Viruses and Their Classification

A computer virus is a piece of software that can “infect” other programs by modifying them. The modification injects the original program with a routine that makes copies of the virus program, which can then go on to infect other programs. A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, first executes the virus code and then executes the original code of the program.

Viruses can be classified along two orthogonal axes: the type of target the virus tries to infect, and the method the virus uses to conceal itself from detection by users and antivirus software.

A virus classification by target includes the following categories:

  1. Boot sector infector:
     Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
  2. File infector:
     Infects files that the operating system or shell considers to be executable.
  3. Macro virus:
     Infects files with macro code that is interpreted by an application.

A virus classification by concealment strategy includes the following categories:

  1. Encrypted virus:
     A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus.
     When the virus replicates, a different random key is selected.
  2. Stealth virus:
     A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload is hidden.
  3. Polymorphic virus:
     A virus that mutates with every infection, making detection by the “signature” of the virus impossible.
  4. Metamorphic virus:
     As with a polymorphic virus, a metamorphic virus mutates with every infection.

Virus countermeasures

  • The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place, or block the ability of a virus to modify any files containing executable code or macros.
  • This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks.
  • The next best approach is to be able to do the following:
     1. Detection:
        Once the infection has occurred, determine that it has occurred and locate the virus.
     2. Identification:
        Once detection has been achieved, identify the specific virus that has infected a program.
     3. Removal:
        Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the virus cannot spread further.
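The following is an added example, not code from the original text, illustrating the detection/identification/removal steps above and why the concealment strategies listed earlier matter to them. It operates on constructed byte strings that stand in for executables: a clean program, a copy with a plainly visible virus body prepended (a file infector), and a copy whose body has been altered so the fixed signature no longer appears (standing in for an encrypted or polymorphic copy; no real cipher or mutation engine is involved). The signature name, the byte patterns and the file names are all assumptions made for the example. Signature scanning identifies the plain copy but misses the concealed one, while a hash baseline of trusted executables still detects that both files were modified, and removal is done by restoring the trusted copy.

```python
import hashlib

# Constructed sample "executables" (byte strings, not real programs).
CLEAN_PROGRAM = b"\x7fELF" + b"\x00" * 12 + b"main: do_work; exit"

# Constructed byte pattern used as the known signature of "Example.Virus.A".
VIRUS_SIGNATURE = b"COPY_ME_TO_NEXT_FILE"

# File infector: virus body prepended so it runs first, original code follows.
INFECTED_PLAIN = VIRUS_SIGNATURE + CLEAN_PROGRAM

# Stand-in for an encrypted/polymorphic copy: same layout, but the body bytes
# are altered so the fixed signature is absent (constructed; not a real cipher).
INFECTED_CONCEALED = bytes(b ^ 0x5A for b in VIRUS_SIGNATURE) + CLEAN_PROGRAM

# Assumed signature database: name -> byte pattern.
SIGNATURES = {"Example.Virus.A": VIRUS_SIGNATURE}


def scan_signatures(data, signatures=SIGNATURES):
    """Identification: names of known virus patterns found in the data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_baseline(trusted_files):
    """Record a SHA-256 digest of each trusted executable before any infection."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in trusted_files.items()}


def check_integrity(current_files, baseline):
    """Detection: files whose current digest differs from the recorded baseline.

    Files missing from the baseline are reported too, since they are unverified.
    """
    return sorted(
        name for name, data in current_files.items()
        if hashlib.sha256(data).hexdigest() != baseline.get(name)
    )


def triage(current_files, baseline, signatures=SIGNATURES):
    """Detection followed by identification: modified file -> virus names.

    A modified file with no signature match is still flagged, which is the
    case an encrypted or polymorphic copy produces.
    """
    report = {}
    for name in check_integrity(current_files, baseline):
        report[name] = scan_signatures(current_files[name], signatures) or ["unknown (no signature match)"]
    return report


def restore(current_files, trusted_files, names):
    """Removal: replace each flagged file with its trusted original copy."""
    repaired = dict(current_files)
    for name in names:
        if name in trusted_files:
            repaired[name] = trusted_files[name]
    return repaired


if __name__ == "__main__":
    trusted = {"app.bin": CLEAN_PROGRAM, "tool.bin": CLEAN_PROGRAM}
    baseline = build_baseline(trusted)
    # Later state of the same files: one plainly infected, one concealed.
    on_disk = {"app.bin": INFECTED_PLAIN, "tool.bin": INFECTED_CONCEALED}
    report = triage(on_disk, baseline)
    for name, found in report.items():
        print(f"{name}: {', '.join(found)}")
    repaired = restore(on_disk, trusted, report)
    print("after restore:", check_integrity(repaired, baseline) or "all files match baseline")
```

Running the script reports `app.bin` as `Example.Virus.A` and `tool.bin` as `unknown (no signature match)`: signature matching alone would have missed the concealed copy, which is why detection is separated from identification above. The baseline must be taken from files that are known to be clean and stored where the infected program cannot modify it, otherwise the integrity check has nothing trustworthy to compare against.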