Viruses can be divided into classes according to the following characteristics:
environment
operating system (OS)
operating algorithms
destructive capabilities
Do not forget that there also exist other "harmful" programs or so-called
"malware," such as Trojan horses.
According to the ENVIRONMENT, viruses can be divided into the following:
file
boot
macro
network
File viruses either infect executables in various ways (parasitic viruses, the most common
type), create file doubles (companion viruses), or use file-system specific
features (link viruses).
Boot viruses either save themselves in a disk boot sector or to the Master Boot Record,
or change the pointer to an active boot sector.
Macro-viruses infect document files, electronic spreadsheets and databases of several
popular software packages.
Network viruses use protocols and commands of a computer network or e-mail to spread
themselves.
There exists a large number of combinations; for example, file-boot viruses infect
both files and boot sectors on disks. As a rule, these viruses have rather complicated
operating algorithms, often use unusual methods of intrusion into the system, and use Stealth
and polymorphic technologies. Another example of a combination is a network macro-virus,
which not only infects documents being edited, but also sends copies of itself by e-mail.
The target OPERATING SYSTEM (namely, the OS-specific objects prone to attack) is the
second level of division of viruses into classes. Each file or network virus infects the
files of one particular OS or of several OSes - DOS, Windows 3.xx, Windows95/NT, OS/2 etc.
Macro-viruses infect Word, Excel and Office97 format files. Boot viruses are also format
oriented, each attacking one particular system-data format in disk boot sectors.
Among OPERATING ALGORITHMS the following features stand out:
TSR capability
the use of Stealth algorithms
self encryption and polymorphic capability
the use of non-standard techniques
A TSR virus, while infecting a computer, leaves its resident part in RAM, which then
intercepts system calls to target objects and inserts itself into them. Resident
viruses reside in memory and are active until power down or until the operating system is rebooted.
Nonresident viruses do not infect computer memory and are active for a limited time only.
Some viruses leave small resident parts in RAM which do not spread the virus; such
viruses are considered nonresident.
Macro-viruses can also be considered resident, because they reside in the computer
memory during the entire running time of the infected editor program. Here the editor
plays the role of the operating system, and "system reboot" means termination of the
editor program.
In multitasking operating systems, the lifetime of a resident DOS virus can also be
limited to the moment the infected DOS window is closed, and the activity of boot viruses
in some operating systems ends at the moment the OS installs its own disk drivers.
The use of Stealth algorithms allows viruses to completely or partially cover their
tracks inside the OS. The most common stealth algorithm is the interception of OS
read/write calls to infected objects: stealth viruses either temporarily disinfect the
objects or substitute uninfected data for their own code. In the case of macro-viruses,
the most popular technique is to disable the ViewMacro menu(s).
"Frodo" is one of the first file Stealth viruses; "Brain" is the first
boot Stealth virus.
SELF-ENCRYPTING and POLYMORPHIC capabilities are used by virtually all types of viruses
to make the virus detection procedure as complicated as possible. Polymorphic viruses are
really hard to detect: they have no signatures, that is, none of their code fragments
remain unchanged. In most cases, two samples of a polymorphic virus will not have a
single match when compared byte by byte. This may be achieved by encrypting the main
body of the virus and making modifications to the decryption routine.
A variety of NONSTANDARD TECHNIQUES are used in viruses to hide themselves as deep as
possible in the OS kernel (as in "3APA3A"), to protect their resident copy from
being detected ("TPVO", "Trout2"), to make curing more difficult (for
example, by placing a copy into the Flash BIOS), etc.
Based on their DESTRUCTIVE CAPABILITIES, viruses can be divided as follows:
harmless, that is, having no effect on computing (except for the lowering of free
disk space as a result of propagation);
not dangerous, limiting their effect to the lowering of free disk space and a few
graphical, sound or other effects;
dangerous viruses, which may seriously disrupt a computer's operation;
very dangerous, the operating algorithms of which intentionally contain routines that
may lead to loss of data, data destruction, erasure of vital information in system areas,
and even, according to one of the unconfirmed computer legends, damage to the
moving mechanical parts of some types of HDDs by causing resonance.
But even if no destructive branches can be found in the algorithm of a virus, one
cannot be perfectly sure that this virus is harmless, because its infiltration into a
computer may prove to be unpredictable and sometimes have catastrophic consequences. This
is due to the fact that any virus, like any program, may contain errors, which may damage
both files and disk sectors (for example, the seemingly harmless "DenZuk" virus
works rather correctly with 360K diskettes, but can destroy information on high capacity
diskettes). There are also viruses which determine whether a file is COM or EXE not
according to the internal structure of the file, but according to its extension. Of
course, if the file format does not match the file extension, the file becomes unusable
after it has been infected. System lock-ups are also possible when a resident virus
infects a newer version of DOS, or while running under Windows, or also with other
powerful software systems, etc.
Boot Viruses
Boot viruses infect the boot sector of a floppy disk and the boot sector or Master
Boot Record (MBR) of a hard disk. The operating principle of boot viruses is based on the
algorithm by which an operating system is started upon power-on or reboot. After the necessary
hardware tests (of memory, disks etc.), the system loader routine reads the first physical
sector of the boot disk (A:, C: or CD-ROM, depending on the options in BIOS Setup) and passes
control to it.
In the case of a diskette or CD-ROM, control is passed to the boot sector, which
analyzes the BIOS Parameter Block (BPB), calculates the OS system file addresses, reads
them into memory and executes them. These system files are usually MSDOS.SYS and IO.SYS,
or IBMDOS.COM and IBMBIO.COM, or others depending on the DOS version, Windows or other
operating system. If the boot disk does not contain operating system files, the boot
sector routine outputs an error message and suggests changing the boot disk.
In the case of a hard disk, control is passed to the routine placed in the MBR. This
routine analyzes the Disk Partition Table, calculates the address of the active boot
sector (usually this is the C:-drive boot sector), loads it into memory and passes control
to it. Having received control, the active boot sector of the hard disk performs the same
actions as the diskette boot sector.
Upon infecting disks, boot viruses "substitute" their code in the place of
the program code that received control upon system boot up. Therefore, the principle of
infecting is the same in all of the above methods: upon boot up, the virus
"forces" the system to read into memory and pass control to the virus code, not
the original loader routine code.
Diskette infecting is done using the only known method - a virus rewrites the original
boot sector code with its own code. A hard disk can be infected in three known ways: a
virus writes itself either in place of the MBR code or the boot sector code of the boot
disk (C: drive usually), or modifies the address of the active boot sector in the Disk
Partition Table, situated in the MBR of the hard disk drive.
When infecting the disk, the virus, in most cases, moves the original boot sector (or
MBR) to some other sector of the disk (for example, the first available sector). If the
virus size exceeds the size of the sector, then the target sector will contain the first
part of the virus, with the rest of it placed in the other sectors (for example in the
first unoccupied).
uninfected disk

   0     1     2   . . .                                   (sector No)
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
|.....|     |     |      |     |     |     |     |     |
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
   |
   +-- Boot sector or Master Boot Record

Infected disk (replaced boot/MBR)

   0     1     2   . . .
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
|XXXXX|     |     |      |     |.....|XXXXX|XXXXX|XXXXX|
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
   |                              |   |      ...       |
   +-- Virus top                  |   +----------------+
                                  |      +-- The rest of virus
                                  |
                                  +-- Original Boot or Master Boot Record

Infected disk (modified address of active boot sector)

   0     1     2   . . .
+-----+-----+-----+--- --+-----+-----+-----+-----+---
|....X|     |     |      |     |XXXXX|XXXXX|XXXXX|
+-----+-----+-----+--- --+-----+-----+-----+-----+---
     ^                          |               |
     +-- Modified               +---------------+
         Disk Partition Table       +-- Main virus code
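The Disk Partition Table checks the diagrams above suggest can be turned into a small sanity check. This added example (not from the original text) parses a 512-byte MBR image, compares the loader code against a recorded baseline hash, and flags an active entry whose CHS start disagrees with its LBA field or points into the track-0 gap behind the MBR, the traces a replaced loader or a redirected active-boot-sector address leave behind. The geometry, loader bytes and partition layout are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446          # loader code; the Disk Partition Table starts right after it
SIG_OFFSET = 510        # the 0xAA55 boot signature ends the sector

# Constructed geometry for the samples below: 16 heads, 63 sectors per track, 100 cylinders.
HEADS, SPT, CYLS = 16, 63, 100
DISK_SECTORS = HEADS * SPT * CYLS


def chs_to_lba(cyl, head, sec):
    return (cyl * HEADS + head) * SPT + (sec - 1)


def parse_entries(mbr):
    """Decode the four 16-byte Disk Partition Table entries (unused ones are dropped)."""
    out = []
    for i in range(4):
        e = mbr[CODE_LEN + 16 * i: CODE_LEN + 16 * (i + 1)]
        sec, cyl = e[2] & 0x3F, ((e[2] & 0xC0) << 2) | e[3]
        lba_start, size = struct.unpack_from("<II", e, 8)
        out.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                    # the starting sector as the CHS fields describe it, if they are filled in
                    "chs_lba": chs_to_lba(cyl, e[1], sec) if sec else None,
                    "start": lba_start, "size": size})
    return [p for p in out if p["type"] != 0]


def check_mbr(mbr, baseline_code_sha256=None):
    """Sanity-check one MBR sector; returns a list of findings (empty means clean)."""
    findings = []
    if len(mbr) != SECTOR or struct.unpack_from("<H", mbr, SIG_OFFSET)[0] != 0xAA55:
        return ["image is not a 512-byte sector ending in 0xAA55"]
    if baseline_code_sha256 and hashlib.sha256(mbr[:CODE_LEN]).hexdigest() != baseline_code_sha256:
        findings.append("code: loader differs from the recorded baseline (replaced MBR code)")
    parts = parse_entries(mbr)
    if sum(p["active"] for p in parts) != 1:
        findings.append("table: number of active entries is not exactly 1")
    for p in parts:
        tag = f"entry {p['index']}"
        boot = p["chs_lba"] if p["chs_lba"] is not None else p["start"]
        if p["chs_lba"] is not None and p["chs_lba"] != p["start"]:
            findings.append(f"{tag}: CHS start (LBA {p['chs_lba']}) disagrees with the LBA field ({p['start']})")
        if p["start"] == 0 or p["start"] + p["size"] > DISK_SECTORS:
            findings.append(f"{tag}: extent lies outside the disk")
        if p["active"] and boot < SPT:
            findings.append(f"{tag}: active boot sector address points into the track-0 gap behind the MBR")
        for q in parts:
            if q["index"] > p["index"] and p["start"] < q["start"] + q["size"] and q["start"] < p["start"] + p["size"]:
                findings.append(f"{tag}: overlaps entry {q['index']}")
    return findings


def make_entry(active, ptype, cyl, head, sec, lba_start, size):
    """Build one DPT entry; the end-CHS bytes stay zero because the checks above ignore them."""
    b2 = (sec & 0x3F) | ((cyl >> 2) & 0xC0)
    return struct.pack("<BBBBB3xII", 0x80 if active else 0, head, b2, cyl & 0xFF, ptype, lba_start, size)


def make_mbr(code, entries):
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return code.ljust(CODE_LEN, b"\0") + table + struct.pack("<H", 0xAA55)


# Constructed samples: a placeholder stands in for genuine loader code.
CLEAN_LOADER = b"constructed clean loader".ljust(CODE_LEN, b"\x90")
BASELINE = hashlib.sha256(CLEAN_LOADER).hexdigest()
PART_SIZE = DISK_SECTORS - chs_to_lba(0, 1, 1)       # one partition from head 1 to the disk end


def clean_mbr():
    return make_mbr(CLEAN_LOADER, [make_entry(True, 0x06, 0, 1, 1, 63, PART_SIZE)])


def redirected_mbr():
    """Loader code overwritten and the active entry's CHS start moved to track 0, sector 8."""
    tampered = b"constructed replaced loader".ljust(CODE_LEN, b"\xcc")
    return make_mbr(tampered, [make_entry(True, 0x06, 0, 0, 8, 63, PART_SIZE)])


if __name__ == "__main__":
    for name, image in (("clean", clean_mbr()), ("redirected", redirected_mbr())):
        print(name, check_mbr(image, BASELINE) or ["no findings"])
```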
Several options for placing the original boot sector and the rest of the virus on a disk are
known to exist: in the sectors of free clusters of a logical drive, in unused or
rarely used system sectors, and in sectors outside the bounds of the drive.
If the virus places its continuation in the sectors belonging to free clusters of
the disk (while searching for these sectors, the virus has to analyze the File Allocation
Table - FAT), then, as a rule, the virus marks these sectors in the FAT as bad (the
so-called pseudo-bad clusters). This method is used by the "Brain" and
"Ping-Pong" viruses and some others.
The other method is utilized by the viruses of the "Stoned" family. These
viruses place the original boot sector in an unused or rarely used sector: on a hard disk,
if available, one of the sectors between the MBR and the first boot sector; on a diskette,
one of the last sectors of the root directory.
Some viruses record their code in the last sectors of the hard disk, because those
sectors are used only when the hard disk is completely filled with information (which
happens rarely, especially considering the size of modern hard disk drives). However,
these viruses damage the OS/2 file system, which in some cases keeps the
active boot sector and system data exactly in the last sectors of the hard disk.
The method of saving the rest of the virus outside the logical disk is encountered less
often. This is achieved in two ways. The first one is reducing the size of logical drives: the
virus subtracts the necessary numbers from the corresponding fields of the BPB of the boot sector
and of the Disk Partition Table of the hard disk (if a hard disk is being infected), thus
reducing the size of the logical drive, and records its code into the cut-off sectors.
The second way is to record data outside the physical partitions of the disk. In the
case of a floppy disk, in order to achieve this, the virus must format an additional track
on it (the method of non-standard formatting), for example, the 40th track on a 360K
diskette or the 80th track on a 1.2M or a 1.4M diskette. There also exist viruses that
write their code outside the borders of available hard disk-drive space if, of course,
this is permitted by the hardware (see the "Hare" virus).
Of course there exist other methods of placing a virus on a disk; for example, the
"Azusa" family viruses contain the standard MBR loader in their body and, after
infecting, record themselves over the original MBR without saving it.
When infecting, the majority of viruses copy the system information of the original
loader (for the MBR, this information is the Disk Partition Table; for the diskette boot
sector it is the BIOS Parameter Block) into the code of their own loader. Otherwise, the
system would be unable to load itself, because the disk addresses of the system components
are calculated from this information. Such viruses can be rather easily removed by
overwriting the code of the system loader in the boot sector or in the MBR. To do this, it
is necessary to boot from an uninfected system diskette and use the SYS command to
disinfect diskettes and logical drives of a hard disk, or FDISK /MBR to cure the infected
MBR sector.
Several 100-percent stealth viruses, however, do not save this information, and even
intentionally encrypt it. When the OS or other programs issue calls to the infected
sectors, the virus substitutes their uninfected originals, and the system boots up
flawlessly; but curing the MBR with FDISK /MBR in such a case leads to the
loss of the partitioning information in the Disk Partition Table. Should this occur, the disk
may be "revived" either by re-formatting, with the loss of all information, or
by manually restoring the Disk Partition Table, which requires a certain level of skill.
It is also worth mentioning that boot viruses very rarely coexist on one disk:
they often use the same disk sectors to place their code/data. Therefore, the code/data of
the first virus are destroyed when the disk is infected with the second virus, and the system
either hangs upon boot up, or enters an endless loop (which also amounts to hanging).
Boot viruses can also mean a lot of trouble for the users of newer operating systems
(Novell, Windows95, OS/2). Although these systems work with disks directly
(bypassing BIOS calls), which blocks the virus and makes its further spreading
impossible, the virus code in a few cases nevertheless receives control upon system reboot.
For example, the "March6" virus can "live" in the MBR of a server and not
influence the server's operation and performance in any way. However, in the case of an
accidental reboot on the sixth of March, this virus will completely destroy all the data
on the disk.
File Viruses
This group contains viruses using the OS (a particular one or several ones) file system
in one way or another to propagate.
The possibility of incorporating a file virus into virtually any executable of
virtually any popular OS does exist. As of today, there are known viruses infecting all
kinds of executables of standard DOS: batch command files (BAT), loadable drivers (SYS,
including the special purpose files IO.SYS and MSDOS.SYS) and binary executables (EXE, COM).
There also exist viruses targeting executables of other operating systems - Windows 3.x,
Windows95/NT, OS/2, Macintosh, Unix, including the VxD drivers of Windows 3.x and
Windows95.
There also are viruses infecting files containing program source code, libraries or
object modules. There are also viruses that save themselves in data files, but this happens
either as a result of the erratic behavior of the particular virus, or when the virus's
aggressive routine is at work. Macro-viruses also save their code in databases - documents
or spreadsheets - but these viruses are so peculiar that they are categorized into a
separate group.
According to the method of infecting files, viruses are divided into
"overwriting", "parasitic", "companion" viruses,
"link" viruses, worm viruses and viruses infecting object modules (OBJ),
compiler libraries (LIB) and source code.
Parasitic Viruses
Parasitic viruses are all the file viruses which have to change the contents of target
files while transferring copies of themselves into them, but the files themselves remain
completely or partly usable. The main kinds of these viruses are the "prepending"
viruses (saving themselves at the top of the file), "appending" (saving themselves
at the end of the file), and "inserting" (inserting themselves in the middle of the
file). The insertion methods may also differ: by moving a fragment of the file
towards the end of the file, or by copying the virus's own code to parts of the file which are
known to be unused ("cavity" viruses).
Virus Incorporation to the Top of File
There are two known methods of incorporating a parasitic file virus at the top of a
file. The first one consists of copying the top of the target file to the end of the file
and then copying the virus body into the freed space at the top of the file. In the
second method the virus creates its copy in RAM, appends the target file to it and then saves
the resulting concatenation to disk. Besides that, some viruses append a block of
additional information to the end of the file (for example, the "Jerusalem"
virus uses this block to tell infected files from uninfected ones).
+--------+--------------------+            Incorporating into the top of file
|             File            |            by first method
+--------+--------------------+
    |
    +------------------------------+
                                   V
+ - - - -+--------------------+---------+
|  Free  |        File        |         |
+ - - - -+--------------------+---------+

+--------+--------------------+---------+- - +
| Virus  |        File        |         |    |
+--------+--------------------+---------+- - +

+-----------------------------+             Incorporating into the top of file
|            File             |             by second method
+-----------------------------+
|                             |
+--------+                    +--------+
         V                             V
+ - - - -+-------------------------------+
|  Free  |             File              |
+ - - - -+-------------------------------+

+--------+-------------------------------+- - +
| Virus  |             File              |    |
+--------+-------------------------------+- - +
Virus incorporation at the top of a file is used in the vast majority of cases when
infecting DOS BAT and COM files. However, there are several known viruses incorporating
themselves at the top of EXE files of the DOS, Windows and even Linux operating systems.
For the target executable to remain usable, these viruses either cure the
infected file, run it, wait for it to terminate and then incorporate themselves back at its top
(sometimes a temporary file containing the "disarmed" executable is used for this
purpose), or restore the original executable code of the program in RAM
and relocate the necessary addresses in the program's body (in other words, do the job of
the OS).
Virus Incorporation to the End of a File
The most common method of virus incorporation into a file is appending the virus to
the end of the file. In this process, the virus changes the top of the file in such a way that
the virus code is executed first.
In a DOS COM file, in most cases this is achieved by changing the first three (or more)
bytes to the instruction code of JMP Loc_Virus (or to the address of the routine passing
control to the body of the virus). A DOS EXE file is either converted to the COM format
and then infected as a COM file, or its header is modified. In the DOS EXE file
header, the starting address (CS:IP) is changed, the length of the executable module
(file) is changed, and, less often, the stack pointer registers (SS:SP), the file CRC etc.
are changed. In Windows and OS/2 executables (NewEXE - NE, PE, LE, LX), the
fields of the NewEXE header are changed. The structure of this header is much more
complicated than that of a conventional DOS EXE file, so there are more fields to be
changed - the starting address, the number of sections in the file, properties of the
sections etc. In addition, before infection, the file size may be rounded up to
a multiple of one paragraph (16 bytes) in DOS or of one section in Windows and OS/2 (the
section size depends on the properties of the EXE file header).
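As an added example (not part of the original text), the following triage heuristic reads the layout fields the text names, the leading JMP of a COM file and the CS:IP, page count and header size of a DOS EXE header, and reports when execution would start in the last tenth of the module. The COM and EXE images are constructed layouts with inert filler, not real programs, and the 90 % threshold is an assumption.

```python
import struct

MZ_HEADER = "<2sHHHHHHHHHHHHH"   # e_magic through e_ovno: the 28-byte fixed DOS EXE header


def mz_layout(data):
    """Return (entry_file_offset, module_size) for a DOS MZ executable, or None if it is not one."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        return None
    (_, e_cblp, e_cp, _relocs, e_cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, e_ip, e_cs, _lfarlc, _ovno) = struct.unpack_from(MZ_HEADER, data)
    # e_cp counts 512-byte pages, e_cblp the bytes used in the last page (0 = full page)
    module = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    # CS is relative to the load segment, which begins right after the header
    entry = e_cparhdr * 16 + (e_cs << 4) + e_ip
    return entry, module


def com_entry(data):
    """File offset executed first in a COM image: 0 unless the file opens with a near JMP (E9 rel16).

    A COM image is loaded at CS:0100h, so file offset f corresponds to IP = f + 100h."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = struct.unpack_from("<h", data, 1)[0]
        return ((0x103 + rel) & 0xFFFF) - 0x100
    return 0


def entry_position(data, kind):
    """Where execution starts, as a fraction of the module (0.0 = top, close to 1.0 = end)."""
    if kind == "exe":
        layout = mz_layout(data)
        if layout is None or layout[1] == 0:
            return None
        return layout[0] / layout[1]
    return com_entry(data) / len(data) if data else None


def looks_appended(data, kind, threshold=0.9):
    """Triage heuristic: an entry point inside the last 10% of the module is the trace left
    by the appending technique (JMP Loc_Virus in a COM, changed CS:IP in an EXE).

    EPO viruses leave the entry point alone and escape this check, and packers or
    self-extracting archives legitimately trip it, so a hit means 'look closer', not 'infected'."""
    ratio = entry_position(data, kind)
    return ratio is not None and ratio >= threshold


# --- constructed samples (layouts only, not real programs) -------------------------

# 1000-byte COM: a few real instructions followed by NOP filler
HOST_COM = b"\xb4\x09\xba\x0e\x01\xcd\x21\xb8\x00\x4c\xcd\x21hello$" + b"\x90" * 982


def com_with_tail(host, tail):
    """Lay out a COM whose first three bytes jump to a block appended at the end, as the text
    describes; the appended block here is inert filler."""
    rel = (len(host) - 3) & 0xFFFF
    return b"\xe9" + struct.pack("<H", rel) + host[3:] + tail


def mz_image(code, entry_in_code):
    """Minimal MZ file: 32-byte header (2 paragraphs), no relocations, code right after it."""
    size = 32 + len(code)
    e_cp, e_cblp = -(-size // 512), size % 512
    hdr = struct.pack(MZ_HEADER, b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF,
                      0, 0xFFFE, 0, entry_in_code, 0, 0x1C, 0)
    return hdr.ljust(32, b"\0") + code


if __name__ == "__main__":
    print("host COM  ", looks_appended(HOST_COM, "com"))                                        # False
    print("COM + tail", looks_appended(com_with_tail(HOST_COM, b"\xcc" * 100), "com"))         # True
    print("clean EXE ", looks_appended(mz_image(b"\x90" * 2000, 0), "exe"))                    # False
    print("EXE + tail", looks_appended(mz_image(b"\x90" * 2000 + b"\xcc" * 100, 2000), "exe"))  # True
```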
Viruses incorporated into DOS SYS files append themselves to the body of the
file and modify the addresses of the Strategy and Interrupt routines of the target file
(there are viruses changing the address of only one of those routines). When the infected
driver is initialized, the virus intercepts the corresponding operating system call and
passes it on to the driver, then waits for the answer to this call, modifies it, and remains
in the same RAM block together with the driver. A virus like this can be very dangerous
and very hard to eradicate, because it is loaded into RAM during the DOS boot earlier
than any anti-virus program, unless, of course, the anti-virus program is itself a driver.
+---------+----------------------+                Not infected SYS file
| Header  | Driver code and data |
+---------+----------------------+

  +---------------------------------+              Infected SYS file
  |  +----------------------------------+
  |  |                              V   V
+---------+----------------------+---------------------------+
| Header  | Driver code and data |           Virus           |
+---------+----------------------+---------------------------+
There also are viruses infecting system drivers in another way. These viruses modify
the header in such a way that DOS considers the infected file to be the chain of two or
more drivers.
+---------+----------------------+                Not infected SYS file
| Header  | Driver code and data |
+---------+----------------------+

  +-----------------------------------+            Infected SYS file
  |                                   V
+---------+----------------------+---------+-----------------+
| Header  | Driver code and data | Header  |      Virus      |
+---------+----------------------+---------+-----------------+
In a similar way, the virus can write its code to the top of the driver and, if a file
contains several drivers, to the middle of the file as well.
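The two SYS-file diagrams can be checked mechanically. This added example (not from the original text) walks the device-driver header chain of a .SYS image and compares it against two facts known about the genuine driver, its header count and its length, so that both infection styles show up: Strategy/Interrupt offsets that point past the original end of file, and an extra header chained behind the original driver. The driver bytes and the names CONSTRCT and EXTRA are constructed.

```python
import struct

HDR = "<HHHHH8s"   # next pointer (offset, segment), attributes, Strategy, Interrupt, name/units
HDR_LEN = 18


def walk_drivers(image):
    """Follow the header chain of a DOS .SYS file, yielding one dict per driver header.

    The offset half of the next pointer is 0xFFFF in the last header; in a file holding
    several drivers it is the file offset of the following header."""
    off, seen = 0, set()
    while off not in seen and off + HDR_LEN <= len(image):
        seen.add(off)
        nxt, _seg, attr, strategy, interrupt, name = struct.unpack_from(HDR, image, off)
        yield {"at": off, "attr": attr, "strategy": strategy, "interrupt": interrupt,
               "name": name.rstrip(b" ").decode("ascii", "replace")}
        if nxt == 0xFFFF:
            return
        off = nxt


def audit_sys(image, expected_drivers, original_size):
    """Check a .SYS file against two facts about the genuine driver: how many headers it
    chains together and how long it is. Returns a list of findings (empty = intact).

    Routine offsets are relative to the file start because DOS loads the whole file at one
    segment, so an offset at or beyond original_size points into appended data."""
    findings = []
    drivers = list(walk_drivers(image))
    if len(drivers) != expected_drivers:
        findings.append(f"chain: {len(drivers)} driver headers, expected {expected_drivers}")
    for d in drivers:
        for routine in ("strategy", "interrupt"):
            if d[routine] >= original_size:
                findings.append(f"{d['name']}: {routine} routine at {d[routine]:#06x} lies beyond "
                                f"the original {original_size} bytes")
    if len(image) > original_size:
        findings.append(f"size: {len(image) - original_size} bytes follow the original driver")
    return findings


# --- constructed samples -----------------------------------------------------------

def make_driver(name, code, base=0, next_off=0xFFFF, strategy=None, interrupt=None):
    """Header plus a code blob; a driver placed at file offset `base` gets routine offsets
    defaulting to the first bytes of its blob."""
    strategy = base + HDR_LEN if strategy is None else strategy
    interrupt = base + HDR_LEN + 3 if interrupt is None else interrupt
    hdr = struct.pack(HDR, next_off, 0xFFFF, 0x8000, strategy, interrupt, name.ljust(8).encode())
    return hdr + code


CODE = b"\xcb" * 3 + b"\x90" * 97                      # 100 bytes standing in for driver code
CLEAN = make_driver("CONSTRCT", CODE)                  # header + code = 118 bytes
ORIGINAL_SIZE = len(CLEAN)

# first diagram: Strategy/Interrupt now point into a block appended after the driver
APPENDED = make_driver("CONSTRCT", CODE, strategy=ORIGINAL_SIZE,
                       interrupt=ORIGINAL_SIZE + 3) + b"\xcc" * 60

# second diagram: the header chains to a second header placed after the original driver
CHAINED = (make_driver("CONSTRCT", CODE, next_off=ORIGINAL_SIZE)
           + make_driver("EXTRA", b"\xcc" * 60, base=ORIGINAL_SIZE))


if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED), ("chained", CHAINED)):
        print(label, audit_sys(image, expected_drivers=1, original_size=ORIGINAL_SIZE) or ["no findings"])
```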
Virus Incorporation in the Middle of File
There are several ways of incorporating a virus into the middle of a file. In the most
primitive one, the virus moves a fragment of the file to its end, or "spreads"
the file, and writes its own code into the freed space. This method is very similar
to the ones described earlier. Some viruses compress the transferred fragment so that
the file size remains unchanged (see "Mutant").
The other method is called "cavity": a virus records itself in initially
unused areas of the file. Such a virus can be copied to the unused parts of the address
relocation table of a DOS EXE file (see "BootExe") or to the header of a New EXE
file ("Win95.Murkry"), to the stack area of COMMAND.COM ("Lehigh") or
to the character string area of some popular compilers ("NMSG"). There
exist some viruses infecting only those executables which contain blocks filled with the
same byte; the virus then saves its code in place of this block.
Besides that, a virus can copy itself to the middle of a file because of an error; in this
case the target file may become damaged beyond repair.
Overwriting Viruses
This method of infection is the simplest: the virus overwrites the contents of the target
executable with its own code, destroying the original contents of the target. The
executable of course stops working properly and cannot be restored. Such viruses reveal
themselves very quickly, because the operating system and its applications stop
working within a rather short period of time. I do not know a single case when a virus of this
kind has been found "alive" and has caused an epidemic.
Another kind of overwriting virus is the one that saves itself in place of the DOS
header of New-EXE files. The main part of the file remains unchanged and
continues working properly under the corresponding operating system, but the DOS header
becomes damaged.
Viruses Without an Entry Point
One group of viruses must be mentioned separately: the Entry Point Obscuring (EPO)
viruses, which do not modify the file's entry point. These are viruses that neither write
the instruction passing control to the virus (JMP) at the top of a COM file nor change the
address of the entry point in the EXE file header. Such viruses record the instruction to
jump to their own code somewhere in the middle of the file and thus get control not
immediately when the infected file starts running, but only after a call to the routine
containing the jump to the virus body. Furthermore, this routine may be executed
extremely rarely (for example, to output a very rare and specific error message). As a
result, such a virus can "sleep" inside a file for many years and break free only
under some limited conditions.
Before writing a jump command into the middle of the target file, the virus has to find the
"correct" address in the file; otherwise the infected file can become damaged.
Several ways are known by which viruses determine such addresses inside files.
The first way is to look for a standard C/Pascal code sequence (the
"Lucretia", "Zhengxi" viruses). These viruses look for the standard
C/Pascal routine headers in files and replace them with their own code.
The second way is to trace or disassemble executable code ("CNTV",
"MidInfector", "NexivDer"). These viruses load the file into memory, then
trace or disassemble it and, depending on various conditions, choose the command (or
commands) to be replaced by a jump to the code of the virus.
The third way is used by TSR viruses only. When an executable starts running, they
intercept and control some interrupt (mostly INT 21h). As soon as the target file calls
for this interrupt, the virus records its code instead of the program's interrupt call
routine (see "Avatar.Positron", "Markiz").
The fourth way to locate an address to patch is based on so-called
"relocations". The relocation table in EXE files refers to addresses that have
to be fixed up when the program body is loaded into memory. Usually the relocated areas
contain instructions from a quite limited set. The virus can identify these instructions,
replace them with the JMP_Virus code and erase the corresponding entry in the relocation
table to prevent the JMP_Virus instruction from being corrupted.
Companion Viruses
These viruses do not change the "infected" files. Their operating algorithm
consists of creating a clone of the target file, so that when the target file is run, its
clone (i.e. the virus) gets control instead.
The most widespread are the viruses utilizing the DOS feature of running the COM file
rather than the EXE one if both xxx.COM and xxx.EXE are present in the same directory.
Such viruses create COM companions for their EXE counterparts. For example, for
XCOPY.EXE an XCOPY.COM containing the virus code is created; XCOPY.EXE remains
unchanged. Upon start of such a command, DOS executes XCOPY.COM, i.e. the virus, first,
which in turn starts the EXE file. Some viruses utilize not only the COM-EXE option,
but also the BAT-COM-EXE one.
The second group contains viruses that rename the target file, memorize the new name
(for subsequent execution of the host file) and write their own code to disk under the
filename of the host executable. For example, the XCOPY.EXE file is renamed to XCOPY.EXD,
allowing the virus to save itself as XCOPY.EXE. When XCOPY is started, the virus code gets
control first and starts the original XCOPY, saved as XCOPY.EXD. It is interesting that
this method works not only under DOS but probably under all OSes in general: viruses of
this kind have been found under Windows and OS/2.
The third group contains so-called "Path companion" viruses, employing the
features of DOS PATH. They either save their code under the name of the intended target
file but residing one directory higher in the DOS PATH (so that DOS would find and run the
virus code first), or move the target one subdirectory up etc.
The existence of other kinds of companion viruses, using different original ideas or
features of other OS, is also possible.
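Since companion viruses rely entirely on the DOS command search order, the same order can be used to audit a directory tree. This added example (not from the original text) models the COM-EXE-BAT precedence and the PATH walk and reports every command for which more than one file competes, which covers both the COM companion and the path companion cases above; the listing, PATH and file names are constructed.

```python
DOS_ORDER = (".COM", ".EXE", ".BAT")   # order in which DOS tries extensions for a bare command name


def resolve(command, cwd, path_dirs, listing):
    """Every file DOS would consider for `command`, in search order; the first one is what runs.

    `listing` maps a directory (spelled as in PATH) to the set of upper-case names it holds.
    DOS looks in the current directory first, then in each PATH directory in turn, and
    inside each directory tries COM, then EXE, then BAT."""
    found = []
    for directory in [cwd, *path_dirs]:
        names = listing.get(directory, set())
        for ext in DOS_ORDER:
            candidate = command.upper() + ext
            if candidate in names:
                found.append(directory.rstrip("\\") + "\\" + candidate)
    return found


def find_shadowed(cwd, path_dirs, listing):
    """Commands for which more than one file competes: a COM beside an EXE of the same name
    (the COM companion case) or a same-named file in an earlier PATH directory (the path
    companion case). Returns {command: [file that runs, files it shadows...]}."""
    commands = set()
    for names in listing.values():
        for name in names:
            stem, dot, ext = name.rpartition(".")
            if dot and "." + ext in DOS_ORDER:
                commands.add(stem)
    report = {}
    for command in sorted(commands):
        chain = resolve(command, cwd, path_dirs, listing)
        if len(chain) > 1:
            report[command] = chain
    return report


# Constructed listing: C:\UTIL precedes C:\DOS in PATH, so its FORMAT.COM runs instead of
# the one in C:\DOS; XCOPY.COM sits beside XCOPY.EXE and wins on extension order.
CWD = "C:\\WORK"
PATH = ["C:\\UTIL", "C:\\DOS"]
LISTING = {
    "C:\\WORK": {"REPORT.DOC"},
    "C:\\UTIL": {"ARJ.EXE", "FORMAT.COM"},
    "C:\\DOS": {"XCOPY.EXE", "XCOPY.COM", "FORMAT.COM", "FDISK.EXE", "SYS.COM"},
}


if __name__ == "__main__":
    for command, chain in find_shadowed(CWD, PATH, LISTING).items():
        print(f"{command}: {chain[0]} runs and shadows {', '.join(chain[1:])}")
```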
File Worms
File worms are, in a sense, a modification of companion viruses, but unlike them they
do not tie their presence to any executable file. When they multiply, they just copy
their code to some other disk or directory, hoping that these new copies will someday be
executed by the user. Sometimes these viruses give their copies "special" names
in order to push the user to run them, for example INSTALL.EXE or WINSTART.BAT.
There are worm viruses using rather unusual techniques, for instance adding their
copies to archives (ARJ, ZIP and others); such viruses are "ArjVirus" and
"Winstart". Some other viruses insert the command starting the infected file
into BAT files (see, for example, "Worm.Info").
One should distinguish file worms from network worms: the former use only the file
functions of an OS, while the latter multiply with the help of networking protocols.
Link Viruses
Link viruses, like companion viruses, do not change the physical contents of files, but
when an infected file is started, they "force" the OS to execute their code.
This is achieved by modifying the necessary fields of the file system.
For now only one type of link virus is known, the "Dir_II" family of
viruses. When infecting the system, they save their body to the last cluster of the
logical drive. When infecting a file, these viruses modify only the number of the first
cluster of the file, which resides in the corresponding sector of the directory. This new
starting cluster of the file points to the cluster containing the virus body.
Therefore the sizes of infected files and the contents of the clusters they occupy remain
unchanged, and there is only one copy of the virus for all the infected files on one
logical drive.
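Both the pseudo-bad clusters described under boot viruses (Brain, Ping-Pong) and the Dir_II link pattern leave traces in the FAT and in the directory. This added example (not from the original text) decodes 12-bit FAT entries and 32-byte directory entries from a constructed 100-cluster volume and reports files that share a first cluster, chains too short for the recorded size, and clusters marked bad; the file names, sizes and cluster numbers are constructed.

```python
import struct
from collections import defaultdict

BAD, EOC_MIN = 0xFF7, 0xFF8        # FAT12 markers: bad cluster, start of the end-of-chain range


def fat12_entry(fat, n):
    """Read the 12-bit FAT entry of cluster n (two entries are packed into three bytes)."""
    off = n + n // 2
    if n & 1:
        return (fat[off] >> 4) | (fat[off + 1] << 4)
    return fat[off] | ((fat[off + 1] & 0x0F) << 8)


def fat12_set(fat, n, value):   # writer, used here only to build the sample volume
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def read_dir(region):
    """Live file entries of a directory region as (name, first_cluster, size)."""
    files = []
    for off in range(0, len(region), 32):
        e = region[off:off + 32]
        if e[0] == 0x00:                    # end of directory
            break
        if e[0] == 0xE5 or e[11] & 0x18:    # deleted entry, subdirectory or volume label
            continue
        name = e[:8].rstrip(b" ").decode("ascii") + "." + e[8:11].rstrip(b" ").decode("ascii")
        first, size = struct.unpack_from("<HI", e, 26)   # first cluster (low word), file size
        files.append((name, first, size))
    return files


def cluster_chain(fat, first, limit=4096):
    chain, n = [], first
    while 2 <= n < EOC_MIN and n != BAD and len(chain) < limit:
        chain.append(n)
        n = fat12_entry(fat, n)
    return chain


def audit_volume(fat, root, total_clusters, bytes_per_cluster):
    """Findings for a FAT12 volume: several files starting at one cluster (the Dir_II link
    pattern), chains too short for the recorded size, and clusters marked bad (the
    pseudo-bad clusters Brain and Ping-Pong use to hide the virus continuation)."""
    findings, by_first = [], defaultdict(list)
    for name, first, size in read_dir(root):
        by_first[first].append(name)
        need, have = -(-size // bytes_per_cluster), len(cluster_chain(fat, first))
        if have < need:
            findings.append(f"{name}: {have} cluster(s) chained for {size} bytes (needs {need})")
    for first, names in by_first.items():
        if len(names) > 1:
            where = " (last cluster of the drive)" if first == total_clusters + 1 else ""
            findings.append(f"cluster {first}{where} starts {len(names)} files: {', '.join(sorted(names))}")
    bad = [n for n in range(2, total_clusters + 2) if fat12_entry(fat, n) == BAD]
    if bad:
        findings.append(f"{len(bad)} cluster(s) marked bad: {bad}")
    return findings


# --- constructed 100-cluster volume, 512-byte clusters, data clusters 2..101 --------
def dir_entry(name, ext, first, size):   # 32-byte entry with the archive attribute set
    return name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + b"\0" * 14 + struct.pack("<HI", first, size)


def build_volume(files, chains, bad_clusters=()):
    fat = bytearray(160)
    for n, v in ((0, 0xFF8), (1, 0xFFF)):               # media descriptor entries
        fat12_set(fat, n, v)
    for chain in chains:
        for a, b in zip(chain, chain[1:] + [0xFFF]):    # link clusters, end with EOC
            fat12_set(fat, a, b)
    for n in bad_clusters:
        fat12_set(fat, n, BAD)
    return fat, b"".join(dir_entry(*f) for f in files) + b"\0" * 32


def sample_volume(infected=False):
    """Three files; when infected, both programs start at cluster 101 (the last cluster, holding
    the single virus body) and clusters 98-99 are marked bad."""
    files = [("PROG1", "EXE", 2, 1500), ("PROG2", "COM", 5, 900), ("NOTES", "TXT", 7, 100)]
    chains, bad = [[2, 3, 4], [5, 6], [7]], ()
    if infected:
        files = [("PROG1", "EXE", 101, 1500), ("PROG2", "COM", 101, 900), files[2]]
        chains, bad = chains + [[101]], (98, 99)
    return build_volume(files, chains, bad)


if __name__ == "__main__":
    print("clean:   ", audit_volume(*sample_volume(), 100, 512) or ["no findings"])
    print("infected:", *audit_volume(*sample_volume(True), 100, 512), sep="\n  ")
```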
Before infecting, the directory data contains the number of the first cluster of the
file: