Types of Computer Viruses
There are about 55,000 known viruses today, and the number grows constantly as new and previously unknown types appear, which makes classifying them harder every year. Viruses are usually classified by three basic features: where they reside, the operating system they target, and the algorithms they use. Under these three classifications the Chernobyl (CIH) virus, for example, is a file infector, a Windows virus and a resident virus. What each of these terms means is explained below.
Where the virus resides
File Infectors
These are viruses that attach themselves to (or replace) .COM and .EXE files, although some can also infect files with the extensions .SYS, .DRV, .BIN, .OVL and .OVY. With this type of virus, uninfected programs usually become infected when they are executed while the virus is in memory. In other cases they are infected merely when they are accessed (for example, when a directory listing is taken with the DOS DIR command), or the virus simply infects all of the files in the directory it is run from (a direct infector).
File infectors fall into three groups.
Viruses of the first group are called overwriting viruses, because they write their code over the beginning of the infected file and destroy its original contents. Such viruses are primitive: the host program no longer works, so the infection is noticed very quickly.
The second group is the parasitic viruses. The infected file keeps working, fully or partly, but its contents are changed: the virus copies itself into the beginning, the middle or the end of the file and redirects execution to its own code. A sub-type, the cavity virus, writes its code into regions of the file that are known not to be used (padding or alignment gaps), so that the file's size does not change.
The third group is the companion viruses. They do not change the host file at all; instead they create a companion file that is run in its place, so that starting the infected program actually starts the virus first. For example, companion viruses for DOS exploit the fact that, when a command is typed without an extension, DOS first looks for a .COM file and only if none is found runs the .EXE file. The virus creates a file with the same name as the target and the extension .COM and copies itself into it. When the user starts the program, DOS runs the .COM file containing the virus first, and the virus then starts the original .EXE file.
Sometimes a companion virus renames the file being infected and writes its own code into a new file with the old name. For example, XCOPY.EXE is renamed XCOPY.EXD and the virus writes itself into a new XCOPY.EXE. When this file is started, the computer runs the virus code first, and the virus then starts the original XCOPY, saved as XCOPY.EXD. Viruses of this kind have been found not only under DOS but also under Windows and OS/2.
Creating a same-name file is not the only technique. There is a subgroup of companion viruses called path-companion viruses, which use the DOS PATH: the ordered list of directories searched for a command. The virus copies itself under the same name as the target into a directory that is searched earlier (the current directory or an earlier PATH entry), so that DOS finds the file containing the virus first.
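The two companion tricks above both rely on DOS's command search order rather than on modifying any file, so the check for them is a check of that search order. The following Python simulation is an added example, not code from the original article: it implements the real DOS resolution rules (current directory first, then each PATH entry in order; inside a directory .COM beats .EXE beats .BAT) over a constructed, in-memory stand-in for the disk, and lists every program that is shadowed by a same-name file found earlier in the search. The directory names, file names and the hypothetical disk layout are all assumptions made for the illustration.

```python
from collections import defaultdict

# DOS precedence for a bare command name: .COM, then .EXE, then .BAT
EXT_ORDER = (".COM", ".EXE", ".BAT")


def split_name(filename):
    """'XCOPY.EXE' -> ('XCOPY', '.EXE'); DOS names are case-insensitive."""
    base, dot, ext = filename.upper().rpartition(".")
    return (base, "." + ext) if dot else (filename.upper(), "")


def resolve(command, cwd, path_dirs, fs):
    """Return the file DOS would execute for a bare `command`, or None.
    The current directory is searched first, then each PATH entry in order,
    and inside each directory .COM beats .EXE beats .BAT.
    `fs` is a constructed stand-in for the disk: directory -> file names."""
    name = command.upper()
    for directory in [cwd, *path_dirs]:
        present = {f.upper() for f in fs.get(directory, ())}
        for ext in EXT_ORDER:
            if name + ext in present:
                return f"{directory}\\{name}{ext}"
    return None


def companion_suspects(cwd, path_dirs, fs):
    """The check an administrator or scanner would run: list every program
    that is shadowed, i.e. would NOT be the one started when its bare name
    is typed. Returns sorted (name, file that wins, file that is shadowed)."""
    by_name = defaultdict(list)
    for directory in [cwd, *path_dirs]:
        for f in fs.get(directory, ()):
            base, ext = split_name(f)
            if ext in EXT_ORDER:
                by_name[base].append(f"{directory}\\{base}{ext}")
    suspects = []
    for base, paths in by_name.items():
        if len(paths) < 2:
            continue
        winner = resolve(base, cwd, path_dirs, fs)
        suspects.extend((base, winner, p) for p in paths if p != winner)
    return sorted(suspects)


# Constructed sample disk and PATH, not taken from any real system.
PATH = ["C:\\UTIL", "C:\\DOS"]
CLEAN_FS = {
    "C:\\WORK": {"REPORT.TXT"},
    "C:\\UTIL": {"PKZIP.EXE"},
    "C:\\DOS": {"XCOPY.EXE", "FORMAT.COM"},
}

# Three companion infections, simulated purely by adding files:
#   XCOPY.COM  beside XCOPY.EXE  (classic .COM/.EXE companion)
#   FORMAT.COM in C:\UTIL, searched before the real C:\DOS\FORMAT.COM (path companion)
#   PKZIP.COM  in the current directory, searched before any PATH entry
INFECTED_FS = {d: set(files) for d, files in CLEAN_FS.items()}
INFECTED_FS["C:\\DOS"].add("XCOPY.COM")
INFECTED_FS["C:\\UTIL"].add("FORMAT.COM")
INFECTED_FS["C:\\WORK"].add("PKZIP.COM")

if __name__ == "__main__":
    for cmd in ("XCOPY", "FORMAT", "PKZIP"):
        print(cmd, "->", resolve(cmd, "C:\\WORK", PATH, CLEAN_FS),
              "| infected:", resolve(cmd, "C:\\WORK", PATH, INFECTED_FS))
    for name, winner, shadowed in companion_suspects("C:\\WORK", PATH, INFECTED_FS):
        print(f"{name}: {winner} shadows {shadowed}")
```

The same search-order reasoning applies to any system that resolves a bare name through an ordered list of locations; the DOS .COM/.EXE rule is just the instance the text describes.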
Boot viruses
Boot Sector Infectors
Every logical drive, both hard disk and floppy, contains a boot sector; this is true even of disks that are not bootable. The boot sector holds information about the formatting of the disk and the data stored on it, and also a small program, the boot program, which loads the DOS system files. It is this program that displays the familiar "Non-System disk or disk error" message when the system files are not present, and it is this program that boot viruses infect. You get a boot sector virus by leaving an infected diskette in the drive and rebooting the machine: when the boot sector program is read and executed, the virus goes into memory and infects the hard drive. Remember that because every disk has a boot sector, it is possible (and common) to be infected from a plain data disk. Note: both floppy diskettes and hard drives contain boot sectors.
Master Boot Record Infectors
The first physical sector of every hard disk (head 0, cylinder 0, sector 1) contains the disk's Master Boot Record and partition table. The Master Boot Record holds a small program, the master boot program, which looks up the partition table for the starting location of the bootable (active) partition and then transfers control to whatever code it finds there. Assuming the disk is set up properly, what it finds at that location (traditionally head 1, cylinder 0, sector 1 for the first DOS partition) is a valid boot sector. On floppy disks, which have no MBR, these same viruses infect the boot sector. You get a Master Boot Record virus in exactly the same manner as a boot sector virus: by leaving an infected diskette in the drive and rebooting the machine. When the boot sector program is read and executed, the virus goes into memory and infects the MBR of the hard drive. Again, because every disk has a boot sector, it is possible (and common) to be infected from a data disk.
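An MBR infector replaces the master boot program but leaves the partition table alone, since the machine must still boot for the virus to survive. That footprint (table intact, code changed) is exactly what a forensic check looks for. The Python below is an added example, not code from the original article: it parses a 512-byte MBR image (boot code at bytes 0 to 445, four 16-byte partition entries at 446, the 0x55AA signature at 510), decodes the packed cylinder/head/sector fields, finds the active partition, and compares the boot code against a known-good hash. The sample images are constructed here: the "clean" boot code is just the first instructions of the classic DOS master boot program padded with zeros, and the "infected" one is a stand-in of different bytes, not real virus code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: master boot program
TABLE_OFFSET = 446             # 4 entries x 16 bytes
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def decode_chs(raw):
    """3-byte CHS field -> (cylinder, head, sector). Byte 0 is the head,
    byte 1 holds the sector in bits 0-5 and cylinder bits 8-9 in bits 6-7,
    byte 2 holds cylinder bits 0-7."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, raw[0], raw[1] & 0x3F


def encode_chs(cylinder, head, sector):
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def parse_mbr(data):
    """Parse a 512-byte MBR image into its boot-code hash and partition table."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = data[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:           # empty slot
            continue
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def active_partition(parsed):
    """The partition the master boot program would hand control to."""
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def check_mbr(data, baseline_boot_code_sha256):
    """Forensic check: boot code that no longer matches the known-good image
    while the partition table still parses is the classic MBR-infector footprint."""
    parsed = parse_mbr(data)
    findings = []
    if parsed["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions")
    return findings


def build_mbr(boot_code, entries):
    """Assemble a 512-byte image from boot code and
    (status, type, chs_start, chs_end, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, encode_chs(*chs_s), ptype, encode_chs(*chs_e), lba, n)
        for status, ptype, chs_s, chs_e, lba, n in entries
    ).ljust(64, b"\x00")
    return boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed images. Clean boot code: first instructions of the classic DOS
# master boot program (cli / xor ax,ax / mov ss,ax / mov sp,7C00h), zero padded.
CLEAN_BOOT_CODE = bytes.fromhex("FA33C08ED0BC007C")
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [
    (0x80, 0x06, (0, 1, 1), (99, 15, 63), 63, 100 * 16 * 63 - 63),  # FAT16, active
])
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# 'Infected': different boot code (just filler bytes, not real virus code), same table.
INFECTED_MBR = b"\xEB\x3C\x90".ljust(BOOT_CODE_LEN, b"\x90") + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    print(active_partition(parse_mbr(CLEAN_MBR)))
    print("clean:", check_mbr(CLEAN_MBR, CLEAN_BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, CLEAN_BASELINE))
```

To use this on a real disk, read the first 512 bytes of the raw device into `data` and record the boot-code hash of a known-clean install as the baseline; the comparison is only meaningful against a baseline taken from the same boot loader.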
Multi-partite Viruses
Multipartite viruses combine the types listed above: they infect both files and MBRs, or both files and boot sectors. Such viruses are currently rare, but their number is growing steadily.
Macro Viruses
Until recently, the macro languages included with most applications were not powerful or robust enough to support writing an effective virus. However, many of the more advanced applications being developed today include built-in programming capabilities that rival some of the larger development packages. This has been demonstrated by the various strains of Microsoft Word viruses, including the so-called Word Concept and Word Nuclear viruses. These viruses travel inside Microsoft Word documents. When such a document is opened in Word, its macros run and, among other actions, copy themselves into the user's installation of Word (the global template, NORMAL.DOT), so that every document created or saved afterwards is infected.
A further concern is that macro viruses can be cross-platform. The Word Concept virus has the distinction of being the first prominent cross-platform virus, because it infects both Windows and Macintosh installations of Word.
Because most application macro languages can pass execution to an external shell, such as COMMAND.COM or CMD.EXE, the power of a macro virus is not limited by the constraints of the macro language itself.
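What makes a macro virus a virus is the combination of the two things just described: a macro the application runs by itself (AutoOpen and its relatives) and code that copies macros into the global template or shells out. The Python below is an added example, not code from the original article, of the keyword heuristic a scanner applies to macro source text to flag that combination; tools such as olevba do the same after first extracting the macros from the document, a step this example skips by working on source text directly. The capability names and the two constructed macro samples (written in WordBasic and VBA style, not taken from any real virus) are assumptions made for the illustration.

```python
import re

# Macros the application runs on its own when a document is opened, created
# or closed: the hook a macro virus needs to start without any user action.
AUTO_EXEC = ("AutoExec", "AutoOpen", "AutoNew", "AutoClose",
             "Document_Open", "Workbook_Open")

# Capabilities that make an auto-running macro dangerous (names chosen here).
SUSPICIOUS = {
    "shell": r'\bShell\s*[("]',                              # run an external program
    "wscript_shell": r"WScript\.Shell",                      # same, via the scripting host
    "macro_copy": r"\bMacroCopy\b",                          # WordBasic: copy a macro between templates
    "normal_template": r"NormalTemplate|\bNormal\.dot\b",    # the global template: infect it, infect all new documents
    "vb_project": r"VBProject|VBComponents",                 # VBA writing VBA
}
REPLICATION = {"macro_copy", "normal_template", "vb_project"}


def analyze_macro(source):
    """Score one macro module's source text: which auto-exec hooks and
    suspicious capabilities appear, and a verdict derived from the pair."""
    triggers = sorted(t for t in AUTO_EXEC if re.search(r"\b" + t + r"\b", source, re.I))
    found = sorted(k for k, pat in SUSPICIOUS.items() if re.search(pat, source, re.I))
    if triggers and REPLICATION & set(found):
        verdict = "self-replicating"     # auto-runs and copies macros: the macro-virus pattern
    elif triggers and found:
        verdict = "suspicious"           # auto-runs and shells out, but does not spread itself
    else:
        verdict = "clean"
    return {"triggers": triggers, "capabilities": found, "verdict": verdict}


# Constructed samples, not real virus code.
INFECTED = '''\
Sub MAIN
  MacroCopy "Payload", "Global:AutoOpen"
  Shell "COMMAND.COM /C ECHO hello > C:\\TMP\\OUT.TXT"
End Sub
'''

DROPPER = '''\
Private Sub Document_Open()
  CreateObject("WScript.Shell").Run "cmd.exe /c dir"
End Sub
'''

BENIGN = '''\
Sub BoldHeading
  Bold 1
End Sub
'''

if __name__ == "__main__":
    for name, src in (("infected", INFECTED), ("dropper", DROPPER), ("benign", BENIGN)):
        print(name, analyze_macro(src))
```

Keyword matching of this kind is cheap and catches the classic pattern, but it is only a first filter: obfuscated macros build the interesting strings at run time, which is why later scanners emulate or at least deobfuscate the code before applying such rules.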
Target operating system
Any computer or network virus can infect files of one or more operating systems: DOS, Windows, OS/2, Linux, Mac OS and others. This is the basis of the second classification. For example, the BOZA virus, which works only under Windows, is classified as a Windows virus, and BLISS as a Linux virus.
Working algorithms
Viruses can also be distinguished by the algorithms they use, which make them dangerous and hard to catch.
First, viruses can be divided into resident and non-resident.
A resident virus, once it has infected a computer, leaves part of itself in memory, from where it intercepts operating-system calls and infects the objects (files or boot sectors) those calls touch; it stays active until the computer is rebooted. A non-resident virus does not infect memory: it can only copy itself during the short time the infected program is actually running. Macro viruses can be considered resident, since they stay in memory for as long as the infected application is running.
Second, viruses can be divided into stealth (invisible) and non-stealth. Being stealthy means that neither the user nor an antivirus program can notice the changes the virus has made to the infected file: a stealth virus intercepts all operating-system requests to read from or write to the file and returns the uninfected version, so while the virus is active only "clean" programs are seen. One of the first stealth file infectors was FRODO, and the first stealth boot infector was BRAIN.
Finally, many viruses use self-encryption or polymorphism to evade antivirus programs: each new copy of the virus is encoded differently, so that no fixed sequence of bytes is common to all copies, while the virus still works after decoding itself.
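Why self-encryption defeats a plain signature scanner, and what the scanner has to do about it, is easiest to see on a toy. The Python below is an added example, not code from the original article: it builds "generations" of a constructed byte string (standing in for a virus body, not real virus code) by XORing it with a different key each time behind a small decryptor stub, shows that a fixed signature matches none of the encoded generations and that two generations share only the stub, and then shows the scanner's answer, which is to recover the key from the decryptor and match against the decoded body. The stub format and key placement are assumptions made for the illustration; a real polymorphic engine also rewrites the decryptor itself, which is why real scanners emulate it rather than pattern-match it.

```python
# Constructed stand-in for a virus body: any byte string a scanner must find.
BODY = b"CONSTRUCTED SAMPLE BODY - not real virus code, just bytes to search"
SIGNATURE = b"SAMPLE BODY"   # the fixed byte sequence a naive scanner matches on
STUB = b"STUB"               # marker for the (deliberately simple) decryptor


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def make_generation(body, key):
    """One generation of a self-encrypting virus: a decryptor stub carrying
    the key, followed by the body XORed with that key. A different key per
    generation means the stored bytes differ per generation."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in the clear")
    return STUB + bytes([key]) + xor_bytes(body, key)


def signature_scan(sample, signature=SIGNATURE):
    """Plain signature matching: finds the body only when it is in the clear."""
    return signature in sample


def decrypt_then_scan(sample, signature=SIGNATURE):
    """What a scanner must do instead: recognise the decryptor, recover the
    key (stored in the stub here; real scanners emulate the decryptor to
    obtain it), decode the body, then match."""
    if not sample.startswith(STUB) or len(sample) < len(STUB) + 1:
        return False
    key = sample[len(STUB)]
    return signature in xor_bytes(sample[len(STUB) + 1:], key)


def common_bytes(a, b):
    """Positions at which two samples agree: the only material a fixed
    signature could be built from."""
    return sum(x == y for x, y in zip(a, b))


if __name__ == "__main__":
    g1, g2 = make_generation(BODY, 0x5A), make_generation(BODY, 0xA5)
    print("signature finds clear body:", signature_scan(BODY))
    print("signature finds generation 1:", signature_scan(g1))
    print("decrypt-then-scan finds generation 1:", decrypt_then_scan(g1))
    print("bytes shared by two generations:", common_bytes(g1, g2), "of", len(g1))
```

With XOR by a single byte the body differs at every position between two generations, so the shared bytes are exactly the stub. Once the stub is mutated as well (register renaming, junk instructions, reordering), even that anchor disappears, and the scanner is left with emulating the code until the body is decoded in memory and scanning that.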