
Appendix A
Grouping computer viruses by the way they work or, in computer terms, the kind of algorithm they use, gives the following categories:
• Resident;
• Stealth features;
• Self-encoding and polymorphic;
• Using sophisticated methods.
When a MEMORY-RESIDENT virus infects a computer, it places its resident code into RAM, where that code intercepts system calls to the objects to be infected and infects them. The memory-resident part of the virus stays in RAM and continues to actively infect files until the user shuts the computer down or restarts the infected system. NON-RESIDENT viruses do not infect RAM and are active for only a limited time. There are also non-resident viruses that place small resident programs into RAM; however, unlike memory-resident viruses, these programs do not distribute copies of the virus.
Macro viruses can also be considered memory-resident, since they stay in RAM for as long as the infected editor is running. The editor performs the functions of the operating system here, and "restarting the operating system" corresponds to exiting the editor.
In multi-purpose operating systems, a resident DOS virus may live only until the user closes the infected DOS window, and in some operating systems a boot virus stays active only until the OS disk drivers are installed.
The use of STEALTH FEATURES enables a virus to conceal itself partially or completely within a system. Interception of the system's read/write requests is the most popular way of implementing a stealth algorithm: the stealth virus temporarily disinfects the infected file, or substitutes the "healthy" data blocks for its own, whenever the file is read. For macro viruses, the most popular stealth feature is blocking the menu entry that lists the macros. One of the first file stealth viruses was Frodo, and the first boot-sector stealth virus was called Brain.
SELF-ENCODING and POLYMORPHIC features are used by almost all virus types to make detection difficult. Polymorphic viruses are hard to detect because they contain no constant code blocks: generally speaking, two samples of the same polymorphic virus will not have even a single matching code block. This is achieved by encoding the main virus body and varying the decoder from one copy to the next.
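The following is an added example, not part of this appendix, modelling why a fixed byte signature fails against a self-encoding body and why a scanner must decode (emulate) the sample first. The "virus body" is a constructed placeholder string, and the encoder is an assumed toy one-byte XOR with a per-sample key, standing in for the real decoder variation described above.

```python
# Constructed stand-in for a constant virus body; not real malicious code.
BODY = b"CONSTANT-VIRUS-BODY-PLACEHOLDER-BLOCK"
# The constant fragment a signature scanner would look for in the plain body.
SIGNATURE = b"VIRUS-BODY"


def make_sample(body: bytes, key: int) -> bytes:
    """Toy model of a self-encoding sample (assumption, not a real format):
    a one-byte 'decoder' key followed by the body XORed with that key.
    Every copy uses a different key, so the stored bytes differ each time."""
    return bytes([key]) + bytes(b ^ key for b in body)


def decode(sample: bytes) -> bytes:
    """What an emulating scanner does: run the decoder to recover the body."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def ngrams(data: bytes, n: int):
    """All length-n byte windows of data, used to look for shared code blocks."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_ngrams(a: bytes, b: bytes, n: int = 4):
    """Byte blocks of length n that two samples have in common."""
    return ngrams(a, n) & ngrams(b, n)


def static_signature_hit(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Naive scan: look for the plain signature in the stored bytes."""
    return sig in sample


def decode_then_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Scan after decoding, the approach that survives self-encoding."""
    return sig in decode(sample)


if __name__ == "__main__":
    s1, s2 = make_sample(BODY, 0x5A), make_sample(BODY, 0xC3)
    print("shared 4-byte blocks:", len(shared_ngrams(s1, s2)))   # 0
    print("static signature:", static_signature_hit(s1))          # False
    print("decode then scan:", decode_then_scan(s1))              # True
```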
The UNUSUAL METHODS used by viruses include hiding deep in the OS kernel (the virus called 3APA3A), concealing the resident copy from detection (the viruses called TPVO and Trout2), making the system difficult to clean (for example, by placing a copy of the virus in the Flash BIOS), etc.
Classifying viruses by their destructive capabilities (or the lack of them) gives us the following categories: