What is a Computer Virus?
A computer virus is a program, a piece of executable code, that has the unique
ability to replicate. Like biological viruses, computer viruses can spread
quickly and are often difficult to eradicate. They can attach themselves
to just about any type of file and are spread as files that are copied
and sent from individual to individual.
Besides replication, some computer viruses have something else in common:
a damage routine that can deliver the virus payload. While payloads may
only display messages or images, they can also destroy files, reformat
your hard drive, or cause other kinds of damage. If the virus doesn't
contain a damage routine, it can still cause trouble by taking up storage
space and memory, and downgrading the overall performance of your computer.

Several years ago most viruses spread primarily via floppy disk, but the
Internet has
introduced new virus distribution mechanisms. With email now used as an
important business communication tool, viruses are spreading faster than
ever. Viruses attached to email messages can infect an entire enterprise
in a matter of minutes, costing companies millions of dollars annually
in productivity loss and clean-up expenses.

Viruses won't go away any time soon. More than 10,000 have been identified,
and 200
new ones are created every month, according to the International Computer
Security Association. With numbers like those, it's safe to say that most
organizations will deal regularly with virus outbreaks. No one who uses
computers is immune from viruses.

Life Cycle of a Virus
Computer viruses have a life cycle that starts when they're created and ends
when they're
completely eradicated. The following outline describes each stage.

Creation
Until a few years ago, creating a virus required knowledge of a computer
programming language.
Today anyone with even a little programming knowledge can create a virus.
Usually, though, viruses are created by misguided individuals who wish
to cause widespread, random damage to computers.

Replication
Viruses replicate by nature. A well-designed virus will replicate for a long
time before
it activates, which allows it plenty of time to spread.

Activation
Viruses that have damage routines will activate when certain conditions are
met, for example,
on a certain date or when a particular action is taken by the user. Viruses
without damage routines don't activate, instead causing damage by stealing
storage space.

Discovery
This phase doesn't always come after activation, but it usually does. When a
virus is detected
and isolated, it is sent to the International Computer Security Association
in Washington, D.C., to be documented and distributed to antivirus developers.
Discovery normally takes place at least a year before the virus might
have become a threat to the computing community.

Assimilation
At this point, antivirus developers modify their software so that it can
detect the new
virus. This can take anywhere from one day to six months, depending on
the developer and the virus type.

Eradication
If enough users install up-to-date virus protection software, any virus can
be wiped out.
So far no viruses have disappeared completely, but some have long ceased
to be a major threat.

Virus Types
The majority of viruses fall into four main classes:
- Boot sector
- File infector
- Multi-partite
- Macro viruses

Boot Sector Viruses
Until the mid-1990s, boot sector viruses were the most prevalent virus type,
spreading primarily
in the 16-bit DOS world via floppy disk. Boot sector viruses infect the
boot sector on a floppy disk and spread to a user's hard disk, and can
also infect the master boot record (MBR) on a user's hard drive. Once
the MBR or boot sector on the hard drive is infected, the virus attempts
to infect the boot sector of every floppy disk that is inserted into the
computer and accessed.

Boot sector viruses work like this: by hiding on the first sector of a disk,
the virus is
loaded into memory before the system files are loaded. This allows it
to gain complete control of DOS interrupts so that it can spread and cause
damage.

These viruses often replace the original contents of the MBR or DOS boot
sector with
their own contents and move the sector to another area on the disk. Cleaning
up a boot sector virus can be performed by booting the machine from an
uninfected floppy system disk rather than from the hard drive, or by finding
the original boot sector and replacing it in the correct location on the
disk.
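
As an added example (not part of the original article or of any Trend Micro
product), the Python code below checks sector 0 of a disk image against a
known-good boot-code hash and, if it differs, searches the remaining sectors
for the relocated original described above. The function names and the sample
images are constructed for illustration.

```python
import hashlib

SECTOR = 512
BOOT_CODE_LEN = 446          # MBR boot code; the partition table is bytes 446..509
SIGNATURE = b"\x55\xaa"      # boot signature stored in bytes 510..511

def sectors(image: bytes):
    """Yield (index, 512-byte sector) for every whole sector in a disk image."""
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        yield off // SECTOR, image[off:off + SECTOR]

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only, so partition-table edits are not flagged."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_boot_sector(image: bytes, baseline_hash: str) -> dict:
    """Compare sector 0 with a known-good baseline and look for a relocated copy."""
    first = image[:SECTOR]
    result = {
        "signature_ok": len(first) == SECTOR and first[510:512] == SIGNATURE,
        "boot_code_modified": boot_code_hash(first) != baseline_hash,
        "original_found_at": None,
    }
    if result["boot_code_modified"]:
        # The article notes the original sector is often moved elsewhere on the
        # disk; locating it tells the responder what to restore to sector 0.
        for idx, sec in sectors(image):
            if idx and boot_code_hash(sec) == baseline_hash:
                result["original_found_at"] = idx
                break
    return result

def make_sector(fill: int) -> bytes:
    """Constructed sample sector: filler boot code, empty partition table, signature."""
    return bytes([fill]) * BOOT_CODE_LEN + bytes(64) + SIGNATURE

# Constructed sample images (not real disk contents).
GOOD = make_sector(0x90)
BASELINE = boot_code_hash(GOOD)
CLEAN_IMAGE = GOOD + bytes(SECTOR * 7)
# Sector 0 holds different bytes; a copy of the original sits in sector 5.
ALTERED_IMAGE = make_sector(0x41) + bytes(SECTOR * 4) + GOOD + bytes(SECTOR * 2)

if __name__ == "__main__":
    for img in (CLEAN_IMAGE, ALTERED_IMAGE):
        print(check_boot_sector(img, BASELINE))
```

The baseline hash has to be recorded while the disk is known to be clean, and
the image should be read after booting from uninfected media.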

File Infecting Viruses
File infectors, also known as parasitic viruses, operate in memory and
usually infect
executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL,
*.BIN, *.OVL, *.SYS. They activate every time the infected file is executed
by copying themselves into other executable files and can remain in memory
long after the virus has activated.

Thousands of different file infecting viruses exist, but similar to boot
sector viruses, the
vast majority operate in a DOS 16-bit environment. Some, however, have
successfully infected the Microsoft Windows, IBM OS/2, and Apple Computer
Macintosh environments.

Multi-Partite Viruses
Multi-partite viruses have characteristics of both boot sector viruses and
file infecting
viruses.

Macro Viruses
Macro viruses currently account for about 80 percent of all viruses,
according to the
International Computer Security Association, and are the fastest growing
viruses in computer history. Unlike other virus types, macro viruses aren't
specific to an operating system and spread with ease via email attachments,
floppy disks, Web downloads, file transfers, and cooperative applications.

Macro viruses are, however, application-specific. They infect macro
utilities that accompany
such applications as Microsoft Word and Excel, which means a Word macro
virus cannot infect an Excel document and vice versa. Instead, macro viruses
travel between data files in the application and can eventually infect
hundreds of files if undeterred.

What You Can Do to Protect Against Viruses
There are many things you can do to protect against viruses. At the top of
the list is
using a powerful antivirus product, such as Trend Micro's PC-cillin for
home users. Corporate users can learn how viruses can infiltrate their
networks by viewing our interactive "Trend Enterprise Solution"
diagram.

Source: Trend Micro. (C)2005 Trend Micro.