Computer viruses are malicious programs that require a host program or user interaction to spread, infecting systems to disrupt or corrupt data.
The defining characteristic of a computer virus, versus other forms of malware, is how it spreads: by attaching itself to legitimate applications, processes and systems on the host machine.
File Infector Virus: Attaches to executable files (e.g. .exe) and executes malicious code when the program runs.
Macro Virus: Embeds in documents with macros (e.g. Word, Excel) and activates upon opening.
Boot Sector Virus: Infects the master boot record or boot sector, loading into memory before the operating system during startup, making anti-virus detection and removal especially tricky.
Polymorphic Virus: Alters its code signature with each infection using encryption to evade antivirus detection.
Resident Virus: A type of malware that embeds itself into system memory, allowing it to infect files during access by exploiting a program’s execution flow.
Non-Resident Virus: Executes its code and then releases memory, relying on host programs for initial infection and spread.
Multipartite Virus: Targets multiple system components, such as files and boot sectors, spreading through host programs and user actions.
Stealth / Tunneling Virus: Hides from antivirus by intercepting system calls and presenting false data, requiring a host to spread.
Companion Virus: Creates a separate executable file with a name similar to a legitimate program, often using slight alterations or similar-looking characters to trick users into thinking it's the original application.
Cluster Virus: Modifies directory entries to manipulate how groups of files (or clusters) are accessed, allowing it to execute its malicious code before any legitimate program within that cluster is run.
Metamorphic Virus: Changes its own code each time it infects a new host file, using techniques like code alteration and obfuscation to evade detection by antivirus software while maintaining its core functionality.
Overwrite Virus: Replaces the file it infects with its own code, rendering original files unusable upon execution.
Directory Virus: Modifies directory entries to redirect access from a legitimate file to its own malicious code, allowing users to unknowingly execute the virus while the original file remains unchanged.
FAT Virus: Targets the File Allocation Table (FAT), corrupting file access on storage devices when infected files are run.
Sparse Infector Virus: Selectively infects files based on specific conditions (e.g. file size) to avoid detection, requiring file execution.
Cavity / Space Filler Virus: Hides code in unused spaces (e.g. padding, or slack space) within an executable file’s structure, without increasing file size.
Encrypted Virus: Uses encryption to conceal its code, decrypting only when the infected program is executed to perform its payload.
Armored Virus: Employs protective mechanisms to resist analysis by antivirus tools or researchers. May avoid execution if it detects it is running in a virtual machine. Spreads via infected programs.
Fast Infector Virus: Infects every file accessed or executed during its active period, relying on host program execution for rapid spread.
Slow Infector Virus: Infects files gradually during specific operations (e.g. file creation), requiring interaction with infected host files for stealthy spread.
Direct-Action Virus: Activates immediately upon execution of an infected host program to perform its payload, then becomes dormant, spreading only through subsequent user action.