How It Works: Viruses

Virus: A self-replicating piece of computer code that can partially or fully attach itself to files or applications, and can cause your computer to do something you don't want it to do.

Computer viruses are the "common cold" of modern technology. They can spread swiftly across open networks such as the Internet, causing billions of dollars worth of damage in a short amount of time. Five years ago, the chance you'd receive a virus over a 12-month period was about 1 in 1000; today, your chances have dropped to about 1 in 10. The vital statistics:

Viruses enter your system via e-mail, downloads, infected floppy disks, or (occasionally) hacking. By definition, a virus must be able to self-replicate (make copies of itself) to spread. Thousands of viruses exist, but few are found "in the wild" (roaming, unchecked, across networks) because most known viruses are laboratory-made, never released variations of common "wild" viruses. Virus behavior can range from annoying to destructive, but even relatively benign viruses tend to be destructive due to bugs introduced by sloppy programming. Antivirus software can detect nearly all types of known viruses, but it must be updated regularly to maintain effectiveness.

A virus is just a computer program. Like any other program, it contains instructions that tell your computer what to do. But unlike an application, a virus usually tells your computer to do something you don't want it to do, and it can usually spread itself to other files on your computer--and other people's computers.

If you're lucky, a virus will execute only a benign "personality quirk," such as causing your computer to make seemingly random bleeps. But a virus can be very destructive; it could format your hard drive, overwrite your hard drive boot sector, or delete files and render your machine inoperable.

You get a virus when you copy infected files to your computer, then activate the code inside by running the infected application or opening an infected document. How you copy the infected files is irrelevant: Viruses don't care if you get them as an e-mail attachment, a download, or via a shared floppy disk, though e-mail attachments are the most prevalent (and easiest) mode of transport.

Once you open an infected file or application, the malicious code copies itself into a file on your system, where it waits to deliver its payload--whatever the programmer designed it to do to your system. Simply deleting the e-mail after you open the attachment won't get rid of the virus, since it has already entered the machine.

A virus writer can set the payload to trigger immediately, at a preset future time or date, or upon the execution of a specific command, such as when you save or open a file. The Michelangelo virus, for example, was programmed to release its payload on March 6 of any year--the artist's birthday.

General Virus Types

While there are thousands of variations of viruses, most fall into one of the following six general categories, each of which works its magic slightly differently:

Boot Sector Virus: replaces or implants itself in the boot sector--an area of the hard drive (or any other disk) accessed when you first turn on your computer. This kind of virus can prevent you from being able to boot your hard disk.

File Virus: infects applications. These executables then spread the virus by infecting associated documents and other applications whenever they're opened or run.

Macro Virus: Written using a simplified macro programming language, these viruses affect Microsoft Office applications, such as Word and Excel, and account for about 75 percent of viruses found in the wild. A document infected with a macro virus generally modifies a pre-existing, commonly used command (such as Save) to trigger its payload upon execution of that command.

Multipartite Virus: infects both files and the boot sector--a double whammy that can reinfect your system dozens of times before it's caught.

Polymorphic Virus: changes code whenever it passes to another machine; in theory these viruses should be more difficult for antivirus scanners to detect, but in practice they're usually not that well written.

Stealth Virus: hides its presence by making an infected file not appear infected, but doesn't usually stand up to antivirus software.

All Malicious Code Isn't a Virus

A common misconception is that other kinds of electronic nasties, such as worms and Trojan horse applications, are viruses. They aren't. Worms, Trojan horses, and viruses are in a broader category analysts call "malicious code."

A worm program replicates itself and slithers through network connections to infect any machine on the network and replicate within it, eating up storage space and slowing down the computer. But worms don't alter or delete files.

A Trojan horse doesn't replicate itself, but it is a malicious program disguised as something benign such as a screen saver. When loaded onto your machine, a Trojan horse can capture information from your system--such as user names and passwords--or could allow a malicious hacker to remotely control your computer.

Virus experts have recorded more than 40,000 viruses and their variant strains over the years, though only about 200 of those viruses are actively spreading in the wild. While most viruses are just annoying time-wasters, the ones that do deliver a destructive payload are a real threat.

Viruses have been around since the early 1960s, almost since the earliest computers existed, though until the 1980s they were largely laboratory specimens, created by researchers and released in a controlled environment to examine their effect.

When viruses first appeared in the wild in the 1980s, they spread slowly and passed via the "sneaker net": floppy disks traded by people and shared between computers. But widely available Internet and e-mail access hastened their spread.

Two years ago, the advent of viruses that spread via e-mail (Melissa and LoveLetter, for example) significantly increased the odds that the average computer user would confront a virus because they spread so rapidly. E-mail viruses today account for about 81 percent of virus infections and can infect thousands of machines in a matter of minutes.

Practice Safe Computing

The best way to protect yourself from viruses is to avoid opening unexpected e-mail attachments and downloads from unreliable sources. Resist the urge to double-click everything in your mailbox. If you get a file attachment and you aren't expecting one, e-mail the person who sent it to you before you open the attachment. Ask them if they meant to send you the file, what it is, and what it should do.

For added safety, you need to install reliable antivirus scanning software and download updates regularly. Major antivirus software vendors, including Symantec, Network Associates, Computer Associates, and Trend Micro, provide regular updates. (Computer Associates' InoculateIT is also free.) Some of the vendors also offer a service that will automatically retrieve updates for you from the company's Web site.

Regular updates are essential. Researchers at Computer Economics estimate that 30 percent of small businesses are vulnerable to viruses either because they don't keep their virus-scanning software updated or because they don't install it correctly.

How Antivirus Software Works

Scanning software looks for a virus in one of two ways. If it's a known virus (one that has already been detected in the wild and has an antidote written for it) the software will look for the virus's signature--a unique string of bytes that identifies the virus like a fingerprint--and will zap it from your system. Most scanning software will catch not only an initial virus but many of its variants as well, since the signature code usually remains intact.

In the case of new viruses for which no antidote has been created, scanning software employs heuristics that look for unusual viruslike activity on your system. If the program sees any funny business, it quarantines the questionable program and broadcasts a warning to you about what the program may be trying to do (such as modify your Windows Registry). If you and the software think the program may be a virus, you can send the quarantined file to the antivirus vendor, where researchers examine it, determine its signature, name and catalog it, and release its antidote. It's now a known virus.
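To make the two detection modes concrete, here is a toy scanner added for this article (it is not any vendor's code): a signature pass that matches a fixed byte-string "fingerprint", followed by a weighted heuristic pass over indicators such as a reference to a Windows Registry autorun key. The signature bytes, indicator strings, weights and sample files are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed signatures: hypothetical byte strings standing in for the
# "fingerprint" a vendor extracts; these are not real virus signatures.
SIGNATURES = {
    "Example.A": b"\x90\x90EX-PAYLOAD-MARK\x00",
    "Example.B": b"EX2\x7fDROP\x01\x02",
}

# Constructed heuristic indicators with weights: strings whose presence in an
# unknown file hints at viruslike behaviour, such as touching a Registry autorun key.
INDICATORS = {
    b"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": 3,
    b"RegWrite": 2,
    b"CopyFile": 1,
}
QUARANTINE_THRESHOLD = 3  # one weak indicator alone is not enough to quarantine

@dataclass
class Verdict:
    status: str                               # "known", "suspicious" or "clean"
    name: str = ""                            # matched signature name, if known
    hits: list = field(default_factory=list)  # indicator strings that matched
    score: int = 0                            # summed indicator weight

def scan(data: bytes) -> Verdict:
    """Signature pass first (known viruses), then heuristic pass (unknown files)."""
    for name, sig in SIGNATURES.items():
        if sig in data:                       # variants keep the signature bytes intact
            return Verdict("known", name=name)
    matched = [ind for ind in INDICATORS if ind in data]
    score = sum(INDICATORS[ind] for ind in matched)
    hits = [ind.decode() for ind in matched]
    if score >= QUARANTINE_THRESHOLD:
        return Verdict("suspicious", hits=hits, score=score)
    return Verdict("clean", hits=hits, score=score)

# Constructed samples (harmless byte strings, not real malware).
SAMPLES = {
    "original": b"MZ header ... \x90\x90EX-PAYLOAD-MARK\x00 ... code",
    "variant":  b"MZ header ... changed prologue \x90\x90EX-PAYLOAD-MARK\x00 new tail",
    "unknown":  b"script: RegWrite HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
    "benign":   b"installer: CopyFile readme.txt to docs",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:9} -> {scan(blob)}")
```

The "variant" sample differs from the original before and after the signature bytes and is still caught, which is the point made above about variants; the "unknown" sample has no signature and is quarantined on heuristics alone.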

If the virus never appears again--which often happens when the virus is too poorly written to spread--then vendors categorize the virus as dormant. But viruses are like earthquakes: The initial outbreak is usually followed by aftershocks. Variants (copycat viruses that emerge in droves after the initial outbreak) make up the bulk of known viruses.

Within a few hours of when the LoveLetter virus first appeared in the United States, a variant--VeryFunnyJoke--had already appeared, followed by more than 30 others during the next two months. And not all variants stem from mysterious writers. More than a few companies have been infected by variants created by a curious employee who fiddled with a virus he or she received, created a new strain of it, and unleashed it onto the company's system--sometimes accidentally, sometimes not.
