A computer virus is a malware program that is written intentionally to gain access to a computer without its owner’s permission. These kinds of programs are primarily written to steal or destroy computer data.
Most systems catch viruses due to program bugs, the vulnerability of operating systems, and poor security practices. According to AV-Test, an independent organization that analyzes and rates antivirus and security suite software, about 560,000 new pieces of malware are detected every day.
There are different types of computer viruses that can be categorized according to their origin, spreading capabilities, storage location, files they infect, and destructive nature. Let’s dig deeper and see how these viruses actually work.
1. Boot Sector Virus
Examples: Form, Disk Killer, Stone virus, Polyboot.B
Can affect: Any file after getting into the main memory
A boot sector virus infects the storage device’s master boot record (MBR). Any media, whether bootable or not, can trigger this virus. These viruses inject their code into the hard disk’s partition table, and that code then gets into the main memory once the computer restarts.
The common issues that may arise after getting infected include booting problems, unstable system performance, and inability to locate hard disks.
Since the boot sector virus can encrypt the boot sector, it may be difficult to remove. In most cases, users are not even aware they have been infected with a virus until they scan the system with an antivirus program.
However, this type of virus has become rare since the decline in floppy disks. Modern operating systems come with an inbuilt boot sector safeguard which makes it difficult to find the MBR.
Protection: Make sure that the disk you are using is write-protected. Do not start/restart the computer with unknown external disks connected.
2. Direct Action Virus
Example: VCL.428, created by the Virus Construction Laboratory
Can affect: All files with .exe and .com extensions
A direct action virus quickly gets into the main memory, infects all programs/files/folders defined in the Autoexec.bat path, and then deletes itself. It can also destroy the data on a hard disk or USB drive attached to the computer.
They usually spread when the file in which they are contained is executed. As long as you don’t run or open the file, it shouldn’t spread to other parts of your device or your network.
While these viruses are found in the hard disk’s root directory, they are capable of changing location on every execution. In many cases, they don’t delete system files but degrade the system’s overall performance.
Protection: Use an antivirus scanner. Direct action virus is easy to detect and all infected files can be completely restored.
3. Overwrite Virus
Examples: Grog.377, Grog.202/456, Way, Loveletter
Can affect: Any file
Overwrite viruses are very dangerous. They have affected a wide range of operating systems including Windows, DOS, Macintosh, and Linux. They simply delete the data (partially or completely) and replace the original code with their own.
They replace file content without changing its size. And once the file is infected, it cannot be restored and you will end up losing all data.
Furthermore, this type of virus can not only make applications un-operational but also encrypt and steal your data on execution.
While they were very effective, attackers do not use overwrite viruses anymore. They tend to focus on tempting users with convincing Trojan horses and distributing malicious code via email.
Protection: The only way to get rid of this virus is to delete all the infected files, so it’s better to keep your antivirus program updated, especially if you are using Windows.
4. Web Scripting Virus
Examples: DDoS, JS.fornight
Can affect: Any web page by injecting hidden code in the header, footer, or root access file
A web scripting virus breaches web browser security, allowing attackers to inject client-side scripting into the web page. It propagates much faster than conventional viruses.
When it breaches the web browser security, it injects malicious code to alter some settings and take over the browser. Typically, it spreads with the help of infected ads that pop up on web pages.
Web scripting viruses mostly target social networking sites. Some are powerful enough to send spam emails and initiate dangerous attacks such as DDoS attacks to make the server unresponsive or ridiculously slow.
They can be further categorized into two groups:
- Persistent web scripting virus: can impersonate a user and cause a lot of damage.
- Non-persistent web scripting virus: attacks the user without getting noticed. It operates in the background and remains forever hidden to the user.
Protection: Use malicious software removal tools in Windows, disable scripts, use cookie security or install real-time protection software for the web browser.
5. Directory Virus
Can affect: Every program in the directory
A directory virus (also known as a cluster virus) infects files by changing the DOS directory information. It alters the directory entry so that it points to the virus code rather than to the original program.
More specifically, this virus injects malicious code into a cluster and marks it as allocated in the FAT. It then saves the first cluster and uses it to target other clusters that are associated with the file it wants to infect next.
When you run a program, DOS loads and executes the virus code before running the actual program code. In other words, you unknowingly run the virus program, while the original program has already been moved by the virus. It becomes very difficult to locate the original file after infection.
Protection: Install an antivirus tool that can relocate the misplaced files.
6. Polymorphic Virus
Examples: Whale, Simile, SMEG engine, UPolyX
Can affect: Any file
Polymorphic viruses encode themselves using different encryption keys each time they infect a program or create a copy of themselves. Because of different encryption keys, it becomes very difficult for the antivirus software to find them.
This type of virus depends on mutation engines to change its decryption routines every time it infects a device. It uses complex mutation engines that generate billions of decryption routines, which makes it even more difficult to detect.
In other words, it is a self-encrypted virus that is designed to avoid detection by scanners.
The first known polymorphic virus (named “1260”) was created by Mark Washburn in 1990. It infects .com files in the current or PATH directories upon execution.
Protection: Install advanced antivirus tools that are equipped with newer security technologies (such as machine learning algorithms and behavior-based analytics) to detect threats.
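As an added illustration (not code from the original article), the following Python simulation shows why a static byte signature fails against a body that is re-encoded under a fresh key for every copy, and why scanners instead recognise the decryptor, perform its decoding step in an emulator, and match against the recovered plaintext. The “payload” is a constructed marker string, not real code, and the stub tag and one-byte XOR key are assumptions standing in for a real decryptor routine.

```python
import hashlib

# Constructed stand-in for a virus body: a marker string, not machine code.
PAYLOAD = b"CONSTRUCTED SAMPLE BODY: marker text used in place of machine code"
BODY_SIGNATURE = b"SAMPLE BODY"      # byte pattern a static scanner matches
STUB_MAGIC = b"XORDEC"               # assumed tag standing in for the decryptor stub

def make_variant(key: int) -> bytes:
    """Simulates one generation: constant stub, a fresh one-byte key, and the
    body XOR-encoded under that key, so every copy has different bytes.
    (A real mutation engine also rewrites the stub itself.)"""
    encoded = bytes(b ^ key for b in PAYLOAD)
    return STUB_MAGIC + bytes([key]) + encoded

def naive_signature_scan(sample: bytes) -> bool:
    """Static scanner: looks for the body signature in the raw bytes."""
    return BODY_SIGNATURE in sample

def generic_decryption_scan(sample: bytes) -> bool:
    """Emulation-style scanner: recognises the stub, performs its decoding
    step, then matches the signature against the recovered plaintext."""
    if not sample.startswith(STUB_MAGIC):
        return naive_signature_scan(sample)
    key = sample[len(STUB_MAGIC)]
    body = bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])
    return BODY_SIGNATURE in body

def compare_scanners(keys):
    """Build one variant per key and count what each scanner catches."""
    variants = [make_variant(k) for k in keys]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "naive_hits": sum(naive_signature_scan(v) for v in variants),
        "generic_hits": sum(generic_decryption_scan(v) for v in variants),
    }

if __name__ == "__main__":
    # Four copies, four different file hashes, zero static hits, four emulated hits.
    print(compare_scanners([0x5A, 0xA7, 0x13, 0xE4]))
```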
7. Memory Resident Virus
Examples: Randex, Meve, CMJ
Can affect: Currently running files on PC as well as files that are being copied or renamed
Memory resident virus lives in primary memory (RAM) and gets activated when you switch on the computer. It affects all files currently running on the desktop.
Since the virus loads its replication module into the main memory, it can infect files without being executed. It automatically gets activated whenever the operating system loads or performs specific functions.
There are two types of memory-resident viruses:
- Fast infectors are specifically built to corrupt as many files as they can, as quickly as possible. They are very easy to notice because of their adverse effects.
- Slow infectors gradually degrade the performance of the computer. They spread more widely because they can go undetected for much longer.
Protection: Strong antivirus tools can remove the virus from the memory. They may come in the form of an OS patch or updates to existing antivirus software.
If you are lucky, your antivirus software may have an extension or plugin that can be downloaded on a USB flash drive and run to remove the virus from memory. Otherwise, you may have to reformat the machine and restore whatever you can from the available backup.
8. Macro Virus
Examples: Bablas, Concept, and Melissa virus
Can affect: .mdb, .pps, .doc, .xls files
These viruses are written in the same macro language used for popular software programs such as Microsoft Excel and Word. They insert malicious code in the macros that are associated with spreadsheets, documents, and other data files, causing the infected program to run as soon as the document is opened.
Macro viruses are designed to corrupt data, insert words or pictures, move text, send files, format hard drives, or deliver even more destructive kinds of malware. They are transmitted through phishing emails. And they mostly target MS Excel, Word, and PowerPoint files.
Since this type of virus centers on applications (not on operating systems), it can infect any computer running any operating system, even those running Linux and macOS.
Protection: Disable macros and do not open emails from unknown sources. You can also install modern antivirus software that can easily detect macro viruses.
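A practical check a mail gateway or endpoint script can run against the macro-virus risk described above, added here as an example and not taken from the article: modern Office files are ZIP packages, and those carrying VBA code contain a `vbaProject.bin` part. The sample documents are constructed in memory; the verdict names are my own.

```python
import io
import zipfile

# OOXML packages that carry VBA code keep it in one of these parts.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")

def has_vba_project(data: bytes) -> bool:
    """True if the package contains a VBA project part. Legacy OLE2 files
    (.doc/.xls) are not ZIP-based and need an OLE parser instead; they are
    reported as False here, which is a limitation, not a clean verdict."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)

def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict (assumed labels) for a gateway-style check."""
    if not has_vba_project(data):
        return "no-macros"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled"
    # VBA inside a file named as a macro-free format: worth quarantining for review.
    return "macro-hidden-by-extension"

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word-like package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, macro in (("report.docx", False), ("report.docm", True), ("report.docx", True)):
        print(name, "->", classify_attachment(name, build_sample(macro)))
```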
9. Companion Virus
Examples: Stator, Terrax.1096
Can affect: All .exe files
Companion viruses were more popular during the MS-DOS era. Unlike conventional viruses, they do not modify the existing file. Instead, they create a copy of a file with a different extension (such as .com), which runs in parallel with the actual program.
For example, if there is a file named abc.exe, this virus will create another hidden file named abc.com. When the user runs ‘abc’ without an extension, the .com file (the higher-priority extension) runs before the .exe file. It can then perform malicious steps such as deleting the original files.
In most cases, companion viruses require human intervention to further infect a machine. After the arrival of Windows XP, which doesn’t use the MS-DOS interface much anymore, there were fewer ways for such viruses to propagate themselves.
However, the virus still works on recent versions of Windows operating systems if a user opens a file unintentionally, especially when the ‘show file extension’ option is deactivated.
Protection: The virus can be easily detected because of the presence of additional .com file. Install reliable antivirus software and avoid downloading attachments of unsolicited emails.
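The detection the protection note relies on (an extra .com file beside an .exe with the same base name) is easy to automate. The following Python check is an added example, not part of the original article; the directory listing is constructed, and on Windows the `st_file_attributes` field is used to report whether the companion is hidden.

```python
import os
import stat
from collections import defaultdict
from pathlib import PurePath

def find_companions(names):
    """names: iterable of file names from one directory.
    Returns sorted (exe_name, com_name) pairs that share a base name, because
    DOS and cmd.exe try .com before .exe when a name is typed without an extension."""
    by_stem = defaultdict(dict)
    for name in names:
        p = PurePath(name)
        by_stem[p.stem.lower()][p.suffix.lower()] = name
    return sorted(
        (exts[".exe"], exts[".com"])
        for exts in by_stem.values()
        if ".exe" in exts and ".com" in exts
    )

def scan_directory(path):
    """Apply the check to a real directory (non-recursive); on Windows also
    report whether the .com companion carries the hidden attribute."""
    hits = []
    for exe, com in find_companions(os.listdir(path)):
        attrs = getattr(os.stat(os.path.join(path, com)), "st_file_attributes", 0)
        hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
        hits.append({"exe": exe, "companion": com, "hidden": hidden})
    return hits

# Constructed listing standing in for a directory on a suspect machine.
# setup.bat does not count: .bat is tried after .exe, so it cannot shadow it.
SAMPLE_LISTING = ["abc.exe", "ABC.COM", "readme.txt", "setup.exe", "setup.bat", "tool.exe"]

if __name__ == "__main__":
    print(find_companions(SAMPLE_LISTING))   # [('abc.exe', 'ABC.COM')]
```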
10. Multipartite Virus
Examples: Ghostball, Invader
Can affect: Files and boot sector
The Multipartite virus infects and spreads in multiple ways depending on the operating system. It usually stays in memory and infects the hard disk.
Unlike other viruses that either affect boot sector or program files, the multipartite virus attacks both the boot sector and executable files simultaneously, causing more damage.
Once it gets into the system, it infects all drives by altering applications’ content. You will soon start noticing performance lag and low virtual memory available for user applications.
The first reported multipartite virus was “Ghostball.” It was detected in 1989 when the Internet was still in its early phase. At that time it wasn’t able to reach many users. However, things have changed a lot since then. With more than 4.66 billion active internet users worldwide, multipartite viruses pose a serious threat to businesses and consumers.
Protection: Clean the boot sector and entire disk before storing any new data. Do not open attachments from a non-trusted internet source and install a legitimate and trusted antivirus tool.
11. FAT Virus
Example: The link virus
Can affect: Any file
FAT stands for file allocation table, which is a section of a storage disk that is used to store information such as the location of all files, total storage capacity, available space, used space, etc.
A FAT virus alters the index and makes it impossible for the computer to locate the file. It is powerful enough to force you to format the whole disk.
In other words, the virus doesn’t modify host files. Instead, it forces the operating system to execute malicious code by altering particular fields in the FAT file system. This prevents your computer from accessing specific sections of the hard drive where important files are located.
As the virus spreads its infection, several files or even entire directories can be overwritten and permanently lost.
Protection: Avoid downloading files from non-trusted sources, especially those identified as “attack/unsafe sites” by browser or search engine. Use robust antivirus software.
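Both the directory (cluster) virus in section 5 and the FAT virus above leave the same kind of evidence in the allocation table: several directory entries whose chains share a cluster (entries redirected to the virus code), allocated clusters no file owns any more (the displaced originals), and chains that never reach an end-of-chain marker. The following Python consistency check, an added example that is not from the article, walks a constructed FAT12-style table the way a disk checker does; the table values and file names are made up.

```python
# FAT12 entry markers (constructed table below follows these conventions).
FREE, BAD, EOC_MIN, EOC = 0x000, 0xFF7, 0xFF8, 0xFFF

def walk_chain(fat, start):
    """Follow a cluster chain from `start`. Returns (clusters, terminated_ok):
    OK only if the chain reaches an end-of-chain marker without looping or
    running into a free, bad or out-of-range entry."""
    if start == FREE:                      # zero-length file: no clusters
        return [], True
    seen, cur = [], start
    while 2 <= cur < len(fat) and cur < BAD:
        if cur in seen:
            return seen, False             # loop: the chain never terminates
        seen.append(cur)
        cur = fat[cur]
    return seen, cur >= EOC_MIN

def check_fat(fat, directory):
    """directory maps file name -> first cluster. Reports cross-linked clusters
    (two files sharing one), lost clusters (allocated but unowned) and broken chains."""
    owner, report = {}, {"cross_linked": {}, "lost": [], "broken": []}
    for name, first in directory.items():
        chain, ok = walk_chain(fat, first)
        if not ok:
            report["broken"].append(name)
        for c in chain:
            if c in owner and owner[c] != name:
                report["cross_linked"].setdefault(c, {owner[c]}).add(name)
            owner.setdefault(c, name)
    report["lost"] = [c for c in range(2, len(fat)) if fat[c] != FREE and c not in owner]
    return report

# Constructed 12-cluster table; clusters 0 and 1 are reserved.
# GOOD.TXT: 2 -> 3 -> EOC.  PROG.EXE and TOOL.EXE were both redirected to
# cluster 8 (virus body), which chains into PROG's original 4 -> 5.  TOOL's
# original cluster 6 is now referenced by nothing.  BROKEN.DAT's next pointer
# leads into free cluster 9.
SAMPLE_FAT = [0xFF8, 0xFFF, 3, EOC, 5, EOC, EOC, FREE, 4, FREE, FREE, 9]
SAMPLE_DIR = {"GOOD.TXT": 2, "PROG.EXE": 8, "TOOL.EXE": 8, "BROKEN.DAT": 11}

if __name__ == "__main__":
    print(check_fat(SAMPLE_FAT, SAMPLE_DIR))
```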
Other Malware That Are Not Viruses But Are Equally Dangerous
12. Trojan Horse
Examples: ProRat, ZeroAccess, Beast, Netbus, Zeus
Trojan Horse (or Trojan) is a non-replicating type of malware that looks legitimate. Users are typically tricked into loading and executing it on their system. It can destroy/modify all the files, modify the registry, or crash the computer. In fact, it can give hackers remote access to your PC.
Trojans are usually spread through different forms of social engineering. For example, users are tricked into clicking on fake advertisements or opening email attachments disguised to appear genuine.
Protection: Avoid opening unknown files (especially those with extensions like .exe, .bat, and .vbs) attached to emails. Use reliable high-end antivirus software and update it regularly.
13. Worm
Image caption: Hex dump of the Blaster worm, displaying a message left for then Microsoft CEO Bill Gates
Examples: Code Red, ILOVEYOU, Morris, Nimda, Sober, WANK
A worm is a standalone malware program that replicates itself in order to spread to other computers. It relies on networks (mostly emails) and security holes to travel from one system to another. Unlike viruses, it overloads the network by replicating or sending too much data (overusing bandwidth), forcing the hosts to shut down the server.
A worm is capable of replicating itself without any human interaction. It doesn’t even need to attach itself to an application in order to cause damage.
Most worms are designed to modify content, delete files, deplete system resources, or inject additional malicious code onto a computer. They can also steal data and install a backdoor, making it easy for attackers to gain control over a machine and its system settings.
Protection: Keep your operating system updated and make sure you are using a strong security software solution.
14. Logic Bombs
Logic bombs are not viruses, but they are inherently malicious like worms and viruses. A logic bomb is a piece of code intentionally inserted (hidden) into a software program. The code is executed when certain criteria are met.
For example, a cracker can insert keylogger code inside any web browser extension. The code gets activated every time you visit a login page. It then captures all your keystrokes to steal your username and password.
Logic bombs can be inserted into existing software or into other forms of malware such as worms, viruses, or Trojan horses. They then lie dormant until the trigger occurs, and can go undetected for years.
Protection: Periodically scan all files, including compressed ones, and keep your antivirus software updated.
Frequently Asked Questions
When was the very first computer virus created?
The first-ever computer virus (named Creeper) was written by Bob Thomas at BBN Technologies in 1971. Creeper was an experimental self-replicating program that had no malicious intent. It only displayed a simple message: “I’m creeper. Catch me if you can!”
Who created the first PC virus?
In 1986, Amjad Farooq Alvi and Basit Farooq Alvi wrote a boot sector virus named ‘Brain’ to deter unauthorized copying of the software they had created. ‘Brain’ is considered to be the first computer virus for the IBM PC and compatibles.
The first virus to specifically target Microsoft Windows was WinVir. It was discovered in 1992. The virus didn’t contain any Windows API calls. Instead, it relied on the DOS API.
What is the most expensive cyberattack of all time?
The most destructive malware to date is MyDoom. First sighted in January 2004, it became the fastest-spreading email worm ever. It created network openings that allowed attackers to access infected machines.
In 2004, nearly one-fourth of all emails had been infected by MyDoom. The worm caused over $38 billion in estimated damages.