
Viruses 101 

What is a computer virus?
Like a biological virus, a computer virus is a program that executes and replicates itself without the knowledge of the "host," or in this case, the computer user. While a virus is not necessarily destructive in nature, some viruses can overwrite or corrupt files, rendering a computer useless.
According to the alt.comp.virus FAQ, you can define a computer virus as follows:
1. A virus is a program that is able to replicate - that is, create (possibly modified) copies of itself.

2. The replication is intentional, not just a side-effect.

3. At least some of the replicants are also viruses, by this definition.

4. A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.

So we can see that the definition of a computer virus follows very closely the definition of a biological virus.

What are the main types of viruses?
There are a few major types of viruses: boot sector viruses, file infectors, and macro viruses. According to our definition, worms are not technically viruses, since they do not attach themselves to a host program, but because they have become so common, we will discuss them here.

A boot sector virus is a virus that resides in a portion of a computer drive that is only read when the computer is booted up, at which time the virus is loaded into memory. Boot sector viruses often spread through floppy disks, which also have a boot sector which can become infected. If an infected floppy is left in the disk drive when a computer is booted up, the virus will be loaded into memory and can spread to other disks and computers. A well-known boot sector virus is the Michelangelo virus.

File infectors, as their name implies, "infect" files on a computer by attaching themselves to executable files. They do this by either appending their code to the file or overwriting portions of the file's code. The name is also used to describe viruses which do not attach themselves to a file, but rather associate themselves with a file name. The Romeo and Juliet virus, which recently spread throughout the campus, has a file infector portion. This file infector takes files with certain extensions, such as .jpg or .doc, and creates a virus file with the same name but with a .exe extension, so that a user might inadvertently execute virus code when he is attempting to open one of his documents.

A Multipartite virus combines the features of a boot sector virus and a file infector virus. Most of the time, an infected file is used to infect the boot sector.

Macro viruses are relatively new, but experts now estimate that they are the most common type of virus. A macro is a set of instructions within an application that can be used to automate tasks. While this sounds relatively harmless, macros can often perform system operations such as creating or deleting files, or writing into already existing files, and thus have the potential to cause a great deal of damage. Most macro viruses are written for Microsoft Word and Excel. These often work by infecting the template for a new document. Therefore, each time a new document is created, the virus replicates and executes. Macro viruses are especially dangerous because they can often be cross-platform, unlike most viruses, which are written for the PC only.

Worms are spread over computer networks, and are distinct from viruses in that they do not have a host file. However, worms today are commonly spread through e-mail. Oftentimes, there is an attachment to the e-mail, and when the user opens the attachment, the worm is executed. Worms commonly attempt to send copies of themselves to everyone in the user's address book. This tactic ensures that the worm will be spread, since many uninformed computer users will open any attachment if it is from someone they know. Typically, the attachment will be given a name meant to trick the user into thinking he is opening a file of another type. For example, the recent "Anna Kournikova" virus used an attachment named "AnnaKournikova.jpg.vbs." Some users will not notice the .vbs extension (signifying a Visual Basic script) and open the attachment, expecting to see a picture of Anna Kournikova.

What is more frightening, however, is that there are now viruses that can execute on a user's computer even if the user does not open the attachment. These viruses take advantage of a feature of many e-mail programs that displays embedded HTML code in the body of an e-mail, and exploit a security hole in Microsoft Outlook and Outlook Express which allows files to be copied to the user's computer without his knowledge or consent. The Romeo and Juliet virus is such a virus. However, users can protect themselves from these viruses by installing security patches. Besides destroying files on infected computers, some worms simply send so many copies of themselves through e-mail that they cause the e-mail servers to go down, which is a large inconvenience for schools and companies.
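Two of the tricks described above, the double-extension attachment name ("AnnaKournikova.jpg.vbs") and the file infector that plants a .exe beside a document of the same name, can both be caught by looking at file names alone. The following is an added example, not code from the original page or from any of the products it cites: it parses a constructed e-mail message, classifies each attachment by its real (last) extension, and separately flags executables that shadow a document in the same directory. The extension lists and the sample message are assumptions chosen for the demonstration.

```python
"""Defender-side checks for deceptive file names.  Added example; the
extension sets and the sample message are constructed for illustration."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes when the file is double-clicked ("opened").
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "exe", "com", "bat", "cmd",
                   "pif", "scr", "wsf", "wsh"}
# Extensions a user expects to open as data, not as code.
DATA_EXTS = {"jpg", "jpeg", "gif", "png", "doc", "xls", "txt", "pdf", "mp3"}


def classify_attachment(filename):
    """Return (verdict, reason).  verdict is 'executable', 'deceptive' or 'data'.
    Only the LAST extension decides how the file runs; anything before it is
    just part of the name, which is exactly what the worm relies on."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return ("data", "no extension")
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return ("data", f".{last} is not an executable type")
    if len(parts) >= 3 and parts[-2] in DATA_EXTS:
        return ("deceptive", f"looks like .{parts[-2]} but runs as .{last}")
    return ("executable", f".{last} executes on open")


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name,) + classify_attachment(name))
    return results


def find_shadow_executables(names):
    """Given the file names of one directory, return the executables whose
    base name matches a document there (e.g. 'report.doc' next to 'report.exe'),
    the pattern the file-infector text above describes."""
    def split(n):
        stem, _, ext = n.lower().rpartition(".")
        return (stem, ext) if stem else (ext, "")
    doc_stems = {split(n)[0] for n in names if split(n)[1] in DATA_EXTS}
    return sorted(n for n in names
                  if split(n)[1] in EXECUTABLE_EXTS and split(n)[0] in doc_stems)


def build_sample():
    """Constructed sample message (not a real worm): one deceptive attachment
    and one ordinary picture.  The attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Check this out"
    msg.set_content("Hi, have a look at the attached picture.")
    msg.add_attachment(b"' placeholder bytes, not a script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample()):
        print(f"{name!r}: {verdict} ({reason})")
    print(find_shadow_executables(["report.doc", "report.exe", "setup.exe"]))
```

The check deliberately ignores the MIME content type: the worm's attachment is labelled however the sender chooses, and the mail client decides what to do with it from the file name, so the name is the only reliable signal. A mail gateway would normally quarantine the "deceptive" verdict outright and merely warn on plain "executable".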

What is a stealth virus? What about a polymorphic virus? What other forms of viruses are there?
Stealth viruses are viruses which actively try to hide themselves from anti-virus software. They do this by taking over some system functions, so that when the anti-virus software reads a part of the hard drive the virus has changed, the virus returns the original, uninfected contents and the change goes undetected.

Polymorphic viruses are viruses which change slightly each time they are executed. These are meant to defeat anti-virus scanners which search for certain strings of code to identify viruses. Some virus writers have written toolkits so that novice users can write their own viruses. One such toolkit is called "Dark Avenger's Mutation Engine" and creates polymorphic viruses.

As their names imply, fast and slow infectors attempt to avoid detection by either quickly infecting all the files on a system or by infecting them slowly. Fast infectors often "piggyback" on anti-virus software so that when a scan is being run, each time the anti-virus software opens a file to scan it, the virus will infect that file. After a scan is complete, every file the anti-virus software has touched will be infected. Slow infectors take the opposite approach. They only infect a file when it is modified or created. This is so the modification times of files will appear legitimate to the user.

Sparse infectors infect only occasionally so that they might escape detection. For example, a virus which infects only the 20th time a file is executed would be a sparse infector.

Armored viruses are viruses which are designed to make disassembly difficult. Anti-virus researchers will often have to disassemble a virus's code to learn how it works and how to defeat it. Armored viruses deliberately make this process difficult so that it is less likely countermeasures can be discovered.

One way that a user might become suspicious of an infected program is if the file size increases suddenly, since the virus has attached its code to the program file. Cavity viruses attempt to get around this by installing themselves in empty space which sometimes exists in programs. This way, the infected file keeps a constant size.
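Because a cavity virus keeps the file size constant, a check based on size alone misses it; a cryptographic hash of the whole file does not. The following is an added example, not code from the original page: it records size and SHA-256 for a set of program files, then re-checks them and reports files whose contents changed even though their size did not. The two "program" files are constructed in a temporary directory, and the same-size modification is simulated by overwriting bytes inside a run of padding, so the script runs offline and touches nothing else on the system.

```python
"""File-integrity baseline: size plus SHA-256 per file.  Added example with
constructed sample files; not code from the original page."""
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for a file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(paths):
    """Map each path to its (size, hash) at baseline time."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Compare the current files to the baseline.  Returns
    path -> 'missing' | 'size changed' | 'content changed, size unchanged';
    unchanged files are omitted."""
    findings = {}
    for path, (size0, hash0) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        size1, hash1 = fingerprint(path)
        if size1 != size0:
            findings[path] = "size changed"
        elif hash1 != hash0:
            findings[path] = "content changed, size unchanged"
    return findings


def demo():
    """Constructed scenario: 'padded.exe' contains a run of zero bytes (the
    kind of empty space a cavity infector would occupy); 'plain.exe' does not.
    Returns (findings keyed by base name, size_of_padded_unchanged)."""
    d = tempfile.mkdtemp()
    try:
        padded = os.path.join(d, "padded.exe")
        plain = os.path.join(d, "plain.exe")
        with open(padded, "wb") as f:
            f.write(b"PROGRAM-CODE" + b"\x00" * 4096 + b"MORE-CODE")
        with open(plain, "wb") as f:
            f.write(b"PROGRAM-CODE")
        baseline = build_baseline([padded, plain])

        # Same-size modification: overwrite bytes inside the padding only.
        with open(padded, "r+b") as f:
            f.seek(len(b"PROGRAM-CODE"))
            f.write(b"X" * 64)
        # Appending modification: the classic "file grew" symptom.
        with open(plain, "ab") as f:
            f.write(b"APPENDED")

        findings = {os.path.basename(p): v
                    for p, v in check_baseline(baseline).items()}
        size_same = os.path.getsize(padded) == baseline[padded][0]
        return findings, size_same
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    findings, size_same = demo()
    print("padded.exe size unchanged:", size_same)
    for name, verdict in sorted(findings.items()):
        print(f"{name}: {verdict}")
```

One caveat follows directly from the stealth viruses described above: a virus that intercepts disk reads can hand the checker the original bytes, so the baseline comparison is only trustworthy when it is run from a clean boot disk, and the baseline itself must be stored where the infected system cannot rewrite it.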

Some anti-virus software has a component which runs in the background and constantly scans files on the system. A tunneling virus tries to install itself beneath the anti-virus software by directly intercepting the interrupt handlers of the OS, thus evading detection.

What are "Trojan Horses"? What about "droppers"? What do they have to do with viruses?
As in Homer's Iliad, a Trojan Horse is a program which has some hidden, generally malicious functionality that the user does not expect or know about. One function could be to execute a virus. Some Trojans appear to be anti-virus software, but actually themselves execute virus code. A widely accepted distinction between viruses and Trojans, however, is that Trojans do not self-replicate.

Droppers are programs that install viruses on computers. The point is that the dropper itself is not infected with a virus, and thus will not be detected by anti-virus software. Some droppers also have a component which can connect to the internet and download updates to the virus. The MTX virus has such a dropper.

So we can see that there are a myriad of virus types, and there is a constant battle between virus writers and anti-virus researchers to stay ahead of each other. However, vigilance and good security practices can keep any computer virus-free.

Sources

Symantec AntiVirus Research Center's Online Encyclopedia. http://www.symantec.com/avcenter/vinfodb.html

Computer Knowledge Virus Tutorial, CKnow.com. http://www.cknow.com/vtutor/vttypes.htm

VIRUS-L/comp.virus FAQ. http://www.landfield.com/faqs/computer-virus/alt-faq/

[alt.comp.virus] FAQ. http://www.landfield.com/faqs/computer-virus/alt-faq/

ZDNet: Help & How-To: Virus Types. http://www.zdnet.com/zdhelp/stories/main/0,5594,2309018-4,00.html

Hobbs, Scott. "Cyber Threats: Viruses, Worms, Trojans, and DoS Attacks." December 18, 2000. http://www.sans.org/infosecFAQ/malicious/threats.htm