Types Of Viruses

Thousands of viruses exist today, and more are being created each day. Computer viruses exist in Windows, OS/2, Mac, DOS, and UNIX environments.
Computer viruses can be classified into the following categories:
Boot Sector Virus
Boot sector viruses are the most common type of virus. A boot sector virus infects hard drives and floppy disks by placing itself in the disk's boot sector, which holds the code that is run at boot-up. The boot sector code on a diskette is executed only when the PC is turned on or rebooted with a diskette in the A: drive. Booting from an infected floppy allows the virus to transfer from the floppy to the hard drive. These viruses are loaded first and gain control of the system before MS-DOS can be loaded. Since the virus runs before the operating system, it is not MS-DOS specific and can infect any PC operating system. These viruses stay in RAM and infect every disk that is read by the computer until the computer is rebooted. If the PC is turned on or rebooted without a diskette in the A: drive, the system executes the code in the Master Boot Record of the hard disk. An infected Master Boot Record activates the virus every time the PC boots from the hard disk. When the virus is active, it seeks to infect diskettes accessed on that PC. Eventually one of the infected diskettes can be distributed to other users, and the pattern of infection repeats. This method of transmission may appear inefficient, but boot sector viruses are one of the most widespread types of computer virus infecting IBM-compatible personal computers.
File Virus
A file virus infects applications. It attaches itself to files containing executable code, most often files with a COM or EXE file name extension and sometimes files with extensions such as SYS, OVL, PRG, or MNU. These viruses spread when the host programs are copied, transferred or downloaded. When the host program is run, the virus code becomes active and capable of infecting other programs. The host program often appears to function normally while the virus operates in the background. The virus may remain active in the computer’s memory even after the host program has been closed. Thousands of different file-infecting viruses exist, but, as with boot sector viruses, the majority of them operate in a 16-bit DOS environment. Some, however, have successfully infected the Microsoft Windows, IBM OS/2, and Apple Macintosh environments.
Macro Virus
Macro viruses are written in the macro language of specific computer programs, such as Word or Excel. These applications allow the user to embed a macro in a document and have the macro execute each time the document is opened. These viruses are usually transmitted by e-mail. Once a macro virus gets onto the computer, it can embed itself in all future documents the user creates with the application. When the document is opened, the macro virus disables the Tools macro in Word so that users can’t see the virus listed. The virus then selects 50 contacts from Microsoft Outlook and sends itself to them via e-mail. Macro viruses can be written with very little specialist knowledge, and they can spread to any platform (Windows 3.1, WFW 3.11, Win 95, Windows NT, and Macintosh) on which the application runs. According to some estimates, 75% of all viruses today are macro viruses.
Multipartite Virus
Multipartite viruses infect both executable files and boot sectors, and sometimes floppy boot sectors too. They are called multipartite because they infect in multiple ways rather than targeting a specific disk location or file type. When the user runs a file infected with a multipartite virus, the virus infects the boot sector. The next time the user boots the system, the virus activates again, sits in memory, and infects every program the user runs.
Polymorphic Virus
A polymorphic virus is a virus that can change its own code, allowing it to have hundreds, sometimes thousands, of different variants. Some polymorphic viruses use different encryption schemes and require different decryption routines. This way the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary their instruction sequences and use false commands in an attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation engine and random-number generators to change the virus code and its decryption routine. Polymorphic computer viruses are difficult to detect. Anti-virus solution providers use their virus protection technology to create generic decryption routines that expose the virus.
Stealth Virus
A stealth virus is a virus that hides its tracks after infecting the computer. It is able to hide the modifications it has made to files or to the boot sector. Stealth viruses escape normal anti-virus detection efforts because they contain a unique code. The stealth virus is a type of polymorphic virus. For example, a boot sector virus may copy the original boot sector to somewhere else on the hard disk, then wait for attempts by other programs to look at the actual boot sector. If the virus detects such an attempt by, say, an anti-virus program, it intercepts the attempt and redirects the anti-virus program to the original boot sector sitting out on the hard disk. The anti-virus program then reports that all is well with the boot sector, and the virus goes undetected.
Malicious Code That Is Not A Virus
What is the difference between a Virus, Trojan Horse and Worm?
A virus must execute itself. It will often place its own code in the path of execution of another program. It must also replicate itself. For example, it may replace other executable files with a copy of the virus-infected file. Viruses can infect desktop computers and network servers. Trojans, on the other hand, do not replicate themselves as viruses do. Trojans contain malicious code that, when triggered, causes loss or even theft of data. Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file.
Trojan Horse
The term Trojan horse comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the inhabitants of Troy drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy. Like the Homeric horse, a Trojan horse is a program that the user voluntarily welcomes into the computer system because he expects it to be benign. It could be a digital greeting card, a pong game, or any executable program. Once it enters the system, the Trojan performs a malicious act. A Trojan horse doesn’t replicate, but once the system is infected, users will pass it on and replicate the virus on their own. Trojan horses are a hacker’s favorite tools because they can be programmed to probe a network for passwords and back doors, and then send this data back to the hacker. Two of the most famous Trojans are Back Orifice and NetBus.
Worm
Like a virus, a worm program replicates, but it doesn’t infect other files. Worms spread by diskette or network connections, especially e-mail and chat. On a single machine, the danger of a worm is that it will replicate so many times that it fills the hard drive and chokes the computer system. Today, worms are commonly spread through e-mail. Oftentimes there is an attachment to the e-mail, and when the user opens the attachment, the worm is executed. Worms commonly attempt to send copies of themselves to everyone in the user's address books. This method ensures that the worm will spread, since many uninformed computer users will open any attachment if it is from someone they know. Typically, the attachment is given a name meant to trick the user into thinking he is opening a file of another type. For example, the recent "Anna Kournikova" virus used an attachment named "AnnaKournikova.jpg.vbs." Some users will not notice the .vbs extension (signifying a Visual Basic script) and will open the attachment, expecting to see a picture of Anna Kournikova. What is more frightening, however, is that there are now viruses that can execute on a user's computer even if the user does not open the attachment. These viruses take advantage of a feature of many e-mail programs that displays embedded HTML code in the body of an e-mail, and exploit a security hole in Microsoft Outlook and Outlook Express that allows files to be copied to the user's computer without his knowledge. Besides destroying files on infected computers, some worms simply send so many copies of themselves through e-mail that they cause the e-mail servers to go down, which is a large inconvenience for schools and companies.
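The double-extension trick described above ("AnnaKournikova.jpg.vbs") can be caught at the mail gateway before a user ever sees the attachment. The following filter is an added example, not part of the original article: it walks the parts of a message and flags attachments whose final extension is executable while the one before it looks like passive content. The extension lists and the sample message are constructed assumptions and are not exhaustive.

```python
from email import message_from_string

# Extensions that run code when opened on Windows (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                   "exe", "com", "scr", "pif", "bat", "cmd"}
# Extensions users expect to be passive content (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}

def classify_filename(name: str) -> str:
    """Return 'ok', 'executable' or 'disguised-executable' for an attachment name."""
    # Trailing dots and spaces are dropped because Windows ignores them.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Padding spaces before the real extension are a common way to hide it.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "disguised-executable"
    return "executable"

def scan_message(raw: str) -> list:
    """Return (filename, verdict) for every named attachment in a raw message."""
    results = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:
            results.append((filename, classify_filename(filename)))
    return results

# Constructed sample message with placeholder attachment bodies.
SAMPLE_EMAIL = """\
From: friend@example.com
To: user@example.com
Subject: photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Hi, check this out.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

(constructed placeholder body)
--BOUNDARY
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

(constructed placeholder body)
--BOUNDARY--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:22} {name}")
```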