How do computer viruses work?

2nd Oct 2000
Share this content

One of our main concerns when working with technology is the threat that computer viruses pose on our equipment. Originally these viruses were thought up by computer graduates as a bit of fun, but it did not take long before these bits of fun turned into cases of malicious threat and destruction, more of a nightmare for the computer user.

So how do these viruses actually work? There are a wide variety of viruses ranging from an innocent type that simply display a message to those that can wipe every file that exists on your hard drive. There are currently more than 53,000 viruses, Trojans, and other malicious software and these are designed to travel from computer to computer and replicate themselves originally via floppy diskettes, now over the Internet and on CD-ROM's.

Definition of the term Virus

A virus is a computer program file capable of attaching itself to disks or other files and replicating itself repeatedly, usually without knowledge or permission from the user. Some viruses attach to files so when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies or creates the files.

Some viruses display symptoms, and some viruses damage files and computer systems, but neither symptoms nor damage is essential in the definition of a virus; a non-damaging virus is still a virus.

There are computer viruses written for several operating systems including DOS, Windows, Amiga, Macintosh, Atari, and UNIX, and others.

The virus is made up of two parts, the replication code that allows the virus to spread and the other part called the payload, which is usually the part that does the damage. Whoever creates the virus will then place the virus into a harmless program which is then distributed.

When you open up this program containing the virus, the replication code is automatically activated and this copies itself onto other drives on the PC and even other PC's on the same network. The same then happens within this chain. Each virus that has been copied, then does the same thing itself.

As soon as you receive a virus does not mean that it will activate straight away, some remain dormant for months, thus allowing the spread to continue without anyone knowing about it. Some viruses will operate on a trigger e.g. a date of importance, such as April 1. The rest of the virus will then be activated to perform what it was expected to do. A virus can destroy the boot record of your computer and destroy files with certain extensions. Here is a list of some of the known viruses with descriptions as to what they do.

Armored virus
An armored virus tries to prevent analysts from examining its code. The virus may use various methods to make tracing, dis-assembling and reverse engineering its code more difficult.

Bimodal virus
A bimodal virus infects both boot records and files.

An unintentional fault in a program that causes actions neither the user nor the program author intended.

Cavity virus
A cavity virus overwrites a part of its host file without increasing the length of the file while also preserving the host's functionality.

Cluster virus
Cluster viruses modify the directory table entries so the virus starts before any other program. The virus code only exists in one location, but running any program runs the virus as well. As they modify the directory, cluster viruses may appear to infect every program on a disk.

Companion virus
Companion viruses use a feature of DOS that allows software programs with the same name, but with different extensions, to operate with different priorities. Most companion viruses create a COM file which has a higher priority than an EXE file with the same name.

Direct Action virus
A direct action virus works immediately to load itself into memory, infect other files, and then to unload itself.

Encrypted virus
An encrypted virus's code begins with a decryption algorithm and continues with scrambled or encrypted code for the remainder of the virus. Each time it infects, it automatically encodes itself differently, so its code is never the same. Through this method, the virus tries to avoid detection by anti-virus software.

File viruses
File viruses usually replace or attach themselves to COM and EXE files. They can also infect files with the extensions SYS, DRV, BIN, OVL and OVY. File viruses may be resident or non-resident, the most common being resident or TSR (terminate-and-stay-resident) viruses. Many non-resident viruses simply infect one or more files whenever an infected file runs.

Logic Bomb
A logic bomb is a type of trojan horse that executes when specific conditions occur. Triggers for logic bombs can include a change in a file, by a particular series of keystrokes, or at a specific time or date.

Macro virus
A macro virus is a malicious macro. Macro viruses are written a macro programming language and attach to a document file (such as Word or Excel). When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus.

Master Boot Sector virus
Master boot sector viruses infect the master boot sector of hard disks, though they spread through the boot record of floppy disks. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy disk DOS accesses.

Memory-resident virus
A memory-resident virus stays in memory after it executes and infects other files when certain conditions are met. In contrast, non-memory-resident viruses are active only while an infected application runs.

Multipartite virus
Multipartite viruses use a combination of techniques including infecting documents, executables and boot sectors to infect computers. Most multipartite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, multipartite viruses may infect the entire system. Removing multipartite viruses requires cleaning both the boot sectors and any infected files. Before you attempt the repair, you must have a clean, write-protected Rescue Disk.

Mutating virus
A mutating virus changes, or mutates, as it progresses through its host files making disinfection more difficult. The term usually refers to viruses that intentionally mutate, though some experts also include non-intentionally mutating viruses.

Overwriting virus
An overwriting virus copies its code over its host file's data, thus destroying the original program. Disinfection is possible, although files cannot be recovered. It is usually necessary to delete the original file and replace it with a clean copy.

Polymorphic Virus
Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection from anti-virus software. Some polymorphic virus use different encryption schemes and requires different decryption routines. Thus, the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in the attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation-engine and random-number generators to change the virus code and its decryption routine.

Resident virus
A resident virus loads into memory and remains inactive until a trigger event. When the event occurs the virus activates, either infecting a file or disk, or causing other consequences. All boot viruses are resident viruses and so are the most common file viruses.

Self-encrypting virus
Self-encrypting viruses attempt to conceal themselves from anti-virus programs. Most anti-virus programs attempt to find viruses by looking for certain patterns of code (known as virus signatures) that are unique to each virus. Self-encrypting viruses encrypt these text strings differently with each infection to avoid detection.

Self-garbling viruses
A self-garbling virus attempts to hide from anti-virus software by garbling its own code. When these viruses spread, they change the way their code is encoded so anti-virus software cannot find them. A small portion of the virus code decodes the garbled code when activated.

Stealth virus
Stealth viruses attempt to conceal their presence from anti-virus software. Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a clean image of the requested item. Other viruses hide the actual size of an infected file and display the size of the file before infection.

Time Bomb
Usually malicious action triggered at a specific date or time.

Trojan Horse
A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive.
Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.

A virus technique designed to prevent anti-virus applications from working correctly. Anti-virus programs work by intercepting the operating system actions before the OS can execute a virus. Tunneling viruses try to intercept the actions before the anti-virus software can detect the malicious code. New anti-virus programs can recognize many viruses with tunneling behavior.

Worms are parasitic computer programs that replicate, but unlike viruses, do not infect other computer program files. Worms can create copies on the same computer, or can send the copies to other computers via a network. Worms often spread via IRC (Internet Relay Chat).

A collection of viruses used for testing by researchers.

Zoo Virus
A zoo virus exists in the collections of researchers and has never infected a real world computer system.

The most common antivirus software applications are Sophos and McAfee, even though there are many about, it is worth visiting these sites for further information to prevent virus attacks.


Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.