Deadly Software: A Virus Primer

Richard A. Quinnell -November 06, 2001

  For more detailed information on computer viruses, visit The CERT Coordination Center and In addition, information on specific viruses as well as virus hoaxes can be found on the Web sites of virus protection software vendors.  

"Don't open your email," runs the warning cry, "It'll delete your files, bring down your network, and melt your hard drive." Similar warnings arise about accessing bulletin boards, downloading shareware, and virtually every other computer file transfer. The source of all these concerns—the computer virus. Like its biological namesake, the computer virus finds its way into a host, takes over some of its functions, and replicates itself so that it will continue to spread its infection as far and wide as possible.

Viruses are, for the most part, a product of the personal computer revolution. Although research began before the advent of the PC, virus design and detection only started becoming a serious topic in the mid-1980s. Programmers discovered that the floppy disk's boot record was, in fact, executable code that could be modified. By augmenting the boot record with software that replicated itself on all disks the computer wrote to, programmers created the first true computer virus. Virus creation has become increasingly sophisticated ever since.

The computer virus belongs to a family of malicious software, or malware, that includes worms and Trojan Horses. Often, computer users lump all three types under the term virus, but they have distinctly different characteristics. Understanding these characteristics, which include where these programs infect your system and how they propagate, is the first step in developing an effective resistance to them.

  • Trojan Horse
    This is the name given to malicious software that masquerades as something useful. For example, a file management utility may contain hidden code that opens a back door for external users to access your computer remotely. Another might encrypt all the data on your hard disk, making it inaccessible. The defining element of Trojans is that they do not replicate themselves and spread to affect other files. They simply do something unexpected (and unpleasant) when activated. You have to execute the program for it to be dangerous.

  • Worm
    This type of program replicates itself without using a host file, spreading multiple copies as far and wide as possible. In networked and multitasking systems, the presence of a worm has the effect of overloading the system. The ever-increasing number of worms executing eventually ties up all of the system resources. Worms are self-activating, so once they enter a system they multiply rapidly. As with Trojans, worms do not use host files to spread themselves.

  • Virus
    The true computer virus has two characteristics: it is executable code that hides in a host program and it replicates itself in another host when executed. In addition, a virus will usually have some type of payload code that activates when a trigger condition is met. The effects range from displaying simple prank messages to causing catastrophic file damage. Unlike a Trojan or a worm, a virus does not exist in the computer as a complete, identifiable program in itself.

Of the three types of malware, the computer virus is arguably the most dangerous because it lies in hiding, spreading secretly. Worms make themselves obvious and Trojans require user participation to activate and spread. The virus runs hidden in other code, avoiding detection so that it can spread widely. A virus will often delay delivering its payload until the occurrence of some relatively rare event, such as a specific date, to maximize its opportunities for spreading undetected.

A key attribute of a virus is that it must hide within executable code. That need to be executable has lulled many users into a false sense of security, believing that data files have no way of being infected. While that may be true in some cases, there are several types of data files that can contain viruses.

Data files, in themselves, are not executable. Some programs, however, allow the use of powerful macro commands that are saved within the data file. When the program opens the file, it executes the macros within. Thus, the document file can harbor a macro virus with a payload limited only by the capabilities of the macro language.

It is also possible to be fooled into thinking that an executable program is really a data file. Windows allows files to be named with double extensions. If the system is configured to suppress the display of file extensions, a file such as virus.txt.vbs will appear to the user to be named virus.txt, which looks like a safe data file. Opening the file in an attempt to read the text document, however, invokes its Visual Basic code and releases the virus.

There are many different categories of viruses, which can be classified according to what they infect. Some of the major categories are:

  • File virus
    This type of virus infects executable files. When executed, it typically loads a memory-resident program that infects other files and delivers the payload.

  • Macro virus
    Instead of executable files, the macro virus infects data files for programs with powerful macro programming languages. Files for Word, Excel, Outlook, and Windows Help utilities have all been subject to macro-virus infection.

  • Boot sector virus
    This virus hides in the boot program on a floppy or hard disk, and is executed each time the computer boots and infects every floppy disk to which the system writes.

  • Tunneling virus
    In order to avoid virus-protection software, this virus follows the IRQ chain to the interrupt handlers and then replaces them. By residing at the system's lowest software level, the replacement code seeks to prevent other software from dislodging it.

  • Cluster virus
    Rather than infecting program files directly, this virus alters the disk's file directory so that, when a user attempts to run a program, the virus program gets executed first. Then, the intended program runs.

Viruses can also be categorized by their behaviors, such as the manner in which they hide themselves:

  • Armored virus
    This virus is designed to make disassembly difficult. Disassembly is a necessary step in developing effective anti-virus software.

  • Stealth virus
    By taking over the system functions that read files, this virus hides itself by giving false reports about file contents.

  • Polymorphic virus
    To prevent detection by simple search-string methods, this virus encrypts itself each time it infects a file. Further, the encryption changes with each infection, so finding one copy of the virus does not give insight into finding other copies.

  • Spacefiller virus
    Many viruses append themselves to the beginning or the end of their hosts as their method of propagation. A test such as file-length comparisons can detect such viruses. To prevent detection, the spacefiller uses an attribute of the newer Windows versions that allows blank spaces within an executable file. It writes itself into the blank spaces, so the file length is unaltered.

  • Sparse infector
    Instead of infecting every likely candidate, the sparse infector holds back in order to decrease the chances of detection. By infecting only one file in twenty, the virus tries to keep its activity below the user's notice.

  • Multipartite
    As the name implies, this virus combines several of the above characteristics.

There are more than 10,000 viruses and variants in existence, and new viruses are coming out all the time. Some stem from genuine research into virus design as part of the effort to develop protection. Others are the results of hackers who are modifying existing viruses or playing with the virus development toolkits available on the Internet.

Adding to the problem, the increasing sophistication of programs such as email handlers and word processors is creating new opportunities for virus developers. Email, for example, was relatively safe when the mail was only a text file. With the ability to include HTML and other executable commands in the message, however, email programs have opened the door for virus developers.

The user's first line of defense against viruses is to prevent their entry. Checking file extensions before opening files, disabling automatic execution options in email and document handlers, and never running programs from unknown sources are all user activities that will reduce the chances of infection. Still, given the volume and diversity of computer viruses, a good virus protection program is essential for most users.

Despite your best efforts, however, you'll eventually encounter a virus that gets through your defenses. Making regular backups of critical data is an invaluable failsafe activity. A virus won't melt your hard drive, but it can vaporize its contents.

Loading comments...

Write a Comment

To comment please Log In