
Computer Viruses

Virus Definition

Viruses are malicious software programs designed by other computer users to cause destruction and havoc on a computer and to spread themselves to other computers, where they can repeat the process.
A virus is different from a worm: a worm is structured as a complete stand-alone program, whereas a virus is a fragment of code embedded in a legitimate program.
Viruses are a major problem for users of microcomputer systems (single-user systems).
Multi-user systems are generally not prone to viruses because their executable programs are protected from writing by the operating system.
Programs must always have an extension of “COM”, “EXE”, or “SYS”.

Infection Sources
Viruses are often distributed through shareware, pirated software, e-mail, P2P programs, infected storage media, or other programs where users share data.

The Functional Elements of a Virus


Every viable computer virus must have at least two basic parts, or subroutines, if it is even to be
called a virus. Firstly, it must contain a search routine, which locates new files or new areas on
disk which are worthwhile targets for infection. This routine will determine how well the virus
reproduces.
Secondly, every computer virus must contain a routine to copy itself into the area which the
search routine locates. The copy routine will only be sophisticated enough to do its job without
getting caught.
Anti-detection routines can either be a part of the search or copy routines, or functionally
separate from them.

Tools Needed for Writing Viruses


Viruses are written in assembly language. High-level languages like Basic, C, and Pascal were designed to generate stand-alone programs.

Number of Viruses
There are currently over 50,000 known computer viruses and that number is growing rapidly.
Fortunately, only a small percentage of these are circulating widely. There are more
MS-DOS/Windows viruses than all other types of viruses combined (by a large margin).

UNIX and viruses


The computer virus problem is much less prevalent on the Unix platform, but that does not at all mean it is nonexistent. Unix viruses (though very few) do exist.
(Name one Linux virus? Okay... Bliss.)
That said, there are certainly (and not surprisingly) very few viruses in the wild that are viable under Unix. This is partly because of access restrictions in the environment. For example, if a user runs a file that is infected with a virus, it can only do what this user has privileges to do (under normal conditions, not much), so at the very least it cannot spread to other systems. But if a superuser (or anyone with full permissions) runs a virus, it could possibly infect the whole system and travel to other systems, and so on.
Also, one must remember that viruses are much less prevalent under UNIX operating systems simply because those operating systems are not as widely used for home systems as DOS/Windows operating systems. If more people used UNIX operating systems at home, obviously more viruses would target them. The rise in popularity of the GNU/Linux operating system has certainly shown this to be true.

Types
There are three major types of viruses, each very different from the others.
• Boot Sector Infectors: Also sometimes called boot record infectors, system viruses, or
boot viruses, these programs attack the vulnerable boot program that is stored on every
bootable floppy disk or hard disk. This code is executed by the system when the PC is
started up. By installing themselves here, they guarantee that their code will be executed
whenever the system is started up, giving them full control over the system to do what
they wish. They are spread most commonly through infected bootable floppy disks.
• File Infectors: These viruses directly attack and modify program files, which are
usually .EXE or .COM files. When the program is run, the virus executes and does
whatever it wants to do. Usually it loads itself into memory and waits for a trigger to find
and infect other program files. These viruses are commonly spread through infected
floppy disks, over networks, and over the Internet.
• Macro Viruses: The newest type of virus, these clever programs make use of the built-in
programming languages in popular programs such as Microsoft Word and Microsoft
Excel. These programs allow users to create programs that automate tasks, called macros.
As the macro languages have become more powerful, virus writers have created
malevolent macros that, when opened unwittingly, duplicate themselves into other
documents and spread just like a conventional virus would. These programs can cause just
as much damage as regular viruses, despite the fact that they are very different: regular
viruses are low-level machine language programs, while macro viruses are actually
high-level interpreted BASIC programs! The most common type of macro virus right now
infects Microsoft Word documents. In computing terminology, a macro virus is a virus
that is written in a macro language: that is to say, a language built into a software
application such as a word processor. Since some applications (notably, but not
exclusively, the parts of Microsoft Office) allow macro programs to be embedded in
documents, so that the programs may be run automatically when the document is opened,
this provides a distinct mechanism by which viruses can be spread. This is why it may be
dangerous to open unexpected attachments in e-mails.

Virus types based on What They Infect

• System Sector Viruses
These infect control information on the disk itself.
• File Viruses
These infect program (COM and EXE) files.
• Macro Viruses
• Companion Viruses
A special type that adds files that run first to your disk. Companion viruses can be considered file
infector viruses like resident or direct action types. They are known as companion viruses
because once they get into the system they "accompany" the other files that already exist. In
other words, in order to carry out their infection routines, companion viruses can wait in memory
until a program is run (resident viruses) or act immediately by making copies of themselves
(direct action viruses).
Some examples include: Stator, Asimov.1539, Terrax.1069.
• Directory Viruses
An operating system finds files by looking up the path (composed of the
disk drive and directory) in which each file is stored.
Directory viruses change the paths that indicate the location of a file. By executing a program
(file with the extension .EXE or .COM) which has been infected by a virus, you are unwittingly
running the virus program, while the original file and program have been previously moved by
the virus.
• Batch File Viruses
These use text batch files to infect. The first line causes batch file commands to not display on
the screen so you won't see what's going on. The second line is a label as far as the batch file is
concerned. In reality, this label is what makes the whole thing work so, of course, we're not going
to show any examples. The third line copies the batch file itself to an executable file named
Q.COM in the root directory of the C: drive. The output of the COPY command is directed to the
NUL device so you see nothing on the screen that indicates this copy took place. Finally, the
fourth line executes the newly created Q.COM file.
• Source Code Viruses
These add code to actual program source code. Source code comes in many forms because of the
many different types of compilers and languages available. This is one reason why source code
viruses are not particularly common. The other is that so few people actually write programs it
becomes difficult for a source code-only virus to find victims to infect.
• Visual Basic Worms
These worms use the Visual Basic language to control the computer and perform tasks.

Virus types based on How They Infect


• Polymorphic Viruses
Viruses that change their characteristics as they infect. Viruses that try to actively hide
themselves from anti-virus or system software. Polymorphic viruses encrypt or encode
themselves in a different way (using different algorithms and encryption keys) every time they
infect a system.
This makes it impossible for antivirus programs to find them using string or signature searches
(because they are different in each encryption) and also enables them to create a large number of
copies of themselves.
Some examples include: Elkern, Marburg, Satan Bug, Tuareg.
• Stealth Viruses
A stealth virus actively hides the changes it has made to the hard disk so that it
appears that it has not infected the system. For example, a file infector might stay memory
resident and misreport the size of infected files so they don't appear to be infected. Boot sector
viruses can trap attempts to read the boot sector and return forged data that makes them appear to
be "clean".
• Multipartite Viruses
Viruses that may fall into more than one of the top classes.
• Cavity (Spacefiller) Viruses
Viruses that attempt to maintain a constant file size when infecting. A cavity (spacefiller) virus
attempts to install itself inside of the file it is infecting. This is difficult but has become easier
with new file formats designed to make executable files load and run faster. Most viruses take the
easy way out when infecting files; they simply attach themselves to the end of the file and then
change the start of the program so that it first points to the virus and then to the actual program
code. Many viruses that do this also implement some stealth techniques so you don't see the
increase in file length when the virus is active in memory.
• Tunneling Viruses
Viruses that try to "tunnel" under anti-virus software while infecting. Some viruses will attempt
to tunnel under anti-virus monitoring programs in order to bypass their monitoring functions.
• NTFS ADS Viruses
Viruses that ride on the alternate data streams in the NT File System.
And, in a special category, one might include:
Programs that place viruses onto your system but themselves may not be viruses (a special form
of Trojan).
Hoaxes are not viruses, they are false messages sent by e-mail, warning users of a non-existent
virus. The intention is to spread rumors causing panic and alarm among users who receive this
kind of information.
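
The file infectors and cavity viruses described above change the bytes of existing program files (with or without changing their length), and companion viruses add new program files. The following is an added example, not part of the original document, of a baseline integrity check that reports all three cases. The function names `snapshot`, `compare` and `demo` are hypothetical, the sample files are constructed placeholders, and the check is assumed to run after booting from a clean disk, since a memory-resident stealth virus can misreport what is read.

```python
import hashlib
import tempfile
from pathlib import Path

PROGRAM_EXTS = {".com", ".exe", ".sys"}  # extensions the page names for programs

def snapshot(root):
    """Map each program file under root to (size, SHA-256 hex digest)."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PROGRAM_EXTS:
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result

def compare(baseline, current):
    """Return sorted (path, finding) pairs for every difference."""
    findings = []
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings.append((path, "new program file"))
        elif baseline[path][1] != digest:
            old = baseline[path][0]
            note = "same size" if size == old else f"size {old} -> {size}"
            findings.append((path, f"content changed ({note})"))
    for path in baseline.keys() - current.keys():
        findings.append((path, "program file missing"))
    return sorted(findings)

def demo():
    """Constructed sample: harmless placeholder bytes in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.EXE").write_bytes(b"A" * 64 + b"\x00" * 32)
        (root / "SORT.COM").write_bytes(b"B" * 40)
        (root / "NOTES.TXT").write_bytes(b"not a program")
        baseline = snapshot(root)
        (root / "EDIT.EXE").write_bytes(b"A" * 64 + b"X" * 32)  # same length, new bytes
        (root / "SORT.COM").write_bytes(b"B" * 40 + b"Y" * 16)  # 16 bytes appended
        (root / "EDIT.COM").write_bytes(b"Z" * 8)               # new file beside EDIT.EXE
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Comparing digests rather than sizes is what catches the constant-length case; the baseline itself should be stored on write-protected media.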

Protection Strategies

● Keep your computer up-to-date with the latest patches: We know this sounds obvious, but
we are still amazed at the number of machines we deal with that don't have the most
recent patches on them. These patches seal up security holes that viruses take advantage
of, so it's in your best interest to stay as recent as possible with patches.
● Update AV Software.
● Safe Boot Disk.
● Hard Disk Boot. Change your boot sequence so that the hard disk is the first boot disk
instead of the floppy disk.
● Use RTF Not DOC.
● Consider Alternate Software. In the politest sense this would be a recommendation to
switch to software that is not as likely to be affected by viruses/worms. For many offices a
switch away from Word, Excel, and Outlook/Outlook Express would be difficult as these
programs came as standard software on many systems. But it's worth consideration.
● Don't Open Attachments.
● Disable Scripting. Turn off the Windows Scripting Host if you don't need it. Scripts are
just fancy macros that can apply across programs and are a major vehicle for worms.
● Show Extensions. Set all programs to show you the full file name, particularly E-mail
programs. If your program drops the extension you don't really know if the attachment is
executable or not.
● Be smart about the websites you choose to visit: There are a lot of bad websites out there that
actually have viruses programmed right into the website. Through a process called
malicious scripting, viruses can be installed onto your computer just by visiting a website.
● Protect Floppies.
● Backup. Finally, but most importantly: backup, backup, backup!
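
The "Show Extensions", "Don't Open Attachments" and "Use RTF Not DOC" advice can also be applied mechanically to attachment names, for example in a mail-triage script. The following is an added example, not part of the original document. The function name `assess_attachment`, the finding labels, and every extension beyond COM, EXE and SYS are assumptions, and the sample names are constructed.

```python
import os

# The page names COM, EXE and SYS; the remaining entries (batch files and
# Windows Script Host types, among others) are assumptions to adjust locally.
RUNNABLE = {".com", ".exe", ".sys", ".bat", ".cmd", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".scr", ".pif"}
MACRO_CAPABLE = {".doc", ".dot", ".xls"}  # Word/Excel formats that can embed macros

def assess_attachment(filename):
    """Return a list of findings for one attachment name (empty = nothing flagged)."""
    # Windows ignores trailing spaces and dots, so "a.exe. " still runs as a.exe.
    name = filename.rstrip(" .")
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in MACRO_CAPABLE:
        return ["macro-capable"]
    if ext not in RUNNABLE:
        return []
    findings = ["runnable"]
    # With extensions hidden the user sees only `stem`; if that itself ends in
    # something that looks like an extension, it poses as another file type.
    inner = os.path.splitext(stem.rstrip())[1].lower()
    looks_like_ext = inner[1:].isalnum() and any(c.isalpha() for c in inner)
    if looks_like_ext and inner not in RUNNABLE:
        findings.append("disguised-as:" + inner)
    if stem != stem.rstrip():
        findings.append("padded-name")  # spaces push the real extension out of view
    return findings

# Constructed sample names, not taken from any real message.
SAMPLES = ["report.rtf", "budget.XLS", "setup.exe", "v1.2.exe",
           "holiday.jpg.vbs", "invoice.doc      .exe"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), assess_attachment(sample))
```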

Joby K James
Roll No.13
S4 MCA, RIT