Viruses, worms, trojans and anti-virus
A virus is a file that can infect other files on a computer or a network and can produce undesired side-effects. These effects range from harmless messages to data corruption or destruction. Some viruses format your hard disk or destroy the FAT (File Allocation Table) and the disk directories; others produce minor effects such as the occasional display of on-screen messages, erasure or modification of data, playing music, or interference with or difficulties in printer output.
Possible sources of virus transmission are diskettes, CDs, network cables, telephone cables (with a modem) and the Internet. Closely related to computer viruses are Trojan horses and Worms.
A Trojan horse is a program that performs some undesired action while pretending to do something else. One common class of Trojan is the fake login program, which collects accounts and passwords by prompting for them just as a normal login program does. Another is a "disk defragmenter" that erases files rather than reorganizing them. A Trojan horse differs from a virus in that it does not attempt to reproduce itself.
A worm is a self-propagating virus. A typical example is Win32/SKA.A, which disguises itself as an email attachment. The attached file is the actual worm code, and it propagates by locating valid email addresses. The worm modifies wsock32.dll, patching itself into the file so that two APIs, connect() and send(), are hooked to the worm's code; in this way Win32/SKA.A can see all network activity on the current machine. When someone posts an email message to another user or to a news server, the worm sends a copy of that message with its own code as an attachment. Chain-letter worms of this type are very successful because people usually trust messages they receive from friends and associates. 32-bit worms are much more successful than viruses, which spread relatively slowly: a worm can infect hundreds of thousands of machines around the globe in a single day.
There are four main classes of computer viruses: file infectors, cluster infectors, macro viruses and system infectors. About 85 percent of all known viruses infect files containing applications, such as COM or EXE files under DOS, spreadsheet programs or games. Cluster infectors modify the file system so that they are run before other programs, but they do not actually attach themselves to programs. The third category, macro viruses, is independent of the operating system and infects files that are usually regarded as data rather than as programs. System infectors store themselves in the boot sector of floppies or in the master boot record (MBR) of hard disks, and are therefore invoked whenever the disk is used to boot the system.
A virus must be executed by someone, perhaps unwittingly, in order to spread, for example by booting from an infected floppy disk. System infectors are loaded each time an infected disk is used to boot the system. This happens even if the disk does not carry the files needed to actually boot the computer, as is the case with most floppies. With PCs, the initial infection typically occurs when someone boots, or reboots, a computer with an infected floppy accidentally left in drive A. It is always a good habit to check for and remove any floppies in the drives before booting your machine. Take the same care with e-mail messages that include attached files: unless you know the source, delete the message without opening the attachment.
Viruses
We can differentiate the following types of viruses: boot viruses, DOS viruses, hoaxes, Java viruses, MS Excel viruses, MS Word viruses, PalmOS viruses, script viruses, trojan horses, Windows viruses and worms.
Types of infections
Damaging the hardware under Windows 95/98
Virus attacks took a big step in 1998 when Win95/CIH became the first virus to damage system hardware, specifically the flash BIOS. CIH, like Win95/Anxiety, implements a PE infection mechanism based on VxD calls. Because the virus executes its damage routine in Ring0 (system level), the damage done by its port I/O instructions (e.g. IN, OUT) cannot be prevented.
Infecting Kernel32.dll
Virus writers have written several Win32 viruses that attack kernel32.dll, which most PE applications load in order to reach the most important part of the Win32 API, such as the file functions. These viruses work by patching the export address of one exported API (e.g. GetFileAttributesA) so that it points into virus code that the virus has appended to the end of the DLL image; because 32-bit DLLs use the PE file format, this type of file is easy to infect. Such viruses can be per-process resident, i.e. the virus runs actively as part of one or several processes: every process that uses kernel32.dll, which is any process that uses the basic Win32 file and directory functions, is linked to the virus code. The infected DLL attaches to every program that imports from kernel32.dll, and whenever the application calls the patched API, the virus code gets control in the address space of the infected application.
Every system DLL contains a pre-calculated checksum that the linker places in the DLL's PE header. Unlike Win95, NT recalculates this checksum before it loads DLLs and drivers. If the calculated checksum does not match the checksum in the DLL's header, the system loader stops with an error message on a blue screen during system boot. This does not mean, however, that a virus writer cannot implement such a virus for NT. The Win32/Heretic virus was the first of its kind to implement proper kernel32.dll infection, and as a result it ran on NT. The Win32/Kriz virus also uses this method and carries the CIH damage routine, but the damage routine does not work under NT because the virus runs in Ring3 (user mode).
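The check the text attributes to the NT loader can be reproduced offline. The following is an added example, not code from the article: a Python reimplementation of the PE image checksum following the publicly documented CheckSumMappedFile algorithm (a ones'-complement sum of 16-bit words, skipping the CheckSum field, plus the file length). The PE-shaped buffer built by build_constructed_image is constructed for the demonstration only and is not a loadable DLL; the function names are this example's own.

```python
import struct

# The CheckSum field sits 64 bytes into the optional header, for PE32 and PE32+ alike.
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64


def pe_checksum_field_offset(image):
    """Locate the CheckSum field: e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def compute_pe_checksum(image):
    """Recompute the image checksum as imagehlp's CheckSumMappedFile does: a ones'-complement
    sum of every 16-bit little-endian word in the file, skipping the CheckSum DWORD itself,
    folded to 16 bits, plus the file length in bytes."""
    skip = pe_checksum_field_offset(image)
    data = image if len(image) % 2 == 0 else image + b"\0"   # an odd trailing byte counts as a word
    total = 0
    for off in range(0, len(data), 2):
        if off in (skip, skip + 2):                # the DWORD field spans two words
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry after every word
    total = (total & 0xFFFF) + (total >> 16)       # final fold
    return (total & 0xFFFF) + len(image)


def stored_pe_checksum(image):
    return struct.unpack_from("<I", image, pe_checksum_field_offset(image))[0]


def checksum_matches(image):
    """True when the header's CheckSum equals the recomputed value. The recomputed value is at
    least the file length, so an unset (zero) field never matches."""
    return stored_pe_checksum(image) == compute_pe_checksum(image)


def with_checksum(image):
    """Return a copy of the image with a correct CheckSum written in, as the linker would."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, pe_checksum_field_offset(image), compute_pe_checksum(image))
    return bytes(buf)


def build_constructed_image(body):
    """Constructed PE-shaped buffer for this demonstration only (not a loadable DLL): 64-byte DOS
    header with e_lfanew = 64, PE signature, 20-byte COFF header, 96-byte PE32 optional header
    with CheckSum left at zero, then `body` standing in for the section data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 96, 0x2102)   # i386, one section, DLL image
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x10B)                        # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + body


if __name__ == "__main__":
    clean = with_checksum(build_constructed_image(b"\xC3" * 16))
    print("clean image checksum ok:", checksum_matches(clean))
    # Appending bytes without fixing up the header, as a naive file infector would, breaks the check.
    tampered = clean + b"APPENDED STUB"   # constructed filler, not virus code
    print("tampered image checksum ok:", checksum_matches(tampered))
```

A mismatch is a strong sign that a system DLL was patched after it was linked; a match is no evidence of a clean file, because an infector that recomputes the field after appending its code passes this check just as the linker's output does. Treat the checksum as a consistency test, and rely on the detection techniques later in the article for actual identification.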
Kernel-mode driver viruses
This type of virus appends a number of bytes to the end of applications that run in user mode and modifies the entry point so that it points to the start of the virus code. The virus tries to install its own driver on the system and uses hard-coded IDs to call native APIs. Once installed, it can monitor all file access and infect applications on the fly; it can infect anything it wants. Fortunately this kind of virus is hard to program and remains scarce.
Complex Win32 viruses
These viruses use polymorphic engines to make detection of the virus code extremely difficult. Some engines change the virus code byte by byte from one generation to the next, so a constant search string cannot detect the virus unless the anti-virus program uses modules such as code emulation. A further approach is the metamorphic virus: these consist of small modules that the virus can arrange in a virtually endless number of orders, using sets of instruction sequences that differ in code but produce the same result when executed. Several of these viruses consist of pieces of assembly code that are encrypted multiple times.
Counter measures
Infected DLLs can be hard to clean from the system because applications map these files from disk into memory, and the files cannot be modified once they are loaded. Whereas you can boot an infected Win9x machine from a clean system diskette, it is much more complicated on Win2000 and NT with NTFS; there you need a utility such as NTFSDOS that boots the system with write access to the volume. Windows System File Checker (SFC) fixes modified system components automatically; to use it, run sfc.exe from the command prompt. SFC is not a virus security feature, but it helps reduce the risk of viruses spreading under Win2000.
Backups of all software (including operating systems) should be made regularly.
Prevention includes creating user awareness, implementing hygiene rules, using disk authorization software or providing isolated 'quarantine' PCs.
Detection involves the use of anti-virus software to detect, report and disinfect viruses.
Containment involves identifying and isolating the infected items.
Recovery involves disinfecting or removing infected items and recovering or replacing corrupted data.
Techniques to detect viruses
String search
The first step in detecting a virus in a file is to search for a unique piece of its code or data within files. This method is used for simple viruses. Although the string search technique is not considered foolproof, it is still the basis of most anti-virus programs.
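A minimal string-search scanner of the kind described above, added here as an example (it is not the article's code or any product's engine). Signatures are hex strings in which "??" stands for any single byte, a convention many scanner signature files use; the two patterns in SIGNATURES are constructed for the demonstration and do not describe any real virus. The function and table names are this example's own.

```python
import re
from pathlib import Path

# Constructed signature table for this demonstration. "??" matches any single byte.
# These patterns are made up for the example and do not correspond to any real virus.
SIGNATURES = {
    "Test.Sample.A": "DE AD BE EF ?? 00 C3",
    "Test.Sample.B": "4D 5A 90 ?? ?? ?? 00 00 EB",
}


def compile_signature(hex_pattern):
    """Translate a hex pattern with '??' wildcards into a compiled bytes regex."""
    digits = hex_pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex pattern needs an even number of digits: %r" % hex_pattern)
    parts = []
    for i in range(0, len(digits), 2):
        token = digits[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '??' also matches 0x0A


COMPILED = {name: compile_signature(pattern) for name, pattern in SIGNATURES.items()}


def scan_bytes(data):
    """Return [(signature name, offset of first hit)] for every signature present in data."""
    hits = []
    for name, regex in COMPILED.items():
        match = regex.search(data)
        if match:
            hits.append((name, match.start()))
    return hits


def scan_file(path):
    """Scan one file. Reading it whole is fine for the small files this demonstration targets;
    a production scanner reads in chunks with an overlap so a string spanning a boundary is not missed."""
    return scan_bytes(Path(path).read_bytes())


def scan_tree(root, suffixes=(".exe", ".dll", ".com", ".sys")):
    """Walk a directory and report infected files as {path: hits}. Only the executable types the
    article's file infectors target are read; adjust the suffix list for other platforms."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files: one carrying the Test.Sample.A pattern, one clean.
        Path(tmp, "flagged.exe").write_bytes(b"MZ" + b"\x00" * 30 + bytes.fromhex("DEADBEEF4200C3"))
        Path(tmp, "clean.exe").write_bytes(b"MZ" + b"\x00" * 40)
        for path, hits in scan_tree(tmp).items():
            print(path, "->", hits)
```

The wildcard bytes are what let one string cover minor variants of the same code; they are also the limit of the method, because a virus whose body is encrypted or rewritten in every generation, as in the "Complex Win32 viruses" section, leaves no constant string to search for. That is why the article treats string search as a basis rather than a complete answer.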
Algorithmic search
This technique consists of determining whether a file has been infected by observing certain parameters that commonly appear in infected files.
Vaccination
This consists of recording file characteristics, either in the file itself or in separate files. The recorded information is later used to determine whether the file has been modified, which almost always implies a virus attack.
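The "separate files" variant of vaccination is an integrity baseline. The following added example (not the article's code) records size and a SHA-256 digest for each executable under a directory, stores the baseline as JSON, and reports files whose characteristics changed, appeared or disappeared. The file in the demonstration is a constructed stand-in for a program; the function names and the choice of SHA-256 are this example's own.

```python
import hashlib
import json
from pathlib import Path


def fingerprint_bytes(data):
    """The characteristics recorded per file: its size and a SHA-256 of its content."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def fingerprint_file(path):
    return fingerprint_bytes(Path(path).read_bytes())


def build_baseline(root, suffixes=(".exe", ".dll", ".com", ".sys")):
    """Record the characteristics of every executable under root, keyed by relative path."""
    root = Path(root)
    return {
        str(p.relative_to(root)): fingerprint_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def compare_baseline(old, new):
    """Files whose recorded characteristics changed, plus files that appeared or vanished."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def save_baseline(baseline, path):
    """Keep the baseline in a separate file, ideally on read-only or offline media."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        prog = Path(tmp, "app.exe")
        prog.write_bytes(b"MZ" + b"\x90" * 64)                 # constructed stand-in for a program
        save_baseline(build_baseline(tmp), Path(tmp, "baseline.json"))
        prog.write_bytes(prog.read_bytes() + b"APPENDED")       # simulate an appending file infector
        Path(tmp, "new.exe").write_bytes(b"MZ")                 # a file that was not in the baseline
        print(compare_baseline(load_baseline(Path(tmp, "baseline.json")), build_baseline(tmp)))
```

Two practical caveats follow from the article's own text. Legitimate software updates also change executables, so the baseline has to be refreshed after every installation or the report fills with false positives. And the check is only as trustworthy as the environment it runs in: a virus that is active in memory can misreport file contents (the point of the anti-stealth method below) and can rewrite a baseline kept on the same disk, which is why the disinfection section insists on booting from a clean diskette first.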
Investigation method
This method is very effective against unknown viruses: it tries to discover viruses that are active in memory but have not been found by a conventional memory scan. It basically consists of testing the virus so as to discover its infection capacity.
Anti-stealth method
The anti-virus program takes control of the system resources first, before any other application, and therefore cannot be manipulated by other applications. This isolation only makes sense while the virus is in memory, i.e. when it is active, since that is when we try to avoid the effects of the virus on the system.
Precautions
1. Be careful when downloading software or other items.
2. Don't run programs directly from the Internet unless you trust their source.
3. Avoid opening files attached to e-mail messages, unless you trust their source.
4. Scan new programs before running or installing them onto your system.
5. After you have an anti-virus program installed, keep it on auto-detect and keep the virus signature files up to date. Most programs offer an easy online updating option.
Disinfecting a virus
You should never work with a virus in memory. A virus, like any other program, can only get into memory when it is run. When you run an infected program the virus is activated, and that is what booting from a clean, virus-free boot diskette prevents. While a virus is active in memory it interferes with the operations performed and, at best, can re-infect cleaned files if you go on working with the computer (without rebooting) after the disinfection is finished.
Some necessary program features:
A good anti-virus program checks RAM, boot sectors and system files. It should have an auto-detect function that scans your system in the background, scan e-mail attachments, documents and spreadsheets when they are opened, and let you scan any area of your system on demand or on a schedule. It should also scan for all sorts of malicious code, including unknown viruses and Trojan horses.