Coded Corruption - Virus Types
Viruses are more than the commonly perceived single entity of code with only the intent of destruction. There are several ways to classify viruses, such as type, origin, method of infection, location, files affected, scale of damage, and operating system. All of these are attributes common to most viruses, and based on them we can classify the actual type of virus.

The following are the most common types of viruses:
Resident Viruses

This type of virus hides permanently in RAM. From there it can control and intercept all of the operations carried out by the system, corrupting files and programs that are opened, closed, copied, renamed, etc. Resident viruses can be treated as file infector viruses. When a virus goes memory resident, it remains there until the computer is switched off or restarted, waiting for certain triggers to activate it, such as a specific date and time. In the meantime it sits and waits in hiding, unless of course an antivirus can locate and eliminate it.

Some examples of resident viruses include: Randex, CMJ, Meve, MrKlunky.
Direct Action Viruses

The principal aim of these viruses is to replicate and take action when they are run. When a specific condition is met, the virus goes into action and infects files in the directory or folder that it is in, and in the directories specified in the PATH of the AUTOEXEC.BAT file. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted. Files infected with this type of virus can be disinfected and completely restored to their original condition.
Overwrite Viruses

This type of virus is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. Infected files do not change size, unless the virus occupies more space than the original file, because instead of hiding within a file, the virus replaces the file's content. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content.

Some examples of overwrite viruses include: Way, Trj.Reboot, Trivial.88.D.
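Because an overwrite infection usually leaves the file size unchanged, a size-only check misses it. The following is an added example (not code from the original page) of a minimal file-integrity baseline that records both size and SHA-256 per file and then reports content changes separately for same-size and changed-size files. All file names and byte contents are constructed for the demonstration.

```python
# Added example (not part of the original page): a size-plus-hash integrity
# baseline. An in-place overwrite keeps the size but changes the hash, which
# is the case a size-only check would miss.
import hashlib
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]  # (size in bytes, sha256 hex digest)


def fingerprint(content: bytes) -> Fingerprint:
    """Return (size, sha256) for a file's raw bytes."""
    return len(content), hashlib.sha256(content).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Fingerprint]:
    """Record the fingerprint of every file in the known-good set."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_integrity(baseline: Dict[str, Fingerprint],
                    current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the current file set against the baseline.

    Returns sorted (name, finding) pairs, where finding is one of:
      'modified-same-size'    hash differs but size is unchanged (overwrite pattern)
      'modified-size-changed' hash and size both differ
      'missing'               file in baseline but absent now
      'new'                   file absent from baseline
    """
    findings: List[Tuple[str, str]] = []
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        cur_size, cur_digest = fingerprint(current[name])
        if cur_digest != digest:
            kind = "modified-same-size" if cur_size == size else "modified-size-changed"
            findings.append((name, kind))
    for name in current:
        if name not in baseline:
            findings.append((name, "new"))
    return sorted(findings)


# Constructed sample data: three "programs" as short byte strings.
BASELINE_FILES = {
    "CALC.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 27,  # 32 bytes
    "EDIT.COM": b"\xb4\x09\xcd\x21" + b"\x90" * 28,      # 32 bytes
    "GAME.EXE": b"MZ" + b"\x00" * 62,                     # 64 bytes
}

# Constructed "after" state: CALC.COM overwritten in place with the same
# length, GAME.EXE overwritten by something longer, EDIT.COM untouched.
CURRENT_FILES = {
    "CALC.COM": b"\xeb\xfe" + b"\xcc" * 30,               # still 32 bytes
    "EDIT.COM": BASELINE_FILES["EDIT.COM"],
    "GAME.EXE": b"MZ" + b"\xcc" * 100,                    # now 102 bytes
}


def demo() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample sets."""
    return check_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

The same-size finding is the one worth alerting on first: a legitimate update almost always changes the size, while an in-place overwrite by design does not. Because the original content is gone, the only recovery is restoring from a known-good copy, which is why the baseline should be kept alongside backups.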
Boot Sector Virus

This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information on the disk itself is stored together with a program that makes it possible to boot (start) the computer from the disk. This kind of virus does not affect files, but rather the disks that contain them. First they attack the boot sector of the disk; then, once you start your computer, the boot virus will infect the hard drive of your computer. The best way of avoiding boot sector viruses is to ensure that floppy disks are write-protected and never to start your computer with an unknown floppy disk in the disk drive.

Some examples of boot sector viruses include: Polyboot.B, AntiEXE.
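The boot sector holds both data about the disk (the partition table) and the boot code, and a boot-sector virus changes the latter while leaving the former usable. The following is an added example (not code from the original page) that parses a classic 512-byte master boot record, validates the 0x55AA boot signature, decodes the partition table, and compares a hash of the boot-code area against a known-good value. The sectors, the boot-code bytes and the partition entry are all constructed for the demonstration.

```python
# Added example (not part of the original page): integrity check of a classic
# MBR layout (446 bytes boot code, 64 bytes partition table, 2-byte signature).
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": num_sectors}


def parse_mbr(sector: bytes) -> Dict:
    """Split a sector into boot-code hash, partition list and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        entry = sector[off:off + PARTITION_ENTRY_LEN]
        if entry[4] != 0:  # partition type byte 0 means an empty slot
            partitions.append(parse_partition_entry(entry))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def check_boot_sector(sector: bytes, known_good_boot_code_hash: str) -> str:
    """Return 'ok', 'invalid-signature' or 'boot-code-changed'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid-signature"
    if info["boot_code_sha256"] != known_good_boot_code_hash:
        return "boot-code-changed"
    return "ok"


def make_sector(boot_code: bytes, partitions: List[bytes]) -> bytes:
    """Assemble a sector from boot code and up to four partition entries (constructed helper)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed partition entry: bootable, type 0x0C, starting at LBA 2048.
PART1 = struct.pack("<B3xB3xII", 0x80, 0x0C, 2048, 204800)

# Constructed stand-in for legitimate boot code (not real boot loader bytes).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = make_sector(CLEAN_BOOT_CODE, [PART1])

# The baseline hash is taken from the trusted sector when the system is known clean.
GOOD_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed tampered sector: same partition table, different boot code.
TAMPERED_MBR = make_sector(b"\xeb\xfe" + b"\xcc" * 46, [PART1])

if __name__ == "__main__":
    print("clean:", check_boot_sector(CLEAN_MBR, GOOD_HASH))
    print("tampered:", check_boot_sector(TAMPERED_MBR, GOOD_HASH))
    print("partitions:", parse_mbr(CLEAN_MBR)["partitions"])
```

A "boot-code-changed" result with an intact partition table is the pattern described in the text: the disk's data is still reachable, but the program that runs at power-on is no longer the one that was baselined. The baseline hash has to be recorded from a trusted state (for example right after installation from known media), and the remedy is to rewrite the boot code from that trusted source rather than to trust the on-disk copy.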
Macro Virus

Macro viruses infect files that are created using certain applications or programs that contain macros. These include Word documents (DOC extension), Excel spreadsheets (XLS extension), PowerPoint presentations (PPS extension), Access databases (MDB extension), Corel Draw and such. A macro is a small program that a user can associate with a file created using certain applications. These mini-programs make it possible to automate a series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one. When a document containing macros is opened, they will automatically be loaded and may be executed immediately or when the user decides to do so. The virus will then take effect by carrying out the actions it has been programmed to do, often regardless of the program's built-in macro virus protection. There is not just one type of macro virus, but one for each tool: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Access, Corel Draw, Lotus Ami Pro, etc.

Some examples of macro viruses: Relax, Melissa.A, Bablas, O97M/Y2K.
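A defender's first question about an incoming document is whether it carries macros at all. The following is an added example (not code from the original page) that checks this for the current OOXML formats, where macros live in a part named vbaProject.bin inside the document's ZIP container, and that flags the older binary OLE2 format (the DOC/XLS files the text mentions) as needing separate stream inspection. The documents below are built in memory for the demonstration.

```python
# Added example (not part of the original page): detect the presence of a VBA
# project in an OOXML document and recognise the legacy OLE2 container.
import io
import zipfile
from typing import Dict, List, Optional

# Magic bytes of the OLE2 compound file format used by legacy DOC/XLS/PPT/MDB-era files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OOXML stores VBA in word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin.
VBA_PART_SUFFIX = "vbaproject.bin"


def classify_document(data: bytes) -> Dict[str, object]:
    """Return the container format and, for OOXML, whether a VBA project is present.

    has_macros is None when the format cannot be inspected by this simple check
    (legacy OLE2 needs a stream parser; unknown formats are not documents).
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "ole2", "has_macros": None, "vba_parts": []}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"format": "unknown", "has_macros": None, "vba_parts": []}
        vba = sorted(n for n in names if n.lower().endswith(VBA_PART_SUFFIX))
        return {"format": "ooxml", "has_macros": bool(vba), "vba_parts": vba}
    return {"format": "unknown", "has_macros": None, "vba_parts": []}


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal Word-style OOXML container for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Constructed placeholder bytes; a real part holds the compiled VBA streams.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage(samples: Dict[str, bytes]) -> List[str]:
    """Summarise a batch of named samples as one line each."""
    lines = []
    for name, data in samples.items():
        info = classify_document(data)
        lines.append(f"{name}: {info['format']} macros={info['has_macros']}")
    return lines


if __name__ == "__main__":
    constructed = {
        "report.docx": build_ooxml(False),
        "invoice.docm": build_ooxml(True),
        "old.doc": OLE_MAGIC + b"\x00" * 504,
    }
    print("\n".join(triage(constructed)))
```

The check is on content, not on the file extension: a document renamed to .docx still carries its vbaProject.bin part, so the container inspection catches what the name hides. For the legacy OLE2 files this simple check only identifies the format; deciding whether they contain macros requires parsing the compound-file streams, which is where dedicated tooling takes over.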
Directory Virus

An operating system finds files by looking up the path (composed of the disk drive and directory) in which each file is stored. Directory viruses change the paths that indicate the location of a file. By executing a program (a file with the extension .EXE or .COM) which has been infected by such a virus, you are unwittingly running the virus program, while the original file and program have previously been moved by the virus. Once infected, it becomes impossible to locate the original files.
Encrypted Viruses

Encryption is a technique used by viruses so that they cannot be detected by antivirus programs. The virus encodes or encrypts itself so as to be hidden from scans; before performing its task it decrypts itself. Once it has unleashed its payload, the virus goes back into hiding.

Examples of encrypted viruses include: Elvira, Trile.
Polymorphic Virus

Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for antiviruses to find them using string or signature searches (because they are different in each encryption) and also enables them to create a large number of copies of themselves.

Some examples include: Elkern, Marburg, Satan Bug, Tuareg.
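The encrypted and polymorphic sections above both rest on the same point: a fixed byte signature taken from the virus body does not match once the body is stored encoded, and a different key per copy defeats a signature taken from any one encoded copy. The following is an added example (not code from the original page) that models this with a constructed body, a constant decoder prefix and a single-byte XOR transform, then shows the scanner's side: plain signature matching fails on every copy, while matching on the invariant decoder prefix or decoding before scanning succeeds. The body, signature and prefix bytes are constructed for the demonstration; they do not correspond to any real sample.

```python
# Added example (not part of the original page): why a body signature fails
# against re-keyed copies, and two detection approaches that still work.
from typing import Dict, List, Optional

# Constructed "virus body" and a signature cut from it.
BODY = b"CONSTRUCTED-PAYLOAD-BODY-FOR-DEMO"
SIGNATURE = b"PAYLOAD-BODY"
# Constructed stand-in for the part that stays constant across copies
# (the decoding routine); not real instruction bytes.
STUB = b"\x8a\x06\x34"


def encode_copy(body: bytes, key: int) -> bytes:
    """Model one stored copy: constant stub, the key byte, then the body XORed with the key."""
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def signature_scan(sample: bytes, sig: bytes) -> bool:
    """Classic string search for a body signature in the stored bytes."""
    return sig in sample


def stub_scan(sample: bytes, stub: bytes) -> bool:
    """Match on the invariant decoder prefix instead of the varying body."""
    return sample.startswith(stub)


def xor_decode_scan(sample: bytes, sig: bytes) -> Optional[int]:
    """Try every single-byte key and scan the decoded bytes for the signature.

    Returns the key that revealed the signature, or None if none did. This is
    the 'decode then scan' idea in its simplest form.
    """
    for key in range(1, 256):
        if sig in bytes(b ^ key for b in sample):
            return key
    return None


def demo(keys: List[int] = (0x11, 0x5A, 0xA7)) -> Dict[str, object]:
    """Build three differently keyed copies and run the three scans over them."""
    copies = [encode_copy(BODY, k) for k in keys]
    return {
        "copies_identical": len(set(copies)) == 1,
        "plain_signature_hits": sum(signature_scan(c, SIGNATURE) for c in copies),
        "stub_hits": sum(stub_scan(c, STUB) for c in copies),
        "decode_scan_keys": [xor_decode_scan(c, SIGNATURE) for c in copies],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Matching on the constant stub is what works against the encrypted viruses of the earlier section, where only the body changes. The polymorphic case in the text goes further and varies the decoding routine as well, so the stub is no longer a reliable anchor and scanners fall back on decoding or emulating the sample until the invariant body appears, which the brute-force decode above illustrates for the simplest possible transform.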
Multipartite Virus

These advanced viruses can create multiple infections using several techniques. Their objective is to attack any elements that can be infected: files, programs, macros, disks, etc. They are considered fairly dangerous due to their capacity to combine different infection techniques.

Some examples include: Ywinz.
File Infectors

This type of virus infects programs or executable files (files with an .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belong to this category, and they can be classified according to the actions that they carry out.
Companion Viruses

Companion viruses can be considered file infector viruses like the resident or direct action types. They are known as companion viruses because once they get into the system they "accompany" the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident viruses) or act immediately by making copies of themselves (direct action viruses).

Some examples include: Stator, Asimov.1539, Terrax.1069.
FAT Virus

The file allocation table, or FAT, is the part of a disk used to link the pieces of stored information together, and is a vital part of the normal functioning of the computer. This type of virus attack can be especially dangerous, as it prevents access to certain sections of the disk where important files are stored. The damage caused can result in loss of information from individual files or even entire directories.
Worms

A worm is a program very similar to a virus: it has the ability to self-replicate, it can have negative effects on your system, and, most importantly, it is detected and eliminated by antivirus software. However, worms are not strictly viruses, as they do not need to infect other files in order to reproduce. Worms can exist without damaging files, and can reproduce at rapid speeds, saturating networks and causing them to collapse. Worms almost always spread through e-mail, networks and chat (such as IRC or ICQ). They can also spread within the memory of a computer.

Some examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.
Trojans or Trojan Horses

Another unsavory breed of malicious code is the Trojan or Trojan horse, which unlike viruses does not reproduce by infecting other files, nor does it self-replicate like a worm. Trojans work in a similar way to their mythological namesake, the famous wooden horse that hid Greek soldiers so that they could enter the city of Troy undetected. They appear to be harmless programs that enter a computer through any channel. When the program is executed (they have names or characteristics which trick the user into doing so), they install other programs on the computer that can be harmful. A Trojan may not activate its effects at first, but when it does, it can wreak havoc on your system. Trojans have the capacity to delete files, destroy information on your hard drive and open up a backdoor to your system. This gives them complete access to your system, allowing an outside user to copy and resend confidential information.

Some examples of Trojans are: IRC.Sx2, Trifor.
Logic Bombs

Logic bombs are not considered viruses because they do not replicate. They are not even programs in their own right, but rather camouflaged segments of other programs. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive.
False Viruses

These messages are often mistaken for viruses but are something else entirely. It is important to know the difference between a real virus threat and a false virus. Hoaxes are not viruses; they are false messages sent by e-mail, warning users of a non-existent virus. The intention is to spread rumors, causing panic and alarm among the users who receive this kind of information. Occasionally, hoax warnings include technical terms to mislead users. On other occasions, the names of press agencies are mentioned in the heading of the warnings. In this way, the hoax author attempts to trick users into believing that they have received a warning about a real virus. Hoaxes try to fool the user into performing a series of actions to protect themselves from the virus, sometimes leading to negative results. Users are advised not to pay attention to these misleading warnings and to delete these messages once received, without forwarding them to others.