Threats
How Computer Viruses Work?
Here is the general way that viruses work:
- An infected program is run. This is either a program file (in the case of a
file-infecting virus) or a boot sector program at boot time. In the case of a
Microsoft Word document the virus can be
activated as soon as the document that contains it is opened for reading within
Microsoft Word. If the “NORMAL.DOT” document template is infected (and this is
the most common target of these viruses) then the virus may be activated as soon
as Microsoft Word is started up.
- The infected program has been modified so that instead of the proper code running,
the virus code runs instead. This is usually done by the virus modifying the
first few instructions to “jump” to where the virus code is stored. The virus
code begins to execute.
- The virus code becomes active and takes control of the PC. There are two ways that a
virus will behave when it is run: direct-action viruses will immediately
execute, often seeking other programs to infect and/or exhibiting whatever other
possibly malicious behavior their author coded into them. Many file-infector
viruses are direct-action. In contrast, memory-resident viruses don’t do
anything immediately; they load themselves into memory and wait for a triggering
event that will cause them to “act”. Many file infectors and all boot infectors
do this (boot infectors have to become memory resident, because at the time they
are executed the system is just starting up and there isn’t that much
“interesting” for them to do immediately.)
- What exactly the virus does depends on what the virus is written to do. Their primary
goals however include replication and spreading, so viruses will generally
search for new targets that they can infect. For example, a boot sector virus
will attempt to install itself on hard disks or floppy disks that it finds in
the system. File infectors may stay in memory and look for programs being run
that they can target for infection.
- “Malevolent” viruses that damage files or wreak havoc in other
ways will often act on triggers. There are viruses that will only activate on particular days of the year (such as
the infamous “Friday the 13th”), or act randomly, say, deleting a file every 8th
time they are run. Some viruses do nothing other than trying to maximize their
own infection to as many files and systems as possible
Most Common Types of Viruses and Other Malicious programs
1. Resident Viruses
This type of virus is a permanent which dwells
in the RAM memory. From there it can overcome and interrupt all of the
operations executed by the system: corrupting files and programs that are
opened, closed, copied, renamed etc.Examples include: Randex, CMJ, Meve,
and MrKlunky.
2. Multipartite Viruses
Multipartite viruses are distributed through infected media
and usually hide in the memory. Gradually, the virus moves to the boot sector of
the hard drive and infects executable files on the hard drive and later across
the computer system.
and usually hide in the memory. Gradually, the virus moves to the boot sector of
the hard drive and infects executable files on the hard drive and later across
the computer system.
3. Direct Action Viruses
The main purpose of this virus is to replicate
and take action when it is executed. When a specific condition is met, the virus
will go into action and infect files in the directory or folder that it is in
and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch
file is always located in the root directory of the hard disk and carries out
certain operations when the computer is booted.4. Overwrite Viruses
and take action when it is executed. When a specific condition is met, the virus
will go into action and infect files in the directory or folder that it is in
and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch
file is always located in the root directory of the hard disk and carries out
certain operations when the computer is booted.4. Overwrite Viruses
Virus of this kind is characterized by the
fact that it deletes the information contained in the files that it infects,
rendering them partially or totally useless once they have been
infected.The only way to clean a file infected by an overwrite virus is
to delete the file completely, thus losing the original content.Examples
of this virus include: Way, Trj.Reboot, Trivial.88.D.5. Boot Virus
fact that it deletes the information contained in the files that it infects,
rendering them partially or totally useless once they have been
infected.The only way to clean a file infected by an overwrite virus is
to delete the file completely, thus losing the original content.Examples
of this virus include: Way, Trj.Reboot, Trivial.88.D.5. Boot Virus
This type of virus affects the boot sector of
a floppy or hard disk. This is a crucial part of a disk, in which information on
the disk itself is stored together with a program that makes it possible to boot
(start) the computer from the disk.The best way of avoiding boot viruses
is to ensure that floppy disks are write-protected and never start your computer
with an unknown floppy disk in the disk drive.Examples of boot viruses
include: Polyboot.B, AntiEXE.6. Macro Virus
a floppy or hard disk. This is a crucial part of a disk, in which information on
the disk itself is stored together with a program that makes it possible to boot
(start) the computer from the disk.The best way of avoiding boot viruses
is to ensure that floppy disks are write-protected and never start your computer
with an unknown floppy disk in the disk drive.Examples of boot viruses
include: Polyboot.B, AntiEXE.6. Macro Virus
Macro viruses infect files that are created
using certain applications or programs that
contain macros. These mini-programs make it possible to automate series of
operations so that they are performed as a single action, thereby saving the
user from having to carry them out one by one.Examples of macro viruses:
Relax, Melissa.A, Bablas, O97M/Y2K.7. Directory Virus
using certain applications or programs that
contain macros. These mini-programs make it possible to automate series of
operations so that they are performed as a single action, thereby saving the
user from having to carry them out one by one.Examples of macro viruses:
Relax, Melissa.A, Bablas, O97M/Y2K.7. Directory Virus
Directory viruses change the paths that
indicate the location of a file. By executing a program (file with the extension
.EXE or .COM) which has been infected by a virus, you are unknowingly running
the virus program, while the original file and program have been previously
moved by the virus.Once infected it becomes impossible to locate the
original files.8. Polymorphic Virus
indicate the location of a file. By executing a program (file with the extension
.EXE or .COM) which has been infected by a virus, you are unknowingly running
the virus program, while the original file and program have been previously
moved by the virus.Once infected it becomes impossible to locate the
original files.8. Polymorphic Virus
Polymorphic viruses encrypt or encode
themselves in a different way (using different algorithms and encryption keys)
every time they infect a system.This makes it impossible for
anti-viruses to find them using string or signature searches (because they are
different in each encryption) and also enables them to create a large number of
copies of themselves.Examples include: Elkern, Marburg, Satan Bug, and
Tuareg.9. File Infectors
themselves in a different way (using different algorithms and encryption keys)
every time they infect a system.This makes it impossible for
anti-viruses to find them using string or signature searches (because they are
different in each encryption) and also enables them to create a large number of
copies of themselves.Examples include: Elkern, Marburg, Satan Bug, and
Tuareg.9. File Infectors
This type of virus infects programs or
executable files (files with an .EXE or .COM extension). When one of these
programs is run, directly or indirectly, the virus is activated, producing the
damaging effects it is programmed to carry out. The majority of existing viruses
belongs to this category, and can be classified depending on the actions that
they carry out.
executable files (files with an .EXE or .COM extension). When one of these
programs is run, directly or indirectly, the virus is activated, producing the
damaging effects it is programmed to carry out. The majority of existing viruses
belongs to this category, and can be classified depending on the actions that
they carry out.
10. Encrypted Viruses
This type of viruses consists of encrypted malicious code,
decrypted module. The viruses use encrypted code technique which make antivirus software hardly to detect them. The
antivirus program usually can detect this type of viruses when they try spread
by decrypted themselves.11. Companion Viruses
decrypted module. The viruses use encrypted code technique which make antivirus software hardly to detect them. The
antivirus program usually can detect this type of viruses when they try spread
by decrypted themselves.11. Companion Viruses
Companion viruses can be considered file
infector viruses like resident or direct action types. They are known as
companion viruses because once they get into the system they “accompany” the
other files that already exist. In other words, in order to carry out their
infection routines, companion viruses can wait in memory until a program is run
(resident viruses) or act immediately by making copies of themselves (direct
action viruses).Some examples include: Stator, Asimov.1539, and
Terrax.106912. Network Virus
infector viruses like resident or direct action types. They are known as
companion viruses because once they get into the system they “accompany” the
other files that already exist. In other words, in order to carry out their
infection routines, companion viruses can wait in memory until a program is run
(resident viruses) or act immediately by making copies of themselves (direct
action viruses).Some examples include: Stator, Asimov.1539, and
Terrax.106912. Network Virus
Network viruses rapidly
spread through a Local Network Area (LAN), and sometimes throughout the
internet. Generally, network viruses multiply through shared resources, i.e.,
shared drives and folders. When the virus infects a computer, it searches
through the network to attack its new potential prey. When the virus finishes
infecting that computer, it moves on to the next and the cycle repeats itself.
spread through a Local Network Area (LAN), and sometimes throughout the
internet. Generally, network viruses multiply through shared resources, i.e.,
shared drives and folders. When the virus infects a computer, it searches
through the network to attack its new potential prey. When the virus finishes
infecting that computer, it moves on to the next and the cycle repeats itself.
The most dangerous network viruses are Nimda and
SQLSlammer.
SQLSlammer.
13. Nonresident Viruses
This type of viruses is similar to Resident Viruses by
using replication of module. Besides that, Nonresident Viruses role as finder
module which can infect to files when it found one (it will select one or more
files to infect each time the module is executed).
using replication of module. Besides that, Nonresident Viruses role as finder
module which can infect to files when it found one (it will select one or more
files to infect each time the module is executed).
14. Stealth Viruses
Stealth Viruses is some sort of viruses which try to trick
anti-virus software by intercepting its requests to the operating system. It has
ability to hide itself from some antivirus software programs. Therefore, some
antivirus program cannot detect them.
anti-virus software by intercepting its requests to the operating system. It has
ability to hide itself from some antivirus software programs. Therefore, some
antivirus program cannot detect them.
15. Sparse Infectors
In order to spread widely, a virus must attempt to avoid
detection. To minimize the probability of its being discovered a virus could use
any number of different techniques. It might, for example, only infect every
20th time a file is executed; it might only infect files whose lengths are
within narrowly defined ranges or whose names begin with letters in a certain
range of the alphabet. There are many other possibilities.
detection. To minimize the probability of its being discovered a virus could use
any number of different techniques. It might, for example, only infect every
20th time a file is executed; it might only infect files whose lengths are
within narrowly defined ranges or whose names begin with letters in a certain
range of the alphabet. There are many other possibilities.
16. Spacefiller (Cavity) Viruses
Many viruses take the easy way out when infecting files;
they simply attach themselves to the end of the file and then change the start
of the program so that it first points to the virus and then to the actual
program code. Many viruses that do this also implement some stealth techniques
so you don’t see the increase in file length when the virus is active in
memory.
they simply attach themselves to the end of the file and then change the start
of the program so that it first points to the virus and then to the actual
program code. Many viruses that do this also implement some stealth techniques
so you don’t see the increase in file length when the virus is active in
memory.
A spacefiller (cavity) virus, on the other hand, attempts
to be clever. Some program files, for a variety of reasons, have empty space
inside of them. This empty space can be used to house virus code. A spacefiller
virus attempts to install itself in this empty space while not damaging the
actual program itself. An advantage of this is that the virus then does not
increase the length of the program and can avoid the need for some stealth
techniques. The Lehigh virus was an early example of a spacefiller virus.
to be clever. Some program files, for a variety of reasons, have empty space
inside of them. This empty space can be used to house virus code. A spacefiller
virus attempts to install itself in this empty space while not damaging the
actual program itself. An advantage of this is that the virus then does not
increase the length of the program and can avoid the need for some stealth
techniques. The Lehigh virus was an early example of a spacefiller virus.
17. FAT Virus
The file allocation table or FAT is the part
of a disk used to connect information and is a vital part of the normal
functioning of the computer.
of a disk used to connect information and is a vital part of the normal
functioning of the computer.
This type of virus attack can be especially dangerous,
by preventing access to certain sections of the disk where important files are
stored. Damage caused can result in information losses from individual files or
even entire directories.18. Worms
by preventing access to certain sections of the disk where important files are
stored. Damage caused can result in information losses from individual files or
even entire directories.18. Worms
A worm is technically not a virus, but a
program very similar to a virus; it has the ability to self-replicate, and can
lead to negative effects on your system and most importantly they are detected
and eliminated by antiviruses.Examples of worms include: PSWBugbear.B,
Lovgate.F, Trile.C, Sobig.D, Mapson.19. Trojans or Trojan Horses
program very similar to a virus; it has the ability to self-replicate, and can
lead to negative effects on your system and most importantly they are detected
and eliminated by antiviruses.Examples of worms include: PSWBugbear.B,
Lovgate.F, Trile.C, Sobig.D, Mapson.19. Trojans or Trojan Horses
Another unsavory breed of malicious code (not
a virus as well) are Trojans or Trojan horses, which unlike viruses do not
reproduce by infecting other files, nor do they self-replicate like
worms.20. Logic Bombs
a virus as well) are Trojans or Trojan horses, which unlike viruses do not
reproduce by infecting other files, nor do they self-replicate like
worms.20. Logic Bombs
They are not considered viruses because they
do not replicate. They are not even programs in their own right but rather
camouflaged segments of other programs.Their objective is to destroy
data on the computer once certain conditions have been met. Logic bombs go
undetected until launched, and the results can be destructive.Other resources:
do not replicate. They are not even programs in their own right but rather
camouflaged segments of other programs.Their objective is to destroy
data on the computer once certain conditions have been met. Logic bombs go
undetected until launched, and the results can be destructive.Other resources:
