Virus Classifications
A computer virus is technically any piece of executable code (a program) that replicates (copies itself). In the real world, computer viruses almost always have something else: a damage routine.
The damage routine is the part of the computer virus that, when activated, will attempt to make your life miserable by destroying some important data. Some damage routines reformat hard drives, while others may scramble the numbers in your documents. Either way, you're going to spend a lot of time cleaning up the mess.
But even computer viruses that don't have specific damage routines may still cause a lot of trouble. First of all, computer viruses must take up storage space and system memory. If a computer virus is allowed to replicate, it will cause your system performance to be significantly downgraded. This in itself is "damage" and thus all types of computer viruses should be eliminated.
Computer viruses, like biological "viri", have life cycles:
Creation: is when some guy sweats over assembly code for a few weeks and comes up with a new virus that he hopes can spread quickly and do a lot of damage.
Gestation: describes the process whereby the virus is copied somewhere so that it can spread. Usually this is done by infecting a popular program and placing it on a BBS or distributing copies through an office, school, etc.
Replication: viruses, by their very nature, replicate. A virus with a "good" design will replicate for quite a long time before activating. This allows it plenty of time to spread.
Activation: viruses that have damage routines will activate when certain conditions are met. Some viruses activate on a certain date while others may have some kind of internal countdown. But even viruses that don't have damage routines (and thus don't activate) may still be harmful to your system because they steal system resources.
Discovery: this phase of the virus life cycle doesn't necessarily have to come after activation, but it usually does. This is when somebody notices the virus and isolates it. Usually, it then gets into the hands of the NCSA(National Computer Security Association) in Washington DC and then gets documented and distributed to anti-virus developers. Discovery usually happens at least a year before a virus becomes a major threat to the computing community.
Assimilation: after the discovery phase, software developers modify their software so that it can detect the virus. This typically takes anywhere from a day to six months, depending on the developer.
Eradication: If enough software developers are able to handle the virus and enough users buy the right anti-virus software, the virus can nearly be wiped out. So far, no viruses have completely disappeared, but some have long since ceased to be a major threat to the computing community.
Boot Sector viruses hide on the first sector of a disk. Because of the way DOS is structured, the virus gets loaded into memory before system files are loaded. This allows it to gain complete control of DOS interrupts and thus have a tremendous opportunity to spread and do damage.
Boot strap sector viruses modify either the master boot strap sector or the DOS boot strap sector by replacing the original contents with their own code. The original contents of the sector are moved to another area of the disk, and the virus takes over the original location. The virus keeps a pointer to the new location of the original boot sector contents, so that the virus is executed first, loads the rest of its code, and then continues with normal boot strapping.
Boot strap sector viruses will usually load themselves into memory and remain there until the power to the computer is turned off.
File Infector Viruses attach themselves to .COM, .EXE, or .SYS files and thus are executed each time the infected file is executed. They only operate when the file is first loaded and they don't pose a serious challenge to most anti-virus systems.
Parasitic Viruses append themselves to a file in order to be executed. A parasitic virus has no means on its own to execute and replicate. It must modify the contents of an executable file (.EXE, .COM) so that it can control the execution flow of the appended file. The normal flow of the infected program file is redirected so that the virus is executed before the rest of the program. Most of the time the infection process goes unnoticed by the user, because after the virus has executed it usually passes control to the original program, which continues executing normally. Some viruses append themselves to the end of a program file, some prepend themselves to the beginning of a file, and yet others attach themselves at both ends.
Following is an example of how a virus appends itself to a file:
1. The virus first locates the ending bytes of the target file (either an .EXE or .COM file).
2. The virus modifies the first few bytes of the program (#1) to contain a branch instruction (a command that gives control of the system to the virus). When the infected file is executed, the virus gains control first. After the virus has finished executing, it passes control back to the program (#2).
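As an added example (not part of the original article), a Python heuristic a scanner can apply to .COM files to spot the layout just described: an entry-point JMP whose target lands in the trailing part of the file, where appended code lives. The sample images are constructed byte patterns, not real programs.

```python
import struct

JMP_NEAR = 0xE9   # x86 "JMP rel16": 3-byte instruction, signed 16-bit displacement follows

def entry_jump_target(image: bytes):
    """Return the file offset the entry JMP of a .COM image lands on, or None.

    A .COM image is loaded at CS:0100h and execution starts at its first byte,
    so after the 3-byte JMP at 0100h the IP is 0103h + rel, i.e. file offset 3 + rel.
    """
    if image[:2] == b"MZ" or len(image) < 3 or image[0] != JMP_NEAR:
        return None                       # an .EXE, or does not start with a near jump
    rel = struct.unpack_from("<h", image, 1)[0]
    return 3 + rel

def looks_appended(image: bytes, tail_fraction: float = 0.25) -> bool:
    """Heuristic: the entry jump lands inside the trailing `tail_fraction` of the file.

    Legitimate .COM programs often open with a short JMP over a data area, so a jump
    alone proves nothing; a jump straight into the tail is what an appending infector
    leaves behind when it patches the first bytes and stores its code after the host.
    """
    target = entry_jump_target(image)
    if target is None:
        return False
    tail_start = int(len(image) * (1 - tail_fraction))
    return tail_start <= target < len(image)

# Constructed fixtures (byte patterns only, not runnable programs).
# Clean: JMP over a 6-byte data area, then code and padding.
CLEAN_SAMPLE = (bytes([JMP_NEAR]) + struct.pack("<h", 6) + b"hello$"
                + bytes([0xB4, 0x09, 0xCD, 0x21, 0xC3]) + bytes(500))

# Host program before infection: mov ax,4C00h ; int 21h ; padding.
HOST = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + bytes(400)

# Appended layout from the text: first 3 bytes replaced by a JMP to the end of the host,
# rest of the host untouched, then the saved 3 bytes followed by inert filler (NOPs).
APPENDED_SAMPLE = (bytes([JMP_NEAR]) + struct.pack("<h", len(HOST) - 3)
                   + HOST[3:] + HOST[:3] + bytes([0x90]) * 64)

def scan(images: dict) -> dict:
    """Map each file name to True when the appended-code heuristic fires."""
    return {name: looks_appended(img) for name, img in images.items()}

if __name__ == "__main__":
    print(scan({"clean.com": CLEAN_SAMPLE, "suspect.com": APPENDED_SAMPLE}))
```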
Non-memory resident viruses attach themselves to .COM, .EXE, or .SYS files and thus are executed each time the infected file is executed.
They complete the execution of the virus code at the first execution stage and then they are finished. Other programs are infected at this time, and they generally infect only one other file at a time. The infection rate of these types of viruses is comparable to that of any other, since they are usually small and they don't change the interrupt table or establish themselves memory-resident. Also, the method of infection can be highly unpredictable.
Memory Resident Viruses hide in memory and act like parasites to various low-level machine functions (interrupts). From this vantage point, RAM viruses can do a lot of damage while avoiding detection by some anti-virus systems.
The first time that a memory resident virus is executed it will check to see if it is already loaded into memory; if not, it will load itself into conventional or high memory. From this point on, any time an uninfected file is executed the virus will infect it. This method of infection is both a quick and effective way for the virus to spread.
The only way to get the virus out of memory is to turn the power to the infected computer completely off. Don't just "warm boot" the computer, because a method of surviving a warm boot has now been discovered.
Multi-partite viruses have characteristics of both the boot strap sector virus and the parasitic virus. Viruses like this can infect both .COM and .EXE files as well as infecting the boot sector of diskettes and hard drives.
When a computer is booted from a diskette infected with a multi-partite virus, the virus will generally place itself resident in memory as well as infecting the boot sector of the computer's hard drive.
By utilizing both these methods of infection it easily and quickly infects the entire environment of a PC. There are actually not many viruses of this type in existence, but they make up a large portion of virus infections.
Stealth Viruses, or Interrupt Interceptors as they are sometimes called, take advantage of key DOS-level interrupts to make DOS and many anti-virus systems think that all the files are clean. They do this by intercepting the interrupt table located at the beginning of memory. When an application issues a request for an interrupt jump, it is normally directed through the interrupt table and the request goes through normally. But if a virus is intercepting these requests, it is able to redirect the request and perform anything it decides to do.
The stealth virus's ability to control the interrupt table so well allows it to hide very effectively and makes it difficult to detect.
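As an added example (not from the original article), a Python routine that decodes a dump of the real-mode interrupt vector table and reports which watched vectors have been redirected relative to a known-clean snapshot, which is the check a resident anti-virus monitor of the period performs against interrupt interception. The table images and handler addresses are constructed for the example.

```python
import struct

IVT_SIZE = 256 * 4   # real-mode interrupt vector table at 0000:0000: 256 far pointers, 1 KiB

def decode_ivt(table: bytes) -> dict:
    """Return {interrupt: (segment, offset, linear)} for every vector in a 1 KiB IVT image.

    Each entry is stored little-endian as offset then segment; the 20-bit linear
    address of the handler is segment * 16 + offset.
    """
    if len(table) != IVT_SIZE:
        raise ValueError("IVT image must be exactly 1024 bytes")
    vectors = {}
    for n in range(256):
        off, seg = struct.unpack_from("<HH", table, n * 4)
        vectors[n] = (seg, off, (seg << 4) + off)
    return vectors

def build_ivt(assignments: dict) -> bytes:
    """Constructed helper: build an IVT image from {interrupt: (segment, offset)}."""
    table = bytearray(IVT_SIZE)           # unlisted vectors stay 0000:0000
    for n, (seg, off) in assignments.items():
        struct.pack_into("<HH", table, n * 4, off, seg)
    return bytes(table)

def changed_vectors(baseline: bytes, current: bytes, watch=(0x13, 0x21)) -> dict:
    """Report watched interrupts whose handler address differs from the clean baseline.

    INT 13h (BIOS disk) and INT 21h (DOS services) are the paths DOS and anti-virus
    programs use to read sectors and files, so they are the default vectors to watch;
    pass `watch=range(256)` to diff the whole table.
    """
    base, cur = decode_ivt(baseline), decode_ivt(current)
    return {n: (base[n][2], cur[n][2]) for n in watch if base[n] != cur[n]}

# Constructed snapshots: addresses are assumed values for the example, not from a real PC.
BASELINE = build_ivt({0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x109E)})   # BIOS ROM, DOS kernel
HOOKED   = build_ivt({0x13: (0x9F80, 0x0123), 0x21: (0x0116, 0x109E)})   # INT 13h now points into resident RAM

if __name__ == "__main__":
    for n, (before, after) in changed_vectors(BASELINE, HOOKED).items():
        print(f"INT {n:02X}h moved from {before:05X} to {after:05X}")
```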
Polymorphic Viruses (mutation engine viruses) encrypt or scramble their code with each replication so that no two copies of the virus look the same. This makes them extremely difficult to detect with most virus scanners, because scanners rely on a known virus code pattern to locate a virus.
Polymorphic viruses have been increasing in popularity due to the development of a "Mutation Engine." The Mutation Engine was designed by a person or group called the "Dark Avenger." It was placed on BBS stations with the mutation code available to everyone. It even comes with a set of instructions to make any normal virus into a polymorphic virus.
Network-Specific Viruses are designed to attack a network operating system (usually NetWare) and then use the network to spread themselves. They utilize NetWare controller interrupts to modify the behavior of interrupt requests.
Bounty Hunter Viruses target specific anti-virus software and defeat it. These types of viruses are extremely rare, but quite effective against some anti-virus software.