The Infomation Technology (Certifying Authority) Regulations, 2001
The Cyber Regulations Appellate Tribunal
 
Cyber Crime Branch Advisory
The Nigerian Scam
Important Links
Cyber Crime Investigation Cell
Delhi Police
Delhi Traffic Police

Viruses

A computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of it. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus".

Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. Viruses are very dangerous; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops a computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even the creator of a virus cannot stop it once it is "in the wild".

The main types of PC viruses

Generally, there are two main classes of viruses. The first class consists of the file infectors, which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, & .MNU files. File infectors can be either direct action or resident. A direct-action virus selects one or more other programs to infect each time the program that contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when they are executed (as in the case of the Jerusalem 185 virus) or when certain other conditions are fulfilled. The Vienna virus is an example of a direct-action virus. Most other viruses are resident. The second category is system or boot-record infectors: those viruses that infect executable code found in certain system areas on a disk, which are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses. Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called "multi-partite" viruses, though there has been criticism of this name; another name is "boot-and-file" virus.

File system or cluster viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered; only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

Stealth virus

A stealth virus is one that hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the viral modifications go undetected by anti-viral programs. However, in order to do this, the virus must be resident in memory when the anti-viral program is executed.

The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and redirects any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo.

Polymorphic virus

A polymorphic virus is one that produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus. The most sophisticated form of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger".

Fast and slow infectors

A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed. A fast infector is a virus which, when it is active in memory, infects not only programs which are executed, but also those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once.

The term "slow infector" is sometimes used for a virus that, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus

 

India Cyber Law and Cases

Welcome to the largest Database of Cyber Law and Cases from India. We publish cyber law cases & news from India. Send your suggestions / articles / news


Latest News

20 November 2010
30-Month Sentence For Bot Nets Used To Obtain Information From Other Computer Systems
19 October 2010
Computer Specialist Pleads Guilty to Securities Fraud Committed through Hacking, Botnets, Spam and Market Manipulation
   
 
 
 
Cyber Crime Branch Advisory
The Nigerian Scam
 
Important Links
Cyber Crime Investigation Cell
Delhi Police
Delhi Traffic Police