later versions of the editor "9.0" is replaced with "10.0", "11.0", etc. The key takes the values 1, 2, 3 and higher; 1 is the lowest security level, which allows any macro to run without notifying the user. Any macro executed under Windows 9x, or under Windows 2000, Windows XP or Windows Vista by a user with administrator rights, can change the value of this key to 1, after which the user can no longer track subsequent loads of macro viruses.

First of all, a small digression is needed about what counts as a virus. Nowadays any program or file that an antivirus complains about is commonly called a virus, although in reality it is not. A virus is a program that reproduces itself (copies itself many times) in order to infect as many files and computers as possible (network viruses). Everything else is simply malware that is not capable of self-propagation. To exist, viruses need some way to spread to other computers, so they are designed so that, having penetrated one PC, they can move from it to others. This is how infection occurs.

The first group is boot viruses. This method of penetration is quite common. Any storage medium (flash drive and memory card, floppy disk, CD/DVD, HDD) has a boot sector. When you turn on the computer, the first thing it reads is the boot information. If the boot information on the disk is intact, the computer uses it for normal operation. But if the disk was infected with a virus, the virus enters the computer immediately, even from a CD, and activates itself. Most such viruses "live" on the user's PC for a long time without revealing themselves. They are designed to spread over the network and do not harm your computer. Malicious programs often have a kind of trigger: they activate themselves at the time set for them (New Year or Halloween). This is done to accumulate a sufficient mass of infected computers before antiviruses interfere. However, some viruses begin to do harm as soon as they enter the PC. Very often they are programmed to completely format (wipe the contents of) your PC's disk.

The second group is programs that infect files. The virus stays in the computer's memory as soon as the infected application is launched. If the virus is not removed, every application you open on the PC will be infected automatically, which increases the number of dangerous applications. Infecting several applications at once is very harmful to the system. As a rule, infected files may not cause problems for a while, and this is precisely what makes them dangerous: while the applications keep working normally, the virus has time to destroy the entire system. File names saved incorrectly, or contents only partially stored, are the first sign that the computer is infected. Programs of this group impair the performance of all programs used to exchange information with other users or computers on the network. For example, office documents, screensavers, mail applications and self-extracting compressed files are the first to suffer.

"Mail" viruses make up the group of the most dangerous and widespread programs for damaging computer software. An email with a file attached to it is the most common carrier of viruses. If the computer has been infected in this way, the user will keep sending viruses on simply by attaching the file he needs to send to a message: he will not even suspect that when the attachment is added, the virus attaches itself along with it. After the message is opened, the procedure repeats. You should pay attention to messages from users you do not know. But even if the author of the message is familiar to you, he may be a distributor of viruses without knowing it. Therefore, if you receive an email with attached animations, jokes, spreadsheets, greeting cards, photos or documents, check the email for viruses. Often such viruses send infected emails on their own to all users whose addresses are stored in the computer's memory. Thus, while spreading, the virus damages the user's reputation. That is why, before opening a message, you should find out as much as possible about it. Even messages from well-known people are best checked with an antivirus. This is the only way to protect your computer and the computers of other users from infection with viruses of various kinds.

215. File viruses infect:

graphic files

spreadsheet files

text documents

Executable files

service areas on disk

216. Macroviruses infect

Service areas of the disk

Programs that have a macro language

executable files

boot files

graphic documents

217. Bomb viruses are characterized by the fact that

infect executable files

not detected by OS tools

Do not have a breeding phase

do not have a permanent code

infect boot files

218 Stealth viruses are programs that…

infect text files

destroy service areas on the disk

bother the user with unexpected messages

Cannot be seen by means of the OS

infect executable files

219 Destructive viruses destroy

executable files

Service areas on the hard disk

text files

Spreadsheet files

graphic files

220 Programs dubbed Trojan horses are

file viruses

Malicious codes

macro viruses

harmless programs

221 .Virus is

program that affects only system files

A program capable of performing unauthorized actions on a computer

program that destroys only boot files

program that bothers the user with unexpected messages

file hiding program

223 Computer viruses may affect

all answers are correct

Programs and documents

video files

sound files

graphic files


224 A virus in the computer may appear

when solving a mathematical problem

when connecting a modem to a computer

spontaneously

when archiving data

Move from floppy disk

225 Infection with computer viruses can turn up

all answers are correct

Programs and documents

sound files

graphic files

video files

226 Computer viruses are…

A special program of small size that can attach itself to other programs and has the ability to "multiply"

disc check and repair program

disk defragmentation software

any program written in low-level languages

scanning software from a badly formatted floppy disk

227 Programs dubbed "Trojan horses" refer to:

harmless programs

file viruses

Malicious codes

macro viruses

228. A computer can become infected with a virus when:

Working with an "infected program"

formatting a floppy disk

launching an antivirus program

computer testing

restarting the computer

229 Specify non-existent type of virus

Installation viruses

boot viruses

macro viruses

companion viruses

file viruses.

230 Viruses that infect files with the .com and .exe extensions

file viruses

installation viruses

Boot viruses

macro viruses

DIR viruses

231 The auditor program detects viruses...

periodically check all the files on the disk

monitors important computer functions and possible paths of infection

tracks changes in disk boot sectors

When opening a file, it calculates the checksums and compares them with the data stored in the database

by virus infection date

232 Specify a non-existent type of anti-virus software

Screener programs

auditor programs

filter programs

detector programs

doctor-auditors

233 Boot viruses

Affects system areas of hard and floppy drives.

always changes the code of the infected file;

infects files;

always changes the beginning of the file;

changes the beginning and length of the file.

234 Purpose of anti-virus programs called detectors

detection and destruction of viruses;

control of possible ways of distributing computer viruses;

Detection of computer viruses;

“cure” infected files;

destruction of infected files.

235 Specify programs that are not anti-virus

Scanning programs

detector programs

Phage programs

program auditors

all answers are correct

236 Infection with the "mail" virus occurs ...

When connecting to a web server infected with a "mail" virus

When opening an infected file sent with an e-mail

When using the Internet

When connecting to a mail server

When you receive an infected file with a letter sent by e-mail

The Internet is a universal virtual space that has given humanity many amazing opportunities. Today it is hard to imagine time spent without the Internet or its services. It is such a huge space that it already contains billions of different sites and communities, portals and forums, and much more. But, as is usually the case, great opportunities bring global challenges. The first danger to arise from the Internet was the opportunity to engage in hacking. Today there are entire communities around the world actively engaged in illegal activity, constantly stealing data or causing panic among both ordinary users and large companies. One example is the huge company Sony, which at one time was subjected to a massive hacker attack and could not withstand it: as a result, the personal data of 77 million PlayStation users were stolen. But Sony is not the only victim of these intruders. Every day many companies, websites, databases and other elements that rely on the Internet are exposed to hacker attacks.

But hackers are not the only modern problem; besides them there are virus attacks, which have a far larger reach. These viruses can harm several million users at once. One careless launch of a program carrying a virus can endanger entire cities and countries. To fight viruses and protect your computer, you can use the tips on this page. Today we will look at the most terrible viruses in the history of the computer world.

Morris Worm

This is the legendary, very first virus, created by Robert T. Morris in 1988. Its creator did not intend to harm Internet users; he only wanted to measure the size of the entire worldwide network, but as a result he caused damage estimated at several tens of millions of dollars. The result of his curiosity was the defeat of more than 5000 Internet nodes. Most interestingly, his virus did not merely hit these nodes, it paralysed them completely, depriving them of any ability to operate, which is comparable to simply shutting them down. For those times, the defeat of so many nodes was a global catastrophe.

Melissa virus

Another representative of the most dangerous viruses, which, oddly enough, is named after a stripper. This virus instantly hit the top companies in the world, including even Microsoft with its supposedly incomparable protection. After the virus attack, Microsoft had to close all its mail gateways to prevent the virus from spreading further, since it was through them that the global infection of users had been going on.

ILOVEYOU mail virus

The simplest of viruses, developed in the Philippines in 2000, turned out to be genuinely frightening and destructive. This was the first mail virus that humanity encountered.

The virus was a simple email that arrived in the user's mailbox. With the intriguing subject "I love you", naturally everyone was curious to look inside, but in the end it appeared to be empty. That emptiness, however, was only at first glance. In fact a ".vbs" script was hidden in the message; it was activated when the message was opened and sent itself (again as an "I love you" message) to all users whose addresses appeared in the affected user's mailbox. As a result, the chain of this virus spread over almost the whole world. The total damage from it amounted to almost 15 billion dollars.

Because the damage was of such magnitude, the ILOVEYOU virus was entered in the Guinness Book of Records.

Code Red worm

Code Red is the founder of the class of viruses known as "worms". It made itself known on July 13, 2001, when a mass attack was carried out on users of the well-known and, at the time, popular server software Microsoft IIS.

The worm actively penetrated the very core of the server and began to act from there; to be more precise, it replaced all site data with a phrase embedded in it. When users opened a site the Code Red worm had penetrated, instead of information they were shown the phrase "Hello, the site was hacked by the Chinese!". Thus hundreds of projects were disrupted and the operations of many companies were broken. The total damage from the virus amounted to almost 2.6 billion dollars.

Nimda worm

A curious coincidence occurred with the virus called "Nimda": it appeared exactly when the tragedy in the United States occurred, the sad fate of the two twin towers into which the planes were flown, with hundreds of victims and enormous destruction. It was at this very time that the virus appeared. For this reason it is ascribed a terrorist origin; allegedly, with the help of this virus, the terrorists continued to terrorize the population.

The purpose of the virus was to infect as many users as possible; as a result, the United States suffered losses of 635 million dollars.

SQL Slammer

SQL Slammer is another piece of malware that managed to break into Microsoft systems and infect most users. The infection went through an unnoticed hole in SQL, which allowed the virus to spread freely and degrade the performance of Internet browsers. It slowed down or completely cut off the Internet.

MS Blast virus

MS Blast is the most dangerous virus in existence. Under the right combination of circumstances, it can infect Windows users through a special system-update mechanism. But it does not just infect users; it completely paralyses the system, thereby disrupting the operating system.

Mydoom mail virus

Another representative of seemingly empty and harmless messages. Many users received a strange message in their mail; on opening it, the user found the text "I'll just do my job, nothing personal", after which the user was blocked from accessing Microsoft's web resources, specialised anti-virus resources (and their applications) and news portals.

Sasser worm

A practically harmless but highly contagious and annoying virus called Sasser caused a lot of trouble. Once the virus had penetrated a user's computer, it infected other computers; more precisely, it looked for any way to get into other computers, which it did very well, and so it infected a huge number of machines. The only harm it could do was a simple reboot of the computer, which happened whenever it liked.

Witty virus

BlackICE, a popular firewall at the time, turned out to be a source of danger for all its users. It had one small flaw in its protection, which allowed attackers to spread the Witty virus. Hundreds of thousands of users were affected by this massive infection. The virus penetrated their computers and filled the free space on their hard drives with arbitrary data.

Sending spam with malicious attachments is a fairly popular way to spread malware and infect users' computers on the Internet. According to various antivirus companies, emails with malicious attachments account for between 3 and 5 percent of total spam traffic, meaning that at least every thirtieth email in a spam stream contains a malicious surprise.

Although Russia (surprise!) is not among the leaders in the number of computers infected this way (the top three are traditionally the USA, Germany and England), we think it would be useful to find out what makes so many users in different parts of the world click on attachments in emails from unknown senders. Let's go!

THE MALICIOUS EMAIL

Sender address (From field)

The first thing that an attacker who sends malicious spam has to take care of is on whose behalf the mailing is carried out. Messages on behalf of individuals (leaving aside mailings from a hacked mail account to its address book) are not very effective here, so various companies, organisations and even some judicial or executive authorities are used instead.


Top 10 email malware

Recently, international delivery services (DHL, FedEx, United Parcel Service (UPS) or TNT) have been especially popular. If you remember, that is how Cryptolocker was distributed: under the guise of a delivery report from FedEx or UPS.

The problem of the sender's address in the From: field is solved by the villains in several ways:

- they hack into the mail of the desired company and send messages from there (extremely difficult to implement and almost unrealistic, especially when it comes to a large, serious company);
- they register a domain with a name very similar to the name of the desired company;
- they use a free mail service, registering an address on it like [email protected];
- they replace the real sender address (there are several ways to do this, ranging from various programs and services on the Internet to mail-sending scripts).
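The following is an added example, not from the original article: a Python classifier for the From: header that maps an incoming address to the sender tricks listed above (lookalike domain, brand name on a free-mail account) and, for an exact match on a trusted domain, reminds the caller that only the mail server's SPF/DKIM/DMARC results can tell a genuine header from a replaced one. The trusted brands, free-mail providers and test addresses are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: brands the recipient deals with, keyed by the
# domain they really send from, and a few free-mail providers.
TRUSTED_DOMAINS = {"dhl.com": "dhl", "fedex.com": "fedex", "ups.com": "ups", "tnt.com": "tnt"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "mail.ru"}


def edit_distance(a, b):
    """Levenshtein distance; a domain one typo away from a real one is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def contains_brand(label, brand):
    """True if the brand appears as a whole token ('fedex-delivery', 'fedex.status'),
    so that 'ups' does not match inside 'groups'."""
    return re.search(rf"(^|[-._]){re.escape(brand)}([-._]|$)", label) is not None


def classify_sender(from_header):
    """Map a From: header to one of the sender tricks described in the text.
    Returns (verdict, detail)."""
    _display, address = parseaddr(from_header)
    local, _, domain = address.rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in TRUSTED_DOMAINS:
        # A forged From: is byte-for-byte identical to a real one, so this verdict
        # is only as good as the SPF/DKIM/DMARC result the receiving mail server
        # recorded (Authentication-Results header), which this example does not parse.
        return "trusted domain (confirm with SPF/DKIM results)", domain
    for real, brand in TRUSTED_DOMAINS.items():
        if edit_distance(domain, real) <= 1 or contains_brand(domain, brand):
            return "lookalike domain", f"{domain} resembles {real}"
    if domain in FREE_MAIL_DOMAINS:
        for brand in TRUSTED_DOMAINS.values():
            if contains_brand(local, brand):
                return "free-mail account using a brand name", address
        return "free-mail account", address
    return "unrelated domain", domain
```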

Email subject (Subject field)

The subject of the email should grab the recipient's attention and encourage them to open the message. Naturally, it must match the line of business of the organisation on whose behalf the message was sent. If the mailing is conducted, for example, on behalf of a delivery service, the most popular subjects will be:

- everything related to shipping, tracking or delivery of parcels (shipment notifications, delivery status, shipment confirmation, shipment documents, delivery information);
- information about an order and an invoice for payment;
- notifications about messages and accounts (creating and verifying an account, receiving new messages).


Examples of filling in the Subject field in letters on behalf of popular delivery services

For our country, mailings on behalf of various state bodies are more typical, and in this case, the attackers choose the appropriate topics, for example, “Judicial decision” (on behalf of the Federal Bailiffs Service) or “Receipt for payment of a fine for traffic violations” (on whose behalf letters are sent with such a theme, I think you guessed it).


Letter text and design

To make messages more credible, attackers actively use the logos of the companies in whose name they operate, their contact details and other information. In order not only to convince the recipient that the message is genuine but also to push him to open the attachment, they use notifications of errors in delivering an item (wrong recipient address, recipient absent, etc.), requests to take some action with a mention of possible sanctions for non-compliance, or phrases that say what is in the attachment (for example, "reconciliation statement", "bill of lading" or "invoice for payment").

In addition, the standard phrases typical of official mailings are used very often (something like "please do not reply to this email" or "this is an automatically generated email").

TYPES OF MALICIOUS ATTACHMENTS

Executable Attachment

Although most mail servers no longer let executable files through, this type of malicious attachment still occurs occasionally. As a rule, such a file is disguised as some harmless document (DOC or PDF) or an image.

At the same time, the matching icon is embedded in the file, and the file itself is named, for example, "invoice.pdf.exe" (in this case the .exe extension is very often separated from the file name by a large number of spaces so that it is not very visible).

Attachments with a password-protected archive

A password-protected archive lets the attacker bypass all anti-virus checks on mail servers, firewalls and security scanners. The malicious file itself, as in the first case, is disguised as something harmless. The most important thing here is to persuade the recipient to enter the password given in the message, unpack the attachment and open it.

Document attachment with exploit or malicious VBA script

Such a message can overcome the ban on sending executable files and, in many cases, the anti-virus checks on mail servers (especially if the exploit is fresh). The most commonly exploited vulnerabilities are:

- Adobe Acrobat Reader (CVE-2013-0640, CVE-2012-0775);
- Adobe Flash Player (CVE-2012-1535);
- MS Office (CVE-2012-0158, CVE-2011-1269, CVE-2010-3333, CVE-2009-3129).

In addition to exploits, MS Office documents with malicious VBA macros can be used as malicious attachments (yes, there are still people who do not prohibit macros in Word, and antiviruses do not always respond to such scripts).

Attached HTML documents

The message carries an HTML document with code that implements a drive-by attack. In many cases this method bypasses the anti-virus filters of mail servers as well as restrictions that block navigation through iframes.


Hyperlinks in the body of the email

As a rule, such messages contain no attachments; instead the body of the message contains several links leading to the same resource, which either hosts a bunch of exploits or redirects to another malicious resource. All of these links are disguised as links to respectable, safe sites or as plain text.
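As an added example (not the article's own code), the Python scanner below applies the defensive counterpart of the attachment types above to a constructed message: it classifies each attachment by its bytes rather than by the name or icon the sender chose, catching a PE header behind a .pdf name, a zip with the encryption flag set (password-protected archive, unscannable), an Office document carrying a vbaProject.bin (VBA macros), and an HTML attachment with script. The message, addresses and attachment contents are constructed for the example; the MZ and PK signatures, the zip flag bit and the vbaProject.bin entry name are standard format facts.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed, deliberately short list of directly executable extensions.
EXECUTABLE_EXTS = ("exe", "scr", "dll", "com", "js", "vbs", "hta", "cmd")


def make_zip(entries, encrypted=False):
    """Build an in-memory zip from {name: bytes} (constructed sample data).
    encrypted=True sets the 'encrypted' general-purpose flag (bit 0) in every
    local and central header, as a password-protected archive has; the entries
    are left readable only to keep the sample short."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + flag_offset] |= 0x01
                pos = raw.find(sig, pos + 1)
    return bytes(raw)


def inspect_attachment(filename, data):
    """Classify one attachment by its bytes, not by its name or icon."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data[:2] == b"MZ":  # DOS/PE executable header
        findings.append("PE executable (MZ header)")
        if ext not in EXECUTABLE_EXTS:
            findings.append(f"content does not match the .{ext} extension")
    elif data[:2] == b"PK":  # zip container: archives and OOXML documents
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return ["zip signature but the archive is unreadable"]
        if any(info.flag_bits & 0x01 for info in infos):
            findings.append("password-protected archive: contents cannot be scanned")
        names = [info.filename.lower() for info in infos]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("Office document containing a VBA macro project")
        if any(n.rsplit(".", 1)[-1] in EXECUTABLE_EXTS for n in names):
            findings.append("archive contains executable or script entries")
    elif data[:256].lstrip().lower().startswith((b"<!doctype html", b"<html")):
        script = b"<script" in data.lower()
        findings.append("HTML attachment" + (" with script" if script else ""))
    return findings


def scan_message(raw_message):
    """Parse a raw RFC 5322 message and return {attachment name: [findings]}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_message():
    """Constructed sample message with one attachment of each kind discussed.
    The 'executable' is just an MZ header followed by zeros, not a program."""
    msg = EmailMessage()
    msg["From"] = "Delivery Service <noreply@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Shipment documents"
    msg.set_content("Please see the attached documents.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(make_zip({"scan.exe": pe_stub}, encrypted=True),
                       maintype="application", subtype="zip", filename="docs.zip")
    docx = make_zip({"[Content_Types].xml": b"<Types/>",
                     "word/document.xml": b"<w:document/>",
                     "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
    msg.add_attachment(docx, maintype="application", subtype="octet-stream",
                       filename="report.docx")
    html = b"<html><body><script>/* constructed sample */</script></body></html>"
    msg.add_attachment(html, maintype="text", subtype="html", filename="order.html")
    return msg.as_bytes()
```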

CONCLUSION

Despite everything, spam mailings are still a very effective way to distribute malicious code. It can be assumed that as the number of vulnerabilities in software and hardware decreases, this method will be used more and more often, taking ever more sophisticated forms in order to exploit the most important vulnerability of any information system: its user.
