Types of Viruses Scheme-1-1
A virus is a program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves. All
computer viruses are man-made. A simple virus that does nothing but make a copy of itself
over and over again is relatively easy to produce. Even such a simple virus is dangerous,
because it can quickly use all available memory or disk space and bring the system to a halt. An
even more dangerous type of virus is one capable of transmitting itself across
networks and bypassing security systems.
Types of viruses
Boot viruses: These viruses infect the boot record of floppy disks or the master boot
record (MBR) of hard disks. They replace the boot record program (which is responsible for
loading the operating system into memory), copying the original elsewhere on the disk or
simply overwriting it. A boot virus loads into memory whenever the computer boots, or
attempts to boot, from an infected disk; a forgotten floppy left in the drive is enough.
Examples: Form, Disk Killer, Michelangelo, and Stoned.
A boot sector virus (BSV) infects the boot sector on a diskette. Normally the boot sector
contains code to load the operating system files. The BSV replaces the original boot sector
with itself and either stores the original boot sector somewhere else on the diskette or
simply overwrites it. When a computer is later booted from this diskette, the virus takes
control and hides in RAM. It then loads and executes the original boot sector, and
from then on everything appears to be as usual, except, of course, that every diskette
inserted in the computer will be infected with the virus unless it is write-protected.
A BSV will usually hide at the top of memory, reducing the amount of memory that
DOS sees. For example, a computer with 640K might appear to have only 639K.
Many BSVs are also able to infect hard disks, where the process is similar to that
described above, although they may infect the master boot record instead of the DOS
boot record.
Boot-Sector Viruses:
When a computer boots (or starts), it reads the boot sector of the hard disk before
loading the operating system or any other startup files. A boot-sector virus is
designed to replace the information in the hard disk's boot sectors with its own code.
When a computer is infected with a boot-sector virus, the virus code is read into
memory before anything else. Once the virus is in memory, it can replicate itself onto
any other disks that are used in the infected computer.
The Form, Michelangelo, Junkie, and Ohio viruses are examples of this type
of virus.
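As an added illustration of the boot-sector mechanics described in the two passages above (this is example code written for this page, not anything from the original handout or from any real virus), the following Python models what an integrity checker for a master boot record does: it checks the 55AA boot signature, compares the bootstrap code region against a hash recorded from a known-clean copy, and sweeps a small disk image for other sectors that also end in 55AA, which is where a BSV often stashes the original boot record. The sector contents, the single partition table entry and the eight-sector image are constructed sample data; the "virus" sector is only a relabelled stub, and the layout constants are the standard MBR offsets.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE      # four 16-byte entries follow the bootstrap code
BOOT_SIGNATURE = 0xAA55             # bytes 55 AA at offset 510, read as a little-endian word
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3xB3xII")

# Constructed sample data: a few x86 prologue bytes followed by a label. Not real boot code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN BOOTSTRAP (constructed sample)"
VIRUS_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"BSV STUB THAT LOADS ORIGINAL (constructed)"
PARTITIONS = PARTITION_ENTRY.pack(0x80, 0x06, 63, 2_048_000) + b"\x00" * 48  # one bootable FAT16 entry


def build_sector(code: bytes, partitions: bytes = b"\x00" * 64) -> bytes:
    """Assemble a 512-byte MBR: bootstrap code, partition table, 55AA signature."""
    code = code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    return code + partitions + struct.pack("<H", BOOT_SIGNATURE)


def clean_sector() -> bytes:
    return build_sector(CLEAN_CODE, PARTITIONS)


def infected_sector() -> bytes:
    # A BSV keeps the partition table and the signature intact so the disk still works;
    # only the code region changes.
    return build_sector(VIRUS_CODE, PARTITIONS)


def code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


BASELINE_HASH = code_hash(clean_sector())   # recorded once, from a known-clean system


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition table entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = PARTITION_ENTRY.unpack_from(sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def check_boot_sector(sector: bytes, baseline: str) -> dict:
    """Integrity check of one boot sector against a baseline hash of its code region."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
    elif struct.unpack_from("<H", sector, 510)[0] != BOOT_SIGNATURE:
        findings.append("55AA boot signature missing")
    if len(sector) >= PARTITION_TABLE_OFFSET and code_hash(sector) != baseline:
        findings.append("bootstrap code differs from baseline")
    return {"ok": not findings, "findings": findings}


def build_disk_image() -> bytes:
    """Constructed 8-sector image: infected MBR in sector 0, original stashed in sector 7."""
    return b"".join([infected_sector()] + [b"\x00" * SECTOR_SIZE] * 6 + [clean_sector()])


def find_boot_like_sectors(image: bytes) -> list:
    """Sectors ending in 55AA: a second hit is often the relocated original boot record."""
    hits = []
    for i in range(len(image) // SECTOR_SIZE):
        sector = image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        if struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(check_boot_sector(clean_sector(), BASELINE_HASH))
    print(check_boot_sector(infected_sector(), BASELINE_HASH))
    print(find_boot_like_sectors(build_disk_image()))
```

The check compares only the code region, because the partition table legitimately changes when disks are repartitioned and a BSV leaves it alone anyway. Such a check has to be run after booting from a clean, write-protected disk: a resident BSV that redirects disk reads can hand the checker the stashed original sector instead of the infected one.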
A boot-sector virus can cause the following problems:
In Windows 3.x, 32-bit file or disk access may not work.
You may not be able to create a permanent swap file in Windows 3.1 or Windows
for Workgroups version 3.1x.
The CHKDSK tool may report that conventional memory stops at 638K rather than at 640K.
By Balirwa Moses
You may receive the following error message as your computer starts:
"Bad or missing command interpreter. Enter name of command interpreter."
Program viruses: These infect executable program files, such as those with
extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver).
These programs are loaded into memory when they are executed, taking the virus with them.
The virus then becomes active in memory, making copies of itself and infecting further files on
disk. Examples: Sunday, Cascade.
Stealth viruses: These viruses use techniques to avoid detection while they are
resident in memory. They may redirect a disk read so that the head reads another sector
instead of the one in which they reside, or they may alter the file size reported in a
directory listing so that an infected file appears to have its original size. For instance,
the Whale virus adds 9216 bytes to an infected file and then subtracts the same 9216 bytes
from the size given in the directory listing. Because the virus intercepts the very system
calls that anti-virus and system software use to look at the disk, such checks must be
made after booting from a known-clean, write-protected disk, where the virus is not in
memory. Examples: Frodo, Joshi, Whale.
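To make the Whale-style size trick and its countermeasure concrete, here is an added example in Python (written for this page; it is not code from the handout or from the Whale virus). It models raw disk storage, a stealth hook that sits between the system's directory and read calls and the disk, and two checkers: one that runs under the infected system and is fooled, and a cross-view check that compares the hooked answers with what is actually on disk, which is what a scanner sees after booting from a clean, write-protected disk. The host program bytes and the 9216-byte virus body are constructed sample data.

```python
import hashlib

VIRUS_BODY = b"CONSTRUCTED-STEALTH-VIRUS-BODY".ljust(9216, b"\x90")   # 9216 bytes, like Whale
CLEAN_PROGRAM = b"CONSTRUCTED HOST PROGRAM (stands in for a .COM file)"


class RawDisk:
    """What is really stored on disk (what a scanner sees after a clean boot)."""

    def __init__(self):
        self.files = {}

    def write(self, name: str, data: bytes) -> None:
        self.files[name] = data

    def read(self, name: str) -> bytes:
        return self.files[name]

    def size(self, name: str) -> int:
        return len(self.files[name])


def infect(disk: RawDisk, name: str) -> None:
    """Append the virus body to the host; the body itself serves as the infection marker."""
    data = disk.read(name)
    if not data.endswith(VIRUS_BODY):
        disk.write(name, data + VIRUS_BODY)


class StealthView:
    """Models a resident stealth virus filtering the DOS calls that look at the disk."""

    def __init__(self, disk: RawDisk):
        self.disk = disk

    def listed_size(self, name: str) -> int:
        size = self.disk.size(name)
        if self.disk.read(name).endswith(VIRUS_BODY):
            size -= len(VIRUS_BODY)          # hide the growth in directory listings
        return size

    def read(self, name: str) -> bytes:
        data = self.disk.read(name)
        if data.endswith(VIRUS_BODY):
            return data[:-len(VIRUS_BODY)]   # hand back the original bytes on read
        return data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checker_on_infected_system(view: StealthView, name: str, baseline_size: int, baseline_hash: str) -> bool:
    """Size/hash checker running under the infected OS: every call goes through the hook."""
    return view.listed_size(name) == baseline_size and sha256(view.read(name)) == baseline_hash


def cross_view_check(disk: RawDisk, view: StealthView, name: str) -> dict:
    """Compare the hooked view with raw storage; any difference reveals something hiding."""
    hidden = disk.size(name) - view.listed_size(name)
    return {"listed": view.listed_size(name), "raw": disk.size(name),
            "hidden_bytes": hidden, "suspicious": hidden != 0}


def demo() -> dict:
    disk = RawDisk()
    disk.write("PROG.COM", CLEAN_PROGRAM)
    baseline_size, baseline_hash = disk.size("PROG.COM"), sha256(disk.read("PROG.COM"))
    infect(disk, "PROG.COM")
    view = StealthView(disk)
    return {
        "checker_fooled": checker_on_infected_system(view, "PROG.COM", baseline_size, baseline_hash),
        "cross_view": cross_view_check(disk, view, "PROG.COM"),
        "raw_hash_changed": sha256(disk.read("PROG.COM")) != baseline_hash,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the hook fools a hash check as well as a size check, because the checker reads the file through the same intercepted call. The only reliable view is the raw one, obtained with the virus out of memory.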
Polymorphic viruses: A polymorphic virus encrypts its body with a different key in each
infection and also varies the small decryption routine that precedes the body, so that no
fixed sequence of bytes appears in every copy. Such viruses are harder to detect with simple
byte-pattern signatures; a scanner must instead recognise the general shape of the decryptor
or emulate it until the constant body is exposed.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101.
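The following added Python example (written for this page; not the handout's own code and not a real polymorphic engine) shows why polymorphism defeats simple pattern matching and how emulation gets around it. A constant payload is encoded with a freshly chosen operation (XOR, ADD or SUB), key and junk prefix for each "generation"; a plain byte scanner finds the signature in none of the copies, while a scanner that first executes the small decryptor header finds it in all of them. The payload, the three-byte decryptor header and the signature are constructed stand-ins.

```python
import random

PAYLOAD = b"CONSTRUCTED-POLYMORPHIC-BODY: this text stands in for the constant virus code"
SIGNATURE = b"CONSTRUCTED-POLYMORPHIC-BODY"   # what a scanner looks for in the decrypted body

# Three interchangeable encodings. The generator picks one, a key and some junk bytes per copy,
# so both the decryptor header and the encrypted body differ from copy to copy.
OP_XOR, OP_ADD, OP_SUB = 1, 2, 3


def encode(body: bytes, op: int, key: int) -> bytes:
    if op == OP_XOR:
        return bytes(b ^ key for b in body)
    if op == OP_ADD:
        return bytes((b + key) & 0xFF for b in body)
    return bytes((b - key) & 0xFF for b in body)


def decode(body: bytes, op: int, key: int) -> bytes:
    inverse = {OP_XOR: OP_XOR, OP_ADD: OP_SUB, OP_SUB: OP_ADD}[op]
    return encode(body, inverse, key)


def make_generation(rng: random.Random) -> bytes:
    """One new copy: [op][key][junk_len][junk...][encrypted body]."""
    op = rng.choice([OP_XOR, OP_ADD, OP_SUB])
    key = rng.randrange(1, 256)          # never 0, which would leave the body in clear
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
    return bytes([op, key, len(junk)]) + junk + encode(PAYLOAD, op, key)


def static_scan(sample: bytes) -> bool:
    """Plain byte-pattern scanner: looks for the signature in the bytes as stored."""
    return SIGNATURE in sample


def emulated_scan(sample: bytes) -> bool:
    """Run the decryptor (here: interpret the header) and scan the result."""
    op, key, junk_len = sample[0], sample[1], sample[2]
    if op not in (OP_XOR, OP_ADD, OP_SUB):
        return False
    body = decode(sample[3 + junk_len:], op, key)
    return SIGNATURE in body


def compare_scanners(count: int = 20, seed: int = 1234) -> dict:
    rng = random.Random(seed)
    samples = [make_generation(rng) for _ in range(count)]
    return {
        "copies": count,
        "static_hits": sum(static_scan(s) for s in samples),
        "emulated_hits": sum(emulated_scan(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_scanners())
```

The scanner's knowledge of the decryptor format stands in for a real emulator stepping through x86 instructions until the body has been written back in clear; the principle is the same. A weaker but cheaper approach is to match the decryptor's structure itself (here, a valid op byte followed by a key and a junk length), which is what the "general shape" heuristics mentioned above do.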
Macro Viruses: A macro virus infects the macros stored within a document or template
rather than an executable file. When you open an infected word processing or
spreadsheet document, the macro virus is activated and copies itself into the global template
(Normal.dot in Microsoft Word), a general-purpose file that stores default document formatting
settings and macros. Every document you subsequently open or create refers to the Normal
template, and so gets infected in turn. Since the virus travels inside ordinary documents, the
infection spreads whenever such documents are opened on other computers.
Examples: DMV, Nuclear, Concept (also known as Word Concept).
ActiveX: ActiveX and Java controls will soon be the scourge of computing. An ActiveX
control is ordinary native code that runs with the full privileges of the user who is
browsing; a Java applet runs inside a restricted sandbox, which limits but does not remove
the risk. Most people do not know how to configure their web browser to enable or disable
such content, or related functions like playing sound or video, and so, by default, leave a
large hole in their security by allowing downloaded applets and controls free run of their
machine. There has been a lot of commotion about this, and with the amount of power that
such code is given, things look rather gloomy from the security angle.
These are just a few broad categories. There are many more specialised types, but let us
not go into that. We are here to learn to protect ourselves, not to write a thesis on computer
virus classification.
Viruses vs Trojans
The definition of a virus given at the start of this document is somewhat simplified and
does not cover all virus types, but it is sufficient to show the major difference between
viruses and so-called "Trojan" programs: the virus replicates, the Trojan does not. (The
definition does not cover the so-called "companion" viruses, which do not modify the host
program at all but place a file of their own where it will be run in place of the original.)
Trojan
Trojan Horse Programs: A Trojan horse program is not a virus. The key distinction
between a virus and a Trojan horse program is that a Trojan horse program does not
replicate itself; it relies on the user running it, and then does something the user did not
ask for, such as destroying information on the hard disk.
A Trojan horse program disguises itself as a legitimate program such as a game or
utility. It often looks and initially acts like a legitimate program, but once it is
executed it can destroy or scramble data. A Trojan horse program can carry a virus,
but it is not a virus itself.
The AIDS Information, Twelve Tricks A and B, and Darth Vader programs are
examples of Trojan horse programs.
Warheads
Viruses and Trojans may contain a "time bomb", a payload intended to destroy programs or
data on a specific date or when some other condition has been fulfilled.
A time bomb is often designed to be harmful, perhaps doing something like formatting
the hard disk. Sometimes it is relatively harmless, perhaps slowing the computer
down every Friday or making a ball bounce around the screen. However, there is
really no such thing as a harmless virus. Even if a virus was intended to cause no
damage, it may do so in certain cases, often because of a mistake by the virus writer or
because of hardware or software revisions the writer did not anticipate.
A Harmless Virus?
A virus may be modified, either by the original author or someone else, so that a more
harmful version of it appears. It is also possible that the modification produces a less
harmful virus, but that has only rarely happened.
The damage caused by a virus may consist of the deletion of data or programs, maybe
even reformatting of the hard disk, but more subtle damage is also possible. Some
viruses may modify data or introduce typing errors into text. Other viruses may have
no intentional effects other than just replicating.
Fast and Slow Infectors - Fast and slow infectors infect a computer in a particular way to
try to avoid being detected by anti-virus software. A fast infector, once resident, infects
not only programs that are executed but every program file that is merely opened or read;
an on-demand scan of the disk with the virus in memory then infects every file the scanner
touches. A slow infector does the opposite and infects only files that are being created or
legitimately modified, so that integrity checkers, which expect those files to change, do
not raise an alarm.
Virus Types
Two different groups of viruses occur on PCs: boot sector viruses (BSVs) and program
viruses, although a few viruses, called multipartite viruses, belong to both groups.
Program Viruses
Program viruses, the second type of computer viruses, infect executable programs,
usually .COM and .EXE files, but sometimes also overlay files. An infected program
will contain a copy of the virus, usually at the end, but in some cases at the beginning
of the original program.
When an infected program is run, the virus may stay resident in memory and infect
every program that is run afterwards. Viruses using this method to spread the infection are
called "Resident Viruses".
Other viruses search for a new file to infect each time an infected program is
executed, and then transfer control to the original program. Viruses using this
method to spread the infection are called "Direct Action Viruses". It is possible for a
virus to use both methods of infection.
Most viruses try to recognise existing infections, so that they do not infect what has
already been infected. This makes it possible to inoculate against a specific virus by
making the "victim" file appear to be already infected, for example by planting the marker
that virus looks for. However, this method is useless as a general defence, because
different viruses look for different markers and it is not possible to inoculate the same
program against all of them.
In general, viruses are rather unusual programs, rather simple, but written just like any
other program. It does not take a genius to write one - any average assembly language
programmer can easily do it. Fortunately, few of them do.
A computer virus is executable code designed to replicate itself and to avoid detection.
A virus may try to avoid detection by disguising itself as, or hiding inside, a legitimate program.
Viruses are often rewritten and adjusted so that they will not be detected, so anti-virus
programs must be updated continuously to look for new and modified viruses. Viruses
are the number-one method of computer vandalism.
Viruses are made to corrupt or scramble data on a computer's hard disk: in the file
allocation table (FAT), the boot sector, data files, or program files.
At the time of writing there were over 5000 known viruses, and new virus strains continue
to show up regularly. The rate of virus infection is also increasing.
File-Infecting Viruses: This is the most common type of virus. A file-infecting virus
attaches itself to an executable program file by adding its own code to the executable
file. The virus code is usually added in such a way that the program still runs normally,
so the infection goes unnoticed. When the infected file is run, the virus can attach itself
to other executable files. Files infected by this type of virus usually have a .COM, .EXE,
or .SYS extension.
Some file-infecting viruses are designed for specific programs. Program types that
are often targeted are overlay (.OVL) files and dynamic-link library (DLL) files.
Although these files are not executed directly, they are called by executable files, and
the virus is activated when the call is made.
Damage to data occurs when the virus is triggered. A virus can be triggered when an
infected file is executed, or when a particular environment setting is met (such as a
specific system date).
The Friday the 13th, Enigma, Loki, and Nemesis viruses are examples of this type of
virus.
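As an added example covering both the Program Viruses section above (appending infectors, infection markers, inoculation) and the file-infecting description here, the following Python code models an appending infector on a toy executable format invented for this page: a "TOYX" header with an entry offset and a two-byte marker slot, nothing like a real .COM or .EXE. It is not code from the handout or from any real virus. It shows the body being appended and the entry point redirected while the original entry is kept so the host still runs, the marker that stops double infection, why planting that marker inoculates against this one virus only, and that a simple signature scan and a hash baseline both notice the change.

```python
import hashlib
import struct

# Constructed toy executable format (not a real one):
#   header = magic "TOYX", 32-bit entry offset, 2-byte slot the virus uses as its infection marker
HEADER = struct.Struct("<4sI2s")
MAGIC = b"TOYX"
MARKER = b"VX"                                      # the "already infected" mark this toy virus checks
VIRUS_BODY = b"CONSTRUCTED-APPENDED-VIRUS-BODY"     # stands in for the virus code
SIGNATURE = b"APPENDED-VIRUS"                       # what a scanner would search for


def build_host(code: bytes) -> bytes:
    return HEADER.pack(MAGIC, HEADER.size, b"\x00\x00") + code


def parse_header(host: bytes):
    magic, entry, marker = HEADER.unpack_from(host, 0)
    if magic != MAGIC:
        raise ValueError("not a TOYX file")
    return entry, marker


def infect(host: bytes) -> bytes:
    """Appending infector: body goes at the end, entry is redirected, original entry is saved."""
    entry, marker = parse_header(host)
    if marker == MARKER:
        return host                                  # already infected (or inoculated): leave alone
    tail = VIRUS_BODY + struct.pack("<I", entry)     # virus keeps the real entry so the host still runs
    return HEADER.pack(MAGIC, len(host), MARKER) + host[HEADER.size:] + tail


def inoculate(host: bytes) -> bytes:
    """Plant only the marker, so this particular virus believes the file is already its own."""
    entry, _ = parse_header(host)
    return HEADER.pack(MAGIC, entry, MARKER) + host[HEADER.size:]


def run(host: bytes) -> tuple:
    """Emulate execution: follow the entry; a virus body hands control back to the saved entry."""
    entry, _ = parse_header(host)
    if host[entry:entry + len(VIRUS_BODY)] == VIRUS_BODY:
        original = struct.unpack_from("<I", host, entry + len(VIRUS_BODY))[0]
        return ("virus ran first, then host at", original)
    return ("host ran at", entry)


def signature_scan(host: bytes) -> bool:
    return SIGNATURE in host


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    clean = build_host(b"HOST PROGRAM CODE (constructed)")
    baseline = sha256(clean)                         # recorded while the file is known clean
    infected = infect(clean)
    inoculated = inoculate(clean)
    return {
        "clean_run": run(clean),
        "infected_run": run(infected),
        "growth": len(infected) - len(clean),
        "double_infection_blocked": infect(infected) == infected,
        "inoculation_holds": infect(inoculated) == inoculated,
        "signature_on_infected": signature_scan(infected),
        "signature_on_inoculated": signature_scan(inoculated),
        "integrity_flags_infected": sha256(infected) != baseline,
        "integrity_flags_inoculated": sha256(inoculated) != baseline,   # inoculation itself alters the file
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The inoculation result is the point made above: the marker stops this virus and only this virus, and a second virus with a different marker would infect the inoculated file just the same. The integrity check, by contrast, needs no knowledge of any virus, but it also flags the inoculation itself and any legitimate update, so the baseline has to be re-recorded whenever a program changes for a good reason.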
Worms and Trojans are closely related to viruses. A worm is a self-contained program that
makes copies of itself, typically from one computer to another across a network, rather than
inserting itself into other files as a virus does. A Trojan is a program that installs itself
on a computer under a false pretence; a common kind opens a back door so that the computer can
be controlled remotely. The Trojan itself is often not damaging at first, but it is usually
accompanied or followed by other damaging programs.