A computer virus is a self-replicating program that has been specifically designed to attach itself to, or infect, other programs on a host computer system. When one of these infected programs is run, the virus is surreptitiously activated, enabling it to infect other programs in turn.
Computer viruses can be further classified by the types of objects they infect, the method used to select a potential host, and the infection technique.
Infection by type:
Worms
A worm is a program that distributes multiple copies of itself within a system or across computer networks.
Worms have the ability to move from one computer to another, using networks, e-mail traffic and other channels. Because of this they can spread extremely quickly. Worms penetrate a computer and send copies of themselves to other computers. Worms can also utilize data contained in address books installed on infested machines.
Most worms find their way into your machine via a network connection. They often exploit an open port on the computer or a code error in the software that controls these ports. You will recall that I introduced the concept of a port last week.
Trojans
A Trojan is a program which appears to offer some benefit to the user, but which covertly does something else. The name comes from Greek mythology. The Greek armies laid siege to the city of Troy, but were unable to break through its defences.
Boot sector viruses
Infect boot sectors on floppy disks, the Master Boot Record (MBR) on hard drives, and key operating system startup files (primarily COMMAND.COM). They effectively take control of the computer's boot process.
Floppy disks can only be infected by the virus replacing the code of the boot sector of the disk.
Hard drives can be infected by the virus replacing the original MBR code or the boot sector code, or by changing the address of the active boot sector in the disk's partition table in the MBR.
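Because a hard drive can be altered in those three places, a defender can baseline each one and compare later. The following Python is an added example, not code from the original page; it assumes a raw disk image with a classic MBR partition table, and the names `snapshot`, `compare` and `make_image` are hypothetical.

```python
import hashlib
import struct

SECTOR = 512

def snapshot(image: bytes) -> dict:
    """Record the three things a boot sector virus can alter on a hard drive."""
    mbr = image[:SECTOR]
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    active = None
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), start LBA, sector count
        status, ptype, lba, _count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if status == 0x80 and ptype != 0:
            active = lba
            break
    vbr = image[active * SECTOR:(active + 1) * SECTOR] if active is not None else b""
    return {
        # First 446 bytes; on modern layouts this also covers the disk signature at offset 440.
        "mbr_code": hashlib.sha256(mbr[:446]).hexdigest(),
        "active_lba": active,
        "boot_sector": hashlib.sha256(vbr).hexdigest(),
    }

def compare(baseline: dict, current: dict) -> list:
    """Return the names of the fields that differ from the known-good snapshot."""
    return [key for key in ("mbr_code", "active_lba", "boot_sector") if baseline[key] != current[key]]

def make_image(code=b"\x90" * 446, lba=1, boot=b"\x00" * SECTOR) -> bytes:
    """Constructed 4-sector test image with one active partition (not a real disk)."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, lba, 2)
    image = bytearray(SECTOR * 4)
    image[:SECTOR] = code + entry + bytes(48) + b"\x55\xaa"
    image[lba * SECTOR:(lba + 1) * SECTOR] = boot
    return bytes(image)

if __name__ == "__main__":
    good = snapshot(make_image())
    print(compare(good, snapshot(make_image(code=b"\xcc" * 446))))
    print(compare(good, snapshot(make_image(lba=2))))
    print(compare(good, snapshot(make_image(boot=b"\x01" * SECTOR))))
```

The baseline snapshot has to be taken from a known-clean system and stored off the disk being checked.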
File viruses (including macro viruses)
Infect application .COM and .EXE files. Word Macro and Excel Macro viruses infect Microsoft Word .DOC and .XLS files, respectively. These can change the behaviour of applications. They spread by transferring themselves to files as they are edited, although certain types will seek out files to infect on disk drives or over networks.
Classified by the method they use to select their host:
“Indirect action file viruses”
(TSR, Terminate and Stay Resident)
load into memory and hook into the system interrupt table(s) so they can infect files as they are accessed. This means that the virus is active in memory even after its program has ended. They can be very stealthy and can run without the knowledge of an unprotected user. Conversely,
“direct action file viruses”
do not become memory resident; they simply infect a file (or files) when an infected program is run.
Infection technique:
“Appending viruses”
Add code to the end of a host file, while
“Prepending viruses”
Insert their code at the beginning of a host file, effectively "shifting up" the program's original code.
Overwriting viruses
Replace the host file completely with their own code causing irreparable damage to the original host file. By contrast, companion viruses and link viruses avoid adding code to a host file at all.
Companion viruses
Create a file of the same name, but with an extension that is higher up in the execution hierarchy. Link viruses manipulate FAT (file allocation table) entries.
There are viruses that fail to work altogether. This could be due to a bug in the original programming of the virus or a natural corruption (for example, a devolving virus eventually corrupts itself to the point that it can no longer function). One wonders how such corruptions can be classified as viruses at all, and yet they are the bane of the anti-virus industry. Corrupted samples show up all too often in well-intended comparative reviews, and can badly skew test results.