Virus Protection

What is a Virus?


A computer virus is a program that attaches itself to other pieces of code, so that when the user tries to run the original code they unintentionally run the virus code as well. The virus code is designed to replicate itself and "infect" other programs, possibly in a modified form, and may exhibit other behavior too. To be a virus, a program must therefore be able to do all of the following:

  • Run without the user wanting it to and/or create effects that the programmer wants but that the user did not want or request.
  • Have the ability to "infect" or modify other files or disk structures.
  • Replicate itself so it can spread to other files or systems.

Types of Viruses


  • Worms: A worm is a program that is self-contained and when run, has the ability to spread itself to other systems. In essence, a worm is a virus that doesn't infect other programs. Instead, it acts independently, seeking to spread to other computers connected to its current host. Since they do not infect programs or boot sectors, they are much less frequently encountered than viruses. They tend to spread over network connections. They can have other undesirable effects when run.
  • Trojan Horses: A Trojan horse is any program that, once run, does something that the user doesn't want or request. The program doesn't necessarily infect other files or spread to other systems. It is the generic term to refer to any software that is intentionally coded to do something other than what it is supposed to. Some people think of viruses as a special form of Trojan horse: one that can infect other files (thus turning them into Trojan horses) and duplicate itself. Trojan horses are sometimes just called "Trojans" for short.
  • Bugs: A bug is an error in a program. It is included here even though it really isn't in the same class as viruses and Trojans, because it is similar to a Trojan horse in that it causes behavior other than what the user wanted. The difference of course is that with a bug, the aberrant behavior is unintentional! With a Trojan horse the author is doing it on purpose.
  • Droppers: A dropper is a program designed to install or deliver a virus or Trojan horse onto a target system. The dropper is specially designed to avoid detection by standard virus detection programs: the virus it carries is specially encrypted, so the dropper itself doesn't appear to virus scanners the way a regular infected program file would. In some ways, a dropper is like a "virus egg", waiting to be hatched. They are uncommon.
  • Virus Impostors (Joke Programs): Some oh-so-clever programmers have devised cute programs that mimic the effects of true viruses when they are run. These are not considered viruses themselves, or even Trojan horses, because here the user of the file knows that the program is going to do something strange. These are often installed by humor-impaired people on coworkers' PCs to drive them nuts.

Major Virus Types and How They Work


  • Boot Sector Infectors: Also sometimes called boot record infectors, system viruses, or boot viruses, these programs attack the vulnerable boot program that is stored on every bootable floppy disk or hard disk. This code is executed by the system when the PC is started up, making it a juicy target for virus writers: by installing themselves here they guarantee that their code will be executed whenever the system is started up, giving them full control over the system to do what they wish. They are spread most commonly through infected bootable floppy disks.
  • File Infectors: These viruses directly attack and modify program files, which are usually .EXE or .COM files. When the program is run, the virus executes and does whatever it wants to do. Usually it loads itself into memory and waits for a trigger to find and infect other program files. These viruses are commonly spread through infected floppy disks, over networks, and over the Internet.
  • Macro Viruses: The newest type of virus, these clever programs make use of the built-in programming languages in popular programs such as Microsoft Word and Microsoft Excel. These programs allow users to create programs that automate tasks, called macros. As the macro languages have become more powerful, virus writers have created malevolent macros that, when opened unwittingly, duplicate themselves into other documents and spread just like a conventional virus would. These programs can cause just as much damage as regular viruses, despite the fact that they are very different: regular viruses are low-level machine language programs, while macro viruses are actually high-level interpreted BASIC programs! The most common type of macro virus right now infects Microsoft Word documents.

As virus authors have become more "creative", they have devised increasingly sophisticated viruses that work in different ways. In particular, newer viruses get smarter and smarter at avoiding detection. In most cases these viruses are not necessarily more hazardous than older ones, but they are harder to detect and remove using anti-virus software. Some of the tricks that authors use:

  • Polymorphing: Some viruses are designed so that each time they infect, their appearance and size change. These thwart simplistic virus scanners that look for predefined patterns and make detection much more difficult.
  • Stealth: A stealth virus actively hides the changes it has made to the hard disk so that it appears that it has not infected the system. For example, a file infector might stay memory resident and misreport the size of infected files so they don't appear to be infected. Boot sector viruses can trap attempts to read the boot sector and return forged data that makes them appear to be "clean".
  • Disassembly Protection: Many newer viruses are designed using programming tricks that make them hard to disassemble (disassembly is the process of interpreting the code into a form that is easier to analyze so that the virus can be combated).
  • Directory Viruses: Some viruses now seek to avoid detection by avoiding modifying the file they infect directly. Instead, they change the cluster pointer in the directory entry of the file to point to the virus instead of the actual program. The virus runs its code and then executes the target program afterwards. The virus is thus able to "infect" the program without actually modifying it.
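
The directory-virus trick above leaves a trace a defender can look for: several program files whose directory entries start at the same cluster. The following is an added example, not part of the original article. It parses raw FAT12/16 directory entries and reports such shared start clusters. It assumes the virus body is stored once on disk, and the sample directory, file names and cluster numbers are constructed for illustration.

```python
import struct
from collections import defaultdict

ENTRY = "<8s3sB14xHI"   # name, ext, attributes, (skipped), start cluster, size
PROGRAM_EXTS = {"EXE", "COM"}

def make_entry(name, ext, cluster, size, attr=0x20):
    """Build one 32-byte FAT12/16 directory entry (used only for sample data)."""
    return struct.pack(ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, cluster, size)

def parse_directory(raw):
    """Yield (filename, start_cluster, size) for each live file entry."""
    for off in range(0, len(raw) - 31, 32):
        name, ext, attr, cluster, size = struct.unpack_from(ENTRY, raw, off)
        if name[0] == 0x00:      # end-of-directory marker
            break
        if name[0] == 0xE5:      # deleted entry
            continue
        if attr & 0x18:          # volume label, subdirectory or long-name entry
            continue
        base = name.decode("ascii", "replace").rstrip()
        yield f"{base}.{ext.decode('ascii', 'replace').rstrip()}", cluster, size

def shared_start_clusters(raw):
    """Return {cluster: [program files]} where several programs start at one cluster."""
    by_cluster = defaultdict(list)
    for filename, cluster, size in parse_directory(raw):
        if filename.rsplit(".", 1)[-1] in PROGRAM_EXTS and cluster >= 2 and size > 0:
            by_cluster[cluster].append(filename)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}

# Constructed sample directory: two programs point at cluster 0x0150.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 0x0150, 47845),
    make_entry("README", "TXT", 0x0022, 1200),
    b"\xE5" + make_entry("XTEMP", "EXE", 0x0150, 10)[1:],   # deleted entry
    make_entry("EDIT", "EXE", 0x0150, 69886),
    make_entry("FORMAT", "COM", 0x0040, 22974),
    bytes(32),                                              # end marker
])

if __name__ == "__main__":
    for cluster, names in shared_start_clusters(SAMPLE_DIR).items():
        print(f"cluster {cluster:#06x} is the start of: {', '.join(names)}")
```

Shared start clusters also arise from ordinary cross-linked files after disk corruption, so a hit is a lead to investigate rather than proof. Because a memory-resident stealth virus can forge reads, take the raw directory after booting from known-clean media.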

Virus Hoaxes


Along with the thousands of real viruses that circulate the world, there are dozens of virus hoaxes that computer users have to contend with. Loosely speaking, a virus hoax is a rumor or warning about a virus that is spread from well-meaning person to well-meaning person, telling them not to download a program or take other action, or they will get a virus. But the virus does not exist, and in fact it is the virus warning that is really the only thing that is, in essence, a virus! If you think about it, the warning is what is spreading from system to system (even though it doesn't generally cause any damage aside from wasting people's time).


Who Writes Viruses... and Why?


The people who write viruses generally have their own reasons for what they do, and they aren't too open about identifying themselves, for obvious reasons. It is believed that most virus authors are young men in their teens or early twenties, who have a great deal of technical knowledge and have decided for various reasons to use it for destructive purposes. Some of the reasons that people write viruses:

  • Sociopathy: Many virus writers are just troublemakers--or maybe just troubled individuals--who want to create havoc and then thrive on the attention it generates. They are the electronic equivalents of graffiti artists, prank phone callers, etc., looking for fame and glory in a rather twisted way.
  • Revenge: Sometimes viruses or Trojan horses are written by disgruntled employees or others who want to get back at someone or make a statement.
  • The Challenge: Some virus writers do it just to see if they can get away with it. As virus detection software gets smarter, virus writers have to employ new tricks to have their "products" evade notice.
  • Education: Writing viruses, especially ones smart enough to avoid detection, requires a great deal of technical know-how. Some people take up virus writing to teach themselves how to program at a low level within the PC. It's ironic, but experienced virus writers are among the most technically skilled PC programmers in the world! What a waste, isn't it?

Symptoms of Virus Infection


Some viruses exhibit behavior that tells you immediately that they are on your system, but so many viruses mimic other system problems that it is most accurate to say "there is usually no way to rule out a virus as a possible cause of strange software or system behavior on your PC".

Despite your best efforts, you may at some point catch a virus on your PC. When this happens, you of course want to get rid of the virus immediately, and restore your system to its pre-infected state. Removing a virus from your system can be incredibly simple, or surprisingly difficult, depending on what the virus is, what sort of antivirus software you are using, and how quickly you have caught the problem. There is also the problem of dealing with any potential data loss that may have resulted from the virus's handiwork.