Computer viruses can be classified according to their environment and their infection method. The environment is the application or operating system that a given virus requires in order to infect files. The infection method is the technique used to inject the virus code into an object.
Most viruses can be found in one of the following environments:
- File systems
- Boot sectors
- Macro environments
- Script hosts
File viruses use the file system of a given operating system (or more than one) to propagate. File viruses can be divided into the following categories:
- Those that infect executable files (the largest group of file viruses)
- Those that create duplicates of files (companion viruses)
- Those that create copies of themselves in various directories
- Those that utilize file system features (link viruses)
Boot sector viruses write themselves either to the boot sector or to the master boot record, or displace the active boot sector. These viruses were widespread in the 1990s, but have almost disappeared since the introduction of 32-bit processors as standard and the decline of floppy disks. It would be technically possible to write boot sector viruses for CDs and USB flash ROMs, but no such viruses have yet been detected.
Many word processing, accounting, editing and project applications have built-in macro scripts which automate frequently used sequences. These macro languages are often complex and include a wide range of commands.
Macro viruses are written in macro languages and infect applications with built-in macros. Macro viruses propagate by exploiting macro language properties in order to transfer from an infected file to another file.
The groups of viruses listed above can be sub-divided according to the technique a virus uses to infect objects.
File viruses use the following infection methods:
- Object modules (OBJ)
- Compiling libraries (LI
- Application source code
The simplest infection method is overwriting: the virus replaces the code of the infected file with its own, erasing the original code. The file is rendered useless and cannot be restored. Such viruses are easily detected because the operating system and affected applications cease to function shortly after infection.
Parasitic viruses modify the code of the infected file. The infected file remains partially or fully functional.
Parasitic viruses are grouped according to the section of the file they write their code to:
- Prepending: the malicious code is written to the beginning of the file
- Appending: the malicious code is written to the end of the file
- Inserting: the malicious code is inserted in the middle of the file
Prepending viruses write their code to target files in two ways. In the first scenario, the virus moves the code from the beginning of the target file to the end and writes its own code into the freed space. In the second scenario, the virus appends the code of the target file to its own code.
In both cases, every time the infected file is launched, the virus code is executed first. In order to maintain application integrity, the virus may clean the infected file, re-launch it, wait for the file to finish executing, and then copy itself back to the beginning of the file. Some viruses use temporary files to store clean versions of infected files. Others restore the application code in memory and reset the necessary addresses in the body, thus duplicating the work of the operating system.
Most viruses fall into this category. Appending viruses write themselves to the end of the infected file. However, these viruses usually modify the file (changing the entry point in the file header) to ensure that the commands contained in the virus code are executed before the infected object's own commands.
Inserting viruses use a variety of methods to write code to the middle of a file. The simplest are moving part of the original code to the end of the file or pushing it aside to create space for the virus; others copy their own code to empty sections of the target file.
The latter are the so-called cavity viruses, which write their code to sections of files that are known to be empty. For instance, cavity viruses can copy themselves to the unused part of exe file headers, to the gaps between exe file sections, or to text areas of popular compilers. Some cavity viruses only infect files where a certain block contains a certain byte; the chosen block is then overwritten with the virus code.
Finally, some inserting viruses are badly written and simply overwrite sections of code that are essential for the infected file to function. This corrupts the file irrevocably.
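As an added illustration (not code from the original article), the following Python parses a PE header to find which section holds AddressOfEntryPoint: an entry point in the last of several sections, or outside every section, is the trace left by an appending virus that rewrote the header field described above. The minimal PE images are constructed here for the demonstration; packers legitimately produce the same layout, so a hit is a reason to inspect the file, not a verdict.

```python
import struct

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header (not a runnable program) holding only the
    fields the parser reads. sections: list of (name, VirtualAddress, VirtualSize)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)               # e_lfanew: PE header at offset 64
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIII16x", n.encode(), vs, va, vs, 0)
                    for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def entry_point_section(data):
    """Return (index, name, section_count) of the section containing the entry
    point, or (None, None, section_count) if it lies outside every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    table = pe + 24 + opt_size                                # first section header
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, table + 40 * i)
        if va <= entry < va + vsize:
            return i, name.rstrip(b"\0").decode("ascii", "replace"), nsec
    return None, None, nsec

def entry_point_findings(data):
    """Heuristics for a rewritten entry point; each string is a reason to look closer."""
    idx, name, nsec = entry_point_section(data)
    findings = []
    if idx is None:
        findings.append("entry point outside all sections")
    elif nsec > 1 and idx == nsec - 1:
        findings.append(f"entry point in last section {name!r} ({idx + 1} of {nsec})")
    return findings

# Constructed samples: a normal layout, and one with an extra section taking the entry point.
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)])
APPENDED = build_pe(0x4020, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000),
                             (".new", 0x4000, 0x400)])
```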
Entry point obscuring viruses - EPOs
There is a small group of parasitic viruses, including both appending and inserting viruses, which do not modify the entry point address in the headers of exe files. EPO viruses write the routine that points to the virus body into the middle of the infected file. The virus code is then executed only if the routine containing the jump to the virus is called. If this routine is rarely used (e.g. a rarely triggered error notification), an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find usable entry points:
- Searching for frames and overwriting them with the virus's starting point
- Disassembling the host file code
- Changing the addresses of imported functions
Companion viruses do not modify the host file. Instead they create a duplicate file containing the virus. When the infected file is launched the copy containing the virus will be executed first.
This category includes viruses that rename the host file, record the new name for future reference and then overwrite the original file. For instance, a virus might rename notepad.exe as notepad.exd and write its own code to a file under the original name. Each time the user of the victim machine launches notepad.exe, the virus code is executed, and the original Notepad file, notepad.exd, is run afterwards.
There are other types of companion viruses which use original infection techniques or exploit vulnerabilities in specific operating systems. For instance, path-companion viruses place their copies in the Windows system directory, exploiting the fact that this directory is first in the PATH list: the system searches this directory first when launching a program. Many contemporary worms and Trojans use such autorun techniques.
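An added example, not from the original article, with constructed directories standing in for a Windows system directory and a user directory: it reports executables shadowed by a same-named file earlier on PATH (the path-companion case), and .exe files sitting beside a same-named file with an unexpected extension (the notepad.exe / notepad.exd pattern). Both lists are candidates for review, not verdicts.

```python
import os
import tempfile

EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}
# Extensions that legitimately sit beside an .exe and are not companion candidates
BENIGN_EXTS = {".dll", ".ini", ".txt", ".config", ".manifest", ".pdb", ".lnk"}

def find_path_shadows(path_dirs):
    """Executable names present in more than one PATH directory, in PATH order.
    A bare command name resolves to the first hit, so it shadows every later copy."""
    hits = {}
    for d in path_dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            base, ext = os.path.splitext(entry.lower())
            if ext in EXEC_EXTS:
                hits.setdefault(base, []).append(os.path.join(d, entry))
    return {base: paths for base, paths in hits.items() if len(paths) > 1}

def find_rename_companions(directory):
    """Base names that have an .exe plus a same-named file with an unexpected extension."""
    exts_by_base = {}
    for entry in os.listdir(directory):
        base, ext = os.path.splitext(entry.lower())
        exts_by_base.setdefault(base, set()).add(ext)
    return sorted(base for base, exts in exts_by_base.items()
                  if ".exe" in exts and exts - EXEC_EXTS - BENIGN_EXTS)

def demo():
    """Constructed tree: 'system' (first on PATH) and 'user'; returns both reports."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system")
        userdir = os.path.join(root, "user")
        os.makedirs(sysdir)
        os.makedirs(userdir)
        for name in ("notepad.exe", "notepad.exd", "calc.exe", "calc.ini"):
            open(os.path.join(sysdir, name), "wb").close()
        open(os.path.join(userdir, "notepad.exe"), "wb").close()
        shadows = find_path_shadows([sysdir, userdir])
        # report directory names only, so the result does not depend on the temp path
        short = {k: [os.path.basename(os.path.dirname(p)) for p in v] for k, v in shadows.items()}
        return short, find_rename_companions(sysdir)
```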
Other infection techniques
Some viruses do not use executable files to infect a computer, but simply copy themselves to a range of folders in the hope that sooner or later they will be launched by the user. Some virus writers give their viruses names such as install.exe or winstart.bat in order to persuade the user to launch the file containing the virus.
Other viruses copy themselves to compressed files in formats such as ARJ, ZIP and RAR, while still others write the command to launch an infected file to a BAT-file.
Link viruses also do not modify host files. However, they force the operating system to execute the virus code by modifying the appropriate fields in the file system.
Boot Sector Viruses
The boot viruses currently known infect the boot sectors of floppy disks and the boot sector or Master Boot Record (MBR) of the hard disk. Boot viruses rely on the algorithm used to launch the operating system when the computer is switched on or rebooted. Once the necessary checks of memory, disks etc. have been carried out, the system boot program reads the first physical sector of the boot disk (A:, C: or the CD-ROM, depending on the parameters configured in BIOS Setup) and passes control to this sector.
When infecting disks, a boot virus substitutes its code for that of the program which gains control when the system launches. To infect the system, the virus forces the system to load the virus code into memory and hand control to it rather than to the original boot program.
Floppy disks can only be infected in one way: the virus writes its code in place of the original boot sector code of the disk. Hard disks can be infected in three ways: the virus either writes its code in place of the MBR code, or in place of the boot sector code of the boot partition, or it modifies the address of the active boot sector in the Disk Partition Table in the hard disk MBR.
In the vast majority of cases, when infecting a disk the virus moves the original boot sector (or MBR) to another sector of the disk, often the first empty one. If the virus is longer than the sector, then the infected sector contains the first part of the virus code, and the remainder is placed in other sectors, usually the first free ones.
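Added example, not from the original article: a Python check that parses the four partition-table entries of a 512-byte MBR image and compares it with a baseline copy saved while the disk was known to be clean. The MBR images here are constructed placeholders; the two tampered copies mimic the first and third hard-disk infection methods described above (MBR code replaced, active boot sector address changed in the partition table).

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446        # four 16-byte partition entries follow the boot code
ENTRY = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector):
    """Return (signature_ok, entries) for one 512-byte MBR image."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[510:512] == b"\x55\xaa"
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        entries.append({"active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return sig_ok, entries

def mbr_findings(sector, baseline_active_lba, baseline_code):
    """Compare a freshly read MBR against values recorded from the same disk when clean."""
    findings = []
    sig_ok, entries = parse_mbr(sector)
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    if active and active[0]["lba"] != baseline_active_lba:
        findings.append(f"active boot sector moved: LBA {baseline_active_lba} -> {active[0]['lba']}")
    if sector[:TABLE_OFFSET] != baseline_code:
        findings.append("MBR boot code differs from baseline")
    return findings

def build_mbr(code, table):
    """Constructed MBR image (placeholder bytes, not real boot code)."""
    body = bytearray(SECTOR)
    body[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(table):
        struct.pack_into(ENTRY, body, TABLE_OFFSET + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    body[510:512] = b"\x55\xaa"
    return bytes(body)

CLEAN_CODE = b"\xfa\x33\xc0" + b"\x90" * 443               # 446 constructed bytes
CLEAN = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 204800)])
CODE_REPLACED = build_mbr(b"\xeb\xfe" + b"\x00" * 444, [(0x80, 0x07, 2048, 204800)])
TABLE_REDIRECTED = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, 204800)])
```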
The most widespread macro viruses are for Microsoft Office applications (Word, Excel and PowerPoint) which save information on OLE2 (Object Linking and Embedding) format. Viruses for other applications are relatively rare.
The actual location of a virus within an MS Office file depends on the file format, which in the case of Microsoft products is extremely complex. Every Word document, Office 97 document or Excel table is composed of a sequence of data blocks (each with its own format) linked by service data.
When working with documents and tables, MS Office carries out a number of different actions: the application opens the document, saves it, prints it, closes it, etc. For each of these, MS Word searches for and executes the appropriate built-in macro. For example, the File/Save command calls the FileSave macro, the File/SaveAs command calls the FileSaveAs macro, and so on, provided such macros are defined.
There are also auto macros, which are called automatically in a range of situations. For instance, when a document is opened, MS Word checks the document for the presence of the AutoOpen macro. If the macro is found, Word executes it. When a document is closed, Word executes the AutoClose macro; when Word is launched, the application executes the AutoExec macro, etc. These macros are executed automatically, without any action from the user, as are macros associated either with a particular key or with a specific time or date.
As a rule, macro viruses which infect MS Office files will use one of the techniques described above. The virus will either contain an auto macro (automatic function) or one of the standard system macros (associated with a menu item) will be redefined, or the virus macro will be automatically called by a certain key stroke or key combination. Once the macro virus has gained control, it will transfer its code to other files, usually ones which are currently being edited. More rarely, the viruses will search disks for other files.