MadSci Network: Computer Science

Re: Computer Viruses

Area: Computer Science
Posted By: Tom Kakanowski, Computer Science
Date: Mon May 6 17:33:12 1996

Simply put, computer viruses transfer from one computer to another because everyone shares data. A computer virus is a self-replicating program containing code that copies itself and that can "infect" other programs by modifying them or their environment so that running an infected program can mean running the virus program. Whenever any program or command is run on any computer, that's when a virus can strike and spread.

Note that many people use the term "virus" loosely to cover any sort of program that tries to hide its possibly malicious function and/or tries to spread onto as many computers as possible, though some of these programs may more correctly be called "worms" or "Trojan Horses" (see below). Also be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious--don't assume too much about what a virus can or can't do!

A WORM is a self-contained program (or set of programs), that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections).

Note that unlike viruses, worms do not need to attach themselves to another program. There are two types of worms--host computer worms and network worms.

Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. Host computer worms where the original program kills itself after launching a copy on another machine (so there is only one copy of the worm running somewhere on the network at any given moment), are sometimes called "rabbits."

Network worms consist of multiple parts (called "segments"), each running on different computers (and possibly performing different actions) and using the network for several communication purposes. Spreading a segment from one machine to another is only one of those purposes. Network worms that have one main segment which coordinates the work of the other segments are sometimes called an "octopus."

A TROJAN HORSE is a program that does something undocumented that the programmer intended, but that some users would not approve of if they knew about it. The Trojan Horse could do something extremely nasty, but unlike viruses, Trojan Horses aren't made to spread.

Below is some more detailed information if you are further interested:

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. There is also at least one PC virus that "infects" source code files by inserting code into C language source files that replicates the virus's function in any executable that is produced from the infected source code files.

File infectors can be either DIRECT-ACTION or RESIDENT. A direct-action virus selects one or more programs to infect each time a program infected by it is executed. A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem virus) or when other conditions are fulfilled. Direct-action viruses are also sometimes referred to as NON-RESIDENT. The Vienna virus is an example of a direct-action virus. Most viruses are resident.

The second main category of viruses is SYSTEM or BOOT-RECORD INFECTORS: these viruses infect executable code found in certain system areas on a disk. On PCs there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa and Michelangelo. All common boot sector and MBR viruses are memory resident.

To confuse this classification somewhat, a few viruses are able to infect both files and boot sectors (the Tequila virus is one example). These are often called "MULTI-PARTITE" viruses, though there has been criticism of this name; another name is "BOOT-AND-FILE" virus.

Aside from the two main classes described above, many antivirus researchers distinguish either or both of the following as distinct classes of virus:

FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. The program itself is not physically altered, only the directory entry of the program file is. Some consider these to be a third category of viruses, while others consider them to be a sub-category of the file infectors. LINK virus is another term occasionally used for these viruses, though it should be avoided, as "link virus" is commonly used in the Amiga world to mean "file infecting virus."

KERNEL viruses target specific features of the programs that contain the "core" (or "kernel") of an operating system (3APA3A is a DOS kernel virus and is also multipartite). A file infecting virus that *can* infect kernel program files is *not* a kernel virus--this term is reserved for describing viruses that utilize some special feature of kernel files (such as their physical location on disk or a special loading or calling convention).
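The FILE SYSTEM or CLUSTER paragraph above notes that only the directory entry changes, so a checksum of the program file's own bytes stays the same. As an added example (not part of the original answer), this Python code parses FAT12/16 directory entries and flags start clusters that differ from a recorded baseline or that several COM/EXE entries share; the file names, cluster numbers and baseline are constructed for illustration.

```python
import struct
from collections import defaultdict

EXEC_EXTS = {"COM", "EXE"}

def parse_dir(raw):
    """Parse 32-byte FAT12/16 directory entries from a raw directory dump."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        if e[0] == 0xE5 or e[11] & 0x08:      # deleted entry or volume label
            continue
        # Offset 26: starting cluster (16-bit); offset 28: file size (32-bit).
        cluster, size = struct.unpack_from("<HI", e, 26)
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append({"file": f"{name}.{ext}", "ext": ext,
                        "cluster": cluster, "size": size})
    return entries

def audit(entries, baseline):
    """Report start-cluster drift against a baseline and cross-linked executables."""
    findings, by_cluster = [], defaultdict(list)
    for e in entries:
        if e["ext"] in EXEC_EXTS and e["cluster"] >= 2:   # 0 means empty file
            by_cluster[e["cluster"]].append(e["file"])
        known = baseline.get(e["file"])
        if known is not None and known != e["cluster"]:
            findings.append(("cluster-changed", e["file"], known, e["cluster"]))
    for cluster, names in sorted(by_cluster.items()):
        if len(names) > 1:                    # two programs cannot start in one cluster
            findings.append(("shared-start-cluster", cluster, tuple(names)))
    return findings

def make_entry(name, ext, cluster, size, attr=0x20):
    """Build one constructed directory entry (sample data only)."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, bytes(10), 0, 0, cluster, size)

# Constructed samples: a baseline taken from a known-good directory, and a
# directory whose executable entries were redirected without touching file data.
BASELINE = {"FORMAT.COM": 2, "EDIT.EXE": 40, "README.TXT": 90}
CLEAN = (make_entry("FORMAT", "COM", 2, 11000) + make_entry("EDIT", "EXE", 40, 52000)
         + make_entry("README", "TXT", 90, 800) + bytes(32))
TAMPERED = (make_entry("FORMAT", "COM", 500, 11000) + make_entry("EDIT", "EXE", 500, 52000)
            + make_entry("README", "TXT", 90, 800) + bytes(32))

if __name__ == "__main__":
    for finding in audit(parse_dir(TAMPERED), BASELINE):
        print(finding)
```
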

© Copyright 1996, Washington University. All rights reserved.