Computer Viruses

Some URLs.

An FAQ. An introduction. The following is plagiarized from these URLs.

What is a computer virus?

A computer virus is a self-replicating program containing code that explicitly copies itself and that can ``infect'' other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus.

Note that many people use the term ``virus'' loosely to cover any sort of program that tries to hide its possibly malicious function and/or tries to spread onto as many computers as possible, though some of these programs may more correctly be called ``worms'' or ``Trojan Horses.''

What is a worm?

A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems, usually via network connections. Note that unlike viruses, worms do not need to attach themselves to a host program.

What is a Trojan Horse?

A Trojan Horse is a program that does something undocumented that users would not approve of if they knew about it.

Famous UNIX Trojan Horse: If you have . (the current directory) first in your shell PATH variable, then you are vulnerable to a Trojan Horse ls placed in a mischievous user's directory. If you cd into that user's directory and type ls, that user's ls, and not the system one, is executed with your privileges. Imagine the result if the Trojan Horse ls contains rm -fr $HOME! The cure is to leave . out of PATH altogether.
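To see the dot-first PATH problem concretely, here is an added example (it is not from this FAQ or from the URLs it draws on). It plants a fake ls whose payload only records that it ran, then runs the bare command ls through /bin/sh under three PATH settings and reports which one executed the planted file. The scratch directory, the marker file and the function names are this example's own; it assumes a POSIX system with /bin/sh, /bin/ls and id available.

```python
import os
import shutil
import subprocess
import tempfile

# Harmless stand-in for the FAQ's "rm -fr $HOME" payload: the fake ls records that it ran,
# then hands off to the real /bin/ls so the victim sees a perfectly normal listing.
TROJAN_LS = """#!/bin/sh
echo "trojan ls ran as $(id -un)" >> "{marker}"
exec /bin/ls "$@"
"""


def plant_trojan(directory: str) -> str:
    """Put a fake 'ls' in directory (the mischievous user's home); return the marker path."""
    marker = os.path.join(directory, ".trojan_ran")
    script = os.path.join(directory, "ls")
    with open(script, "w") as fh:
        fh.write(TROJAN_LS.format(marker=marker))
    os.chmod(script, 0o755)
    return marker


def which_ls(directory: str, path: str) -> str:
    """The check to run before trusting a PATH: what does the bare name 'ls' resolve to
    when the current directory is `directory` and PATH is `path`?"""
    saved = os.getcwd()
    os.chdir(directory)
    try:
        return shutil.which("ls", path=path) or ""
    finally:
        os.chdir(saved)


def trojan_fires(directory: str, path: str) -> bool:
    """cd into directory and run the bare command 'ls' through /bin/sh under the given PATH.
    Returns True if the planted ls executed instead of the system one."""
    marker = os.path.join(directory, ".trojan_ran")
    if os.path.exists(marker):
        os.remove(marker)
    subprocess.run("ls", shell=True, cwd=directory, env={"PATH": path},
                   check=True, stdout=subprocess.DEVNULL)
    return os.path.exists(marker)


def demo() -> dict:
    """Plant the trojan in a scratch directory and try three PATH settings."""
    with tempfile.TemporaryDirectory() as victim_cwd:
        plant_trojan(victim_cwd)
        return {
            "resolved_dot_first": which_ls(victim_cwd, ".:/bin:/usr/bin"),  # "./ls"
            "dot_first": trojan_fires(victim_cwd, ".:/bin:/usr/bin"),       # True
            "dot_last": trojan_fires(victim_cwd, "/bin:/usr/bin:."),        # False
            "no_dot": trojan_fires(victim_cwd, "/bin:/usr/bin"),            # False
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the dot-last setting only protects against names that exist in the system directories; a misspelling such as sl still resolves to the current directory, which is why dropping . from PATH entirely is the better fix.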

What are the main types of viruses?

There are two main classes of viruses.

The first class consists of the file infectors which attach themselves to ordinary program files. File infectors can be either direct-action or memory-resident. A direct-action virus selects one or more programs to infect each time a program infected by it is executed. A memory-resident virus installs itself somewhere in RAM the first time an infected program is executed, and thereafter infects other programs when they are executed. Most viruses are memory-resident.

The second main category of viruses is system or boot-record infectors. These viruses infect executable code found in certain system areas on a disk. On PCs there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. All common boot sector and MBR viruses are memory-resident.

A stealth boot-sector infector goes further: it monitors physical disk I/O and redirects any attempt to read the infected boot sector to the disk area where the virus copied the original boot sector, so that anyone (or any program) inspecting the boot sector while the virus is resident sees the clean original.

Definitions.

DOS Boot Sector (DBS): The first sector of a logical DOS partition on a hard disk or the first absolute sector of a diskette. This sector contains the startup code that actually loads DOS. This is often confused with the MBR. Some boot sector viruses infect the DBS rather than the MBR when infecting hard disks.

Master Boot Record (MBR): the first absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table but on some PCs may only contain a boot sector. This is not the same as the DOS Boot Sector, logical sector 0.

Partition Table: A 64-byte data structure that defines the way a PC's hard disk is divided into logical sections known as partitions. While there is often more than one partition table on a PC's hard disk, the most important is the one stored in the MBR. This one contains important extra information such as which partition (if any) should be booted from. The partition table is purely data, so is not executed.
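An added example, not from this FAQ, that parses the structures defined above with Python's struct module: it checks the 0x55AA boot signature in the last two bytes of the sector, splits off the 446-byte code region, decodes the four 16-byte partition entries (including the packed CHS fields), and rejects a table with a bad boot indicator or more than one active partition. The sample MBR is constructed here, not dumped from a disk, and the fingerprint function is this example's own suggestion for the kind of integrity check an anti-virus tool makes on the code region.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the 64-byte partition table: four 16-byte entries
SIGNATURE_OFFSET = 510      # 0x55 0xAA boot signature in the sector's last two bytes
ENTRY_FORMAT = "<B3BB3BII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def decode_chs(head: int, sector_byte: int, cyl_low: int) -> tuple:
    """Unpack a packed CHS triple: the sector byte holds the sector number in its low 6 bits
    and the two high bits of the 10-bit cylinder number in its top 2 bits."""
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return cylinder, head, sector_byte & 0x3F


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into its code region and its partition table.
    Raises ValueError on anything a BIOS would refuse or that is internally inconsistent."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * slot)
        boot, h0, s0, c0, ptype, h1, s1, c1, lba_start, count = fields
        if boot not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: boot indicator {boot:#04x} is neither 0x00 nor 0x80")
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot, "bootable": boot == 0x80, "type": ptype,
            "chs_start": decode_chs(h0, s0, c0), "chs_end": decode_chs(h1, s1, c1),
            "lba_start": lba_start, "sectors": count,
        })
    if sum(p["bootable"] for p in partitions) > 1:
        raise ValueError("more than one partition is marked active")
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions}


def is_valid_mbr(sector: bytes) -> bool:
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the 446-byte code region only. An MBR virus that replaces the MBR changes
    this, while ordinary repartitioning normally touches only the table data after it."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample (not dumped from a real disk): a bootable FAT16 primary partition and
    an extended partition; the code region is left as zeros since only the table is parsed."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET,
                     0x80, 1, 1, 0, 0x06, 15, 0xFF, 0xFF, 63, 1_000_000)
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16,
                     0x00, 0, 1, 0, 0x05, 15, 0xFF, 0xFF, 1_000_063, 500_000)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("code-region fingerprint:", boot_code_fingerprint(mbr))
    for entry in parse_mbr(mbr)["partitions"]:
        print(entry)
```

To run it against a real disk, read the first 512 bytes of the raw device (for example with dd on a Unix system) and pass them to parse_mbr; the fingerprint is only useful if you recorded it from a known-clean state beforehand.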

A story.

A floppy diskette has just arrived, with some data on it (some word-processed files and a spreadsheet, perhaps). This is part of a project that you are doing jointly with a colleague. What your colleague doesn't know is that his computer is infected with a boot-sector virus (BSV), and therefore so is the diskette he sent you. You put the diskette in drive A: and start using these files. So far, the virus hasn't done anything. But when you finish for the day, you switch off the computer and go home. Next day, you come in and switch it on. The floppy disk is still in drive A:, so the computer tries to boot up from there. It loads the first sector into memory and executes it. Normally this is a little program written by Microsoft that loads DOS or, if it can't find DOS on the diskette, tells you so: ``Not a system disk, please press any key to continue.'' Everyone has seen this message numerous times, and so you open the drive door and press a key.

But this diskette is infected with Stoned, so what executed was not just the program by Microsoft, but the Stoned virus, written in 1987 in New Zealand (and so sometimes called the New Zealand virus). The virus installs itself on the hard disk, replacing the MBR, and copying the original MBR to a place a little further down the disk.

When you start up from the hard disk, the MBR runs, but this is now the Stoned virus. Stoned goes memory resident, capturing the BIOS disk read/write service, interrupt 13h, and then loads the original MBR, so the boot-up process continues as normal. But since the disk interrupt is captured, every read or write to drive A: passes through the virus first: the floppy is examined and, if it is not already infected, Stoned is written to its boot sector (you think you are only reading, but the virus writes anyway). Thus, your computer is now infecting every diskette put in drive A:, and sooner or later one of these will be sent to a colleague, and the cycle continues.

What is a polymorphic virus?

A polymorphic virus is one that produces varied but operational copies of itself. These strategies have been employed in the hope that virus scanners will not be able to detect all instances of the virus.

One method of evading scan string-driven virus detectors is self-encryption with a variable key. These viruses are not termed ``polymorphic'', as their decryption code is always the same. Therefore the decryptor can be used as a scan string by the simplest scan string-driven virus scanners.

A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus. A scan string-driven virus scanner would have to exploit several scan strings (one for each possible decryption method) to reliably identify a virus of this kind.

One of the most sophisticated forms of polymorphism used so far is the ``Mutation Engine'' which comes in the form of an object module. With the Mutation Engine any virus can be made polymorphic by adding and linking to the mutation-engine and random-number generator modules. The mutation engine produces a new decryption routine each time the virus infects a new program.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses.

For more information, see the article ``Computer Virus--Antivirus Coevolution'' by Carey Nachenberg in the January 1997 issue of the Communications of the ACM (Vol. 40, No. 1). This article describes the generic decryption (GD) technology. A GD virus scanner contains a software computer emulator. To scan a program to see if it is infected, the scanner loads the program into the virtual computer, executes it, then scans the virtual computer's memory for known viruses. By executing the program, the virus decrypts itself, but no damage is done to the physical computer! The problems with this approach are that it is very time consuming and that there is no way to know in advance how long to execute the program before the virus body appears.
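The three detection situations described above (a fixed decryptor with a variable key, a mutation engine that changes the decryptor itself, and generic decryption with a step budget) as one added example, not taken from this FAQ or from Nachenberg's article. It uses a toy machine and a toy ``virus'' constructed for the purpose: the opcodes, the SIGNATURE scan string, the mutation engine and the function names are all invented here and correspond to no real virus, processor or scanner. The point it shows that the text alone does not is how the decryptor-based scan string fails the moment junk instructions move the decryptor's offsets, while emulation recovers the body regardless of cipher, key or junk, but only if the step budget is large enough.

```python
import random

SIGNATURE = b"TOY-VIRUS-BODY"   # constructed scan string for the decrypted virus body

# Opcodes of a tiny constructed machine (not a real ISA), enough for a decryption loop.
LDP, LDC, XORK, SUBK, INC, LOOP, NOP, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x90, 0xFF
CIPHERS = (XORK, SUBK)


def size(op):
    """Instruction length: 16-bit operand for LDP/LDC/LOOP, 8-bit key for the cipher ops."""
    return 3 if op in (LDP, LDC, LOOP) else 2 if op in CIPHERS else 1


def assemble(ops):
    out = bytearray()
    for op, arg in ops:
        out.append(op)
        if op in (LDP, LDC, LOOP):
            out += arg.to_bytes(2, "little")
        elif op in CIPHERS:
            out.append(arg)
    return bytes(out)


def make_instance(body, cipher=XORK, key=0x5A, junk=(0, 0, 0, 0, 0, 0)):
    """One virus instance: [decryptor][encrypted body]. junk[i] NOPs go in front of decryptor
    instruction i, so both the decryptor's bytes and its internal offsets change."""
    ops, addr, loop_target = [], 0, 0
    for pad, op in zip(junk, (LDP, LDC, cipher, INC, LOOP, HALT)):
        ops.extend([NOP, None] for _ in range(pad))
        addr += pad
        if op == cipher:
            loop_target = addr            # LOOP jumps back to the cipher instruction
        ops.append([op, None])
        addr += size(op)
    for ins in ops:                       # fill operands now that the layout is known
        if ins[0] == LDP:
            ins[1] = addr                 # the body starts right after the decryptor
        elif ins[0] == LDC:
            ins[1] = len(body)
        elif ins[0] == cipher:
            ins[1] = key
        elif ins[0] == LOOP:
            ins[1] = loop_target
    if cipher == XORK:
        enc = bytes(b ^ key for b in body)
    else:
        enc = bytes((b + key) & 0xFF for b in body)   # SUBK undoes an ADD
    return assemble(ops) + enc


def mutation_engine(body, rng):
    # Toy stand-in for an MtE-style engine: fresh cipher, key and junk layout per infection.
    return make_instance(body, rng.choice(CIPHERS), rng.randrange(1, 256),
                         [rng.randrange(0, 3) for _ in range(6)])


def emulate(program, max_steps):
    """Run program on the toy machine for at most max_steps; return the memory image."""
    mem, pc, ptr, cnt = bytearray(program), 0, 0, 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op in (LDP, LDC):
            value = int.from_bytes(mem[pc + 1:pc + 3], "little")
            ptr, cnt = (value, cnt) if op == LDP else (ptr, value)
            pc += 3
        elif op == XORK:
            mem[ptr] ^= mem[pc + 1]
            pc += 2
        elif op == SUBK:
            mem[ptr] = (mem[ptr] - mem[pc + 1]) & 0xFF
            pc += 2
        elif op == INC:
            ptr, pc = ptr + 1, pc + 1
        elif op == LOOP:
            cnt -= 1
            pc = int.from_bytes(mem[pc + 1:pc + 3], "little") if cnt else pc + 3
        elif op == NOP:
            pc += 1
        else:
            break                         # HALT, or bytes that are not code: stop emulating
    return bytes(mem)


def scan_string_detect(data, scan_strings):
    """The simplest scanner: look for fixed byte strings in the file as stored on disk."""
    return any(s in data for s in scan_strings)


def gd_detect(program, max_steps):
    """Generic decryption: emulate first, then apply the scan string to the emulator's memory."""
    return SIGNATURE in emulate(program, max_steps)


def demo():
    body = SIGNATURE + bytes([HALT])
    fixed = [make_instance(body, XORK, k) for k in (1, 77, 200)]   # variable key, same decryptor
    decryptor_string = fixed[0][:6]       # LDP/LDC prefix shared by every fixed-decryptor copy
    poly = [make_instance(body, SUBK, 33, (1, 0, 0, 0, 0, 0)),      # hand-picked mutations
            make_instance(body, XORK, 9, (0, 2, 0, 1, 0, 0)),
            make_instance(body, SUBK, 250, (0, 0, 0, 2, 1, 0))]
    rng = random.Random(1997)
    engine_copies = [mutation_engine(body, rng) for _ in range(20)]
    return {
        "body_scan_on_plaintext": scan_string_detect(body, [SIGNATURE]),
        "body_scan_on_encrypted": [scan_string_detect(f, [SIGNATURE]) for f in fixed],
        "decryptor_scan_on_fixed": [scan_string_detect(f, [decryptor_string]) for f in fixed],
        "decryptor_scan_on_poly": [scan_string_detect(p, [decryptor_string]) for p in poly],
        "gd_on_poly": [gd_detect(p, 400) for p in poly],
        "gd_on_engine_copies": all(gd_detect(p, 400) for p in engine_copies),
        "gd_with_too_few_steps": gd_detect(poly[0], 20),
        "gd_on_clean_program": gd_detect(b"hello, world", 400),
    }
```

The budget of 400 steps is generous for a 15-byte body; a real GD scanner faces the same choice with bodies of kilobytes and decryptors that may delay before starting, which is the cost and uncertainty the text refers to. On a clean program the emulator simply stops at the first byte it does not understand.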

SJH
shartley@mcs.drexel.edu
February 5, 1997.