A computer virus is a program – a piece of executable code – that has the unique ability to replicate. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to just about any type of file and are spread as files that are copied and sent from individual to individual.
Besides replication, some computer viruses have something else in common: a damage routine that can deliver the virus payload. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other kinds of damage. If the virus doesn’t contain a damage routine, it can still cause trouble by taking up storage space and memory, and downgrading the overall performance of your computer.
Several years ago most viruses spread primarily via floppy disk, but the Internet has introduced new virus distribution mechanisms. With email now used as an important business communication tool, viruses are spreading faster than ever. Viruses attached to email messages can infect an entire enterprise in a matter of minutes, costing companies millions of dollars annually in productivity loss and clean-up expenses.
Viruses won’t go away any time soon. More than 10,000 have been identified, and 200 new ones are created every month, according to the International Computer Security Association. With numbers like those, it’s safe to say that most organizations will deal regularly with virus outbreaks. No one who uses computers is immune from viruses.
Computer viruses have a life cycle that starts when they’re created and ends when they’re completely eradicated. The following outline describes each stage.
Until a few years ago, creating a virus required knowledge of a computer programming language. Today anyone with even a little programming knowledge can create a virus. Usually, though, viruses are created by misguided individuals who wish to cause widespread, random damage to computers.
Viruses replicate by nature. A well-designed virus will replicate for a long time before it activates, which allows it plenty of time to spread.
Viruses that have damage routines will activate when certain conditions are met, for example, on a certain date or when a particular action is taken by the user. Viruses without damage routines don’t activate, instead causing damage by stealing storage space.
This phase doesn’t always come after activation, but it usually does. When a virus is detected and isolated, it is sent to the International Computer Security Association in Washington, D.C., to be documented and distributed to antivirus developers. Discovery normally takes place at least a year before the virus might have become a threat to the computing community.
At this point, antivirus developers modify their software so that it can detect the new virus. This can take anywhere from one day to six months, depending on the developer and the virus type.
If enough users install up-to-date virus protection software, any virus can be wiped out. So far no viruses have disappeared completely, but some have long ceased to be a major threat.
The majority of viruses fall into four main classes:
Until the mid-1990s, boot sector viruses were the most prevalent virus type, spreading primarily in the 16-bit DOS world via floppy disk. Boot sector viruses infect the boot sector on a floppy disk and spread to a user’s hard disk, and can also infect the master boot record (MBR) on a user’s hard drive. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the computer and accessed.
Boot sector viruses work like this: by hiding on the first sector of a disk, the virus is loaded into memory before the system files are loaded. This allows it to gain complete control of DOS interrupts so that it can spread and cause damage.
These viruses often replace the original contents of the MBR or DOS boot sector with their own contents and move the sector to another area on the disk. Cleaning up a boot sector virus can be performed by booting the machine from an uninfected floppy system disk rather than from the hard drive, or by finding the original boot sector and replacing it in the correct location on the disk.
File infectors, also known as parasitic viruses, operate in memory and usually infect executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS. They activate every time the infected file is executed by copying themselves into other executable files and can remain in memory long after the virus has activated.
Thousands of different file infecting viruses exist, but similar to boot sector viruses, the vast majority operate in a DOS 16-bit environment. Some, however, have successfully infected the Microsoft Windows, IBM OS/2, and Apple Computer Macintosh environments.
Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.
Macro viruses currently account for about 80 percent of all viruses, according to the International Computer Security Association, and are the fastest growing viruses in computer history. Unlike other virus types, macro viruses aren’t specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.
Macro viruses are, however, application-specific. They infect macro utilities that accompany such applications as Microsoft Word and Excel, which means a Word macro virus cannot infect an Excel document and vice versa. Instead, macro viruses travel between data files in the application and can eventually infect hundreds of files if undeterred.
There are many things you can do to protect against viruses. At the top of the list is using a powerful antivirus product, such as Trend Micro’s PC-cillin for home users. Corporate users can learn how viruses can infiltrate their networks by viewing our interactive “Trend Enterprise Solution” diagram.
Source: Trend Micro. (C)2005 Trend Micro.