Kinds of Viruses

Modern viruses come in many varieties:

■ A system or boot sector virus is designed to infect and place its own code into the master boot record (MBR) of a system. Once this infection takes place, the system’s boot sequence is effectively altered, meaning the virus or other code can be loaded before the system itself. Post-infection symptoms such as startup problems, problems with retrieving data, computer performance instability, and the inability to locate hard drives are all issues that may arise.

■ Macro viruses debuted in force around 2000. They take advantage of embedded languages such as Visual Basic for Applications (VBA). In applications such as Microsoft Excel and Word, these macro languages are designed to automate functions and create new processes. The problem with these languages is that they lend themselves very effectively to abuse; in addition, they can easily be embedded into template files and regular document files. Once the macro is run on a victim’s system, it can do all sorts of things, such as change a system configuration to decrease security or read a user’s address book and e-mail itself to others (which happened in some early cases).

■ Cluster viruses are another branch of the family tree, one that does its dirty work in an original way. This virus alters the file allocation table on a storage device so that file entries point to the virus instead of the real file. In practice, this means that when a user runs a given application, the virus runs before the system executes the actual file. Making this type of virus even more dangerous is the fact that running drive-repair utilities on an infected drive causes problems of an even more widespread variety: utilities such as ScanDisk may destroy sections of the drive or eliminate files.
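The cluster-virus symptom just described, several directory entries whose first-cluster field points at the same cluster chain, can be checked directly in a FAT directory table. The following is an added example, not part of the original text: it parses constructed 32-byte FAT directory entries (the standard FAT12/16/32 layout) and reports any start cluster claimed by more than one file.

```python
import struct
from collections import defaultdict

# Layout of one 32-byte FAT directory entry: 8.3 name, attributes, NT reserved,
# creation tenths, creation time/date, access date, first-cluster high word,
# write time/date, first-cluster low word, file size.
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F  # long-file-name fragment, carries no cluster of its own

def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Build a constructed 8.3 entry (sample data, not read from a real disk)."""
    raw_name = name.ljust(8).encode("ascii")[:8] + ext.ljust(3).encode("ascii")[:3]
    hi, lo = (first_cluster >> 16) & 0xFFFF, first_cluster & 0xFFFF
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0, hi, 0, 0, lo, size)

def parse_directory(table):
    """Yield (name, attr, first_cluster, size) for each live entry in the table."""
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        f = struct.unpack_from(ENTRY_FMT, table, off)
        raw, attr, clus_hi, clus_lo, size = f[0], f[1], f[7], f[10], f[11]
        if raw[0] == 0x00:                        # 0x00: no more entries
            break
        if raw[0] == 0xE5 or attr == ATTR_LFN:    # deleted entry or LFN piece
            continue
        base = raw[:8].decode("ascii", "replace").rstrip()
        ext = raw[8:].decode("ascii", "replace").rstrip()
        yield (f"{base}.{ext}" if ext else base), attr, (clus_hi << 16) | clus_lo, size

def shared_start_clusters(table):
    """Map each start cluster owned by more than one regular file to those names."""
    owners = defaultdict(list)
    for name, attr, cluster, _size in parse_directory(table):
        if attr & ATTR_DIRECTORY or cluster == 0:  # directories, empty files: fine
            continue
        owners[cluster].append(name)
    return {c: names for c, names in owners.items() if len(names) > 1}

# Constructed sample root directory: three program entries redirected to the
# virus body at cluster 0x200, one untouched file, one deleted entry, end marker.
SAMPLE_DIR = b"".join([
    make_entry("EDIT", "EXE", 0x200, 45312),
    make_entry("README", "TXT", 0x180, 1200),
    make_entry("FORMAT", "COM", 0x200, 22912),
    b"\xe5" + make_entry("OLD", "TMP", 0x200, 10)[1:],   # deleted, must be ignored
    make_entry("VIRUS", "BIN", 0x200, 4096),
]) + b"\x00" * ENTRY_SIZE

if __name__ == "__main__":
    for cluster, names in shared_start_clusters(SAMPLE_DIR).items():
        print(f"cluster {cluster:#x} shared by: {', '.join(names)}")
```

On a real volume the same check runs over every directory, and a shared start cluster between regular files is a strong sign that entries have been redirected.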

■ A stealth or tunneling virus is designed to employ various mechanisms to evade detection systems. Stealth viruses employ unique techniques including intercepting calls from the OS and returning bogus or invalid responses that are designed to fool or mislead.

■ Encryption viruses are a newcomer to the scene. They can scramble themselves to avoid detection. This virus changes its program code, making it nearly impossible to detect using normal means. It uses an encryption algorithm to encrypt and decrypt the virus multiple times as it replicates and infects. Each time the infection process occurs, a new encryption sequence takes place with different settings, making it difficult for antivirus software to detect the problem.

■ Cavity or file-overwriting viruses hide in a host file without changing the host file’s appearance, so detection becomes difficult. Many viruses that do this also implement stealth techniques, so you don’t see the increase in file length when the virus code is active in memory.

■ Sparse-infector viruses avoid detection by carrying out their infectious actions only sporadically, such as on every 10th or 25th activation. A virus may even be set up to infect only files of a certain length or type or that start with a certain letter.

■ A companion or camouflage virus compromises a feature of OSs that enables software with the same name, but different extensions, to operate with different priorities. For example, you may have program.exe on your computer, and the virus may create a file called program.com. When the computer executes program.exe, the virus runs program.com before program.exe is executed. In many cases, the real program runs, so users believe the system is operating normally and aren’t aware that a virus was run on the system.

■ A logic bomb is designed to lie in wait until a predetermined event or action occurs. When this event occurs, the bomb or payload detonates and carries out its intended or designed action. Logic bombs have been notoriously difficult to detect because they do not look harmful until they are activated—and by then, it may be too late. In many cases, the bomb is separated into two parts: the payload and the trigger. Neither looks all that dangerous until the predetermined event occurs.

■ File or multipartite viruses infect systems in multiple ways using multiple attack vectors; hence the term multipartite. Attack targets include the boot sector and executable files on the hard drive. What makes such viruses dangerous and powerful weapons is that to stop them, you must remove all of their parts. If any part of the virus is not eradicated from the infected system, it can reinfect the system.

■ Shell viruses are another type of virus in which the virus code infects the target application and alters it so that the infected program becomes a subroutine that runs only after the virus itself has run.

■ Cryptoviruses hunt for files or certain types of data on a system and then encrypt them. The victim is then instructed to contact the virus creator via a special e-mail address or other means and pay a specified amount (ransom) for the key to unlock the files.