Computer expert Dr. Frederick B. Cohen defined a computer virus as: “A computer program able to infect other programs by modifying them to include possibly evolved version of itself”.
What are the general misconception about the virus?
Some of them are that it originated due to a programming error, or that it was created by none and came into existence on its own one fine day! A computer virus is a program deliberately written by somebody. It should have all the properties of a biological virus.
What makes a computer virus a virus?
Like a biological virus, a computer one should be as small as possible. The more compact the virus code is, the more efficient it becomes. *It should have the capacity to replicate*; It should do undesirable things.
Of the three, the first two are necessary for a computer program to be called as a virus whereas the third one need not be always satisfied. The four phases in the ‘life cycle’ of a computer virus are:
* Dormant: In this phase, the virus remains inactive and hence a false sense of security is instilled in the user. This enables the virus to easily enter the next phase.
* Propagation: One of the prime intentions of a virus, to spread itself far and wide, is achieved in this phase. The virus infects other programs or disks.
Triggering: Here, the virus realise that the time is ripe to start the damage! Triggers can be of various types like a particular date (As March 6th for Michelangelo) or a predetermined number of keystrokes. There are some which do not have a trigger.
* Action: The final phase of the virus infection, it’s here that the virus attains its goal. There is always some kind of damage in one way or the other!
What are the different kinds of viruses?
Computer viruses can be broadly classified into non-resident (direct action) virus and resident (indirect action) virus. A non-resident virus is active only when the infected program is executed. These viruses are very scarce as compared to resident viruses. But their number is likely to increase soon since the macro virus (which infects document files - new comer to the virus family) come under this category. A resident virus can be considered superior to non-resident one. This kind of viruses gets resident in the computer’s memory, once the virus infected file is executed. Thereafter, it monitors the system and its activities from there. Now, any file that is manipulated further is vulnerable for infection by the memory resident virus. This is achieved by a process known interrupt stealing.
An interrupt is meant to interrupt the processor for facilitating some kind of service to the interrupted program. This services are small programs written in ROM BIOS (In case of BIOS services). The memory address where the program begins, is stored in the computer memory at booting time.
The table used for this is known as Interrupt Vector Table or I.V.T. This address is modified by the virus in such a way that the new address points to some portion of it’s own memory resident code. This process is known as interrupt stealing.
So, when an interrupt occurs after the virus getting memory resident, the address in I.V.T. points to the virus and hence the control reaches the virus code. Now, the virus is “the boss”. It can do almost anything it is programmed to do. Interrupt Vector Table:
Computer viruses are classified into sub-categories depending on its different entities. Some of them are:
BOOT PARTITION virus:
This kind normally infects the BOOT sector or floppy diskettes and MASTER BOOT RECORD (Partition table) of hard disk. The virus copy the original boot sector to some other predefined area (Sector) of the disk and copy itself over the actual boot sector. When the booting is done from a virus infected diskette, the virus gets the control first. After finishing whatever it was programmed to do, the original boot record is loaded into the memory front the predefined sector and the control is passed to it in order to resume the normal functioning. Some of the commonly found Boot viruses are Antlexe, Bloody, Bravo etc.
FILE INFECTOR virus: A file infector Virus is one which infects all executable file’s other than batch files (i.e. files with extension, bar). It is also known as Program virus. A Program virus infects executable files by attaching a copy of the virus code to the infected program. Most of such viruses attach itself at end of the infected program. The Exe Header in the case of exe files and first three bytes in the case of a com file is modified by the virus in such a way that the control, at first reaches the embedded virus code. some examples of program viruses are Amin and Cascade.
STEALTH viruses: A stealth virus is programmed to tunnel the virus detecting mechanisms stealthily. Depending on the number of stealth capabilities of this virus, it can be classified into partial and complete stealth. The commonly known stealth techniques are size filtering, and date and time stamp restoration.
If a file infected with stealth virus having size filtering capacity is listed using directory command in DOS, the file will show its original size. i.e. their new size after virus infection is covered from user. Hence, the virus becomes transparent to the user.
IN date and time stamp restoration technique, the file does not show the date on which if was lastly modified (i.e. when the virus infected it). The date and time which the file had before virus infection is restored after infection. Antiexe, Bravo, Bye and one-half are some of the famous stealth viruses.
POLYMORPHIC viruses: A Polymorphic virus can encrypt itself. Of the different methods for encryption, XOR ing it’s own code by a predefined value is a commontechnique. The XOR ing value is known as encryption key. If this key is varied on each infection, it becomes very difficult for virus cleaning software’s to detect the virus using “Signature” detection mechanism. A signature of a virus is a series of hexadecimal values in the source code of that virus. This hex string is always unique for every virus. A polymorphic virus has more than one signatures.
This is because of the fact that each time encryption is done using a different key! Onehalf, Natas and tremour are some of the common Polymorphic viruses.
MULTIPARTITE viruses: This virus infects both Boot sector and Program files. Hence, they are more dangerous than ordinary ones. The boot sector and programs has to be checked for infection in this case. Junkie Boot, Natas and One half are the commonly Multipartite viruses.
MACRO viruses: A Macro virus is a new comer. It infects only document files in Windows environment. The medium of infection of this virus is Internet since a lot of dc files are transmitted through the Net. This is a direct action virus and its source code is visible to the user of infected file! A macrovirus is written in 20 or 25 lines of code! In a doc file, there is an executable part known as header. A Macro virus utilises this facility. Microsoft Visual Basic can be used to write a macro virus.