Viruses are software programs, and they can do the same things as any other programs running on a computer. The actual effect of any particular virus depends on how it was programmed by the person who wrote the virus. Some viruses are deliberately designed to damage files or otherwise interfere with your computer's operation, while others don't do anything but try to spread themselves around. But even the ones that just spread themselves are harmful, since they damage files and may cause other problems in the process of spreading. Note that viruses can't do any damage to hardware: they won't melt down your CPU, burn out your hard drive, cause your monitor to explode, etc. Warnings about viruses that will physically destroy your computer are usually hoaxes, not legitimate virus warnings.
Viruses come in many shapes and sizes, such as:
File Infectors.
These viruses attach themselves to regular programs, such as COM or EXE files under DOS. Thus, they are invoked each time the infected program is run.
Cluster Infectors.
They modify the file system so that they are run prior to other programs. Note that, unlike file infectors, they do not actually attach themselves to programs.
Macro Viruses.
Word processing documents can serve as sources of transmission for viruses that take advantage of the auto-execution macro capabilities in products such as Microsoft Word. A virus written in a product's macro language can spread simply when an infected document is opened. Macro viruses are placed inside one or more of the macros in the document. At this moment, the number of macro viruses is growing very fast (more than 6,000 in August 2000). Due to the powerful features of Visual Basic for Applications, it is very easy to use all the facilities offered by Microsoft in Windows. For example, to send an e-mail you need at most 10 lines of code. That is probably why many macro viruses have worm capabilities (the best example is W97M/Melissa.A@MM).
System Infectors.
Computer operating systems typically set aside a portion of each disk for code to boot the computer. Under DOS, this section is called a boot sector on floppies or a master boot record (MBR) for hard disks. System infectors store themselves in this area and hence are invoked whenever the disk is used to boot the system. System infector viruses, when infecting a drive, do not change the MBR content or the boot sector, but partially modify the FAT allocation of IO.SYS (or its equivalent, IBMBIO.COM) to allow inclusion of their own viral code sequence at the beginning of this file. Because, at boot time, DOS reads IO.SYS in a linear way, the virus will be read before the IO.SYS code. On the other hand, if the IO.SYS file is opened with a text viewer, it will appear perfectly normal, because the FAT allocation chain correctly includes the area overwritten by the virus, which has been saved to another area on the disk.
A virus must be executed by someone, perhaps unwittingly, in order to spread.
Some ways in which this occurs include:
Booting From An Infected Floppy.
System infectors are loaded each time an infected disk is used to boot the system. This can happen even if a disk is not equipped with the files needed to truly boot the computer, as is the case with most floppies. With PCs, the initial infection typically occurs when someone boots - or reboots - a computer with an infected floppy accidentally left in drive A. It is always a good habit to check and remove any floppies that might be in the drives before booting your machine.
Running An Infected Program.
As programs infected with a file infector are run, the virus spreads. For this reason, you should regularly scan any programs you retrieve from a BBS, the net, a colleague, etc. for viruses. There are even instances of commercial, shrink-wrapped software that have been infected with viruses!
Below is what some other types of viruses can do:
Boot Viruses.
They replicate through the boot sector of floppies, or the MBR (master boot record) or boot sectors of fixed disks. The only way these viruses replicate is by booting from the infected disk. Accessing or copying infected disks is not dangerous as long as the system is not started from the infected disk.
Tips against boot viruses:
Change the boot sequence in the BIOS so that the floppy drive is not first in the sequence. That way, you are protected when you accidentally leave an infected floppy in the drive. Booting from the floppy drive should only be necessary when installing or reinstalling the operating system or scanning for some special viruses. We recommend scanning the floppy disk with an antivirus program after formatting it and copying the system files onto it; after that, enable the floppy's write protection.
Parasitic Viruses.
They infect executable files, so that when an infected file is launched, the virus code gains control. The virus code usually executes before the normal executable code; then the original code regains control and, in most cases, executes normally. Some viruses gain control after the original code finishes executing or when a routine in that code is called. These viruses are more difficult to detect, but they are also less widespread, due to their complexity and the way they replicate.
Because these viruses infect executable files, they can spread through any data storage or transfer media: floppies, CDs, modems, networks. The virus spreads when the host file is executed.
Parasitic viruses may be memory resident (after an infected file is launched, the virus stays in memory and infects other active files) or non-resident. Non-resident parasitic viruses infect a number of files, then return control to the host program.
Parasitic viruses need to be able to distinguish between infected and non-infected files. If a virus is unable to do this (as with certain versions of the Jerusalem or Vienna viruses), it will repeatedly infect a file until the file becomes too large and the virus is easily detected.
Tips against parasitic viruses:
- When you notice that the programs you usually work with have become larger, use an antivirus program. Because the virus can hide itself in your system (stealth viruses), you must launch the antivirus from a clean bootable floppy disk.
- When an installation kit or a program that is capable of verifying itself warns you that it is corrupted, and you are sure about the functionality of that program, use an antivirus program. If you have a backup copy, we recommend using it, after verifying it too. Even if the antivirus cleans the viral code, many viruses change parts of the original program, making that program unusable. The best example is Win95/CIH, which overwrites parts of the file that are supposed to be unused; that is why installation kits (which verify themselves) won't work properly after being infected with Win95/CIH.
Companion Viruses.
They create a file with the same name but a different executable extension. For example, if you have a file named PROGRAM.EXE and you notice that a file named PROGRAM.COM appears, this is a possible companion virus infection (when the operating system encounters two executable files with the same name but different extensions, it launches the .COM file first). If the same thing happens with several executable files, the infection is obvious.
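The check described above can be automated. The following Python sketch is an added example, not part of the original article: it walks a directory tree and lists every executable that shadows a same-named executable with a lower-precedence extension. The function names and the sample tree (empty placeholder files) are constructed for illustration; the .COM, .EXE, .BAT search order is the standard DOS one. Legitimate pairs exist, so the output is a list of files to scan, not a verdict.

```python
import os
import tempfile
from collections import defaultdict

# DOS command-line search order for a name typed without an extension:
# .COM is tried before .EXE, and .EXE before .BAT.
PRECEDENCE = [".com", ".exe", ".bat"]


def find_companion_candidates(root):
    """Return sorted (directory, shadowing_file, shadowed_file) tuples.

    A file is reported when another executable with the same base name but
    a lower-precedence extension sits in the same directory.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in PRECEDENCE:
                # DOS names are case-insensitive, so compare lowercased stems
                by_stem[stem.lower()][ext] = name
        for exts in by_stem.values():
            present = [e for e in PRECEDENCE if e in exts]
            # The first entry wins the search; the rest are shadowed by it
            for shadowed in present[1:]:
                findings.append((dirpath, exts[present[0]], exts[shadowed]))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample directory: empty placeholder files only."""
    for rel in ["APPS/PROGRAM.EXE", "APPS/PROGRAM.COM", "APPS/EDIT.EXE",
                "TOOLS/FORMAT.COM", "TOOLS/SETUP.BAT", "TOOLS/setup.exe"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


def demo():
    """Run the scan over the constructed tree; paths relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(d, root), first, shadowed)
                for d, first, shadowed in find_companion_candidates(root)]


if __name__ == "__main__":
    for directory, first, shadowed in demo():
        print(f"{directory}: {first} runs instead of {shadowed}")
```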
Link Viruses.
They are extremely dangerous because they use an unusual infection method. Link viruses do not change the content of an executable file; they alter the directory structure, redirecting the directory entry of an infected file to the area that contains the viral code. Once the virus has executed, it can load the executable file, knowing the correct directory entry of the file. Eliminating such a virus from the system is both difficult and risky.
Multipartite Viruses.
They combine two or more of the basic types described above. There are viruses capable of infecting executables and Word documents, viruses capable of infecting boot sectors and executables, etc. Virus authors try to include as many capabilities as possible in their creations. A perfect example is Esperanto, which is capable of infecting files on different operating systems and running on different hardware architectures (i386 and Mac).
Some viruses are boring, while others are extremely dangerous. The least they can do is increase file sizes and slow down the computer. Many viruses only try to spread, not to damage your computer. There is, however, the possibility for such benign viruses to occasionally interact with other software and damage your computer. That is why there are no viruses that do not produce any damage; even a simple change in an installation kit might be considered damage.
Other viruses are far more dangerous, intentionally modifying or destroying data, deleting files and/or formatting your drive. Until Win95/CIH, it was said that viruses couldn't destroy or damage hardware components. CIH was the first virus (and unfortunately not the last) that was able to modify the Flash BIOS so that the computer would not work the next time the system was booted.
Another virus capable of hardware damage (but in a strange way) is {Win32,W97M}/Beast. During the night, Beast opens and closes the door of the CD-ROM unit for two hours! This will damage that unit for sure!
BEWARE OF VIRUSES!