increase in power consumption, to the deletion of all installed programs. But the threat is growing, and the destructiveness of these viruses is expected to parallel the development of the devices they attack.
MULTIPARTITE VIRUSES
A virus that combines two or more different infection methods is called a multipartite virus. This type of virus can infect both files and boot sector of a disk. Multi-partite viruses share some of the characteristics of boot sector viruses and file viruses: They can infect .com files, .exe files, and the boot sector of the computer’s hard drive. On a computer booted up with an infected diskette, the typical multi-partite virus will first make itself resident in memory then infect the boot sector of the hard drive. From there, the virus may infect a PC’s entire environment. Not many forms of this virus class actually exist. However, they do account for a disproportionately large percentage of all infections. Tequila and Anticad are the examples of multipartite viruses.
BOMBS
The two most prevalent types of bombs are time bombs and logic bombs. A time bomb hides on the victim’s disk and waits until a specific date before running. A logic bomb may be activated by a date, a change to a file, or a particular action taken by a user or a program. Bombs are treated as viruses because they can cause damage or disruption to a system.
BOOT SECTOR VIRUSES
Until the mid-1990s, boot sector viruses were the most prevalent virus type, spreading primarily in the 16-bit DOS world via floppy disk. Boot sector viruses infect the boot sector on a floppy disk and spread to a user’s hard disk, and can also infect the master boot record (MBR) on a user’s hard drive. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the computer and accessed. Examples of boot sector viruses are Michelangelo, Satria and Keydrop.
Boot sector viruses work like this: Let us assume that the user received a diskette with an infected boot sector. The user copied data from it but forgot to remove it from drive A:. When he started the computer next time the boot process will execute the infected boot sector program from the diskette. The virus will load first and infect the hard disk. Note that this can be prevented by changing the boot sequence in CMOS (Let C: drive boot before A:). By hiding on the first sector of a disk, the virus is loaded into memory before the system files are loaded. This allows it to gain complete control of DOS interrupts and in the process replaces the original contents of the MBR or DOS boot sector with their own contents and move the original boot sector data to another area on the disk. Because the virus has infected a system area of the hard disk it will be loaded into memory each time the computer is started. It will first take control of the lowest level disk system services before executing the original boot sector code which it has stored in another part of the hard disk. The computer seems to behave exactly as it should. Nobody will notice the extra few fractions of a second added to the boot sequence.
During normal operation the virus will happily stay in memory. Thanks to the fact that it has control of the disk services it can easily monitor requests for disk access – including diskettes. As soon as it gets a request for access to a diskette it will determine that there is a diskette in the floppy drive. It will then examine its boot sector to see if it has already been infected. If it finds the diskette clean it will replace the boot sector with its own code. From this moment the diskette will be a “carrier” and become a medium for infections on other PC’s.
The virus will also monitor special disk requests for access to the boot sector. The boot sector contains its own code, and a request to read it could be from an anti-virus program checking for virus presence. The virus will not allow the boot sector to be read and will redirect all requests to the place on the hard disk where it has backed up the original contents. In this way nothing unusual is detected. Such methods are called stealth techniques and their main goal is to mask the presence of the virus. Not all boot viruses use stealth but those which do are common.
Boot viruses also infect the non-file (system) areas of hard and floppy disks. These areas offer an efficient way for a virus to spread from one computer to another. Boot viruses have achieved a higher degree of success than program viruses in infecting their targets and spreading.
Boot virus can infect DOS, Windows 3.x, Windows 95/98, Windows NT, and even Novell Netware systems. This is because they exploit inherent features of the computer (rather than the operating system) to spread and activate.
Cleaning up a boot sector virus can be performed by booting the machine from an uninfected floppy system disk rather than from the hard drive, or by finding the original boot sector and replacing it in the correct location on the disk.
CLUSTER VIRUSES
This type of virus makes changes to a disks file system. If any program is run from the infected disk, the program causes the virus to run as well. This technique creates the illusion that the virus has infected every program on the disk.
E-MAIL VIRUSES
These types of viruses can be transmitted via e-mail messages sent across private networks or the internet. Some e-mail viruses are transmitted as an infected attachment- a document file or program that is attached to the message. This type of virus is run when the victim opens the file that is attached to the message. Other types of email viruses reside within the body of the message itself. To store a virus, the message must be encoded in html format. Once launched many e-mail viruses attempt to spread by sending messages to everyone in the victim’s address book; each of those contains a copy of the virus.
The latest thing in the world of computer viruses is the e-mail virus called Melissa virus which surfaced in March 1999. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person’s address book. The e-mail message contained a friendly note that included the person’s name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient’s machine. As a result, the Melissa virus was the fastest-spreading virus ever seen and it forced a number of large companies to shut down their e-mail systems at that time.
The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim’s address book and then started corrupting files on the victim’s machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.
The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.
FILE INFECTING VIRUSES
File infectors operate in memory and usually infect executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS. They activate every time the infected file is executed by copying themselves into other executable files and can remain in memory long after the virus has activated.
Thousands of different file infecting viruses exist, but similar to boot sector viruses, the vast majority operates in a DOS 16-bit environment. Some, however, have successfully infected the Microsoft Windows, IBM OS/2, and Apple Computer Macintosh environments.
File viruses can be separated further into sub-categories by the way they manipulate their targets:
TSR FILE VIRUSES
A less common type of virus is the terminate-and-stay-resident file virus. As the name suggests these infect files usually these are .com and .exe files. there are however some device driver viruses, some viruses that infect overlay files, and although over 99% of executable programs have the extension .com and .exe, some do not .For a TSR virus to spread some one has to run an infected program. The virus goes memory resident typically looking at each program run thereafter and infects it. Examples of TSR file viruses are Dark Avenger and Green Caterpillar.
OVERWRITING VIRUSES
These viruses infect by overwriting part of their target with their own code but, by doing so, they damage the file. The file will never serve another purpose other than spreading the virus further. Because of this they are usually detected quickly and do not spread easily.
PARASITIC VIRUSES
These viruses attach themselves to