Virus types and variants
Edited by Humboldt-Universität, Berlin
File viruses (Program viruses, COM viruses)
File viruses are the best known and most common type of computer virus. They infect executable programs (COM, EXE, OVL, OBJ, SYS, BAT, DRV and DLL files) and are activated when such a program is run.
Boot sector viruses
Boot sector viruses (boot viruses) are concealed in the boot sector of hard disks and floppy disks, or in the hard disk's Master Boot Record (MBR). When the computer boots from such a medium, the virus loads itself into main memory and can cause permanent damage.
Macro viruses
Macro viruses are found in macros (i.e. automated command sequences) for documents, spreadsheets, graphics, databases, etc. Such viruses may be activated when these files are processed by the corresponding application program (e.g. Word for Windows).
Hybrid viruses (Multipartite viruses)
Hybrid viruses are combinations of several virus types, in particular document and boot sector viruses. This gives them several propagation routes at once and consequently makes them harder to remove from the system.
Script viruses
A completely new generation of viruses includes harmful Java applets and, in particular, script viruses based on Visual Basic Script. These can be hidden not only in VBS files but also in HTML code.
Link viruses/Directory viruses
Link viruses manipulate the directory entries on a storage medium so that the sectors containing the actual virus code are executed before the program that was actually requested.
Stealth viruses
Stealth viruses have special mechanisms which enable them to hide from virus scanners. A stealth virus can present a clean version of an infected file while it is being examined and thus ensure that the infection goes undetected.
Polymorphic viruses
Polymorphic viruses regularly alter their appearance, making it nearly if not entirely impossible for virus scanners that work by pattern recognition to detect them.
Slow viruses
Slow viruses remain unrecognised for a long period of time because their manipulation of data is minimal. This increases the likelihood of their being copied onto backup media as well; as a result, the user is left with no virus-free duplicates or older versions.
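The preceding three entries describe two ways a virus can defeat a scanner that relies on byte patterns, and a third that poisons backups. The following added example (written for this page, not code from the original glossary or its editors) contrasts a pattern-recognition scan with an integrity check: a hash baseline taken while the system is known to be clean catches any modification of a protected file, regardless of what the inserted code looks like. The file contents, the "KNOWN_SIGNATURE" bytes and the one-byte "variant" are all constructed for the demonstration; they are not real virus patterns.

```python
import hashlib
from typing import Dict, List

# Constructed byte pattern standing in for a scanner's signature of a known
# virus (hypothetical; not a real detection pattern).
KNOWN_SIGNATURE = b"\xEB\x1E\x90VIRUSMARK"


def signature_scan(data: bytes, signature: bytes = KNOWN_SIGNATURE) -> bool:
    """Pattern-recognition scan: True if the known byte pattern occurs in the file."""
    return signature in data


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a hash of every protected file while the system is known clean.

    The baseline must come from a clean boot (e.g. a write-protected rescue
    medium): a memory-resident stealth virus could otherwise hand the checker
    the clean file image, and a slow virus may already sit in the backups.
    """
    return {name: sha256_of(content) for name, content in files.items()}


def integrity_check(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Return the names of files whose current hash differs from the baseline."""
    return sorted(name for name, content in files.items()
                  if baseline.get(name) != sha256_of(content))


def demo() -> dict:
    # Constructed "program": a few bytes standing in for a small COM file.
    clean = {"HELLO.COM": b"\xB4\x09\xBA\x00\x01\xCD\x21\xCD\x20"}
    baseline = build_baseline(clean)

    # Copy with the known pattern appended: the scanner recognises it.
    infected = {"HELLO.COM": clean["HELLO.COM"] + KNOWN_SIGNATURE}

    # Copy with a changed appearance, simulated here by flipping a single byte
    # of the appended code; the pattern scanner no longer matches, but the
    # file's hash still differs from the baseline.
    variant_code = bytearray(KNOWN_SIGNATURE)
    variant_code[-1] ^= 0x01
    variant = {"HELLO.COM": clean["HELLO.COM"] + bytes(variant_code)}

    return {
        "scan_finds_original": signature_scan(infected["HELLO.COM"]),
        "scan_finds_variant": signature_scan(variant["HELLO.COM"]),
        "integrity_flags_original": integrity_check(infected, baseline),
        "integrity_flags_variant": integrity_check(variant, baseline),
        "integrity_clean": integrity_check(clean, baseline),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The integrity check does not say what changed a file, only that it changed, so it complements rather than replaces a scanner; its value depends entirely on the baseline having been taken from a clean state and stored where an infected system cannot rewrite it.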
Experimental viruses
If they occur at all, experimental viruses appear only within the scope of LSP programming, infecting the source code. They are extremely difficult to program and receive little attention in the "normal" PC world.
Worms
Worms, which copy themselves, are technically not viruses at all, as they do not require a host program.
Trojan horses
Similarly, Trojan horses are not viruses in the classic sense (they do not usually copy themselves) but software with harmful functionality concealed behind the name of a recognised (harmless) program. They are capable of implanting viruses or spying out data such as passwords.
Logic bombs
Logic bombs are programs which cause damage only under certain conditions (a certain date is reached, a particular database record is deleted, a file with a particular name is created).
Direct-action viruses
When an infected program is run, direct-action viruses immediately infect other program files and carry out any damage routine they contain. The virus then hands control back to the original program and disappears from main memory.
ANSI viruses
ANSI viruses are not actually viruses, but merely unusually "charming" manipulations of function keys by means of ANSI character strings (escape sequences). They cause no damage unless the ANSI.SYS driver has been loaded.
Denial of service (E-mail bombing)
E-mail bombing entails overwhelming a target system with so many e-mail messages that, in extreme cases, normal e-mail use is no longer possible.
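The following added example (written for this page, not part of the original glossary) shows the kind of detection a mail administrator can run against delivery logs to spot an e-mail bombing attempt: a sliding-window count of messages per sender/recipient pair that raises an alert once the count exceeds a threshold. The log format, the addresses and the timestamps are all constructed for the demonstration, as are the threshold and window values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed log lines in a simplified "timestamp from=... to=..." format
# (not real mail server output).
LOG_LINES = [
    "2024-05-01T09:00:00 from=alice@example.com to=victim@example.org",
    "2024-05-01T09:00:05 from=bomber@example.net to=victim@example.org",
    "2024-05-01T09:00:06 from=bomber@example.net to=victim@example.org",
    "2024-05-01T09:00:07 from=bomber@example.net to=victim@example.org",
    "2024-05-01T09:00:08 from=bomber@example.net to=victim@example.org",
    "2024-05-01T09:00:09 from=bomber@example.net to=victim@example.org",
    "2024-05-01T09:02:30 from=alice@example.com to=victim@example.org",
    "2024-05-01T09:05:00 from=bomber@example.net to=victim@example.org",
]


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, sender, recipient)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["from"], fields["to"]


def detect_mail_flood(lines: List[str], threshold: int = 5,
                      window_seconds: int = 60) -> List[Tuple[str, str, datetime]]:
    """Alert when one sender delivers >= threshold messages to one recipient
    within window_seconds. Lines are processed in chronological order.

    Returns one (sender, recipient, time_of_first_exceedance) tuple per pair.
    """
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Tuple[str, str, datetime]] = []
    window = timedelta(seconds=window_seconds)

    for line in lines:
        ts, sender, rcpt = parse_line(line)
        key = (sender, rcpt)
        q = windows[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append((sender, rcpt, ts))
    return alerts


if __name__ == "__main__":
    for sender, rcpt, when in detect_mail_flood(LOG_LINES):
        print(f"mail flood: {sender} -> {rcpt}, threshold reached at {when}")
```

A per-pair window is deliberately narrow: it catches a single source hammering one mailbox, which is what the glossary entry describes. Bombing that is spread across many forged sender addresses needs a count keyed on the recipient alone (or on the connecting host), which the same loop provides by changing the key.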
E-mail viruses
E-mail viruses hide in e-mail attachments and are transferred to the local computer when such an attachment is opened.
Sendmail bugs
Sendmail bugs are Trojan horses which are smuggled into the critical Send Mail program, where they then spy out passwords.
DNS attacks
A DNS attack causes a user's Internet request for a given computer to be redirected to a third computer. This serves purposes such as spying out passwords.
All communication between two computers is rerouted via an external attacker and spied out. The data is then forwarded to the correct addressee.
Backdoors
Backdoors permit remote control of a computer. This allows an external attacker to manipulate or spy out data via the network.
Each keystroke made by the user is secretly read and recorded by a program which has been smuggled onto the computer. Passwords may be spied out by this method.
Packet sniffers
Packet sniffers are programs capable of reading data sent by users, recognising passwords within it and collecting them.
An attacker creates data packets with a forged source address; the receiving computer assumes that they come from an internal user and grants the corresponding access rights.
ICMP messages are used for error reporting and the automatic handling of network problems. Forged ICMP messages can impair network operation.
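The forged-source-address entry above is the case that ingress and egress filtering at a network border is designed to counter. The following added example (written for this page, not part of the original glossary) classifies packets by the interface they arrive on: a packet arriving from outside that claims an internal source address is dropped, as is a packet leaving the internal network with a source address that does not belong to it. The interface names "wan" and "lan", the internal prefixes and the sample packets are all constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed: address ranges that belong to the internal network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed interface names: "wan" faces the Internet, "lan" faces inside.
EXTERNAL_IFACE = "wan"
INTERNAL_IFACE = "lan"


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(packet: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet given as {"iface", "src", "dst"}."""
    src_internal = is_internal(packet["src"])
    if packet["iface"] == EXTERNAL_IFACE and src_internal:
        # Ingress filter: nothing from the Internet may claim an inside address.
        return "DROP", "internal source address on external interface (spoofed)"
    if packet["iface"] == INTERNAL_IFACE and not src_internal:
        # Egress filter: our own hosts must not emit packets with foreign sources.
        return "DROP", "non-internal source address leaving the internal network"
    return "ACCEPT", "source address consistent with arrival interface"


def filter_packets(packets: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply classify() to a batch; returns (src, verdict, reason) per packet."""
    return [(p["src"],) + classify(p) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"iface": "wan", "src": "203.0.113.5", "dst": "10.0.0.10"},   # ordinary inbound
    {"iface": "wan", "src": "10.1.2.3", "dst": "10.0.0.10"},      # forged inside source
    {"iface": "lan", "src": "10.1.2.3", "dst": "198.51.100.9"},   # ordinary outbound
    {"iface": "lan", "src": "198.51.100.9", "dst": "203.0.113.5"},  # forged outbound
]

if __name__ == "__main__":
    for src, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{src:15} {verdict:7} {reason}")
```

The filter only enforces consistency between arrival interface and claimed source, so it is a border control, not a substitute for authenticating users: an address-based trust decision inside the network (the failure the glossary entry describes) is still wrong even when spoofed packets cannot reach it from outside.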