In 1983, Fred Cohen coined the term “computer virus”, postulating a virus was "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself.” The term virus is actually an acronym for Vital Information Resources Under Seize. Mr. Cohen expanded his definition a year later in his 1984 paper, “A Computer Virus”, noting that “a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows.” Computer viruses, as we know them now, originated in 1986 with the creation of Brain - the first virus for personal computers. Two brothers wrote it (Basid and Farooq Alvi who ran a small software house in Lahore, Pakistan) and started the race between viruses and anti-virus programs which still goes on today.
Using the above explanation, it can be said that viruses infect program files. However, viruses can also infect certain types of data files, specifically those types of data files that support executable content, for example, files created in Microsoft Office programs that rely on macros.
Compounding the definition difficulty, viruses also exist that demonstrate a similar ability to infect data files that don't typically support executable content - for example, Adobe PDF files, widely used for document sharing, and .JPG image files. However, in both cases, the respective virus has a dependency on an outside executable and thus neither virus can be considered more than a simple ‘proof of concept’. In other cases, the data files themselves may not be infectable, but can allow for the introduction of viral code. Specifically, vulnerabilities in certain products can allow data files to be manipulated in such a way that it will cause the host program to become unstable, after which malicious code can be introduced to the system. These examples are given simply to note that viruses no longer relegate themselves to simply infecting program files, as was the case when Mr. Cohen first defined the term. Thus, to simplify and modernize, it can be safely stated that a virus infects other files, whether program or data.
Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person.
There are similarities at a deeper level, as well. A biological virus is not a living thing. A virus is a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way to do anything or to reproduce by itself -- it is not alive. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.
A computer virus is a program that replicates. To do so, it needs to attach itself to other program files (for example, .exe, .com, .dll) and execute whenever the host program executes. Beyond simple replication, a virus almost always seeks to fulfill another purpose: to cause damage.
Called the damage routine, or payload, the destructive portion of a virus can range from overwriting critical information kept on the hard disk's partition table to scrambling the numbers in the spreadsheets to just taunting the user with sounds, pictures, or obnoxious effects.
It’s worth bearing in mind, however, that even without a ”damage routine”, if viruses are allowed to run unabated then it will continue to propagate--consuming system memory, disk space, slowing network traffic and generally degrading performance. Besides, virus code is often buggy and can also be the source of mysterious system problems that take weeks to understand. So, whether a virus is harmful or not, its presence on the system can lead to instability and should not be tolerated.
Some viruses, in conjunction with "logic bombs," do not make their presence known for months. Instead of causing damage right away, these viruses do nothing but replicate--until the preordained trigger day or event when they unleash their damage routines on the host system or across a network.
Impact of Viruses on Computer Systems
Virus can be reprogrammed to do many kinds of harm including the following.
1.Copy themselves to other programs or areas of a disk.
2.Replicate as rapidly and frequently as possible, filling up the infected system’s disk and memory rendering the systems useless.
3.Display information on the screen.
4.Modify, corrupt or destroy selected files.
5.Erase the contents of entire disks.
6.Lie dormant for a specified time or until a given condition is met, and then become active.
7.Open a back door to the infected system that allows someone else to access and even control of the system through a network or internet connection.
8.Some viruses can crash the system by causing some programs (typically Windows) to behave oddly.
How viruses spread from one system to another?
The most likely virus entry points are email, Internet and network connections, floppy disk drives, and modems or other serial or parallel port connections. In today's increasingly interconnected workplace (Internet, intranet, shared drives, removable drives, and email), virus outbreaks now can spread faster and wider than ever before.
The following are some common ways for a virus to enter the users’ computer system:
•Email attachments
•Malicious scripts in web pages or HTML email
•FTP traffic from the Internet (file downloads)
•Shared network files & network traffic in general
•Demonstration software
•Pirated software
•Shrink-wrapped, production programs (rare)
•Computer labs
•Electronic bulletin boards (BBS)
•Diskette swapping (using other people’s diskettes for carrying data and programs back and forth)
High risk files
The most dangerous files types are:
.EXE, .COM, .XLS, .DOC, .MDB
Because they don't need any special conversion to infect a computer -- all they've got to do is run and consequently the virus spreads. It has been estimated that 99% of all viruses are written for these file formats.
A list of possible virus carriers includes:
EXE - (Executable file)
SYS - (Executable file)
COM - (Executable file)
DOC - (Microsoft Word)
XLS - (Microsoft Excel)
MDB - (Microsoft Access)
ZIP - (Compressed file, common in the USA)
ARJ - (Compressed file, common in the USA)
DRV - (Device driver)
BIN - (Common boot sector image file)
SCR - (Microsoft screen saver)
Common Symptoms Of Virus Infection
Computer does not boot.
Computer hard drive space is reduced.
Applications will not load.
An application takes longer to load than normal time period.
Hard dive activity increases especially when nothing is being done on the computer.
An anti virus software message appears.
The number of hard drive bad sectors steadily increases.
Unusual graphics or messages appear on the screen
Files are missing (deleted)
A message appears that hard drive cannot be detected or recognized.
Strange sounds come from the computer.
Some viruses take control of the keyboard and occasionally substitute a neighboring key for the one actually pressed. Another virus "swallows" key presses so that nothing appears on the screen.
Also interesting are system time effects. Clocks going backwards are especially frightening for workers who cannot wait to go home. More seriously though, this type of virus can cause chaos for programs which depend on the system time or date.
Some viruses can cost the user dearly by dialing out on his modem. We do not know of one which dials premium telephone numbers but no doubt we shall see one soon. One particularly malicious virus dials 911 (the emergency number in the USA) and takes up the valuable time of the emergency services.
Categories of viruses
Depending on the source of information different types of viruses may be categorized in the following ways:
PDA VIRUSES
The increasing power of PDAs has spawned a new breed of viruses. Maliciously creative programmers have leveraged the PDA's ability to communicate with other devices and run programs, to cause digital mayhem.
The blissfully safe world where users of these devices could synchronize and download with impunity came to an end in August 2000 with the discovery of the virus Palm Liberty. Since then, many more viruses have been discovered.
Though not yet as harmful as their PC-based cousins, these viruses still pose a threat to unsuspecting users. Their effects vary from the harmless flashing of an unwanted message or an increase in power consumption, to the deletion of all installed programs. But the threat is growing, and the destructiveness of these viruses is expected to parallel the development of the devices they attack.
MULTIPARTITE VIRUSES
A virus that combines two or more different infection methods is called a multipartite virus. This type of virus can infect both files and boot sector of a disk. Multi-partite viruses share some of the characteristics of boot sector viruses and file viruses: They can infect .com files, .exe files, and the boot sector of the computer’s hard drive. On a computer booted up with an infected diskette, the typical multi-partite virus will first make itself resident in memory then infect the boot sector of the hard drive. From there, the virus may infect a PC's entire environment. Not many forms of this virus class actually exist. However, they do account for a disproportionately large percentage of all infections. Tequila and Anticad are the examples of multipartite viruses.
BOMBS
The two most prevalent types of bombs are time bombs and logic bombs. A time bomb hides on the victim’s disk and waits until a specific date before running. A logic bomb may be activated by a date, a change to a file, or a particular action taken by a user or a program. Bombs are treated as viruses because they can cause damage or disruption to a system.
BOOT SECTOR VIRUSES
Until the mid-1990s, boot sector viruses were the most prevalent virus type, spreading primarily in the 16-bit DOS world via floppy disk. Boot sector viruses infect the boot sector on a floppy disk and spread to a user's hard disk, and can also infect the master boot record (MBR) on a user's hard drive. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the computer and accessed. Examples of boot sector viruses are Michelangelo, Satria and Keydrop.
Boot sector viruses work like this: Let us assume that the user received a diskette with an infected boot sector. The user copied data from it but forgot to remove it from drive A:. When he started the computer next time the boot process will execute the infected boot sector program from the diskette. The virus will load first and infect the hard disk. Note that this can be prevented by changing the boot sequence in CMOS (Let C: drive boot before A:). By hiding on the first sector of a disk, the virus is loaded into memory before the system files are loaded. This allows it to gain complete control of DOS interrupts and in the process replaces the original contents of the MBR or DOS boot sector with their own contents and move the original boot sector data to another area on the disk. Because the virus has infected a system area of the hard disk it will be loaded into memory each time the computer is started. It will first take control of the lowest level disk system services before executing the original boot sector code which it has stored in another part of the hard disk. The computer seems to behave exactly as it should. Nobody will notice the extra few fractions of a second added to the boot sequence.
During normal operation the virus will happily stay in memory. Thanks to the fact that it has control of the disk services it can easily monitor requests for disk access - including diskettes. As soon as it gets a request for access to a diskette it will determine that there is a diskette in the floppy drive. It will then examine its boot sector to see if it has already been infected. If it finds the diskette clean it will replace the boot sector with its own code. From this moment the diskette will be a "carrier" and become a medium for infections on other PC's.
