Transcript CVI / PRS Computer Virus Information / Propagation Research System

CVI / PRS
Computer Virus Information / Propagation Research System
Eric Miller and Brian Schill
CS 522
Why?
There are many viruses that are not
researched by the major virus detection
companies.
 We believe this project and research could
eventually lead to more successful
proactive virus detection systems.
 Exploring the capabilities of VMWare.

Setup and Tools
VMWare – Virtual operating system
 CVI / PRS – Custom software for
monitoring software
 Virus Types

VMWare




Windows 98 guest OS running on
Windows XP host.
Disabled networking
Easy restoration
Controlled environment
CVI / PRS
Java application that monitors virus activity
on the guest OS
 Run on the guest OS
 Watches for changes in the directory



DirWatcher.java
Virus Database
Virus Research Example
Virus types
Win32
 Worms
 Scripts


Example – Bee
Undocumented virus
 Run CVI / PRS for results

Example – Continued

Enter initial data into CVI / PRS
Example Continued

Run CVI / PRS
Interpretation of Results

Win32




Worms



Affected networking files (IPConfig, Traceroute, etc)
Deleted executables
Scripts



Typically deleted executables
Damaged system files/registries
Corrupted system beyond repair after several reboots
Replicated themselves efficiently
Search through file systems to attach themselves to other
scripting files
Our program effectively identified changes to the OS
Future Improvements



Differentiate between regular and irregular activity
Various launching capabilities
Better database scheme


Interpret results



Severity report, future capability prediction
Include database for cross-virus predictions and observations
Run the program from the host operating system,
monitoring the guest operating system


XML
Difficult restart
Monitor network ports and registry files
Footnotes

Thank you to individuals previously
involved in the project
Ben Abernathy
 Zach Thomas
 Michael May

Initial source code
 Viruses
