Computer Viruses

                Computer viruses are nothing more than programs written by malicious programmers. They get into a computer without the user's knowledge and may damage data and, in rare cases, the system's BIOS. In fact, virus writing is an art. In this section I'm going to brief you on the basics of viruses and their dos and don'ts.
                In many cases, when something goes wrong with a computer, people assume it is the work of a virus. Often it is due to some other cause. Let us now look at viruses in detail.

Types of viruses:

        Basically, viruses are categorised into four types:

                1. Boot viruses.
                2. File viruses.
                3. Multi purpose (multipartite) viruses.
                4. Macro viruses.

1.Boot viruses:
                Boot viruses infect only the boot sector of a disk. The boot sector is the first sector of a disk; it holds a small program that is executed when the system boots from that disk. Boot viruses are easy to write and easy to detect, since they can only be in one place: reading the boot sector shows whether it still holds the expected code. A boot virus takes control of the system before the operating system is loaded. It then monitors the system for disk activity and does its intended damage without the user's knowledge. When it sees a disk access it checks whether that disk is already infected by itself; if not, it infects the disk by writing its own code into the boot sector. Whether the original boot sector is moved elsewhere first depends on the design of the virus. Some boot viruses use a stealth technique: while such a virus is active, any read of the boot sector returns the clean boot sector instead of the infected one. Most boot viruses load themselves at the top of conventional RAM by reducing the base memory size that the BIOS reports (the word at 0040:0013h in the BIOS data area), so that a 640 KB machine appears to have, say, 638 KB. This keeps other programs from overwriting the virus, and the missing kilobytes are themselves a tell-tale sign.

                Most boot viruses on a hard disk infect the MASTER BOOT RECORD (MBR). Such viruses are called MBR infectors and belong to the boot virus family. The MBR is the first physical sector of the hard disk. It is important to note that the partition table is held in the MBR, so any damage to the MBR may cause data loss even though no file is touched. Floppies have no MBR; their boot sector is the DOS BOOT RECORD (DBR). A hard disk has a DBR in addition to the MBR: the DBR is the first sector of the DOS partition and is what the MBR code loads. The physical locations of the DBR and MBR are given below (the hard-disk DBR location is that of the first partition in the classic DOS layout, where it begins at cylinder 0, head 1, sector 1).

                    Floppy                      Hard disk

        DBR         track 0, head 0,            track 0, head 1,
                    sector 1                    sector 1

        MBR         (none)                      track 0, head 0,
                                                sector 1
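    To make the layout above concrete, here is an added example (my own code, not part of the original page) that parses a 512-byte MBR and a floppy DBR and runs the checks a boot-virus scanner makes on them: the 55AAh signature, a hash of the 446 bytes of boot code compared with a known-good copy, the partition table compared with the same baseline, and the BPB fields that DIR reads. The sector images, the stand-in boot code and the partition geometry (first partition at cylinder 0, head 1, sector 1, LBA 63) are constructed for the example, and the function names are mine.

```python
"""Parse a 512-byte master boot record and a floppy DOS boot record and run the
checks a boot-virus scanner makes on them. Added example, not code from the
original page; the two sectors below are constructed in memory, and the MBR
boot code is a short stand-in prologue, not a real loader."""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 0x1BE    # four 16-byte partition entries start here (after 446 bytes of code)
SIG_OFFSET = 0x1FE    # the 0x55AA boot signature occupies the last two bytes


def chs(b):
    """Decode a 3-byte CHS field into (cylinder, head, sector)."""
    # byte 0 = head; byte 1 = sector (low 6 bits) + cylinder bits 8-9; byte 2 = cylinder low 8 bits
    return (((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F)


def parse_mbr(sec):
    """Return the boot-code hash, the used partition entries and the signature check."""
    parts = []
    for i in range(4):
        e = sec[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        if e[4] == 0:                       # partition type 0 = unused slot
            continue
        lba, count = struct.unpack_from("<II", e, 8)
        parts.append({"active": e[0] == 0x80, "type": e[4],
                      "start_chs": chs(e[1:4]), "lba": lba, "sectors": count})
    return {"sig_ok": sec[SIG_OFFSET:] == b"\x55\xAA",
            "code_hash": hashlib.sha256(sec[:PART_TABLE]).hexdigest(),
            "partitions": parts}


def parse_dbr(sec):
    """Return the fields DIR needs from a DOS boot record: the jump, OEM name and BPB head."""
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sec, 11)
    return {"jmp_ok": sec[0] in (0xEB, 0xE9),   # short/near JMP over the BPB
            "oem": sec[3:11].decode("ascii", "replace").strip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": fats,
            "sig_ok": sec[SIG_OFFSET:] == b"\x55\xAA"}


def mbr_anomalies(current, baseline):
    """Compare a freshly read MBR with a known-good copy saved while the disk was clean."""
    problems = []
    if not current["sig_ok"]:
        problems.append("missing 55AA signature")
    if current["code_hash"] != baseline["code_hash"]:
        problems.append("boot code changed")          # an MBR infector replaced the loader
    if current["partitions"] != baseline["partitions"]:
        problems.append("partition table changed")    # FDISK /MBR would not repair this
    if sum(p["active"] for p in current["partitions"]) != 1:
        problems.append("expected exactly one active partition")
    return problems


def build_samples():
    """Constructed sectors: a clean MBR, the same MBR with its code replaced, and a floppy DBR."""
    prologue = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"   # cli / xor ax,ax / mov ss,ax / mov sp,7C00h
    # active, start CHS (0,1,1), type 06h (FAT16), end CHS (arbitrary), LBA 63, 65536 sectors
    entry = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x06, bytes([0xFE, 0xBF, 0x04]), 63, 65536)
    table = entry + b"\0" * 48
    clean = prologue.ljust(PART_TABLE, b"\0") + table + b"\x55\xAA"
    infected = (b"\xEB\x1C\x90" + b"\x90" * 5).ljust(PART_TABLE, b"\0") + table + b"\x55\xAA"
    # BPB: 512 B/sector, 1 sector/cluster, 1 reserved, 2 FATs, 224 root entries, 2880 sectors,
    # media F0h, 9 sectors/FAT, 18 sectors/track, 2 heads (a 1.44 MB floppy)
    bpb = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    dbr = (b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb).ljust(SIG_OFFSET, b"\0") + b"\x55\xAA"
    return clean, infected, dbr


if __name__ == "__main__":
    clean, infected, dbr = build_samples()
    base = parse_mbr(clean)
    print(base["partitions"][0]["start_chs"])        # (0, 1, 1): the DBR at track 0, head 1, sector 1
    print(mbr_anomalies(parse_mbr(infected), base))  # ['boot code changed']
    print(parse_dbr(dbr)["bytes_per_sector"])        # 512
```

    The hash-against-baseline check is the practical form of "one can easily detect the presence of a boot virus": save a copy of the clean MBR once, then compare. Comparing the partition table separately matters because of the FDISK /MBR caveat discussed later on this page.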

    To know more about boot viruses see the discussion on Writing boot viruses.

2.File viruses:
                File viruses infect executable files such as EXE, COM and OVL files. They are more dangerous than boot viruses because their presence is not as easy to spot: the virus can be in any of hundreds of files rather than in one fixed sector. The virus takes over the computer when an infected file is executed, after which it infects other clean executables. File viruses may also have stealth features, e.g. reporting the original size of an infected file while the virus is resident, so that the infection does not show up as a size increase. There are quite a few techniques by which file viruses infect:

        1. Overwriting.
        2. Appending.
        3. Directory based.
        4. Filling.

    1.Overwriting:
                Very few file viruses infect by overwriting. The virus overwrites the first few bytes of the file with its own code, so that the virus runs when the file is executed. It does not care about the normal functioning of the infected program, which no longer works. These viruses do not spread far in the wild precisely because of that: a program that stops working is noticed immediately. Files infected this way cannot be recovered, since overwriting erases the original bytes.

    2.Appending:
                Most file viruses infect by this method. The virus appends itself to the end of the executable file and computes, from the original file size and its own size, the entry point of the virus code. It then redirects the program's entry to that code, with a JMP instruction patched over the first bytes of a COM file or by changing the entry point in the header of an EXE file, so that the virus runs when the program is executed. When the infected program is run the virus executes first, establishes itself in memory, captures certain interrupts and then runs the original program. Some viruses instead run the original host program first and take control back when it terminates in order to establish themselves in memory. With this method of infection the file size increases:

    Infected file size = Clean file size + size of the virus

    Hence a file virus may be found by checking file sizes against a record of the clean sizes. Some COM file infectors skip larger COM files because of this increase in file size: a COM file is a raw image loaded at offset 100h of a single 64 KB segment (the tiny memory model, in which code and data must fit inside that 64 KB). If Original file size + Size of virus would push the image past the 64 KB boundary, the infected file no longer obeys the COM specification and will not load.

    The drawback of appending is that every infected executable carries its own copy of the virus. The disk fills with identical copies that a scanner can find, and each host program starts a little later because the virus code runs first.
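    The size formula and the JMP patch described above, worked on a constructed byte buffer as an added example (not code from the page, and not a virus: the appended body is a NOP stub that only carries the three saved host bytes). The hypothetical functions infect_com, looks_infected and disinfect_com show the forward arithmetic, the size-based check a scanner makes, and the reversal a disinfector performs, including the refusal to touch a host that would push the image past the 64 KB limit.

```python
"""The appending-infection arithmetic for a DOS .COM host, worked on constructed
byte buffers. Added example, not from the original page and not a virus: the
appended "body" is a stand-in of NOPs that only carries the three saved host
bytes. The same arithmetic, run backwards, is what a disinfector does."""
import struct

COM_LOAD = 0x100                  # DOS loads a .COM image at CS:0100h, right after the PSP
COM_MAX = 0x10000 - COM_LOAD      # 65,280 bytes: the largest image that fits in the 64 KB segment
STUB = b"\x90" * 16               # stand-in for the virus code (constructed; does nothing)

# Constructed host: mov ah,09h / mov dx,010Bh / int 21h / mov ah,4Ch / int 21h / "Hello$"
HOST = b"\xB4\x09\xBA\x0B\x01\xCD\x21\xB4\x4C\xCD\x21" + b"Hello$"


def infect_com(host):
    """Return the infected image, or None when the host is unusable or would exceed COM_MAX."""
    if len(host) < 3:
        return None                               # no room for the 3-byte near JMP
    body = host[:3] + STUB                        # body = saved entry bytes + code
    if len(host) + len(body) > COM_MAX:
        return None                               # the 64 KB rule from the text
    # E9 disp16 at offset 0: disp is relative to the IP after the jump (offset 3),
    # and the body starts at file offset len(host), so disp = len(host) - 3.
    jmp = b"\xE9" + struct.pack("<H", (len(host) - 3) & 0xFFFF)
    return jmp + host[3:] + body


def jmp_target(image):
    """Decode a leading E9 JMP and return the file offset it lands on, else None."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    disp = struct.unpack_from("<H", image, 1)[0]
    return (3 + disp) & 0xFFFF


def looks_infected(image):
    """Scanner heuristic from the text: the entry JMP lands exactly on a body appended at the end."""
    target = jmp_target(image)
    return target is not None and target == len(image) - len(STUB) - 3


def disinfect_com(image):
    """Undo infect_com: put the saved three bytes back and drop the body."""
    if not looks_infected(image):
        return None
    target = jmp_target(image)
    return image[target:target + 3] + image[3:target]


if __name__ == "__main__":
    infected = infect_com(HOST)
    print(len(HOST), len(infected))              # 17 36: clean size + 3 saved bytes + 16-byte stub
    print(disinfect_com(infected) == HOST)       # True
```

    Infected file size = Clean file size + size of the virus holds exactly here (the virus "size" being the saved bytes plus the stub), which is why a table of clean sizes catches this method and why the disinfector can recover the host byte for byte.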

    3.Directory based:
                    Very few file viruses use this method of infection. It is somewhat complicated but very efficient and quick. When such a virus is active in memory and a file is executed, the virus searches for that file's name in the corresponding directory. Having located the file's directory entry, it replaces the starting cluster number of the file with the cluster in which the virus itself resides, saving the original cluster number elsewhere (in its own hidden table) for later use. That original cluster number is used to execute the host program properly. With this method the entire disk holds only one copy of the virus, and all executable files point to that one cluster. While the virus is active, SCANDISK or CHKDSK will not report any error, because the virus answers their directory reads with the original cluster numbers. If SCANDISK or CHKDSK is run without the virus in memory, it will report a number of cross-linked clusters (many files claiming the same starting cluster). Of course, SCANDISK or CHKDSK themselves must not be infected for this to work. If you then try to repair the cross-linked clusters with CHKDSK /F, complete data loss may occur, since the real starting cluster of each file is known only to the virus's own table. With this method of infection the infected file does not grow in size.

    4.Filling:
            These infectors find the unused space at the end of a file's last cluster and store the virus code there. DOS allocates disk space in clusters, the fundamental unit of storage. Assume the cluster size is 32768 bytes. To store a file of exactly 32768 bytes DOS allocates 1 cluster. To store a file of just 1 byte DOS also allocates a whole cluster, wasting 32767 bytes. To store a file of 65539 bytes DOS allocates 3 clusters, again wasting 32765 bytes. In other words, DOS stores files in whole clusters, and the unused area after the end of the file in its last cluster (the slack) is what this technique exploits to hide the virus code. With this method of infection the file size does not increase. See below for more explanation.

    Cluster1 filled --> Cluster2 filled --> Cluster3 half filled (END)

    Here cluster1 and cluster2 are filled completely, but cluster3, the last cluster of the file, is only half filled; the other half is unused and may be used by the virus to hide itself. Note that DOS loads a file only up to the size recorded in its directory entry, so code hidden in the slack is not loaded with the host: the virus still needs a small hook in the host (or a resident copy of itself) to read that code back from the disk, and the hidden code is destroyed if the file ever grows. The CIH virus is the best-known infector that avoids growing its hosts, although it fills the unused gaps inside Windows PE executables rather than the cluster slack on disk.
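    An added example (mine, not the page's) that covers both the directory-based and the filling methods above: it reads 32-byte FAT directory entries from a constructed directory sector, reports starting clusters shared by more than one file (the cross-linked clusters CHKDSK complains about), and inspects the slack of each file's last cluster for non-zero bytes. The volume, the 512-byte cluster size, the helper names and the assumption that every file is stored contiguously (so no FAT chain is walked) are all assumptions of the example.

```python
"""Scan a constructed FAT directory for the two size-preserving infection traces
described above: several files sharing one starting cluster (what CHKDSK reports
as cross-linked) and non-zero bytes in the slack of a file's last cluster.
Added example, not code from the original page. The directory sector and data
area are built in memory; files are assumed to be contiguous so that no FAT
chain has to be walked, and the cluster size is an assumption."""
import struct

CLUSTER = 512                  # bytes per cluster on the constructed volume (assumption)
DIR_ENTRY = "<8s3sB10sHHHI"    # name, ext, attr, reserved, time, date, start cluster, size
FIRST_DATA_CLUSTER = 2         # FAT numbers data clusters from 2; the data area starts there


def make_entry(name, ext, start, size):
    """Build one 32-byte directory entry for a plain archive-flagged file."""
    return struct.pack(DIR_ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, b"\0" * 10, 0, 0, start, size)


def read_dir(sector):
    """Return (name, start cluster, size) for every live entry in a directory sector."""
    out = []
    for off in range(0, len(sector), 32):
        e = sector[off:off + 32]
        if len(e) < 32 or e[0] == 0:     # 0x00 in the first byte marks the end of the directory
            break
        if e[0] == 0xE5:                 # deleted entry
            continue
        name, ext, _attr, _res, _t, _d, start, size = struct.unpack(DIR_ENTRY, e)
        out.append((name.decode().strip() + "." + ext.decode().strip(), start, size))
    return out


def crosslinked_starts(entries):
    """Map start cluster -> file names for clusters claimed by more than one file."""
    by_start = {}
    for name, start, _size in entries:
        by_start.setdefault(start, []).append(name)
    return {c: names for c, names in by_start.items() if len(names) > 1}


def cluster_bytes(data, n):
    """Slice cluster n out of the data area."""
    i = n - FIRST_DATA_CLUSTER
    return data[i * CLUSTER:(i + 1) * CLUSTER]


def slack_filled(entries, data):
    """Names of files whose last cluster holds non-zero bytes past end-of-file."""
    hits = []
    for name, start, size in entries:
        if size == 0:
            continue
        nclusters = -(-size // CLUSTER)                 # ceiling division
        last = start + nclusters - 1                    # contiguous-file assumption
        used = size - (nclusters - 1) * CLUSTER         # bytes of the last cluster the file uses
        if any(cluster_bytes(data, last)[used:]):
            hits.append(name)
    return hits


def build_volume():
    """Constructed volume: one clean file, one with filled slack, two sharing a start cluster."""
    data = bytearray(4 * CLUSTER)                       # clusters 2..5
    data[0:100] = b"A" * 100                            # PROG1.COM, cluster 2, slack untouched
    data[512:512 + 700] = b"G" * 700                    # GAME.EXE, clusters 3-4 (188 bytes used in 4)
    data[1024 + 188:1536] = b"\x90" * 324               # stand-in code hidden in GAME.EXE's slack
    data[1536:1536 + 64] = b"V" * 64                    # cluster 5: the single shared copy
    directory = (make_entry("PROG1", "COM", 2, 100) + make_entry("GAME", "EXE", 3, 700)
                 + make_entry("EDIT", "EXE", 5, 400) + make_entry("TOOL", "EXE", 5, 200))
    return directory.ljust(512, b"\0"), bytes(data)


if __name__ == "__main__":
    directory, data = build_volume()
    entries = read_dir(directory)
    print(crosslinked_starts(entries))   # {5: ['EDIT.EXE', 'TOOL.EXE']}
    print(slack_filled(entries, data))   # ['GAME.EXE']
```

    Both checks must be run with no virus resident, for the reason given above: a stealth virus answers directory reads with the original cluster numbers, so a scan from within the infected system sees nothing.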
 

3.Multi purpose (multipartite) viruses:
                        These viruses have the properties of both boot viruses and file viruses: they infect both files and boot sectors, and can therefore re-infect a disk from either side if only one is cleaned. The discussion of boot viruses and file viruses applies equally to them. There are quite a few viruses of this type, e.g. Paralysis.

4.Macro viruses:
                These viruses do not infect executable files but documents, originally MS-WORD documents. They are written in the application's macro language (WordBasic, later VBA) and typically infect the global template (NORMAL.DOT), so that every document opened or saved afterwards is infected too. Macro viruses are easy to write, and because documents are exchanged far more often than programs they spread very fast, which is why so many are found in the wild. Their payloads may corrupt documents, and the information in them is lost. Current virus scanners search for macro viruses and can clean them.
 
 

Dos and don'ts of viruses


If a floppy is infected by a boot virus, is it safe to run a DIR command on it?

    Yes, it is safe to run a DIR command on that floppy. The boot virus will not be executed: DIR only reads the disk. Of course, the operating system may load the boot sector into a buffer to find the drive parameters from the BPB (see DOS Diskette structure for the BPB), and some antivirus programs that scan memory will raise an alert when they find the virus in that buffer, possibly even claiming the virus is active in memory. The virus code is in memory, but only as data; it is never executed. So it is safe to run DIR on a floppy with a boot virus, provided you never boot from it.

How about a file virus?

    Again yes. You can run a DIR command on the floppy, but don't execute the infected file. Viruses are not magic; they are just programs. If you give them a chance to execute they will take control of your computer, so don't give them that chance.

Is it possible for a floppy to be infected by more than one boot virus?

    Yes, a floppy can be infected by more than one boot virus; the second one simply treats the first virus's boot sector as the original. Whether the floppy still boots properly depends on the design of the viruses.

Can I remove a boot virus by running the SYS command?

    Yes, the SYS command rewrites the DOS boot record (DBR) and so overwrites a DBR virus. In the case of MBR infectors run FDISK /MBR, which rewrites the boot code in the MBR without touching the partition table. Two caveats: boot from a clean, write-protected DOS floppy first, so that no stealth virus is resident to intercept the write; and FDISK /MBR is only safe if the partition table in the infected MBR is still valid. Some MBR viruses keep the real partition table elsewhere (the Monkey virus is the classic case), and for those FDISK /MBR leaves you with a clean MBR and an unreachable partition.

Even if I format the hard disk the MBR virus is not removed. Why?

    The MBR is not part of DOS. The FORMAT command formats the DOS partition only; it does not touch the MBR, so the virus code in the MBR survives a format. The fix is to run FDISK /MBR (from a clean boot floppy) to rebuild the MBR; you need not format the disk at all.

"My hard disk doesn't boot after formatting" - why?

    From the virus point of view, the hard disk may be infected by a STYLE2-type virus (see Writing boot viruses for STYLE2). Its VIRUS LOADER PROGRAM (VPL) survives in the MBR, but the main virus body, stored in sectors that the format overwrote, is gone. During booting the VPL loads those sectors, which now hold meaningless data, and executes them. Eventually the system hangs.

How do viruses know about disk activity?

    Normally each and every disk access at the BIOS level goes through interrupt 13h. A boot virus captures (hooks) this interrupt, so whenever it is called the virus is triggered and checks whether the disk involved is infected. File viruses more commonly hook DOS interrupt 21h, through which programs are loaded and executed, for the same purpose. An interrupt vector that points into the top of conventional memory, just below a base-memory size that has shrunk, is a classic sign of a resident boot virus.

Can a boot virus infect a non-bootable disk?

    Yes, it can. Every formatted disk has a boot sector, bootable or not, so the virus infects this sector. If you leave such an infected non-bootable disk in the drive and the machine starts from it, you will get the "Non-system disk" message, but that message is printed by the boot sector code itself, after the virus has already installed itself. So it does not prevent the boot virus from infecting your hard disk.

Can viruses infect non-executable files?

    Most viruses infect only executable files; macro viruses are the exception, and even they infect documents only because those documents carry executable macros. There is no point in infecting a file that never gets executed.

If I format a floppy, is it true that all viruses on it will be erased?

    Yes, provided there is no virus resident in memory during formatting. A resident boot virus will simply re-infect the freshly formatted floppy.

"A DIR command is enough for infection." - is this true?

    Absolutely. If a boot virus is resident in memory and you run a DIR command on a clean floppy, the floppy will be infected, because DIR reads the disk and the virus hooks every disk access. The virus must be read-conscious, i.e. it must infect on a read operation as well as on a write. Most boot viruses do so.

Can a virus latch onto a write-protected floppy?

    No, never. The write-protect notch is enforced by the drive hardware, so no software, virus or otherwise, can write to a write-protected floppy. This is also why the clean boot floppy you use for disinfection must be write-protected.

In which language are viruses written?

    Mostly assembly language; some in C or C++; rarely in BASIC or Pascal.
However, boot viruses can be written efficiently only in assembly, since it gives the smallest code and a boot sector has only 512 bytes, part of which is taken by the BPB or the partition table.

Why assembly language?

    Assembly language generates code that is smaller and faster. So virus designers use this language for efficient virus code.

Why do people write viruses?

    Some of them do it for fun, some for a purpose, some out of envy; the list goes on. But I respect the minds behind it.

Can I write a virus?

    Why not? Understand the internals of your computer, then learn assembly and C. Then you can do it.

