Today there are three primary types of viruses: file-infector viruses, which attach themselves to program files; boot-sector viruses, which install themselves in a hard drive’s or floppy disk’s boot sector; and macro viruses, which burrow into Microsoft Word and Excel documents. Details on each of these three follow.
As one of the most popular types of viruses (with the black hats, anyway), a file-infector virus arrives embedded in or attached to a computer program file — a file with an .EXE extension in its name. When the program runs, the virus instructions are activated along with the original program. The virus carries out the instructions in its code — it could delete or damage files on your computer, attempt to implant itself within other program files on your computer, or do anything else that its creator dreamed up while in a nasty mood.
The presence of a file-infector virus can be detected in two major ways:
- The size of a file may have suspiciously increased. If a program file is too big for its britches, a virus may account for the extra size. At this point, you need to know two things:
  1. What size the file(s) should be when fresh from the software maker. You have all of this information written down somewhere, right? (I’m only kidding — I know a lot of “propeller heads” but no one who is that cautious.)
  2. Whether the virus is a cavity seeker — a treacherous type that hides itself in the unused space in a computer program. Clever. Of course, your antivirus program will only know to look for a cavity seeker if . . .
- The signature of a known virus turns up in an antivirus scan. The signature — a known, characteristic pattern that “fingerprints” a particular virus — is a dead giveaway that a virus is embedded within a program file — provided your antivirus software knows what to look for.
To stay one step ahead of antivirus programs, virus writers began to incorporate some advanced techniques in their viruses in order to avoid detection. These include
- Encryption: The virus can attempt to scramble its code to avoid detection. Some viruses can rescramble themselves differently each time they’re scanned for, so the encrypted code cannot form a part of the virus signature.
- Cavity-seeking: Because an infected file betrays the presence of a virus by being bigger than it should be, some viruses are designed to find — and fit into — leftover space in the files they infect. The idea is to avoid changing the file size, making the virus a little harder to detect. The approach is typical of virus writers who know how antivirus programs work.
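The two detection clues above (a file that has grown, a known signature) and the two evasion tricks (cavity-seeking, encryption) side by side, as an added Python illustration that is not from the book. The “program” is a constructed byte string with zero padding standing in for unused space, the “virus” is a harmless marker string, and the signature table and function names are assumptions made for the demo.

```python
"""Baseline integrity checks for a program file: size, signature, and hash.

Constructed demo. The 'program' is code bytes followed by zero padding
(the unused space a cavity seeker looks for); the 'virus' is MARKER below,
a plain text string and nothing more.
"""
import hashlib

MARKER = b"CONSTRUCTED-MARKER-NOT-A-VIRUS"   # stands in for a virus body
SIGNATURES = {"demo-marker": MARKER}         # assumed signature database

def make_program(code: bytes, padding: int) -> bytes:
    """Constructed sample file: code followed by unused zero-filled space."""
    return code + b"\x00" * padding

def baseline(data: bytes) -> dict:
    """What a known-good file should look like: its size and SHA-256."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def size_check(data: bytes, base: dict) -> bool:
    """The 'too big for its britches' test: did the file grow?"""
    return len(data) > base["size"]

def hash_check(data: bytes, base: dict) -> bool:
    """Did any byte change at all, whether or not the size did?"""
    return hashlib.sha256(data).hexdigest() != base["sha256"]

def signature_scan(data: bytes) -> list:
    """Names of known signatures found anywhere in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def simulate_append(data: bytes) -> bytes:
    """Classic file infector: marker tacked on the end, so the file grows."""
    return data + MARKER

def simulate_cavity(data: bytes, key: int = 0) -> bytes:
    """Cavity seeker: marker written into the zero padding, size unchanged.
    A non-zero key XOR-scrambles the marker (the encryption trick), so the
    plain signature no longer matches even though the bytes changed."""
    body = bytes(b ^ key for b in MARKER)
    idx = data.index(b"\x00" * len(body))          # first run of unused space
    return data[:idx] + body + data[idx + len(body):]

def assess(data: bytes, base: dict) -> dict:
    return {"grew": size_check(data, base),
            "changed": hash_check(data, base),
            "signatures": signature_scan(data)}

if __name__ == "__main__":
    clean = make_program(b"MZ" + bytes(range(64)), padding=128)
    base = baseline(clean)
    print("appended:          ", assess(simulate_append(clean), base))
    print("cavity:            ", assess(simulate_cavity(clean), base))
    print("scrambled cavity:  ", assess(simulate_cavity(clean, 0x5A), base))
```

Only the hash baseline flags all three cases; the size test misses both cavity variants and the signature scan misses the scrambled one, which is why antivirus products pair signatures with integrity checking.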
While less prevalent today, boot-sector viruses were once the mainstay of computer viruses. A boot-sector virus occupies the portion (sector) of a floppy disk or hard drive that the computer first consults when it boots up. The boot sector provides instructions that tell the computer how to start up; the virus tells the computer (in effect), While you’re at it, load me too — before you do anything else.
Here’s the especially devious part: The virus writer knows that after the computer is started, the boot sector isn’t used. It’s pretty much ignored — the standard tools used to examine a floppy disk or hard drive won’t even look in the boot sector. Unless antivirus software is used, it’s difficult to detect a boot-sector virus. That’s partly because the little sweetheart doesn’t occupy free space, change the amount of free space available, or change the size of any file on the floppy disk or hard drive. It’s pretending to be boot instructions. The only traces of its presence may be (relatively subtle) effects such as excessive hard-drive activity or slowed processing.
In the early 1990s, Microsoft developed a new capability for documents in programs such as Word or Excel: These documents could contain computer instructions in addition to their data. After all, if a user had a handy place in the document to put tools for working with data — mini-programs called macros — a lot of time could be saved. Great idea but way too convenient. Before long, the usual persons-with-ill-intent figured out how to create document macros with destructive properties.
Windows 95 and Windows 98, the Microsoft operating systems in use at the time, had little in the way of security-access controls. A document macro could carry out practically any operation on the computer without any security mechanism to challenge it — or even record it. Macro viruses are a threat even today; if you’ve ever seen a warning box crop up to inform you that This document contains macros, that’s why.