A computer virus is a computer program which distributes copies of itself without the permission or knowledge of the user. A computer virus is often simply called a virus. The term is commonly used to refer to a range of malware, but a true virus does not need to be harmful. To distribute itself, a virus needs to execute. Viruses often hide themselves inside other programs to be executed.
How viruses work
A computer virus will pass from one computer to another in the same way that a real life biological virus passes from person to person. For example, it is estimated by experts that the Mydoom worm infected a quarter-million computers in a single day in January 2004. Another example is the ILOVEYOU virus, which occurred in 2000 and had a similar effect. There are tens of thousands of viruses out there, and new ones are discovered every day. While a generic explanation of how viruses work is difficult due to the wide variety of infection or spreading patterns, there are broad categories commonly used to describe various types of viruses.
Basic types of viruses
File viruses, also known as parasitic or executable viruses, are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. After activation, the virus may spread itself by attaching itself to other programs in the system, and also carry out the malevolent activity for which it was programmed. Most file viruses spread by loading themselves in system memory and looking for any other programs located on the drive. If it finds one, it modifies the program’s code so that it contains and activates the virus the next time it’s run. It keeps doing this over and over until it spreads across the system, and possibly to other systems that the infected program may be shared with or via a network to other computers. Besides spreading themselves, these viruses also carry some type of destructive constituent that can be activated immediately or by a particular ‘trigger’. The trigger could be a specific date, or the number of times the virus has been replicated, or anything equally trivial. Some examples of file viruses are Randex, Meve and MrKlunky
Boot sector viruses
A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where all information about the drive is stored, along with a program that makes it possible for the operating system to boot up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence. A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their downfall. During the days when programs were carried around on floppies, the boot sector viruses used to spread like wildfire. However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which eventually stopped such viruses from spreading. Though boot viruses still exist, they are rare compared to new-age malicious software. Another reason why they’re not so prevalent is that operating systems today protect the boot sector, which makes it difficult for them to thrive. Examples of boot viruses are Polyboot.B and AntiEXE.
According to Symantec, see http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/1999041209131106, Boot Sector Viruses differ only slightly from Master Boot Record Viruses in their respective effects- both load into memory and stay there (resident viruses), thus infecting any executable launched afterwards. In addition, both types may prevent recent Operating Systems from booting.
Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system. There aren’t too many multipartite viruses in existence today, but in their heyday, they accounted for some major problems due to their capacity to combine different infection techniques. A well-known multipartite virus is Ywinz.
Macro viruses infect files that are created using certain applications or programs that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations, Access databases and other similar application files such as Corel Draw, AmiPro etc. Since macro viruses are written in the language of the application and not in that of the operating system, they are known to be platform-independent—they can spread between Windows, Mac and any other system, so long as they are running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats. The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are thousands of macro viruses in existence—some examples are Relax, Melissa.A and Bablas. These are usually found in attached Microsoft office documents sent via email. Current versions of Microsoft office applications will allow you to disable any scripting in a document until you can confirm that it is safe.
This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet. Usually, it propagates through shared resources, such as shared drives and folders. Once it infects a new system, it searches for potential targets by searching the network for other vulnerable systems. Once a new vulnerable system is found, the network virus infects the other system, and thus spreads over the network. Some of the most notorious network viruses are Nimda and SQLSlammer.
An email virus could be a form of a macro virus that spreads itself to all the contacts located in the host’s email address book. If any of the email recipients open the attachment of the infected mail, the virus spreads to the new host’s address book contacts, and then proceeds to send itself to all those contacts as well. Email viruses can infect hosts even by previewing the infected email in a mail client.
There are many ways in which a virus can infect or stay dormant on your PC. However, whether active or dormant, it is dangerous to let one loose on your system, and it should be dealt with immediately.
Other malicious software
Earlier, the only way a computer was at risk was when you inserted an infected floppy. With the new age of technology, almost every computer is interconnected to the rest of the world at some point or other, so it’s difficult to pinpoint the source and/or time of the infection. As if that weren’t bad enough, new-age computing has also brought about a new breed of malicious software. Today, the term ‘virus’ has become a generic term used for all the different ways that your computer can be attacked by malicious software. Besides the type of viruses we mentioned, here are some of the newer problems we face today.
trojan horses (see page for an in depth discussion)
Computer Worms are programs that reproduce and run independently, and travel across network connections. The main difference between viruses and worms is the method in which they reproduce and spread. A virus is dependent on a host file or boot sector and on the transfer of files between machines to spread, while a worm can run completely independently and spread of its own accord through network connections. The security threat of worms is equivalent to that of a virus. Worms are capable of doing a whole range of damage such as destroying essential files in your system, slowing it down to a great extent, or even causing some essential programs to crash. Two famous examples of worms are the MS-Blaster and Sasser worms. Microsoft have long ago issues patches to protect against these viruses for Windows XP so these are not as prevelant today.
Viruses can be subdivided into a number of types, the main ones being:
Boot sector viruses
Logic bombs and time bombs
Cross-site scripting virus
The invisible Halo Virus
Two other types of malware are often classified as viruses, but are actually forms of distributing malware:
How do Viruses infect?
Boot sector virus
A boot sector virus alters or hides in the boot sector, usually the 1st sector, of a bootable disk or hard drive. Boot sector viruses were prevalent in the 1980s and had virtually died off as most programs now come on cd or dvd and so are usually read only and difficult to infect. Several new ones have however appeared due to the widespread use of usb pendrives. There are a number of boot sector viruses affecting windows machines which are very difficult to remove. With the advent of Windows 8 Microsoft have introduced "secure boot" which is a hardware support feature to prevent alteration of the boot sector. One possible side affect of this is that users wishing to dual boot between windows and linux wont be able to with secureboot turned on as you can’t install the "grub" or "lilo" boot required for linux in the master boot sector. More information on this can be found at http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx
A companion virus does not have host files per se, but exploits MS-DOS. A companion virus creates new files (typically .COM but can also use other extensions such as ".EXD") that have the same file names as legitimate .EXE files. When a user types in the name of a desired program, if a user does not type in ".EXE" but instead does not specify a file extension, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. For instance, if a user had "(filename).COM" (the virus) and "(filename).EXE" and the user typed "filename", he will run "(filename).COM" and run the virus. The virus will spread and do other tasks before redirecting to the legitimate file, which operates normally. These viruses have become increasingly rare with the introduction of Windows 2000, XP and Vista as most users do not use MS-DOS commands.
An E-mail virus is a virus which uses e-mail messages as a mode of transport. These viruses often copy themselves by automatically mailing copies to hundreds of people in the victim’s address book.
A logic bomb employs code that lies inert until specific conditions are met. The resolution of the conditions will trigger a certain function (such as printing a message to the user and/or deleting files). Logic bombs may reside within standalone programs, or they may be part of worms or viruses. An example of a logic bomb would be a virus that waits to execute until it has infected a certain number of hosts. A time bomb is a subset of logic bomb, which is set to trigger on a particular date and/or time. An example of a time bomb is the infamous ‘Friday the 13th’ virus.
A macro virus, often written in the scripting languages for programs such as Word and Excel, is spread by infecting documents and spreadsheets.
Cross-site scripting virus
A cross-site scripting virus (XSSV) is a type of virus that utilizes cross-site scripting vulnerabilities to replicate. A XSSV is spread between vulnerable web applications and web browsers creating a symbiotic relationship.
A sentinel is a highly advanced virus capable of empowering the creator or perpetrator of the virus with remote access control over the computers that are infected. They are used to form vast networks of zombie or slave computers which in turn can be used for malicious purposes such as a Distributed Denial of Service attack or more often to send relay ‘spam’ email.
trojan Horses are impostor files that claim to be something desirable but, in fact, are malicious. Rather than insert code into existing files, a trojan horse appears to do one thing (install a screen saver, or show a picture inside an e-mail, for example) when in fact it does something entirely different, and potentially malicious, such as erase files. trojans can also open back doors so that computer hackers can gain access to passwords and other personal information stored on a computer.
Although often referred to as such, trojan horses are not viruses in the strict sense because they cannot replicate automatically. For a trojan horse to spread, it must be invited onto a computer by the user opening an email attachment or downloading and running a file from the Internet. These are commonly found in ‘free’ screensavers and on file sharing networks.
A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm will scan the network for any other machine that has a specific security flaw. It replicates itself to the new machine using the security flaw, and then begins scanning and replicating a new worm.
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. Mydoom or ILOVEYOU are two examples of worms.
Effects of computer viruses
Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.
computer virus acronym V.I.R.U.S. – Vital Information Resources Under Siege
The word virus is derived from and used in the same sense as the biological equivalent. The term "virus" is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or trojans. Most popular anti-virus software packages defend against all of these types of attack. In some technical communities, the term "virus" is also extended to include the authors of malware, in an insulting sense. The English plural of "virus" is "viruses". Some people use "virii" or "viri" as a plural, but this is rare. For a discussion about whether "viri" and "virii" are correct alternatives of "viruses", see plural of virus.
The term "virus" was first used in an academic publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a 1972 science fiction novel by David Gerrold, When H.A.R.L.I.E. Was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "VACCINE"). The term "computer virus" with current usage also appears in the comic book Uncanny X-Men #158, written by Chris Claremont and published in 1982. Therefore, although Cohen’s use of "virus" may, perhaps, have been the first "academic" use, the term had been used earlier.
A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. This virus was originally a joke, created by the high school student and put onto a game. The game was set to play, but release the virus on the 50th time of starting the game. Only this time, instead of playing the game, it would change to a blank screen that read a poem about the virus named Elk Cloner. The computer would then be infected.
The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.
Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.
traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS and modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS’s. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.
Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel. These viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses were able to spread on Macintosh computers as well. Most of these viruses did not have the ability to send infected e-mail. Those viruses which did spread through e-mail took advantage of the Microsoft Outlook COM interface.
Macro viruses pose unique problems for detection software. For example, some versions of Microsoft Word allowed macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".
A computer virus may also be transmitted through instant messaging. A virus may send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) and follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating. With the extension of the current messaging clients to also allow users to exchange files this is now the most common way of spreading viruses, along with file sharing networks and ‘warez’ (pirated software)
The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005. This virus utilizes cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, most notable sites affected have been MySpace and Yahoo.
 Why people create computer viruses
Unlike biological viruses, computer viruses do not simply evolve by themselves. Computer viruses do not come into existence spontaneously, nor are they likely to be created by bugs in regular programs. They are deliberately created by programmers, or by people who use virus creation software. Computer viruses can only do what the programmers have programmed them to do.
Releasing computer viruses (as well as worms) is a crime in most countries .
Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them or preventing access to the anti virus vendors website.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced.
Detection and virus removal
Due to the many thousands of viruses and their infection methods it is impossible to remove them all with any one method.
Anti-virus professionals such as ourselves use a variety of methods to remove viruses and other malware, including automatic and manual methods and bait files etc., keeping as much customer data intact as possible. Many high street vendors will just re-format your computer losing all customer data in order to remove viruses and other malware.
Windows and Unix have similar scripting abilities, but while Unix natively blocks normal users from having access to make changes to the operating system environment, Windows does not. In 1997, when a virus for Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows. The Bliss virus may be considered characteristic of viruses – as opposed to worms – on Unix systems. Bliss requires that the user run it explicitly, and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.