Introduction to computer viruses

May 26, 1998 Sophos Press Release

What is a computer virus?

A computer virus is a special kind of computer program which:

  • Spreads across disks and networks by making copies of itself, usually surreptitiously.
  • Can produce undesired side-effects in computers in which it is active.

How infection occurs

In order to infect a computer, a virus has to have the chance to execute its code.

Viruses usually ensure that this happens by behaving like a parasite, i.e. by modifying another item so that the virus code is executed when the legitimate item is run or opened.

Good vehicles for viruses include the parts of a disk which contain code executed whenever that disk is booted, and documents which contain macros executed whenever that document is opened with the relevant application.

As long as the virus is active on the computer, it can copy itself to other files or disks that are accessed.

How viruses escape detection

The successful spread of a virus depends on how long it can replicate unnoticed, before its presence is made known by the activation of side-effects. Viruses use two main methods of disguise:

  • Encrypting (scrambling) their code to avoid recognition.
  • Preventing applications from seeing the virus in memory, by interrupt interception or (in the case of macro viruses) by disabling the options to view macros.

Virus side-effects

As well as self-replicating code, a virus normally contains a 'payload'. The former is like the propulsion unit of a missile; the latter is like the warhead it delivers. The payload can be programmed to have malicious side-effects.

These effects can range from harmless messages to data corruption or destruction.

How viruses spread

Infections spread from machine to machine, and from organisation to organisation, in a number of ways.

Viruses can be transmitted by:

  • Booting a PC from an infected medium.
  • Executing an infected program.
  • Opening an infected file.

Common routes for virus infiltration include:

  • Floppy disks or other media that users can exchange.
  • Email attachments.
  • Pirated software.
  • Shareware.

Anti-virus measures

The fight against computer viruses involves five kinds of counter-measure:

Preparation includes making backups of all software (including operating systems) and making a contingency plan.

Prevention includes creating user awareness, implementing hygiene rules, using disk authorisation software, or providing isolated 'quarantine' PCs.

Detection involves the use of anti-virus software to detect, report and (sometimes) disinfect viruses.

Containment involves identifying and isolating the infected items.

Recovery involves disinfecting or removing infected items, and recovering or replacing corrupted data.
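
The detection and containment steps above can be sketched in code. This is an added example, not part of the original Sophos text: because a parasitic virus has to modify another item in order to run, comparing files against hashes recorded while they were known to be clean flags the change, and the flagged items can then be isolated. The file names, contents and the `snapshot`, `compare` and `quarantine` helpers are constructed for illustration; this is integrity checking, one detection approach, and not the scanning an anti-virus product performs.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare(baseline, current):
    """Report files modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def quarantine(root, names, quarantine_dir):
    """Containment: move flagged files out of root so they cannot be run or opened."""
    moved = []
    for name in names:
        dest = Path(quarantine_dir) / (name.replace("/", "_") + ".quarantined")
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(Path(root) / name), str(dest))
        moved.append(dest.name)
    return moved


def demo():
    """Constructed sample data: two stand-in files, one altered after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root, qdir = Path(tmp) / "disk", Path(tmp) / "quarantine"
        (root / "apps").mkdir(parents=True)
        program = root / "apps" / "editor.exe"
        program.write_bytes(b"MZ constructed program body")
        (root / "report.doc").write_bytes(b"constructed document body")
        baseline = snapshot(root)  # recorded while the files are known to be clean
        # Stand-in for an unexpected modification: extra bytes appear in the program.
        program.write_bytes(program.read_bytes() + b"unexpected appended bytes")
        report = compare(baseline, snapshot(root))
        moved = quarantine(root, report["modified"], qdir)
        return report, moved, sorted(snapshot(root))
```

Calling `demo()` returns the comparison report, the names given to the quarantined copies, and the files left in place. A baseline is only trustworthy if it is stored where an active virus cannot rewrite it, for example on write-protected media.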