
PPT - Types of Cybersecurity

The document provides an overview of various types of computer viruses and malware, including definitions and examples of each type, such as viruses, worms, Trojans, and ransomware. It explains how these malicious programs operate, their life cycles, and the potential damage they can cause to systems and data. Additionally, it discusses related concepts like spoofing and hacking, highlighting the importance of cybersecurity awareness.

Uploaded by

sonwalkaranurag6

Types of Computer Viruses

Malware
● Malware, or malicious software, is a blanket term for any kind of computer software with malicious intent.
● It refers to any intrusive software developed by cybercriminals (often called hackers) to steal data and damage or
destroy computers and computer systems.
● Examples of common malware include viruses, worms, Trojans, spyware, adware, and ransomware.

● Malware is a threat-category, while viruses are one type of malware threat.

Virus
● Virus stands for Vital Information Resources under Siege
● Virus is any type of malicious software or malware that can cause damage to your data, files,
and software through replication. A computer virus replicates itself by modifying other
computer programs and inserting its own code into those programs. Computer viruses generally
require a host program.

● The virus phases make up the life cycle of a computer virus.


○ This life cycle can be divided into four phases:
■ Dormant phase - The virus program is idle during this stage. The virus program has managed to
access the target user's computer or software, but during this stage, the virus does not take any
action.
■ Propagation phase - The virus starts propagating, which is multiplying and replicating itself. The
virus places a copy of itself into other programs or into certain system areas on the disk. The
copy may not be identical to the propagating version; viruses often "morph" or change to evade
detection by IT professionals and anti-virus software.
■ Triggering phase - A dormant virus moves into this phase when it is activated and will now
perform the function for which it was intended. The triggering phase can be caused by a variety
of system events, including a count of the number of times that this copy of the virus has made
copies of itself. The trigger may occur when an employee is terminated from their employment
or after a set period of time has elapsed, in order to reduce suspicion.
■ Execution phase - This is the actual work of the virus, where the "payload" will be released. It
can be destructive, such as deleting files on disk, crashing the system, or corrupting files.

● Computer Virus
○ In 1983, the term "computer virus" was coined by Fred Cohen
○ The first known computer virus appeared in 1971 and was dubbed the "Creeper virus", made by Bob
Thomas. This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe
computers running the TENEX operating system.
○ The Creeper virus was eventually deleted by a program created by Ray Tomlinson and known as "The
Reaper".

○ Types of Computer Virus


■ Boot sector virus
● As the name suggests, boot sector viruses sneak into your boot sector (responsible for
loading your computer’s operating system upon startup) to infect your memory right
away in order to load before the antivirus has a chance to act.
● These types of viruses traditionally spread through hardware, such as floppy disks, USB
drives, and CDs.

● Every time a user boots up, the virus-infected code automatically runs as well. This gives
hackers full control of an entire system. They can also prevent your computer from
booting up properly, resulting in a blue or black screen error message.
● Richard Skrenta created the first boot sector virus, called Elk Cloner, in 1981.
● First boot sector virus in India - Brain (computer virus), in 1986. It affected IBM personal
computers. Brain was developed by Pakistani brothers Basit and Amjad Farooq Alvi.

■ Resident Virus
● A resident virus is malware that embeds in the computer memory, enabling it to infect
other computer files without even being executed. It does this by loading its replication
module into the RAM.

■ Direct Action Virus


● A virus that attaches itself directly to a .exe or .com file and enters the device when that
file is executed is called a Direct Action Virus.
● It is also known as Non-Resident Virus.

● What is the difference between Resident and Non-Resident Virus?


○ A resident virus stores itself in your computer’s memory. Whether hidden or
clearly visible, these types of malware are file infectors that operate even if you
don’t execute a particular command. They live in your computer memory and
can activate regardless of which files you execute.
○ Non-resident viruses need a command to operate. Unless a virus has attached
itself to executable commands, it doesn’t work. Direct action virus attaches itself
to executable files and activates whenever an infected file is executed, spreading
to other files in the same directory.

■ Polymorphic Virus
● A polymorphic virus can change its code or signature while maintaining its malicious
function. It creates numerous slightly different copies of itself, making it more
challenging to detect and remove by antivirus software.

■ A logic bomb / Slag code


● A logic bomb is a set of instructions in a program carrying a malicious payload that can
attack an operating system, program, or network.
● It only goes off after certain conditions are met. A simple example of these conditions is
a specific date or time.
○ Time bombs may only detonate on a specific date or time.
○ Example – The Jerusalem virus which, every Friday the 13th, deletes all the files
on an infected computer.

■ Macro Virus
● A macro virus is a computer virus written in the same macro language used to create
software programs or applications such as Microsoft Excel or Word. Macro viruses
work by adding their code to the macros associated with documents, spreadsheets and
other data files. It centers on software applications and does not depend on the operating
system (OS). Most macro viruses are VBA viruses.
○ VBA is Visual Basic for Applications and is the language used by Microsoft for
its applications like Word and Excel.

■ Web Script Viruses


● Web script viruses are a type of malware that targets web browsers and website servers.
● These viruses can modify web page content to include malicious code or links and take
control of your browser, changing its settings, redirecting to fraudulent sites, sending
spam or even stealing sensitive information such as login credentials. You might
encounter them through infected links or pop-ups.

■ Multipartite Virus
● A multipartite virus is a type of fast-acting malware that attacks a device's boot sector
and executable files simultaneously.
● Multipartite viruses are often considered more problematic than traditional computer
viruses due to their ability to spread in multiple ways.
● In the history of computer viruses, The Multipartite party virus is the first virus of its
kind to attack both boot sector and self-executable files at the same time, causing more
damage than any other virus.

■ Script Viruses
● Script Viruses (VBA, VBS, JS) use programming languages present on your system to
attack it.
● VBA is Visual Basic for Applications and is the language used by Microsoft for its
applications like Word and Excel.
● VBS is Visual Basic Script edition and is used for scripting in web applications like
Internet Explorer.
● JS is JavaScript, a variation on the Java programming language. Unlike the other script
languages here, JavaScript cannot itself be used to harm your system as it works in a
"sandbox" or protected area of your computer. Instead, JavaScript is used to exploit
security problems in other programs such as web browsers. This is known as a Browser
exploit.

Ransomware
● As the name suggests, ransomware takes your device, files, and folders hostage by locking you out
and demanding a ransom to regain access. Ransomware attacks often request payment in bitcoin or
other types of cryptocurrency.
● The first documented ransomware was the 1989 AIDS Trojan, also known as PS Cyborg1 developed by Joseph
Popp.

Adware (or advertising software)
● It is the term used for various pop-up advertisements that show up on your computer or mobile
device. Adware has the potential to become malicious and harm your device by slowing it down,
hijacking your browser and installing viruses and/or spyware.
● Adware installs itself on your device and displays unwanted advertisements and pop-ups.

Rootkit
● A rootkit is a software program, typically malicious, that provides privileged, root-level (i.e.,
administrative) access to a computer while concealing its presence on that machine.
● A rootkit is an app that hides itself, or other forms of malware, deep within your system.
Rootkits are very difficult to detect for average anti-malware software. Working stealthily in
the background, rootkits do their damage gradually. Hackers can use rootkit attacks to steal
personal data, install malware and spam, perform a DDoS attack, or gain remote access to a system.

● Potential consequences of a rootkit include:


○ Concealed malware – Rootkits allow attackers to install additional malware on infected computers.
○ Information theft – Malicious software installed with the aid of rootkits can be used to steal user
passwords, credit card information & other sensitive data.
○ File deletion on a system.
○ Eavesdropping – Hackers can use rootkits to intercept personal information.
○ File execution – After subverting anti-malware software on a system, rootkits allow perpetrators to
remotely execute other files on target computers.
○ Remote access – Rootkits can alter system configuration settings, such as opening up backdoor TCP
ports in firewall settings, or altering startup scripts. This grants attackers remote access.

○ DDoS — or “distributed denial of service”


■ A DDoS attack floods a server with so many requests that it becomes unresponsive — effectively
shutting its service down.
■ When we come to know about a website being brought down, it generally means it has become a
victim of a DDoS attack.

Spyware
● Malware designed to track user activity and log behavior is known as spyware. Spyware is used to
spy on your system, record your conversations, log your browsing habits, and even steal your
credit card info, passwords, and other private data through the use of keyloggers.
● If you compare spyware vs viruses, they both exploit your system in potentially devastating ways, but spyware
can’t self-replicate and usually requires an action, like clicking on a link, to cause an infection.
● Example - Pegasus spyware developed by the Israeli cyber-arms company NSO Group

● What is a keylogger?
○ Short for keystroke logger, a keylogger is monitoring software or hardware designed to record what you
write.
○ It allows hackers to keep track of everything you’ve been typing. This allows hackers to steal valuable
information such as your usernames and passwords, your credit card number and verification code, your
entire chat history, a list of the websites you’ve visited, etc.

Worms
● Like viruses, computer worms can self-replicate and spread over a network. But when comparing
worms and viruses, a virus needs a legitimate file to latch onto while a worm doesn’t actually
need a host.
● A worm can spread by itself without a host.
● Worm Full Form - Write Once, Read Many
● The FIRST Computer Worm: The Morris Worm (1988)
● ILOVEYOU, sometimes referred to as Love Bug was a computer worm that infected over ten million Windows
personal computers on and after 5 May 2000.
○ Onel de Guzman, a then-24-year-old resident of Manila, Philippines, created it.

Trojan Horse
● A Trojan Horse Virus is a type of malware that downloads onto a computer disguised as a
legitimate program. The delivery method typically sees an attacker use social engineering to
hide malicious code within legitimate software to try and gain users' system access with their
software.
● Unlike computer viruses or worms, a Trojan horse cannot replicate.
● A Trojan virus spreads through legitimate-looking emails and files attached to emails, which are spammed to
reach the inboxes of as many people as possible. When the email is opened and the malicious attachment is
downloaded, the Trojan server will install and automatically run every time the infected device is turned on.

Retrovirus
● A retrovirus is also referred to as an anti-anti-virus virus.
● This means that it tries to attack and disable any anti-virus or protective software on the system it is trying to
infect to avoid detection.

Some Important Information
● Trap door or Back Door
○ The trap door program threat is one in which the designer keeps a hole in the program, so it can be
handled only by the designer.
○ A trap door is kind of a secret entry point into a program that allows anyone to gain access to any system
without going through the usual security access procedures.
○ It is a method of bypassing normal authentication methods.

● Hacker
○ A hacker is a person who breaks into a computer system. The reasons for hacking can be many: installing
malware, stealing or destroying data, disrupting service, and more. Hacking can also be done for ethical
reasons, such as trying to find software vulnerabilities so they can be fixed.

○ White hat hackers or Ethical Hackers


■ They probe cybersecurity weaknesses to help organizations develop stronger security

○ Black hat hackers are motivated by malicious intent. They enter the system without taking the owners’
permission. They hack systems illegally.

○ Gray hat hackers operate in the nebulous area in between — they're not malicious, but they're not always
ethical either. This type of hacking is still considered illegal. But they never share information with black
hat hackers.

● Spoofing
○ Spoofing is a broad term for the type of behaviour that involves a cybercriminal masquerading as a
trusted entity or device to get you to do something beneficial to the hacker — and detrimental to you.
○ Any time an online scammer disguises their identity as something else, it’s spoofing.
○ Spoofing attacks usually involve an element of social engineering, where scammers psychologically
manipulate their victims by playing on human vulnerabilities such as fear, greed, or lack of technical
knowledge.
■ Social engineering refers to all techniques aimed at talking a target into revealing specific
information or performing a specific action for illegitimate reasons.

○ How does spoofing work?


■ Spoofing typically relies on two elements – the spoof itself, such as a faked email or website, and
then the social engineering aspect, which nudges victims to take action.
■ For example, spoofers may send an email that appears to come from a trusted senior co-worker
or manager, asking you to transfer some money online and providing a convincing rationale for
the request.

■ Spoofers often know what strings to pull to manipulate a victim into taking the desired action –
in this example, authorizing a fraudulent wire transfer – without raising suspicion.

○ A successful spoofing attack can have serious consequences – including stealing personal or company
information, harvesting credentials for use in further attacks, spreading malware, gaining unauthorized
network access, or bypassing access controls.
○ For businesses, spoofing attacks can sometimes lead to ransomware attacks or damaging and costly data
breaches.

○ There are many different types of spoofing attacks – the more straightforward ones relate to emails,
websites, and phone calls.
■ The more complex technical attacks involve IP addresses, Address Resolution Protocol (ARP),
and Domain Name System (DNS) servers.

○ Website spoofing
■ Website spoofing – also known as URL spoofing – is when scammers make a fraudulent website
resemble a legitimate one. The spoofed website will have a familiar login page, stolen logos and
similar branding, and even a spoofed URL that appears correct at first glance.
■ Hackers build these websites to steal your login details and potentially drop malware onto your
computer. Often, website spoofing takes place in conjunction with email spoofing – for example,
scammers might send you an email containing a link to the fake website.

○ DNS spoofing
■ DNS spoofing – sometimes called DNS cache poisoning – is an attack in which altered DNS
records are used to redirect online traffic to a fake website that resembles its intended destination.
Spoofers achieve this by replacing the IP addresses stored in the DNS server with the ones the
hackers want to use.

○ IP Spoofing: An attacker disguises their IP address with a fake one to bypass security measures and gain
unauthorized access to a system.

○ Caller ID Spoofing: An attacker manipulates their caller ID to appear as a trusted source, such as a bank,
in order to trick the recipient into providing sensitive information.

● Difference between Spoofing and Phishing


○ Spoofing is a technique used to disguise the sender's identity, while phishing is a method used to trick the
recipient into divulging personal information or performing an action.
○ Spoofing’s main aim is identity theft and phishing’s main aim is stealing information.

● Phishing
○ Phishing is one of the most common forms of cyber attack, wherein the intention is to acquire critical data
in the form of passwords, credentials, credit card numbers and so on, by sending emails, messages and
links disguised as coming from sources which the victims have reason to trust.

○ Types of Phishing
■ Email Phishing: The phishing attack is carried out through malicious emails. It is the most
common form of phishing attack.

■ Spear Phishing: It is a form of phishing attack wherein the email is sent to specific targets such as
specific individuals, businesses or organizations. The intention might be to steal information or install
malware on the targeted victim’s system.

■ Whaling: Also known as CEO Phishing, this attack is essentially targeted towards business
leaders or senior executives of organizations. Since it is a highly targeted form of attack and also
uses email as the primary medium for carrying out phishing, it is a combination of spear and
email phishing. In most cases, the intention is to initiate the transfer of funds.

■ Clone Phishing: As the name suggests, this attack involves the act of cloning or creating a
replica. The attacker clones/creates a replica of a legitimate or genuine email which an individual
might have received from an authentic source. The forged email is identical to the genuine
email and is sent from a spoofed email id. It does contain malicious content, like a link which, if
clicked, results in the installation of malware on the victim’s system.

■ Angler Phishing: This kind of phishing attack uses social media as the medium for instigating a
cyber attack. The attempt is to steal data and information posted on social media platforms and
consequently force victims into divulging personal information.

■ Smishing: This attack makes use of text messages for tricking users. The messages usually
involve phone numbers for the user to call or a link to a website which is controlled by the
attacker.

■ Vishing (voice or VoIP phishing) is a type of cyber attack that uses voice and telephony
technologies to trick targeted individuals into revealing sensitive data to unauthorized entities.

● Spooling
○ Spooling is an acronym for simultaneous peripheral operation online. Spooling is the process of
temporary storage of data for use and execution by a device, program, or system.
○ Data is sent to and stored in main memory or other volatile storage until it is requested for execution by a
program or computer.
○ However, this temporary storage presents a potential security vulnerability.
○ Spooling attacks occur when an attacker gains unauthorised access to the spooling system and intercepts
the data while it is being processed. By accessing the spooling queue, an attacker can
capture sensitive information such as confidential documents, financial records, or intellectual property.

● Sniffing or Eavesdropping
○ “Sniffing” refers to the monitoring of internet traffic in real time. Packet sniffers are programs or
hardware devices that can spy on you and all of your internet activity.
○ Sniffers work by capturing internet traffic and analyzing the data streams to uncover the nature — or
even the specific contents — of data sent across a network. Just as cars make up road traffic, internet
traffic consists of packets of data traveling through a network.

○ Although we generally ignore most cars driving by, we’re likely to investigate if a truck pulls up in our
driveway.
○ Similarly, our computer ignores most traffic flowing through a network, and only inspects the specific
packets of data that are sent to it. Sniffers, then, are like a tollbooth — they are set up to inspect all cars
driving down the road, not just those that park in one driveway.

● What is a virus signature file?


○ A virus signature file is where your antivirus software stores all the data on known types of viruses. That
file is updated often as cybersecurity experts discover new viruses daily.
○ In the olden days, a virus signature was a snippet of malicious code that indicated that a file was infected
by a specific virus. A virus scanner would check the file’s code and see if it matched known virus
signatures. It’s like identifying a criminal by having a sample of their DNA.
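
The signature matching described above, as an added example that is not part of the original slides: a scanner looks for known byte patterns in file contents, and a newer signature file detects a sample that the older one misses. The signature names, byte patterns, the `??` wildcard notation and the sample buffers are all constructed for illustration and match no real malware.

```python
import re

# Constructed signature "files": name -> hex byte pattern ("??" = any one byte).
# All names and byte values are made up; they match no real malware.
DB_V1_TEXT = {
    "Demo.A": "DE AD BE EF 13 37 C0 DE",
    "Demo.B": "FA CE ?? ?? B0 0C 00 01",
}
# Later release of the signature file: same entries plus one new signature.
DB_V2_TEXT = dict(DB_V1_TEXT, **{"Demo.C": "0B AD F0 0D 55 AA"})


def compile_signature(hex_pattern):
    """Compile a pattern such as 'DE AD ?? EF' into a bytes regex."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")  # wildcard: any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL lets the wildcard match byte 0x0A as well.
    return re.compile(b"".join(parts), re.DOTALL)


def load_database(text_db):
    """Compile every signature in a database once, before scanning."""
    return {name: compile_signature(p) for name, p in text_db.items()}


def scan(data, database):
    """Return [(signature_name, offset), ...] for every match, ordered by offset."""
    hits = []
    for name, rx in database.items():
        hits.extend((name, m.start()) for m in rx.finditer(data))
    return sorted(hits, key=lambda h: (h[1], h[0]))


DB_V1 = load_database(DB_V1_TEXT)
DB_V2 = load_database(DB_V2_TEXT)

# Constructed sample buffers standing in for file contents.
SAMPLES = {
    "clean.bin": b"MZ" + bytes(16) + b"plain document text",
    "infected_a.bin": b"MZ\x90\x00" + bytes.fromhex("DEADBEEF1337C0DE") + b"tail",
    "variant_b1.bin": bytes(3) + bytes.fromhex("FACE1122B00C0001"),
    "variant_b2.bin": bytes(3) + bytes.fromhex("FACE9988B00C0001"),
    "new_c.bin": b"header" + bytes.fromhex("0BADF00D55AA"),
}

if __name__ == "__main__":
    for label, db in (("v1", DB_V1), ("v2", DB_V2)):
        for fname, data in SAMPLES.items():
            print(label, fname, scan(data, db) or "no match")
```

With the older database, `new_c.bin` produces no match; after the signature file is updated, the same buffer is flagged, which is why the file has to be refreshed as new samples are catalogued.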

● Pharming
○ A pharming attack is a cyberattack in which victims are redirected or tricked into visiting a malicious
website. In a pharming attack, your device can be infected with malware and your personal data stolen.

● Skimming
○ Skimming occurs when devices illegally installed on ATMs, point-of-sale (POS) terminals, or fuel pumps
capture data or record cardholders’ PINs.
○ Criminals use the data to create fake debit or credit cards and then steal from victims’ accounts.

● Common Anti Viruses

○ AVG (Anti-Virus Guard)


■ HQ – Prague, Czech Republic

○ Avast
■ HQ – Prague, Czech Republic

○ Kaspersky
■ HQ - Moscow, Russia

○ Norton by Symantec
■ HQ - Tempe, Arizona, United States

○ Bitdefender
■ HQ - Bucharest, Romania

○ McAfee
■ HQ - Santa Clara, California
