Viruses are generally distinguished by the way they spread and propagate or by the target they attack. The following virus types do not necessarily indicate a strict division. A file infector, for example, may also be a system infector. A script virus that infects other script files may also be considered a file infector. There are also difficulties in drawing a hard distinction between macro and script viruses. Nevertheless, the virus types that I describe in this post provide a pretty good classification of computer viruses as researched by security scientists.
- File Infector Virus – Infects program (object) files. System infectors that infect operating system program files (such as COMMAND.COM in DOS) are also file infectors. These types of viruses can attach to the front of the object file (prependers), attach to the back of the file and create a jump at the front of the file towards the virus code (appenders), or overwrite the file or portions of it (overwriters). A classic example is the Jerusalem virus. A bug in early versions caused it to add itself over and over again to files, making the increase in file length detectable.
- System Infector Virus – A somewhat vague term. Some use the term to indicate viruses that infect operating system files, or boot sectors, such that the virus is called at boot time, and has or may have pre-emptive control over some functions of the OS. In other usage, a system infector modifies other system structures, such as the linking pointers in directory tables or the Windows Registry, in order to be called first when programs are run. Many email viruses target the Registry, such as the Magistr virus.
- Boot Sector Infector – Infects the Master Boot Record, System Boot Record, or other boot blocks on physical disks. Boot Sector Infector viruses usually copy the existing boot sector to another unused sector, and then copy themselves into the physical first sector, ending with a call to the original programming. Examples are Brain, Stoned, and Michelangelo.
- Email Virus – A virus that specifically, rather than accidentally, uses the email system to propagate. While virus-infected files may be accidentally sent as email attachments, email viruses are aware of email system functions. They generally target a specific type of email system (e.g., Microsoft Outlook), harvest email addresses from various sources, and may append a copy of themselves to all outgoing email, or generate email messages containing copies of themselves as attachments. Some email viruses may monitor all network activity and follow up legitimate messages with messages that they generate. Some email virus examples are Melissa, Loveletter, Hybris, Christmas, etc.
- Multipartite – Originally this term was used to indicate a virus that was able to infect both boot sectors and program files. Current usage tends to mean a virus that can infect more than one type of object, or reproduce in more than one way. Examples are Telefonica, One Half, and Junkie.
- Macro Virus – A virus that uses the macro programming of an application such as a word processor. Most known macro viruses use Visual Basic for Applications in Microsoft Word; some are able to cross between applications and function in, for example, a PowerPoint presentation and a Word document. Macro viruses can operate across hardware or operating systems as long as the required application platform is present. Examples are Concept and CAP. Melissa is also a macro virus in addition to being an email virus.
- Script Virus – Script viruses are generally differentiated from macro viruses in that script viruses are usually standalone files that can be executed by an interpreter, such as Microsoft Script Host (.vbs files). A script virus file can be seen as a data file in that it is generally a simple text file, but it usually does not contain other data, and generally has some indicator (such as the .vbs extension) that it is executable. Loveletter is an example of a script virus.
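
The prepender, appender and overwriter layouts from the File Infector entry can be told apart during integrity triage by comparing a trusted baseline copy of a program file with its current bytes. The sketch below is an added example, not taken from the source book; the function names, the `entry_window` parameter and the sample bytes are assumptions constructed for illustration, and the second function flags the repeated file-length growth mentioned for early Jerusalem versions.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    kind: str      # unchanged | prepender | appender | tail-growth | overwriter
    growth: int    # current length minus baseline length, in bytes

def classify_change(baseline: bytes, current: bytes, entry_window: int = 16) -> Finding:
    """Compare a trusted baseline copy of a program file with its current bytes."""
    growth = len(current) - len(baseline)
    if current == baseline:
        return Finding("unchanged", 0)
    if growth > 0 and current.endswith(baseline):
        # Original image intact at the end: new bytes sit in front of it.
        return Finding("prepender", growth)
    if growth > 0 and current[entry_window:len(baseline)] == baseline[entry_window:]:
        # Original body intact, new bytes at the end. A changed entry window
        # matches the "jump at the front" layout; otherwise it is only tail growth.
        patched = current[:entry_window] != baseline[:entry_window]
        return Finding("appender" if patched else "tail-growth", growth)
    # Original bytes were replaced in place (whole file or a portion of it).
    return Finding("overwriter", growth)

def grows_repeatedly(sizes: list[int], min_steps: int = 2) -> bool:
    """True if a file's recorded size increased at least min_steps times in a row."""
    run = 0
    for prev, cur in zip(sizes, sizes[1:]):
        run = run + 1 if cur > prev else 0
        if run >= min_steps:
            return True
    return False

# Constructed sample data: inert filler bytes, not real program or virus code.
BASELINE = b"\xe9\x10\x00" + b"ORIGINAL PROGRAM BODY" * 4
ADDED = b"X" * 32
SAMPLES = {
    "clean": BASELINE,
    "front": ADDED + BASELINE,
    "back": b"\xe9\x99\x00" + BASELINE[3:] + ADDED,
    "inplace": ADDED + BASELINE[len(ADDED):],
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_change(BASELINE, data))
    print(grows_repeatedly([4096, 5000, 5904]))  # constructed size history
```

A legitimate update also changes a file, so a finding here describes only where the bytes changed relative to the baseline and still needs to be checked against the vendor's known-good version.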
Source: CISSP CBK Review Seminar Book