Types of viruses



Anti-antivirus, Retrovirus - a computer virus program targeting antivirus programs.

Antivirus Virus - a computer virus program targeting other computer viruses.

Computer worm - a parasitic, self-propagating program. It can replicate itself, but it cannot damage other computer programs. It enters computers from the network (most often as a mail attachment or via the Internet) and sends functional copies of itself to other computers on the network.


Computer viruses - programs or fragments of program code which, once on a computer, can perform various actions against the user's will: create or delete objects, modify data files or program files, and spread themselves over local area networks or the Internet. Modifying program files, data files or disk boot sectors so that they themselves become carriers of the virus code, and can in turn perform the actions mentioned above, is called infection and is the most important function of computer viruses. Different types of viruses are distinguished by the type of object they infect.


"Dropper" - a carrier file that brings the virus into the system. Virus writers sometimes use this technique to "cover" a virus from anti-virus programs.


Memory-resident virus - a virus that resides permanently in memory, normally written in Assembler or C.

Such viruses are able to infect programs and resist anti-virus programs more effectively. A resident virus occupies little memory. It remains ready to continue its task until it is unloaded or the computer is rebooted or turned off. It is activated and performs the actions set by the virus writer when, for example, the computer reaches a specific state (a timer firing, etc.). All boot viruses are resident.


Hoax - a non-viral e-mail message. A hoax arrives on users' computers as an e-mail message, written in a pointedly neutral tone, that tells of a new virus supposedly spreading.
Most virus hoaxes have one or several of the following characteristics:

  • The virus name the author of the message refers to is constructed without heed to the conventions used by the majority of anti-virus companies.
  • It is specifically mentioned that the "virus" is not yet detected by anti-virus programs.
  • The user is told to find a certain file with the Windows find tool and delete it from the disk.
  • The message asks the user, if the file was found, to inform all friends and everyone listed in the address book.

Although such a hoax is harmless in itself, its danger is obvious: mass mailing of copies of the useless message increases mail traffic and takes up users' time.


Other virus names: anti-virus companies usually give different names to the same virus, each following its own conventions for constructing a virus name. In most cases the main name of a virus (for example, Klez, Badtrans, Nimda) is the same and appears in the virus designation whatever the anti-virus company. It is mainly the prefixes and suffixes of the names that differ, because the conventions for using them can be specific to each company. For example, in the virus classification used by Dr.Web Ltd. the versions of the same virus are labeled by numbers starting from 1, whereas Symantec uses capital letters of the Latin alphabet for the same purpose.


Polymorphic viruses - or viruses with self-modifying decoders (according to N.N.Bezrukov) - are viruses that use, in addition to an encoding procedure, a specific decoder that changes itself in each new copy of the virus. As a result the virus has no byte signature. The decoder is not constant: it is unique for each copy of the virus.

MtE viruses - polymorphic viruses created with the polymorphism generator MtE (Mutant Engine). The generator is a special algorithm responsible for the encoding/decoding functions and for generating decoders. It can be attached to the object code of any virus. The decoder does not have a single permanent bit, and its length is always different.


Script viruses - viruses written in Visual Basic, Basic Script, Java Script or Jscript.

Most often such viruses reach the user's computer as e-mail messages with script files attached. Programs written in Visual Basic and Java Script can be located either in separate files or embedded in an HTML document. In the latter case the browser can interpret them both from a remote server and from the local disk.


Stealth viruses - virus programs that take special measures to mask their activities and hide their presence in infected objects.

So-called Stealth technology can include:

  • obstacles to detection of the virus in RAM
  • obstacles to tracing and disassembly of the virus
  • masking of the infection process
  • obstacles to detection of the virus in an infected program and boot sector.

Depending on the type of objects they infect, computer viruses are classified into the following types:

  • File viruses - viruses that infect binary files (mainly executable files and dynamic libraries). Most often such files have the extension .EXE, .COM, .DLL or .SYS. Files with the extensions .DRV, .BIN, .OVL and .OVY can also be infected.
    These viruses infect operating system files, are activated when an infected program is run, and then spread.
  • Boot viruses - viruses that infect the boot record of diskettes and hard disk partitions, and also the MBR (Master Boot Record) of hard disk drives.
  • Encrypted viruses - viruses that encode their own code to hinder their disassembly and detection in a file, in memory or in a sector. Each copy of such a virus contains only a short common code fragment. The decoding procedure in this fragment can be taken as a signature. Each time it infects, the virus automatically encodes itself, and each time differently. In this way the virus tries to avoid detection by anti-virus programs.


  • Macroviruses - viruses that infect document files used by Microsoft Office applications and other programs that allow the use of macros (most often written in Visual Basic). What favors the spread of such viruses is that all the main components of Microsoft Office can contain built-in programs (macros) written in a full-featured programming language, and in Microsoft Word macros are executed automatically when a document is opened, closed, saved, etc.
    In addition, there is the so-called common template NORMAL.DOT, and macros within the common template are executed automatically when a document is opened. Given that copying macros from one document to another (in particular, into the common template) takes only one command, the Microsoft Word environment is ideal for macroviruses.

Virus code, signature - a set of symbols and unambiguous rules for their interpretation, used to represent information as data. A signature is a set of symbols, a sequence of bytes, that is peculiar to a certain virus and can therefore be found in that virus, in each of its copies and only in it. Anti-virus scanners use signatures to detect viruses. Polymorphic viruses have no signatures.
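
The signature matching described here and under "Encrypted viruses", as an added example that is not Dr.Web's code: a minimal byte-signature scanner run over constructed, inert buffers, showing that only the constant decoding fragment is found in each encoded copy and in no clean file. All names and byte values below are placeholders invented for the example.

```python
"""Byte-signature scanning over constructed, inert sample buffers."""

# Constructed placeholders: none of these bytes is real virus code.
BODY = b"INERT-SAMPLE-BODY-0001"               # stands in for the virus body
DECODER = bytes.fromhex("dec0de5b0badf00d")    # stands in for the short common fragment
HOST = b"MZ" + b"\x00" * 30 + b"host program bytes"

SIGNATURES = {"Sample.Body": BODY, "Sample.Decoder": DECODER}


def encoded_copy(key: int) -> bytes:
    """Model one copy of an encrypted virus: constant decoder, body encoded per copy."""
    return HOST + DECODER + bytes(b ^ key for b in BODY)


def scan(buf: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every occurrence in buf, ordered by offset."""
    hits = []
    for name, pattern in signatures.items():
        offset = buf.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = buf.find(pattern, offset + 1)
    return sorted(hits, key=lambda hit: hit[1])


def usable_signatures(copies: list[bytes], clean: list[bytes]) -> list[str]:
    """Names of signatures present in each copy and in no clean file."""
    usable = []
    for name, pattern in SIGNATURES.items():
        in_every_copy = all(pattern in copy for copy in copies)
        in_clean_file = any(pattern in data for data in clean)
        if in_every_copy and not in_clean_file:
            usable.append(name)
    return usable


if __name__ == "__main__":
    copies = [encoded_copy(key) for key in (0x21, 0x5A, 0xC3)]
    print("unencoded:", scan(HOST + BODY))
    for copy in copies:
        print("encoded:  ", scan(copy))
    print("usable:   ", usable_signatures(copies, [HOST]))
```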


Virus-companion - formally a file virus, but it does not infect executable files.
Such viruses use the DOS feature that allows program files with the same name but different extensions to run with different priorities.
Priority is an attribute assigned to a task, program or operation that defines the order of its execution by the computer system.
The majority of such viruses create a .COM file, which has higher priority than the .EXE file with the same name. When a file is run by name (without specifying the extension), the .COM file is executed.

Such viruses can be resident and can mask their clone files.
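
A check for the name collision described above, as an added example that is not part of the original page: it lists base names where a higher-priority file would run in place of another program with the same name. The directory contents are constructed placeholder files, and .BAT is included as a generalization beyond the .COM/.EXE case the page describes.

```python
"""Find companion-style name collisions: NAME.COM sitting next to NAME.EXE."""
import os
import tempfile

# DOS command-interpreter search order when no extension is typed.
# .BAT is a generalization; the page itself mentions only .COM and .EXE.
PRIORITY = (".COM", ".EXE", ".BAT")


def find_shadowed(directory: str) -> list[dict]:
    """Report base names where a higher-priority file runs instead of another program."""
    groups: dict[str, dict[str, str]] = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name)
        if ext.upper() in PRIORITY:
            # DOS names are case-insensitive, so compare upper-cased stems.
            groups.setdefault(stem.upper(), {})[ext.upper()] = entry.name
    findings = []
    for stem in sorted(groups):
        present = [ext for ext in PRIORITY if ext in groups[stem]]
        if len(present) > 1:
            winner = groups[stem][present[0]]
            findings.append({
                "name": stem,
                "runs": winner,
                "shadowed": [groups[stem][ext] for ext in present[1:]],
                "size": os.path.getsize(os.path.join(directory, winner)),
            })
    return findings


def build_sample_dir() -> str:
    """Create a constructed directory of harmless zero-filled placeholder files."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    for name, size in (("EDIT.EXE", 4096), ("edit.com", 512),
                       ("FORMAT.COM", 2048), ("SETUP.EXE", 1024), ("README.TXT", 10)):
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(b"\x00" * size)
    return root


if __name__ == "__main__":
    for finding in find_shadowed(build_sample_dir()):
        print(finding)
```

A hit is a lead to examine, not a verdict: compare the flagged file's size, date and origin against the program it shadows.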


Virus modification - a modified variant of one and the same virus. The virus code can be modified either by the author of the virus or by third parties.


Zoo virus - a virus that exists only in anti-virus labs and virus researchers' collections and is never met "in the wild".

Doctor Web, Ltd. © 2008 Doctor Web, Ltd. - a Russian company developing and distributing Dr.Web® Anti-virus solutions.