The Classification of Computer Viruses
Viruses may be classified by the following attributes:
- the environment in which the virus resides;
- the method of infection;
- the destructive capabilities;
- the features of the virus algorithm.
DEPENDING ON THE ENVIRONMENT OF RESIDENCE, viruses may be divided into network,
file and boot viruses. Network viruses spread through a computer network; file
viruses incorporate themselves into executable files; boot viruses install
themselves into the boot sector of a disk or into the system loader sector of
the hard disk, the Master Boot Record (MBR). Combinations of these exist, for
example multipartite (file-and-boot) viruses, which infect both kinds of object
(files and disk boot sectors). Such viruses, as a rule, have a rather
complicated algorithm of operation, often use original methods of penetrating
the system, and employ stealth and/or polymorphic techniques.
By the METHOD OF INFECTION, viruses are subdivided into resident and nonresident
ones. A memory-resident virus, after infecting the computer, leaves its resident
part in RAM; that part then intercepts the operating system's calls to objects
that can be infected and incorporates the virus into them. Resident viruses stay
in memory and remain active until the computer is switched off or rebooted.
Nonresident viruses do not infect the computer's memory and are active only for
a limited time (while the infected program runs). Some viruses leave small
resident programs in RAM which do not spread the virus; such viruses are still
considered nonresident.
According to their DESTRUCTIVE CAPABILITIES, viruses may be divided as follows:
- harmless, i.e. not affecting the computer's operation (except for reducing
free disk space as a result of their propagation);
- not dangerous, whose influence is limited to reducing free disk space and to
graphic, sound and other effects;
- dangerous, which can cause serious failures in the computer's operation;
- very dangerous, which can result in loss of programs, corruption of data and
erasure of information vital for the computer's operation that is stored in
system areas.
But even if the virus algorithm contains no branches that harm the system, the
virus cannot be called harmless with any certainty, because its penetration into
the computer can have unforeseen and sometimes catastrophic consequences. A
virus, like any other program, has bugs, as a consequence of which both files
and disk sectors may be damaged (for example, the "DenZuk" virus, quite harmless
at first sight, works correctly with 360K disks but can destroy information on
disks of a larger capacity). A resident virus may also conflict with the system
and hang it when newer DOS versions are used, when working under MS-Windows, or
in other more powerful environments.
Analyzing ALGORITHM FEATURES, one can discern the following groups of viruses:
- "companion" viruses: file viruses that do not change the files they infect.
Their algorithm consists in creating companion files for .EXE files, with the
same name but the extension .COM; for example, for the file XCOPY.EXE the file
XCOPY.COM is created. The virus writes itself into the .COM file and does not
change the .EXE file. When such a file is launched, DOS finds and executes the
.COM file, i.e. the virus, first.
- "worm" viruses: viruses which spread in a computer network and, like
companion viruses, do not change files or sectors on disks. They penetrate the
computer's memory from the network, compute the network addresses of other
computers and send their own copies to those addresses. Such viruses sometimes
create working files on the system's disks, but may not access the computer's
resources (with the exception of main memory) at all. Fortunately, in networks
of IBM-compatible computers such viruses have not so far been encountered.
- "parasitic" viruses: all viruses which, in spreading their copies, necessarily
change the contents of files or disk sectors. All viruses which are not
companions or worms belong to this group.
- "student" viruses: extremely primitive viruses, often poorly debugged;
- "stealth" viruses: invisible viruses, which are fairly sophisticated programs
that intercept DOS calls to infected files or disk sectors and substitute
uninfected data areas for themselves. Moreover, when accessing files such
viruses use rather unusual algorithms which allow them to deceive
memory-resident antivirus monitors. One of the first stealth viruses was the
"Frodo" virus;
- "polymorphic" viruses: rather difficult to detect; they have no signatures,
i.e. they contain no constant block of code. In most cases two samples of the
same polymorphic virus do not share a single identical block of code. This is
achieved by encrypting the main body of the virus and varying the decryption
routine.
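The companion mechanism in the list above rests on the order in which DOS resolves a command typed without an extension: .COM is tried before .EXE, so a planted XCOPY.COM runs instead of XCOPY.EXE without a single byte of the .EXE changing. The Python script below is an added illustration, not code from the original text or from any real virus: it simulates that lookup over a constructed directory listing, plants a companion the way the text describes, and runs the simple heuristic a scanner could use (an .EXE whose base name also exists as a hidden or small .COM). The size threshold, the use of the hidden attribute, and the listing itself are assumptions made for the example.

```python
"""Companion virus: DOS name resolution and a name-collision heuristic.

Added example; nothing here touches a real disk.  DOS resolves a bare command
name by trying .COM, then .EXE, then .BAT in each directory, which is what a
companion virus exploits.  The size threshold used by the heuristic and the
hidden attribute on the planted file are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DOS_EXTENSION_ORDER = (".COM", ".EXE", ".BAT")


@dataclass(frozen=True)
class DirEntry:
    name: str           # 8.3 name, upper case, e.g. "XCOPY.EXE"
    size: int           # length in bytes
    hidden: bool = False


def resolve_command(command: str, listing: List[DirEntry]) -> Optional[str]:
    """Return the file DOS would execute for `command` typed without an extension."""
    names = {entry.name for entry in listing}
    for ext in DOS_EXTENSION_ORDER:
        candidate = command.upper() + ext
        if candidate in names:
            return candidate
    return None


def plant_companion(listing: List[DirEntry], target_exe: str, virus_len: int) -> List[DirEntry]:
    """Simulate infection: add XXX.COM beside XXX.EXE; the .EXE entry is left untouched.
    The companion is given the hidden attribute here so a plain DIR would not show it."""
    base, ext = target_exe.rsplit(".", 1)
    if ext != "EXE":
        raise ValueError("companion viruses target .EXE files")
    return listing + [DirEntry(name=f"{base}.COM", size=virus_len, hidden=True)]


def find_companion_suspects(listing: List[DirEntry], max_companion_size: int = 4096) -> List[str]:
    """Flag a .COM that shares its base name with an .EXE and is hidden or small.
    Legitimate COM/EXE pairs exist, so this is a lead for inspection, not a verdict."""
    by_base: Dict[str, Dict[str, DirEntry]] = {}
    for entry in listing:
        base, ext = entry.name.rsplit(".", 1)
        by_base.setdefault(base, {})[ext] = entry
    suspects = []
    for base, by_ext in by_base.items():
        com, exe = by_ext.get("COM"), by_ext.get("EXE")
        if com and exe and (com.hidden or com.size <= max_companion_size):
            suspects.append(com.name)
    return sorted(suspects)


# Constructed listing standing in for a DOS directory.
CLEAN = [
    DirEntry("XCOPY.EXE", 30_000),
    DirEntry("FORMAT.COM", 22_000),
    DirEntry("README.TXT", 1_200),
]
INFECTED = plant_companion(CLEAN, "XCOPY.EXE", virus_len=1_024)

if __name__ == "__main__":
    print("clean   :", resolve_command("XCOPY", CLEAN))      # XCOPY.EXE
    print("infected:", resolve_command("XCOPY", INFECTED))   # XCOPY.COM runs first
    print("suspects:", find_companion_suspects(INFECTED))    # ['XCOPY.COM']
```

The heuristic is deliberately weak: it finds the collision, not the virus, and a scanner would still have to examine the .COM itself. Its value is that it works on the directory alone, which is exactly the data a companion virus leaves unchanged.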
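The claim about polymorphic viruses, that two copies share no constant block because the body is encrypted under a changing key and the decryption routine itself varies, is easiest to see with a toy engine. The Python below is an added illustration, not code from the original text or from any real virus: the byte-coded "decryptor instruction set" is invented for the example (real engines emit machine code), the body text and signature are constructed, and the variation is derived from a seed so that the runs are reproducible. It generates samples, shows that a plain signature scan over the stored bytes fails while a scanner that first steps through the decryptor succeeds, and measures the longest byte run two samples have in common.

```python
"""Toy polymorphic engine and the scanner strategies it does or does not defeat.

Added example; the byte-coded "decryptor instruction set" below is invented for
illustration (real engines emit machine code).  A sample is DECRYPTOR followed by
the encrypted body.  The body is constant; the key, the cipher (XOR or ADD), the
way the key is loaded, the order of the setup instructions and the amount of
junk padding all vary, so no fixed byte string survives across samples.
"""
import random

BODY = b"KILROY:hook INT21h;infect on open;restore date;exit"   # constant virus body (constructed)
SIGNATURE = b"KILROY"                                           # what a plain signature scanner looks for

# Opcodes of the toy decryptor.
OP_KEY = 0x01   # KEY k         key = k
OP_LEN = 0x02   # LEN n         n encrypted body bytes follow the loop opcode
OP_XOR = 0x03   # XORLOOP       decrypt body as byte ^ key; marks the end of the decryptor
OP_KEY2 = 0x04  # KEY2 a b      key = a ^ b (a second way to load the same key)
OP_SUB = 0x06   # SUBLOOP       decrypt body as (byte - key) & 0xFF; also ends the decryptor
OP_NOP = 0x90   # junk, ignored


def make_sample(seed: int) -> bytes:
    """Emit one mutation of the virus.  Variation is derived from the seed so the
    example is reproducible; a real engine would draw all of it at random."""
    rng = random.Random(seed)
    key = (seed * 97) % 255 + 1                  # 1..255: never 0, so the body is always transformed
    use_xor = seed % 2 == 1
    if (seed // 2) % 2 == 0:
        load_key = bytes([OP_KEY, key])
    else:
        a = (seed * 31) % 256
        load_key = bytes([OP_KEY2, a, a ^ key])
    set_len = bytes([OP_LEN, len(BODY)])
    parts = [load_key, set_len] if (seed // 4) % 2 == 0 else [set_len, load_key]
    decryptor = b"".join(bytes([OP_NOP]) * rng.randrange(0, 4) + part for part in parts)
    if use_xor:
        return decryptor + bytes([OP_XOR]) + bytes(b ^ key for b in BODY)
    return decryptor + bytes([OP_SUB]) + bytes((b + key) & 0xFF for b in BODY)


def emulate(sample: bytes) -> bytes:
    """Step the decryptor to its loop opcode and apply the loop: the scanner
    recovers the constant body instead of pattern-matching the ciphertext."""
    key = None
    n = None
    i = 0
    while i < len(sample):
        op = sample[i]
        if op == OP_NOP:
            i += 1
        elif op == OP_KEY:
            key, i = sample[i + 1], i + 2
        elif op == OP_KEY2:
            key, i = sample[i + 1] ^ sample[i + 2], i + 3
        elif op == OP_LEN:
            n, i = sample[i + 1], i + 2
        elif op in (OP_XOR, OP_SUB):
            if key is None or n is None:
                raise ValueError("loop reached before key and length were set")
            enc = sample[i + 1:i + 1 + n]
            if op == OP_XOR:
                return bytes(b ^ key for b in enc)
            return bytes((b - key) & 0xFF for b in enc)
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {i}")
    raise ValueError("no decryption loop found")


def scan_static(sample: bytes) -> bool:
    """Classic signature scan over the bytes as stored: defeated by the encryption."""
    return SIGNATURE in sample


def scan_emulated(sample: bytes) -> bool:
    """Scan after running the decryptor: finds the constant body every time."""
    try:
        return SIGNATURE in emulate(sample)
    except ValueError:
        return False


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte string that occurs in both samples."""
    best = 0
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


if __name__ == "__main__":
    s1, s2 = make_sample(1), make_sample(2)
    print("static scan :", scan_static(s1), scan_static(s2))        # False False
    print("emulated    :", scan_emulated(s1), scan_emulated(s2))    # True True
    print("longest common run between samples:", longest_common_run(s1, s2), "bytes")
```

The only bytes two samples can share are fragments of the decryptor (here at most a few junk bytes followed by the length instruction), which is why detection of polymorphic code moved from static signatures to decryptor emulation and algorithmic analysis of the decryptor itself.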
Some viruses (for instance those of the "Eddie" and "Murphy" families) use only
part of the functionality of a full stealth virus. Most often they intercept the
DOS FindFirst and FindNext functions (INT 21h, AH=11h, 12h) and decrease the
reported lengths of infected files. Such a virus cannot be detected by a change
in file size, provided of course that it is memory-resident. Programs which do
not use these DOS functions (for example, Norton Utilities) and read the
contents of the directory sectors directly show the real, increased size of an
infected file.
On infecting a file the virus may perform some actions that mask and speed up
its spread. Among them is handling of the read-only attribute: removing it
before infection and restoring it afterwards. Many file viruses read the date of
the last modification of the file and restore it after infection. To mask their
spread some viruses hook the DOS interrupt invoked when a write to a
write-protected disk is attempted (INT 24h, the critical error handler) and
handle it themselves. Thus, among the characteristic features of a file virus's
algorithm one may count the presence or absence of handling of:
- the read-only attribute;
- the time of the last modification of the file;
- interrupt 24h.
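The three masking actions just listed, together with the size-hiding of the partial-stealth viruses in the previous paragraph, are exactly what defeats an integrity checker that records only size and date. The Python below is an added example run against an in-memory stand-in for a disk, not code from the original text or from any real virus: the toy infector clears and restores the read-only attribute, restores the modification date, and, while "resident", subtracts its own length from the sizes reported through the hooked directory-search API. It is assumed for the illustration that a raw read goes straight to the stored bytes and bypasses the hook, as a tool reading the directory sectors directly would; the file contents and virus body are constructed placeholders. The size-and-date checker reports nothing, while a content hash and the Norton-style comparison of API-reported size against raw size both catch the infection.

```python
"""Masking actions of a file infector versus two integrity-check strategies.

Added example on an in-memory stand-in for a disk; no real DOS or file system is
involved.  The toy virus clears and restores the read-only attribute, restores
the last-modification time, and, while "resident", subtracts its own length from
the sizes reported through the directory-search API it hooks.  Assumed for the
illustration: a "raw" read goes straight to the stored bytes and bypasses the
hook, as a tool reading directory sectors directly would.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

VIRUS_BODY = b"\xEB\x02VIRUS-BODY"   # constructed placeholder for the appended virus code
VIRUS_LEN = len(VIRUS_BODY)


@dataclass
class File:
    data: bytes
    mtime: int            # last-modification time as DOS would record it in the directory entry
    readonly: bool = False


@dataclass
class Disk:
    files: Dict[str, File]
    infected: Set[str] = field(default_factory=set)   # what the resident virus remembers infecting

    # --- infection routine of the resident virus ------------------------------------
    def infect(self, name: str) -> bool:
        f = self.files[name]
        if name in self.infected or f.data.endswith(VIRUS_BODY):
            return False                        # already carries the body; do not re-infect
        was_readonly = f.readonly
        saved_mtime = f.mtime
        f.readonly = False                      # drop the attribute so the write is allowed
        f.data += VIRUS_BODY                    # parasitic infection: append the body
        f.mtime = saved_mtime                   # put the date back
        f.readonly = was_readonly               # put the attribute back
        self.infected.add(name)
        return True

    # --- two views of the same directory ---------------------------------------------
    def hooked_size(self, name: str) -> int:
        """Size as seen through FindFirst/FindNext while the virus is resident."""
        real = len(self.files[name].data)
        return real - VIRUS_LEN if name in self.infected else real

    def raw_size(self, name: str) -> int:
        """Size as seen by a tool that reads the directory sectors itself."""
        return len(self.files[name].data)


def snapshot_weak(disk: Disk) -> Dict[str, Tuple[int, int]]:
    """Size (via the hooked API) and date: everything the virus takes care to preserve."""
    return {n: (disk.hooked_size(n), f.mtime) for n, f in disk.files.items()}


def snapshot_strong(disk: Disk) -> Dict[str, str]:
    """Hash of the raw contents: a partial-stealth virus does not hide this."""
    return {n: hashlib.sha256(f.data).hexdigest() for n, f in disk.files.items()}


def changed(before: Dict, after: Dict) -> List[str]:
    """Names whose snapshot value differs between two runs of the checker."""
    return sorted(n for n in before if before[n] != after.get(n))


def stealth_suspects(disk: Disk) -> List[str]:
    """The cross-check from the text: API-reported size against raw directory size."""
    return sorted(n for n in disk.files if disk.hooked_size(n) != disk.raw_size(n))


if __name__ == "__main__":
    disk = Disk({"COMMAND.COM": File(b"\xE9\x10\x00COMMAND", mtime=1000, readonly=True),
                 "XCOPY.EXE": File(b"MZ" + b"\x00" * 30, mtime=2000)})
    weak0, strong0 = snapshot_weak(disk), snapshot_strong(disk)
    disk.infect("COMMAND.COM")
    disk.infect("XCOPY.EXE")
    print("size+date checker sees:", changed(weak0, snapshot_weak(disk)))        # []
    print("hash checker sees     :", changed(strong0, snapshot_strong(disk)))    # both files
    print("API vs raw size differ:", stealth_suspects(disk))                     # both files
```

The caveat a practitioner would add: a full stealth virus also intercepts reads of the infected file, so the hash check above only holds while the checker reads the disk through a path the virus has not hooked, which is why such checkers were run from a clean boot disk.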
The propagation speed of a virus may also be regarded as a feature of its
algorithm. The propagation speed of file viruses that infect files only when
they are executed is lower than that of viruses that infect files as they are
opened, renamed, have their attributes changed, and so on. Some viruses
("Eddie", "Murphy"), on creating their copy in RAM, try to occupy the memory
area with the highest addresses, overwriting the transient part of the command
interpreter COMMAND.COM. After an infected program completes, the transient part
of the interpreter is reloaded: COMMAND.COM is opened and, if the virus infects
files on opening, infected. Thus when such a virus is executed, the first file
to be infected is COMMAND.COM.
Propagation means and structure of computer viruses
As there are no known cases of infection of IBM-compatible computers by network
"worms", and companion viruses have, as a rule, a very simple algorithm and make
up less than 0.5 percent of all known viruses, only the so-called "parasitic"
viruses will be considered further.