Viruses
Boot Sector
Also known as a system virus
Moves the boot sector to another location on the hard drive and forces the virus code to be executed first
These are almost impossible to get rid of once you get infected
To remove, re-create the boot record (fdisk or mbr)
Shell
Wraps itself around an application's code, inserting its own code before the application's
Every time the application is run, the virus code runs first
Cluster
Modifies the directory table entries so that user or system processes are pointed to the virus code itself instead of the application or action intended
A single copy of the virus infects everything by launching when any application is started
Multipartite
Infects both files and the boot sector at the same time
A virus with multiple infection vectors
Macro
Usually written with Visual Basic for Applications (VBA)
Infects template files created by Microsoft Office (Word and Excel)
Example: Melissa
Polymorphic
Mutates its code using a built-in polymorphic engine
Hard to find and remove because its signature constantly changes
No part of the virus stays the same from infection to infection
Encryption
Uses encryption to hide the code from AV scanners
Metamorphic
Rewrites itself every time it infects a new file
Stealth
Attempts to evade AV applications by intercepting the AV's requests to the OS and redirecting them to itself instead of the OS
Changes the requests and sends them back to the AV as uninfected, making the virus appear clean
Cavity
Overwrites portions of host files so as not to increase the actual size of the file
Uses the null content sections of the file and leaves the file's actual functionality intact
Sparse infector
Only infects occasionally; might only fire every tenth time a specific application is run
File extension
Changes the file extensions of files to take advantage of most people having file extension view turned off