Kaspersky ANTI-VIRUS 2009 User Manual

Dear User of Kaspersky Anti-Virus 2009!
Thank you for choosing our product. We hope that this documentation helps you in your work and provides answers regarding this software product.
Warning! This document is the property of Kaspersky Lab: all rights to this document are reserved by the copyright laws of the Russian Federation, and by international treaties. Illegal reproduction and distribution of this document or parts thereof will result in civil, administrative or criminal liability in accordance with the laws of the Russian Federation. Any type of reproduction or distribution of any materials, including in translated form, is allowed only with the written permission of Kaspersky Lab. This document and the graphic images it contains can be used exclusively for information, non-commercial or personal purposes.
This document may be amended without prior notification. For the latest version, refer to Kaspersky Lab's website at http://www.kaspersky.com/docs. Kaspersky Lab assumes no liability for the content, quality, relevance or accuracy of any materials used in this document for which the rights are held by third parties, or for the potential damages associated with using such documents.
This document includes registered and non-registered trademarks. All trademarks are the property of their owners.
© Kaspersky Lab, 1996-2008
Tel., fax: +7 (495) 797-8700, +7 (495) 645-7939, +7 (495) 956-7000
http://www.kaspersky.com/
http://support.kaspersky.com/
Revision date: 13.11.2008
TABLE OF CONTENTS
INTRODUCTION .................................................................................................. 5
Obtaining information about the application .................................................... 5
Sources of information to research on your own ....................................... 5
Contacting the Sales Department.............................................................. 6
Contacting the Technical Support service ................................................. 6
Discussing Kaspersky Lab applications on the web forum ........................ 8
What's new in Kaspersky Anti-Virus 2009....................................................... 8
Overview of application protection .................................................................. 9
Wizards and tools .................................................................................... 10
Support features ...................................................................................... 11
Heuristic analysis .................................................................................... 12
Hardware and software system requirements ............................................... 13
THREATS TO COMPUTER SECURITY ............................................................ 15
Threat applications ........................................................................................ 15
Malicious programs ................................................................................. 16
Viruses and worms ............................................................................ 16
Trojans ............................................................................................... 20
Malicious utilities ................................................................................ 26
Potentially unwanted programs ............................................................... 29
Adware .............................................................................................. 30
Pornware ........................................................................................... 30
Other Riskware programs .................................................................. 31
Methods of detecting infected, suspicious and potentially dangerous objects by the application ........................................................................ 35
INSTALLING THE APPLICATION ...................................................................... 36
Step 1. Searching for a newer version of the application .............................. 37
Step 2. Verifying the system satisfies the installation requirements .............. 38
Step 3. Wizard's greeting window ................................................................. 38
Step 4. Viewing the License Agreement ....................................................... 39
Step 5. Selecting the installation type ........................................................... 39
Step 6. Selecting the installation folder ......................................................... 40
4 Kaspersky Anti-Virus 2009
Step 7. Selecting application components to be installed ............................. 40
Step 8. Searching for other anti-virus software ............................................. 41
Step 9. Final preparation for the installation .................................................. 42
Step 10. Completing the installation .............................................................. 43
APPLICATION INTERFACE............................................................................... 44
Notification area icon .................................................................................... 44
Shortcut menu............................................................................................... 45
Main application window ............................................................................... 47
Notifications .................................................................................................. 50
Application settings window .......................................................................... 50
GETTING STARTED .......................................................................................... 52
Updating the application ............................................................................... 53
Security analysis ........................................................................................... 54
Scanning computer for viruses...................................................................... 54
Managing license .......................................................................................... 55
Subscription for the automatic license renewal ............................................. 56
Participating in the Kaspersky Security Network ........................................... 59
Security management ................................................................................... 60
Pausing protection ........................................................................................ 62
VALIDATING APPLICATION SETTINGS ........................................................... 64
Test the EICAR “virus” and its modifications ................................................. 64
Testing the HTTP traffic protection ............................................................... 68
Testing the SMTP traffic protection ............................................................... 68
Validating File Anti-Virus settings .................................................................. 69
Validating virus scan task settings ................................................................ 70
KASPERSKY SECURITY NETWORK DATA COLLECTION STATEMENT ...... 71
KASPERSKY LAB .............................................................................................. 77
CRYPTOEX LLC ................................................................................................ 80
MOZILLA FOUNDATION ................................................................................... 81
LICENSE AGREEMENT .................................................................................... 82
INTRODUCTION
IN THIS SECTION:
Obtaining information about the application ......................................................... 5
What's new in Kaspersky Anti-Virus 2009 ............................................................ 8
Overview of application protection ........................................................................ 9
Hardware and software system requirements .................................................... 13
OBTAINING INFORMATION ABOUT THE APPLICATION
If you have any questions regarding purchasing, installing or using the application, answers are readily available.
Kaspersky Lab has many sources of information, from which you can select the most convenient, depending on the urgency and importance of your question.
SOURCES OF INFORMATION TO RESEARCH ON YOUR OWN
You can use the Help system.
The Help system contains information on managing the computer protection: how to view the protection status, scan various areas of the computer and perform other tasks.
To open Help, click the Help link in the main application window, or press <F1>.
CONTACTING THE SALES DEPARTMENT
If you have questions regarding selecting or purchasing the application or extending the period of its use, you can phone Sales Department specialists in our Central Office in Moscow at:
+7 (495) 797-87-00, +7 (495) 645-79-39, +7 (495) 956-70-00.
The service is provided in Russian or English.
You can send your questions to the Sales Department to the e-mail address sales@kaspersky.com.
CONTACTING THE TECHNICAL SUPPORT SERVICE
If you already purchased the application you can obtain information about it from the Technical Support service by phone or via the Internet.
The Technical Support service specialists will answer your questions regarding the installation and use of the application and, if your computer has been infected, will help you eliminate the consequences of malware activity.
An e-mail request to the Technical Support service (for registered users only)
You can ask your question to the Technical Support Service specialists by filling out a Helpdesk web form (http://support.kaspersky.com/helpdesk.html).
You can write your question in Russian, English, German, French or Spanish.
To send an e-mail message with your question, you must enter the client number and password which you obtained during registration at the Technical Support service website.
Note
If you are not yet a registered user of Kaspersky Lab's applications, you can fill out a registration form at https://support.kaspersky.com/en/PersonalCabinet/Registration/Form/. During registration you will have to supply the activation code or key file name.
The Technical Support service will respond to your request in your Personal Cabinet at https://support.kaspersky.com/en/PersonalCabinet, and to the e-mail address you specified in your request.
In the request web form, describe the problem you encountered in as much detail as possible. Specify the following information in the mandatory fields:
Prompt type. Questions most frequently asked by users are grouped into special topics, for example Product installation/removal problem or Virus scan/removal problem. If there is no appropriate topic for your question, select the topic General Question.
Application name and version number.
Prompt text. Describe the problem you encountered in as much detail as possible.
Client number and password. Enter the client number and password which you received during registration at the Technical Support service website.
E-mail address. The Technical Support service will send their answer to this e-mail address.
Technical support by phone
If you have a problem which requires urgent help, you can call your nearest Technical Support office. You will need to supply identifying information (http://support.kaspersky.com/support/details) when you apply to Russian (http://support.kaspersky.com/support/support_local) or international (http://support.kaspersky.com/support/international) Technical Support. This will help our specialists to process your request as soon as possible.
DISCUSSING KASPERSKY LAB APPLICATIONS ON THE WEB FORUM
If your question does not require an urgent answer, you can discuss it with Kaspersky Lab's specialists and other Kaspersky software users in our web forum, located at http://forum.kaspersky.com/.
In this forum you can view existing topics, leave your replies, create new topics and use the search engine.
WHAT'S NEW IN KASPERSKY ANTI-VIRUS 2009
Kaspersky Anti-Virus 2009 (also referred to as “Kaspersky Anti-Virus” or “the application”) uses a totally new approach to data security, based on restricting each program's rights to access system resources. This approach helps prevent unwanted actions by suspicious and hazardous programs. The application's ability to protect each user's confidential data has also been considerably enhanced. The application now includes wizards and tools which substantially simplify specific computer protection tasks.
Let's review the new features of Kaspersky Anti-Virus 2009:
New Protection Features:
Scanning the operating system and installed software to detect and eliminate vulnerabilities maintains a high system security level and prevents hazardous programs penetrating your system.
The new Security Analyzer and Browser Configuration wizards facilitate scanning for, and elimination of, security threats and vulnerabilities in installed programs, and in the configuration of the operating system and browser.
Kaspersky Lab now reacts more quickly to new threats through the use of the Kaspersky Security Network, which gathers data about the infection of users' computers and sends it to Kaspersky Lab's servers.
The new System Restore wizard helps repair damage to your system arising from malware attacks.
New protection features for internet use:
Protection against internet intruders has been improved by including the addresses of phishing sites in the application's databases.
Secure use of instant messaging is provided by a tool which scans ICQ and MSN traffic.
The application’s new interface features:
The application's new interface reflects the comprehensive approach to information protection.
The high information capacity of dialog boxes helps the user make quick decisions.
The functionality for recording statistics and making reports has been extended. Filters can be used to select data from reports, a powerful and flexible tool which is irreplaceable for professionals.
OVERVIEW OF APPLICATION PROTECTION
Kaspersky Anti-Virus protects your computer against known and unknown threats, and against unwanted data. Each type of threat is processed by a separate application component. This makes setup flexible, with easy configuration options for all components, which can be tailored to the needs of a specific user or of the business as a whole.
Kaspersky Anti-Virus includes the following protective features:
Monitors system activities by user applications, preventing any dangerous actions by applications.
Protection components provide real-time protection of all data transfer and input paths through your computer.
Online Security provides protection against phishing attacks.
Virus scan tasks are used to scan individual files, folders, drives, specified areas, or the entire computer for viruses. Scan tasks can also be configured to detect vulnerabilities in installed user applications.
The updating component ensures the up to date status of both the application's modules and the databases used to detect malicious programs, hacker attacks and spam messages.
Wizards and tools facilitate the execution of tasks occurring during Kaspersky Anti-Virus's operation.
Support features, which provide information and assistance for working with the application and expanding its capabilities.
WIZARDS AND TOOLS
Ensuring computer security is a complex task which requires knowledge of the operating system's features and the methods used to exploit its weaknesses. Additionally, the volume and diversity of information about system security make its analysis and processing difficult.
To help solve specific tasks in providing computer security, the Kaspersky Anti-Virus package includes a set of wizards and tools.
Security Analyzer wizard performs computer diagnostics, searching for vulnerabilities in the operating system and in user programs installed on the computer.
Browser Configuration Wizard analyses the Microsoft Internet Explorer browser settings, evaluating them primarily from a security point of view.
System Restore wizard eliminates any traces of malware attacks on the system.
Rescue Disk wizard restores system functionality after a virus attack has damaged the operating system's files and made it impossible to restart the computer.
SUPPORT FEATURES
The application includes a number of support features which are designed to keep the application up-to-date, to expand the application’s capabilities, and to assist you in using it.
Kaspersky Security Network
Kaspersky Security Network is a system which automatically transfers
reports about detected and potential threats to Kaspersky Lab’s central database. This database allows Kaspersky Lab to respond more quickly to the most widespread threats, and to notify users about virus outbreaks.
License
When you purchase Kaspersky Anti-Virus, you enter into a licensing agreement with Kaspersky Lab which governs the use of the application, your access to application database updates, and Technical Support for a specified period of time. The term of use and other information necessary for the application’s full functionality are included in the license key file.
Using the License function you can obtain detailed information about your current license, purchase a new license or renew your current one.
Support
All registered Kaspersky Anti-Virus users can take advantage of our technical support service. To see information about how to receive technical support, use the Support function.
By following the links you can access the Kaspersky Lab product users' forum, send an error report to Technical Support, or give application feedback by completing a special online form.
You also have access to the online Technical Support and Personal User Cabinet Services. Our personnel are always happy to provide you with telephone support about the application.
HEURISTIC ANALYSIS
Heuristics are used in some real-time protection components, such as File Anti-Virus, Mail Anti-Virus, and Web Anti-Virus, and in virus scans.
Note
Using a combination of scanning methods ensures greater security.
Scanning objects using the signature method, which uses a database containing descriptions of all known threats, gives a definite answer as to whether a scanned object is malicious, and what danger it presents. The heuristic method, unlike the signature method, aims to detect the typical behavior of objects rather than their static content, but cannot provide the same degree of certainty in its conclusions.
The advantage of heuristic analysis is that it detects malware that is not registered in the database, so that you do not have to update the database before scanning. Because of this, new threats are detected before virus analysts have encountered them.
However, there are methods for circumventing heuristics. One such evasion technique is for the malicious code to freeze its activity as soon as it detects that it is being examined by the heuristic scan.
When scanning an object, the heuristic analyzer emulates the object’s execution in a secure virtual environment provided by the application. If suspicious activity is discovered as the object executes, it will be deemed malicious and will not be allowed to run on the host, and a message will be displayed requesting further instructions from the user:
Quarantine the object, allowing the new threat to be scanned and processed later using updated databases.
Delete the object.
Skip (if you are positive that the object cannot be malicious).
To use heuristic methods, check the box Use heuristic analyzer and move the scan detail slider to one of these positions: Shallow, Medium, or Detailed. The level of detail of the scan provides a balance between the thoroughness, and hence the quality, of the scan for new threats, and the load on operating system resources and the scan's duration. The higher you set the heuristics level, the more system resources the scan will require, and the longer it will take.
Warning!
New threats detected using heuristic analysis are quickly analyzed by Kaspersky Lab, and methods for disinfecting them are added to the hourly database updates.
If you regularly update your databases, you will be maintaining the optimal level of protection for your computer.
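The contrast the manual draws between the signature method (a definite answer for objects already in the database) and the heuristic method (a verdict on observed behaviour, at a cost that grows with scan depth) can be modelled in a few lines. The Python script below is an added example, not code from the manual or from Kaspersky Lab. Its signature database, the behaviour weights, the verdict threshold, and the assumption that the Shallow/Medium/Detailed setting caps how many emulated events are examined are all constructed; the event traces are made up rather than recorded from real samples.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# --- Signature method: exact match against a database of known threats. ---
# Constructed database: the SHA-256 of a hypothetical known-bad file body.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-known-malware-body"
SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Trojan.Constructed.A",
}


def signature_scan(blob: bytes) -> Optional[str]:
    """Definite answer for a known object; None for anything not in the database."""
    return SIGNATURES.get(hashlib.sha256(blob).hexdigest())


# --- Heuristic method: score what the object does while it is emulated. ---
# An emulated event is (action, target). Weights and threshold are constructed;
# a real analyzer has far richer rules than this.
Event = Tuple[str, str]
SUSPICIOUS_WEIGHTS: Dict[Event, int] = {
    ("file_write", "%STARTUP%"): 4,                                   # self-copy to autorun folder
    ("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"): 4,  # persistence
    ("process_open", "explorer.exe"): 3,                              # access to a foreign process
    ("net_connect", "unknown_host"): 2,
}
VERDICT_THRESHOLD = 5

# Modelling assumption for the scan-detail slider: each level caps the number of
# emulated events the analyzer examines, which is what makes deeper scans slower.
DEPTH_LIMIT = {"shallow": 25, "medium": 100, "detailed": 1000}


def heuristic_scan(trace: List[Event], level: str) -> Tuple[bool, int, int]:
    """Examine at most DEPTH_LIMIT[level] events of the emulated run.

    Returns (malicious, score, events_examined). Stops early once the score
    reaches the threshold, since the verdict is already decided."""
    score = 0
    examined = 0
    for event in trace[: DEPTH_LIMIT[level]]:
        examined += 1
        score += SUSPICIOUS_WEIGHTS.get(event, 0)
        if score >= VERDICT_THRESHOLD:
            break
    return score >= VERDICT_THRESHOLD, score, examined


# Constructed traces (not recorded from real programs).
# BENIGN_TRACE: an ordinary application that reads config, logs, and checks updates.
BENIGN_TRACE: List[Event] = [
    ("file_read", "config.ini"),
    ("file_write", "%APPDATA%\\app.log"),
    ("net_connect", "update.vendor.example"),
] * 10

# LATE_ACTOR_TRACE: forty harmless reads, then persistence and process access.
# A shallow scan never reaches the suspicious tail; a medium scan does.
LATE_ACTOR_TRACE: List[Event] = [("file_read", "config.ini")] * 40 + [
    ("file_write", "%STARTUP%"),
    ("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("process_open", "explorer.exe"),
]


def scan(blob: bytes, trace: List[Event], level: str) -> str:
    """Combined check in the order the text describes: signatures first, heuristics after."""
    name = signature_scan(blob)
    if name:
        return f"known: {name}"
    malicious, score, n = heuristic_scan(trace, level)
    verdict = "malicious" if malicious else "clean"
    return f"heuristic: {verdict} (score {score}, {n} events examined)"


if __name__ == "__main__":
    print(scan(KNOWN_BAD_SAMPLE, [], "shallow"))
    print(scan(b"unknown-file", BENIGN_TRACE, "medium"))
    for level in ("shallow", "medium", "detailed"):
        print(level, scan(b"unknown-file", LATE_ACTOR_TRACE, level))
```

The late-acting sample is the point of the example: the signature check says nothing about it, the shallow heuristic scan runs out of budget before the suspicious events and reports it clean, and the medium scan catches it at the cost of examining more events. That is the thoroughness-versus-load trade-off the slider controls.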
HARDWARE AND SOFTWARE SYSTEM REQUIREMENTS
For the application to function normally, the computer must meet these minimum requirements:
General requirements:
75 MB free hard drive space.
CD-ROM (for installation of the application from the installation CD).
A mouse.
Microsoft Internet Explorer 5.5 or higher (for updating the application's databases and software modules via the Internet).
Microsoft Windows Installer 2.0.
Microsoft Windows XP Home Edition (SP2 or above), Microsoft Windows XP Professional (SP2 or above), Microsoft Windows XP Professional x64 Edition:
Intel Pentium 300 MHz processor or higher (or a compatible equivalent).
256 MB RAM.
Microsoft Windows Vista Starter x32, Microsoft Windows Vista Home Basic, Microsoft Windows Vista Home Premium, Microsoft Windows Vista Business, Microsoft Windows Vista Enterprise, Microsoft Windows Vista Ultimate:
Intel Pentium 800 MHz 32-bit (x86) / 64-bit (x64) processor or higher (or a compatible equivalent).
512 MB RAM.
THREATS TO COMPUTER SECURITY
IN THIS SECTION:
Threat applications ............................................................................................. 15
Computer security can be compromised by threat applications, spam, phishing, hacker attacks, adware and banners. The main source of these threats is the internet.
THREAT APPLICATIONS
Kaspersky Anti-Virus can detect thousands of malware programs that may reside on your computer. Some of these programs represent a constant threat to your computer, while others are only dangerous in certain conditions. After the application detects a malware application, it classifies it and assigns it a danger level (high or medium).
Kaspersky Lab's virus analysts distinguish two main categories of threat application: malware programs and potentially unwanted programs.
Malware programs (Malware) (see page 16) are created to damage the computer and its user: for example, to steal, block, modify or erase information, or to disrupt the operation of a computer or a computer network.
Potentially unwanted programs (PUPs) (see page 29), unlike malware programs, are not intended solely to inflict damage but can assist in penetrating a computer’s security system.
The Virus Encyclopedia (http://www.viruslist.com/en/viruses/encyclopedia) contains a detailed description of these programs.
MALICIOUS PROGRAMS
Malicious programs (“malware”) are created specifically to inflict harm on computers and their users: to steal, block, modify or erase information, or to disrupt the operation of computers or computer networks.
Malware programs are divided into three subcategories: viruses and worms, Trojan programs and malware utilities.
Viruses and worms (Viruses_and_Worms) (see page 16) can create copies of themselves, which in turn spread and reproduce again. Some of them run without the user's knowledge or participation, others require actions on the user's part to be run. These programs perform their malicious actions when executed.
Trojan programs (Trojan_programs) (see page 20) do not create copies of themselves, unlike worms and viruses. They infect a computer, for example, via e-mail or via a web browser when the user visits an infected website. They must be launched by the user, and perform their malicious actions when run.
Malware utilities (Malicious_tools) (see page 26) are created specifically to inflict damage. However, unlike other malware programs, they do not perform malicious actions as they are run and can be safely stored and run on the user's computer. They have functions which hackers use to create viruses, worms and Trojan programs, to arrange network attacks on remote servers, hack computers or perform other malicious actions.
VIRUSES AND WORMS
Subcategory: viruses and worms (Viruses_and_Worms)
Severity level: high
Classic viruses and worms perform unauthorized actions on the infected computer, including replicating and spreading themselves.
Classic virus
After a classic virus infiltrates the system, it infects a file, activates itself, performs its malicious action, and adds copies of itself to other files.
Classic viruses reproduce only within the local resources of the infected computer, but cannot independently penetrate other computers. Distribution to other computers can occur only if the virus adds itself to a file stored in a shared folder or on a CD, or if the user forwards an e-mail message with an infected attachment.
The code of a classic virus is usually specialized to penetrate a particular area of a computer, operating system or application. Based on the environment, there is a distinction between file, boot, script and macro viruses.
Viruses can infect files using various methods. Overwriting viruses write their own code to replace the code of the infected file, destroying the original contents of the file. The infected file stops working and cannot be disinfected. Parasitic viruses modify files leaving them fully or partially operating. Companion viruses do not modify files but duplicate them, so that when the infected file is opened, its duplicate, that is the virus, will run instead. Other types of viruses include link viruses, OBJ viruses that infect object modules, LIB viruses that infect compiler libraries, and viruses that infect the source code of programs.
Worm
After it penetrates the system, a network worm, similarly to the classic virus, becomes activated and performs its malicious action. The network worm is named for its ability to tunnel secretly from one computer to another, to propagate itself through various information channels.
Worms are categorized by their primary method of proliferation, as listed in the table below:
TYPE | NAME | DESCRIPTION
Email-Worm | E-mail worms | E-mail worms infect computers via e-mail. The infected message has an attached file containing either a copy of a worm, or a link to a worm file uploaded to a website. The website is usually either one that has been hacked, or is the hacker's own site. When the attachment is opened the worm is activated; alternatively, when you click the link, download and open the file, the worm will become active. After this the worm will continue reproducing by finding other e-mail addresses and sending infected messages to them.
IM-Worm | IM worms | These worms propagate through IM (instant messaging) clients, such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager and Skype. Usually these worms use contact lists to send messages containing a link to a worm file on a website. When a user downloads and opens the file, the worm is activated.
IRC-Worms | IRC worms | Worms of this type get into computers through Internet Relay Chat (IRC) channels, which are used to communicate with other people via the internet in real time. These worms publish on the internet chat channel either a copy of the worm file, or a link to the file. When a user downloads and opens the file, the worm will be activated.
Table 1. Worms categorized by the method of proliferation
Net-Worms | Network worms (worms residing in computer networks) | These worms are distributed via computer networks. Unlike other types of worms, network worms propagate without the user's participation. They search the local area network for computers which host programs containing vulnerabilities. They do this by broadcasting a special network packet (exploit) containing the worm's code or a part of its code to each computer. If there is a vulnerable computer in the network, it will be infiltrated by the packet. Once the worm fully penetrates the computer, it becomes active.
P2P-Worm | File exchange worms | File exchange worms propagate through file-exchange peer-to-peer networks, such as Kazaa, Grokster, EDonkey, FastTrack or Gnutella. To use a file exchange network, the worm copies itself into the file-exchange folder which is usually located on the user's computer. The file-exchange network displays information about the file and the user can find the infected file in the network, like any other file, download it and open it. More complex worms imitate the network protocols of a specific file exchange network: they provide positive responses to search requests and offer copies of themselves for downloading.
Worm | Other worms | Other network worms include: worms that distribute their copies via network resources (using the operating system's functionality, they go through available network folders, connect to computers in the global network and attempt to open their drives for full access; unlike computer network worms, the user has to open a file containing a copy of the worm to activate it); and worms that use other propagation methods not listed here, for example, worms propagating via mobile phones.
TROJANS
Subcategory: Trojans (Trojan_programs)
Severity level: high
Unlike worms and viruses, Trojan programs do not create copies of themselves. They infect a computer, for example, via an infected e-mail attachment, or through a web browser when the user visits an infected website. Trojan programs must be launched by the user, and start performing their malicious actions as they run.
Trojan programs can perform a range of malicious actions. The major functions of Trojans are blocking, modifying and erasing data, and disrupting the operation of computers or computer networks. Additionally, Trojan programs can receive and send files, run them, display messages, access web pages, download and install programs and restart the infected computer.
Intruders often use sets consisting of complementary Trojan programs.
The different types of Trojan programs and their behavior are described in the table below.
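One entry in the table that follows, Trojan-ArcBomb, describes archives that expand on unpacking to a size that disrupts the computer, which is why the manual singles out file and mail servers with automatic processing. As an added example, not code from the manual or from Kaspersky Lab, the Python script below shows two checks a server-side pipeline can apply: a pre-check on the sizes declared in the archive's central directory (no extraction needed), and a byte budget enforced on the data actually produced during extraction, which still holds if the declared sizes lie. The thresholds and the sample archives are constructed.

```python
import io
import os
import zipfile

# Constructed policy values, not taken from the manual.
MAX_RATIO = 100                          # declared uncompressed:compressed above this is suspicious
MAX_DECLARED_BYTES = 50 * 1024 * 1024    # refuse archives declaring more than 50 MiB of output
EXTRACT_BUDGET = 1 * 1024 * 1024         # hard cap on bytes actually produced while unpacking


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory and compute the declared size statistics."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        stored = sum(i.compress_size for i in infos)
    ratio = declared / max(stored, 1)
    return {
        "members": len(infos),
        "declared_bytes": declared,
        "stored_bytes": stored,
        "ratio": ratio,
        "suspicious": ratio > MAX_RATIO or declared > MAX_DECLARED_BYTES,
    }


def extract_with_budget(data: bytes, budget: int = EXTRACT_BUDGET) -> int:
    """Decompress member by member in chunks, counting the bytes really produced.

    Headers can be forged, so the budget is checked against actual output and
    extraction aborts as soon as it is exceeded. Returns total bytes produced;
    raises ValueError on overrun. Output is discarded here; a real pipeline
    would write each chunk to disk inside the loop."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > budget:
                        raise ValueError(
                            f"aborted: {info.filename} pushed output past {budget} bytes")
    return produced


def extraction_is_stopped(data: bytes, budget: int = EXTRACT_BUDGET) -> bool:
    """True if the budget guard aborts extraction of this archive."""
    try:
        extract_with_budget(data, budget)
    except ValueError:
        return True
    return False


def build_zip(members: dict) -> bytes:
    """Construct a Deflate-compressed archive in memory from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a benign archive of incompressible data, and a bomb made of
# 16 MiB of zero bytes, which Deflate shrinks to a few kilobytes.
BENIGN_ZIP = build_zip({"report.bin": os.urandom(10 * 1024)})
BOMB_ZIP = build_zip({"zeros.bin": b"\x00" * (16 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        stats = inspect_zip(blob)
        print(label, stats)
        if stats["suspicious"]:
            print("  rejected before extraction")
            continue
        print("  extracted", extract_with_budget(blob), "bytes")
```

The pre-check is cheap and catches the ordinary case; the budget guard is what protects the server when the metadata is dishonest or when the pre-check is skipped. Nested archives are a separate matter: the central directory of the outer file says nothing about what the inner members expand to, so each level of unpacking has to go through the same two checks.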
TYPE | NAME | DESCRIPTION
Trojan-ArcBomb | Trojan programs: archive bombs | Archives which when unpacked increase to a size that disrupts the computer's operation. When you attempt to unpack the archive, the computer may start working slowly or freeze, and the disk may be filled with empty data. “Archive bombs” are especially dangerous for file and mail servers. If an automatic incoming information processing system is used on the server, such an archive bomb can stop the server.
Backdoor | Remote administration Trojan programs | These programs are considered the most dangerous among Trojan programs; function-wise they are similar to off-the-shelf remote administration programs. These programs install themselves without the user's knowledge, and give the intruder remote management of the computer.
Trojans | Trojans | Trojans include the following malicious programs: classic Trojan programs, which only perform the major functions of Trojan programs (blocking, modifying or erasing data, disrupting the operation of computers or computer networks) and do not have the additional functions characteristic of other types of Trojan programs described in this table; and multi-purpose Trojan programs, which do have additional functions characteristic of several types of Trojan programs.
Table 2. Types of trojan programs categorized by behavior on the infected computer
Trojan-Ransoms | Trojan programs requiring a ransom | They take hostage information on the user's computer, modifying or blocking it or disrupting the computer's operation so that the user cannot use the data. Then the intruder demands a ransom from the user, in exchange for a promise to send the program that will restore the computer's operability.
Trojan-Clickers | Trojan-Clickers | These programs access web pages from the user's computer: they send a command to the web browser, or replace web addresses stored in the system files. Using these programs the intruders arrange network attacks, or increase the traffic to particular sites to boost revenues from displaying ad banners.
Trojan-Downloaders | Trojan downloader programs | These programs access the intruder's web page, download other malware programs from it, and install them on the user's computer. They can either store the filename of the downloadable malware program in their own code, or receive it from the web page they access.
Threats to computer security 23
TYPE: Trojan-Droppers
NAME: Trojan program droppers
DESCRIPTION: These programs save programs containing other Trojan programs on the computer's disk and then install them.
Intruders can use Trojan-Droppers in different ways:
- to install malware programs without the user's knowledge: Trojan-Droppers either do not display any messages, or display false messages, for example, notifying about an error in an archive or about using the wrong version of the operating system;
- to protect another known malware program from being detected: not every anti-virus program can detect a malware program located inside a Trojan-Dropper.

TYPE: Trojan-Notifiers
NAME: Trojan-Notifiers
DESCRIPTION: They notify the intruder that the infected computer is connected, and then transfer information about the computer to the intruder, including its IP address, the number of an open port or the e-mail address. They communicate with the intruder using a number of methods, including e-mail, FTP, and accessing the intruder's web page.
Trojan-Notifiers are often used in sets of complementary Trojan programs. They notify the intruder that other Trojan programs have been successfully installed on the user's computer.
TYPE: Trojan-Proxies
NAME: Trojan-Proxies
DESCRIPTION: They allow the intruder to access web pages anonymously using the identity of the user's computer, and are often used to send spam.

TYPE: Trojan-PSWs
NAME: Trojans stealing passwords
DESCRIPTION: Trojans stealing passwords (Password Stealing Ware); they steal users' accounts, for example, software registration information. They find confidential information in system files and in the registry and send it to their developer using methods which include e-mail, FTP, and accessing the intruder's website.
Some of these Trojan programs fall into specific types described in this table, including Trojan-Bankers, Trojan-IMs and Trojan-GameThieves.

TYPE: Trojan-Spies
NAME: Trojan spy programs
DESCRIPTION: These programs are used for spying on the user: they collect information about the user's actions on the computer; for example, they intercept data entered by the user at the keyboard, make snapshots of the screen and collect lists of active applications. After they collect this information, they transfer it to the intruder using methods including e-mail, FTP, or accessing the intruder's website.

TYPE: Trojan-DoS
NAME: Trojan programs: network attacks
DESCRIPTION: For a Denial-of-Service (DoS) attack, the Trojan sends numerous requests from the user's computer to a remote server. The server exhausts its resources processing these requests and stops functioning. These programs are often used to infect multiple computers to make a combined attack on the server.
TYPE: Trojan-IMs
NAME: Trojan programs stealing personal data of IM client users
DESCRIPTION: These programs steal numbers and passwords of IM client users (instant messaging programs), such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager or Skype. They transfer information to the intruder using methods which include e-mail, FTP, and accessing the intruder's website.

TYPE: Rootkits
NAME: Rootkits
DESCRIPTION: These programs conceal other malware programs and their activity and thus extend the existence of such programs in the system. They hide files, processes in the memory of an infected computer, or registry keys used by the malware programs, or conceal data exchange between applications installed on the user's computer and other computers in the network.

TYPE: Trojan-SMS
NAME: Trojan programs: SMS messages
DESCRIPTION: These programs infect mobile phones and send SMS messages to numbers for which the user of the infected phone is charged.

TYPE: Trojan-GameThieves
NAME: Trojan programs stealing personal data of the users of network games
DESCRIPTION: These programs steal the account information of network game users; they then transfer this information to the intruder using methods including e-mail, FTP, or accessing the intruder's website.

TYPE: Trojan-Bankers
NAME: Trojan programs stealing banking account information
DESCRIPTION: These programs steal banking account information or electronic/digital money account information; they transfer the data to the intruder using methods including e-mail, FTP, or accessing the intruder's website.
TYPE: Trojan-Mailfinders
NAME: Trojan programs that collect e-mail addresses
DESCRIPTION: These programs collect e-mail addresses on the computer and transfer them to the intruder using methods including e-mail, FTP, and accessing the intruder's website. The intruder can use the collected addresses to send spam.
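The Trojan-ArcBomb row above notes that archive bombs are most dangerous where an automatic incoming-file processing system unpacks archives unattended. The following is an added example of the pre-extraction checks such a system should perform; it is not code from Kaspersky Anti-Virus or this manual, and the size and ratio limits, the function names and the constructed sample archive are assumptions chosen for illustration. It combines two defences: inspecting the declared sizes in the zip central directory (cheap, catches the classic tiny-file-huge-expansion signature) and enforcing a hard byte budget while streaming the member out, because the declared size in a header can be forged.

```python
"""
Pre-extraction checks against archive bombs (the Trojan-ArcBomb class).

Two defences combined:
  1. Inspect the central directory: declared uncompressed size and
     expansion ratio of every member, summed over the whole archive.
  2. Never trust those declared sizes alone: extract through a byte
     budget, so a member whose header lies is cut off at the cap.
"""
import io
import zipfile

# Policy limits (hypothetical values chosen for this example).
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024   # 64 MiB declared per archive
MAX_MEMBER_RATIO = 100.0                    # uncompressed / compressed
MIN_SIZE_FOR_RATIO = 1024 * 1024            # only judge ratio on members >= 1 MiB
CHUNK = 64 * 1024                           # streaming read size


class ArchiveBombError(Exception):
    """Raised when an archive fails a size or ratio check."""


def inspect_zip(data: bytes,
                max_total: int = MAX_TOTAL_UNCOMPRESSED,
                max_ratio: float = MAX_MEMBER_RATIO,
                min_size_for_ratio: int = MIN_SIZE_FOR_RATIO):
    """Check the central directory; return (total_declared, worst_ratio).

    Raises ArchiveBombError if a large member's declared expansion ratio,
    or the archive's total declared size, exceeds the limits. Small but
    highly compressible members (e.g. zero-filled sparse files) are common
    and harmless, so the ratio test is gated on declared size.
    """
    total = 0
    worst = 0.0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Guard against division by zero for empty members.
            ratio = info.file_size / max(info.compress_size, 1)
            worst = max(worst, ratio)
            total += info.file_size
            if info.file_size >= min_size_for_ratio and ratio > max_ratio:
                raise ArchiveBombError(
                    f"{info.filename}: ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
            if total > max_total:
                raise ArchiveBombError(
                    f"declared total {total} bytes exceeds {max_total}")
    return total, worst


def safe_extract_member(data: bytes, name: str, budget: int) -> bytes:
    """Stream one member out of the archive under a hard byte budget.

    The declared file_size is only a hint: the decompressor is read in
    chunks and stopped as soon as the budget is exhausted, so a forged
    header cannot be used to fill the disk. Returns the extracted bytes.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        with zf.open(name) as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    break
                out.extend(chunk)
                if len(out) > budget:
                    raise ArchiveBombError(
                        f"{name}: exceeded extraction budget of {budget} bytes")
    return bytes(out)


def build_sample_zip(member_size: int) -> bytes:
    """Constructed sample archive: a small text file plus one all-zero
    member, which deflate shrinks by roughly 1000:1 (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample archive\n")
        zf.writestr("payload.bin", b"\x00" * member_size)
    return buf.getvalue()


def classify(data: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' for an incoming archive."""
    try:
        inspect_zip(data)
        return "ok"
    except ArchiveBombError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(classify(build_sample_zip(256 * 1024)))        # small: accepted
    print(classify(build_sample_zip(8 * 1024 * 1024)))   # 8 MiB at ~1000:1: rejected
```

On a mail or file server the central-directory check runs before any decompression, and the streaming budget applies during extraction; neither replaces the other, because the first is fast but trusts the header and the second is authoritative but costs CPU. Nested archives should be counted against the same budget at every depth.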
MALICIOUS UTILITIES
Subcategory: malicious utilities (Malicious_tools)
Severity level: medium
These utilities are designed specifically to inflict damage. However, unlike other malware programs, they are tools used primarily to attack other computers, and can be safely stored and run on the user's computer. These programs provide functionality to help create viruses, worms and Trojan programs, to arrange network attacks on remote servers, to hack computers, and to perform other malicious actions.
There are many types of malicious utilities with different functions, which are described in the table below.

Table 3. Malware utilities grouped by function

TYPE: Constructor
NAME: Constructors
DESCRIPTION: Constructors are used to create new viruses, worms and Trojan programs. Some constructors have a standard Windows interface, allowing the hacker to select the type of malicious program to be created, the method this program will use to resist debugging, and other similar properties.

TYPE: DoS
NAME: Network attacks
DESCRIPTION: Denial-of-Service (DoS) programs send numerous requests from the user's computer to the remote server. The server then exhausts its resources processing the requests, and stops functioning.

TYPE: Exploit
NAME: Exploits
DESCRIPTION: An exploit is a set of data, or a piece of program code, which uses an application's vulnerabilities to perform a malicious action on the computer. For example, exploits can write or read files, or access infected web pages.
Different exploits use the vulnerabilities of different applications or network services. An exploit can be sent over the network to multiple computers in the form of a network packet, searching for computers with vulnerable network services. An exploit can also be embedded in a document: for example, an exploit contained in a DOC file targets vulnerabilities of text editors, and when the user opens the infected file it can start performing the functions programmed by the intruder. An exploit contained in an e-mail message targets vulnerabilities in e-mail client programs; it can start performing its malicious action as soon as the user opens the infected message using this program.
Exploits are also used to distribute network worms (Net-Worm). Exploit-Nukers are network packets that make computers inoperative.

TYPE: FileCryptors
NAME: File cryptors
DESCRIPTION: File cryptors encrypt other malicious programs to hide them from anti-virus applications.