Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

The Computer Virus Problem

David Stang
Seven Locks Software, Inc.

[Back to index] [Comments]

Introduction

This paper provides an overview of the computer virus problem. It was developed by Seven Locks Software, as part of our public education program.

Some of the content of this paper concerns virus prevalence, and was drawn from the best, most recent study of the subject, the International Computer Security Association's 1997 Computer Virus Prevalence Study. Seven Locks Software sponsored this survey of 300 sites representing over 700,000 desktop computers, and is proud to be a vendor member of the ICSA's Anti-virus Product Developer Consortium.

What is a Virus?

A virus is a piece of software designed and written to make additional copies of itself and spread from location to location, typically without user knowledge or permission. Thus a virus is "self-reproducing code." Many viruses go beyond "quiet" operation, and are coded to avoid detection by the most common methods used. Such stealth qualities are now found in both viruses infecting files ("file viruses") and those infecting boot areas ("boot viruses").

There are computer viruses that were written specifically for operating systems (DOS, Windows 3.x, Windows 95, Windows NT, OS/2, and UNIX) and specific machines (Intel CPU machines, Amiga, Mac, and Atari.). The most common viruses today are operating system independent: they will run under any operating system if other conditions are met.

The largest category of viruses, however, is not the most prevalent. For years, the greatest number of different viruses have been file viruses - viruses which infected programs, such as DOS COM and EXE files. Such viruses never accounted for the greatest number of infections - back in the days of DOS, boot viruses were more common than file viruses - but have always accounted for the biggest headache for vendors of anti-virus products. The sheer number of file viruses, and their continued high rate of emergence, has always kept developers busy.

Like biological viruses, computer viruses are very small, and have one characteristic of life: the ability to reproduce.

Viruses, by definition, add their code to your system in such a way that when the infected part of the system executes, the virus does too: The exact mechanism of attachment depends on whether the virus is a boot virus, file virus, macro virus, etc.[ The "companion virus" attaches to the file system. This type of virus is rare, and will not be discussed here.]

Some viruses display symptoms, and some cause damage to files in a system they have infected. But neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank. Some viruses cause damage, but not all do. Some display obvious symptoms, such as messages, but the most common are usually difficult to detect, and largely free of obvious symptoms.

There are no "good" viruses, simply because virus is code that was not intentionally installed by the user. Users must be able to control their computers, and that requires that they have the power to install and remove software; that no software is installed, modified, or removed without their knowledge and permission. A virus is surreptitiously self-installed. It may modify other software in the system without user awareness, and removal can be difficult and costly.

Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus author. For instance, when a virus finds itself in a very different environment than that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point is the boot virus: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to be the end of the system.

Even if a virus causes no direct damage to your computer, your inexperience with viruses can mean that damage occurs during the removal process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will.

Why Are Viruses Problems?

We have said that not all viruses cause damage. Some do nothing but make copies of themselves. So is this a problem?

Our answer is Yes. All viruses are problems. One reason a virus causes problems is simply that some effort must be expended to detect and remove it. The average incident [a computer virus incident here is a virus encounter where a minimum of 25 PCs, diskettes, or files were infected by the same virus at approximately the same time.] may cost us over $8,000 in a large organization, as may be seen in the table below.[From NCSA 1997 Virus Prevalence Survey.]

Table 1. Cost of Incidents, 1997

MeasureCost
Server Downtime40 minutes
Time to Recovery44 hours
Person Days Lost22
Financial Cost$8,366

The effects of viruses are not merely in machine downtime or recovery time. The greatest problem that computer viruses cause is related to loss of productivity and includes: PCs unavailable to users, loss of access to data, unreliable applications, and system crashes. Many users report corruption of PCs, applications, and data occurred via: screen message, interference, or lockup; corrupted files, lost data, and system crashes. In addition, viruses impact our confidence in our computers, and our trust of the procedures and policies we have designed to protect us. Some effects are shown in Table 2. Effects of Viruses, 1996-1997 and Figure 1. Effects of Viruses, 1996-1997.[ From NCSA 1997 Virus Prevalence Survey.]

Table 2. Effects of Viruses, 1996-1997

 19961997
Loss of user confidence in the system7%26%
Threat of someone losing their job3%1%
Loss of productivity (machine, applications or data not available for some time)81%70%
Screen message, interference, or lockup62%54%
Lost data39%37%
Corrupted files59%57%
Loss of access to data (ie. on Server, Host, Mainframe, etc.)49%30%
Unreliable applications35%30%
PC was unavailable to the user71%59%
System Crash30%26%
Other (specify)0%3%
None4%12%
Don't know0%1%

Figure 1. Effects of Viruses, 1996-1997

Figure 1. Effects of Viruses, 1996-1997

Is the Situation Under Control?

No. Virus creation is at an all-time high. Viruses are spreading more easily than ever. Your chance of infection is higher than ever.

There are two specific aspects of the problem that should be considered separately:

For a decade, computer viruses have caused problems for users and organizations. During this period, a number of vendors have developed products to address the virus problem, but the problem has only grown worse.

The Growing Number of Viruses

At the start of 1987, there were a total of six different viruses. Today there are "close to 12,000" according to one trusted source. [Virus Bulletin, "Pawn to King-four" July, 1997. P.2] In that 10 year period, the number of viruses doubled 11 and a half times., or every 10.5 months. If this doubling rate holds, there will be 24,000 viruses next year.

The approaches which vendors have used in the past are challenged by this immense rate of emergence of new viruses. If 12,000 viruses are created in the next 10.5 months, vendors will have to develop detection and removal instructions for 1,142 viruses a month, a rate of about 6 viruses per hour for every normal working hour. Since developing manual creation of detection and removal instructions can take as long as one or two working days for difficult viruses, either a large staff or an automated virus analysis system will be required of all successful vendors if they are to keep up.

The rate of emergence of new macro viruses suggests that these numbers are conservative. The number of macro viruses has gone from 1 in August 1995 to 42 in August 1996 to 1,000 in June 1997 [Virus Bulletin, "1000 Macro Virus Mark Passed" July, 1997. P. 3], a doubling rate of 2 months, rather than 10.5 months. This is primarily because macro viruses are much easier to create than boot and file viruses. But creating detection and removal instructions is just as difficult for macro viruses as it is for other kinds.

Growing Infection Rate

The probability of infection has increased considerably in the last decade, and continues to rise. Today, the probability of infection is at about 35 infected computers per 1,000 per month. Put another way, 42% of computers are likely to become infected in the next 12 months. This infection rate is about 3.5 times as high as a year ago, when the rate was about 10.3 computers per 1000 per month. There is little doubt that the virus problem is growing, and at a considerable rate. (See Figure 2. Infections Per 1,000 Computers Per Month, 1996-1997 [From NCSA 1997 Virus Prevalence Survey.]

Figure 2. Infections Per 1,000 Computers Per Month, 1996-1997

Figure 2. Infections Per 1,000 Computers Per Month, 1996-1997

Many Users Not Protected

One survey [NCSA 1997 Virus Prevalence Survey.] finds that only 73% of respondent desktop machines have an anti-virus product installed. According to a poll reported in Virus Bulletin [Virus Bulletin], "and Still too Few Precautions" July, 1997. P. 3] more than 50% of users do not update their anti-virus software on a monthly or more frequent basis. Fifty-two percent of respondents were unaware that their anti-virus product vendor offered updates free to its customers. This suggests that some part of the problem of virus prevalence might be blamed on user behavior and knowledge.

In short, despite whatever quality improvements vendors might have made in their products, the increased number and prevalence of viruses indicates that the problem is growing worse.

About the Most Common Viruses

Today, our most common virus infections are of Word macro viruses. During 1997 one virus, the Word.Concept virus (also known as WM.Concept and Prank), infected one-half (49%) of survey sites (compared with only 12% in the prior year). This year's survey witnessed the remarkable growth of this family, with macro viruses of all sorts accounting for 80% of infections reported (compared with 41% in the prior year). Word.Concept was first distributed in July, 1995, and has experienced the most rapid growth in prevalence of any virus yet. Table 3. Which viruses have affected your group's PCs during 1997? and Figure 3. Relative Dominance of Top Ten Viruses, 1997 show the most common viruses reported in the past 12 months. [NCSA 1997 Virus Prevalence Survey.]

Table 3. Which viruses have affected your group's PCs during 1997?

VirusPercent Reporting
WelcomB1.68%
Word Macro15.10%
Word Macro Concept34.23%
Word Macro Npad4.36%
Word Macro Wazzu19.13%
Word Macro MDMA2.68%
Word Macro Colors2.01%
Excel Macro0.67%
XM Laroux1.01%
Other (SPECIFY)25.17%
None5.37%
Don't know8.72%
Refused0.34%

Figure 3. Relative Dominance of Top Ten Viruses, 1997

Figure 3. Relative Dominance of Top Ten Viruses, 1997

Common Viruses Becoming More Common

Nearly all viruses shown in Figure 4 have become more prevalent over the approximately one year covered by this data (note: accounting for the survey biases might dampen this effect). Only Junkie, from these top ten, appears to be in decline. The greatest growth rates are of the top macro viruses, such as WM.Concept and WM.Wazzu.

Figure 4. Infections per Month per 1,000 Computers, Top Ten Viruses

Figure 4. Infections per Month per 1,000 Computers, Top Ten Viruses

Macro Viruses: Growing Most Rapidly

Of the top ten viruses, seven are at least five years old (NATAS, NYB, and WM.Concept were approximately 3, 3 and 1.6 years old at the time of this survey). Until WM.Concept, Natas and NYB, were apparently "growing" the fastest. By far, the rate of growth of WM.Concept is the fastest of any virus ever observed to infect computers of the general public. There are several reasons for its apparent rapid growth:

We should note that a virus which appears to be in decline may actually be increasing in prevalence. If a user is infected with an older virus that is easily dispatched with the product on hand, that user is likely to kill the virus without reporting it to management. If the virus is contained because of the effectiveness of anti-virus products, it is not likely to be remembered, and thus not likely to be reported to our survey researchers. It is those viruses which cause unpleasant experiences, data loss, massive infection, and which prove difficult to remove that are most likely to be recorded.

The Most Common Viruses

The NCSA 1997 Virus Prevalence Survey asked three questions concerning which viruses affected the group:

5a. Which viruses have affected your group's PCs during 1997? How many times? (do not read the list)

5b. Which viruses affected your group's PCs during the second half of 1996 (July-December)? How many times?

5c. Which viruses affected your group's PCs during the first half of 1996 (January-June)? How many times?

We have tabulated answers in two forms: the percentage of respondents having an incident with the virus, and the total number of infected machines (sum of "how many times" question across respondents.)

Table 4. Most Commonly Found: Percent of Organizations Infected

VirusJan/Feb '972nd half of '961st half of '96
Anti-CMOS10%12%8%
Anti-EXE18%16%12%
Form16%18%16%
Green Caterpillar<1%0%0%
Jumper0%<1%0%
Junkie2%2%1%
Michelangelo3%2%3%
Monkey B17%15%12%
NATAS<1%1%1%
NYB10%7%5%
One Half<1%<1%0%
Parity Boot1%1%<1%
Ripper3%4%3%
Stealth B or C14%13%10%
Stoned (Monkey Empire)13%14%15%
WelcomB2%2%1%
Word Macro15%12%7%
WM Concept34%31%19%
WM Npad4%3%1%
WM Wazzu19%10%5%
WM MDMA3%2%<1%
WM Colors6%<1%0%
Excel Macro1%1%<1%
XM Laroux1%<1%<1%
XM Sofa0%0%0%
Other (specify)25%19%13%
None5%2%3%
Don't know9%22%39%
Refused<1%<1%<1%

Table 5. presents an estimated total number of machines infected throughout the survey. Thus if only two respondents reported this virus at all, each reporting 100 infected machines in the time period, the number "200" would be presented in the table. As such, this table doesn't show what percentage of organizations were infected with the virus, or what percentage of machines within the average organization were infected. But it does provide a sensitive measure of the success of a virus in infecting machines.

Table 5. Viruses Most Commonly Found: Total Infections

VirusJan/Feb '972nd half '961st half '96Total
WM Concept10750136621148135893
Word Macro2392399011047486
Form3048147811875713
Anti-EXE906172112403867
WM Wazzu26326591353426
Monkey B10215124972030
NYB3906678391896
WM Npad6025402021344
Stealth B or C4144813771272
Junkie6710810401215
Stoned (Monkey Empire)1675163531036
Anti-CMOS230422290942
Excel Macro1007050220
WM MDMA19660202
Michelangelo1745128190
Ripper326658156
WelcomB2010135156
NATAS07923102
One Half1110021
WM Colors75012
XM Laroux102012
Jumper010010
Parity Boot4206
Green Caterpillar1001
XM Sofa0000

Several observations on this table:

Figure 5. Relative Prevalence of Top Ten Viruses

Figure 5. Relative Prevalence of Top Ten Viruses

The "Wild List"

Much has been made of the phrase "in the wild." The list of viruses commonly believed to be "in the wild" - sometimes found on the desktop computers in homes and offices like yours - is a short list. Some vendors boast that they detect all viruses "in the wild", whereas they really detect viruses found on the "in the wild" list.

There are many such problems with this approach. A virus can be written and distributed today, and infect your machine tomorrow. Whether it ever appears on an in-the-wild list or not is a matter of chance, but it certainly won't be on the list if it is quite new.

In the NCSA survey, respondents were asked to name other viruses found in their organization in the past year. Many were named. Few of these appear on the official "wild list." Many of these additional viruses are macro viruses. 15 years/Espejo/Esto te, Aloha, Anti-Alias, Anti-OC, Arachina, B-1, Barrotes, BLU, BOOT B, Boot Virus, Bupt/WelcomB, Cascade, D 1, Da'Boys, Dr. White, Dragon, Exabyte.3, EXEC, Form.A, Frankenstein, Fu_Manchu, Int 10, J&M, Jerusalem, Jerusalem.Mummy, Joshi, Junkie, Leandro, Meat Grinder, MICROSOFT, Mirrox General 1, Music_Bug, Natas, NYB, PacMan, Read IOSys, Sampo, Stealth.B-1, Stealth.Boot.H, Stoned, Stoned.Angelina, Stoned.Bloomington/NoInt, Stoned.Empire.Monkey, Stoned.No_Int, Tai-Pan.666/Doom2Death, Telecom.Boot, Tentacle, Trojan Horse, Typen, Urkel, V-Sign, WM.Alien, WM.Bandung, WM.CAP, WM.Concept.A-F, WM.Divina, WM.DMV, WM.Imposter,WM.Indonesia, WM.Irish, WM.Johny, WM.Lunch.A, WM.NOP, WM.Npad, WM.Nuclear, WM.Rapi, WM.ShowOff, WM.Wazzu.A-F, WM.Wazzu.C, WordPerfect virus.

While it is important for you to choose protection that can deal with everything listed on an "in the wild" list, you must recognize that your could just as easily get a virus not on the list; your product and vendor must take care of you whether or not the virus you get next is listed.

What Should I Do to Protect Myself?

Knowledge of how viruses get into our computers is useful in deciding how to defend against viruses.

Diskettes and downloads account for the majority of our infections. Table 6. Sources of Infection, 1996-1997 and Figure 6. Infection Sources shows how survey respondents believed their machines had become infected. Note that respondents could choose more than one infection source for their most recent infection, so totals exceed 100%.

Table 6. Sources of Infection, 1996-1997

Source19961997
A diskette, sales demo or similar11%8.05%
A diskette, repair/service person3%3.36%
A diskette, LAN manager/supervisor1%2.68%
A diskette, shrink-wrapped software2%4.36%
A diskette, malicious person intentionally planted0%1.01%
A diskette, brought from someone's home36%42.28%
A diskette, other21%26.51%
On a distribution CD0%0.67%
A download from BBS, AOL, CompuServe, Internet10%16.11%
Other download (terminal emulation, client server)2%2.35%
Via e-mail as an attachment9%26.17%
Via an automated software distribution0%1.68%
While browsing on the World Wide Web--5.37%
Other0%5.03%
Don't know15%7%

Figure 6. Infection Sources

Figure 6. Infection Sources

It is not surprising that diskettes predominate as a vector for infection, since nine out of the top ten most prevalent viruses and 17 out of the top 20 were boot viruses and could not travel by any other means. However, in the 1991 NCSA-Dataquest survey, the proportion of diskettes was even larger (87%), download sources were slightly lower, and e-mail attachment was not mentioned as a source or possible source.

Macro Virus Also Travels by E-mail and the Net - All viruses can, theoretically, be transferred by diskette, by e-mail, or by download.[ A boot virus can be transferred by e-mail if a "dropper" is attached to the e-mail. When the attachment is run, the dropper can insert the boot virus in the appropriate sectors of the drive. Such transfer of boot viruses is extremely rare. Similarly, a boot virus may be downloaded if the file downloaded is a dropper. The spread of boot viruses via droppers via download is extremely rare.] though all viruses can travel by diskette, only executable file-type and macro viruses can possibly travel by download or e-mail attachment. We looked at the top viruses to determine how they got to the organization. As may be seen in Table 7 and Figure 7, macro viruses are most likely to enter an organization via e-mail attachments, whereas boot viruses most often come via diskette. The home remains a common source of virus infection in offices.

Table 7. Sources of Infection, Boot and Macro Viruses, 1997.

 BootMacro
A diskette, sales demo or similar2%3%
A diskette, repair/service person7%1%
A diskette, LAN manager/supervisor0%1%
A diskette, shrink-wrapped software2%3%
A diskette, malicious person intentionally planted it2%0%
A diskette, brought from someone's home26%17%
A diskette, other23%12%
On a distribution CD0%0%
A download from BBS, AOL, CompuServe, Internet, etc.9%7%
Other download (terminal emulation, client server)2%2%
Via e-mail as an attachment2%36%
Via an automated software distribution0%0%
While browsing on the World Wide Web5%5%
Other7%2%
Don't Know12%9%

Figure 7. Sources of Infection, Boot and Macro Viruses, 1997.

Figure 7. Sources of Infection, Boot and Macro Viruses, 1997.

Table 8 shows the analysis from the 1996 survey. In both surveys, e-mail was especially important as a transmission vehicle for macro viruses. The speed and international quality of e-mail will likely continue to contribute to the rapid spread of new and old macro viruses in coming years.

Table 8. Means of Infection Summary, 1996 Survey

 E-MailDownload from BBS, AOL, C/S, Internet or Other
All Viruses Except Word.concept7.7%11.7%
All Viruses8.8%11.5%
Word.concept Encounters21.5%17.8%
Word.concept Incidents30.5%14.2%

A Look at Standard Protection Procedures

In planning your own defense, you might benefit from knowing how others defend their desktop machines.

Anti-Virus Methods Employed

Respondents in the NCSA Virus Prevalence Survey were asked to estimate the number of PCs which were protected by each of several methods: Respondents could choose more than one answer. Results are shown below for both the percentage of respondents using a method, and the number of machines protected by the method. If you add up the number of PCs protected by various methods, you find that 1,430,256 machines are protected by the methods; with only 728,798 machines represented in the study, we can conclude that each machine averages two protection methods.

Table 9. Desktop Virus Protection Methods Used

Protection% Respondents# of PCs
Users check diskettes and downloads for viruses.64%320,268
Anti-virus software scans hard drive for viruses every boot-up68%402,598
Anti-virus software scans hard drive for viruses every login39%194,526
Anti-virus software scans hard drive for viruses full time in the background60%289,740
Other periodic anti-virus detection on the desktop41%132,770
Other full-time anti-virus detection on the desktop20%58,881
Other (specify)5%31,473
None1% 
Don't know<1% 

A closer look at desktop protection methods finds that only 16% of respondents used only one of the above methods of protection, 19% used two, and 32% used three. The distribution of respondents on this question, showing the number of methods used, is provided in the table below.

Table 10. Number of Desktop Protection Methods Used

123456
16%19%32%19%11%3%

Advice to Users

The best prevention is a combination of changing your computing behavior and using an anti-virus product wisely:

Glossary

The following are common terms used in discussions of anti-virus software:

Background Scanning
Automatic scanning of files as they are created, opened, closed, or executed. Performed by memory resident anti-virus software. Synonyms: online, automatic, background, resident, active.
Behavior Blocking
A set of procedures that are tuned to detect virus-like behavior, and prevent that behavior (and/or warn the user about it) when it occurs. Some behaviors that should normally be blocked in a machine include formatting tracks, writing to the master boot record or boot record, and writing directly to sectors. Synonyms: "dynamic code analysis", "behavioral analysis."
Boot Record
The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code in (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.
Boot Sector
The first logical sector of a drive. On a floppy disk, this is located on side 0 (the top), cylinder 0 (the outside), sector 1 (the first sector.) On a hard disk, it is the first sector of a logical drive, such as C: or D:. This sector contains the Boot Record, which is created by FORMAT (with or without the /S switch.) The sector can also be created by the DOS SYS command. Any drive that has been formatted contains a boot sector.
Boot Sector Infector
Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. This boot sector contains specific information relating to the formatting of the disk, the data stored there and also contains a small program called the boot program (which loads the DOS system files). The boot program displays the familiar "Non-system Disk or Disk Error" message if the DOS system files are not present. It is also the program that gets infected by viruses. You get a boot sector virus by leaving an infected diskette in a drive and rebooting the machine. When the program in the boot sector is read and executed, the virus goes into memory and infects your hard drive. Remember, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk.
Boot virus
A virus whose code is called during the phase of booting the computer in which the master boot sector and boot sector code is read and executed. Such viruses either place their starting code or a jump to their code in the boot sector of floppies, and either the boot sector or master boot sector of hard disks. Most boot viruses infect by moving the original code of the master boot sector or boot sector to another location, such as slack space, and then placing their own code in the master boot sector or boot sector. Boot viruses which also infect files are sometimes known as multipartite viruses. All boot viruses infect the boot sector of floppy disks; some of them, such as Form, also infect the boot sector of hard disks. Other boot viruses infect the master boot sector of hard disks.
Companion virus
A program that attaches to the operating system, rather than files or sectors. In DOS, when you run a file named "ABC", the rule is that ABC.COM would execute before ABC.EXE. A companion virus places its code in a COM file whose first name matches the name of an existing EXE. You run "ABC", and the actual sequence is "ABC.COM", "ABC.EXE"
Encrypted virus
A virus whose code begins with a decryption algorithm, and continues with the scrambled or encrypted code of the remainder of the virus. When several identical files are infected with the same virus, each will share a brief identical decryption algorithm, but beyond that, each copy may appear different. A scan string could be used to search for the decryption algorithm. Cf. Polymorphic.
File virus
Viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions .SYS, .DRV, .BIN, .OVL, OVR, etc. The most common file viruses are resident viruses, going into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional programs as you run them. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run.
In the Wild virus
A term that indicates that a virus has been found in several organizations somewhere in the world. It contrasts the virus with one which has only been reported by researchers. Despite popular hype, most viruses are "in the wild" and differ only in prevalence. Some are new and therefore extremely rare. Others are old, but do not spread well, and are therefore extremely rare.
Macro virus
A virus which consists of instructions in Word Basic or some other macro language, and resides in documents. While we do not think of documents has capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses. Because documents are now even more widely shared than diskettes (through networks and the Internet), document-based viruses are likely to dominate our future.
Master Boot Record
The 340-byte program located in the Master Boot Sector. This program begins the boot process. It reads the partition table, determines what partition will be booted from (normally C:), and transfers control to the program stored in the first sector of that partition, which is the Boot Sector. The Master Boot Record is often called the MBR, and often called the "master boot sector" or "partition table." The master boot record is created when FDISK or FDISK /MBR is run.
Master Boot Sector
The first sector of the hard disk to be read. This sector is located on the top side ("side 0"), outside cylinder ("cylinder 0"), first sector ("sector 1.") The sector contains the Master Boot Record.
Master Boot Sector Virus
A virus that infects the master boot sector, such as NYB, spreads through the boot sector of floppy disks. If you boot or attempt to boot your system with an infected floppy disk, NYB loads into memory and then writes itself to the master boot sector on the hard drive. If the disk is not bootable, you see the DOS error message "Non-system disk or disk error..." If the disk is bootable, the system boots to the A: prompt. Either way the system is infected, and there is no indication on the screen that this has happened. Once the hard drive is infected, NYB loads into memory each time the system is booted. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy DOS accesses.
On-Demand Scanning
Synonyms: offline, manual scanning, foreground, non-resident scanning, scanning.
Polymorphic virus
A polymorphic virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.
Remove
To remove or clean a virus means to eliminate all traces of it, returning the infected item to its original, uninfected state. Nearly all viruses are theoretically removable by reversing the process by which they infected. However, any virus that damages the item it has infected by destroying one or more bytes is not removable, and the item needs to be deleted and restored from backups in order for the system to be restored to its original, uninfected state. There is a gap between theory and practice. In practice, a removable virus is one which the anti-virus product knows how to remove. The term "clean" is sometimes used for remove, and sometimes used to refer to the destruction of viruses by any method. Thus deleting a file which is infected might be considered cleaning the system. We do not regard this as an appropriate use of the term "clean".
Resident
A property of most common computer viruses and all background scanners and behavior blockers. A resident virus is one which loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. When the trigger event occurs, the virus becomes active, either infecting something or causing some other consequence (such as displaying something on the screen.) All boot viruses are resident viruses, as are the most common file viruses. Macro viruses are non-resident viruses.
Stealth virus
A virus that uses any of a variety of techniques to make itself more difficult to detect. A stealth boot virus will typically intercept attempts to view the sector in which it resides, and instead show the viewing program a copy of the sector as it looked prior to infection. An active stealth file virus will typically not reveal any size increase in infected files when you issue the "DIR" command. Stealth viruses must be "active" or running in order to exhibit their stealth qualities.
Trojan Horse
A program which does something unwanted and unexpected by a user, but intended by the programmer. Trojans do not make copies of themselves, as do viruses, and seem to be more likely to cause damage than viruses.
Worm
Similar to a virus in that it makes copies of itselfs, but differ in that it need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems - rather than parts of systems - to infect, then copies its code to them.
Zoo virus
A virus which is rarely reported anywhere in the world, but which exists in the collections of researchers. A zoo virus has some "escaping" virus collections, and infecting user machines. Its prevalence could increase to the point that it was considered "in the wild."
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua