
4) How do viruses work? (Computer virus)




Description

This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel gwenzel@telusplanet.net and Bruce Burrell bpb@umich.edu with numerous contributions by others.


A file virus attaches itself to a file (but see the section below
or the comp.virus FAQ on the subject of companion viruses), usually
an executable application (e.g. a word processing program or a DOS
program). In general, file viruses don't infect data files. However,
data files can contain embedded executable code such as macros, which
may be used by virus or trojan writers. Recent versions of Microsoft
Word are particularly vulnerable to this kind of threat. Text files
such as batch files, PostScript files, and source code which contain
commands that can be compiled or interpreted by another program are
potential targets for malware (malicious software), though such malware
is not at present common.

Boot sector viruses alter the program that is in the first sector
(boot sector) of every DOS-formatted disk. Generally, a boot
sector infector executes its own code (which usually infects the boot
sector or partition sector of the hard disk), then continues the PC
bootup (start-up) process. In most cases, all write-enabled floppies
used on that PC from then on will become infected.

Multipartite viruses have some of the features of both the above
types of virus. Typically, when an infected *file* is executed, it
infects the hard disk boot sector or partition sector, and thus
infects subsequent floppies used or formatted on the target system.

Macro viruses typically infect global settings files such as Word
templates so that subsequently edited documents are contaminated
with the infective macros.

The following virus types are more fully defined in the
comp.virus FAQs (see preamble):

* STEALTH VIRUSES - viruses that go to some length to
  conceal their presence from programs which might notice.
* POLYMORPHIC VIRUSES - viruses that cannot be detected by
  searching for a simple, single sequence of bytes in a
  possibly-infected file, since they change with every
  replication.
* COMPANION VIRUSES - viruses that spread via a file which
  runs instead of the file the user intended to run, and
  then runs the original file. For instance, the file
  MYAPP.EXE might be 'infected' by creating a file called
  MYAPP.COM. Because of the way DOS works, when the user
  types MYAPP at the C> prompt, MYAPP.COM is run instead of
  MYAPP.EXE. MYAPP.COM runs its infective routine, then
  quietly executes MYAPP.EXE. N.B. this is not the *only*
  type of companion (or 'spawning') virus.
* ARMOURED VIRUSES - viruses that are specifically written
  to make it difficult for an antivirus researcher to find
  out how they work and what they do.
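
A defender-side check for the same-directory companion case described above (MYAPP.COM beside MYAPP.EXE), added here as an example and not part of the original FAQ. The function names are hypothetical and the sample file names are constructed; the only fact relied on is that DOS tries .COM, then .EXE, then .BAT when a command is typed without an extension.

```python
import os
import tempfile
from collections import defaultdict

# Order in which DOS tries extensions when the user types a bare command name.
DOS_EXEC_ORDER = (".COM", ".EXE", ".BAT")

def find_shadowed(names):
    """Return {winner: [shadowed files]} for executables sharing a base name.

    `names` are file names from ONE directory. Matching is case-insensitive,
    as on DOS/FAT volumes. Non-executable extensions are ignored.
    """
    by_base = defaultdict(dict)
    for name in names:
        base, ext = os.path.splitext(name.upper())
        if ext in DOS_EXEC_ORDER:
            by_base[base][ext] = name
    findings = {}
    for exts in by_base.values():
        present = [e for e in DOS_EXEC_ORDER if e in exts]
        if len(present) > 1:
            # The first extension in search order is the one DOS would run.
            findings[exts[present[0]]] = [exts[e] for e in present[1:]]
    return findings

def scan_tree(root):
    """Walk `root` and return (directory, winner, shadowed) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for winner, shadowed in sorted(find_shadowed(files).items()):
            hits.append((dirpath, winner, shadowed))
    return hits

if __name__ == "__main__":
    # Constructed sample directory, built in a temp folder so this runs offline.
    with tempfile.TemporaryDirectory() as root:
        for name in ("MYAPP.EXE", "MYAPP.COM", "EDIT.COM", "README.TXT"):
            open(os.path.join(root, name), "wb").close()
        for dirpath, winner, shadowed in scan_tree(root):
            print(f"{dirpath}: typing the bare name runs {winner}, not {shadowed}")
```

A hit is a lead to review rather than proof of infection, and because the same-directory pattern is not the only kind of companion virus, a clean result does not rule one out.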

 
