What are the main types of PC viruses?
Generally, there are two main classes of viruses. The first class
consists of the FILE INFECTORS which attach themselves to ordinary
program files. These usually infect arbitrary COM and/or EXE programs,
though some can infect any program for which execution or interpretation
is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. There is
also at least one PC virus that "infects" source code files by inserting
code into C language source files that replicates the virus's function
in any executable that is produced from the infected source code files
(see E5 for a more detailed discussion of the issue of "executable"
File infectors can be either DIRECT-ACTION or RESIDENT. A direct-action
virus selects one or more programs to infect each time a program
infected by it is executed. A resident virus installs itself somewhere
in memory (RAM) the first time an infected program is executed, and
thereafter infects other programs when *they* are executed (as in the
case of the Jerusalem virus) or when other conditions are fulfilled.
Direct-action viruses are also sometimes referred to as NON-RESIDENT.
The Vienna virus is an example of a direct-action virus. Most viruses
The second main category of viruses is SYSTEM or BOOT-RECORD INFECTORS:
these viruses infect executable code found in certain system areas on a
disk. On PCs there are ordinary boot-sector viruses, which infect only
the DOS boot sector, and MBR viruses which infect the Master Boot Record
on fixed disks and the DOS boot sector on diskettes. Examples include
Brain, Stoned, Empire, Azusa and Michelangelo. All common boot sector
and MBR viruses are memory resident.
To confuse this classification somewhat, a few viruses are able to
infect both files and boot sectors (the Tequila virus is one example).
These are often called "MULTI-PARTITE" viruses, though there has been
criticism of this name; another name is "BOOT-AND-FILE" virus.
Aside from the two main classes described above, many antivirus
researchers distinguish either or both of the following as distinct
classes of virus:
FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify
directory table entries so that the virus is loaded and executed before
the desired program is. The program itself is not physically altered,
only the directory entry of the program file is. Some consider these to
be a third category of viruses, while others consider them to be a sub-
category of the file infectors. LINK virus is another term occasionally
used for these viruses, though it should be avoided, as "link virus" is
commonly used in the Amiga world to mean "file infecting virus."
KERNEL viruses target specific features of the programs that contain the
"core" (or "kernel") of an operating system (3APA3A is a DOS kernel
virus and is also multipartite). A file infecting virus that *can*
infect kernel program files is *not* a kernel virus--this term is
reserved for describing viruses that utilize some special feature of
kernel files (such as their physical location on disk or a special
loading or calling convention).
Internet FAQ top