Computer Viruses

Abstract
Computer viruses are widely known as malicious programs meant to corrupt the otherwise
orderly environment of a computer. More precisely, a computer virus is a piece of
program code that alters the way your computer works without your knowledge or
permission. Viruses are often designed to replicate and spread quickly to other
computer users. They do not arise by themselves: someone must write them, and with a
specific purpose. A virus infects another program, boot sector or document by attaching
itself to that medium, so that when the infected file is opened the hidden virus is
also executed, often in the background. Generally viruses cannot move on to other
computers by themselves; they must be passed on via infected e-mail attachments,
programs on disks or shared files.

Finding a virus is generally not easy, as viruses do not cooperate. A virus attempts to
spread before activating whatever malicious payload it has been programmed to deliver,
so viruses are usually programmed to hide themselves. The symptoms of an infected
system usually appear only after a long time, when the mission of the virus is almost
over. Hence it is difficult even for a virus expert to find a virus in a system without
antivirus tools, which are widely available nowadays.

Contents
1 Introduction
1.1 What Are Viruses?
1.2 Classification Of Viruses
1.2.1 Classification Based On What They Infect
1.2.2 Classification Based On How They Infect
1.3 Worms, Trojan Horses And Logic Bombs
2 How Does A Virus Work?
2.1 Functional Elements Of A Virus
2.2 Virus Behaviour
2.3 Few Techniques Of Binary File Viruses
Protection Against Viruses
Conclusion

1 Introduction

1.1 What Are Viruses?

A virus is a computer program that executes when an infected program is executed; hence
only executable files can be infected. On MS-DOS systems these files usually have the
extensions .EXE, .COM, .BAT or .SYS. By definition, a virus infects other programs with
copies of itself. It has the ability to clone itself so that it can multiply, constantly
seeking new host environments. The most harmless viruses do only that, simply
replicating and spreading to new systems. Alternatively, the virus program may damage
other programs and alter data, perhaps self-destructing when done. The only evidence
such viruses leave is the destruction they have inflicted on the infected system, which
makes it very difficult to develop defenses against them. Virus programs, like the
infectious microorganisms that are their namesakes, are often small: only a few lines of
program code are required to write a simple virus. Viruses can therefore be easily
hidden in healthy software and prove very difficult to find.
Viruses enter computer systems from an external software source. Often this new
software consists of utilities obtained from a network or from another computer.
Generally there are several warning signs associated with viruses. Files that increase
in size randomly, the appearance of unknown files, lost files, the inability to save
files, corrupted files, a sudden lack of hard drive space, the inability to access
programs, a system that does not start or shut down correctly, or strange messages
appearing on the screen are all telltale signs that one might have a virus on one's
computer.
1.2 Classification Of Viruses

Viruses come in a variety of types. Breaking them into categories is not easy, as many
viruses have multiple characteristics and so would fall into multiple categories. We can
describe them in two different category systems: based on what kind of files they
infect, and based on how they infect.

1.2.1 Classification Based On What They Infect

Boot-record infectors
Boot sector viruses are those that infect the boot sector (or master boot record) on
a computer system. They first move or overwrite the original boot code, replacing it
with infected boot code. They then move the original boot sector information to
another sector on the disk, marking that sector as a bad spot so it will not be used
in the future. Boot sector viruses can be very difficult to detect since the boot
sector is the first thing loaded when a computer starts. In effect, the virus takes
full control of the infected computer. Once the MBR or boot sector of the hard drive
is infected, the virus will attempt to infect the boot sector of every floppy disk
that is inserted into the computer and accessed.
File infectors
These are also known as parasitic viruses. File infecting viruses are, unsurprisingly,
viruses that infect files. Sometimes these viruses are memory resident. They commonly
infect most, if not all, of the executable files (those with the extensions .COM,
.EXE, etc.) on a system. Some file infecting viruses will only attack operating system
files (such as COMMAND.COM), while others will attack any file that is executable.


Macro viruses
These are viruses that infect macro utilities in applications like Microsoft Word or
Excel. They are the most common type of virus at present. Macro viruses are
application-specific, meaning a Word macro virus cannot infect an Excel document
and vice versa. They are however not specific to operating systems.
1.2.2 Classification Based On How They Infect

Polymorphic viruses
Polymorphic viruses change their appearance with each infection. Such viruses are
usually encrypted, which makes them difficult to detect because the encryption hides
them from anti-virus software; that is its purpose. Polymorphic viruses take
encryption a step further by altering the encryption algorithm with each new
infection. Some polymorphic viruses can assume over two billion different guises.
This means anti-virus products must perform algorithmic scanning, as opposed to the
standard string-based scanning techniques that can find simpler viruses.
Stealth viruses
Stealth viruses attempt to hide from both the operating system and anti-virus
software. To do this, they must stay in memory so they can intercept all attempts to
use the operating system (system calls). The virus can hide changes it makes to file
sizes, directory structures and other aspects of the operating system. Since part of
the virus is memory resident, there will be less memory available to users; the virus
must hide this fact as well, from both users and anti-virus software. Stealth viruses
must be detected while they are in memory. Once found, they must be disabled in
memory before the disk-based components can be corrected.
Multi-partite viruses
Multi-partite viruses are those that infect both boot sectors and executable files.
They are the worst viruses of all because they can combine some or all of the stealth
techniques with polymorphism to prevent detection.

1.3 Worms, Trojan Horses And Logic Bombs

There are some other destructive programs which differ a little from the usual
definition of a virus but whose targets are the same as those of a virus. These
include Worms, Trojan Horses and Logic Bombs.
Worms
Worms are constructed to infiltrate legitimate data processing programs and alter or
destroy the data. Often what people believe is a virus infection is, in fact, a worm
program. This is not as serious because worms do not replicate themselves. But the
damage caused by a worm attack can be just as serious as a virus, especially if not
discovered in time. For example, suppose a worm program instructs a bank's computer
to transfer funds to an illicit account. The fund transfers may continue even after the
worm is destroyed. However, once the worm invasion is discovered, recovery is much
easier because there is only a single copy of the worm program to destroy since the
replicating ability of the virus is absent. This capability may enable it to re-infect a
system several times.
Trojan Horses
A Trojan Horse is a destructive program that is disguised as (or concealed in) a
legitimate piece of software. Indeed, worm and virus programs may be concealed within
a Trojan Horse. Trojan Horses are not viruses because they do not reproduce themselves
and spread as viruses do. A Trojan program may seem both attractive and innocent,
inviting the computer user to copy (or download) the software and run it, but in
reality it can attack your hard drives, deleting files and re-writing system files,
causing your computer to become unstable, particularly when operating system files
are deleted.
Logic Bombs
A logic bomb program is quite similar to a Trojan Horse. However the unique feature of
a logic bomb is that it includes a timing device such that it goes off at a particular
date and time. Hence Logic bombs are usually timed to do maximum damage catching
a user by surprise.

E-mail Viruses
Virus authors adapted to the changing computing environment by creating the e-mail
virus. The Melissa virus of March 1999, for example, was spectacular. Melissa spread in
Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document and uploaded it to an Internet newsgroup.
Anyone who downloaded the document and opened it would trigger the virus. The virus
would then send the document (and therefore itself) in an e-mail message to the first
50 people in the person's address book. The e-mail message contained a friendly note
that included the person's name, so the recipient would open the document, thinking
it was harmless. The virus would then create 50 new messages from the recipient's
machine. At that rate, the Melissa virus quickly became the fastest-spreading virus
anyone had seen at the time. It forced a number of large companies to shut down their
e-mail systems.
The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a
piece of code as an attachment. People who double-clicked on the attachment launched
the code. It then sent copies of itself to everyone in the victim's address book and
started corrupting files on the victim's machine. This is as simple as a virus can
get. It is really more of a Trojan horse distributed by e-mail than it is a virus.


The Melissa virus took advantage of the programming language built into Microsoft Word
called VBA, or Visual Basic for Applications. It is a complete programming language and it
can be programmed to do things like modify files and send e-mail messages. It also has a
useful but dangerous auto-execute feature. A programmer can insert a program into a
document that runs instantly whenever the document is opened. This is how the Melissa
virus was programmed. Anyone who opened a document infected with Melissa would
immediately activate the virus. It would send the 50 e-mails, and then infect a central file
called NORMAL.DOT so that any file saved later would also contain the virus. It created a
huge mess.
Microsoft applications have a feature called Macro Virus Protection built into them to
prevent this sort of virus. With Macro Virus Protection turned on (the default option is ON),
the auto-execute feature is disabled. So when a document tries to auto-execute viral code, a
dialog pops up warning the user. Unfortunately, many people don't know what macros or
macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway.
Many other people turn off the protection mechanism. So the Melissa virus spread despite
the safeguards in place to prevent it.
In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person
double-clicked on the program that came as an attachment, then the program ran and did its
thing. What fueled this virus was the human willingness to double-click on the executable.

2 How Does A Virus Work?

2.1 Functional Elements of a Virus

Every viable computer virus must have at least two basic parts, or subroutines, if it is
even to be called a virus. Firstly, it must contain a search routine, which locates new
files or new areas on disk which are worthwhile targets for infection. This routine
determines how well the virus reproduces, e.g., whether it does so quickly or slowly,
whether it can infect multiple disks or a single disk, and whether it can infect every
portion of a disk or just certain specific areas. As with all programs, there is a size
versus functionality tradeoff here. The more sophisticated the search routine is, the
more space it takes up. So although an efficient search routine may help a virus to
spread faster, it makes the virus bigger, and that is not efficient for virus-writing.
Secondly, every computer virus must contain a routine to copy itself into the area which
the search routine locates. The copy routine has to be sophisticated enough to do its
job without getting caught. The smaller it is, the better. How small it can be depends
on how complex a virus it must copy. For example, a virus which infects only COM files
can get by with a much smaller copy routine than a virus which infects EXE files. This
is because the EXE file structure is much more complex, so the virus simply needs to
do more to attach itself to an EXE file. While the virus only needs to be able to
locate suitable hosts and attach itself to them, it is usually helpful to incorporate some
additional features into the virus to avoid detection, either by the computer user, or by
commercial virus detection software.
Antidetection routines can either be a part of the search or copy routines, or
functionally separate from them. For example, the search routine may be severely
limited in scope to avoid detection: a routine which checked every file on every disk
drive, without limit, would take a long time and cause enough unusual disk activity
that an alert user might become suspicious. Alternatively, an antidetection routine
might cause the virus to activate only under certain special conditions. For example,
it might activate only after a certain date has passed (so the virus could lie dormant
for a time), or only if no key has been pressed for five minutes (suggesting that the
user was not there watching the computer). Search, copy and antidetection routines are
the only necessary components of a computer virus. However, many computer viruses have
other routines added on top of these three to stop normal computer operation, to cause
destruction, or to play practical jokes.
2.2 Virus Behaviour

Though viruses come in a great many different forms, they all potentially have two
phases to their execution, the infection phase and the attack phase.
Infection Phase
Virus writers balance how and when their viruses should infect against the possibility
of being detected. Therefore, the spread of an infection may not be immediate. When
the virus executes it has the potential to infect other programs. What is often not
clearly understood is precisely when it will infect the other programs. Some viruses
infect other programs each time they are executed; other viruses infect only upon a
certain trigger. This trigger could be anything: a day or time, an external event on
the PC, a counter within the virus, etc. The initial goal of a virus program is to
spread as far as possible before anyone notices it. Many viruses go resident in a PC's
memory in the same way as TSR (terminate and stay resident) programs do. This means
the virus can wait silently in memory for a user to access a diskette, copy a file or
execute a program before it infects anything. This makes viruses more difficult to
analyze, since it is hard to guess what trigger condition they use for their infection.
Attack Phase
Viruses need time to infect. Not all viruses attack, but almost all of them use system
resources and often have bugs. Many viruses do unpleasant things such as deleting
files, changing random data on a disk or merely slowing down the PC; some viruses do
less harmful things such as playing music or creating messages or animation on the
screen. Just like the infection phase, the attack phase can have its own trigger.
Viruses often delay revealing their presence by launching their attack only after they
have had ample opportunity to spread. This means the attack could be delayed for days,
weeks, months or even years after the initial infection.

2.3 Few Techniques of Binary File Viruses

A file virus attaches itself to a program file (the host) and uses different
techniques in order to infect other program files. There are several basic techniques
for infecting an executable file:
A virus may not modify its host directly. Instead it maneuvers the operating system
into executing the virus instead of the host file. Sometimes this is done by renaming
the host file to some other name and then giving the virus file the name of the
original program. Or the virus infects an .EXE file by creating a .COM file with the
same name in the same directory. DOS will always execute a .COM file first if only
the program name is given, so if you type "EDIT" at a DOS prompt and there is an
EDIT.COM and an EDIT.EXE in the same directory, EDIT.COM is executed.
Another example is a link virus, which makes changes in the low-level workings of the
file system so that program names no longer point to the original program but to a
copy of the virus. Hence when the user executes that program the virus is executed and
the link to the original program is lost. This makes it possible to have only one
instance of the virus, which all program names point to.


An overwriting virus places itself at the beginning of the program, directly over the
original program code, so the program is now damaged. When you try to run this
program, nothing happens except that the virus infects another file.
An inserting virus copies itself into the host program. Programs sometimes contain
areas that are not used, and viruses can find and insert themselves into such areas.
The virus can also be designed to move a large chunk of the host file somewhere else
and simply occupy the vacated space.
An appending virus places a "jump" at the beginning of the program file, moves the
original beginning of the file to the end of the file, and places itself between what
was originally the end of the file and what was originally at the beginning of the
file. When we run this program, the "jump" calls the virus, and the virus runs. The
virus then moves the original beginning of the file back to its normal position and
lets the program run. Many file viruses also go memory-resident so that they can
monitor all actions and infect other program files as they are run or otherwise
accessed.


Protection Against Viruses

Finding viruses and erasing them manually has become almost impossible with the
emerging trends in virus programming. Hence using antivirus tools is the only option
left, and it is widely used all over the world. The main goal of such antivirus
techniques is to detect and identify specific virus attacks on a computer. There are
three general methods usually employed by antivirus software:
Scanning
Scanning looks for known viruses by a signature of characteristics that make new
viruses similar to existing viruses. This requires that antivirus makers and users
keep products up to date. Once a virus is detected, it is possible to write scanning
programs that look for similar code (signature strings) characteristic of the virus.
The scanners use these signature strings to search memory, files and system sectors.
Many advanced scanners set up a virtual RAM and actually test programs by running
them in this virtual space and observing what they do.
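The following is an added example of string-based signature scanning as described above; it is not code from the report or from any antivirus product. The signature database, the "??" single-byte wildcard syntax and the sample files are all constructed for the example (the names and byte patterns are invented, not real virus signatures). The last sample holds the same marker bytes XORed with a constant, which shows why the encrypted and polymorphic viruses of section 1.2.2 defeat plain string scanning and push scanners towards algorithmic scanning or emulation.

```python
import re
from typing import Dict, List

# Constructed signature database: invented names and byte patterns for this example,
# not signatures of any real virus. "??" is a one-byte wildcard, as many scanners allow.
SIGNATURES: Dict[str, str] = {
    "Demo.Marker.A": "43 4F 50 59 ?? 4D 45",     # "COPY?ME": one byte may vary between samples
    "Demo.Stub.B":   "EB 0E 90 90 DE AD BE EF",  # a fixed 8-byte sequence
}


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn a spaced hex string with ?? wildcards into a bytes regular expression."""
    pieces = []
    for token in hex_pattern.split():
        if token == "??":
            pieces.append(b".")                       # any single byte
        else:
            pieces.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches a 0x0A byte, which is just data here
    return re.compile(b"".join(pieces), re.DOTALL)


COMPILED = {name: compile_signature(pattern) for name, pattern in SIGNATURES.items()}


def scan_bytes(data: bytes) -> List[str]:
    """Names of every signature found in a buffer (a file image, a memory dump, a sector)."""
    return sorted(name for name, pattern in COMPILED.items() if pattern.search(data))


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a set of file images, keyed by file name, and report hits per file."""
    return {path: scan_bytes(data) for path, data in files.items()}


# Constructed file images standing in for files on disk.
SAMPLE_FILES: Dict[str, bytes] = {
    "CLEAN.COM":    b"\xb8\x00\x4c\xcd\x21" + b"just an ordinary program",
    "INFECTED.COM": b"\xb8\x00\x4c\xcd\x21" + b"COPY-ME" + b"\x00" * 8,
    "VARIANT.COM":  b"\x90" * 4 + b"COPY_ME",          # differs only in the wildcard byte
    "BOTH.EXE":     b"\xeb\x0e\x90\x90\xde\xad\xbe\xef" + b"COPY\nME",
    # The marker from INFECTED.COM XORed with 0x5A: a string scanner no longer sees it.
    "ENCODED.COM":  bytes(b ^ 0x5A for b in b"COPY-ME"),
}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name:14s} {'clean' if not hits else ', '.join(hits)}")
```

The wildcard lets one signature cover a family of near-identical samples, which is as far as string scanning stretches; once the body is encrypted with a changing key, as ENCODED.COM illustrates, only the constant decryptor (if any) or the behaviour observed in the "virtual RAM" the report mentions is left to detect.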
Integrity checking
Integrity products record information about the system for later comparison in order
to detect changes. Just detecting changes is not enough, however; the detection must
have some intelligence behind it to avoid confusion. Integrity checking products work
by reading entire disks and recording integrity data that acts as a signature for the
files and system sectors. An integrity check program also provides the only reliable
way to discover what damage a virus has done.
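As an added example of the integrity-checking approach (not the report's own code, and not any product's), the block below takes a baseline of a directory tree, records size plus SHA-256 for every file, and later reports what was added, removed or modified. The "intelligence to avoid confusion" the report asks for is represented by a list of files that are expected to change (logs, caches), which are reported separately rather than raising an alarm. The demo scenario, file names and contents are constructed; it assumes only the Python standard library.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple

Record = Tuple[int, str]   # (size in bytes, SHA-256 hex digest)


def fingerprint(path: str) -> Record:
    """Size plus SHA-256 of one file; the hash catches edits that leave the size unchanged."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Walk a tree and record every file, keyed by its path relative to root."""
    records: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = fingerprint(full)
    return records


def compare(baseline: Dict[str, Record], current: Dict[str, Record],
            volatile: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Diff two snapshots. Paths in `volatile` are expected to change and are listed
    under 'ignored' so they do not drown out real modifications."""
    expected = set(volatile)
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "ignored": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel in expected:
            report["ignored"].append(rel)
        elif rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny 'system', then simulate the traces an infection leaves."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    try:
        files = {
            "COMMAND.COM": b"\xb8\x00\x4c\xcd\x21" + b"command interpreter",
            "EDIT.EXE":    b"MZ" + b"editor code",
            "README.TXT":  b"read me",
            "SYSTEM.LOG":  b"boot ok\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # 1. bytes appended to an executable: size and hash both change
        with open(os.path.join(root, "EDIT.EXE"), "ab") as fh:
            fh.write(b"appended bytes")
        # 2. same-size change of a single byte: only the hash changes
        patched = bytearray(files["COMMAND.COM"])
        patched[0] ^= 0xFF
        with open(os.path.join(root, "COMMAND.COM"), "wb") as fh:
            fh.write(bytes(patched))
        # 3. an unknown file appears and a known one disappears
        with open(os.path.join(root, "NEWFILE.COM"), "wb") as fh:
            fh.write(b"dropped")
        os.remove(os.path.join(root, "README.TXT"))
        # 4. the log grows, which is normal and must not be reported as damage
        with open(os.path.join(root, "SYSTEM.LOG"), "ab") as fh:
            fh.write(b"shutdown ok\n")

        return compare(baseline, snapshot(root), volatile=["SYSTEM.LOG"])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In practice the baseline itself has to be kept where a resident virus cannot rewrite it (offline media, or signed), since an integrity checker that trusts a baseline stored on the infected disk can be fed a fresh "clean" snapshot after the damage is done.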
Interception
Monitoring for system-level routines that perform destructive acts can help, but such
monitoring is fairly easily bypassed. Interceptors (resident monitors) are
particularly useful for deflecting logic bombs and Trojans. The interceptor monitors
operating system requests that write to disk or do other things that the program
considers threatening. If it finds such a request, the interceptor generally pops up
and asks if you want to allow the request to continue. However, there is no reliable
way to intercept direct branches into low-level code or direct input and output
instructions issued by the virus itself.
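The block below is an added illustration of an interceptor (resident monitor) in miniature; it is not code from the report and not how any commercial interceptor is built. It assumes Python 3.8 or later, whose sys.addaudithook lets a hook see and veto open() and os.remove() requests made through the interpreter. The protected directory, the file names and the "user decisions" table that stands in for the pop-up dialog are all constructed for the demo. The same limitation the report names applies: the hook only sees requests that pass through the runtime, so native code or another process writing to the same files bypasses it completely.

```python
import os
import sys
import tempfile
from typing import Dict, List

# Directory this monitor treats as "system files" (constructed for the demo, not a real OS path).
PROTECTED_DIR = os.path.abspath(os.path.join(tempfile.gettempdir(), "interceptor_demo_protected"))
# Answers the user has already given, keyed "event:path" (stands in for the pop-up dialog).
USER_DECISIONS: Dict[str, bool] = {}
BLOCKED: List[str] = []            # audit trail of refused requests
_installed = False


def _wants_write(mode, flags) -> bool:
    """open(): mode is a string; os.open(): mode is None and the intent is in the flags."""
    if isinstance(mode, str):
        return any(c in mode for c in "wax+")
    return bool((flags or 0) & (os.O_WRONLY | os.O_RDWR))


def _normalize(path) -> str:
    try:
        return os.path.abspath(os.fsdecode(os.fspath(path)))
    except TypeError:              # e.g. an integer file descriptor: not a path we police
        return ""


def _interceptor(event: str, args) -> None:
    """Audit hook: refuse writes and deletions under PROTECTED_DIR unless the user said yes."""
    if event == "open":
        path, mode, flags = args
        if not _wants_write(mode, flags):
            return                 # reads never prompt
    elif event == "os.remove":     # raised by both os.remove and os.unlink
        path = args[0]
    else:
        return
    target = _normalize(path)
    if not target.startswith(PROTECTED_DIR + os.sep):
        return
    key = f"{event}:{target}"
    if USER_DECISIONS.get(key, False):
        return                     # the user approved this exact request
    BLOCKED.append(key)
    raise PermissionError(f"interceptor refused {key}")


def install() -> None:
    """Audit hooks cannot be removed once added, so install exactly once."""
    global _installed
    if not _installed:
        sys.addaudithook(_interceptor)
        _installed = True


def demo() -> Dict[str, object]:
    """Constructed scenario: an unsolicited write, an approved write, a read and a deletion."""
    os.makedirs(PROTECTED_DIR, exist_ok=True)
    install()
    BLOCKED.clear()
    USER_DECISIONS.clear()
    target = os.path.join(PROTECTED_DIR, "COMMAND.COM")
    results: Dict[str, object] = {}

    # An unsolicited write to a protected file is refused before the file is even created.
    try:
        with open(target, "wb") as fh:
            fh.write(b"overwritten!")
        results["unsolicited_write"] = "allowed"
    except PermissionError:
        results["unsolicited_write"] = "blocked"

    # The same request after the user approves it (our stand-in for clicking "Allow").
    USER_DECISIONS[f"open:{target}"] = True
    with open(target, "wb") as fh:
        fh.write(b"legitimate update")
    results["approved_write"] = "allowed"

    with open(target, "rb") as fh:       # reading is never intercepted
        results["read_back"] = fh.read()

    try:                                 # deletion is a separate decision, still refused
        os.remove(target)
        results["delete"] = "allowed"
    except PermissionError:
        results["delete"] = "blocked"
    results["still_present"] = os.path.exists(target)
    results["blocked_events"] = len(BLOCKED)

    USER_DECISIONS[f"os.remove:{target}"] = True    # clean up with an approved removal
    os.remove(target)
    os.rmdir(PROTECTED_DIR)
    return results


if __name__ == "__main__":
    print(demo())
```

Keying decisions by the exact request (event plus path) matters: a user who allows one legitimate update should not thereby have pre-approved deleting the same file, which is how a Trojan would try to ride on an earlier "Allow".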

How to Protect Your Computer from Viruses

You can protect yourself against viruses with a few simple steps:
- If you are truly worried about traditional (as opposed to e-mail) viruses, you
  should be running a more secure operating system like UNIX. You never hear about
  viruses on these operating systems because the security features keep viruses (and
  unwanted human visitors) away from your hard disk.
- If you are using an unsecured operating system, then buying virus protection
  software is a nice safeguard.
- If you simply avoid programs from unknown sources (like the Internet), and instead
  stick with commercial software purchased on CDs, you eliminate almost all of the
  risk from traditional viruses.
- You should make sure that Macro Virus Protection is enabled in all Microsoft
  applications, and you should NEVER run macros in a document unless you know what
  they do. There is seldom a good reason to add macros to a document, so avoiding all
  macros is a great policy.
- You should never double-click on an e-mail attachment that contains an executable.
  Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF),
  etc., are data files and they can do no damage (noting the macro virus problem in
  Word and Excel documents mentioned above). However, some viruses can now come in
  through .JPG graphic file attachments. A file with an extension like EXE, COM or
  VBS is an executable, and an executable can do any sort of damage it wants. Once
  you run it, you have given it permission to do anything on your machine. The only
  defense is never to run executables that arrive via e-mail.
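As an added example of applying the last two rules automatically, the block below triages the attachments of a MIME message by their true (final) extension, separating executables from macro-capable documents and plain data, and flags the double-extension disguise ("README.TXT.vbs") that the e-mail viruses of section 1.3 relied on. It is not code from the report; the extension classes are taken from the extensions the report names, and the sample message, file names and the quarantine policy are constructed for this example. It uses only the Python standard library email parser.

```python
import email
import email.policy
from typing import Dict, List

# Extension classes, taken from the extensions the report itself names.
EXECUTABLE = {"exe", "com", "bat", "sys", "vbs"}
MACRO_CAPABLE = {"doc", "dot", "xls"}
DATA = {"gif", "jpg", "jpeg", "txt"}


def classify_attachment(filename: str) -> Dict[str, object]:
    """Verdict by the *last* extension, plus a flag for data-looking names that end in an executable."""
    name = filename.strip().rstrip(". ")            # trailing dots/spaces are a known disguise
    parts = [p.strip().lower() for p in name.split(".")]
    exts = parts[1:] if len(parts) > 1 else []
    final = exts[-1] if exts else ""
    if final in EXECUTABLE:
        verdict = "executable"
    elif final in MACRO_CAPABLE:
        verdict = "macro-capable"
    elif final in DATA:
        verdict = "data"
    else:
        verdict = "unknown"
    disguised = verdict == "executable" and any(e in DATA | MACRO_CAPABLE for e in exts[:-1])
    return {"filename": filename, "extension": final, "verdict": verdict, "disguised": disguised}


def triage_message(raw: str) -> List[Dict[str, object]]:
    """Walk every MIME part that carries a file name and classify it."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname is None:
            continue
        info = classify_attachment(fname)
        info["declared_type"] = part.get_content_type()   # what the sender *claims* it is
        findings.append(info)
    return findings


def quarantine_list(raw: str) -> List[str]:
    """Policy from the report: never run executables that arrive via e-mail."""
    return [f["filename"] for f in triage_message(raw)
            if f["verdict"] == "executable" or f["disguised"]]


# Constructed sample message with three attachments (contents are placeholders).
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: Fwd: please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain

Please open the attached files.

--demo-boundary
Content-Type: application/octet-stream; name="README.TXT.vbs"
Content-Disposition: attachment; filename="README.TXT.vbs"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBzY3JpcHQ=
--demo-boundary
Content-Type: application/vnd.ms-excel; name="budget.xls"
Content-Disposition: attachment; filename="budget.xls"

(placeholder)
--demo-boundary
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"

(placeholder)
--demo-boundary--
"""


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE):
        print(finding)
    print("quarantine:", quarantine_list(SAMPLE_MESSAGE))
```

A "data" verdict is not a clean bill of health: the report itself notes that .DOC and .XLS files carry macros and that image attachments have been used to carry viruses, so this check is a first filter, and the attachments it passes still go through the scanner and macro protection.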


Conclusion

Computer viruses are destructive programs that have the potential to corrupt a system
on a large scale if an efficient and up-to-date security system is not used to take
care of the computer. Viruses open a wide range of limitless ways of affecting
computer systems. The techniques involved in writing a virus are always evolving, with
newer characteristics employed to damage systems in different ways. New viruses appear
every day. Some experts say that the growth of new viruses is exponential, while
others say that it is quadratic. However, virus making is a challenging task which
requires good system-level programming skills. Generally high-level languages do not
prove efficient for making viruses, as they depend heavily on many assumptions, so
mostly assembly language is used. Protection against viruses has become an
ever-continuing struggle due to the developments in virus making. Manually inspecting
a system to detect viruses is almost impossible now, and antivirus software has become
a must to secure systems. This software depends heavily on past records of viruses and
generally looks for similar definitions.

Though viruses pose a big threat to computer world, they give us a better
understanding of computer systems. It is not always necessary that viruses must
be created for destruction; they can also be created to study the prospects of a
better future of computer security.
