Thursday, August 18, 2011

Types of Computer Virus

WORM

Worms were one of the first computer viruses. A program written as a worm virus normally does not do any destructive work; a worm's main job is to replicate itself, i.e. to keep on copying itself to any new disk used in the system, or over the network to new systems, and keep spreading.

The original worm programs were made as experimental programs in computer labs to test whether a program could be made to replicate itself.

Most current viruses contain a worm component to handle the replication part of the virus.

To spread, these worms stay resident in the computer's memory and watch disk access activity. Whenever a new disk is put in the drive and a disk access command such as DIR is given, the program immediately copies itself to some .EXE, .COM or other executable program on the new disk.

Later, when this infected disk is taken to some other machine and the infected program is executed, the virus becomes active in the new computer's memory, again waiting for some disk to copy itself to.

These viruses also spread by copying themselves to the boot sector of the floppy; when the infected floppy is later used to boot some machine, the virus becomes active.

If the machine where the virus becomes active contains a hard drive, the virus also copies itself to the hard drive by writing itself to the MBR (Master Boot Record), the DBR (DOS Boot Record) or the executable programs on the hard disk drive.

TROJAN

Trojan is the name given to programs that appear to be some useful utility but contain a hidden destructive part. A virus that has infected a useful .COM or .EXE program turns that executable into a Trojan, because the moment someone executes it, the virus becomes active and starts doing its job.

For example, your word processing program WS.EXE may become infected by some virus, and while you are doing some typing work in WS, the virus active in memory may be destroying data on your hard disk drive.

Therefore, hiding a destructive program inside a legitimate-looking program is called a Trojan program. A pure Trojan does not replicate itself, but currently most viruses contain a Trojan as well as a worm part, so a useful-looking program can destroy data as well as replicate itself.

BOMB

Another type of virus program is known as a bomb. These are programs that wait for some specific event to occur; when that event occurs, the bomb becomes active, destroying or corrupting the information inside the computer.

The event can be anything defined by the programmer writing the bomb: a particular date, a particular day falling on a specific date such as a Friday the 13th, or some event such as the virus having made 10 copies of itself, after which it may format the hard disk drive. Some programmer may write a bomb program to delete the complete FAT table if his name is removed from the payroll file.

A virus may contain all three parts, bomb, worm and Trojan horse, to replicate effectively and destroy data.

MBR (Partition Table) Infector

Apart from their working method, viruses can also be classified by the area they infect. An MBR or partition table infector infects the Master Boot Record (MBR) of the hard drive (a floppy disk does not contain any MBR).

These viruses become active every time the machine is booted from the hard disk drive, because during booting the first thing the BIOS does is execute the program located in the MBR.

Removing an MBR virus is very easy, as one needs only to overwrite the infected MBR code with good MBR code, taking care that the partition table information is not overwritten and corrupted.
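The repair just described depends on the MBR layout: 446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature. The following Python is an added example, not code from the original post; it parses a 512-byte sector, swaps in replacement boot code while leaving the partition table untouched, and checks that the table survived. The sample sector and the two-byte "clean" code are constructed placeholders.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code an MBR virus overwrites
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"      # bytes 510..511 must hold the boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and a signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped), LBA start, size
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[MBR_SIZE - 2:] == SIGNATURE}


def replace_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Overwrite only the first 446 bytes; the partition table and signature are kept."""
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("replacement boot code must fit in 446 bytes")
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def partition_table_preserved(before: bytes, after: bytes) -> bool:
    """Check that a repair left every partition entry and the signature unchanged."""
    return before[PART_TABLE_OFF:] == after[PART_TABLE_OFF:]


def make_sample_mbr() -> bytes:
    """Constructed sample: 0xCC filler stands in for infected boot code (not real virus code)."""
    code = b"\xCC" * BOOT_CODE_LEN
    # One bootable FAT16 (type 0x06) partition starting at LBA 63 with 1000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 1000)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + SIGNATURE


if __name__ == "__main__":
    infected = make_sample_mbr()
    # Placeholder "clean" code: a two-byte x86 jump-to-self, used only to show the swap.
    repaired = replace_boot_code(infected, b"\xEB\xFE")
    print(parse_mbr(repaired)["partitions"][0])
    print("partition table intact:", partition_table_preserved(infected, repaired))
```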

DBR (Boot Sector) infector

Another virus type based on the area infected is the DBR or DOS Boot Record infector. These viruses very commonly spread through infected floppy disks. Every time a floppy with an infected boot sector is used to boot a system, the virus becomes active in memory and starts spreading and destroying.

These viruses also infect the boot sector of the hard disk drive's DOS partition, and every time the machine is switched on and booted from the hard disk drive the virus becomes active in memory.

Even if the disk is not bootable, if it contains a boot sector virus and you try by mistake to boot from it, the virus in the DBR will become active in memory.

If you are booting from a hard disk drive and the A: drive of your system contains a floppy disk, make sure that the drive door is open, so that the computer will not try to read the DBR of the floppy disk and activate any DBR virus.

Program/File Infector (Parasitic Virus)

Another type of virus does not infect the MBR or the DBR; instead it attaches itself to some executable program such as a .EXE, .COM, .SYS, .OVL, .BIN or .DLL file. These viruses turn the useful program they infect into a Trojan program: any time the infected program is executed, the virus becomes active in memory and starts its work of replication and destruction.

Multipartite Viruses

A virus can contain all three of the above infectors, MBR, DBR and program infector, in its program. This type of virus program is called a multipartite virus.

Stealth Viruses

Stealth viruses are a special type of virus: once they become active in memory they conceal themselves from detection. These viruses hide from a virus scanner by constantly changing their code. The code can be changed either by using encryption or by inserting NOP (no operation) instructions at random places in the virus program.

If you try to check the MBR using Norton's Diskedit program, the virus active in memory will show you the original MBR sector. Only when the virus is not active in memory will you be able to see the virus-infected MBR. This is the reason that, after a virus infection, a virus scanner program requires you to boot from a write-protected, uninfected system disk.

Polymorphic Viruses

Viruses that change their appearance using encryption to avoid detection are known as polymorphic viruses. These viruses change their code with each run by using some encryption code, and they also change their encryption method with each run, making it very difficult to detect this type of virus using the simple virus scanning method.

Currently, the "Dark Avenger" virus writer has made a mutation engine which can make any virus a polymorphic virus. His mutation engine causes the virus program to which it is attached to continually change its appearance. This makes detection of the virus using the scanning method a very difficult job.

Macro Virus

Macro viruses appeared after the introduction of macros in applications such as spreadsheets, word processors etc. Most macro viruses are written to infect Microsoft Word and Microsoft Excel documents.

Macro viruses generally spread through the Internet and e-mail.

If a Word or Excel file containing a macro is sent as an attachment to an e-mail, when the document is opened by the recipient the macro gets executed, and the virus becomes active on his computer and starts spreading further.

Many of these viruses look in the user's address book and send themselves as e-mail attachments to all available e-mail addresses, spreading even further.

To protect against macro viruses one should never open a document received as an attachment without first scanning it with the latest virus scanner.
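One cheap pre-scan check for a Word or Excel attachment is to look, before opening it, for the parts that mark a macro-carrying Office Open XML package: an embedded vbaProject.bin and a macroEnabled content type. This Python is an added example, not code from the original post; the documents it inspects are constructed in memory, with placeholder bytes standing in for the VBA project, and legacy binary .doc/.xls files are only flagged for a full scan rather than parsed.

```python
import io
import zipfile

# Content types that mark a macro-enabled Word/Excel package (Office Open XML).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
)
PLAIN_WORD_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def find_macro_indicators(doc_bytes: bytes) -> list:
    """Return reasons to treat the attachment as macro-carrying; [] if none were found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls (OLE2) files need an OLE parser; hand them to a full scanner.
        return ["not an Office Open XML package; send to a full virus scanner"]
    names = zf.namelist()
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            findings.append("embedded VBA project: " + name)
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        for mime in MACRO_CONTENT_TYPES:
            if mime in content_types:
                findings.append("macro-enabled content type: " + mime)
    return findings


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal Word package; the 'VBA project' is placeholder bytes, not a macro."""
    buf = io.BytesIO()
    main_ct = MACRO_CONTENT_TYPES[0] if with_macro else PLAIN_WORD_CT
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macro-enabled sample" if flag else "plain sample",
              find_macro_indicators(build_sample_document(flag)))
```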

Web Applet Virus

A new type of virus can be written in web scripting languages such as ActiveX, JavaScript, Java etc. When a web page containing infected ActiveX, JavaScript or Java code is opened, the virus will infect your system.

Once the virus becomes active it can do all the things a virus does, such as destroying data, spreading data, spreading itself etc.