File-infecting viruses. File-infecting viruses are the most common viruses that attach themselves, i.e., inject code to executable files, to infect other programs and files. As soon as the user runs the infected file, the virus executes its own code to attach itself to other executable files on the user’s computer. Obviously, the virus goes along for the ride when the user transfers infected files to another computer and infects more files onto the new computer.
Non-resident viruses. Non-resident viruses, when executed, immediately search for other computers to infect them and ultimately transfer control to the application program they infected. Such viruses consist of a finder module to search for new files and a replication module to infect these new files.
Resident viruses. Resident viruses consist of a replication module that they load into the memory on execution, and do not search for hosts when they are executed. These viruses ensure that the replication module is executed each time the operating system is called to perform a certain task. Upon execution, such viruses transfer control to the host program and remain active in the background to infect new hosts when those files are accessed by other application programs or the operating system itself.
Depending on the rate of infection-spread, resident viruses are roughly divided into two categories of fast and slow infectors. As the name suggests, slow infectors are designed deliberately to infect hosts infrequently so that detection of such viruses becomes very hard for anti-virus programs. Fast infectors, on the other hand, infect as many hosts (including anti-virus software program) as possible at a very fast pace. So these can become a ‘piggy-back’ on the anti-virus program itself and in this way infect all the files that are scanned. Detection of such viruses is easy because they heavily affect computer performance and perform several suspicious actions.
Cavity viruses. Cavity viruses take advantage of unused areas of portable executable files to overwrite these areas with their own small codes without increasing the size or damaging the executable files.
Boot-sector viruses. Boot-sector viruses install themselves into the boot sector on a floppy disk or the master boot record on a hard disk by overwriting the original boot code with their own code. Boot-sector viruses are especially dangerous because these are executed when the user boots the computer from the disk. A boot-sector virus in the master boot record is very harmful because on each start-up of the computer, it is loaded into the memory, from where it can spread to other parts of the hard disk and result in complete system crash. In such cases, the user’s computer becomes unable to start-up or even find its hard drive.
Macro viruses. Macro viruses are written in the macro/scripting languages provided with many applications such as MS Office. These viruses spread easily because they travel in documents and spreadsheets. They can spread with infected file sharing from one computer running on an operating system (Windows) to another computer running on a different operating system (Macintosh). Most of these macro viruses have the ability to replicate themselves by sending infected e-mails to everyone they find in the user’s contacts.
Stealth viruses. Stealth viruses intercept read requests to the operating system. These viruses make the operating system unaware by modifying and forging the results of calls to functions in the infected file, so the system believes it is reading the original file. Such interception is obtained by malicious code injection of the actual operating system files that would handle the read request. This will result in either denial of the read request or serve the read request with an uninfected version of the file.
These viruses can also trick an antivirus software by intercepting its read request to the operating system, handling the request itself, and returning an uninfected version of the file to the antivirus software. In this way, stealth viruses can sometimes fool the antivirus software into concluding that the system is free from viruses. Such viruses even go to great lengths to hide the fact that these are consuming memory.
Self-modifying viruses. Generally, most of the antivirus software search, in the files to be scanned, for virus signature that is nothing but a sequence of some bytes or a string. Upon detection of such patterns or strings, the antivirus software reports that the file is infected with virus. Self-modifying viruses are cleverly designed to modify their sequence of bytes on each infection. Thus detection of such viruses becomes difficult for antivirus software programs that rely on virus signatures only.