The term “virus” is often loosely used in reference to any type of malicious program, or it is used to describe any negative event that a malicious program causes to a host system.
In the simplest terms, a virus is defined as program code that replicates from one host file to another. This simple definition leaves room for further sub-division, which has become necessary due to the evolution of malicious code over the last two decades.
Computer viruses can be further classified by the types of objects they infect, the method used to select a potential host, and the infection technique.
Infection by type:
Boot sector viruses
Infect boot sectors on floppy disks and the Master Boot Record (MBR) on hard drives and key operating system startup files (primarily COMMAND.COM). They effectively take control of the computer's boot process.
Floppy disks can only be infected by the virus replacing the code of the boot sector of the disk.
Hard drives can be infected by the virus replacing the original MBR code or the boot sector code, or by changing the address of the active boot sector in the disk's partition table in the MBR.
File viruses (including macro viruses)
Infect application .COM and .EXE files. Word Macro and Excel Macro viruses infect Microsoft Word .DOC and .XLS files, respectively. These can change the behaviour of applications. They spread by transferring themselves to files as they are edited, although certain types will seek out files to infect on disk drives or over networks.
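As an added example (not part of the original article), this Python code shows how a defender can check a hard drive's MBR for the changes described under boot sector viruses above: it hashes the boot code, records the start address of the active partition, and compares both against a known-good baseline. The function names, the sample sectors and their placeholder boot-code bytes are constructed for illustration; the field offsets follow the classic 512-byte MBR layout.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the MBR boot code
ENTRY_LEN = 16               # four 16-byte partition entries follow

def parse_mbr(sector):
    """Return the boot-code hash and the active partition start LBA(s)."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    active = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        # status byte, 3 CHS bytes skipped, type byte, 3 CHS bytes, start LBA
        status, ptype, lba_start = struct.unpack_from("<B3xB3xI", sector, off)
        if status == 0x80 and ptype != 0:
            active.append((i, lba_start))
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "active": active,
    }

def compare_to_baseline(baseline, current):
    """List differences that match the hard-drive infection routes."""
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("MBR boot code changed")
    if current["active"] != baseline["active"]:
        findings.append("active boot sector address changed")
    return findings

def build_sample_mbr(boot_code, active_lba):
    """Constructed sector: one active partition (type 0x06) at active_lba."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, active_lba, 2048)
    return code + entry + bytes(ENTRY_LEN * 3) + b"\x55\xaa"

if __name__ == "__main__":
    good = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0", 63))
    for label, sector in [
        ("unchanged", build_sample_mbr(b"\xfa\x33\xc0", 63)),
        ("code replaced", build_sample_mbr(b"\xeb\x3c\x90", 63)),
        ("pointer moved", build_sample_mbr(b"\xfa\x33\xc0", 9000)),
    ]:
        print(label, compare_to_baseline(good, parse_mbr(sector)))
```

The baseline must be recorded while the disk is known to be clean, and the sector should be read from outside the running system, since a memory-resident virus can hook disk access.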
Classified by the method they use to select their host:
“Indirect action file viruses” (TSR, Terminate and Stay Resident) load into memory and hook into the system interrupt table(s) so they can infect files as they are accessed. This means that the virus is active in memory even after its program has ended. They can be very stealthy and can run without the knowledge of an unprotected user. Conversely, “direct action file viruses” do not become memory resident; they simply infect a file (or files) when an infected program is run.
Infection technique:
“Appending viruses” add code to the end of a host file, while “prepending viruses” insert their code at the beginning of a host file, effectively "shifting up" the program's original code.
Overwriting viruses
Replace the host file completely with their own code, causing irreparable damage to the original host file. By contrast, companion viruses and link viruses avoid adding code to a host file at all.
Companion viruses
Create a file of the same name, but with an extension that is higher up in the execution hierarchy. Link viruses manipulate FAT (file allocation table) entries.
There are viruses that fail to work altogether. This could be due to a bug in the original programming of the virus or a natural corruption (for example, a devolving virus eventually corrupts itself to the point that it can no longer function). One wonders how such corruptions can be classified as viruses at all, and yet they are the bane of the anti-virus industry. Corrupted samples show up all too often in well-intended comparative reviews, and can badly skew test results.