The Classification of the Computer Viruses
------------------------------------------

Viruses may be classified by the following attributes:

- the environment in which the virus resides;
- the method of infection;
- the destructive capabilities;
- the features of the virus algorithm.

By ENVIRONMENT OF RESIDENCE viruses are divided into network, file and boot viruses. Network viruses spread through a computer network; file viruses embed themselves into executable files; boot viruses embed themselves into the boot sector of a disk or into the sector holding the system loader of the hard disk, the Master Boot Record (MBR). There are combinations of these, for example multipartite (file-and-boot) viruses that infect both kinds of object (files and disk boot sectors). Such viruses, as a rule, have a rather complicated algorithm, often use original methods of penetrating the system, and frequently use stealth and/or polymorphic technology as well.

By METHOD OF INFECTION viruses are divided into memory-resident and non-resident ones. After infecting the computer, a memory-resident virus leaves its resident part in RAM; that part then hooks the operating system's calls to the objects it targets (files, boot sectors) and embeds itself into them. Resident viruses stay in memory and remain active until the computer is switched off or rebooted. Non-resident viruses do not infect the computer's memory and are active only for a finite period, while the infected program runs. Some viruses leave small resident programs in RAM which do not spread the virus; such viruses are considered non-resident.

By DESTRUCTIVE CAPABILITIES viruses may be divided as follows:

- harmless, i.e.
not affecting the computer's operation (except for decreasing the free space on disk as a result of their propagation);
- not dangerous, whose influence is restricted to a decrease in free disk space and to graphic, sound and other effects;
- dangerous viruses, which can cause serious failures in the computer's operation;
- very dangerous viruses, which can result in the loss of programs, corrupt data, and erase information vital for the computer's operation held in system areas.

But even if a virus's algorithm contains no branches that harm the system, it cannot be called harmless with certainty, since its penetration into the computer can have unforeseen and sometimes catastrophic consequences. A virus, like any other program, has bugs, as a result of which both files and disk sectors can be corrupted: for example, the "DenZuk" virus, quite harmless at first sight, works correctly with 360K disks but can destroy information on disks of larger capacity. A resident virus may also conflict with the system when newer DOS versions are in use, or while working under MS-Windows or any other more powerful system; and so on.

By the FEATURES OF THEIR ALGORITHM, the following groups of viruses can be distinguished:

- "companion" viruses: file viruses that do not change files. Their algorithm consists in creating companion files for EXE files, with the same name but the extension .COM; for example, for the file XCOPY.EXE the file XCOPY.COM is created. The virus writes itself into the .COM file and does not change the .EXE file. When such a program is launched by name without an extension, DOS finds and executes the .COM file (the virus) first, which then launches the .EXE file.

- "worm" viruses: viruses that spread in a computer network and, like companion viruses, do not change files or sectors on disks. They penetrate the computer's memory from the network, compute the network addresses of other computers, and send their own copies to those addresses.
Such viruses sometimes create working files on the disks of the system, but they may not access the computer's resources at all (with the exception of main memory). Fortunately, such viruses have not yet appeared in networks of IBM-compatible computers.

- "parasitic" viruses: all viruses which, in spreading their copies, necessarily change the contents of files or disk sectors. This group includes all viruses that are not companions or worms.

- "student" viruses: extremely primitive viruses, often poorly debugged.

- "stealth" viruses: invisible viruses, which are fairly sophisticated programs that intercept DOS calls to infected files or disk sectors and substitute uninfected data areas for themselves. Moreover, when accessing files such viruses use rather unusual algorithms that allow them to deceive memory-resident anti-virus monitors. One of the first stealth viruses is the "Frodo" virus.

- "polymorphic" viruses: rather difficult to detect, they have no signatures, i.e. they contain no constant block of code. In most cases two samples of the same polymorphic virus do not have a single matching block of code. This is achieved by encrypting the main body of the virus and by modifying the decryptor program.

Some viruses (for instance, those of the "Eddie" and "Murphy" families) use part of the functionality of a full stealth virus. Most often they hook the DOS FindFirst and FindNext functions (INT 21h, AH=11h and AH=12h) and decrease the reported lengths of infected files. Such a virus cannot be detected by file size changes, provided, of course, that it is memory-resident. Programs that do not use those DOS functions (for example Norton Utilities) but read the contents of the sectors holding the directory directly bypass the hook and show the real, increased size of an infected file.

On infecting a file a virus may perform actions that mask and speed up its spread. Among them is handling of the read-only attribute: removing it before infection and restoring it afterwards.
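The difference between the DOS API view and the directory sectors themselves is what a size-hiding stealth virus trades on, and the timestamp restoration described next is what defeats a naive date check. The following is an added example, not code from the original article: it parses raw 32-byte FAT directory entries the way a sector-level tool does, emulates the sizes a resident virus hooking FindFirst/FindNext would report, and audits both views against a baseline taken on a clean system. The directory image, the file sizes and dates, the set of infected names and the 1800-byte virus length are all constructed for the example.

```python
# Added example, not code from the original article: a reader for raw FAT
# directory entries (what tools that bypass DOS FindFirst/FindNext see),
# an emulation of the view a resident size-hiding stealth virus presents
# through INT 21h AH=11h/12h, and an audit comparing both against a clean
# baseline. Directory image, sizes, dates and VIRUS_LEN are constructed.
import struct
from datetime import datetime

# 32-byte FAT directory entry: name(8) ext(3) attr(1) reserved(10)
# time(2) date(2) first cluster(2) size(4), all little-endian.
ENTRY_FMT = "<8s3sB10sHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32
ATTR_READ_ONLY, ATTR_VOLUME, ATTR_DIR, ATTR_ARCHIVE = 0x01, 0x08, 0x10, 0x20
DELETED, END_OF_DIR = 0xE5, 0x00


def decode_dos_datetime(date_word, time_word):
    """DOS packs YYYYYYYMMMMDDDDD (years since 1980) and HHHHHMMMMMMSSSSS (2-second units)."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def encode_dos_datetime(dt):
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def parse_directory(raw):
    """Walk raw directory sectors; skip deleted, volume-label and subdirectory entries."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = raw[off:off + ENTRY_SIZE]
        if chunk[0] == END_OF_DIR:
            break
        if chunk[0] == DELETED:
            continue
        name, ext, attr, _, time_w, date_w, _, size = struct.unpack(ENTRY_FMT, chunk)
        if attr & (ATTR_VOLUME | ATTR_DIR):
            continue
        stem, suffix = name.decode("ascii").rstrip(), ext.decode("ascii").rstrip()
        entries.append({"name": f"{stem}.{suffix}" if suffix else stem, "attr": attr,
                        "mtime": decode_dos_datetime(date_w, time_w), "size": size})
    return entries


def make_entry(stem, ext, attr, mtime, size, cluster=2):
    """Build one directory entry (used only to construct the sample image)."""
    date_w, time_w = encode_dos_datetime(mtime)
    return struct.pack(ENTRY_FMT, stem.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                       attr, b"\0" * 10, time_w, date_w, cluster, size)


VIRUS_LEN = 1800                        # assumed length the virus appends to each host
INFECTED = {"COMMAND.COM", "XCOPY.EXE"}  # constructed: which hosts carry it
STAMP = datetime(1991, 4, 9, 5, 0, 0)   # constructed common release timestamp

# Constructed image: COMMAND.COM infected with its timestamp restored, XCOPY.EXE
# (read-only) infected with a fresh timestamp left behind, one deleted entry,
# a clean text file, then the end-of-directory marker.
SAMPLE_DIR = (
    make_entry("COMMAND", "COM", ATTR_ARCHIVE, STAMP, 47845 + VIRUS_LEN, 3)
    + make_entry("XCOPY", "EXE", ATTR_READ_ONLY | ATTR_ARCHIVE,
                 datetime(1992, 3, 1, 9, 12, 0), 15820 + VIRUS_LEN, 40)
    + bytes([DELETED]) + make_entry("OLD", "TMP", ATTR_ARCHIVE, STAMP, 99, 70)[1:]
    + make_entry("README", "TXT", ATTR_ARCHIVE, datetime(1992, 1, 15, 12, 30, 10), 1234, 80)
    + bytes(ENTRY_SIZE)
)

# Baseline captured on the clean system: {name: (size, mtime)}.
BASELINE = {"COMMAND.COM": (47845, STAMP), "XCOPY.EXE": (15820, STAMP),
            "README.TXT": (1234, datetime(1992, 1, 15, 12, 30, 10))}


def api_reported_sizes(entries, infected=INFECTED, virus_len=VIRUS_LEN):
    """What a resident size-hiding virus returns through FindFirst/FindNext:
    the real size minus its own length for every infected file."""
    return {e["name"]: e["size"] - (virus_len if e["name"] in infected else 0) for e in entries}


def api_only_audit(reported, baseline=BASELINE):
    """A checker that trusts the DOS API: names whose reported size differs from baseline."""
    return sorted(n for n, s in reported.items() if n in baseline and baseline[n][0] != s)


def raw_audit(entries, reported, baseline=BASELINE):
    """A checker that reads the directory itself. Returns {name: [findings]}."""
    findings = {}
    for e in entries:
        notes = []
        if reported.get(e["name"]) != e["size"]:
            notes.append("api_size_mismatch")   # the resident hook is lying about this file
        if e["name"] in baseline:
            size, mtime = baseline[e["name"]]
            if size != e["size"]:
                notes.append("size_changed")
            if mtime != e["mtime"]:
                notes.append("mtime_changed")   # the virus did not restore the timestamp
        if notes:
            findings[e["name"]] = notes
    return findings


if __name__ == "__main__":
    entries = parse_directory(SAMPLE_DIR)
    reported = api_reported_sizes(entries)
    print("API-based check finds:", api_only_audit(reported))          # nothing: stealth works
    print("Raw-directory check finds:", raw_audit(entries, reported))  # both infected hosts
```

The API-only audit returns nothing, which is exactly the blind spot the text describes; the raw audit catches both hosts by size, and XCOPY.EXE additionally by its timestamp, which is why an integrity checker should read directory data below the DOS API and never rely on the modification date alone.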
Many file viruses read the date and time of the file's last modification and restore them after infection. To mask their spread, some viruses hook the DOS interrupt that is invoked when a write to a write-protected disk is attempted (INT 24h, the critical error handler) and handle it themselves, so that no error message betrays the attempt. Thus the presence or absence of handling of the following can be counted among the features of a file virus's algorithm:

- the read-only attribute;
- the time of the file's last modification;
- interrupt 24h.

The propagation speed of a virus may also be regarded as a feature of its algorithm. The propagation speed of file viruses that infect files only when they are executed is lower than that of viruses infecting files when they are opened, renamed, have their attributes changed, and so on. Some viruses ("Eddie", "Murphy"), on creating their copy in RAM, try to occupy the memory area with the highest addresses, overwriting the transient part of the command interpreter COMMAND.COM. After the infected program finishes, the transient part of the interpreter has to be reloaded: COMMAND.COM is opened and, if the virus infects files on opening, infected. Thus when such a virus runs, the first file to be contaminated is COMMAND.COM.

Propagation means and structure of computer viruses
---------------------------------------------------

Since there are no known cases of IBM-compatible computers being infected by network "worms", and since "companion" viruses have, as a rule, a very simple algorithm and make up less than 0.5 percent of all known viruses, only the so-called "parasitic" viruses will be considered further.
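Before companion viruses are set aside, the search order they exploit is worth seeing in code. The following is an added example, not code from the original article: it resolves a command name the way COMMAND.COM does (each directory in order, and within a directory .COM before .EXE before .BAT) against a constructed directory listing, and scans that listing for EXE files shadowed by a same-named COM, the pattern described under "companion" viruses above. The directory names, file sizes, the hidden flags and the 4096-byte "small companion" threshold are assumptions made for the example; `listing_from_tree` builds the same structure from a real directory tree.

```python
# Added example, not code from the original article: the DOS lookup order a
# companion virus exploits, applied to a constructed directory listing, and a
# scan for EXE files shadowed by a same-named COM. Directory names, sizes,
# hidden flags and the 4096-byte threshold are assumptions for the example.
import os

DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")   # order COMMAND.COM tries within one directory

# Constructed listing: {directory: {FILENAME: {"size": bytes, "hidden": bool}}}
LISTING = {
    "C:\\DOS": {
        "XCOPY.EXE":  {"size": 15820, "hidden": False},
        "XCOPY.COM":  {"size": 723,   "hidden": True},    # the companion: tiny and hidden
        "FDISK.EXE":  {"size": 57224, "hidden": False},
        "FORMAT.COM": {"size": 32911, "hidden": False},
    },
    "C:\\UTIL": {
        "PKUNZIP.EXE": {"size": 29378, "hidden": False},
        "PKUNZIP.COM": {"size": 29378, "hidden": False},  # full-size visible twin: weaker signal
    },
}


def resolve_command(command, path_dirs, listing=LISTING):
    """Return the file DOS would run for `command` typed without an extension:
    the given directories in order (current directory, then PATH), and inside
    each one .COM, then .EXE, then .BAT. None if nothing matches."""
    command = command.upper()
    for directory in path_dirs:
        names = listing.get(directory.upper(), {})
        for ext in DOS_EXT_ORDER:
            if command + ext in names:
                return directory.upper() + "\\" + command + ext
    return None


def companion_candidates(listing=LISTING, max_com_size=4096):
    """Every X.EXE with an X.COM beside it, i.e. an EXE that the lookup order
    above never reaches. Extra reasons raise suspicion: a companion is tiny
    (it only launches the real EXE) and is usually given the hidden attribute."""
    hits = []
    for directory, names in listing.items():
        for name in sorted(names):
            stem, ext = os.path.splitext(name)
            if ext != ".EXE" or stem + ".COM" not in names:
                continue
            com = names[stem + ".COM"]
            reasons = []
            if com["size"] <= max_com_size:
                reasons.append("small")
            if com["hidden"]:
                reasons.append("hidden")
            hits.append({"exe": f"{directory}\\{name}", "com": f"{directory}\\{stem}.COM",
                         "reasons": reasons})
    return hits


def listing_from_tree(root):
    """Build the same structure from a real tree. The hidden flag comes from
    st_file_attributes, which only exists on Windows; elsewhere it is False."""
    listing = {}
    for dirpath, _, filenames in os.walk(root):
        entries = {}
        for fn in filenames:
            st = os.stat(os.path.join(dirpath, fn))
            hidden = bool(getattr(st, "st_file_attributes", 0) & 0x02)
            entries[fn.upper()] = {"size": st.st_size, "hidden": hidden}
        listing[dirpath.upper()] = entries
    return listing


if __name__ == "__main__":
    print(resolve_command("xcopy", ["C:\\UTIL", "C:\\DOS"]))   # the .COM wins, not XCOPY.EXE
    for hit in companion_candidates():
        print(hit)
```

On a real disk, pass `listing_from_tree(root)` to `companion_candidates`; a legitimate package that ships both X.COM and X.EXE will show up with no extra reasons, while a small hidden .COM next to an .EXE is the shape of the companion described above.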