Crime Branch Advisory
A computer virus is a computer program that can infect other computer
programs by modifying them in such a way as to include a (possibly
evolved) copy of itself. Note that a program does not have to perform
outright damage (such as deleting or corrupting files) in order
to be called a "virus".
Many people use the term
loosely to cover any sort of program that tries to hide its (malicious)
function and tries to spread onto as many computers as possible.
Viruses are very dangerous; they are spreading faster than they
are being stopped, and even the least harmful of viruses could
be fatal. For example, a virus that stops a computer and displays
a message, in the context of a hospital life-support computer,
could be fatal. Even the creator of a virus cannot stop it once
it is "in the wild".
The main types of PC viruses
Generally, there are two main classes
of viruses. The first class consists of the file infectors, which
attach themselves to ordinary program files. These usually infect
arbitrary .COM and/or .EXE programs, though some can infect any
program for which execution is requested, such as .SYS, .OVL, .PRG,
& .MNU files. File infectors can be either direct action or
resident. A direct-action virus selects one or more other programs
to infect each time the program that contains it is executed. A
resident virus hides itself somewhere in memory the first time an
infected program is executed, and thereafter infects other programs
when they are executed (as in the case of the Jerusalem 185 virus)
or when certain other conditions are fulfilled. The Vienna virus
is an example of a direct-action virus. Most other viruses are resident.
The second category is system or boot-record infectors: those viruses
that infect executable code found in certain system areas on a disk,
which are not ordinary files. On DOS systems, there are ordinary
boot-sector viruses, which infect only the DOS boot sector, and
MBR viruses which infect the Master Boot Record on fixed disks and
the DOS boot sector on diskettes. Examples include Brain, Stoned,
Empire, Azusa, and Michelangelo. Such viruses are always resident
viruses. Finally, a few viruses are able to infect both (the Tequila
virus is one example). These are often called "multi-partite"
viruses, though there has been criticism of this name; another name
is "boot-and-file" virus.
File system or cluster viruses (e.g.
Dir-II) are those that modify directory table entries so that the
virus is loaded and executed before the desired program is. Note
that the program itself is not physically altered; only the directory
entry is. Some consider these infectors to be a third category of
viruses, while others consider them to be a sub-category of the
A stealth virus is one that hides
the modifications it has made in the file or boot record, usually
by monitoring the system functions used by programs to read files
or physical blocks from storage media, and forging the results of
such system functions so that programs which try to read these areas
see the original uninfected form of the file instead of the actual
infected form. Thus the viral modifications go undetected by anti-viral
programs. However, in order to do this, the virus must be resident
in memory when the anti-viral program is executed.
The very first DOS virus, Brain,
a boot-sector infector, monitors physical disk I/O and redirects
any attempt to read a Brain-infected boot sector to the disk area
where the original boot sector is stored. The next viruses to use
this technique were the file infectors Number of the Beast and Frodo.
A polymorphic virus is one that produces
varied (yet fully operational) copies of itself, in the hope that
virus scanners will not be able to detect all instances of the virus.
The most sophisticated form of polymorphism discovered so far is
the MtE "Mutation Engine" written by the Bulgarian virus
writer who calls himself the "Dark Avenger".
Fast and slow infectors
A typical file infector (such as
the Jerusalem) copies itself to memory when a program infected by
it is executed, and then infects other programs when they are executed.
A fast infector is a virus which, when it is active in memory, infects
not only programs which are executed, but also those which are merely
opened. The result is that if such a virus is in memory, running
a scanner or integrity checker can result in all (or at least many)
programs becoming infected all at once.
The term "slow infector"
is sometimes used for a virus that, if it is active in memory, infects
only files as they are modified (or created). The purpose is to
fool people who use integrity checkers into thinking that the modification
reported by the integrity checker is due solely to legitimate reasons.
An example is the Darth Vader virus.
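The integrity checkers mentioned in the fast- and slow-infector passages work by recording a baseline of file hashes and reporting anything that later differs. The following is an added example (not part of the advisory) of such a checker in Python; the directory, file names and the appended bytes are constructed for the demo. The comments note the two limits the text describes: a resident stealth virus forges the reads the checker relies on, and a slow infector times its infection to coincide with legitimate edits.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large programs are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> (sha256, size).
    Only trustworthy when taken and re-taken from a clean boot: a resident
    stealth virus hooks the read calls used here and returns the original
    bytes, so an infected system would hash what the virus wants seen."""
    return {str(p.relative_to(root)): (hash_file(p), p.stat().st_size)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report modified, added and missing files. A slow infector only
    touches files that are legitimately being modified, so every entry in
    'modified' should be scanned rather than silently re-baselined."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: two programs baselined, one grows, one appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "EDIT.COM").write_bytes(b"\xb4\x4c\xcd\x21")
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 60)
        base = snapshot(root)
        # Constructed change: bytes appended to GAME.EXE, the way an
        # appending file infector would grow its host.
        with open(root / "GAME.EXE", "ab") as f:
            f.write(b"constructed-appended-bytes")
        (root / "NEW.SYS").write_bytes(b"\x00")
        return compare(base, snapshot(root))
```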