Types of viruses are defined mostly by the propagation method they use. In many cases, an entire class of viruses is composed of permutations of just a single virus, so they're nearly equivalent. Viruses are categorized by their ultimate target, as described in the following sections.
Boot Sector Viruses
Boot sector viruses were the original viruses, and they spread by the only common means of sharing information in the early days of computers: on floppy disks. Twenty years ago, networks were uncommon. Most data was shared by copying it to floppy disks. It was common at that time to boot from floppy disks for special purposes like playing games, or simply because the floppy had been left in the drive when the computer was turned off. Boot sector viruses would copy themselves to the boot sector of the host when the floppy was booted, and then subsequently infect every floppy that was inserted into the computer.
boot sector
The first executable code stored on a disk, which is used to load the operating system.
Thanks to the proliferation of networks, these viruses are practically extinct.
Executable Viruses
Executable viruses infect the startup code for programs, and propagate back to the shell or desktop application of the computer in order to infect all programs launched from it.
shell
A command-line interface to an operating system.
Because of the native immunity to this activity in modern permissions-based operating systems, these viruses have become rare, except in places where older operating systems are common.
Macro Viruses
Macro viruses are written in a higher-level language, such as the Visual Basic scripting language built into Microsoft Office, so they are related to other interpreted-language viruses like those that can infest Java applications. Macro viruses attach themselves to document templates and can spread to other documents that are saved after opening the infected one. They spread like wildfire through corporate networks where users share documents indiscriminately.
macro virus
Viruses that exist in the interpreted code embedded in Office documents. These viruses are not capable of escaping the confines of their interpreted environment, so they cannot infect executables.
Luckily, most Office document macro viruses are relatively harmless, and Microsoft has worked to close the security holes in the Office macro languages (the most common macro viruses are specific to Word and Excel). The latest version of Office ships with immunity enabled by default, so macro viruses will become obsolete when this software becomes widespread.
E-mail Viruses
Unfortunately, the same application language has been built into Microsoft Outlook, the e-mail software that comes with Office (and it's free with the operating system sibling, Outlook Express). Viruses written for Outlook can automatically read your list of contacts from the Address Book or Contacts folder and mail themselves to everyone you know, thus propagating extremely rapidly. Currently, Outlook e-mail viruses are by far the fastest spreading and largest threat in the virus world.
E-mail viruses are rarely completely automatic (although there are some susceptibilities in Outlook that could allow this to happen). They almost always rely upon the recipient to click on the embedded attachment to execute it, and then immediately propagate by scanning that user's address book and e-mailing itself to everyone that the user knows. Once they've propagated, they perform their attack code.
The latest versions of Outlook are automatically immune to most of these attacks, but since these attacks rely upon human psychology to activate the virus, it's likely that they will never completely go away.
Worms
Worms are viruses that spread automatically, irrespective of human behavior, by exploiting bugs in applications that are connected to the Internet. Code Red and Nimda are two recent and very widespread worms that illustrate exactly what happens with these types of viruses: From an infected machine, the virus scans the network searching for targets. It then contacts the target, initiates a benign exchange, exploits a bug in the receiver's server software to gain control of the server momentarily, and uploads itself to the target. Once the target is infected, the process starts again on it.
Worms are basically impossible for end users to prevent, and they typically exploit newly found bugs that are either unpatched or not widely patched in a vendor's code. When they attack extremely common systems like Windows or Linux, they spread very quickly and can cause enormous damage before they're stopped.
The only defense against worms is to avoid systems that are routinely compromised, like Microsoft Internet Information Server, and to stay up to date on patches and security fixes for all your public servers. Run only those services you intend to provide on public servers; don't just install everything for the sake of convenience when you set up a public server. Use firewalls to prevent worms from reaching the interior of your network from the Internet, and keep your virus-scanning software updated. But even with all these precautions, you can only be protected against worms that the vendors know about, and it's quite likely that a worm will infest your public servers at some point, so keep good backups as well.
Virus Protection
There are three ways to keep computers virus free:
• Prevention
• Natural Immunity
• Protection
Each method is an important part of total defense, and you should implement policies to encourage all of them. Of course, the best way to prevent viruses is to avoid risky behavior and programs altogether.
Prevention
There was a time when you could avoid viruses by never pirating software and avoiding free downloadable software from the Internet. Unfortunately, with the advent of e-mail viruses, you now also must ensure that you don't know anybody who does this either, which is basically impossible.
Macro viruses took the corporate world by storm because virus-scanning software wasn't prepared for them. When they first appeared, scanning software only checked executable code, not documents, and people were used to indiscriminately trading documents. Although these viruses could only infect Office documents, they wreaked havoc because the primary job of many corporate computers is to run Office applications.
Prevention today means the following:
• Being very selective about software you install from the Internet.
• Never clicking on e-mail attachments that you didn't ask for.
• Configuring programs like Outlook to automatically quarantine executable attachments according to the instructions at the www.Microsoft.com/security website.
• Disabling macro execution in Office applications unless you absolutely need it.
• Configuring your computer's BIOS to lock the boot sector, except when you are re-installing your operating system.
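As an added illustration of the attachment-quarantine item in the list above (this code is not from the book; the extension list and the sample message are constructed for it), a small Python filter that parses a message and replaces each executable attachment with a plain-text notice, deciding by the file's final extension the way Windows picks a handler:

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions treated as executable. Constructed subset for this example, in the
# spirit of Outlook's attachment blocking rather than a copy of its list.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "hta", "reg", "lnk", "cpl"}

def is_executable_name(filename: str) -> bool:
    """Judge by the last extension only, lower-cased: that is the part Windows
    uses to pick a handler, so 'report.doc.exe' counts as executable."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTS

def quarantine_attachments(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw RFC 822 message and replace each executable attachment with a
    text notice. Returns the rewritten message and the quarantined filenames."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    quarantined: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_executable_name(name):
            quarantined.append(name)
            # set_content() drops the old payload and its Content-* headers, so
            # neither the executable bytes nor the filename reach the recipient.
            part.set_content(f"[attachment {name!r} quarantined: executable type]")
    return msg, quarantined

def build_sample() -> bytes:
    """Constructed sample message: one document and one script attachment
    (harmless placeholder bytes, not a real virus)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "Files"
    msg.set_content("Hi Bob, the report and the update script are attached.")
    msg.add_attachment(b"%PLACEHOLDER-DOC%", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"MsgBox \"placeholder\"", maintype="application",
                       subtype="octet-stream", filename="Update.VBS")
    return bytes(msg)

def demo() -> Tuple[List[str], List[str]]:
    """Filter the sample; return (quarantined names, names still attached)."""
    cleaned, quarantined = quarantine_attachments(build_sample())
    remaining = [p.get_filename() for p in cleaned.walk() if p.get_filename()]
    return quarantined, remaining

if __name__ == "__main__":
    print(demo())
```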
These measures will go a very long way in preventing you from getting a virus. In the two decades since viruses first appeared, no computer of mine has been infected or spread a virus to others, and I've never run virus software to protect them (although after catching an attempted worm infection in progress, I now run a personal firewall on my laptop to prevent Nimda infections).
Natural Immunity
Due to its inherent security, versions of Windows based on the NT kernel (Windows NT, Windows 2000, and Windows XP, hereafter referred to as NT to distinguish them from those based on the Windows 95 platform) are immune to executable file viruses as long as you use the NTFS file system and are not logged in as the administrator when you install software. However, NT cannot prevent the spread of viruses that infect non-executable files, like Office documents, that normal users must have Write access to.
For a virus to spread to the program that loaded it, the user loading the program must have Write access to the executable file doing the loading. As soon as you hit an actual system file, the NT kernel will pop up with an Access Denied message, usually aborting the executable load. You may not know what's happening (and you may blame the operating system) but virus propagation is stopped cold by the NT kernel's inherent security.
However, users who store files on your NT-based server but run them on their Windows 95/98/Me-based computers have no such protection. Just because a virus can't spread to your server doesn't mean your server can't host it. Client operating systems see a server as just a big shared hard disk, so any executable files containing viruses they copy to your server will still contain viruses. You won't be able to run them on the server, but other users will be able to load them on other client computers running Windows 95/98/Me, MS-DOS, Apple Macintosh, or other simpler client operating systems. This is somewhat analogous to a carrier organism that is itself immune to the effects of a virus but is still contagious to other organisms.
Active Protection
Virus scanners provide the only way to actually recover from a virus infestation. Virus software works by scanning through every executable file looking for the signatures (unique code sequences) of viruses. The process is much like spell-checking a Word document: the scanner reads through the file looking for any virus signature in its dictionary of viruses. When a virus is found, the file is examined and the virus is removed from the file. After scanning all your mass storage devices, all viruses will be removed from your system.
virus scanner
Software that scans every executable file on a computer searching for virus signatures.
signature
A short sequence of codes known to be unique to a specific virus, which indicates that virus's presence in a system.
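Added example, not from the book: a minimal signature scanner in Python that does what the paragraph above describes, reading each file and looking for every entry in a signature dictionary. The signatures and the sample file are constructed for the example; the chunk-overlap handling shows the edge case a real scanner must get right when a signature straddles a read boundary.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed signature dictionary for this example. A real scanner's dictionary
# holds byte sequences lifted from actual virus bodies; these strings are made up.
SIGNATURES: Dict[str, bytes] = {
    "Example.Boot.A": b"\xeb\x3c\x90EXAMPLE-BOOT-SIG",
    "Example.Macro.B": b"Sub AutoOpen()\r\nEXAMPLE-MACRO-SIG",
}
CHUNK = 64 * 1024  # read size; larger files are scanned piece by piece

def scan_bytes(data: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[Tuple[int, str]]:
    """Return (offset, name) for every signature occurrence in a buffer,
    the 'dictionary lookup' step of the spell-checker analogy."""
    hits = []
    for name, sig in sigs.items():
        pos = data.find(sig)
        while pos >= 0:
            hits.append((pos, name))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def scan_file(path: str, sigs: Dict[str, bytes] = SIGNATURES) -> List[Tuple[int, str]]:
    """Scan a file chunk by chunk, carrying the tail of the previous chunk so a
    signature split across a read boundary is still found. Offsets are absolute."""
    overlap = max(len(s) for s in sigs.values()) - 1
    hits, carry, pos = set(), b"", 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            buf = carry + chunk
            buf_start = pos - len(carry)
            for off, name in scan_bytes(buf, sigs):
                hits.add((buf_start + off, name))  # the set drops boundary duplicates
            pos += len(chunk)
            carry = buf[-overlap:] if overlap else b""
    return sorted(hits)

def demo() -> List[Tuple[int, str]]:
    """Write a constructed 'infected' file (placeholder bytes, not a real virus)
    whose signature straddles the CHUNK boundary, then scan it."""
    sig = SIGNATURES["Example.Boot.A"]
    path = os.path.join(tempfile.mkdtemp(), "infected.exe")
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x00" * (CHUNK - 10) + sig + b"\x90" * 32)
    return scan_file(path)  # expect one hit at offset CHUNK - 8

if __name__ == "__main__":
    print(demo())
```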
Many viruses cause corruption to files beyond simply attaching to them, and frequently virus scanners can remove the virus but cannot fix the specific corruption that the virus caused. In this case, check the virus vendor's website for a special program that can repair the corruption caused by a specific virus. Some viruses also cause such widespread damage that special virus removal programs are required to completely eradicate them. If this is the case, your virus scanner should tell you that it was unable to remove a virus.
Most modern virus-protection software also comes with inoculators that check software as it is loaded and interrupt the load process if a virus is found. This can be very convenient, because it keeps infestation from happening in the first place.
inoculator
Anti-virus software that scans data files and executables at the moment they are invoked and which blocks them from being loaded if they contain a virus. Inoculators can prevent viruses from spreading.
Unfortunately, viruses tend to bounce around in network environments. Eliminating a network virus infestation is difficult because people often reintroduce viruses from machines that aren't yet clean. The only way to prevent this is to either disconnect all computers from the network and disallow their re-attachment until they've been cleaned, or to use enterprise virus-scanning software that can be centrally deployed and simultaneously scan all computers on the network.