System or boot sector viruses:
System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC. Every disk (even if it only contains data) has a system sector of some sort. System sectors are invisible to normal programs but are vital for correct operation of your PC. There are two types of system sectors found on DOS/Windows PCs: DOS Boot Sectors (DBS) and Partition Sectors (often called the Master Boot Record or MBR). System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses.
System sector viruses infect executable code found in certain system areas on a disk. There are boot-sector viruses, which infect only the DOS boot sector and can prevent you from being able to boot your hard disk, and MBR viruses, which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. All common boot sector and MBR viruses are memory resident.
Since there isn't much room in the system sector (only 512 bytes), these viruses usually have to hide their code somewhere else on the disk.
System sector viruses spread easily via floppy disk infections and, in some cases, by cross infecting files which then drop system sector viruses when run on clean computers.
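A defender's view of the 512-byte sector described above, as an added example that is not part of the original page: it splits a Master Boot Record into boot code, partition table and signature, then compares the boot code against a hash recorded while the disk was known to be clean. The 446-byte boot code area, the 16-byte partition entries and the 55AA signature are the classic MBR layout; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512          # size of a system sector, as stated above
BOOT_CODE_LEN = 446        # classic MBR layout: boot code, then partition table
SIGNATURE = b"\x55\xaa"    # boot signature in the last two bytes


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition entries, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a system sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = BOOT_CODE_LEN + 16 * i
        entry = sector[start:start + 16]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                      # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def compare_to_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings when the sector differs from a known-clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if info["code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


def make_sample_mbr(code_fill: int = 0x90) -> bytes:
    """Constructed sample: filler boot code and one active FAT16 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0x06,
                        b"\x00\x3f\x20", 63, 65536)
    return bytes([code_fill]) * BOOT_CODE_LEN + entry + bytes(48) + SIGNATURE
```

Because these viruses are memory resident, read the sector after booting from known-clean media so that the bytes compared are the ones actually on disk.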
File Viruses: infect applications. These viruses usually infect COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. The simplest file viruses work by locating a type of file they know how to infect (usually a file name ending in .COM or .EXE) and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered.
The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes so that everything appears normal.
File infectors can be either direct-action (non-resident) or resident. A direct-action virus selects one or more programs to infect each time a program infected by it is executed. File sector viruses can remain resident in memory and use stealth techniques to hide their presence. If you do a directory listing, you will not see any increase in the length of the file and if you attempt to read the file, the virus will intercept the request and return your original uninfected program to you. A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when they are executed or when other conditions are fulfilled. Most viruses are resident.
File viruses have a wide variety of infection techniques and infect a large number of file types, but are not the most widely found in the wild.
Macro Virus: a program or code segment written in the internal macro language of an application and attached to a document file (such as Word or Excel). Macro viruses infect files you might think of as data files. Because these files contain macro programs, they can be infected.
In order for a virus to do anything, first a program of some type must execute. A virus, no matter what type, is still a program and it must load into memory and run in order to do anything. Simply reading it into memory is not sufficient. Pure data files are not viruses simply because, by their nature, they do not execute.
When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus. Some macros replicate, while others infect documents.
In many cases, in order to make things easy for users, the macros are set up to run automatically whenever the data file is loaded. You need to make yourself aware of any software that uses an "automatic macro" feature. Never use a piece of software until you've explored its manual for some time just to see its full capabilities. Always save the file or program to disk and then check it with anti-virus software before loading or executing it (or have an anti-virus program that "attaches" to your programs such that it checks files before the program loads them or checks E-mail as it comes in). While text E-mail messages can't contain viruses, they may have attachments that do, and some E-mail programs will automatically load and run these. So, be careful of programs that use other programs for reading E-mail.
Some e-mail programs and Internet browsers allow you to click on a data file or program that might be attached to a message or displayed on a web page and have that file or program load and/or run automatically. You should not allow this to happen.
Companion Virus: uses a feature of DOS that allows software programs with the same name, but with different extensions, to operate with different priorities. Instead of modifying an existing file, it creates a new program which (unknown to the user) is executed instead of the intended program. On exit, the new program executes the original program so that things appear normal. Most companion viruses create a COM file which has a higher priority than an EXE file with the same name.
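One way to audit for the same-name shadowing described above, as an added example that is not part of the original page: it groups a file listing by directory and base name and reports every program that a higher-priority extension would run in place of. The COM, EXE, BAT search order is the standard DOS one; the function name and the sample listing are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# DOS tries these extensions in order when a name is typed without one.
PRIORITY = ["COM", "EXE", "BAT"]


def find_shadowed_programs(paths):
    """Return (directory, winning file, shadowed files) for each clash."""
    groups = defaultdict(dict)
    for path in paths:
        directory, filename = ntpath.split(path.upper())   # DOS names are case-insensitive
        stem, ext = ntpath.splitext(filename)
        ext = ext.lstrip(".")
        if ext in PRIORITY:
            groups[(directory, stem)][ext] = filename
    findings = []
    for (directory, stem), by_ext in sorted(groups.items()):
        present = [e for e in PRIORITY if e in by_ext]
        if len(present) > 1:
            # The first extension in priority order is what DOS will run.
            findings.append((directory, by_ext[present[0]],
                             [by_ext[e] for e in present[1:]]))
    return findings


# Constructed sample listing: WP.COM sits next to the legitimate WP.EXE.
SAMPLE_LISTING = [
    "C:\\DOS\\FORMAT.COM",
    "C:\\APPS\\WP.EXE",
    "C:\\APPS\\wp.com",
    "C:\\APPS\\SETUP.BAT",
    "C:\\APPS\\INSTALL.EXE",
]

if __name__ == "__main__":
    for directory, winner, shadowed in find_shadowed_programs(SAMPLE_LISTING):
        print(f"{directory}: {winner} runs instead of {', '.join(shadowed)}")
```

A hit is a lead to review, not proof of infection, since some software legitimately ships a COM and an EXE with the same name.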
Cluster Viruses: infect your files not by changing the file or planting extra files but by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When you run a program, DOS first loads and executes the virus code; the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus.
On any file access, the entire current directory will be infected and, if the DOS path must be searched, all directories on the path will typically be infected.
These viruses often use stealth techniques to hide their presence. If you attempt to read the file, the virus will intercept the request and return your original uninfected program to you.
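A consistency check for the directory redirection described above, as an added example that is not part of the original page: it parses raw 32-byte FAT directory entries and reports any starting cluster claimed by more than one COM or EXE file. It assumes that redirected entries end up sharing one starting cluster and that the directory bytes were read after booting from clean media; the helper names and sample directory are constructed for illustration.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32                 # one FAT directory entry
EXECUTABLE_EXT = {"COM", "EXE"}


def parse_directory(raw: bytes):
    """Yield (filename, start_cluster, size) for live file entries."""
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                    # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:
            continue                            # deleted, volume label or subdirectory
        stem = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", entry, 26)
        yield (f"{stem}.{ext}" if ext else stem, cluster, size)


def find_shared_start_clusters(raw: bytes) -> dict:
    """Map each start cluster used by two or more executables to their names."""
    by_cluster = defaultdict(list)
    for name, cluster, _size in parse_directory(raw):
        if name.rsplit(".", 1)[-1] in EXECUTABLE_EXT and cluster != 0:
            by_cluster[cluster].append(name)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def make_entry(stem: str, ext: str, cluster: int, size: int) -> bytes:
    """Build one constructed directory entry (archive attribute set)."""
    return struct.pack("<8s3sB14sHI", stem.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, bytes(14), cluster, size)


# Constructed samples: a clean directory and one with redirected executables.
CLEAN_DIR = (make_entry("CHKDSK", "EXE", 120, 16200) +
             make_entry("FORMAT", "COM", 150, 33087) +
             make_entry("README", "TXT", 40, 812) + bytes(ENTRY_SIZE))
REDIRECTED_DIR = (make_entry("CHKDSK", "EXE", 300, 16200) +
                  make_entry("FORMAT", "COM", 300, 33087) +
                  make_entry("README", "TXT", 40, 812) +
                  make_entry("EDIT", "COM", 300, 413) + bytes(ENTRY_SIZE))
```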
Batch File Virus
Batch files can be used to transmit binary executable code and either be or drop viruses.
To detect Batch File Viruses, look for two signs: an odd label at the start of the batch file, and a batch file that is too large for the text in it.
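The two signs above turned into a simple check, as an added example that is not part of the original page: it reports whether the first non-blank line of a batch file is a label and whether the file carries far more bytes than its readable text accounts for. The 5% threshold, the definition of readable text as printable ASCII plus tab and line endings, and the sample files are assumptions made for illustration.

```python
# Bytes counted as readable batch text: printable ASCII, tab, CR and LF.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
MAX_BINARY_RATIO = 0.05    # assumed threshold; tune it against your own files


def inspect_batch_file(data: bytes) -> dict:
    """Report both signs for the raw bytes of a .BAT file."""
    first = next((ln.strip() for ln in data.splitlines() if ln.strip()), b"")
    label_at_start = first.startswith(b":")     # batch labels begin with ':'
    text_bytes = sum(1 for b in data if b in PRINTABLE)
    binary_bytes = len(data) - text_bytes
    ratio = binary_bytes / len(data) if data else 0.0
    oversized = ratio > MAX_BINARY_RATIO
    return {
        "size": len(data),
        "text_bytes": text_bytes,
        "binary_bytes": binary_bytes,
        "label_at_start": label_at_start,
        "oversized_for_text": oversized,
        "signs": int(label_at_start) + int(oversized),
    }


# Constructed samples. The second carries 512 inert filler bytes that stand
# in for embedded binary content; they are not executable code.
NORMAL_BAT = (b"@echo off\r\ncd \\games\r\n:menu\r\nchoice /c:yn Play again\r\n"
              b"if errorlevel 2 goto end\r\ngoto menu\r\n:end\r\n")
SUSPECT_BAT = (b":x9\r\n@echo off\r\ngoto run\r\n" +
               bytes(range(128, 256)) * 4 + b"\r\n:run\r\n")

if __name__ == "__main__":
    for name, sample in (("NORMAL.BAT", NORMAL_BAT), ("SUSPECT.BAT", SUSPECT_BAT)):
        report = inspect_batch_file(sample)
        print(name, report["signs"], "of 2 signs", report)
```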
Source Code Virus
Source code viruses add instructions to existing programming code found on your system. A source code virus doesn't usually infect via source code but simply adds Trojan material to existing source code so that, when it is compiled and run, it does something different than expected. Source code viruses are not particularly common.