What Is A Computer Virus Computer Science Essay


There has been considerable interest in computer viruses over the last several years. One aspect of this interest has been to ask whether computer viruses are a form of artificial life, and what that might imply. To address this, we first need to understand something of the history and structure of computer viruses. We therefore begin with a condensed, high-level description of computer viruses: their history, their structure, and how they relate to certain properties.

Computers are designed to execute instructions one after another. Those instructions usually do something useful: compute values, maintain databases, and communicate with users and with other systems. Sometimes, however, the instructions executed can be damaging and malicious in nature. If the source of the instructions was an individual who intended the abnormal behavior to occur, we consider this malicious code; authorities have sometimes referred to this code as malware or vandalware. These names relate to the usual effect of such software.

There are many different forms of this software, categorized by the way they behave, how they are triggered, and how they spread. In recent years, occurrences of malware have been described almost uniformly by the media as computer viruses. In some environments, people have been quick to report almost every problem as the result of a virus. Viruses are widespread, but they are not responsible for many of the problems attributed to them.

The term computer virus is derived from, and is in some sense analogous to, a biological virus. The word virus itself is Latin for poisonous. Biological viral infections are spread by the virus injecting its contents into a far larger organism's cell. The cell is then infected and converted into a biological factory producing replicas of the virus.

Likewise, a computer virus is a segment of machine code (typically 200-4000 bytes) that will copy itself (or a modified version of itself) into one or more larger "host" programs when it is activated. When these infected programs are run, the viral code is executed and the virus spreads further. Sometimes, what constitutes "programs" is more than simply applications: boot code, device drivers, and command interpreters can also be infected.

Computer viruses cannot spread by infecting pure data, because pure data files are not executed. However, some data, such as files with spreadsheet input or text files for editing, may be interpreted by application programs. For example, text files may contain special character sequences that are executed as editing commands when the file is read by the editor. In such circumstances, the data files are "executed" and may spread a virus. Data files may also contain "hidden" code that is executed when the file is used by an application, and this too can be infected. In a technical sense, however, pure data itself cannot be infected by a computer virus.

The first to use the term virus for unwanted computer code was the science-fiction author David Gerrold. He wrote a series of short stories about a fictional God Machine (supercomputer) in 1970 that were later merged into a novel in 1972: When Harlie Was One. The description of the virus in this book does not match the currently accepted, popular definition of a computer virus: a program that modifies other programs to include a copy of itself.

Actual computer viruses were written by individuals before Cohen, although not under that name, as early as 1980 on the Apple II. [9] The first viruses were not distributed outside of a few small populations, with the notable exception of the "Elk Cloner" virus, which appeared in 1981 on several bulletin board systems.

Although Cohen (and others, including Len Adleman [1]) attempted formal definitions of computer virus, none of them gained wide acceptance or use. This is a result of the difficulty of defining precisely what a virus is and is not. Cohen's formal definition includes all programs capable of self-reproduction. Thus, by his definition, programs such as translators and editors can be classified as "viruses". This has led to confusion when Cohen (and others) have spoken of "good viruses", something most others in the field believe to be an oxymoron. [4, 29]

Stubbs and Hoffman quote a definition by John Inglis that captures the generally accepted view of computer viruses:

"He defines a virus as a piece of code with two characteristics:

1. Able to reproduce at least partially automated.

2. The transfer method, which depends on its ability to bind to other computer entities (programs, disk sectors, data files, etc.) that move between these systems." [32, p.145]

After their first appearance as a novelty, real computer viruses have become a significant problem. In particular, they have thrived in the lower-security environment of the personal computer. Personal computers were originally designed for a single dedicated user, with little, if any, thought given to the difficulties that might arise when others have direct access to the machine. The systems contained no optional security key installations either, and had only a minimal amount of software to ensure data security. Today, however, personal computers are used for tasks far different from those originally planned, including managing corporate databases and participating in networks of computer systems. Unfortunately, the hardware and operating systems are still based on the assumption of access by trusted users only, which allows viruses to spread and grow on these machines. The population of PC users makes the problem worse: many users are unsophisticated and unaware of the problems of lax security and uncontrolled sharing of media.

Over time, the problem of viruses has grown on a large scale. In the seven years after the first infection by the Brain virus in January 1986, generally accepted as the first significant MS-DOS virus, the number of known viruses grew to thousands of different viruses, most of which are for MS-DOS.

The problem is not limited to the IBM PC, however, and now affects all popular personal computers. Viruses can be written for mainframe operating systems that support sharing of data and executable software, but so far all those published have been experimental in nature, written by serious academic researchers in controlled environments (e.g., [6]). This is probably a result, in part, of the greater restrictions built into the software and hardware of those machines, and of the way they are generally used. It also reflects the more technical nature of the user population of these machines.

2.1 Related Software

Worms are another form of software that is often referred to as a computer virus. Unlike viruses, worms are programs that can run independently and travel from machine to machine across network connections; worms may have portions of themselves running on many different machines. Worms do not change other programs, although they may carry other code that does, such as a true virus. It is this replication behavior that leads some people to believe that worms are a kind of virus, particularly those using Cohen's formal definition (which would also classify standard network file transfer programs as viruses). The fact that worms do not alter existing programs is a clear distinction between viruses and worms, though.

In 1982, John Shoch and Jon Hupp of Xerox PARC (Palo Alto Research Center) described the first computer worms. [23] They were working with an experimental networked environment using one of the first local area networks. While looking for something that would use their networked environment, one of them remembered reading The Shockwave Rider by John Brunner, written in 1975. This science fiction novel described programs that traversed networks, carrying information with them. Those programs were called tapeworms in the novel. Shoch and Hupp called their own programs worms, because they saw a parallel to Brunner's tapeworms. The Xerox worms were actually useful: they travelled from workstation to workstation, reclaiming file space, shutting down idle workstations, delivering mail, and doing other useful tasks.

The Internet worm of November 1988 is often cited as the canonical example of a worm program. [26, 27, 22] The worm clogged machines and networks as it spread out of control, replicating on thousands of machines around the Internet. Some authors (e.g. [7]) have described the Internet worm as a virus, but these arguments are not convincing (see the discussion in [25]). Most people working with self-replicating code now accept that a worm is a type of software distinct from computer viruses.

Few worms have been written since then, especially worms that have caused damage, because they are not easy to write. Worms require a network environment and an author who is familiar not only with the network services and facilities, but also with the operating facilities needed to support them once they have reached their target.

3 Virus Structure and Operation

True viruses have two main components: one that handles the spread of the virus, and a "payload" or "manipulation" task. The payload task may not be present (it has no effect), or it may wait for a set of predetermined conditions before triggering. For a computer virus to work, it must add itself to other executable code. The viral code is usually executed before the code of its infected host (if the host code is ever executed again). One form of classification of viruses is based on the three ways a virus can add its own code to the host: as a shell, as an add-on, and as intrusive code.

A fourth form, known as the companion virus, is not really a virus at all, but a sort of Trojan horse that uses the execution path mechanism to run in place of a normal program. Unlike all other forms of virus, it does not alter existing code in any way: a companion virus creates new executable files with a name similar to that of an existing program, chosen so that they are executed before the real program. Because companion viruses are not true viruses unless one uses a broader definition of a virus, they are not described further here.

Shell viruses

A shell virus is one that forms a "shell" (as in "eggshell" rather than "Unix shell") around the original code. In effect, the virus becomes the program, and the original host program becomes an internal subroutine of the viral code. An extreme example is a case in which the virus moves the original code to a new location and takes on its identity. When the virus has finished executing, it retrieves the host program code and begins its execution.

Add-on viruses

Most viruses are add-on viruses. They function by appending their code to the host code and/or by relocating the host code and inserting their own code at the beginning. The add-on virus then changes the startup information of the program so that the virus code is executed before the code for the main program. The host code is left almost entirely intact; the only visible sign that the virus is present is that the file grows, if this is indeed noticed.

Intrusive viruses

Intrusive viruses work by replacing some or all of the original host code with viral code. The replacement may be selective, as in replacing a subroutine with the virus, or inserting a new interrupt vector and routine. The replacement may also be extensive, as when a large part of the host program is entirely replaced by the viral code. In the latter case, the original program no longer works correctly. Few viruses are intrusive viruses.

A second form of classification divides viruses into file infectors and boot (system) program infectors. This division is not particularly clear, however, because a number of viruses alter system code that is neither boot code nor programs. Some viruses target file system directories, for example. Other viruses infect both applications and the boot sector. This second form of classification is very specific and meaningful only for machines that have infectable (writable) boot code.

A third form of classification is related to how viruses are activated and how they select new targets to alter. The simplest viruses are those that run when their "host" program is run, select a target program to modify, and then transfer control to the host. These viruses are transient or direct viruses, so called because they operate only for a short period and go directly to disk to find programs to infect.

The most "successful" PC viruses take advantage of a variety of techniques to remain resident in memory once their code has been executed and their host program has terminated. This means that once an infected program has been executed, the virus can potentially spread to any or all programs in the system. This spreading occurs throughout the session (until the system is rebooted to clear the virus from memory), rather than only during the short time when the infected program is executing viral code. These viruses are resident or indirect viruses, so called because they remain resident in memory and indirectly find files to infect as those files are referenced by the user. These viruses are also known as TSR (Terminate and Stay Resident) viruses.

If a virus is present in memory after an application exits, how does it stay active? In other words, how does the virus continue to infect other programs? The answer, for personal computers running software such as MS-DOS, is that the virus alters the standard interrupts used by DOS and the BIOS (Basic Input/Output System). The change to the environment is such that the virus code is invoked by other applications when they make service requests.

The PC uses many interrupts (both hardware and software) to manage asynchronous events and to invoke system functions. All services provided by the BIOS and DOS are invoked by the user storing parameters in machine registers and then causing a software interrupt. When an interrupt occurs, the operating system calls the routine whose address it finds in a special table known as the vector table or interrupt table. Normally, this table contains pointers to handler routines in the ROM or in memory-resident portions of DOS. A virus can modify this table so that the interrupt causes the (memory-resident) virus code to be executed.

By trapping the keyboard interrupt, a virus can arrange to intercept the CTRL-ALT-DEL reboot command, change the user's keystrokes, or be invoked on each key press. By trapping the BIOS disk interrupt, a virus can intercept all BIOS disk activity, including reads of the boot sector, or disguise its own disk accesses as part of a user's disk request. By trapping the DOS service interrupt, a virus can intercept all DOS service requests, including program execution, DOS disk access and memory allocation requests. A typical virus might trap the DOS service interrupt, causing its code to be executed before calling the real DOS handler to process the request.

Once a virus has infected a program, it seeks to spread to other programs and, eventually, to other systems. Simple viruses do no more than this, but most viruses are not simple viruses. A common virus waits for a specific trigger condition, and then performs a certain activity. The activity can be as simple as printing a message to the user, or as complex as searching for particular data elements in a specific file and changing their values. Often, viruses are destructive, removing files or reformatting the entire disk. Many viruses are also defective and may cause damage that was not intended.

The conditions that trigger viruses can be arbitrarily complex. If it is possible to write a program that determines a set of conditions, then those same conditions can be used to trigger a virus. This includes waiting for a specific date or time, determining the presence or absence of certain files (or their contents), examining the user's keystrokes for a particular input sequence, examining display memory for a particular pattern, or checking file attributes for modification and permission information. Viruses can also be triggered on the basis of a random event. A common trigger component is a counter used to determine how many additional programs the virus has infected: the virus does not trigger until it has spread a certain minimum number of times. Of course, the trigger can be any combination of these conditions.

Computer viruses can infect any writable storage, including hard drives, floppy disks, magnetic tapes, optical media, or memory. Infection spreads when a computer is booted from an infected floppy disk, or when an infected program is executed. This can occur either as the direct result of a user invoking an infected program, or indirectly through the system running the code as part of the boot sequence or as a background administrative task. It is important to recognize that the chain of infection is often complicated and convoluted. With the presence of networks, viruses can also spread from machine to machine as executable code containing viruses is shared between machines.

Once activated, a virus may replicate into only one program at a time, it may infect a few randomly chosen programs, or it may infect every program on the system. Sometimes a virus replicates on the basis of a random event or the current value of the clock. The different methods are not presented in detail because the result is the same: there are more copies of the virus in the system.

4 Evolution of Viruses

Since the first viruses were written, we have seen what could be classified as five "generations" of viruses. Each new class has incorporated new features that make the viruses much harder to detect and remove. Here, as in other matters relating to the classification and naming of viruses, different researchers use different terms and definitions. The following list describes one classification drawn from many sources. The generations are not strictly chronological: for example, several early viruses (e.g., the "Brain" and "Pentagon" viruses) had stealth and armored characteristics. Rather, this list represents the increasing sophistication and complexity of computer viruses in the MS-DOS environment.

4.1 First generation: Simple

The first generation of viruses were the simple viruses. These viruses did nothing very significant other than replicate. Many of the new viruses being discovered still fall into this category. Damage from these simple viruses is usually caused by errors or software incompatibilities that were not anticipated by the virus writer. First generation viruses do nothing to hide their presence in the system, so they can usually be found by something as simple as noting an increase in file size, or the presence of a distinctive pattern in an infected file.

4.2 Second generation: Self-recognition

One problem encountered by viruses is repeated infection of the host, which leads to depleted memory and early detection. In the case of boot sector viruses, this can (depending on the strategy) cause a long chain of linked sectors. In the case of a program-infecting virus, repeated infection can lead to continued expansion of the host program each time it is re-infected. There are indeed some older viruses that show this behavior. To avoid this unnecessary growth of infected files, second generation viruses generally implant a unique signature that indicates that the file or system is infected. The virus checks for this signature before attempting infection; if the signature is present, the virus does not re-infect the host.

A virus signature can be a characteristic sequence of bytes at a known offset on disk or in memory, a feature of the directory entry (e.g., the modification time or the length of the file), or a particular system call that is available only while the virus is active in memory. The signature is a mixed blessing for the virus. The virus no longer performs unnecessary infections that would reveal its presence, but the signature does provide a method of detection. Virus-sweeping programs can scan files on disk for the signatures of known viruses, or even "harden" the system by planting the signatures of viruses in it, so that those viruses do not attempt infection.

4.3 Third Generation: Stealth

Most viruses can be identified on a contaminated system by scanning secondary storage and searching for a pattern of data specific to each virus. To counter these scans, some resident viruses employ stealth techniques. These viruses subvert selected system service interrupts when they are active. Requests for these operations are intercepted by the virus code. If the operation would expose the virus, the operation is redirected to return bogus information.

For example, a common virus technique is to intercept I/O requests that read disk sectors. The virus code monitors these requests. If it detects a read operation that would return a block containing a copy of the virus, the active code instead returns a copy of the data that would be present in an uninfected system. In this way, antivirus software cannot find the virus on disk while the virus remains active in memory. Similar techniques can be applied to avoid detection by other operations.

4.4 Fourth Generation: Armored

As antivirus researchers have developed tools to analyze new viruses and craft defenses, virus writers have turned to techniques for hiding the code of their viruses. This "armoring" includes adding confusing and unnecessary code to make the virus code more difficult to analyze. The defenses may also take the form of attacks against antivirus software, if it is present on the affected system. These viruses have been appearing since 1990. Viruses with these forms of protection are generally much larger than simple viruses, and therefore easier to spot. In addition, the complexity required to significantly delay the efforts of trained antivirus experts seems to be far beyond anything that has yet appeared.

4.5 Fifth Generation: Polymorphic

The newest type of virus to appear on the scene is the polymorphic or self-mutating virus. These are viruses that infect their targets with a modified or encrypted version of themselves. By varying the code sequences written to the file (while remaining functionally equivalent to the original), or by generating a different, random encryption key, the virus in the altered file is not easily identifiable through a simple byte match. Detecting the presence of these viruses requires a more complex algorithm that, in effect, reverses the masking to determine whether the virus is present.

Several of these viruses have become quite common. Some virus writers have also published "toolkits" that can be incorporated into a complete virus to give it polymorphic capabilities. These toolkits have been distributed on various bulletin boards around the world and incorporated into several viruses.

5 Defenses and Outlook

There are several methods of protection against viruses. Unfortunately, no protection is perfect. It has been shown that any sharing of writable memory, or communication with any other entity, introduces the possibility of virus transmission. It is also not possible to write a program that will detect viruses without error.

On a slightly more helpful note, it is a trivial observation that one can write a program that identifies all infected programs with an accuracy of 100%. Unfortunately, this program must identify every (or almost every) program as infected, whether it is or not! This is not particularly useful to the user, and the challenge is to write a detection mechanism that finds most viruses without producing too many false positive reports. Protection against viruses usually takes one of three forms:

Activity monitors

Activity monitors are programs that reside on the system. They monitor activity, and either raise a warning or take special measures in case of suspicious activity. Thus, attempts to modify the interrupt table in memory or to rewrite the boot sector would be caught by such monitors. This type of protection can be circumvented (if implemented in software) by a virus that activates earlier in the boot sequence than the monitor code.

Activity monitors are also susceptible to alteration by a virus if they are used on machines without hardware memory protection, as is the case for all common personal computers. Another form of monitor is one that emulates, or otherwise traces, the execution of a suspect application. The monitor evaluates the actions taken by the code, and determines whether any of the activity is similar to what a virus would undertake. Appropriate warnings are issued when suspicious activity is observed.


Scanners

Scanners have been the most popular and most common protection against viruses. A scanner works by reading data from disk and applying pattern-matching operations against a list of known virus patterns. If a match is found for a pattern, an instance of the virus is announced.

Scanners are fast and easy to use, but they suffer from many drawbacks. Foremost among the disadvantages is that the list of patterns must be kept up to date. In the MS-DOS world, new viruses appear at a rate of more than a few dozen each week. Keeping the pattern list updated in this rapidly changing environment is difficult.

The second drawback of scanners is false positive reports. As more patterns are added to the list, it becomes increasingly likely that one of them will match some otherwise legitimate code. Another drawback is that polymorphic viruses cannot be detected by scanners.

The advantage of scanners, however, is speed. Scanning can be performed quite quickly. Scanning can also be performed portably and across platforms [17], and pattern files are easy to distribute and update. Furthermore, of the new viruses discovered each week, some never spread. Thus, somewhat outdated pattern files are adequate for most environments. Scanners equipped with algorithmic or heuristic checking can find most polymorphic viruses. These are the reasons that scanners are the most widely used antivirus software.
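The scanner mechanism and its false-positive drawback described above can be sketched as follows. This is an added example, not code from the essay or from any antivirus product; the byte patterns, the sample buffers and the names `scan` and `vet_signatures` are constructed for illustration.

```python
import re

# Constructed, harmless byte patterns (not taken from any real virus).
# "??" is a one-byte wildcard, a common feature of pattern lists.
SIGNATURES = {
    "Sample.A": "de ad be ef 13 37 c0 de",
    "Sample.B": "fa ce ?? ?? b0 0c",
    "Sample.Short": "4d 5a",  # "MZ": far too short, every DOS .EXE starts with it
}

# Constructed sample buffers standing in for files read from disk.
CLEAN_EXE = b"MZ" + bytes(range(32))
CLEAN_TXT = b"plain text file, no header"
FLAGGED = (CLEAN_EXE + bytes.fromhex("deadbeef1337c0de")
           + b"\x00" * 4 + bytes.fromhex("face0102b00c"))


def compile_signature(hex_pattern):
    """Turn 'de ad ?? ef' into a compiled bytes regex."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")  # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, signatures):
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = []
    for name, pattern in signatures.items():
        for match in compile_signature(pattern).finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def vet_signatures(signatures, clean_corpus):
    """Names of signatures that fire on known-clean samples (false positives)."""
    noisy = set()
    for sample in clean_corpus:
        noisy.update(name for name, _ in scan(sample, signatures))
    return sorted(noisy)


def vetted(signatures, clean_corpus):
    """Signature list with the false-positive-prone entries removed."""
    noisy = set(vet_signatures(signatures, clean_corpus))
    return {n: p for n, p in signatures.items() if n not in noisy}


if __name__ == "__main__":
    print("raw list on clean file:", scan(CLEAN_EXE, SIGNATURES))
    print("noisy signatures:", vet_signatures(SIGNATURES, [CLEAN_EXE, CLEAN_TXT]))
    print("vetted list on flagged file:",
          scan(FLAGGED, vetted(SIGNATURES, [CLEAN_EXE, CLEAN_TXT])))
```

Running every new pattern against a corpus of known-clean files before adding it to the list is one way to keep the false positive rate from growing with the list.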

Integrity checkers/monitors

Integrity checkers are programs that generate check codes (such as checksums, cyclic redundancy codes (CRCs), secure hashes, message digests or cryptographic checksums) for monitored files. [20] Periodically, they recalculate the check codes and compare them with the stored versions. If the comparison fails, a change is known to have occurred in the file, and it is marked for further investigation. Integrity monitors operate continuously and regularly check the integrity of files. Integrity shells check the integrity of code before each execution. [3] Integrity checking is an almost certain way to discover changes to files, including data files. Because viruses need to modify files to implant themselves, the integrity check will find these changes, and it does not matter whether the virus is known or not: the integrity check detects the change no matter what causes it. Integrity checking may also find other changes caused by faulty software, equipment problems and operator error.

Integrity checking also has drawbacks. On some systems, executable files are modified when the user runs the file, or when new preferences are recorded. Repeated false positive reports can lead the user to ignore future reports, or to disable the utility. It is also the case that a change may not be noticed until after the altered file has been run and a virus has spread. More importantly, the initial calculation of the check code must be performed on a known-unaltered version of each file. Otherwise, the monitor will never report the presence of the virus, and the user is likely to assume that the system is not infected. Many vendors have already begun to build self-checking into their products. This is a form of integrity check performed by the program itself at various times as it runs. When the self-check reveals unexpected changes in memory or on disk, the program terminates or warns the user. This can indicate the presence of a new virus quickly so that further action may be taken.
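The integrity-checking procedure and two of the drawbacks just described (files that legitimately change, and a baseline taken too late) can be seen in a short sketch. This is an added example, not code from the essay or from any product; the file names, their contents and the `expected_to_change` allowlist are constructed assumptions.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 check code of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> check code. Only meaningful on a known-clean tree."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def check(root, baseline, expected_to_change=()):
    """Recalculate check codes and compare them with the stored baseline."""
    report = {"modified": [], "missing": [], "new": [], "ignored": []}
    current = build_baseline(root)
    for rel, stored in sorted(baseline.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != stored:
            # Files known to rewrite themselves (e.g. saved preferences) are
            # reported separately, so alerts on executables are not drowned out.
            key = "ignored" if rel in expected_to_change else "modified"
            report[key].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario in a temporary directory; returns two reports."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)

        # Constructed stand-ins for a program, its preferences and a document.
        write("EDITOR.EXE", b"MZ" + b"\x90" * 64)
        write("EDITOR.CFG", b"colour=blue\n")
        write("README.TXT", b"constructed sample\n")
        clean = build_baseline(root)            # taken while the tree is clean

        write("EDITOR.EXE", b"MZ" + b"\x90" * 64 + b"appended bytes")  # file grew
        write("EDITOR.CFG", b"colour=green\n")  # legitimate preference change
        write("EDITOR.COM", b"new executable")  # new file beside the program

        report = check(root, clean, expected_to_change={"EDITOR.CFG"})
        # Drawback from the text: a baseline taken after the change sees nothing.
        late_report = check(root, build_baseline(root))
    return report, late_report


if __name__ == "__main__":
    for label, result in zip(("clean baseline", "late baseline"), demo()):
        print(label, result)
```

The "new" list also surfaces files created next to existing programs, which a comparison of stored check codes alone would not report.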

If no more computer viruses were written from now on, there would still be a computer virus problem for many years to come. Of the thousands of reported computer viruses, hundreds are well established on different types of computers worldwide. The population of machines and archived media is such that these viruses would continue to spread from a sizable population of contaminated equipment.