6
Posted September 30, 2009 by Spyros in Security
 
 

What Are The Types of Computer Viruses ?

antibac_pix_virus_types
antibac_pix_virus_types

We have all probably once be presented with a computer virus in our system. Well, it’s more precise to say that we were presented with malicious code, since as you’ll see not everything is classified as a virus.

But who created the first computer virus and when? To be sincere, this is not known for sure and there are a couple of different opinions about that. However, it seems that the first one was written at about 1965-1975 and even the creator probably didn’t create it with destruction in mind.

Since then, millions of viruses have been created and possible threats lie around waiting for the next pray. Luckily it so happens that computer antivirus exist and most times they can clean up your system effectively.

How do computer antivirus programs work ?

Well, this could sometimes be a complicated process, but in most cases a simple signature check is enough. Each computer virus has some sort of code that identifies it. For example, it could be that a virus copies certain instructions to each file it spreads to. For instance it could be that it creates a new section named ‘.virus’. If in the scanning process, the antivirus gets triggered by that signature, it assumes that this virus is found. Of course, computer virus writers are cunning enough to mask their viruses with techniques like polymorphism, which i will explain more thoroughly below. Other techniques to detect such viruses could be cyclic redundancy code checks(crc checks), to identify if a file has suffered weird unexpected changes.

Is every operating system susceptible to viruses ?

The answer is partially yes. However, not every operating system would suffer from the same damages. For instance, at a windows operating system like windows xp, the most destructive viruses could erase ALL of your files or cause severe and irreversible damage to the system and your files. However, even though a virus could plague a linux system, it won’t get far. The most damaging thing is probably erasing your home files, but erasing your system or causing damage to it is not possible. The reason for that is that for instance, your /usr/bin programs are owned by the root user of the system. So, if the virus does not know your root password(which should be the case :P), there is not any damage that can be done other than messing with YOUR USER files. This is one more reason why almost all computer viruses are written for micosoft windows operating systems.

So what are basic computer virus types ?

Direct Effect viruses – Those are the standar type viruses that when executed, they replicate themselved in the current directory files and most probably the files under tha PATH directory(being main windows files etc..). They could cause partial damage or no damage at all, but they still replicate continuously.

Memory Resident Viruses – Those viruses reside in memory and the problem is that they can interfere to many programs and operations taking place in order to corrupt and render files and programs unusable.

Viruses that delete or overwrite critical file information – Probably the worst kind you could encounter, these viruses most often overwrite a file’s important bytes with random sequenced bytes and make them totally unusable and cannot be recovered. At such viruses, many files tend to be destroyed once and for all and format is most times the only solution.

Macro Viruses – The most well known macro virus is of course the Melissa virus. Macros are in fact a known programming standard, meaning a series of instructions or commands used to execute operations that most often need time programming or need to run on special occasions. The most known way for a macro virus is through microsoft Word. Microsoft has an embedded macro language and it’s possible that once a doc file gets opened, a virus gets launched. That is the reason why you should double check an email attachment sent as a doc or other macro type(and as an exe too of course).

Boot and FAT Viruses – These viruses affect the boot sector of a disk or floppy and can make it need a full format before it works again. A destroyed part of the boot sector means that the medium can no longer boot. The same applies with the FAT filesystem at which viruses launch direct attacks and make it unusable in parts.

Are Worms and Trojan horses Viruses too?

No, they are just malicious code doing other things and working in a different way. Worms tend to work like viruses, which means that they replicate themselves but have an important difference from viruses. Their main goal is to make your system unusable, mostly by eating up your RAM. I had an instance of a worm at the past, which would execute internet explorer constantly. It would run it over and over and make your system unusable since RAM was in red levels. Another well known worm type is the one that automatically creates a reboot process at your system, making it reboot without your permission.

Trojan Horses are something completely different. Their purpose is NOT to harm your system but provide access to your system by their creators. That access could mean that they steal your information, like a credit card number and more, to just reading your files or deleting and creating files. In fact, most trojans are simple tcp handshake programs, maybe enhanced with techniques like connect-back strategies, but they still consist of the standard peer to peer connections like the ones used at torrent programs or dc++ hubs.

What are polymorphic and metamorphic viruses?

As with most things where protections and breaking protections contradict, when new protections are created, new ways to break through are created too. Since signature-virus detection was created, there needed to be found a way for the virus writers, to bypass that protections. So, polymorphic viruses where coded. Polymorphism is the process of a program being able to change itself on runtime. For instance, it could have self modifying code, which means code that gets decrypted on runtime, thus making the standard disassembling unuseful. Suppose, for instance, that the signature analyser finds the pattern :

54h, 34h, 32h, 43h, AEh

These bytes are probably not a threat and are bypassed as legitimate. However, when the program runs, it changes those bytes making them something else, which is the real signature that should be found to detect the virus. Today’s detectors tend to try to catch the decoder’s bytes by signatures on their bodies.

Metamorphism is somehow close to that, but it’s the process of changing a sequence of commands to their equivalent code blocks, also trying to confuze the detectors. For instance, if you know a bit of assembly:

xor eax, eax

This simple xor command can also be written as:

mov eax, 0

or:

and eax, 0

or even:

push 0
pop eax

Therefore, you can see that blocks of code can easily be converted to other commands doing the same thing.

So, which antivirus should i use?

If you suspect that you have been hit by a virus or malicious program, i highly advice you to download the FREE online antivirus named AVG from ( the free basic edition is more than enough). AVG does also use kinda low computer memory so i think it’s the most fair solution (or, though not important you can use clamav for linux too if you want to).


Spyros