Computer Viruses ... Part 2
Reasons for creating viruses
Unlike biological viruses, computer viruses do not simply evolve by themselves, except in the cases where copying errors and recombination have led to actual evolution of computer viruses; however, these cases are very rare compared to the rapid generation of new malware by human programmers. They cannot come into existence spontaneously, nor can they be created by bugs in regular programs. They are deliberately created by programmers, or by people who use virus creation software.
Virus writers can have various reasons for creating and spreading malware. Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies, and to distribute political messages. Some people think that the majority of viruses are created with malicious intent. On the other hand, some virus writers consider their creations to be works of art, and see virus writing as a creative hobby. Additionally, many virus writers oppose deliberately destructive payload routines. Some viruses were intended as "good viruses". They spread improvements to the programs they infect, or delete other viruses. These viruses are, however, quite rare, still consume system resources, may accidentally damage systems they infect, and, on occasion, have become infected and acted as vectors for malicious viruses. Moreover, they normally operate without asking for permission of the owner of the computer. Since self-replicating code causes many complications, it is questionable if a well-intentioned virus can ever solve a problem in a way which is superior to a regular program that does not replicate itself.
Releasing computer viruses (as well as worms) is a crime in most jurisdictions.
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they get executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
For simple viruses the replicator's task is to:
Open the new file
Check if the file has already been infected (if it is, return to the finder module)
Append the virus code to the executable file
Save the executable's starting point
Change the executable's starting point so that it points to the start location of the newly copied virus code
Save the old start location in the virus so that the virus branches to that location right after it has executed
Save the changes to the executable file
Close the infected file
Return to the finder so that it can find new files for the replicator to infect.
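The entry-point change in the steps above leaves a trace that a scanner can check. The following is an added example, not part of the original article: a common heuristic, written in Python, that flags a Windows PE file whose entry point lies in the last section or in a writable section. The build_sample helper and its two-section layout are constructed test data.

```python
import struct

MEM_WRITE = 0x80000000  # IMAGE_SCN_MEM_WRITE section flag

def entry_point_findings(pe):
    """Return heuristic flags for a PE image whose entry point looks redirected."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    (entry,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i        # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize = struct.unpack_from("<III", pe, off + 8)
        (flags,) = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, vaddr, max(vsize, rsize), flags))
    hit = [s for s in sections if s[1] <= entry < s[1] + s[2]]
    if not hit:
        return ["entry point outside every section"]
    name, _, _, flags = hit[0]
    findings = []
    if len(sections) > 1 and hit[0] is sections[-1]:
        findings.append(f"entry point in last section {name!r}")
    if flags & MEM_WRITE:
        findings.append(f"entry section {name!r} is writable")
    return findings

def build_sample(entry):
    """Constructed header-only image: .text at 0x1000, writable .rsrc at 0x2000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(224, b"\0")
    def sec(name, vaddr, flags):
        return struct.pack("<8sIIII12xI", name, 0x1000, vaddr, 0x1000, 0, flags)
    return (dos + b"PE\0\0" + coff + opt
            + sec(b".text", 0x1000, 0x60000020)   # code, execute, read
            + sec(b".rsrc", 0x2000, 0xE0000040))  # data, execute, read, write
```

Packers and some software protectors produce the same traits, so a hit is a reason to inspect the file, not proof of infection.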
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can get called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.
Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they will not slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behaviour by programs. The slow infector approach does not seem very successful, however. Viruses that are common in the wild are mostly relatively fast to extremely fast infectors.
Viruses have targeted various types of hosts. This is a non-exhaustive list:
Binary executable files (such as COM-files and EXE-files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
Boot sectors of floppy disks and hard disk partitions
The Master Boot Record of a hard disk
General purpose script files (such as batch files in MS-DOS and Microsoft Windows, and shell script files on UNIX platforms)
Application-specific script files (such as Telix-scripts)
Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, Microsoft Office files, and Microsoft Access database files)