Trojan Horses - like their namesake, try to tempt or trick the user into activating the program themselves. They have innocent names, like ‘IMPORTANT.EXE’, ‘README.EXE’ or ‘URGENT.EXE’, or appear to be a game or application. The user clicks on them and releases the payload.
Worm Viruses - Usually found on intranets or the Internet, these files gather information as they sit on the system, perhaps recording passwords or access codes as they are typed in, or leaving ‘back doors’ open that allow unauthorized access. Another type of worm is a file that just keeps replicating itself over and over. By constantly reproducing itself it can slow a computer or an entire network to a standstill.
All these types of miscreant software are often lumped together and called viruses. And, a lot of viruses do contain these in some form or another. However, a true virus usually has a ‘host’ file. In other words, it can attach itself to a file already on your system. It has the ability to clone itself. It can reproduce itself and infect other files or drives and computer systems. Viruses can also hide themselves from detection in several different ways.
How Viruses Avoid Detection
Encryption - Virus detection programs look for programming code that allows a program to replicate or clone itself; this is one way they search for and recognize possible viruses. Using encryption, a virus can scramble its replication code and change it back only when needed, trying to avoid this type of detection.
Polymorphism - Another way that a virus can be detected is by its signature. Each virus has a signature, or a piece of code that is specific to that individual program. Virus detection programs look for these signatures when scanning the files on your drive. Polymorphic viruses are created with the ability to change their signature each time they clone or reproduce.
Stealth - Detection programs note the characteristics of files and watch for any changes that might indicate infection. When a stealth virus infects a file, it can modify the characteristics of that file so that it still reports the same date, time, checksum, and size. It can also monitor the operating system's calls for a file and remove itself temporarily, or load an uninfected copy of the file that it has made for just that purpose.
Viruses Mainly Target the Following
Boot Sector Viruses - write themselves into the boot sector of a hard disk or floppy diskette. Every disk has a boot partition that contains coded information. The hard drive has a Master Boot Record that contains partition information as well as another boot record for the operating system. The boot sector on a bootable floppy disk contains the code necessary to load the operating system files. The boot sector on a non-system disk contains the information that will display the message ‘Non-system disk or disk error, remove and press any key when ready’. The boot sector of an infected floppy contains the code that will infect the hard drive's partition sector.
If an infected floppy is left in the drive at boot-up, it loads the virus into memory and copies itself to the partition sector of the hard drive. Now, every time the computer is booted from the hard drive, the virus in the partition sector loads itself into memory, then passes control to the original boot code that it has stored elsewhere on the disk. Any floppy inserted into the drive will become infected every time a read or write operation takes place. This is one of the most common results. There are also boot sector viruses that, once they’ve infected a hard drive, will completely scramble the partition sector or destroy the FAT. Boot sector viruses are difficult to remove and usually require the use of an anti-virus program. If not caught in time, infection can advance to the point where the hard drive has to be re-partitioned and reformatted. At this stage, all your files and data are lost. Hopefully, you’ve made backups!
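As an added example that is not part of the original text, the following Python code takes the defender's side of the scenario above: it parses a 512-byte Master Boot Record (boot code, four partition entries, 55 AA signature) and compares a copy saved from a clean system with the sector read now, so rewritten boot code with an intact partition table stands out, and a scrambled sector with no signature is reported rather than parsed. The boot code bytes and partition table are constructed for the demonstration, not taken from a real disk.

```python
import struct

BOOT_SIGNATURE = 0xAA55        # bytes 55 AA at offset 510, read little-endian
TABLE_OFFSET = 446             # boot code occupies 0..445, then four 16-byte entries
ENTRY = "<BBBBBBBBII"          # status, CHS first, type, CHS last, LBA start, sector count

def has_boot_signature(sector):
    """True when the sector is 512 bytes and ends in the 55 AA marker."""
    return len(sector) == 512 and struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE

def parse_mbr(sector):
    """Split a master boot record into its boot code and partition table."""
    if not has_boot_signature(sector):
        raise ValueError("no 55 AA signature: scrambled or not a boot sector")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        status, ptype, lba_start, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:                       # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": bytes(sector[:TABLE_OFFSET]), "partitions": partitions}

def mbr_diff(clean, current):
    """Compare a saved clean MBR with the one read from disk now."""
    a, b = parse_mbr(clean), parse_mbr(current)
    return {"boot_code_changed": a["boot_code"] != b["boot_code"],
            "partition_table_changed": a["partitions"] != b["partitions"]}

def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR for the demonstration (not a real disk image)."""
    sector = bytearray(512)
    code = boot_code[:TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba_start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)

# Constructed sample: one bootable FAT16 (type 0x06) partition in both sectors;
# only the boot code differs, the pattern the text describes for an infected partition sector.
TABLE = [(True, 0x06, 63, 2_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40, TABLE)
CHANGED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 43, TABLE)
```

Saving the clean sector to a write-protected boot diskette and running `mbr_diff` from that diskette keeps the comparison itself out of reach of the virus in memory.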
File Infector Virus - These viruses wait in memory for a suitable program file to be loaded. When the file makes a disk write operation the virus replicates itself inside the disk file, or creates another file with the same name but a .COM extension. When the operating system starts the program, the .COM file is executed, loading the virus into memory. Then the virus loads the real program. Many, many files can be infected before detection. These viruses often target files such as COMMAND.COM, IO.SYS and MSDOS.SYS. Anti-virus programs are the only way to get rid of these viruses. The only sure-fire prevention is to completely isolate your machine from the Internet, floppy disks, CDs, and any type of removable media.
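As an added example, not from the original text, the following Python integrity check applies two points made above: the stealth technique of forging a file's date and size, and the file infector's .COM companion trick. It records size, date and a SHA-256 hash for every file from a clean boot, flags files whose content changed even though size and date still match, and lists .COM files sitting beside a .EXE of the same name. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """Size and mtime (what a stealth virus forges) plus a SHA-256 it cannot forge."""
    st = Path(path).stat()
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def build_baseline(root):
    """Fingerprint every file under root; take this from a known-clean boot."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in root.rglob("*") if p.is_file()}

def check_baseline(baseline, root):
    """Map changed or missing files to a reason; the hash, not the metadata, decides."""
    findings = {}
    for name, old in baseline.items():
        p = Path(root) / name
        if not p.is_file():
            findings[name] = "missing"
            continue
        new = fingerprint(p)
        if new["sha256"] != old["sha256"]:
            same_meta = (new["size"], new["mtime"]) == (old["size"], old["mtime"])
            findings[name] = "changed, metadata forged" if same_meta else "changed"
    return findings

def find_companions(root):
    """List NAME.COM files sitting beside NAME.EXE; DOS runs the .COM first."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() == ".com"
                  and any(p.with_suffix(ext).is_file() for ext in (".exe", ".EXE")))

def demo(tmp=None):
    """Constructed scenario: EDIT.EXE is rewritten with size and date restored, EDIT.COM appears."""
    tmp = Path(tmp or tempfile.mkdtemp())
    target = tmp / "EDIT.EXE"
    target.write_bytes(b"MZ" + b"\x00" * 98)
    (tmp / "NOTES.TXT").write_bytes(b"hello")
    baseline = build_baseline(tmp)
    st = target.stat()
    target.write_bytes(b"MZ" + b"\x90" * 98)       # same length, new content
    os.utime(target, (st.st_atime, st.st_mtime))    # put the old date back
    (tmp / "EDIT.COM").write_bytes(b"\xc3")         # companion file
    return check_baseline(baseline, tmp), find_companions(tmp)
```

A check that only compared size and date would report nothing for EDIT.EXE; the hash comparison is what catches it.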
Multipartite Virus - These viruses contain properties of both boot sector and file infector viruses.
Local Memory Infection - At this stage the virus is loaded into memory and probably has not infected too many files. If your virus detection program finds a virus in memory, you should perform a cold boot from a clean boot disk. A warm boot does not re-initialize the memory and may leave the virus there. Files that may have become corrupted by not closing down properly may have to be repaired or deleted using CHKDSK or SCANDISK. These files will probably have to be replaced.
Local Disk Infection - This is a very aggressive stage. Your computer could experience loss of data, a scrambled FAT, damaged partitions and corrupted files. If caught in time, you can run an anti-virus program from an uninfected emergency boot disk and remove the virus. You will have to reinstall affected files and applications, probably the operating system, and use a data recovery tool of some sort. If left too long, however, your system could be damaged to the point of having to repartition, reformat, reinstall the OS, and then use a data recovery tool (your backups, for one). A virus-free bootable system disk is always needed to boot up a virus-infected system unit.