Classification
Viruses can be subdivided into a number of types based on their features.
Macro viruses
A macro virus, often written in the scripting languages for programs such as Word and Excel, is spread by infecting documents and spreadsheets. Since macro viruses are written in the language of the application and not in that of the operating system, they are known to be platform-independent. They can spread between Windows, Mac and any other system, so long as they are running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats.
The first macro virus was written for Microsoft Word and was discovered in August 1995. Today, there are thousands of macro viruses in existence—some examples are Relax, Melissa.A and Bablas.
Network viruses
This kind of virus spreads quickly across a Local Area Network (LAN) or even over the Internet. Usually, it propagates through shared resources, such as shared drives and folders. Once it infects a new system, it looks for further targets by scanning the network for other vulnerable systems. When a new vulnerable system is found, the network virus infects it, and thus spreads over the network. Some of the most notorious network viruses are Nimda and SQLSlammer.
Logic bomb
A logic bomb employs code that lies inert until specific conditions are met. Once the conditions are met, a certain function is triggered (such as printing a message to the user and/or deleting files). Logic bombs may reside within standalone programs, or they may be part of worms or viruses. An example of a logic bomb would be a virus that waits to execute until it has infected a certain number of hosts. A time bomb is a subset of logic bomb that is set to trigger on a particular date and/or time. An example of a time bomb is the infamous ‘Friday the 13th’ virus.
Cross-site scripting virus
A cross-site scripting virus (XSSV) is a type of virus that uses cross-site scripting vulnerabilities to replicate. An XSSV spreads between vulnerable web applications and web browsers, creating a symbiotic relationship.
Sentinels
A sentinel is a highly advanced virus capable of giving the creator or perpetrator of the virus remote access control over the infected computers. Sentinels are used to form vast networks of zombie or slave computers, which in turn can be used for malicious purposes such as a distributed denial-of-service attack.
Archaic forms
Some forms of virus were very common in the 1980s and early 1990s, but have become much less prevalent.
Companion virus
A companion virus does not have host files per se, but exploits MS-DOS. A companion virus creates new files (typically .COM but can also use other extensions such as ".EXD") that have the same file names as legitimate .EXE files. When a user types the name of a desired program without specifying a file extension such as ".EXE", DOS assumes the user meant the file with the extension that comes first in alphabetical order, and runs the virus. For instance, if "(filename).COM" (the virus) and "(filename).EXE" both exist and the user types "filename", "(filename).COM" is run, and with it the virus. The virus will spread and do other tasks before redirecting to the legitimate file, which operates normally. Some companion viruses are known to run under Windows 95 and on DOS emulators on Windows NT systems. Path companion viruses create files that have the same name as the legitimate file and place new virus copies earlier in the directory paths. These viruses have become increasingly rare with the introduction of Windows XP, which does not use the MS-DOS command prompt.
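The two companion patterns described above can be audited from the defender's side by walking the command search path. This is an added example, not part of the original text; the directory names, file names and the `find_companions` helper are constructed for illustration.

```python
import os
import tempfile

EXTS = (".com", ".exe")  # .COM is run ahead of .EXE when no extension is typed

def find_companions(search_path):
    """Return (kind, shadowing_file, shadowed_file) tuples.

    search_path lists directories in the order the shell searches them.
    """
    findings = []
    first_seen = {}  # base name -> first program found along the search path
    for directory in search_path:
        by_base = {}
        for name in sorted(os.listdir(directory)):
            base, ext = os.path.splitext(name.lower())
            if ext in EXTS:
                by_base.setdefault(base, {})[ext] = os.path.join(directory, name)
        for base, found in sorted(by_base.items()):
            # Same-directory companion: NAME.COM sitting next to NAME.EXE.
            if len(found) == 2:
                findings.append(("same-dir", found[".com"], found[".exe"]))
            runs_here = found.get(".com") or found[".exe"]
            # Path companion: an earlier directory already supplies this name.
            if base in first_seen:
                findings.append(("path", first_seen[base], runs_here))
            else:
                first_seen[base] = runs_here
    return findings

def demo():
    """Build a constructed directory tree and report findings as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"temp": ["edit.com"],
                  "dos": ["EDIT.EXE", "FORMAT.COM", "FORMAT.EXE", "CHKDSK.EXE"]}
        for sub, names in layout.items():
            os.mkdir(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "wb").close()
        path = [os.path.join(root, "temp"), os.path.join(root, "dos")]
        return [(kind, os.path.relpath(a, root), os.path.relpath(b, root))
                for kind, a, b in find_companions(path)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding is a lead to review rather than proof of infection, since some legitimate software ships same-named .COM and .EXE files.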
Boot sector viruses
A boot sector virus alters or hides in the boot sector, usually the 1st sector, of a bootable disk or hard drive. The boot sector is where your computer starts reading your operating system. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence. A boot virus does not affect files; instead, it affects the disks that contain them.
In the 1980s boot sector viruses were common and spread rapidly from one computer to another on rewritable floppy disks which contained programs. However, with the CD-ROM revolution, it became impossible to infect read-only CDs. Though boot viruses still exist, they are much less common than in the 1980s. Additionally, modern operating systems do not allow ordinary programs to write to the boot sector. Examples of boot viruses are Polyboot.B and AntiEXE.
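Because a boot sector virus has to change the first sector, comparing that sector against a known-good fingerprint shows the alteration. The sketch below is an added example, not part of the original text; it assumes the classic 512-byte MBR layout (446 bytes of boot code, a 64-byte partition table and the 0x55AA signature), and the function names and sample sectors are constructed.

```python
import hashlib

SECTOR_SIZE = 512
# Classic MBR layout (an assumption; the page only says "the 1st sector").
REGIONS = {
    "boot code": (0, 446),
    "partition table": (446, 510),
    "signature": (510, 512),
}

def read_boot_sector(image_path):
    """Read the first sector of a disk image (or raw device, given privileges)."""
    with open(image_path, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("image is shorter than one sector")
    return sector

def fingerprint(sector):
    """Hash each region separately so a report can say what changed."""
    return {name: hashlib.sha256(sector[start:end]).hexdigest()
            for name, (start, end) in REGIONS.items()}

def compare_to_baseline(sector, baseline):
    """Return a list of differences between a sector and a stored fingerprint."""
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("boot signature 0x55AA missing")
    current = fingerprint(sector)
    for name in REGIONS:
        if current[name] != baseline[name]:
            problems.append(name + " changed")
    return problems

# Constructed sample data: an empty but validly signed sector, and a copy
# whose first two boot-code bytes differ.
CLEAN = b"\x00" * 510 + b"\x55\xaa"
ALTERED = b"\xeb\x3c" + CLEAN[2:]

if __name__ == "__main__":
    baseline = fingerprint(CLEAN)
    print(compare_to_baseline(CLEAN, baseline))
    print(compare_to_baseline(ALTERED, baseline))
```

The baseline has to be recorded while the disk is known to be clean and stored off the disk it describes.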
Multipartite viruses
Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system.
There aren’t too many multipartite viruses in existence today, but in the 1980s, they accounted for some major problems due to their capacity to combine different infection techniques. A well-known multipartite virus is Ywinz.