
Virus Definitions

What are computer viruses?
A computer virus is a self-replicating program containing code that
explicitly copies itself and that can "infect" other programs by
modifying them or their environment such that a call to an infected
program implies a call to a possibly evolved copy of the virus.

Note that many people use the term "virus" loosely to cover any sort of
program that tries to hide its possibly malicious function and/or tries
to spread onto as many computers as possible, though some of these
programs may more correctly be called "worms" or "Trojan
Horses".

What is a worm?
A computer WORM is a self-contained program (or set of programs) that
is able to spread functional copies of itself or its segments to other
computer systems (usually via network connections).

Note that unlike viruses, worms do not need to attach themselves to a
host program. There are two types of worms--host computer worms and
network worms.

Host computer worms are entirely contained in the computer they run on
and use network connections only to copy themselves to other computers.
Host computer worms where the original terminates itself after launching
a copy on another host (so there is only one copy of the worm running
somewhere on the network at any given moment), are sometimes called
"rabbits."

Network worms consist of multiple parts (called "segments"), each
running on different machines (and possibly performing different
actions) and using the network for several communication purposes.
Propagating a segment from one machine to another is only one of those
purposes. Network worms that have one main segment which coordinates
the work of the other segments are sometimes called "octopuses." 

What is a Trojan Horse? 
A TROJAN HORSE is a program that does something undocumented that the
programmer intended, but that some users would not approve of if they
knew about it. According to some people, a virus is a particular case
of a Trojan Horse, namely one which is able to spread to other programs
(i.e., it turns them into Trojans too). According to others, a virus
that does not do any deliberate damage (other than merely replicating)
is not a Trojan. Finally, despite the definitions, many people use the
term "Trojan" to refer only to *non-replicating* malware, so that the
set of Trojans and the set of viruses are disjoint.


What are the main types of PC viruses? 
Generally, there are two main classes of viruses. The first class
consists of the FILE INFECTORS which attach themselves to ordinary
program files. These usually infect arbitrary COM and/or EXE programs,
though some can infect any program for which execution or interpretation
is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. There is
also at least one PC virus that "infects" source code files by inserting
code into C language source files that replicates the virus's function
in any executable that is produced from the infected source code files
(see E5 for a more detailed discussion of the issue of "executable"
code).

File infectors can be either DIRECT-ACTION or RESIDENT. A direct-action
virus selects one or more programs to infect each time a program
infected by it is executed. A resident virus installs itself somewhere
in memory (RAM) the first time an infected program is executed, and
thereafter infects other programs when *they* are executed (as in the
case of the Jerusalem virus) or when other conditions are fulfilled.
Direct-action viruses are also sometimes referred to as NON-RESIDENT.
The Vienna virus is an example of a direct-action virus. Most viruses
are resident.

The second main category of viruses is SYSTEM or BOOT-RECORD INFECTORS:
these viruses infect executable code found in certain system areas on a
disk. On PCs there are ordinary boot-sector viruses, which infect only
the DOS boot sector, and MBR viruses which infect the Master Boot Record
on fixed disks and the DOS boot sector on diskettes. Examples include
Brain, Stoned, Empire, Azusa and Michelangelo. All common boot sector
and MBR viruses are memory resident.

To confuse this classification somewhat, a few viruses are able to
infect both files and boot sectors (the Tequila virus is one example).
These are often called "MULTI-PARTITE" viruses, though there has been
criticism of this name; another name is "BOOT-AND-FILE" virus.

Aside from the two main classes described above, many antivirus
researchers distinguish either or both of the following as distinct
classes of virus:

FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify
directory table entries so that the virus is loaded and executed before
the desired program is. The program itself is not physically altered,
only the directory entry of the program file is. Some consider these to
be a third category of viruses, while others consider them to be a sub-
category of the file infectors. LINK virus is another term occasionally
used for these viruses, though it should be avoided, as "link virus" is
commonly used in the Amiga world to mean "file infecting virus."

KERNEL viruses target specific features of the programs that contain the
"core" (or "kernel") of an operating system (3APA3A is a DOS kernel
virus and is also multipartite). A file infecting virus that *can*
infect kernel program files is *not* a kernel virus--this term is
reserved for describing viruses that utilize some special feature of
kernel files (such as their physical location on disk or a special
loading or calling convention).


What is a stealth virus? 
A STEALTH virus is one that, while "active", hides the modifications it
has made to files or boot records. This is usually achieved by
monitoring the system functions used to read files or sectors from
storage media and forging the results of calls to such functions. This
means programs that try to read infected files or sectors see the
original, uninfected form instead of the actual, infected form. Thus
the virus's modifications may go undetected by antivirus programs.
However, in order to do this, the virus must be resident in memory when
the antivirus program is executed and *this* may be detected by an
antivirus program.


What is a polymorphic virus? 
A POLYMORPHIC virus is one that produces varied but operational copies
of itself. These strategies have been employed in the hope that virus
scanners will not be able to detect all instances of the virus.

One method of evading scan string-driven virus detectors is self-
encryption with a variable key. These viruses (e.g. Cascade) are not
termed "polymorphic", as their decryption code is always the same.
Therefore the decryptor can be used as a scan string by the simplest
scan string-driven virus scanners (unless another virus uses the
identical decryption routine *and* exact identification (see B15) is
required).

A technique for making a polymorphic virus is to choose among a variety
of different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A scan string-driven virus scanner
would have to exploit several scan strings (one for each possible
decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of
instructions in their variants by interspersing the decryption
instructions with "noise" instructions (e.g. a No Operation instruction
or an instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A). A simple-minded, scan string-based
virus scanner would not be able to reliably identify all variants of
this sort of virus; rather, a sophisticated "scanning engine" has to be
constructed after thorough research into the particular virus.
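The following toy scanner is an added illustration of the three situations just described; it is not code from the FAQ or from any antivirus product. It matches scan strings containing `??` wildcards against byte buffers. The byte patterns standing in for decryptor stubs, the keys and the family names are all constructed for the example and are not taken from any real virus. It shows that a wildcarded scan string catches every copy of a self-encrypting virus whose decryptor is constant apart from the key, that a family with several decryptors needs one scan string per decryptor, and that filler bytes interspersed between the decryptor's instructions defeat the plain scan-string approach.

```python
"""Toy scan-string scanner (added example; all byte patterns are constructed)."""
from typing import Dict, List, Optional

# A scan string is a list of byte values; None stands for the '??' wildcard.
ScanString = List[Optional[int]]


def parse_scan_string(text: str) -> ScanString:
    """'B8 ?? ?? 31 06' -> [0xB8, None, None, 0x31, 0x06]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(buf: bytes, off: int, pat: ScanString) -> bool:
    """True if pat matches buf starting at offset off (wildcards match anything)."""
    if off + len(pat) > len(buf):
        return False
    return all(p is None or buf[off + i] == p for i, p in enumerate(pat))


def scan(buf: bytes, signatures: Dict[str, List[str]]) -> List[str]:
    """Return the names of all signature sets with at least one scan string in buf."""
    hits = []
    for name, strings in signatures.items():
        pats = [parse_scan_string(s) for s in strings]
        if any(match_at(buf, off, pat) for pat in pats for off in range(len(buf))):
            hits.append(name)
    return hits


def _encrypt(plain: bytes, key: int) -> bytes:
    """Single-byte XOR standing in for the virus body's self-encryption."""
    return bytes(b ^ (key & 0xFF) for b in plain)


def cascade_like_sample(key: int) -> bytes:
    """Copy of a self-encrypting but non-polymorphic virus: the decryptor stub
    is identical in every copy except for the 16-bit key at bytes 1-2."""
    stub = bytes([0xB8, key & 0xFF, key >> 8,
                  0x31, 0x06, 0x01, 0x02, 0x46, 0x46, 0xE2, 0xF8])
    return stub + _encrypt(b"constructed encrypted body", key)


# Two alternative decryptor stubs, as in a virus that picks one of several
# encryption schemes per copy (constructed patterns, not real instructions).
MULTI_STUBS = [
    lambda key: bytes([0xBB, key & 0xFF, key >> 8, 0x30, 0x1F, 0x43, 0xE2, 0xFB]),
    lambda key: bytes([0xBE, key & 0xFF, key >> 8, 0x32, 0x24, 0x46, 0xE2, 0xFB]),
]


def multi_decryptor_sample(key: int, which: int) -> bytes:
    """Copy using decryptor number `which` (0 or 1)."""
    return MULTI_STUBS[which](key) + _encrypt(b"constructed encrypted body", key)


def noise_variant(key: int) -> bytes:
    """Decryptor 0 with a filler byte (0x90) between its instructions: every
    fixed byte of the scan string shifts position, so the string no longer fits."""
    k_lo, k_hi = key & 0xFF, key >> 8
    stub = bytes([0xBB, k_lo, k_hi, 0x90, 0x30, 0x1F, 0x90, 0x43, 0x90, 0xE2, 0xFB])
    return stub + _encrypt(b"constructed encrypted body", key)


# Wildcard the key bytes so the string matches regardless of the key chosen.
SIGNATURES = {
    "Constant-decryptor family": ["B8 ?? ?? 31 06 01 02 46 46 E2 F8"],
    "Multi-decryptor family": ["BB ?? ?? 30 1F 43 E2 FB",   # one string per
                               "BE ?? ?? 32 24 46 E2 FB"],  # decryption routine
}


if __name__ == "__main__":
    print(scan(cascade_like_sample(0x1234), SIGNATURES))      # detected, any key
    print(scan(multi_decryptor_sample(0x0F0F, 1), SIGNATURES))  # second decryptor
    print(scan(noise_variant(0x5A5A), SIGNATURES))             # missed: []
```

The last case is the point of the paragraph above: once the virus varies the instruction sequence itself, fixed byte strings, however many are added, stop being a reliable identifier, and detection has to move to something that understands the decryptor's behaviour.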

One of the most sophisticated forms of polymorphism used so far is the
"Mutation Engine" (MtE) which comes in the form of an object module.
With the Mutation Engine any virus can be made polymorphic by adding
certain calls to its assembler source code and linking to the mutation-
engine and random-number generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more scan strings
to simple scanners will not adequately deal with these viruses.


What is a fast or slow infector?
A typical file infector (such as the Jerusalem) copies itself to memory
when a program infected by it is executed, and then infects other
programs when they are executed.

A FAST infector is a virus that, when it is active in memory, infects
not only programs which are executed, but even those that are merely
opened. The result is that if such a virus is in memory, running a
scanner or integrity checker can result in all (or at least many)
programs becoming infected. Examples are the Dark Avenger and the Frodo
viruses.

The term "SLOW infector" is sometimes used to refer to a virus that only
infects files as they are modified or as they are created. The purpose
is to fool people who use integrity checkers into thinking that
modifications reported by their integrity checker are due solely to
legitimate reasons. An example is the Darth Vader virus.


What is a sparse infector? 
The term "sparse infector" is sometimes used to describe a virus that
infects only occasionally (e.g. every tenth program executed), or only
files whose lengths fall within a narrow range, etc. By infecting less
often, such viruses try to minimize the probability of being discovered. 


What is a companion virus?
A COMPANION virus is one that, instead of modifying an existing file,
creates a new program which (unknown to the user) is executed instead of
the intended program. On exit, the new program executes the original
program so that things appear normal. On PCs this has usually been
accomplished by creating an infected .COM file with the same name as an
existing .EXE file. Integrity checking antivirus software that only
looks for modifications in existing files will fail to detect such
viruses.
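The integrity checker below is an added example, not code from the FAQ or from any antivirus product, of the blind spot just described and of how to close it: besides comparing stored hashes of existing executables, it reports files that are new since the baseline and flags the companion pattern, a new .COM whose name matches an existing .EXE (DOS runs the .COM first when only the bare name is typed). The directory layout, file names and file contents in the demonstration are constructed for the example. A length-preserving overwrite of the kind a cavity virus makes is included to show that a content hash catches it even though the file size does not change.

```python
"""Baseline-and-compare integrity checker that also reports new files
(added example; the demo scenario is entirely constructed)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

EXECUTABLE_EXTS = (".com", ".exe")


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map lower-cased relative path -> content hash for every executable under root.
    Names are lower-cased because DOS file names are case-insensitive."""
    return {
        str(p.relative_to(root)).lower(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots. 'modified' is what a checker
    that only looks at existing files reports; 'new' and 'companion' are the
    additions needed to notice a companion infection."""
    report: Dict[str, List[str]] = {"modified": [], "new": [], "removed": [], "companion": []}
    for name, digest in current.items():
        if name not in baseline:
            report["new"].append(name)
            # A new .COM beside an existing .EXE of the same name runs instead of
            # the .EXE when the user types the bare program name.
            if name.endswith(".com") and name[:-4] + ".exe" in baseline:
                report["companion"].append(name)
        elif baseline[name] != digest:
            report["modified"].append(name)
    report["removed"] = [n for n in baseline if n not in current]
    return report


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary directory: two harmless placeholder
    files, a baseline, then two kinds of change the checker should report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed program body")
        (root / "EDIT.EXE").write_bytes(b"MZ" + b"constructed editor body")
        baseline = build_baseline(root)

        # 1. Cavity-style change: 16 bytes replace 16 nulls in GAME.EXE; the
        #    length stays the same, but the hash changes.
        data = bytearray((root / "GAME.EXE").read_bytes())
        original_len = len(data)
        data[2:18] = b"constructed code"
        assert len(data) == original_len
        (root / "GAME.EXE").write_bytes(bytes(data))

        # 2. Companion-style change: a new EDIT.COM appears; EDIT.EXE is untouched,
        #    so a modification-only checker would report nothing about it.
        (root / "EDIT.COM").write_bytes(b"constructed companion")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in run_demo().items():
        print(f"{kind:9s}: {names}")
```

Reporting "new" files is noisy on a machine where software is installed regularly, which is why the companion rule is separated out: it is the one kind of new file that changes which program runs when an existing name is typed.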



What is an armored virus? 
An ARMORED virus is one that uses special tricks to make tracing,
disassembling and understanding of its code more difficult. A good
example is the Whale virus.


What is a cavity virus? 
A CAVITY VIRUS is one which overwrites a part of the host file that is
filled with a constant (usually nulls), without increasing the length of
the file, but preserving its functionality. The Lehigh virus was an
early example of a cavity virus.


What is a tunnelling virus?
A TUNNELLING VIRUS is one that finds the original interrupt handlers in
DOS and the BIOS and calls them directly, thus bypassing any activity
monitoring program (see D1) which may be loaded and have intercepted the
respective interrupt vectors in its attempt to detect viral activity.
Some antivirus software also uses tunnelling techniques in an attempt to
bypass any unknown or undetected virus that may be active when it runs. 


What is a dropper? 
A DROPPER is a program that has been designed or modified to "install" a
virus onto the target system. The virus code is usually contained in a
dropper in such a way that it won't be detected by virus scanners that
normally detect that virus (i.e., the dropper program is not *infected*
with the virus). While quite uncommon, a few droppers have been
discovered. A dropper is effectively a Trojan Horse whose
payload is installing a virus infection. A dropper which installs a
virus only in memory (without infecting anything on the disk) is
sometimes called an "injector".