Virus Tutorial

Portions of the following have been excerpted from the Frequently Asked Questions document compiled and made available by the Virus-L mailing list and the comp.virus news group.

Q: What exactly are computer viruses?
Q: What is a worm?
Q: What is a Trojan Horse?
Q: What are the main types of PC viruses?
Q: What is a stealth virus?
Q: What is a polymorphic virus?
Q: What are fast and slow infectors?
Q: What is a sparse infector?
Q: What is a companion virus?
Q: What is an armored virus?
Q: What is a macro virus?
Q: What is a virus hoax?
Q: Related glossary

Q: What exactly are computer viruses?

A: According to Fred Cohen's well-known definition, a computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. (See the definition of "Trojan".) Be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious - don't assume too much about what a virus can or can't do!

These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.

Q: What is a worm?

A: A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections). Note that unlike viruses, worms do not need to attach themselves to a host program. There are two types of worms: host computer worms and network worms.

Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. Host computer worms where the original terminates itself after launching a copy on another host (so there is only one copy of the worm running somewhere on the network at any given moment) are sometimes called "rabbits."

Network worms consist of multiple parts (called "segments"), each running on different machines (and possibly performing different actions) and using the network for several communication purposes. Propagating a segment from one machine to another is only one of those purposes. Network worms that have one main segment which coordinates the work of the other segments are sometimes called "octopuses."

Q: What is a Trojan Horse?

A: A Trojan Horse is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one that is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a *non-replicating* malicious program, so that the set of Trojans and the set of viruses are disjoint.

Q: What are the main types of PC viruses?

A: Generally, there are two main classes of viruses. The first class consists of the file infectors, which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, and .MNU files.

File infectors can be either direct-action or resident. A direct-action virus selects one or more other programs to infect each time the program that contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.

The second category is system or boot-record infectors: those viruses that infect executable code found in certain system areas on a disk which are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses, which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses.

Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called "multi-partite" viruses, though there has been criticism of this name; another name is "boot-and-file" virus.

File system or cluster viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered, only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

Q: What is a stealth virus?

A: A stealth virus is one that hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the viral modifications go undetected by anti-viral programs. However, in order to do this, the virus must be resident in memory when the anti-viral program is executed.

Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo.

Countermeasures: A "clean" system is needed so that no virus is present to distort the results. Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.

Q: What is a polymorphic virus?

A: A polymorphic virus is one that produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however, these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest signature-driven virus scanners (unless another virus or program uses the identical decryption routine).

One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.

A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.

The most sophisticated form of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
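The scanner-side consequence of the paragraphs above is easiest to see with two constructed byte strings. The Python below is an added example written for this page, not code from the FAQ: it compiles a textual scan string (with "??" single-byte wildcards and "{n-m}" gaps, a notation modelled on common scanner signature formats) into a regular expression over bytes, then runs an exact scan string and a wildcard scan string over three constructed samples. VARIANT_A is the shape of a short 16-bit XOR decryption loop, VARIANT_B is the same loop with NOP (0x90) noise bytes inserted as the text describes, and CLEAN is an unrelated benign fragment; none of the bytes come from any real virus.

```python
import re

# Constructed samples for this example (not real virus code): the shape of a short
# 16-bit XOR decryption loop.  Variant B is the same loop with NOP (0x90) "noise"
# bytes inserted between instructions, as the tutorial describes.
VARIANT_A = bytes.fromhex("B9 10 00 BE 00 01 80 34 5A 46 E2 FA C3")
VARIANT_B = bytes.fromhex("B9 10 00 90 BE 00 01 90 90 80 34 5A 46 90 E2 FA C3")
CLEAN = bytes.fromhex("55 8B EC B8 00 4C CD 21")   # an unrelated, benign fragment


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a textual scan string into a regex over raw bytes.

    Tokens are separated by spaces:
      'B9'     a literal byte
      '??'     any single byte
      '{n-m}'  between n and m arbitrary bytes (a gap for inserted noise)
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("{") and tok.endswith("}"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: dict) -> list:
    """Return the names of all signatures found anywhere in data."""
    return [name for name, pattern in signatures.items() if pattern.search(data)]


# A plain scan string: every byte of variant A's decryptor, verbatim.
EXACT = {"exact-decryptor": compile_signature("B9 10 00 BE 00 01 80 34 5A 46 E2 FA")}

# The same decryptor written with wildcards for the immediate values and with
# {0-3} gaps wherever noise instructions might be inserted.
WILDCARD = {"wildcard-decryptor": compile_signature(
    "B9 ?? ?? {0-3} BE ?? ?? {0-3} 80 34 ?? 46 {0-3} E2 ??")}


def demo() -> dict:
    """Run both signature sets over the three constructed samples."""
    samples = {"variant_a": VARIANT_A, "variant_b": VARIANT_B, "clean": CLEAN}
    return {
        "exact": {name: scan(data, EXACT) for name, data in samples.items()},
        "wildcard": {name: scan(data, WILDCARD) for name, data in samples.items()},
    }


if __name__ == "__main__":
    for mode, results in demo().items():
        print(mode, results)
```

The exact scan string finds only VARIANT_A; the wildcard form finds both variants and still leaves CLEAN alone. That is as far as scan strings go: gaps and wildcards absorb inserted noise and changed immediates, but an engine that reorders independent instructions or substitutes equivalent sequences, as the text says MtE-class engines do, produces copies that share no fixed byte skeleton, which is why the FAQ says such viruses need a purpose-built scanning engine rather than more search strings. Every wildcard also widens the set of legitimate code the string can match, so each one trades detection coverage against false positives.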

Q: What are fast and slow infectors?

A: A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed.

A fast infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once. Examples are the Dark Avenger and the Frodo viruses.

The term "slow infector" is sometimes used for a virus that, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.

Q: What is a sparse infector?

A: The term "sparse infector" is sometimes given to a virus that infects only occasionally, e.g. every 10th executed file, or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered by the user.

Q: What is a companion virus?

A: A companion virus is one that, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so things will appear normal.) The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for *modifications* in *existing* files will fail to detect such viruses.

(Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)
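The stealth countermeasures ("build the system from a trusted, clean master copy first"), the integrity checkers mentioned under fast and slow infectors, and the companion-virus caveat just above all revolve around one tool: a baseline of file hashes recorded from a clean boot and re-checked later. The Python below is an added example written for this page, not code from the FAQ. It records size and SHA-256 of every executable under a directory, and on verification reports modified and missing files but also new files, flagging a new .COM whose name matches a baselined .EXE, which is the precedence trick the text describes. The directory tree, file names and file contents built in demo() are constructed for the demonstration; the list of executable suffixes is taken from the tutorial's own list.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the tutorial names as infectable; extend for your own environment.
EXECUTABLE_SUFFIXES = {".com", ".exe", ".sys", ".ovl"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable below root to (size, sha256).

    Take the baseline after booting from clean, write-protected media: a resident
    stealth virus would otherwise forge the contents read here, and a fast infector
    would infect every file this function opens."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a baseline.

    Besides modified and missing files it reports NEW files, and flags a new .COM
    whose stem matches a baselined .EXE: the DOS command interpreter runs the .COM
    first, which is exactly the companion-virus trick."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "new": [], "companion": []}
    baselined_exes = {name.lower() for name in baseline if name.lower().endswith(".exe")}
    for name, record in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != record:
            report["modified"].append(name)
    for name in current:
        if name in baseline:
            continue
        report["new"].append(name)
        lower = name.lower()
        if lower.endswith(".com") and lower[:-4] + ".exe" in baselined_exes:
            report["companion"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory (no real programs involved)."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    (root / "PROG.EXE").write_bytes(b"MZ" + bytes(64))            # placeholder 'program'
    (root / "UTIL.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")       # mov ax,4C00h / int 21h
    baseline = build_baseline(root)
    clean_report = verify(root, baseline)
    # Changes an integrity checker would see on a later run (constructed):
    (root / "UTIL.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21\x90")   # UTIL.COM altered
    (root / "PROG.COM").write_bytes(b"\xcd\x20")                   # new PROG.COM beside PROG.EXE
    return {"clean": clean_report, "later": verify(root, baseline)}


if __name__ == "__main__":
    for phase, report in demo().items():
        print(phase, report)
```

A checker that only iterates over its baseline would report UTIL.COM and stop; the second loop is what catches PROG.COM. The check is still only as good as the state it ran in: a slow infector that waits for legitimate modifications, or a checker run with a fast infector resident, produces reports that look like ordinary activity, which is why the text insists on a clean boot before checking.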

Q: What is an armored virus?

A: An armored virus is one that uses special tricks to make the tracing, disassembling and understanding of its code more difficult. A good example is the Whale virus.

Q: What is a macro virus?

A: Many applications allow you to create macros. A macro is a series of commands to perform an application-specific task. Those commands can be stored as a series of keystrokes, or in a special macro language.

A macro virus is a virus that propagates through only one type of program, usually either Microsoft Word or Microsoft Excel. It can do this because these types of programs contain auto-open macros, which are automatically run when you open a document or a spreadsheet. Along with infecting auto-open macros, the macro virus infects the global macro template, which is executed any time you run the program. Thus, once your global macro template is infected, any file you open after that becomes infected and the virus spreads.

Q: What is a virus hoax?

A: As if viruses weren't enough to deal with, there are people out there with so much time on their hands that they create virus hoaxes. A virus hoax generally appears as an email message that describes a particular virus that does not exist. These emails almost always carry the same basic story: that if you download an email with a particular subject line, your hard drive will be erased (an impossibility because the text of an email cannot harbor a virus).

Such messages are designed to panic computer users. The writer or writers email the warning and include a plea for the reader to forward it to others. The message then acts much like a chain letter, propagating throughout the Internet as individuals receive it and then innocently forward it. An example of a virus hoax is the "Good Times" virus -- which was written by a couple of people in 1994 and since then has circled the globe many times over. The best thing to do when you receive such an email is to ignore and delete it, and to depend on your anti-virus software, and good computing habits, to protect yourself.

Q: Related glossary

Boot Sector Virus = A virus that takes control when the computer attempts to boot (as opposed to a file infector). Boot sector viruses can infect the boot records of both hard disks and diskettes. They do so by replacing the existing boot record with their own code. The virus is executed when the system is booted from the hard disk or diskette, and installs its own code in the system's memory so that it can infect other hard disks or diskettes later.

CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery-backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.

DBS = DOS Boot Sector: the first sector of a logical DOS partition on a hard disk or the first absolute sector of a diskette. This sector contains the startup code that actually loads DOS. Some boot sector viruses infect the DBS rather than the MBR when infecting hard disks.

DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.

File Infecting Virus = A virus that infects executable files. The virus will get control when the program is first executed.

MBR = Master Boot Record: the first absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table (but on some PCs may simply contain a boot sector). This is not the same as the first DOS sector (logical sector 0).
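The MBR entry above describes a sector with a fixed layout, and that layout is what makes the "replace the boot record with their own code" behaviour of the Boot Sector Virus entry checkable. The Python below is an added example written for this page, not code from the FAQ: it parses a 512-byte MBR into its boot code (bytes 0 to 445), the four 16-byte partition entries and the 0x55AA signature, hashes the boot code for baseline comparison, and classifies a later change. The sample sector in build_sample_mbr() and the altered copy in demo() are constructed for the demonstration and are not taken from any real disk or virus. The heuristic in compare_mbr() rests on an assumption stated in its comment: an MBR infector normally leaves the partition table intact so the disk keeps booting.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot-strap code, the part an MBR virus overwrites
TABLE_OFFSET = 446         # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot code and partition table.

    Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:                      # empty slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({"index": i, "bootable": entry[0] == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": bytes(sector[TABLE_OFFSET:TABLE_OFFSET + 64]),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Classify a change between two readings of the MBR.

    Assumption: an MBR infector keeps the partition table intact (otherwise the disk
    stops booting) and replaces only the boot code, so 'code changed, table unchanged'
    is the pattern worth alerting on; a repartitioning changes both."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    code_changed = before["boot_code_sha256"] != after["boot_code_sha256"]
    table_changed = before["partition_table"] != after["partition_table"]
    return {"boot_code_changed": code_changed,
            "partition_table_changed": table_changed,
            "suspicious": code_changed and not table_changed}


def build_sample_mbr() -> bytes:
    """A constructed MBR for the demo (not taken from any real disk)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:6] = b"\xfa\x33\xc0\x8e\xd0\xbc"        # a few plausible boot-code bytes, then zeros
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xff\xff", 63, 2097088)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = entry    # one bootable FAT16 partition
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def demo() -> dict:
    """Parse the sample, then compare it with a copy whose boot code was replaced."""
    good = build_sample_mbr()
    altered = bytearray(good)
    altered[0:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN   # boot code replaced, table kept
    return {"parsed": parse_mbr(good), "comparison": compare_mbr(good, bytes(altered))}


if __name__ == "__main__":
    result = demo()
    print(result["parsed"]["partitions"])
    print(result["comparison"])
```

The baseline hash has to come from a reading made after a clean boot, for the same reason given under stealth viruses: Brain-style redirection of disk reads would hand the checker the original sector and the baseline would never see the change. Reading sector 1 of track 0, head 0 from a live system is outside this example; on a modern OS that means a raw-device read with administrative rights.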

Multipartite = A virus that infects both boot records and files. Sometimes called bimodal or bipartite.

Polymorphic = A virus that attempts to hide from anti-virus programs by keeping most of its own code garbled in some way, and changing the garbling each time it spreads.

RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.

Scan String = A sequence of bytes (characters) that occur in a known virus but (one hopes) not in legitimate programs. "Signature" is sometimes used for Scan String. Authors of virus scanners reduce the likelihood of false positives by carefully selecting their scan strings.

TOM = Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change. A very few PCs with unusual memory managers/settings may report in excess of 640K.

TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. Resident viruses wait in memory for some external event, such as copying a file or inserting a diskette, to infect another program.