What is a Computer Virus?

Definition
A computer virus is a computer program or script that attempts to spread from one computer to another and/or from one file to another on a single computer without the knowledge or consent of the computer user.
Viruses are different from other forms of malware in that they set out to reproduce themselves and spread to other files or computers.
See the antivirus page for reviews of leading antivirus programs and links to the manufacturers' sites. Protect your computer and your data today.
Most viruses have three components:
- Replicator - this segment enables the virus to make and distribute copies of itself. A number of methods are used, but this feature distinguishes viruses from other types of malware.
- Concealer - this segment attempts to hide the virus. Users are less inclined to try to eradicate the virus if they do not know it is there. A number of mechanisms are used and modern viruses use sophisticated methods to try to evade antivirus programs.
- Payload - Often viruses have a payload as well. This part of the virus can be programmed to do something malicious, such as deleting or modifying files. Sometimes the virus programmer sets a certain date and time for the payload to 'go off' - e.g. Friday 13th or April 1st.
There are different virus types, classified by their method of attack as well as how they reproduce themselves and spread.
Here are some examples:
Boot Virus
A boot virus, or boot sector virus, targets the boot sector of a computer disk. This can be the Hard Disk Drive of the computer or removable media such as a floppy disk. This forces the computer to load the virus program into memory as it starts. The virus copies itself onto boot sectors of other media (floppy disks, etc.) as they are written to by the computer.
Boot sector viruses used to be very common when the main method of transferring files between computers was via floppy disks. They are less common now that the use of floppy disks is less widespread.
Program Viruses
Program viruses are designed to infect program files (usually with *.exe extensions on modern computers, although other program types are possible). When the user runs the infected program the virus becomes active and will spread to other programs on the computer.
Multipartite Viruses
A multipartite virus is a combination of a program virus and a boot sector virus. Once activated (by running the infected program) it will affect the boot sector and operate in the same way as a boot sector virus the next time the computer is started.
Macro Viruses
Macro viruses, or script viruses, are programmed as macros concealed in documents. Many modern word processor and spreadsheet packages support macro scripts. Once a document carrying a macro virus is opened, the application (word processor, spreadsheet, etc.) becomes infected and will proceed to infect every document that it opens with the virus.
Polymorphic Viruses
Antivirus programs are frequently updated with virus signatures, or binary patterns, whenever a new virus threat is identified. A polymorphic virus attempts to conceal itself by modifying its signature every time it infects a new file. This is a sophisticated concealment method, but a good antivirus program with sophisticated detection algorithms will still detect and remove them.
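The following is an added example, not code from the original article. It shows the signature-matching idea in miniature: a fixed byte pattern catches the plain copy of a sample but misses copies whose body has been re-encoded with a different single-byte XOR key (the simplest form of a changing signature), while a scanner that decodes before matching recovers the hit. The marker string and "file" contents are constructed byte strings, not real malware; real polymorphic code also varies its decoder, which this toy does not model.

```python
from typing import Optional

# Constructed pattern standing in for a real signature.
SIGNATURE = b"VIRUS_BODY_MARKER"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so it also decodes)."""
    return bytes(b ^ key for b in data)

def scan_static(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature match: is the exact byte pattern present?"""
    return signature in sample

def scan_with_decoding(sample: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Try every single-byte XOR key and return the key under which the
    signature appears, or None if no key reveals it. Key 0 is the unencoded case."""
    for key in range(256):
        if signature in xor_bytes(sample, key):
            return key
    return None

# Constructed "infected file": harmless filler around the marker.
PLAIN_COPY = b"MZ header..." + SIGNATURE + b"...rest of file"
# Two later generations of the same body, each re-encoded with a new key.
GENERATION_A = xor_bytes(PLAIN_COPY, 0x5A)
GENERATION_B = xor_bytes(PLAIN_COPY, 0xC3)

def demo() -> dict:
    """Compare both scanners over the plain copy and the two re-encoded copies."""
    return {
        "static_plain": scan_static(PLAIN_COPY),        # True
        "static_gen_a": scan_static(GENERATION_A),      # False: pattern changed
        "static_gen_b": scan_static(GENERATION_B),      # False
        "decode_gen_a": scan_with_decoding(GENERATION_A),  # 0x5A
        "decode_gen_b": scan_with_decoding(GENERATION_B),  # 0xC3
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defender's lesson is that a signature taken from the encoded body is fragile; matching on what the code looks like after decoding, or on the part that cannot change, is what lets a scanner keep up.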
Email Viruses
Virus writers are constantly seeking new ways of spreading viruses as widely as possible. Boot viruses are quite rare now as few people use floppy disks nowadays, but email viruses are becoming more common. The first really destructive one started in March 1999 and was called Melissa. It was a Microsoft Word document containing a malicious script attached to an email. If the attachment was opened the user's computer became infected and it would attempt to email itself to the first 50 contacts in the user's address book. At the time this was the most destructive virus ever seen, causing millions of dollars worth of damage and infecting untold numbers of PCs.
Email remains a popular method of spreading viruses, particularly if the email masquerades as a genuine message from a trusted contact.
Another popular email attack is the practice of 'phishing'. This is a form of spam email, but no malware is used. It is the content of the email message that is designed to trick the user into giving away information advantageous to the hacker - specifically bank details. The usual form is that a website is set up to look like a genuine bank website and the email carries a message requesting the user to log on and confirm their security details. They are then directed to the bogus website, which collects their account number and login details. This form of attack is obvious to most email users as it has become commonplace, but there must still be enough people who follow the bogus link and enter their account details - otherwise the spammers wouldn't bother and would move on to something else.
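As an added example (not part of the original article), here is a small check for the lure just described: an HTML email whose link text shows the bank's address while the href points somewhere else. The message body is constructed, and example-bank.test and login-confirm.example are placeholder domains.

```python
# Flag links whose visible text names one host while the href points elsewhere.
# The sample message is constructed; the domains are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_text: str) -> str:
    """Lower-cased host of a URL, or of bare text such as 'www.bank.test/x'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()

def suspicious_links(html_body: str) -> list:
    """Return hrefs whose host differs from the host named in the link text.
    Link text that is a phrase ('Click here') rather than a URL is skipped."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        if "." not in text or " " in text:
            continue  # not URL-like, so there is nothing to compare against
        if host_of(text) != host_of(href):
            flagged.append(href)
    return flagged

# Constructed lure: the visible text shows the bank's domain, the href does not.
SAMPLE_EMAIL = """<p>Please log on and confirm your security details:</p>
<a href="http://login-confirm.example/bank">https://www.example-bank.test/login</a>
<a href="https://www.example-bank.test/help">Click here</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` returns the single mismatched href; a mail gateway or client can surface such links to the user before they are followed.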
Network Viruses
Once a virus infects an office network it is difficult to eradicate. These viruses usually start with one computer on the network becoming infected and the virus spreading to shared network resources and other computers. Eradicating it completely will depend on how widespread the infection is when it is detected. Re-infection of cleaned computers is possible if the user attempts to access a network resource that is still infected.
Internet Worms
There is some disagreement about whether worms should be classified as viruses or not. A typical virus requires some sort of user intervention - clicking on a link on an infected website, opening an infected email attachment, running an infected program and so on. With a worm no user intervention is required.
It does not need to attach itself to another computer file and spreads by exploiting security flaws. A typical worm will scan the internet randomly looking for vulnerable hosts to infect.
Some have payloads with destructive consequences, but many are only designed to spread. This in itself can cause disruption due to networks slowing down and other unintentional side effects.
A typical payload is installing a back door to enable the infected computer to become a 'zombie' machine under the control of the person who created the worm. MyDoom and Sobig are examples of this that received a lot of media attention. Worm writers have been caught selling lists of IP addresses of infected computers to spam email companies.
Conclusion
Some virus protection is possible by being careful not to open email attachments and trying to adopt a common-sense approach to Internet use. These methods alone cannot offer 100% protection, so it is essential to install a good antivirus program and keep it up to date with the latest definitions. The greatest threat from viruses occurs just after a new one is launched, so not keeping your antivirus program up to date is as bad as not having any antivirus protection.
Several vendors offer antivirus programs and they are not all the same. See the section on Antivirus Programs for reviews, comparisons and recommendations.