According to Fred Cohen's well-known definition, a COMPUTER VIRUS is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.
Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. (See the definition of "Trojan".) Be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious - don't assume too much about what a virus can or can't do!
These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.
A TROJAN HORSE is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a *non-replicating* malicious program, so that the set of Trojans and the set of viruses are disjoint.
What are the main types of PC viruses?
Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, & .MNU files.
File infectors can be either DIRECT ACTION or RESIDENT. A direct- action virus selects one or more other programs to infect each time the program which contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.
The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses.
Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called "MULTI-PARTITE" viruses, though there has been criticism of this name; another name is "BOOT-AND-FILE" virus.
FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those which modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered, only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.
A STEALTH virus is one which hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the viral modifications go undetected by anti-viral programs. However, in order to do this, the virus must be resident in memory when the anti-viral program is executed.
Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (= 4096 = 4K).
Countermeasures: A "clean" system is needed so that no virus is present to distort the results. Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.
A POLYMORPHIC virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners (see D1) will not be able to detect all instances of the virus.
One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature- driven virus scanners (unless another virus or program uses the identical decryption routine).
One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.
A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.
The most sophisticated form of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
What are fast and slow infectors?
A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed.
A FAST infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once. Examples are the Dark Avenger and the Frodo viruses.
The term "SLOW infector" is sometimes used for a virus which, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.
The term "SPARSE infector" is sometimes given to a virus which infects only occasionally, e.g. every 10th executed file, or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered by the user.
A COMPANION virus is one which, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so that things will appear normal.) The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for *modifications* in *existing* files will fail to detect such viruses.
(Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)
An ARMORED virus is one which uses special tricks to make the tracing, disassembling and understanding of their code more difficult. A good example is the Whale virus.
Miscellaneous Jargon and Abbreviations
BSI = Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).
CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.
DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.
MBR = Master Boot Record: the first Absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table (but on some PCs may simply contain a boot sector). This is not the same as the first DOS sector (Logical sector 0).
RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.
TOM = Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change (see C11). A very few PCs with unusual memory managers/settings may report in excess of 640K.
TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.