
How Viruses Work

By Neil Randall; PC Magazine, "Tutor" column; February 9, 1999; pages 211-213



If you buy a new computer these days, it's likely to ship with an antivirus package. This
fact, more than anything else, should convince us of how widespread viruses have become
and how much the computer industry has come to accept their inevitability. Quite simply,
viruses are a fact of computing life.
There are thousands of viruses out there and many different categories of virus, but
generally they all fit a single basic definition. A virus is a computer program intentionally
designed to associate itself with another computer program in such a way that when the
original program is run, the virus program runs as well, and the virus replicates itself by
attaching itself to other programs. The virus associates itself with the original program by
attaching itself to that program or even by replacing it, and the replicated copy is
sometimes a modified version of the virus program. The infected program can be a macro,
and it can be a disk's boot sector, the very first program loaded from a bootable disk.
Notice the "intentionally designed" part of the definition. Viruses aren't just accidents.
Programmers with significant skills author and develop them, then find ways to get them
onto the computers of the unsuspecting. And the stronger antivirus programs get, the
harder virus authors work to get around them. For many virus authors, the whole thing is
simply a challenge; for others, the point is having a good time making computing life
uncertain or even miserable.
Viruses have quite correctly gained a reputation for being harmful, but in reality many are
not. Yes, some damage files or perform other forms of destructiveness, but many are
simply minor annoyances or are even invisible to most users. To be considered a virus, a
program need only replicate itself; anything else it does is extra.
Even relatively pain-free viruses aren't completely harmless, of course. They consume disk
space, memory, and CPU resources and therefore affect the speed and efficiency of your
machine. Furthermore, the antivirus programs that sniff them out and eliminate them also
consume memory and CPU resources; many users, in fact, claim they slow the computer
down noticeably and are more intrusive than the viruses themselves. In other words,
viruses affect your computing life even when they're not actually doing anything.
VIRUSES AND VIRUSLIKE PROGRAMS
The above explanation of viruses is actually more specific than the way we tend to use the
term virus. Other types of programs exist that fit only part of that definition. What they have
in common with viruses is that they act without the user's knowledge and carry out, inside
the computer, some action they were intentionally designed to perform. These types
include worms, Trojan horses, and droppers. All of these programs, including viruses, are
part of a category of program known as malware, or malicious-logic software.
A worm is a program that replicates itself but doesn't infect other programs. It copies itself
to and from floppy disks or across network connections, and sometimes it uses the
network in order to run. One type of worm, the host worm, uses the network only to copy
itself onto other machines, while another type, the network worm, spreads parts of itself
across networks and relies on network connections to run its various parts. Worms can
also exist on a non-networked computer, in which case they copy themselves to various
locations on your hard disks.
The name Trojan horse comes from the Greek myth, best recounted in The Odyssey, in
which the Greek army left a wooden horse as a gift to the Trojans, hiding troops inside the
horse as it was taken into Troy. The Greeks jumped out and captured the city, ending the
long siege. The idea in computers is the same. A Trojan horse is a program that is hidden
inside a seemingly harmless program. When that program is run, the Trojan horse
launches in order to perform actions that the user doesn't want. Trojan horses do not
replicate themselves.
Droppers are programs designed to avoid antivirus detection, usually by encryption that
prevents antivirus software from noticing them. The typical functions of droppers are
transporting and installing viruses. They wait on the system for a specific event, at which
point they launch themselves and infect the system with the contained virus.
Related to these programs is the concept of the bomb. Bombs are usually built into
malware as a means of activating it. Bombs are programmed to activate when a specific
event occurs. Some bombs activate at a specific time, typically using the system clock. A
bomb could be programmed to erase all DOC files from your hard disk on New Year's Eve
or pop up a message on a famous person's birthday. Others are triggered by other events
or conditions: A bomb might wait for the twentieth instance of a program launch, for
example, and erase the program's template files. Viewed this way, bombs are just
malicious scripts or scheduling programs.
Viruses can be thought of as special instances involving one or more of these malware
programs. They can be spread through droppers (although they need not be), and they
use the worm idea to replicate themselves. While viruses are not technically Trojan horses,
they act like them in two ways: First, they do things the user doesn't want; second, by
attaching themselves to an existing program, they effectively turn the original program into
a Trojan horse (they hide inside it, launch when it launches, and commit unwanted acts).
HOW A VIRUS WORKS
Viruses work in different ways, but here's the basic process.

First, the virus appears on your system. It usually enters as part of an infected program file
(COM, EXE, or boot sector). In the past viruses traveled almost exclusively through the
distribution of infected floppy disks. Today, viruses are frequently downloaded from
networks (including the Internet) as part of larger downloads, such as the setup files for a
trial program, a macro for a specific program, or an attachment to an e-mail message.
Note that the e-mail message itself cannot be a virus, at least as long as the mail program
only displays the message text rather than executing script embedded in it. A virus is a
program, and it must be run to become active. A virus delivered as an e-mail attachment,
therefore, does nothing until you run it, usually by double-clicking on the attachment. One
way to help protect yourself from this kind of virus is simply never to open attachments that
are executable files (EXE or COM) or data files for programs, such as office suites, that
provide macro-writing features. A graphics, sound, or other data file with no macro
language behind it carries no code of its own; it is safe only to the extent that the program
opening it parses it correctly, so "data" is not a guarantee in itself.
A virus starts its life on your PC, therefore, as a Trojan horse-like program. It is hidden
within another program or file and launches with that file. In an infected executable file, the
virus has modified the original program so that control reaches the virus code first:
typically the program's entry point is redirected to the virus code, which executes and then
jumps back to the original code, so the host program still appears to work normally. At this
point the virus is active, and your system is infected.
Once active, the virus either does its work immediately, if it's a direct-action virus, or sits
in the background as a memory-resident program, using the TSR (terminate and stay
resident) mechanism the operating system provides. Most are of this second type and are
called resident viruses. Given the vast range of activities open to TSR programs
(everything from launching programs to backing up files to watching for keyboard or
mouse activity, and much more), a resident virus can be programmed to do pretty much
anything the operating system can do. Using a bomb, it can wait for events to trigger it,
then go to work on your system. One of the things it can do is scan your disk or (more
significantly) your networked disks for other running (or executable) programs, then copy
itself into those programs to infect them as well.
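The entry-point redirection described above, modelled on a toy executable format as an added example (this is not code from the article, and the format, opcodes and function names are invented for illustration): the "virus" appends its body, re-points the header's entry offset at it, runs its payload and jumps back to the original entry, so the host still runs. The second half shows the two things a defender sees: the file's digest no longer matches a clean baseline, and the entry point lands in bytes appended after the original code, a heuristic scanners apply to real formats as well.

```python
"""Model of the infection step described above: the virus appends its code
and redirects the program's entry point, runs first, then jumps back so the
host still works. Added illustration, not code from the article. The
"executable" format is invented: a 4-byte little-endian entry offset
followed by one-byte opcodes. Nothing here is real machine code."""

import hashlib
import struct

HEADER = 4
NOP, HOST_WORK, RET, PAYLOAD, JMP = 0x00, 0x01, 0x02, 0x10, 0x20


def build_host() -> bytes:
    """A clean program: the entry offset points at its first opcode."""
    code = bytes([NOP, HOST_WORK, RET])
    return struct.pack("<I", HEADER) + code


def infect(image: bytes) -> bytes:
    """Parasitic infection as the text describes it: append the viral body and
    re-point the header's entry offset at it. The body ends with a jump back
    to the original entry so the host runs normally afterwards."""
    original_entry = struct.unpack("<I", image[:HEADER])[0]
    body = bytes([PAYLOAD, JMP]) + struct.pack("<H", original_entry)
    return struct.pack("<I", len(image)) + image[HEADER:] + body


def run(image: bytes, max_steps: int = 100) -> list:
    """Tiny interpreter recording the order in which virus and host code run."""
    pc = struct.unpack("<I", image[:HEADER])[0]
    trace = []
    for _ in range(max_steps):
        op = image[pc]
        if op == NOP:
            pc += 1
        elif op == HOST_WORK:
            trace.append("host")
            pc += 1
        elif op == PAYLOAD:
            trace.append("virus")
            pc += 1
        elif op == JMP:
            pc = struct.unpack("<H", image[pc + 1:pc + 3])[0]
        elif op == RET:
            return trace
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {pc}")
    raise RuntimeError("no RET reached")


# --- detection side: what an integrity checker or scanner sees -----------

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_changed(baseline_digest: str, image: bytes) -> bool:
    """Integrity checking: any byte change to the file alters its digest."""
    return sha256(image) != baseline_digest


def entry_point_suspicious(image: bytes, known_code_len: int) -> bool:
    """Heuristic scanners use on real formats too: an entry point that lands
    in bytes appended after the original code is a classic infector sign."""
    entry = struct.unpack("<I", image[:HEADER])[0]
    return entry >= HEADER + known_code_len


def demo() -> dict:
    clean = build_host()
    baseline = sha256(clean)
    infected = infect(clean)
    return {
        "clean_trace": run(clean),                  # ['host']
        "infected_trace": run(infected),            # ['virus', 'host']
        "integrity_changed": integrity_changed(baseline, infected),
        "entry_suspicious": entry_point_suspicious(infected, len(clean) - HEADER),
    }


if __name__ == "__main__":
    print(demo())
```

The integrity check is the stronger of the two, but only if the baseline digest was taken from a clean file and the checker reads the real bytes; the stealth behaviour described later in the article exists precisely to feed such checkers the old contents.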

VIRUS TYPES
Virus authors are constantly experimenting with new ways to infect your system, but the
actual types of virus remain few: boot sector viruses, file infectors, and macro viruses.
There are different names for these types and some subtypes, but the idea remains the
same.
Boot sector viruses, or boot sector infectors, reside in specific areas of the PC's hard disk,
those that are read and executed by the computer at boot time. True boot sector viruses
infect only the DOS boot sector, while a subtype called the MBR virus infects the Master
Boot Record. Both of these areas of the hard disk are read during the boot process, at
which point the virus is loaded into memory. Viruses can also infect the boot sectors of
floppy disks, but a virus-free, write-protected boot floppy has always been a safe way to
start the system. The problem, of course, is guaranteeing that the floppy disk itself is
uninfected, and that's a task that antivirus programs attempt to do.
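The Master Boot Record layout behind this section, as an added example (not the article's own code): a parser for the 512-byte sector that checks the 0x55AA signature, reads the four partition entries, and hashes the bootstrap-code region on its own so it can be compared with a baseline recorded from a clean system. The sample sector and the altered copy are constructed here by hand; the field offsets are the standard MBR layout. An MBR virus overwrites the code region and leaves the partition table and signature alone so the machine still boots, which is why a signature check proves nothing by itself, and why the comparison has to run after booting from known-clean media, since a resident boot virus can intercept sector reads.

```python
"""Parse a master boot record and check the region a boot-sector virus
rewrites. Added illustration for this section, not code from the article.
The sector below is built by hand, not read from a disk."""

import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446             # bootstrap code occupies offsets 0..445
PART_TABLE_OFF = 446            # then four 16-byte partition entries
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sectors
SIGNATURE = b"\x55\xAA"         # offsets 510-511 on a valid boot sector


def build_sample_mbr() -> bytes:
    """Constructed sample: a few bytes of boot code padded with NOPs, one bootable
    FAT16 partition (type 0x06), three empty entries, valid signature."""
    code = bytes.fromhex("fa33c08ed0") + b"\x90" * (BOOT_CODE_LEN - 5)
    part1 = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xff\xff", 63, 2097152)
    return code + part1 + b"\x00" * (PART_ENTRY_LEN * 3) + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into signature check, boot-code hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[-2:] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """An MBR virus overwrites the bootstrap code but keeps the partition table
    and signature so the disk still boots. Hash the code region on its own and
    compare with a baseline recorded from a known-clean boot."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def overwrite_boot_code(sector: bytes) -> bytes:
    """Constructed altered sector: new bytes in offsets 0..445, everything else
    kept. Stands in for what an infection leaves behind; not executable code."""
    return b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2) + sector[BOOT_CODE_LEN:]


def demo() -> dict:
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    altered = overwrite_boot_code(clean)
    return {
        "clean": parse_mbr(clean),
        "altered_signature_ok": parse_mbr(altered)["signature_ok"],   # True
        "altered_code_changed": boot_code_changed(altered, baseline),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same split (hash the code, keep the table readable) is what the boot-sector checkers of the period did; on a real machine the sector is read from the raw device, and the baseline is stored somewhere the resident virus cannot reach, such as the write-protected boot floppy the text mentions.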
File infectors, also called parasitic viruses, are viruses that attach themselves to
executable files, and they are the most common and the most discussed. Such a virus
typically waits in memory for the user to run another program, using that event as a trigger
to infect the program as well. Thus they replicate simply through active use of the
computer. There are different types of file infectors, but the concept is similar in all of them.
Macro viruses, a relatively new type, make use of the fact that many programs ship with
programming languages built in. The languages are designed to help users automate
tasks through the creation of small programs called macros. The programs in Microsoft
Office, for instance, ship with such a built-in language, and Office itself provides many of
its own built-in macros. A macro virus is simply a macro for one of these programs, and
indeed this type of virus became known through its infection of Microsoft Word. When a
document or template containing the virus macro is opened in the target application, the
virus runs and does its damage. In addition, it is programmed to copy itself into other
documents, so that continual use of the program results in continual spread of the virus.
A fourth type, called multipartite, combines boot sector infection with file infection.
For a huge listing of viruses along with explanations of what they do, see the Virus
Encyclopedia section of Symantec's AntiVirus Research Center, at
www.symantec.com/avcenter/vinfodb.html.
SMARTER AND SMARTER
The macro virus concept works because the programming language provides access to
memory and hard disks. So, in fact, do other recent technologies, including ActiveX
controls and Java applets. True, these are designed to protect the hard disk from the virus
program (Java better than ActiveX), but the fact is that these programs can install
themselves on your computer simply because you visit a Web site. Obviously, as we
become increasingly networked and as we expect such conveniences as operating system
upgrades over the Internet (Windows 98 and NT 5 both do this), we put ourselves at
greater risk from viruses and other malware.
Virus authors are nothing if not innovative, and they constantly come up with new ways of
thwarting antivirus software. Stealth viruses, for example, mislead the antivirus software
into thinking that nothing is wrong. Essentially, a stealth virus retains information about the
files it has infected, then waits in memory and intercepts antivirus programs that are
looking for altered files. It gives the antivirus programs the old information rather than the
new. Polymorphic viruses alter themselves when they replicate, so that antivirus software
that looks for specific patterns won't find all instances of the viruses; those that survive can
continue replicating. Several other types of smart viruses are appearing regularly, as the
game of cat and mouse between virus authors and antivirus software producers continues.
In all likelihood, viruses are here to stay.
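The polymorphism point from the section above, as an added example (not the article's code): three copies of the same constructed "body" are re-encoded under different single-byte XOR keys, which stands in for a real mutation engine. A scanner looking for the body's fixed byte pattern misses every copy; a scanner keyed on the part that cannot change (the decryptor stub) finds them all; and a known-plaintext "X-ray" scan, which derives the candidate key at each offset and verifies the rest of the body, recovers both the copy and its key. BODY, STUB, the keys and the host bytes are all constructed for illustration, and nothing in the block executes as code.

```python
"""Why a scanner that looks for fixed byte patterns misses polymorphic
variants, and two things scanners do instead. Added illustration, not code
from the article. BODY, STUB and the hosts are constructed byte strings;
XOR with a per-copy key stands in for a real mutation engine. Nothing here
executes as code."""

import hashlib
from typing import Optional

BODY = bytes.fromhex("b8004cb021cd21")   # constructed 'virus body' (constant)
STUB = bytes.fromhex("8a1e")             # constructed 'decryptor' marker; real
                                         # stubs are longer and engines vary them too


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """One replicated copy: constant stub, the key it needs, body re-encoded
    under that key. Every copy therefore has different bytes on disk."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return STUB + bytes([key]) + xor(BODY, key)


def host_with(payload: bytes) -> bytes:
    """Constructed 'infected file': innocuous host bytes around the payload."""
    return b"\x90" * 20 + payload + b"\x00" * 8


def body_signature_scan(data: bytes) -> bool:
    """Fixed-pattern scan for the body: fails whenever the key is non-zero."""
    return BODY in data


def stub_signature_scan(data: bytes) -> bool:
    """Scan for the part that cannot change: the decryptor. Works as long as
    the engine leaves a constant stub; a short stub invites false positives."""
    return STUB in data


def xray_scan(data: bytes, known: bytes = BODY) -> Optional[int]:
    """Known-plaintext 'X-ray': at each offset derive the single-byte key that
    would map the first byte onto the known body, then verify the rest.
    Returns the key found (0 for an unencoded body) or None."""
    n = len(known)
    for i in range(len(data) - n + 1):
        key = data[i] ^ known[0]
        if xor(data[i:i + n], key) == known:
            return key
    return None


def demo(keys=(0x37, 0x5A, 0xC3)) -> dict:
    files = [host_with(make_variant(k)) for k in keys]
    return {
        "distinct_hashes": len({hashlib.sha256(f).hexdigest() for f in files}),  # 3
        "body_signature_hits": sum(body_signature_scan(f) for f in files),       # 0
        "stub_signature_hits": sum(stub_signature_scan(f) for f in files),       # 3
        "xray_keys": [xray_scan(f) for f in files],                  # [0x37, 0x5A, 0xC3]
    }


if __name__ == "__main__":
    print(demo())
```

A real engine varies the stub as well as the key, which is why production scanners moved from X-raying to running the suspect code in an emulator until it has decrypted itself and then matching the body in memory; the principle is the same as the X-ray here, only the decryptor is executed rather than modelled.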
