TYPES OF VIRUSES

themaharana

Par 100 posts (V.I.P)
TYPES OF VIRUSES

REPORT PREPARED BY:
PRAMOD CHORDIA
MITHIBAI COLLEGE
2004-2007 BATCH

Contents

1. Introduction
   I. What is a Virus
   II. How Viruses Spread
   III. How Viruses Escape Detection
   IV. Effects Of Virus

2. Classification Of Viruses
   I. What They Attack
   II. How They Attack
   III. Operating System
   IV. Destructive Capabilities

3. Virus Prevention

4. Other Malicious Programs

5. References

Introduction

What Is a "Virus"?

A computer virus is a program designed to spread itself by first infecting executable files or the system areas of hard and floppy disks and then making copies of itself. Viruses usually operate without the knowledge or desire of the computer user.

A virus must meet two criteria:
1. It must execute itself. It will often place its own code in the path of execution of another program. This means when the other program runs, the virus does at the same time. Viruses usually attach themselves to a program that starts automatically with your computer, ensuring it runs all the time.

2. It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file. Viruses can infect desktop computers and network servers alike. Many viruses can also replicate themselves to other people, distributing themselves through e-mail.

How Viruses Spread

Infections spread from machine to machine, and from organisation to organisation, in a number of ways.

Viruses can be transmitted by:

• Booting a PC from an infected medium.

• Executing an infected program.

• Opening an infected file.

Common routes for virus infiltration include:

• Floppy disks or other media that users can exchange.

• Email attachments.

• Pirated software.

• Shareware.

How Viruses Escape Detection

The successful spread of a virus depends on how long it can replicate unnoticed, before its presence is made known by the activation of side effects. Viruses use two main methods of disguise:

• Encrypting (scrambling) their code to avoid recognition.
• Preventing applications from seeing the virus in memory, by interrupt interception or (in the case of macro viruses) by disabling the options to view macros.

Effects Of Virus

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden and poorly programmed, and these bugs may lead to system crashes and data loss.

Classification Of Viruses

Viruses can be divided into classes according to the following characteristics:
• Environment (what they attack)
• Method of infection (how they attack)
• Operating system (OS)
• Destructive capabilities

1. According to the ENVIRONMENT, viruses can be divided into:
• File
• Boot
• Macro
• Network

File viruses either infect executables in various ways (parasitic - the most common type of viruses), or create file doubles (companion viruses), or use file system specific features (link viruses).

File Viruses attack by infecting files. Each file virus is specific to a set of files, which it can locate and infect. It then overwrites a portion of that file with viral code. When the file is executed, the viral code is executed and may infect more files. The most common sorts of files infected by this type of virus are files with the extension .com, .exe, and even .ovr, .ovl and .dll files. File viruses only infect executable files - if the program cannot be run, the viral code remains dormant.
Examples of file types: COM (MS-DOS application), JS (JScript file), VB (VBScript file), SYS (system config/driver), EXE (application).

• Companion Viruses are a kind of file virus. These viruses do not change the "infected" files. Their operating algorithm includes creating a clone of the target file, so that when the target file is run, its clone (i.e. the virus) gets control instead. The companion virus infects your files by locating all files with names ending in EXE. The virus then creates a matching file name ending in COM that contains the viral code. The virus usually plants this file in the same directory as the .EXE file, but it could place it in any directory on your DOS path. The virus executes, possibly infecting more files, and then loads and executes the EXE file. The user probably won't notice anything wrong.

• Cluster Viruses are a type of virus that infects your files not by changing the file or planting extra files but by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When you run a program, DOS first loads and executes the virus code; the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus.
The interesting thing about this type of virus is that even though every program on the disk may be "infected," because only the directory pointers are changed there is only one copy of the virus on the disk. One can also usually classify this type of virus as a fast infector. On any file access, the entire current directory will be infected and, if the DOS path must be searched, all directories on the path will typically be infected.
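As an added defender-side example (my code, not part of the report), the following Python implements two checks drawn from the two passages above: it flags the .COM twin of a .EXE that a companion virus leaves in a directory listing, and it parses constructed FAT16 directory entries to find several files whose entries start at the same first cluster, which is the footprint of a cluster virus such as Dir-2. The entry layout is the standard 32-byte short directory entry; the listing, the entries and the helper names are my own constructed assumptions.

```python
import struct

# One 32-byte FAT16 short directory entry, little-endian, in field order:
# name(11) attr(1) NTRes(1) crtTimeTenth(1) crtTime(2) crtDate(2) lstAccDate(2)
# fstClusHI(2) wrtTime(2) wrtDate(2) fstClusLO(2) fileSize(4)
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
ATTR_DIRECTORY, ATTR_VOLUME_ID, DELETED_MARK = 0x10, 0x08, 0xE5


def _name_8_3(name):
    """'EDIT.EXE' -> b'EDIT    EXE', the space-padded on-disk 8.3 form."""
    base, _, ext = name.upper().partition(".")
    return (base.ljust(8) + ext.ljust(3)).encode("ascii")


def make_entry(name, first_cluster, size, attr=0x20):
    """Build a constructed directory entry (timestamps left at zero)."""
    return DIR_ENTRY.pack(_name_8_3(name), attr, 0, 0, 0, 0, 0,
                          first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def find_companion_candidates(names):
    """Companion-virus check over one directory listing: every .COM whose
    base name matches a .EXE. DOS runs NAME.COM before NAME.EXE, so such a
    twin gets control first; each pair needs a look (some are legitimate).
    The same check should be run over every directory on the DOS PATH."""
    upper = [n.upper() for n in names]
    exe_bases = {n[:-4] for n in upper if n.endswith(".EXE")}
    return sorted(n for n in upper if n.endswith(".COM") and n[:-4] in exe_bases)


def find_shared_clusters(dir_bytes):
    """Cluster-virus check: {first_cluster: [names]} for each data cluster
    that more than one live file entry starts at. A Dir-2 style infection
    re-points many entries at the one copy of the virus, so they collide."""
    by_cluster = {}
    for off in range(0, len(dir_bytes) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        fields = DIR_ENTRY.unpack_from(dir_bytes, off)
        raw_name, attr, clus_hi, clus_lo = fields[0], fields[1], fields[7], fields[10]
        if raw_name[0] in (0x00, DELETED_MARK) or attr & (ATTR_DIRECTORY | ATTR_VOLUME_ID):
            continue  # free slot, deleted entry, subdirectory or volume label
        first = (clus_hi << 16) | clus_lo
        if first == 0:
            continue  # zero-length file owns no cluster
        base, ext = raw_name[:8].decode().strip(), raw_name[8:].decode().strip()
        by_cluster.setdefault(first, []).append(base + "." + ext if ext else base)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


# Constructed sample data (not from the report): EDIT.COM shadows EDIT.EXE,
# and EDIT.EXE and WIN.EXE both start at cluster 10 while FORMAT.COM is alone.
SAMPLE_LISTING = ["EDIT.EXE", "edit.com", "FORMAT.COM", "WIN.EXE", "README.TXT"]
SAMPLE_DIRECTORY = b"".join([
    make_entry("EDIT.EXE", 10, 6144),
    make_entry("FORMAT.COM", 20, 2048),
    make_entry("WIN.EXE", 10, 9216),
    make_entry("DOS", 30, 0, attr=ATTR_DIRECTORY),
])

if __name__ == "__main__":
    print("companion candidates:", find_companion_candidates(SAMPLE_LISTING))
    print("shared first clusters:", find_shared_clusters(SAMPLE_DIRECTORY))
```

On a real FAT volume the directory bytes come from the data region (root directory or a subdirectory's clusters), and a shared first cluster is only a lead: a legitimate tool that hard-links or deduplicates does not exist on FAT, so collisions deserve investigation.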

Boot viruses either save themselves in the disk boot sector or the Master Boot Record, or change the pointer to the active boot sector.

The boot sector is a small program that is the first part of the operating system that the computer loads. The boot sector contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it gets executed. It can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine.

Macro viruses infect document files, electronic spreadsheets and databases of several popular software packages.

Macro viruses are in fact programs written in macro languages, built into some systems of data processing (text editors, electronic spreadsheets, etc.). To propagate, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (documents or spreadsheets) to another. Macro viruses for Microsoft Word, Microsoft Excel and Office97 are most common.

Network viruses use the protocols and commands of a computer network or of e-mail to spread themselves.
Network viruses make extensive use of networking protocols and the capabilities of local and global access networks to multiply. The main operating principle of the network virus is its capability to transfer its code to a remote server or workstation on its own. (Full-scale) network viruses are also capable of running their code on remote computers, or at least "pushing" users to run the infected file.

2. By METHOD OF INFECTION, the following features stand out:

• TSR capability (Terminate and Stay Resident)
• Stealth Viruses
• Self-encryption and Polymorphic Viruses
• Fast and Slow Infectors
• Sparse Infectors
• Armored Viruses
• Multipartite Viruses
• Cavity Viruses
• Tunneling Viruses
• Camouflage Viruses

A TSR virus, while infecting a computer, leaves its resident part in RAM, which then intercepts system calls to target objects and incorporates itself into them. Resident viruses reside in memory and are active until power-down or until the operating system reboots. Nonresident viruses do not infect computer memory and are active for a limited time only. Some viruses leave small resident parts in RAM which do not spread the virus; such viruses are considered nonresident.
Macro viruses can also be considered resident, because they reside in computer memory for the whole run time of the infected editor program. Here the editor plays the role of the operating system, and "system reboot" means termination of the editor program.

Stealth Viruses.
A virus, by its nature, has to modify something in order to become active. This might be a file, the boot sector, or partition sector (Master Boot Record); whatever it is, it has to change. Unless the virus takes over portions of the system in order to manage accesses to the changes it made, these changes will become visible and the virus will be exposed.
A stealth virus hides the modifications it makes. It does this by taking over the system functions, which read files or system sectors, and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what's really there (the virus). Of course, the virus must be resident in memory and active to do this.
Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk. When this happens, the virus does not gain control over the system and the changes and virus are immediately available to be seen and dealt with.

Self-encryption and Polymorphic capabilities are used by virtually all kinds of viruses to make the detection procedure as complicated as possible. Polymorphic viruses are really hard to detect: they have no signatures, that is, none of their code fragments remain unchanged. In most cases two samples of the same polymorphic virus will not have a single match in a byte-by-byte compare. This is achieved by encrypting the main body of the virus and making modifications to the decryption routine.

Fast and Slow Infectors infect your system at different rates. A virus loads itself into memory when an infected program runs; it then waits for other programs to be run and infects them at that point.
Fast infectors infect programs that are run, and programs that are accessed. This type of virus can attach itself to anti-virus software, and then infect all the files the antiviral software accesses to check. Slow infectors only infect programs when they are created or modified. This sort of virus can trick integrity checkers - the integrity checker may mention that the file has changed, but you have just created the file or changed it and are expecting the change. Scanning components of antiviral packages should find these sorts of viruses.

Sparse Infectors.
In order to spread widely, a virus must attempt to avoid detection. To minimize the probability of its being discovered a virus could use any number of different techniques. It might, for example, only infect every 20th time a file is executed; it might only infect files whose lengths are within narrowly defined ranges or whose names begin with letters in a certain range of the alphabet. There are many other possibilities.
A virus, which uses such techniques, is termed a sparse infector.

Armored Viruses, like Stealth viruses, are viruses that have more than one characteristic. They may be file viruses, or system sector viruses, or almost any of the other classes of viruses, and also be armored viruses. Basically, armored viruses are viruses that try to make disassembly of the virus exceedingly difficult. This slows down anti-virus researchers, and may extend the life span of the virus in the wild until the researchers finally find the weak spot and a new version of the antiviral package can come out. In general, these viruses are also larger, as a result of the extra code needed to armor them.

Multipartite Viruses are dual personality viruses. They have the ability to use more than one method to infect files or your system, and they often have more than one target as well. These viruses can spread in several different ways - if they can't infect your system with one method, they will simply utilize a different method.

Cavity Viruses employ a different method of attack than most viruses. Most viruses simply try to attach themselves to an executable file; cavity viruses attempt to install themselves within the file. Some program files have an empty space within them, and that is the cavity virus's target. It attempts to install itself in that space without damaging the program. However, this sort of virus is difficult to write, and is rare in the wild.

Tunneling Viruses.
One method of virus detection is an interception program, which sits in the background looking for specific actions that might signify the presence of a virus. To do this it must intercept interrupts and monitor what's going on. A tunneling virus attempts to backtrack down the interrupt chain in order to get directly to the DOS and BIOS interrupt handlers. The virus then installs itself underneath everything, including the interception program. Some anti-virus programs will attempt to detect this and then reinstall themselves under the virus.

Camouflage Viruses.
You don't hear much about this type of virus. Fortunately it is rare and, because of the way anti-virus programs have evolved, is unlikely to occur in the future.
When anti-virus scanners were based completely on signatures there was always the possibility of a false alarm when the signature was found in some uninfected file (a statistical possibility). Further, with several scanners in circulation, each had its own signature database, and one product's files, when scanned by another product, might indicate infection where there was none, simply because they included the virus identification strings. If this happened often, the public would get understandably annoyed (and frightened). In response, a scanner might therefore implement logic that, under the right circumstances, would ignore a virus signature and not issue an alarm.
While this "skip it" logic would stop the false alarms, it opened a door for virus writers to attempt to camouflage their viruses so that they included the specific characteristics the anti-virus programs were checking for and thus have the anti-virus program ignore that particular virus. Fortunately, this never became a serious threat; but the possibility existed.
Today's scanners do much more than simply look for a virus signature string. In order to identify the specific virus variant they also check the virus code and even checksum the virus code to identify it. With these cross-checks it would be extremely difficult for a virus to camouflage itself and spoof a scanner.

3. OPERATING SYSTEM
The target operating system (namely the OS-specific objects prone to attack) is the second level of division of viruses into classes. Each file or network virus infects files of one particular OS or of several: DOS, Windows 3.xx, Windows 95/98/XP/NT, OS/2 etc. Macro viruses infect Word, Excel, and Office97 format files. Boot viruses are also format oriented, each attacking one particular format of system data in the boot sectors of disks.

4. On their DESTRUCTIVE CAPABILITIES viruses can be divided as follows:

• Harmless, that is, having no effect on computing (except for some lowering of free disk space as a result of propagation).

• Not dangerous, limiting their effects to lowering of free disk space and a few graphical, sound or other effects.

• Dangerous viruses, which may seriously disrupt the computer's work.

• Very dangerous, the operating algorithms of which intentionally contain routines that may lead to loss of data, data destruction, erasure of vital information in system areas, and even, according to one unconfirmed computer legend, damage to moving mechanical parts by causing resonance in some kinds of hard disk drives.

Virus Prevention

Install anti-virus software on your computers, and ensure they are kept up to date. Because new viruses can spread extremely quickly, it is important to have an updating infrastructure in place, which can update your computers seamlessly, frequently, and at short notice. This ensures that the latest virus protection is in place against the latest threats.

Set your filtering
Consider filtering potentially malicious emails as this can provide a level of pro-active protection against new virus threats.
You could:
• Block file types that are often virus carriers
These include .EXE, .COM, .PIF, .SCR, .VBS, .SHS, .CHM and .BAT file types.

• Block any file with more than one file type extension
Some viruses attempt to disguise their true executable nature by using "double extensions". Files such as LOVE-LETTER-FOR-YOU.TXT.VBS or ANNAKOURNIKOVA.JPG.VBS may appear to be ASCII text or a harmless graphic to the inexperienced.

• Disable booting from floppy disks
Although they are not as commonly encountered as they used to be, boot sector viruses can still affect computers and yet can be easily countered. Change the CMOS boot-up sequence on PCs so that, if a floppy is left in the machine, the PC boots from drive C: by default rather than from drive A:. This should stop all pure boot sector viruses (like Form, CMOS4, AntiCMOS, Monkey, etc.) from infecting you.

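As an added example of the two e-mail filtering rules listed above (my code, not from the report), this Python classifies attachment names: it blocks the carrier extensions the report lists, and it applies the report's "more than one extension" rule, using the report's own LOVE-LETTER-FOR-YOU.TXT.VBS and ANNAKOURNIKOVA.JPG.VBS among constructed sample names. The function names and the choice of what counts as an extension-like token (one to four letters or digits) are my assumptions.

```python
import os
import re

# The file types the report lists as frequent virus carriers.
BLOCKED_EXTENSIONS = {"exe", "com", "pif", "scr", "vbs", "shs", "chm", "bat"}
# What counts as an extension-like token when looking for double extensions:
# one to four letters or digits, e.g. "txt", "jpg", "vbs" (my assumption).
EXTENSION_TOKEN = re.compile(r"^[a-z0-9]{1,4}$")


def attachment_verdict(filename):
    """Return None if the attachment passes, otherwise a short reason.
    Rule 1: the final extension is on the carrier list.
    Rule 2: the name carries more than one extension (the report's
    'double extension' rule, applied as strictly as the report states it)."""
    # Look only at the final path component, whichever separator was used.
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    # Windows drops trailing dots and spaces when it creates the file, so
    # "notes.txt." is really "notes.txt"; normalise the same way.
    base = base.rstrip(". ")
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all
    if parts[-1] in BLOCKED_EXTENSIONS:
        return "blocked extension ." + parts[-1]
    extensions = [p for p in parts[1:] if EXTENSION_TOKEN.match(p)]
    if len(extensions) > 1:
        return "double extension ." + ".".join(extensions)
    return None


def filter_attachments(filenames):
    """Split one message's attachment names into (allowed, blocked);
    blocked is a list of (name, reason) pairs for the quarantine log."""
    allowed, blocked = [], []
    for name in filenames:
        reason = attachment_verdict(name)
        if reason:
            blocked.append((name, reason))
        else:
            allowed.append(name)
    return allowed, blocked


# Constructed sample names; the first two are the report's own examples.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.VBS", "ANNAKOURNIKOVA.JPG.VBS", "invoice.pdf",
    "setup.EXE", "photo.jpg.zip", "holiday.jpg", "notes.txt.",
    "C:\\temp\\readme.chm",
]

if __name__ == "__main__":
    allowed, blocked = filter_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", allowed)
    for name, reason in blocked:
        print("blocked:", name, "->", reason)
```

Note that the name check alone does not inspect content: a gateway should also look at the attachment's actual type (for example an executable header inside a file named .txt), which the report's rules do not cover.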
Other Malicious Programs

Trojan Horse
Trojan Horses are impostors: files that claim to be something desirable but, in fact, are malicious. A very important distinction from true viruses is that they do not replicate themselves, as viruses do. Trojans contain malicious code that, when triggered, causes loss, or even theft, of data. In order for a Trojan horse to spread, you must, in effect, invite these programs onto your computers, for example by opening an email attachment. The PWSteal.Trojan is a Trojan.

Worm
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. PrettyPark.Worm is a particularly prevalent example.

References

http://www.cknow.com/vtutor/index.htm

http://www.avp.ch/avpve/classes/classes.stm

http://www.itassist.unsw.edu.au/security/antivirus/intro#intro

http://www.sophos.com/virusinfo/

http://www.timberwolfsoftware.com/avic/index.asp

http://computer.howstuffworks.com/virus.htm

keshav

New member
Thanks for this useful post.
I was searching for it but I was not getting it.
But now I have got it.
Really, thank you very much.
Keshav
A computer virus is a software program which is designed to get into a computer without the user's permission, and it can duplicate itself and distribute gradually through the whole computer. A virus can be very harmful and damage your computer very badly.