comp.org.uk

Networking | Programming | Security | Linux | Computer Science | About

Types of Viruses

There are many different types of viruses. In this article we will briefly look at some of the major virus types. Viruses can be classified by either their method for propagation or their activities on the target computers.

Macro

Macro viruses infect the macros in office documents. Many office products, including Microsoft Office, allow users to write mini-programs called macros. These macros can also be written as a virus. A macro virus is written into a macro in some business application. For example, Microsoft Office allows users to write macros to automate some tasks. Microsoft Outlook is designed so that a programmer can write scripts using a subset of the Visual Basic programming language, called Visual Basic for Applications (VBA). This scripting language is, in fact, built into all Microsoft Office products. Programmers can also use the closely re- lated VBScript language. Both languages are quite easy to learn. If such a script is attached to an email and the recipient is using Outlook, then the script can execute. That execution can do any number of things, including scanning the address book, looking for addresses, sending out email, deleting email, and more.

Multi-partite

Multi-partite viruses attack the computer in multiple ways for example, infecting the boot sector of the hard disk and one or more files.

Memory Resident

A memory-resident virus installs itself and then remains in RAM from the time the computer is booted up to when it is shut down.

Armored

An armored virus uses techniques that make it hard to analyze. Code confusion is one such method. The code is written such that if the virus is disassembled, the code won’t be easily followed. Compressed code is another method for armoring the virus.

Sparse infector

A sparse infector virus attempts to elude detection by performing its mali- cious activities only sporadically. With a sparse infector virus, the user will see symptoms for a short period, then no symptoms for a time. In some cases the sparse infector targets a specific program but the virus only executes every 10th time or 20th time that target program executes. Or a sparse infector may have a burst of activity and then lie dormant for a period of time. There are a number of variations on the theme, but the basic principle is the same: to reduce the frequency of attack and thus reduce the chances for detection.

Polymorphic

A polymorphic virus literally changes its form from time to time to avoid detection by antivirus software. A more advanced form of this is called the Metamorphic virus; it can completely change itself.


Published on Wed 12 March 2003 by Dan Little in Security with tag(s): virus