Page 139 - DCAP516_COMPUTER_SECURITY
Unit 11: Threats in Network
Major Types of Viruses
Generally, there are two main classes of viruses. The first class consists of the file infectors,
which attach themselves to ordinary program files. These usually infect arbitrary .COM
and/or .EXE programs, though some viruses can infect any file that the system will load and
execute, such as .SYS, .OVL, .PRG, and .MNU files.
File infectors are either direct-action viruses or resident viruses. A direct-action virus
selects one or more other programs to infect each time the program that contains it is
executed. A resident virus installs itself somewhere in memory the first time an infected
program is executed, and thereafter infects other programs when they are executed or
when certain other conditions are fulfilled.
The second category is system or boot-record infectors: viruses that infect executable
code found in certain system areas of a disk which are not ordinary files. On DOS systems
there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR
viruses, which infect the Master Boot Record on fixed disks and the DOS boot sector on
diskettes. Such viruses are always resident viruses. A few viruses are able to infect both
program files and boot records. These are often called ‘multi-partite’ viruses.
File system or cluster viruses are those that modify directory table entries so that the virus
is loaded and executed before the desired program starts. The program itself is not
physically altered; only the directory entry is changed. Some consider these infectors to be
a third category of viruses, while others consider them to be a sub-category of the file
infectors.
(a) Boot sector virus: A boot sector virus resides in the boot sector of a floppy or hard disk,
the fixed location on the disk where the machine’s start-up firmware finds the code
that loads the operating system, so the virus runs before the operating system and
any anti-virus software. When a boot sector virus infects a system, the machine may
freeze, or the floppy may become unusable until the virus is removed. Sometimes even
the spare (backup) copy of the boot sector is overwritten, and the machine’s information
can then only be recovered with the help of a recovery program.
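As an added example (not from the original text), the following Python code parses the 512-byte Master Boot Record layout referred to above and compares the boot code against a baseline hash taken while the system was known to be clean. An MBR virus normally overwrites the boot code but keeps the partition table, so the check fingerprints only the boot code. The MBR bytes are constructed for the example: the boot code is placeholder filler, not real boot code, and the partition entry values are assumed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0-445: boot code (what an MBR virus overwrites)
PARTITION_TABLE_OFF = 446     # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511: signature checked before the boot code runs


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """Fingerprint of the boot code only; the partition table can change legitimately."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Compare an MBR read from disk against a baseline taken when the system was clean."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is corrupt or not an MBR")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline: possible MBR infection")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    return findings


def make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for the example (boot_code is filler, not real code)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table += b"\x00" * (16 * (4 - len(entries)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample: a clean MBR with one bootable FAT16 partition (type 0x06, assumed values)
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40   # placeholder filler bytes
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [(0x80, 0x06, 63, 204737)])
BASELINE = boot_code_hash(CLEAN_MBR)

# Constructed "infected" copy: the boot code is replaced but the partition table is
# preserved, which is how an MBR virus keeps the disk bootable after infection.
INFECTED_MBR = make_mbr(b"\xEB\x3C\x90" + b"\x41" * 60, [(0x80, 0x06, 63, 204737)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

In practice the baseline hash must be stored off the machine (or on write-protected media), and the sector must be read after booting from a clean disk, since a resident virus can forge what is read from sector 0 while it is in memory.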
(b) Polymorphic viruses: A polymorphic virus is a virus that changes its own code from one
infection to the next to prevent detection. The usual technique is to keep the virus body
encrypted under a key that differs in every copy and to prepend a small decryption routine,
itself generated with varying instruction sequences, which restores the body in memory
before it runs. Every copy behaves the same, but no fixed byte sequence is common to all
of them, so a scanner that looks for a signature (a known run of bytes) finds nothing;
scanners counter this by recognising the decryptor or emulating it until the body is
decrypted. This virus is very hard to detect.
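The following Python code is an added example, not from the original text, showing why polymorphism defeats signature scanning. The ‘virus body’ is a constructed byte string, not code; the stub layout (a marker byte, a key byte, a padding length and random padding) is an assumption made for the example, standing in for the varying decryptor that a real polymorphic virus generates. The first scanner looks for a fixed signature; the second recognises the stub, performs its decryption and then scans the result, which is the approach scanners adopted against polymorphic code.

```python
import random

# Constructed stand-in for a virus body: an ordinary byte string, not executable code.
VIRUS_BODY = b"CONSTRUCTED-VIRUS-BODY: infect next .COM file; payload"
SIGNATURE = b"infect next .COM"   # the fixed byte run a signature scanner looks for

STUB_MAGIC = b"\xEB"   # assumed marker that opens the toy decryptor stub


def polymorphic_variant(body: bytes, rng: random.Random) -> bytes:
    """Produce one encrypted copy laid out as [stub][ciphertext].

    Toy stub layout (an assumption): magic, key byte, pad length, pad bytes.
    The key and the padding differ per copy, so no fixed byte run survives
    across variants even though every copy decrypts to the same body."""
    key = rng.randrange(1, 256)          # never 0, which would leave the body in clear
    pad_len = rng.randrange(0, 8)
    pad = bytes(rng.randrange(0, 256) for _ in range(pad_len))
    stub = STUB_MAGIC + bytes([key, pad_len]) + pad
    ciphertext = bytes(b ^ key for b in body)
    return stub + ciphertext


def signature_scan(sample: bytes) -> bool:
    """Classic scanner: look for the signature as raw bytes in the sample."""
    return SIGNATURE in sample


def emulate_and_scan(sample: bytes) -> bool:
    """Scanner that recognises the stub, runs its decryption, then applies the signature.

    A real scanner emulates the decryptor's instructions; here the toy stub is parsed."""
    if signature_scan(sample):
        return True
    if len(sample) < 3 or sample[0:1] != STUB_MAGIC:
        return False
    key, pad_len = sample[1], sample[2]
    body = bytes(b ^ key for b in sample[3 + pad_len:])
    return signature_scan(body)


def polymorphism_demo(n_variants: int = 5, seed: int = 7) -> dict:
    """Generate variants and count how many each scanning strategy catches."""
    rng = random.Random(seed)
    variants = [polymorphic_variant(VIRUS_BODY, rng) for _ in range(n_variants)]
    return {
        "static_copy_detected": signature_scan(VIRUS_BODY),
        "variants_detected_by_signature": sum(signature_scan(v) for v in variants),
        "variants_detected_by_emulation": sum(emulate_and_scan(v) for v in variants),
        "distinct_variants": len(set(variants)),
    }


if __name__ == "__main__":
    print(polymorphism_demo())
```

The plain-signature count for the variants is zero because every body byte is altered by the XOR key and the stub is shorter than the signature, while the emulating scanner recovers the body and matches all of them; the cost of emulation is the reason polymorphic viruses slowed scanners down considerably.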
(c) Stealth virus: A stealth virus is one that hides the modifications it has made to a file
or boot record, usually by intercepting the system functions (on DOS, the interrupt
services) that programs use to read files or physical blocks from storage media, and
forging the results of those functions so that programs which try to read these areas
see the original, uninfected form of the file instead of the actual infected form. Thus
the virus modifications go undetected by anti-virus programs that read through those
system functions. However, in order to do this, the virus must be resident in memory
when the anti-virus program is executed; a scan made after booting from a known-clean,
write-protected disk bypasses the hooks and sees the infected files as they really are.
(d) Fast and slow infectors: A typical file infector copies itself to memory when a program
infected by it is executed, and then infects other programs when they are executed.
A fast infector is a virus which, when it is active in memory, infects not only programs
which are executed, but also those which are merely opened. The result is that if such
a virus is in memory, running a scanner or integrity checker, which opens every program
on the disk, can result in all programs becoming infected at once.
The term ‘slow infector’ is sometimes used for a virus that, when it is active in memory,
infects files only as they are modified or created. The purpose is to fool users of
integrity checkers into thinking that the modification reported by the checker has a
legitimate cause, since the file was just written by a compiler, installer or editor.
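As an added example (not from the original text) for the stealth virus and slow infector descriptions above, the Python code below implements a simple integrity checker over a constructed in-memory ‘disk’ and models a resident stealth virus as a hook on the read function the checker calls. The file paths, contents and virus body are constructed for the example; the ‘infection’ merely appends bytes and does not model real entry-point patching.

```python
import hashlib

# Constructed in-memory "disk": path -> file contents, used instead of real files.
CLEAN_DISK = {
    "C:/DOS/COMMAND.COM": b"\xE9\x10\x00" + b"original command interpreter" * 4,
    "C:/TOOLS/EDIT.EXE":  b"MZ" + b"original editor" * 8,
}


def take_baseline(disk: dict) -> dict:
    """Record size and SHA-256 of every file while the system is known to be clean."""
    return {p: (len(d), hashlib.sha256(d).hexdigest()) for p, d in disk.items()}


def integrity_check(baseline: dict, read) -> list:
    """Re-hash each file via read(path) and return the paths whose contents changed.

    read() stands in for the operating-system file-read service the checker calls."""
    changed = []
    for path, (size, digest) in baseline.items():
        data = read(path)
        if (len(data), hashlib.sha256(data).hexdigest()) != (size, digest):
            changed.append(path)
    return changed


def infect(disk: dict, path: str, body: bytes) -> dict:
    """Constructed infection: append the virus body to one file (a marker string, not code)."""
    new = dict(disk)
    new[path] = disk[path] + body
    return new


def stealth_read(infected: dict, original: dict):
    """Model of a resident stealth virus hooking the read service: any file it has
    infected is handed back in its original form, so a scanner sees nothing wrong."""
    def read(path):
        if infected[path] != original.get(path):
            return original[path]
        return infected[path]
    return read


def raw_read(disk: dict):
    """Reading the media with no hook in the path, as after booting from a clean disk."""
    return lambda path: disk[path]


def stealth_demo() -> dict:
    """Run the same checker through the hooked read and through a clean read."""
    baseline = take_baseline(CLEAN_DISK)
    infected = infect(CLEAN_DISK, "C:/DOS/COMMAND.COM", b"CONSTRUCTED-VIRUS-BODY")
    return {
        "via_hooked_read": integrity_check(baseline, stealth_read(infected, CLEAN_DISK)),
        "via_raw_read": integrity_check(baseline, raw_read(infected)),
    }


if __name__ == "__main__":
    print(stealth_demo())
```

Through the hooked read the checker reports nothing; through the clean read it reports COMMAND.COM, which is why the baseline comparison must be run from a clean boot. A slow infector attacks the other half of the procedure: it infects only files the user is legitimately writing, so the checker's report looks expected and the user updates the baseline; the defence is to scan a reported file before accepting its new hash rather than assuming the change was the user's own.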
LOVELY PROFESSIONAL UNIVERSITY 133