|
#REDIRECT [[Nintendo GameCube]] {{R from alternate spelling}}
:''This article is concerned with malicious computer programs; for other uses of the term see [[virus (disambiguation)]]. An extensive treatment of the pluralization of the word "virus" in English is found in the article [[Plural of virus]].''
In [[computer security]] technology, a ''virus'' is a self-replicating [[computer program|program]] that spreads by inserting copies of itself into other executable code or documents made by [[Security_cracking|crackers]] (for a complete definition: see below). A computer virus behaves in a way similar to a [[Virus|biological virus]], which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed ''infection'', and the infected file (or executable code that is not part of a file) is called a ''host''. Viruses are one of the several types of [[malware]] or malicious software. In common parlance, the term ''virus'' is often extended to refer to [[computer worm]]s and other sorts of malware. This can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware such as worms. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, only software is damaged directly. The software in the hardware however may be damaged.
While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a ''bomb''. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A ''time bomb'' occurs during a particular date or time, and a ''logic bomb'' occurs when the user of a computer takes an action that triggers the bomb. However, the predominant negative effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources.
Today (as of [[2005]]), viruses are somewhat less common than network-borne worms, due to the popularity of the [[Internet]]. [[Anti-virus software]], originally designed to protect computers from viruses, has in turn expanded to cover worms and other threats such as [[spyware]].
== Definition ==
A virus is a type of program that can replicate itself by making (possibly modified) copies of itself. The main criterion for classifying a piece of executable code as a virus is that it spreads itself by means of 'hosts'. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable media. Additionally, viruses can spread to other computers by infecting files on a [[File system#Network file systems|network file system]] or a file system that is accessed by another computer. Viruses are sometimes confused with [[computer worm|worms]]. A worm, however, can spread itself to other computers without needing to be transferred as part of a host. Many personal computers are now connected to the [[Internet]] and to local-area networks, facilitating their spread. Today's viruses may also take advantage of network services such as the [[World Wide Web]], [[e-mail]], and [[file sharing]] systems to spread, blurring the line between viruses and worms.
Viruses can infect different types of hosts. The most common targets are executable files that contain application software or parts of the operating system. Viruses have also infected the executable [[boot sector]]s of [[floppy disk]]s, script files of application programs, and documents that can contain [[macro virus|macro scripts]]. Additionally, viruses can infect files in other ways than simply inserting a copy of their code into the code of the host program. For example, a virus can overwrite its host with the virus code, or it can use a trick to ensure that the virus program is executed when the user wants to execute the (unmodified) host program. Viruses have existed for many different [[operating system]]s, including [[MS-DOS]], [[AmigaOS]], [[Linux]] and [[Mac OS]]; today, the majority of viruses run on [[Microsoft Windows]].
A legitimate application program that can copy itself as a side-effect of its normal function (e.g. backup software) is not considered a virus. Some programs that were apparently intended as viruses cannot reliably self-replicate, because the infection routine contains bugs. For example, a buggy virus can insert copies of itself into host programs, but these copies never get executed and are thus unable to spread the virus. Self-replicating programs that have very limited spreading capabilities because of bugs should not be considered legitimate viruses.
== Use of the word "virus" ==
The term "virus" was first used in an academic publication by [[Fred Cohen]] in his [[1984]] paper ''Experiments with Computer Viruses'', where he credits [[Len Adleman]] with coining it. However, a mid-1970s [[science fiction]] novel by [[David Gerrold]], ''When H.A.R.L.I.E. was One,'' includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "ANTIBODY"); and [[John Brunner (novelist)|John Brunner]]'s 1975 novel ''[[The Shockwave Rider]]'' describes programs known as "tapeworms" which spread through a network for deleting data. The term "computer virus" with current usage also appears in the [[comic book]] "Uncanny [[X-Men]]" No. 158, published in 1982. Therefore, we may conclude that although Cohen's use of "virus" may, perhaps, have been the first "academic" use, the term had been used earlier. ''[[Westworld]]'' is often cited as containing an early usage of the term, though the exact phrase is not actually used in the film.
The term "virus" is often used in common parlance to describe all kinds of [[malware]] (malicious software), including those that are more properly classified as [[computer worm|worms]] or [[Trojan horse (computing)|trojans]]. Most popular [[anti-virus software]] packages defend against all of these types of attack.
The English plural of "virus" is "viruses". Some people use "virii" or "viri" as a plural, although computer professionals seldom use these words. For a discussion about whether "viri" and "virii" are correct alternatives for "viruses", see ''[[plural of virus]]''.
== History ==
A program called "[[Elk Cloner]]" is credited with being the first computer virus to appear "in the wild" -- that is, outside the single computer or lab where it was created. Written in [[1982]] by [[Rich Skrenta]], it attached itself to the Apple DOS 3.3 operating system and spread by [[floppy disk]].
Before computer networks became widespread, most viruses spread on [[removable media]], particularly [[floppy disk]]s. In the early days of [[personal computer]]s, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk [[boot sector]], ensuring that they would be run when the user booted the computer from the disk.
As [[bulletin board system]]s and online software exchange became popular in the late 1980s and early 1990s, more viruses were written to infect popularly traded software. [[Shareware]] and [[copyright violation|bootleg]] software were equally common [[vector (computing)|vector]]s for viruses on BBSes. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.
Since the mid-[[1990s]], [[macro virus]]es have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as [[Microsoft Word|Word]] and [[Outlook]]. These viruses spread in the [[Microsoft Windows]] [[monoculture]] by infecting documents and sending infected [[electronic mail|e-mail]]. Some versions of Word have had bugs in the calls by which macros replicate themselves, causing occasional replication errors, which has sometimes resulted in actual evolution by natural selection. Also, again closely analogous to biological viruses, sometimes when a system gets infected with two Word macro viruses at the same time, recombination can produce a new virus (much as an animal host infected with multiple strains of influenza can produce a novel strain of influenza). There is also the case in which a user gets a computer virus through instant messaging; this process is done by taking the virus code and placing it into a web site's shortcut which is accessible through Instant Messaging someone. The receiver gets the virus and within a few hours of being on the virus has the capability of transferring itself all the way to the computer's network.
== Why people create computer viruses ==
Unlike biological viruses, computer viruses do not simply evolve by themselves, except in the cases where copying errors and recombination have led to actual evolution of computer viruses; however, these cases are very rare compared to the rapid generation of new malware by human programmers. They cannot come into existence spontaneously, nor can they be created by [[Computer bug|bugs]] in regular programs. They are deliberately created by programmers, or by people who use virus creation software.
Virus writers can have various reasons for creating and spreading malware. Viruses have been written as research projects, pranks, [[vandalism]], to attack the products of specific companies, to distribute political messages, and financial gain from identity theft or [[spyware]]. Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby. Additionally, many virus writers oppose deliberately destructive payload routines. Some viruses were intended as "good viruses". They spread improvements to the programs they infect, or delete other viruses. These viruses are, however, quite rare, still consume system resources, may accidentally damage systems they infect, and, on occasion, have become infected and acted as vectors for malicious viruses. Moreover, they normally operate without asking for permission of the owner of the computer. Since self-replicating code causes many complications, it is questionable if a well-intentioned virus can ever solve a problem in a way which is superior to a regular program that does not replicate itself.
Releasing computer viruses (as well as worms) is a [[computer crime|crime]] in most jurisdictions.
See also [http://news.bbc.co.uk/1/hi/technology/3172967.stm BBC News' Why people write computer viruses]
== Replication Strategies ==
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they get executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
===Nonresident viruses===
Nonresident viruses can be thought of as consisting of a ''finder module'' and a ''replication module''. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
For simple viruses the replicator's task is to:
# Open the new file
# Check if the executable file has already been infected (if it is, return to the finder module)
# Append the virus code to the executable file
# Save the executable's starting point
# Change the executable's starting point so that it points to the start ___location of the newly copied virus code
# Save the old start ___location to the virus in a way so that the virus branches to that ___location right after its execution.
# Save the changes to the executable file
# Close the infected file
# Return to the finder so that it can find new files for the replicator to infect.
===Resident viruses===
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can get called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.
Resident viruses are sometimes subdivided into a category of ''fast infectors'' and a category of ''slow infectors''. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to [[anti-virus software]], since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they will not slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behaviour by programs. The slow infector approach doesn't seem very successful however. Viruses that are common in the wild are mostly relatively fast to extremely fast infectors.
===Host types===
Viruses have targeted various types of hosts. This is a non-exhaustive list:
* Binary [[executable file]]s (such as [[COM file|COM]]-files and [[EXE]]-files in [[MS-DOS]], [[Portable Executable]] files in [[Microsoft Windows]], and [[Executable and Linkable Format|ELF]] files in Linux)
* [[Boot sector]]s of [[floppy disk]]s and hard disk partitions
* The [[Master Boot Record]] of a harddisk
* General purpose [[Script (computer programming)|script]] files (such as [[batch file]]s in [[MS-DOS]] and [[Microsoft Windows]], and [[shell script]] files on UNIX platforms).
* Application-specific script files (such as [[Telix]]-scripts)
* Documents that can contain [[macro]]s (such as [[Microsoft Word]] documents, [[Microsoft Excel]] spreadsheets, [[AmiPro]] documents, [[Microsoft Office]] files, and [[Microsoft Access]] database files)
== Methods to avoid detection ==
In order to avoid detection by users, some viruses employ different kinds of obfuscation. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however.
Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called ''cavity viruses''. For example the [[CIH virus]], or Chernobyl Virus, infects [[Portable Executable]] files. Because those files had many empty gaps, the virus, which was 1 [[kilobyte|KB]] in length, did not add to the size of the file.
Recent viruses avoid any kind of detection attempt by attempting to forcefully kill the tasks associated with the virus scanner before it can detect them.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced.
=== Avoiding bait files and other undesirable hosts ===
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program however. For example, many [[anti-virus software|anti-virus programs]] perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of hosts that viruses sometimes avoid is ''bait files''. Bait files (or ''goat files'') are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
* Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small infected bait file, than to exchange a large application program that has been infected by the virus.
* Anti-virus professionals can use bait files to study the behaviour of a virus and evaluate detection methods. This is especially useful when the virus is [[Polymorphic code|polymorphic]]. In this case, the virus can be made to infect a large amount of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
* Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.
A related strategy to make baiting difficult is ''sparse infection''. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
=== Stealth ===
Some viruses try to fool anti-virus software by intercepting its requests to the operating system. A virus can hide itself by ensuring that a request of anti-virus software to read an infected file is passed to the virus, instead of to the operating system. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
=== Self-modification ===
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called ''virus signatures''. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" the infected file. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
==== Simple self-modifications ====
In the past, some viruses [[Self-modifying code|modified themselves]] only in fairly simple ways. For example, they regularly exchanged subroutines in their code. This poses no problems to a somewhat advanced virus scanner however.
==== Encryption with a variable key ====
A more advanced method is the use of simple [[encryption]] to encode the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible.
Mostly, the decryption techniques that these viruses employ are fairly simple and mostly done by just [[xor]]ing each byte with a randomized key that was saved by the parent virus. The use of XOR-operations has the additional advantage that the encryption and decryption routine are the same (a xor b = c, c xor b = a.)
==== Polymorphic code ====
[[Polymorphic code]] was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical [[pattern analysis]] of the encrypted virus body. To enable polymorphic code, the virus has to have a [[polymorphic engine]] (also called ''mutating engine'' or ''mutation engine'') somewhere in its encrypted body.
Some viruses employ polymorphic code in a way which constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such ''slow polymorphic'' code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that, as a result of this, some instances of the virus may be able to avoid detection.
==== Metamorphic code ====
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that uses this technique are said to be [[metamorphic code|metamorphic]]. To enable metamorphism, a '''metamorphic engine''' is needed. A metamorphic virus is usually very large and complex. [[W32/Simile]] consisted of over 14000 lines of [[Assembly language|assembly code]], for example. 90% of it is part of the metamorphic engine.
== Viruses and legitimate software ==
===The vulnerability of operating systems to viruses ===
Another analogy to biological viruses: just as [[genetic diversity]] in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.
This became a particular concern in the 1990s, when [[Microsoft]] gained market dominance in desktop operating systems and [[office suite]]s. Users of Microsoft software (especially networking software such as [[Microsoft Outlook]] and [[Internet Explorer]]) are especially vulnerable to the spread of viruses, since Microsoft software often includes many errors and holes. Integrated applications, applications with scripting languages with access to the file system (for example [[Visual Basic Script]] (VBS), and applications with networking features) are also particularly vulnerable. Microsoft's software is also targeted by virus writers because of their desktop dominance.
Although Windows is the most popular operating system for virus writers, some viruses also exist on other platforms. It is important to note that any operating system that allows third-party programs to run can theoretically run viruses. However, some operating systems are less secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their protected space in their own directories.
A well-patched and well-maintained Unix system is very well-secured against viruses. Windows has the same type of scripting ability as Unix based systems, but doesn't natively block normal users from executing such scripts written by a third-party as Unix does for users who are not running as root. More recently, Microsoft's Outlook (but not Outlook Express) e-mail client has developed similar features when dealing with executable file types that Outlook may download as attachments. Ordinary users would do well to patch their operating systems and e-mail clients to prevent viruses and worms from reproducing through security "holes" which prudence and virus scanners are unable to prevent.
=== The role of software development ===
Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit [[software bug]]s in a system or application to spread. Software development strategies which produce large numbers of bugs will generally also produce potential exploits.
Closed-source software development as practiced by Microsoft and other [[proprietary software]] companies is also seen by some as a security weakness. [[Open source]] software such as Linux, for example, allows all users to look for and fix security problems without relying on a single vendor. Some advocate that proprietary software makers practice [[vulnerability disclosure]] to ameliorate this weakness.
=== Anti-virus software and other countermeasures ===
Many users install [[anti-virus software]] that can detect and eliminate known viruses after the computer [[downloads]] or runs the executable. Some virus scanners can also warn a user if a file is likely to contain a virus based on the [[file type]]; some antivirus vendors also claim the effective use of other types of heuristic analysis. Some industry groups do not like this practice because it often increases the number of false positives the anti-virus software detects. They work by examining the contents of the computer's memory (its [[Random Access Memory|RAM]], and [[boot sector]]) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a [[database]] of known virus "signatures". Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. There have been attempts to do this but adoption of such anti-virus solutions can void the warranty for the host software. Users must therefore update their software regularly to [[patch (computing)|patch]] security holes. Anti-virus software also needs to be regularly updated in order to gain knowledge about the latest threats and hoaxes.
==See also==
*[[Computer security]]
*[[security cracking|Cracking]]
*[[Security through obscurity]]
*[[spamming|Spam]]
*[[List of computer viruses]]
*[[List of computer virus hoaxes]]
*[[Timeline of notable computer viruses and worms]]
*[[Turing-complete]]
*[[(c)Brain]]
*[[Melissa virus]], [[ILOVEYOU]]
== External links ==
* [http://www.totallygeek.com/vscdb/ Virus Source Code Database]
* [http://www.windowsecurity.com/articles/Treating-Infected-Systems.html Treating Infected Systems]
* [http://www.all.net/books/virus/part5.html Fred Cohen's 1984 paper]
* [http://www.sophos.com/virusinfo/explained/ Virus glossary and best practice]
* [http://librenix.com/?inode=80 An editorial on beneficial viruses (con)]
* [http://www.windowsecurity.com/articles/Protecting_Email_Viruses_Malware.html Email Viruses] - an article about how to protect your email from viruses
* For a thorough, hypothetical pro discussion, see: [http://vx.netlux.org/lib/avb02.html "Are Good Viruses still a Bad idea?"]
* [http://www.pcvirus.org/links Malicious Code & Viruses - Articles, Links, and Whitepapers]
* [http://vx.netlux.org/ VX Heaven - Sources & Guides]
* [http://www.hackpalace.com/virii/indexe.shtml Hackpalace Virii]
* [http://www.wildlist.org The Wildlist] List of viruses and worms 'in the wild' (i.e. regularly encountered by anti-virus companies)
* [http://www.digitalcraft.org/iloveyou/index.htm I love you <nowiki>[rev.eng]</nowiki> exhibition]
* [http://www.virusbtn.com/ Virus Bulletin] (independent research lab)
* [http://www.theglobeandmail.com/servlet/story/RTGAM.20050519.gtwvirus19/BNStory/Technology/ The Globe and Mail: Cellphone acting sick? Might be a virus]
* [http://securityresponse.symantec.com/avcenter/vinfodb.html Symantec's Virus Database]
* [http://www.antisource.com Computer Virus Alerts, News, and Help]
* [http://www.nerdhelp.com/ NerdHelp.com] Provides a free online knowledge base for everything from hardware problems to virus fixes.
[[Category:Computing|Virus]]
[[Category:Computer security|Virus]]
[[Category:Computer viruses| ]]
[[ca:Virus informàtic]]
[[cs:Počítačový virus]]
[[da:Computervirus]]
[[de:Computervirus]]
[[als:Computervirus]]
[[es:Virus informático]]
[[eo:Komputila viruso]]
[[fr:Virus informatique]]
[[ko:컴퓨터 바이러스]]
[[hi:कम्प्यूटर वायरस]]
[[it:Virus (informatica)]]
[[he:וירוס מחשב]]
[[lt:Virusas (programa)]]
[[hu:Számítógépes vírus]]
[[nl:Computervirus]]
[[ja:コンピュータウイルス]]
[[no:Datavirus]]
[[pl:Wirus komputerowy]]
[[pt:Vírus informático]]
[[ru:Компьютерный вирус]]
[[sk:Počítačový vírus]]
[[sl:Računalniški virus]]
[[fi:Tietokonevirus]]
[[sv:Datorvirus]]
[[th:ไวรัสคอมพิวเตอร์]]
[[vi:Virus (máy tính)]]
[[zh:电脑病毒]]
| 