What is a Virus?
These software "pranks" are very serious; they are
spreading faster than they are being stopped, and even the least harmful of viruses could
be life-threatening.
A virus is a program written to enter a computer without the user's permission or knowledge. It tries to attach itself to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system. You should always delete infected files or try to clean them with the latest anti-virus scanner. There are several anti-virus programs available.
Types of Viruses
Viruses are classified by the ways they infect computer systems:
- Program: Executable program files such as .COM, .EXE, .OVL, .DRV, .SYS, .BIN
- Boot: Boot Record (BR), Master Boot Record (MBR), FAT and Partition Table.
- Multipart: Both program and boot infector.
How Viruses Contaminate and Spread
A virus is inactive until the infected program is run or the boot record is read. When the virus is activated it loads into the computer's memory, where it can perform a triggered event or spread itself. Disks used in an infected system can then carry the virus to another machine. Programs downloaded from bulletin boards can also spread a virus. Data files, however, cannot transfer a virus, but they can become damaged.
- Boot Infectors: Every disk contains a boot sector, whether it is a bootable disk or not. When the computer powers up looking for the boot information and reads an infected disk in the A: drive, the virus is transferred to the computer's hard drive. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory the boot virus can travel to every disk that is read, and the infection spreads. Most boot viruses could be on a system for a long time without causing problems. However, there are some nasty ones that will destroy the boot information or force a complete format of the hard drive.
- Program Infectors: When an infected application is run, the virus activates and is loaded into memory. While the virus is in memory, any program file subsequently run becomes infected. Multiple infections are very common and will certainly cause system problems. Program files may function without any problems for some time, but eventually programs have problems or multiple infection brings the system down. The data the program produces may be the first sign of infection, such as saving files without proper DOS names.
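The boot-infector description above comes down to one check a defender can make: does the boot code on the drive still match what was there when the system was known to be clean? The following is an added example, not code from the original page, that baselines the executable part of a 512-byte master boot record, keeps the partition table out of the hash so that legitimate repartitioning is not mistaken for infection, and reports a changed boot code region. The sector bytes and the partition entry are constructed stand-ins; the function names are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0..445: executable boot code
PARTITION_TABLE_END = 510     # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is deliberately
    excluded so that repartitioning does not look like an infection."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries: status, type, LBA start, sector count."""
    entries = []
    for i in range(4):
        offset = BOOT_CODE_END + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def check_boot_record(sector: bytes, baseline_hash: str) -> dict:
    """Compare a freshly read sector against the hash recorded on the clean system."""
    current = boot_code_hash(sector)
    return {
        "length_ok": len(sector) == SECTOR_SIZE,
        "signature_ok": sector[PARTITION_TABLE_END:SECTOR_SIZE] == BOOT_SIGNATURE,
        "boot_code_changed": current != baseline_hash,
        "boot_code_hash": current,
        "partitions": parse_partition_table(sector),
    }


def make_clean_sector() -> bytes:
    """Constructed stand-in for a clean MBR: dummy boot code, one FAT16 partition, signature."""
    code = b"\xeb\x3c\x90CONSTRUCTED-CLEAN-BOOT-CODE".ljust(BOOT_CODE_END, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 2048)  # active, FAT16, starts at LBA 63
    table = entry + b"\x00" * 48                             # remaining three slots unused
    return code + table + BOOT_SIGNATURE


def demo() -> dict:
    """Baseline the clean sector, then check a copy whose boot code was overwritten
    while the partition table and signature were left intact (so the disk still boots)."""
    clean = make_clean_sector()
    baseline = boot_code_hash(clean)
    tampered = bytearray(clean)
    tampered[0:32] = b"X" * 32  # constructed overwrite of the code region only
    return check_boot_record(bytes(tampered), baseline)


if __name__ == "__main__":
    print(demo())
```

The sector has to be read while the system is booted from a clean, write-protected disk: the text's "full stealth" behaviour means a virus resident in memory can hand back the original boot code on a disk read, so a check run from the infected system proves nothing.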
Virus Characteristics/Specials
Viruses normally have multiple characteristics. Their characteristics are:
- Memory Resident: Loads much like a TSR, staying in memory where it can easily replicate itself into programs or boot sectors. Most common.
- Non-Resident: Does not stay in memory after the host program is closed, thus can only infect while the program is open. Not as common.
- Stealth: The ability to hide from detection and repair manifests in two ways.
  - Full - The virus redirects disk reads to avoid detection.
  - Size - Disk directory data is altered to hide the additional bytes of the virus.
- Encrypting: A technique of hiding by transformation. The virus code converts itself into cryptic symbols. However, in order to launch (execute) and spread, the virus must decrypt itself, and it can then be detected.
- Trojan: A Trojan is a program that does something undocumented that the programmer intended, but that some users would not approve of if they knew about it. According to some people, a virus is a particular case of a Trojan, namely one which is able to spread to other programs. According to others, a virus that does not do any deliberate damage is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to *non-replicating* malware, so that the set of Trojans and the set of viruses are disjoint.
- Macro: A macro virus consists of instructions in WordBasic or another macro language, and resides in documents. While we do not think of documents as capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses.
- Polymorphic: The ability to mutate by changing code segments to look different from one infection to another. This type of virus is a challenge for anti-virus detection methods.
- Fast Infectors: A fast infector is a virus that, when it is active in memory, infects not only programs which are executed, but even those that are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all programs becoming infected.
- Slow Infectors: The term "slow infector" is sometimes used to refer to a virus that only infects files as they are modified or as they are created. The purpose is to fool people who use integrity checkers into thinking that modifications reported by their integrity checker are due solely to legitimate reasons.
- Sparse Infectors: The term "sparse infector" is sometimes used to describe a virus that infects only occasionally, or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered.
- Armored: An armored virus is one that uses special tricks to make tracing, disassembling and understanding its code more difficult.
- Cavity: A cavity virus is one which overwrites a part of the host file that is filled with a constant, without increasing the length of the file, but preserving its functionality.
- Tunnelling: A tunnelling virus is one that finds the original interrupt handlers in DOS and the BIOS and calls them directly, thus bypassing any activity monitoring program which may be loaded and have intercepted the respective interrupt vectors in its attempt to detect viral activity. Some anti-virus software also uses tunnelling techniques in an attempt to bypass any unknown or undetected virus that may be active when it runs.
- Dropper: A dropper is a program that has been designed or modified to "install" a virus onto the target system. The virus code is usually contained in a dropper in such a way that it won't be detected by virus scanners that normally detect that virus. While quite uncommon, a few droppers have been discovered. A dropper is effectively a Trojan Horse whose payload is installing a virus infection. A dropper which installs a virus only in memory is sometimes called an "injector".
- Triggered Event: An action built into a virus that is set off by the date, a particular keyboard action or a DOS function. It could be as simple as a message printed to the screen or as serious as reformatting the hard drive or deleting files.
- In the Wild: A virus is referred to as "in the wild" if it has been verified by groups that track virus infections to have caused an infection outside a laboratory situation. A virus that has never been seen in a real-world situation is not in the wild, and is sometimes referred to as "in the zoo".
Note: Not all viruses are given the same names by different anti-virus programs.
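The slow-infector and fast-infector entries above describe exactly the two ways a naive integrity checker gets beaten: it re-baselines a file because "I just updated that one", or it is run while the virus is resident and opens every program for it. The following added example (not code from the page) is a small integrity checker over the program-file extensions the page lists. It records size and SHA-256 per file, and when a baselined file changes it accepts the change only if the new hash equals a hash supplied independently with the update; merely having changed is never enough. The directory contents, the "vendor" hash, and the function names are all this example's own constructions.

```python
import hashlib
import os
import tempfile

# Extensions the page lists as program-infector targets
PROGRAM_EXTENSIONS = {".com", ".exe", ".ovl", ".drv", ".sys", ".bin"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record the size and SHA-256 of every program file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return baseline


def compare(root: str, baseline: dict, expected_updates: dict = None) -> dict:
    """Report differences from the baseline.

    expected_updates maps a relative path to the hash published by whoever supplied
    a legitimate replacement. A changed file is accepted only when its new hash
    equals that value; the fact that it changed during an update proves nothing,
    because that is precisely when a slow infector does its work."""
    expected_updates = expected_updates or {}
    current = build_baseline(root)
    report = {"modified": [], "grown": [], "added": [], "missing": [], "accepted_updates": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            if expected_updates.get(rel) == new["sha256"]:
                report["accepted_updates"].append(rel)
            else:
                report["modified"].append(rel)
                if new["size"] > old["size"]:  # the "program size keeps changing" symptom
                    report["grown"].append(rel)
    report["added"] = sorted(rel for rel in current if rel not in baseline)
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline two programs, then
    legitimately replace one (hash known in advance), append bytes to the other,
    and drop in a driver nobody installed. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        write("EDIT.COM", b"CONSTRUCTED clean program A")
        write("GAME.EXE", b"CONSTRUCTED clean program B")
        write("README.TXT", b"data file: not a program, so not tracked")
        baseline = build_baseline(root)

        new_edit = b"CONSTRUCTED clean program A, version 2"
        vendor_hash = hashlib.sha256(new_edit).hexdigest()  # shipped alongside the update
        write("EDIT.COM", new_edit)
        write("GAME.EXE", b"CONSTRUCTED clean program B" + b"<constructed appended bytes>")
        write("NEW.SYS", b"CONSTRUCTED driver nobody installed on purpose")
        return compare(root, baseline, {"EDIT.COM": vendor_hash})


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the text. Against a fast infector the checker must only be run after booting from a clean disk, otherwise its own file reads become the infection vector. Against "size" stealth, the recorded size and the hash both come from a system whose directory data and disk reads may be lying, so a baseline is only worth what the boot it was taken from is worth.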
Troubleshooting and Virus Infection
Anti-virus programs are the best way to protect against virus infection, but not everyone has one, and new viruses are continually being developed. When troubleshooting program or system problems, watch for telltale signs of a virus presence. When a program says it has removed a virus from memory, it does not mean any files have been disinfected.
Symptoms commonly reported:
"My program takes longer to load suddenly."
"The program size keeps changing."
"My disk keeps running out of free space."
"When I run CHKDSK it doesn't show 655360 bytes available."
"I keep getting 32 bit errors in Windows."
"The drive light keeps flashing when I'm not doing anything."
"I can't access the hard drive when booting from the A: drive."
"I don't know where these files came from."
"My files have strange names I don't recognize."
"Clicking noises keep coming from my keyboard."
"Letters look like they are falling to the bottom of the screen."
"My computer doesn't remember CMOS settings, the battery is new."