Divya's Blog

Archive for the ‘computer virus’ Category

OLE2 Virus

  • This type of virus could easily spread by disguising itself as an OLE2 server of any common service.
  • Then, when an OLE2 client asks an OLE2 server to provide this common service, the virus could actually gain control.
  • It could propagate itself to other files or computers, then run the original OLE2 server it replaced. The application wouldn’t even know that it was talking with a virus rather than the actual OLE2 server.
  • And if the OLE2 server were on a completely different network computer, the virus could quickly spread itself throughout the network.

Extension virus

  • Another possible type of virus is a shell extension virus.
  •  Microsoft has made the shell in Windows 95 completely extensible to allow for customization. Technically, a virus could be one of those extensions.
  • Windows 95 requires no validation for shell extensions, so a virus could be written as an extension that could gain control and propagate itself

Virtual Device Driver(VxD) virus

  •  Another type of virus that could become popular is a Virtual Device Driver (VxD) virus.
  • A Windows 95 VxD has complete control over the entire computer system.
  • It can write directly to a hard disk if programmed to do so. It has the same privileges as the Windows 95 kernel, so it has a wide latitude of control over the system.
  • With Windows 95, Microsoft has added the ability to load VxDs dynamically—a VxD doesn’t need to be in memory at all times, but only when needed. That means that a virus could have a small amount of code that activates a dynamic VxD, which could then cause severe disruptions to the computer. Because there are no restrictions on what it can do, a VxD virus could bypass any type of protection mechanism you may have employed.
  • Another area that may present new opportunities for viruses is the proliferation of easy to-use programming tools for Windows.
  • In the past, virus writers required a more intimate knowledge of assembly language and the operating system to create TSRs to propagate.
  •  For Windows, viruses can be written in high-level languages with visual programming toolkits by more novice programmers. These viruses are also harder to detect since they look very much like all the other programs a user is running.


  • A STEALTH virus is one that, while “active“, hides the modifications it has made to files or boot records.
  • This is usually achieve by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions.
  • This means programs that try to read infected files or sectors see the original,uninfected form instead of the actual, infected form.
  • Thus the virus’s modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed and *this* may be detected by an antivirus program.


  • A COMPANION virus is one that, instead of modifying an existing file, creates a new program which (unknown to the user) is executed instead of the intended program.
  • On exit, the new program executes the original program so that things appear normal.
  • On PCs this has usually been accomplished by creating an infected .
  • COM file with the same name as an existing .EXE file.
  • Integrity checking antivirus software that only looks for modifications in existing files will fail to detect such viruses


  • An ARMORED virus is one that uses special tricks to make tracing, disassembling and understanding of its code more difficult.
  •  Example : Whale virus.


  • A CAVITY VIRUS is one which overwrites a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file, but preserving its functionality.
  • Example: Lehigh virus


  • A TUNNELLING VIRUS is one that finds the original interrupt handlers in DOS and the BIOS and calls them directly, thus bypassing any activity monitoring program (see D1) which may be loaded and have intercepted the respective interrupt vectors in its attempt to detect viral activity.
  •  Some antivirus software also uses tunnelling techniques in an attempt to bypass any unknown or undetected virus that may be active when it runs.

  • A POLYMORPHIC virus  produces varied but operational copies of itself.
  • These strategies have been employed in the hope that virus scanners (see D1) will not be able to detect all instances of the virus.
  • One method of evading scan string-driven virus detectors is self-encryption with a variable key.
  • These viruses (e.g. Cascade) are not termed “polymorphic”, as their decryption code is always the same. Therefore the decryptor can be used as a scan string by the simplest scan string-driven virus scanners.

A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus).

A scan string-driven virus scanner would have to exploit several scan strings (one for each possible decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with “noise” instructions (e.g. a No Operation instruction or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A).

A simple-minded, scan string-based virus scanner would not be able to reliably identify all variants of this sort of virus; rather, a sophisticated “scanning engine” has to be constructed after thorough research into the particular virus.

  • One of the most sophisticated forms of polymorphism used so far is the “Mutation Engine” (MtE) which comes in the form of an object module.
  • With the Mutation Engine any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.
  • The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses.

There are two main classes of viruses.

  • The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files.
  • There is also at least one PC virus that “infects” source code files by inserting code into C language source files that replicates the virus’s function in any executable that is produced from the infected source code files.
  • File infectors can be either DIRECT-ACTION or RESIDENT.
  • A direct-action virus or non-resident selects one or more programs to infect each time a program infected by it is executed. e.g vienna virus
  •  A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when *they* are executed.

The second main category of viruses is SYSTEM or BOOT-RECORD


These viruses infect executable code found in certain system areas on a disk. On PCs there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa and
Michelangelo. All common boot sector and MBR viruses are memory resident. These are often called “MULTIPARTITE” and another name is “BOOT-AND-FILE” virus.

Distinct classes of virus:

  • FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. The program itself is not physically altered, only the directory entry of the program file is.
  • LINK virus is another term occasionally used for these viruses, though it should be avoided, as “link virus” is commonly used in the Amiga world to mean “file infecting virus.”
  • KERNEL viruses target specific features of the programs that contain the “core”(or “kernel”) of an operating system

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 6 other followers

Subscribe our Blog

CLUSTER MAPS Locations of visitors to this page


Error: Please make sure the Twitter account is public.