Understanding Viruses
What is a computer virus?
A computer virus is a piece of malicious code that attaches to important areas
within computer systems, such as executable files and the boot areas of floppy
disks and hard drives. A virus can destroy data after replicating to other host
files or disks. The virus spreads when its host file is executed, and the
malicious code is unleashed. The virus can quickly spread into memory as the
computer boots from an infected disk.
Once in memory, the virus can infect other executable files
or disk boot sectors. Typically, a virus remains dormant until some trigger
event occurs, such as a system date. In addition to replication, a computer
virus often performs some other function, usually intended to do damage or
spread a message.
Viruses are created by people who know how to use and manipulate code. However,
you can take various counteractions once Norton AntiVirus detects an infection
within your system.
How Viruses spread
File viruses spread through just about any network, modem, or magnetic medium.
Most boot viruses can only spread by way of floppy disks. Multi-partite viruses
are especially elusive because they can travel as a file virus, infect a boot
sector, and be transmitted through floppy disks.
The explosive growth of LAN, Internet, and global email connectivity has
dramatically accelerated the rate at which viruses can spread. A localized virus
outbreak can spread quickly to another part of a company or the world when
infected files are sent through email. The primary threat of infection comes
from files that are shared, then opened and used.
Types and characteristics of viruses
There are more than 8,000 known viruses. Many of these
viruses have been discovered and analyzed by antivirus vendors, but they have
not been encountered in the work or home environment. Though much of what people
have heard about viruses is hype, viruses are actually quite common and easily
spread. If left unguarded, your network runs a very real risk of data loss or
corruption.
Virus types
Although some people want to know what a computer virus is,
most people are more curious about the different types of viruses. Viruses are
classified by what they infect and how they attempt to evade detection. The four
basic virus types are defined according to the area they infect.
Boot viruses
Boot sector viruses are some of the most successful viruses.
They're simple to write, and they take control of the computer at a low level. Boot
viruses insert instructions into the boot sectors of floppy disks, or the boot
sector or master boot record (partition sector) of a hard drive. When the
computer boots from an infected floppy disk, the virus infects the hard drive
and loads its code into memory. The floppy disk does not have to be bootable for
the virus to spread. The virus remains memory resident and infects any floppy
disks that are accessed. Typically the trigger for a boot virus is the system
date or time. For example, the Michelangelo virus is a boot virus that deletes
the hard drive of its host on March 6 (Michelangelo di Lodovico Buonarroti
Simoni's birthday). A floppy disk or hard drive with an
infected boot sector won't infect any files unless the virus is also
multi-partite. A true boot virus can't spread to a server or over the network.
File viruses
File viruses attach to executable files by inserting
instructions into the execution sequence. When the infected file executes, the
inserted instructions execute the virus code. After the code finishes executing,
the file continues with its normal execution sequence. This happens so quickly
that you're not aware that the virus executed. There are three
subclassifications of file viruses:
- Memory resident viruses stay in memory as
terminate-stay-resident (TSR) programs and typically infect all executed
files.
- Direct action viruses simply execute, infect other files,
and unload.
- A companion virus associates itself with an executable
file without modifying it. For example, the virus might create a companion
file, WORD.COM, to the WORD.EXE file. When the Microsoft Word program opens,
the infected WORD.COM file executes, performs the virus activities, and then
executes the WORD.EXE file.
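A companion file leaves its target unchanged, so the check is for name collisions rather than modified files. The following Python sketch is an added example, not Norton AntiVirus code; it relies on the DOS rule that a bare command name resolves to .COM before .EXE before .BAT, and the function names and sample directory tree are constructed for illustration.

```python
import os
import tempfile

# DOS resolves a bare command name in this order, so WORD.COM runs
# ahead of WORD.EXE when both sit in the same directory.
DOS_PRECEDENCE = (".COM", ".EXE", ".BAT")

def find_shadowed_executables(root):
    """Return (directory, file_that_runs, file_it_shadows) tuples under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_base = {}
        for name in files:
            base, ext = os.path.splitext(name)
            if ext.upper() in DOS_PRECEDENCE:
                by_base.setdefault(base.upper(), {})[ext.upper()] = name
        for base in sorted(by_base):
            exts = by_base[base]
            present = [e for e in DOS_PRECEDENCE if e in exts]
            # The first extension present wins; the rest never run by bare name.
            for loser in present[1:]:
                findings.append((dirpath, exts[present[0]], exts[loser]))
    return findings

def demo():
    """Scan a constructed directory tree holding one shadowed pair."""
    sample = ("APPS/WORD.EXE", "APPS/WORD.COM", "APPS/EDIT.COM",
              "DOS/FORMAT.COM", "DOS/CHKDSK.EXE")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample, not a real program")
        return [(os.path.basename(d), winner, shadowed)
                for d, winner, shadowed in find_shadowed_executables(root)]

if __name__ == "__main__":
    for directory, winner, shadowed in demo():
        print(f"{directory}: {winner} runs instead of {shadowed}")
```

A flagged pair is a lead to review, not proof of infection, because some software legitimately ships both a .COM and an .EXE with the same name.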
Macro viruses
Macro viruses use an application's programming language to
distribute themselves. Unlike other viruses, macro viruses do not infect
programs; they infect documents.
The macro virus is triggered when you open a .DOC file with
one or more macro viruses written to the NORMAL.DOT template. When you update
and save the .DOC file, the macro virus is saved within the NORMAL.DOT template.
Therefore, every time you open a .DOC file, the macro virus executes and the
.DOC file becomes infected.
Other types of destructive code include worms, Trojan horses,
and logic bombs. These types of destructive code are different than viruses
because they don't replicate.
Virus characteristics
Many viruses can also be categorized by their
characteristics, such as polymorphism or stealth tactics. For example, a boot
virus may also be polymorphic.
Polymorphism
A polymorphic virus avoids detection from traditional
pattern-scanning software because its code doesn't have a fixed pattern of
characters. Usually, the polymorphic virus achieves this by encrypting itself
differently each time it runs.
Stealth tactics
Stealth viruses travel like boot viruses. However, after they
infect new files, they hide their presence and cloak the changes they make to
files by hooking interrupts. When a system calls a specific function, the virus
executes by forging the results and mimicking the normal function perfectly. For
example, you can view a file infected by a stealth virus and see the contents
that you expect. Stealth viruses corrupt files by:
- Forging file sizes and dates.
- Hiding changes the virus has made to the boot sector.
- Redirecting most read attempts.
You can disable stealth viruses by booting from a clean
floppy disk. This ensures that the virus is no longer in memory.
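Once the machine has been booted from clean media, reads of the boot sector are no longer forged, so a saved copy of the master boot record can be compared against a known-good baseline. The Python below is an added example, not Norton AntiVirus code; it assumes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), and the function names and sample sector are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446            # classic MBR layout: boot code comes first
ENTRY_LEN = 16                 # then four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # final two bytes of a valid boot sector

def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash, partitions and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = BOOT_CODE_LEN + i * ENTRY_LEN
        entry = sector[start:start + ENTRY_LEN]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:      # partition type 0 marks an unused slot
            partitions.append({"slot": i, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:] == BOOT_SIGNATURE,
            "partitions": partitions}

def check_against_baseline(sector, baseline_sha256):
    """Return a list of findings; an empty list means the sector matches."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings

def make_sample_mbr(boot_code):
    """Constructed sector for the demo: filler boot code, one active partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0x06,
                        b"\x0f\x3f\x27", 63, 40960)
    table = entry + bytes(ENTRY_LEN * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = make_sample_mbr(b"constructed filler, not real boot code")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    altered = b"X" + clean[1:]   # one changed byte inside the boot code
    print(check_against_baseline(clean, baseline))
    print(check_against_baseline(altered, baseline))
```

The baseline hash has to be recorded while the disk is known to be clean and stored off the machine.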
From the Norton Anti Virus