Types of viruses
Anti-antivirus virus, Retrovirus - a computer virus program that targets anti-virus programs.
- a computer virus program targeting other computer viruses.
Computer viruses - are programs or fragments of program code which, once they have entered a computer, can perform various actions against the user's will: create or delete objects, modify data files or program files, and carry out actions aimed at spreading themselves across local area networks or the Internet. Modifying program files, data files or disk boot sectors so that they themselves become carriers of the virus code and can in turn perform the actions listed above is called infection; it is the most important function of a computer virus. Depending on the type of infected objects, different types of viruses are distinguished.
Computer worm - a parasitic self-propagating program. It can replicate itself, but it cannot damage other computer programs. It penetrates computers from the network (most often such programs arrive as mail attachments or via the Internet) and sends its functional copies to other computers in the network.
"Dropper" - a carrier file that brings the virus into the system. The technique is sometimes used by virus writers to "cover" the virus from anti-virus programs.
Encrypted viruses - viruses that encrypt their own code in order to hinder disassembly and detection in a file, in memory or in a sector. Each copy of such a virus contains only a short common code fragment in clear text, the decoder; this decoding routine can be taken as the signature. At each infection the virus automatically encrypts itself anew, differently every time. In this way the virus tries to avoid detection by anti-virus programs.
Virus hoax - a non-viral e-mail message. The hoax arrives on users' computers as an e-mail message written in a pointedly neutral tone that tells of a supposedly spreading new virus.
Most virus hoaxes have one or several of the following characteristics:
- The virus name the author of the message refers to is constructed without regard to the conventions used by the majority of anti-virus companies.
- It is specifically mentioned that the "virus" has not yet been detected by anti-virus programs.
- The user is told to find a certain file with the Windows Find tool and delete it from the disk.
- The message asks the user to inform all their friends and everyone listed in their address book if the file was found.
Despite the harmlessness of such a hoax, its danger is obvious: mass mailing of copies of the useless message increases mail traffic and wastes users' time.
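As an added illustration (not part of the original glossary), the following Python check scores an e-mail against three of the four hoax characteristics listed above; the naming-convention trait is left out because it needs a vendor's naming table. The rule wording, the two sample messages and the two-indicator threshold are all constructed assumptions.

```python
# Added example (not from the original page): a small rule-based triage check
# that scores an e-mail against the hoax characteristics listed above. Sample
# messages and rule wording are constructed; the threshold is an assumption.
import re

HOAX_RULES = {
    # the message stresses that no anti-virus program detects the "virus" yet
    "undetected_claim": re.compile(
        r"\b(not|never|cannot be|can't be)\s+detected\s+by\s+(any\s+)?anti-?virus", re.I),
    # the reader is told to locate a file with a find tool and delete it
    "find_and_delete": re.compile(
        r"\b(find|search\s+for|look\s+for)\b.{0,120}?\b(delete|remove|erase)\b", re.I | re.S),
    # the reader is asked to forward the warning to friends or the address book
    "forward_request": re.compile(
        r"\b(forward|send|pass)\b.{0,60}?\b(friends|contacts|address\s+book)\b", re.I | re.S),
}


def hoax_indicators(message: str) -> dict:
    """Return which hoax characteristics fire for this message."""
    return {name: bool(rule.search(message)) for name, rule in HOAX_RULES.items()}


def is_probable_hoax(message: str, threshold: int = 2) -> bool:
    """Assumed policy: two or more indicators make the message a likely hoax."""
    return sum(hoax_indicators(message).values()) >= threshold


# constructed messages for the demonstration
HOAX_SAMPLE = """Subject: WARNING!!! New virus, please read
A new virus is spreading by e-mail. It is NOT detected by any antivirus program yet.
Use the Windows Find tool to search for the file PLACEHOLDER.EXE and delete it at once.
Please forward this warning to everyone in your address book."""

BENIGN_SAMPLE = """Subject: Monthly update reminder
The updates are available on the intranet. Please install them before Friday
and contact the helpdesk if you have questions."""

if __name__ == "__main__":
    for label, text in (("hoax", HOAX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, hoax_indicators(text), is_probable_hoax(text))
```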
Memory resident virus - a virus permanently residing in memory, normally written in Assembler or C.
Such viruses can infect programs and resist anti-virus programs more effectively. A resident virus occupies little memory. It is ready to continue its task until it is unloaded or the computer is rebooted or turned off. It is activated and performs the actions set by the virus writer when, for example, the computer reaches a specific state (timer actuation, etc.). All boot viruses are resident.
- polymorphic viruses created with the polymorphism generator MtE (Mutant Engine). The generator is a special algorithm responsible for the encoding/decoding functions and for generating decoders. It can be attached to any object code of a virus. The decoder does not have a single permanent bit, and its length is always different.
Other virus names: anti-virus companies usually give different names to the same virus, each using its own conventions for constructing a virus name. In most cases the main name of a virus (for example, Klez, Badtrans, Nimda) is the same and is present in the virus designation whatever the anti-virus company. It is mainly the prefixes and suffixes of the virus names that differ, because the conventions for using them can be specific to each company. For example, in the virus classification used by Dr.Web Ltd. versions of the same virus are labeled with numbers starting from 1, whereas Symantec uses capital letters of the Latin alphabet for the same purpose.
Polymorphic viruses - or viruses with self-modifying decoders (according to N.N. Bezrukov) - are viruses that, in addition to an encryption procedure, use a specific decoder which changes itself in each new copy of the virus. This leads to the absence of byte signatures of the virus: the decoder is not permanent, it is unique for each copy of the virus.
Script viruses - viruses written in Visual Basic, Basic Script, Java Script or JScript.
Most often such viruses enter the user's computer as e-mail messages holding script files in the attachments. Programs written in Visual Basic and Java Script can be located either in separate files or embedded in an HTML document. In the latter case they can be interpreted by the browser from a remote server and also from the local disk.
Stealth virus - a virus program that takes special measures to mask its activity and hide its presence in infected objects.
So-called stealth technology can include:
- obstacles to the virus detection in RAM
- obstacles to the tracing and disassembling of the virus
- masking of the infection process
- obstacles to virus detection in infected programs and boot sectors.
Depending on the type of infected objects, computer viruses are classified into the following types:
- File viruses - viruses infecting binary files (mainly executable files and dynamic libraries). Most often such files have the extensions .EXE, .COM, .DLL and .SYS; files with the extensions .DRV, .BIN, .OVL and .OVY can also be infected.
These viruses infect operating system files, are activated when an infected program is run, and then spread.
- Boot viruses - viruses that infect the boot record of diskettes and hard disk partitions, and also the MBR (Master Boot Record) of hard disk drives.
Virus code, signature - a set of symbols together with unambiguous rules for interpreting them, used to represent information of a given data type. Applied to viruses, it is a sequence of bytes that is peculiar to a certain virus and can therefore be detected in it, in each of its copies and only in it. Anti-virus scanners use signatures to detect viruses. Polymorphic viruses have no signatures.
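The following Python snippet is an added example, not code from the original glossary, covering both the "Encrypted viruses" and the "Virus code, signature" entries: it shows why a byte signature taken from the encrypted body never matches another copy, while a signature taken from the fixed decoder fragment matches every copy. The decoder stub, the body and the single-byte XOR scheme are all constructed stand-ins, not real virus code.

```python
# Added example (not from the original page): why the decoder stub, not the
# encrypted body, is what a signature scanner can match in an encrypted virus.
# All bytes below are constructed for illustration; no real virus code is used.

# Constructed stand-in for the short decoding loop that every copy of an
# encrypted virus must carry in clear text so that it can decrypt itself.
DECODER_STUB = bytes.fromhex("b90f00be1a00802c")   # constructed, 8 bytes

# Constructed stand-in for the virus body that gets encrypted on each infection.
BODY = b"CONSTRUCTED-SAMPLE-BODY-0123456789"


def xor_transform(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def build_sample(key: int) -> bytes:
    """One 'infected copy': clear-text stub, the key byte, then the encoded body."""
    return DECODER_STUB + bytes([key]) + xor_transform(BODY, key)


def scan(data: bytes, signature: bytes) -> bool:
    """Minimal signature scanner: is the byte sequence present anywhere?"""
    return signature in data


def decode_sample(sample: bytes) -> bytes:
    """What the stub would do at run time: read the key byte and restore the body."""
    key = sample[len(DECODER_STUB)]
    return xor_transform(sample[len(DECODER_STUB) + 1:], key)


def signature_results() -> dict:
    """Scan three copies encrypted with different keys using two candidate signatures."""
    samples = [build_sample(key) for key in (0x21, 0x5A, 0xC3)]
    return {
        # a signature taken from the plain body never matches an encrypted copy
        "body_hits": [scan(s, BODY) for s in samples],
        # a signature taken from the decoder stub matches every copy
        "stub_hits": [scan(s, DECODER_STUB) for s in samples],
        # the encrypted bodies are pairwise different, so they share no fixed bytes
        "distinct_bodies": len({s[len(DECODER_STUB) + 1:] for s in samples}) == 3,
        # the stub still recovers the original body from each copy
        "decodes": all(decode_sample(s) == BODY for s in samples),
    }


if __name__ == "__main__":
    for name, value in signature_results().items():
        print(f"{name}: {value}")
```

A polymorphic virus, as the next entries describe, removes even this fixed stub by regenerating the decoder for each copy, which is why the glossary says such viruses have no byte signature.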
Virus-companion - formally a file virus, although it does not infect executable files.
Such viruses use the DOS feature that allows program files with the same name but different extensions to be run with different priorities.
Priority is an attribute assigned to a task, program or operation that defines the order in which the computer system executes them.
The majority of such viruses create a .COM file, which has a higher priority than the .EXE file of the same name. When a file is run by name (without specifying the extension), the .COM file is executed.
Such viruses can be resident and can mask the clone files.
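As an added defender-side illustration (not code from the original glossary), the Python check below scans a directory listing for the companion pattern just described: a .COM file sitting beside an .EXE of the same name, which DOS runs first when only the name is typed. The listing, its sizes and the hidden flags are constructed; a real run would build the listing with os.scandir().

```python
# Added example (not from the original page): a directory-listing check for
# companion-virus candidates, i.e. a .COM file beside an .EXE of the same name.
# The listing is constructed; real use would walk the directory with os.scandir().
from collections import defaultdict


def find_companion_candidates(listing):
    """listing: iterable of (filename, size_bytes, hidden_attribute).

    Returns one record per name that has both a .COM and an .EXE, sorted by name.
    Matching is case-insensitive because DOS file names are.
    """
    by_stem = defaultdict(dict)
    for name, size, hidden in listing:
        stem, dot, ext = name.rpartition(".")
        if dot and ext.upper() in ("COM", "EXE"):
            by_stem[stem.upper()][ext.upper()] = {"name": name, "size": size, "hidden": hidden}
    found = []
    for stem in sorted(by_stem):
        pair = by_stem[stem]
        if "COM" in pair and "EXE" in pair:
            com, exe = pair["COM"], pair["EXE"]
            found.append({
                "stem": stem,
                "com": com["name"],
                "exe": exe["name"],
                # two traits the entry above mentions: a small clone that is masked
                "com_hidden": com["hidden"],
                "com_smaller": com["size"] < exe["size"],
            })
    return found


# constructed listing: one innocent .EXE, one .COM/.EXE pair, one lone .COM
SAMPLE_LISTING = [
    ("REPORT.EXE", 48_112, False),
    ("payroll.exe", 131_072, False),
    ("PAYROLL.COM", 1_536, True),
    ("HELLO.COM", 2_048, False),
]

if __name__ == "__main__":
    for rec in find_companion_candidates(SAMPLE_LISTING):
        print(rec)
```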
- a modified variant of one and the same virus. The virus code can be modified either by the author of the virus or by third parties.
Zoo virus - a virus that exists only in anti-virus labs and virus researchers' collections and has never been encountered "in the wild".