Can't Find what you're looking for? Try Google Search Here!

Categories of viruses

Can't Find what you're looking for? Try Google Search Here!"

Depending on the source of information different types of viruses may be categorized in the following ways:

The increasing power of PDAs has spawned a new breed of viruses. Maliciously creative programmers have leveraged the PDA's ability to communicate with other devices and run programs, to cause digital mayhem.
The blissfully safe world where users of these devices could synchronize and download with impunity came to an end in August 2000 with the discovery of the virus Palm Liberty. Since then, many more viruses have been discovered.
Though not yet as harmful as their PC-based cousins, these viruses still pose a threat to unsuspecting users. Their effects vary from the harmless flashing of an unwanted message or an increase in power consumption, to the deletion of all installed programs. But the threat is growing, and the destructiveness of these viruses is expected to parallel the development of the devices they attack.

A virus that combines two or more different infection methods is called a multipartite virus. This type of virus can infect both files and boot sector of a disk. Multi-partite viruses share some of the characteristics of boot sector viruses and file viruses: They can infect .com files, .exe files, and the boot sector of the computer’s hard drive. On a computer booted up with an infected diskette, the typical multi-partite virus will first make itself resident in memory then infect the boot sector of the hard drive. From there, the virus may infect a PC's entire environment. Not many forms of this virus class actually exist. However, they do account for a disproportionately large percentage of all infections. Tequila and Anticad are the examples of multipartite viruses.

The two most prevalent types of bombs are time bombs and logic bombs. A time bomb hides on the victim’s disk and waits until a specific date before running. A logic bomb may be activated by a date, a change to a file, or a particular action taken by a user or a program. Bombs are treated as viruses because they can cause damage or disruption to a system.

Until the mid-1990s, boot sector viruses were the most prevalent virus type, spreading primarily in the 16-bit DOS world via floppy disk. Boot sector viruses infect the boot sector on a floppy disk and spread to a user's hard disk, and can also infect the master boot record (MBR) on a user's hard drive. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the computer and accessed. Examples of boot sector viruses are Michelangelo, Satria and Keydrop.
Boot sector viruses work like this: Let us assume that the user received a diskette with an infected boot sector. The user copied data from it but forgot to remove it from drive A:. When he started the computer next time the boot process will execute the infected boot sector program from the diskette. The virus will load first and infect the hard disk. Note that this can be prevented by changing the boot sequence in CMOS (Let C: drive boot before A:). By hiding on the first sector of a disk, the virus is loaded into memory before the system files are loaded. This allows it to gain complete control of DOS interrupts and in the process replaces the original contents of the MBR or DOS boot sector with their own contents and move the original boot sector data to another area on the disk. Because the virus has infected a system area of the hard disk it will be loaded into memory each time the computer is started. It will first take control of the lowest level disk system services before executing the original boot sector code which it has stored in another part of the hard disk. The computer seems to behave exactly as it should. Nobody will notice the extra few fractions of a second added to the boot sequence.
During normal operation the virus will happily stay in memory. Thanks to the fact that it has control of the disk services it can easily monitor requests for disk access - including diskettes. As soon as it gets a request for access to a diskette it will determine that there is a diskette in the floppy drive. It will then examine its boot sector to see if it has already been infected. If it finds the diskette clean it will replace the boot sector with its own code. From this moment the diskette will be a "carrier" and become a medium for infections on other PC's.

The virus will also monitor special disk requests for access to the boot sector. The boot sector contains its own code, and a request to read it could be from an anti-virus program checking for virus presence. The virus will not allow the boot sector to be read and will redirect all requests to the place on the hard disk where it has backed up the original contents. In this way nothing unusual is detected. Such methods are called stealth techniques and their main goal is to mask the presence of the virus. Not all boot viruses use stealth but those which do are common.
Boot viruses also infect the non-file (system) areas of hard and floppy disks. These areas offer an efficient way for a virus to spread from one computer to another. Boot viruses have achieved a higher degree of success than program viruses in infecting their targets and spreading.
Boot virus can infect DOS, Windows 3.x, Windows 95/98, Windows NT, and even Novell Netware systems. This is because they exploit inherent features of the computer (rather than the operating system) to spread and activate.
Cleaning up a boot sector virus can be performed by booting the machine from an uninfected floppy system disk rather than from the hard drive, or by finding the original boot sector and replacing it in the correct location on the disk.

This type of virus makes changes to a disks file system. If any program is run from the infected disk, the program causes the virus to run as well. This technique creates the illusion that the virus has infected every program on the disk.

These types of viruses can be transmitted via e-mail messages sent across private networks or the internet. Some e-mail viruses are transmitted as an infected attachment- a document file or program that is attached to the message. This type of virus is run when the victim opens the file that is attached to the message. Other types of email viruses reside within the body of the message itself. To store a virus, the message must be encoded in html format. Once launched many e-mail viruses attempt to spread by sending messages to everyone in the victim’s address book; each of those contains a copy of the virus.
The latest thing in the world of computer viruses is the e-mail virus called Melissa virus which surfaced in March 1999. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen and it forced a number of large companies to shut down their e-mail systems at that time.
The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.
The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.
File infectors operate in memory and usually infect executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS. They activate every time the infected file is executed by copying themselves into other executable files and can remain in memory long after the virus has activated.
Thousands of different file infecting viruses exist, but similar to boot sector viruses, the vast majority operates in a DOS 16-bit environment. Some, however, have successfully infected the Microsoft Windows, IBM OS/2, and Apple Computer Macintosh environments.
File viruses can be separated further into sub-categories by the way they manipulate their targets:

A less common type of virus is the terminate-and-stay-resident file virus. As the name suggests these infect files usually these are .com and .exe files. there are however some device driver viruses, some viruses that infect overlay files, and although over 99% of executable programs have the extension .com and .exe, some do not .For a TSR virus to spread some one has to run an infected program. The virus goes memory resident typically looking at each program run thereafter and infects it. Examples of TSR file viruses are Dark Avenger and Green Caterpillar.

These viruses infect by overwriting part of their target with their own code but, by doing so, they damage the file. The file will never serve another purpose other than spreading the virus further. Because of this they are usually detected quickly and do not spread easily.

These viruses attach themselves to executables without substantially changing the contents of the host program. They attach by adding their code to the beginning, end, or even middle of the file and divert program flow so that the virus is executed first. When the virus has finished its job, control is passed on to the host. Execution of the host is a little delayed but this is usually not noticeable.

Many older applications had simple macro systems that allowed the user to record a sequence of operations within the application and associate them with a specific keystroke. Later, the user could perform the same sequence of operations by merely hitting the specified key.
Newer applications provide much more complex macro systems. User can write entire macro-programs that run within the word processor or spreadsheet environment and are attached directly onto word processing and spreadsheet files. Unfortunately, this ability also makes it possible to create macro viruses.
Macro viruses currently account for about 80 percent of all viruses, according to the International Computer Security Association (ICSA), and are the fastest growing viruses in computer history. Unlike other virus types, macro viruses aren’t specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.
Macro viruses are, however, application-specific. A macro virus is designed to infect a specific type of document file, such as Microsoft word or excel files. They infect macro utilities that accompany such applications as Microsoft Word and Excel, which means a Word macro virus cannot infect an Excel document and vice versa. A macro virus is embedded in a document file and can travel between data files in the application and can eventually infect hundreds of files if undeterred and in the process do various levels of damage to data from corrupting documents to deleting data.
Macro viruses are written in "every man's programming language" -- Visual Basic -- and are relatively easy to create. They can infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted
A typical chronology for macro virus infection begins when an infected document or spreadsheet is loaded. The application also loads any accompanying macros that are attached to the file. If one or more of the macros meet certain criteria, the application will also immediately execute these macros. Macro viruses rely upon this auto-execution capability to gain control of the application’s macro system.
Once the macro virus has been loaded and executed, it waits for the user to edit a new document, and then kicks into action again. It attaches its virus macro programs onto the new document, and then allows the application to save the document normally. In this fashion, the virus spreads to another file and does so in a completely discrete fashion. Users have no idea of the infection. If this new file is later opened on another computer, the virus will once again load, be launched by the application, and find other unsuspecting files to infect.

Finally, as far as a macro virus is concerned, the application serves as the operating system. A single macro virus can spread to any of the platforms on which the application is installed and running. For example, a single macro virus that uses Microsoft Word could conceivably spread to Windows 3.x, Windows 95/98, Window NT, and the Macintosh.

Macro viruses for Word

In the summer of 1995, Microsoft Word 6 was the first product affected with macro virus. The first one (WM/Concept.A) was really only a proof of concept - one of the installed macros (called Payload) contained only this remark:
“That's enough to prove my point”
Most macro viruses for Word use a feature called 'automacros'. The basic principle is that some macros with special names are automatically executed when Word starts, opens a file, or closes a file. The macro virus then inserts macros into NORMAL.DOT - a standard template which is loaded every time Word starts.
In Word there are some ways to disable automacros but this isn't the ultimate solution. Some macro viruses use other methods to take control over the Word environment.
Another method of self-protection may be to set NORMAL.DOT to read only. But this can also be bypassed and, in addition, it prevents the user from customizing the template.

Macro viruses for Excel

Excel has the same opportunities for virus authors as Word. It has automacros and a directory called XLSTART from which templates are automatically loaded.
But Excel does not have just normal VBA macros like Word. In Excel there are so called 'formulas' - macros stored in spreadsheet cells. The first macro virus using this technology was XF/Paix.

Macro viruses for other MS Office products:

Writing a macro virus for other Office products is not difficult. There have been already some viruses for Access, and it is expected that there will be macro viruses for Power Point in the near future.

But those macro viruses are not as dangerous as the macro viruses for Word or Excel. Not because of some limitation of these other Office products, but because data files from these products are not so frequently shared.

There is one danger which can be seen in today's Power Point even without native macro viruses written for this product. Programmers can include in their presentation any number of objects from Excel or Word. And these objects can be infected with macro viruses - if they edit the presentation and open the infected object with its parent application, then the virus can spread further.

But the current situation may change dramatically over the next few years. Microsoft has licensed VBA technology to many firms, so one can expect to see more macro viruses for other products, too.

This type of virus can change itself each time it is copied, making it difficult to isolate. Most simple viruses attach identical copies of themselves to the files they infect. An anti-virus program can detect the virus’s code (or signature) because it is always the same and quickly ferret out the virus. To avoid such easy detection, polymorphic viruses operate somewhat differently. Unlike the simple virus, when a polymorphic virus infects a program, it scrambles its virus code in the program body. This scrambling means that no two infections look the same, making detection more difficult. These viruses create a new decryption routine each time they infect, so every infected file will have a different sequence of virus code.

Stealth viruses actively seek to conceal themselves from attempts to detect or remove them. They also can conceal changes they make to other files, hiding the damage from the user and the operating system.
Stealth viruses, or Interrupt Interceptors, as they are sometimes called, take control of key DOS-level instructions by intercepting the interrupt table, which is located at the beginning of memory. This gives the virus the ability to do two important things: 1) gain control of the system by re-directing the interrupt calls, and 2) hide itself to prevent detection. They use techniques such as intercepting disk reads to provide an uninfected copy of the original item in place of the infected copy (read-stealthing viruses), altering disk directory or folder data for infected program files (size-stealthing), or both. For example, the Whale virus is a size-stealthing virus. It infects .EXE program files and alters the folder entries of infected files when other programs attempt to read them. The Whale virus adds 9216 bytes to an infected file. Because changes in file size are an indication that a virus might be present, the virus then subtracts the same number of bytes (9216) from the file size given in the directory/folder entry to trick the user into believing that the file’s size has not changed.
An antivirus program which is not equipped with anti-stealth technology will be deceived.


A companion virus is the exception to the rule that a virus must attach itself to a file. The companion virus instead creates a new file and relies on a behavior of DOS to execute it instead of the program file that is normally executed. These viruses target EXE programs. They create another file of the same name but with a COM extension containing the virus code. These viruses take advantage of a property of MS-DOS which allows files to share the same first name in the same directory (e.g. ABC.EXE and ABC.COM) but executes COM files in preference to EXE files.
For example, the companion virus might create a file named CHKDSK.COM and place it in the same directory as CHKDSK.EXE. Whenever DOS must choose between executing two files of the same name where one has an .EXE extension and the other a .COM extension, it executes the .COM file. This is not an effective way of spreading but has one big advantage - it does not amend files in any way and so can escape integrity tests or resident protection. Another method which can be used by companion viruses is based on defined path. A virus simply puts an infected file into the path listed before the directory within the original program.

Like normal programs, program viruses must be written for a specific operating system. The vast majority of viruses are written for DOS but some have been written for Windows 3.x, Windows 95/98, and even UNIX. All versions of Windows are compatible with DOS and can host DOS viruses with varying degrees of success. Program viruses infect program files, which commonly have extensions such as .COM, .EXE, .SYS, .DLL, .OVL, or .SCR. Program files are attractive targets for virus writers because they are widely used and have relatively simple formats to which viruses can attach.

Malicious Programs and Scripts

Viruses that infect agent programs (such as those that download software from the Internet; for example, JAVA and ActiveX).


A worm is a computer program that has the ability to copy itself from machine to machine. Worms normally move around and infect other machines through computer networks. An entire LAN or corporate e-mail system can become totally clogged with copies of a worm, rendering it useless. Worms are commonly spread over the internet via e-mail message attachments and through internet relay chat channels.
For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.
A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL server.
Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent. A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt.
The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that do not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.
The Code Red worm was designed to do three things:
•Replicate itself for the first 20 days of each month
•Replace Web pages on infected servers with a page that declares "Hacked by Chinese"
•Launch a concerted attack on the White House Web server in an attempt to overwhelm it
The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001.


Trojans, another form of malware, are generally agreed upon as doing something other than the user expected, with that “something” defined as malicious. Most often, Trojans are associated with remote access programs that perform illicit operations such as password-stealing or which allow compromised machines to be used for targeted denial of service attacks. One of the more basic forms of a denial of service (DoS) attack involves flooding a target system with so much data, traffic, or commands that it can no longer perform its core functions. When multiple machines are gathered together to launch such an attack, it is known as a distributed denial of service attack, or DDoS.
Because Trojan horses do not make duplicates of themselves on the victims disk (or copy themselves to other disks), they are not technically viruses. But because they can do harm, many experts consider them to be a type of virus. Trojan horses are often used as by hackers to create a back door to an infected system. Trojans, such as BackOrrifice are very dangerous. If anyone runs this program and his computer is connected to the internet, then the hacker can take control of that computer - transfer files to or from the computer, capture screen contents, run any program or kill any running process, etc.

Once a Trojan is installed onto the system this program has the same privileges as the user of the computer and can exploit the system to do something the user did not intend such as:
Delete files
Transmit to the intruder any files that the user can read
Change any files that the user can modify
Install other programs with the user’s privileges
Execute privilege-elevation attacks—the Trojan can attempt to exploit a weakness to raise the level of access beyond the user running the Trojan. If successful, the Trojan can operate with increased privileges.
Install viruses
Install other Trojans

By rodel peralta with 0 comments


Leave a Reply