  • 7/25/2019 HowVirusesWork.pdf


    How Viruses Work

    By Nell Randall; PC Magazine, "Tutor" column; February 9, 1999; pages 211-213


    If you buy a new computer these days, it's likely to ship with an antivirus package. This fact, more than anything else, should convince us of how widespread viruses have become and how much the computer industry has come to accept their inevitability. Quite simply, viruses are a fact of computing life.

    There are thousands of viruses out there and many different categories of virus, but generally they all fit a single basic definition. A virus is a computer program intentionally designed to associate itself with another computer program in such a way that when the original program is run, the virus program is run as well, and the virus replicates itself by attaching itself to other programs. The virus associates itself with the original program by attaching itself to that program or even by replacing it, and the replication is sometimes in the form of a modified version of the virus program. The infected program can be a macro, and it can be a disk's boot sector, the very first program loaded from a bootable disk.

    Notice the "intentionally designed" part of the definition. Viruses aren't just accidents. Programmers with significant skills author and develop them, then find ways to get them onto the computers of the unsuspecting. And the stronger antivirus programs get, the harder virus authors work to get around them. For many virus authors, the whole thing is simply a challenge; for others, the point is having a good time making computing life uncertain or even miserable.

    Viruses have quite correctly gained a reputation for being harmful, but in reality many are not. Yes, some damage files or are destructive in other ways, but many are simply minor annoyances or are even invisible to most users. To be considered a virus, a program need only replicate itself; anything else it does is extra.

    Even relatively pain-free viruses aren't completely harmless, of course. They consume disk space, memory, and CPU resources and therefore affect the speed and efficiency of your machine. Furthermore, the antivirus programs that sniff them out and eliminate them also consume memory and CPU resources; many users, in fact, claim they slow the computer down noticeably and are more intrusive than the viruses themselves. In other words, viruses affect your computing life even when they're not actually doing anything.

    VIRUSES AND VIRUSLIKE PROGRAMS

    The above explanation of viruses is actually more specific than the way we tend to use the term virus. Other types of programs exist that fit only part of that definition. What they have in common with viruses is that they act without the user's knowledge and commit some kind of act inside the computer that they are intentionally designed to do. These types include worms, Trojan horses, and droppers. All of these programs, including viruses, are part of a category of program known as malware, or malicious-logic software.

    A worm is a program that replicates itself but doesn't infect other programs. It copies itself to and from floppy disks or across network connections, and sometimes it uses the network in order to run. One type of worm, the host worm, uses the network only to copy itself onto other machines, while another type, the network worm, spreads parts of itself across networks and relies on network connections to run its various parts. Worms can also exist on a non-networked computer, in which case they copy themselves to various locations on your hard disks.

    The name Trojan horse comes from the Greek myth, told in Homer's Odyssey and at greatest length in Virgil's Aeneid, in which the Greek army left a wooden horse as a gift to the Trojans, hiding troops inside the horse as it was taken into Troy. The Greeks jumped out and captured the city, ending the long siege. The idea in computers is the same. A Trojan horse is a program that is hidden inside a seemingly harmless program. When that program is run, the Trojan horse launches in order to perform actions that the user doesn't want. Trojan horses do not replicate themselves.

    Droppers are programs designed to avoid antivirus detection, usually by carrying the virus in encrypted form so that a scanner looking for the virus's byte pattern does not recognize it. The typical functions of droppers are transporting and installing viruses. They wait on the system for a specific event, at which point they launch themselves, decrypt the virus they carry, and infect the system with it.

    Related to these programs is the concept of the bomb. Bombs are usually built into malware as a means of activating it. Bombs are programmed to activate when a specific event occurs. Some bombs (time bombs) activate at a specific time, typically using the system clock. A bomb could be programmed to erase all DOC files from your hard disk on New Year's Eve or pop up a message on a famous person's birthday. Others (logic bombs) are triggered by other events or conditions: A bomb might wait for the twentieth instance of a program launch, for example, and erase the program's template files. Viewed this way, bombs are just malicious scripts or scheduling programs.

    Viruses can be thought of as special instances involving one or more of these malware programs. They can be spread through droppers (although they need not be), and they use the worm idea to replicate themselves. While viruses are not technically Trojan horses, they act like them in two ways: First, they do things the user doesn't want; second, by attaching themselves to an existing program, they effectively turn the original program into a Trojan horse (they hide inside it, launch when it launches, and commit unwanted acts).

    HOW A VIRUS WORKS

    Viruses work in different ways, but here's the basic process.


    First, the virus appears on your system. It usually enters as part of an infected program file (COM, EXE, or boot sector). In the past viruses traveled almost exclusively through the distribution of infected floppy disks. Today, viruses are frequently downloaded from networks (including the Internet) as part of larger downloads, such as part of the setup files for a trial program, a macro for a specific program, or an attachment on an e-mail message.

    Note that a plain e-mail message itself cannot be a virus. A virus is a program, and it must be run to become active. A virus delivered as an e-mail attachment, therefore, does nothing until you run it. You run this kind of virus by launching the attachment, usually by double-clicking on it. (The line blurs only when a mail client renders HTML messages and executes script embedded in them; the message body is then itself a program that runs when the message is displayed, so that feature is worth turning off.) One way to help protect yourself from this kind of virus is simply never to open attachments that are executable files (EXE or COM) or data files for programs, such as office suites, that provide macro-writing features. Judge the attachment by what it is, not by what its name says: Windows hides the extensions of known file types by default, so a file displayed as photo.jpg may really be photo.jpg.exe. A genuine graphics, sound, or other pure data file contains no code meant to be executed and cannot infect you in this way, though it is only as safe as the program that reads it; a malformed file can still exploit a bug in a viewer.
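The advice above is to refuse executable and macro-capable attachments, and the weak spot is trusting the file name. The following Python example, added here and not part of the original article, classifies an attachment by its leading bytes (the MZ header of a DOS/Windows executable, the OLE2 header of a binary Office file, and the vbaProject.bin part inside an OOXML zip) and falls back to the extension only for formats that have no header, such as COM and BAT files. The extension lists and the sample attachments are constructed for the demonstration; the header values are the real ones.

```python
import io
import zipfile

# Names the article says never to open: native executables and files for
# macro-capable office programs (extension lists are an assumption for the demo).
EXECUTABLE_EXTS = {"exe", "com", "bat", "scr", "pif"}
MACRO_DOC_EXTS = {"doc", "dot", "xls", "xla", "ppt", "docm", "dotm", "xlsm", "pptm"}

MZ_MAGIC = b"MZ"                                  # DOS/Windows executable header
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound document
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/...) container


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'executable', 'macro-document', 'document' or 'data'.

    The bytes decide; the file name is only a fallback for formats with no
    header (a .com file is raw code, a .bat file is plain text).
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(MZ_MAGIC):
        return "executable"          # whatever the name says
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls can always carry macros; without walking the OLE
        # streams we cannot tell, so treat them as macro-capable.
        return "macro-document"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
        except zipfile.BadZipFile:
            return "data"
        if any(p.lower().endswith("vbaproject.bin") for p in parts):
            return "macro-document"  # OOXML keeps VBA code in a vbaProject.bin part
        if any(p.startswith(("word/", "xl/", "ppt/")) for p in parts):
            return "document"
        return "data"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in MACRO_DOC_EXTS:
        return "macro-document"
    return "data"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word OOXML file, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (headers only; none of this is real malware).
SAMPLES = {
    "setup.exe":    b"MZ\x90\x00" + b"\x00" * 60,
    "holiday.jpg":  b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to look like a picture
    "photo.jpg":    b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "old.doc":      OLE2_MAGIC + b"\x00" * 16,
    "report.docx":  build_ooxml(with_macro=False),
    "invoice.docm": build_ooxml(with_macro=True),
    "run.com":      b"\xb4\x09\xcd\x21",
}


def classify_all(samples: dict = SAMPLES) -> dict:
    """Classify every sample; used by the demo below and easy to call from a test."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14} {verdict}")
```

The renamed executable (holiday.jpg) is still reported as executable, and a .docx without a vbaProject.bin part is allowed through as a plain document while the .docm is not. A real gateway would add the remaining Office container types and archive handling, but the principle is the same: content first, name second.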

    A virus starts its life on your PC, therefore, as a Trojan horse-like program. It is hidden within another program or file and launches with that file. In an infected executable file, the virus has modified the original program so that its entry point leads to the virus code, which therefore runs every time the program does. Typically, the program jumps to the virus code, executes that code, and then jumps back to the original code, so the program still appears to work normally. At this point the virus is active, and your system is infected.

    Once active, the virus either does its work immediately, if it's a direct-action virus, or sits in the background as a memory-resident program, using the TSR (terminate and stay resident) procedure allowed by the operating system. Most are of this second type and are called resident viruses. Given the vast range of activities allowed by TSR programs (everything from launching programs to backing up files and watching for keyboard or mouse activity, and much more), a resident virus can be programmed to do pretty much anything the operating system can do. Using a bomb, it can wait for events to trigger it, then go to work on your system. One of the things it can do is scan your disk or (more significantly) your networked disks for other running (or executable) programs, then copy itself to those programs to infect them as well. A resident virus typically does this by hooking the operating system's program-loading service, so that every program you start passes through the virus code before it runs; that is the moment at which the virus gets its chance to infect it.


    VIRUS TYPES

    Virus authors are constantly experimenting with new ways to infect your system, but the actual types of virus remain few. These are boot sector viruses, file infectors, and macro viruses. There are different names for these types and some subtypes, but the idea remains the same.

    Boot sector viruses or infectors reside in specific areas of the PC's hard disk, those that are read and executed by the computer at boot time. True boot sector viruses infect only the DOS boot sector, while a subtype called the MBR virus infects the Master Boot Record. Both of these areas of the hard disk are read during the boot process, during which the virus is loaded into memory. An MBR virus typically writes its own code over the boot loader portion of the sector, leaves the partition table intact so that the machine still boots, and stores the original sector elsewhere on the disk so that it can pass control to it once the virus itself is resident. Viruses can infect the boot sectors of floppy disks, but typically a virus-free, write-protected boot floppy disk has always been a safe way to start the system. The problem, of course, is guaranteeing that the floppy disk itself is uninfected, and that's a task that antivirus programs attempt to do.

    File infectors, also called parasitic viruses, are viruses that attach themselves to executable files, and they are the most common and the most discussed. Such a virus typically waits in memory for the user to run another program, using such an event as a trigger to infect that program as well. Thus they replicate simply through active use of the computer. There are different types of file infectors, but the concept is similar in all of them.

    Macro viruses, a relatively new type, make use of the fact that many programs ship with programming languages built in. The languages are designed to help users automate tasks through the creation of small programs called macros. The programs in Microsoft Office, for instance, ship with such a built-in language, and in fact it provides many of its own built-in macros. A macro virus is simply a macro for one of these programs, and indeed this type of virus became known through its infection of Microsoft Word. When a document or template containing the virus macro is opened in the target application, the virus runs and does its damage. In addition it is programmed to copy itself into other documents, typically by way of the application's global template (Normal.dot in Word), which is loaded in every session, so that continual use of the program results in continual spread of the virus.

    A fourth type, called multipartite, combines boot sector infection with file infection.

    For a huge listing of viruses along with explanations of what they do, see the VirusEncyclopedia section of Symantec's AntiVirus Research Center, atwww.symantec.com/avcenter/vinfodb.html.

    SMARTER AND SMARTER

    The macro virus concept works because the programming language provides access to memory and hard disks. So, in fact, do other recent technologies, including ActiveX controls and Java applets. True, these are designed to protect the hard disk from the virus program (Java better than ActiveX: a Java applet runs inside a sandbox that restricts its access to files, while an ActiveX control runs as native code with the user's full privileges and relies on code signing rather than containment), but the fact is that these programs can install themselves on your computer simply because you visit a Web site. Obviously, as we become increasingly networked and as we expect such conveniences as operating system upgrades over the Internet (Windows 98 and NT 5 both do this), we put ourselves at greater risk from viruses and other malware.

    Virus authors are nothing if not innovative, and they constantly come up with new ways of thwarting antivirus software. Stealth viruses, for example, mislead the antivirus software into thinking that nothing is wrong. Essentially, a stealth virus retains information about the files it has infected, then waits in memory and intercepts the operating system's file and disk services that antivirus programs use when looking for altered files. It gives the antivirus programs the old information (the original file size and contents) rather than the new, which is why scanning from a clean boot disk, with no virus resident in memory, has been the standard countermeasure. Polymorphic viruses alter themselves when they replicate, typically by encrypting the virus body under a different key in each generation and varying the small decryption routine that precedes it, so that antivirus software that looks for specific byte patterns won't find all instances of the virus; those that survive can continue replicating. Several other types of smart viruses are appearing regularly, as the game of cat and mouse between virus authors and antivirus software producers continues. In all likelihood, viruses are here to stay.

