What is a computer virus?


Specialists answer this question in many different ways, but all the answers share a basic definition of the virus:

  • The virus is a computer program that is able to replicate.

While there is no widely-accepted definition of the term computer virus, the following loose definition should suffice: A computer virus is executable code that, when run by someone, infects or attaches itself to other executable code in a computer in an effort to reproduce itself. Some computer viruses are malicious, erasing files or locking up systems; others merely present a problem solely through the act of infecting other code. In either case, though, computer virus infections should not go untreated.

Anyone who thinks that a virus is the malevolent creation of a genius programmer is wrong. Viruses are usually written by mediocre programmers. Due to the expansion of the Internet, it is very easy for virus authors to exchange opinions, discoveries, even source code. That is why, after one author makes a virus's source code public, many variants of that virus appear immediately. Take the virus WIN95/CIH, for example. There are, at this moment, tens of variants of this virus and other viruses based on it, just because its author made its source code public for interested programmers. More than that, other authors reuse routines from old viruses; one example is the routine for destroying the Flash BIOS from WIN95/CIH, already integrated into many other viruses.

People tend to consider trojans and viruses the same thing. Trojan Horses and worms are closely related to computer viruses, but they are not the same thing; these are distinct software types, and we should pay attention to each of these categories. A Trojan Horse is a program that performs some undesired yet intended action while, or in addition to, pretending to do something else. One common class of trojans is fake login programs, which collect accounts and passwords by prompting for this information just like a normal login program does. Another is a disk defragger that erases files rather than reorganizing them. A Trojan Horse differs from a virus in that the former does not attempt to reproduce itself. A Worm is just a self-propagating virus. The Internet Worm from November '88 is a famous example.

What we must remember is that:

Viruses are programs capable of replicating. For example, a virus for executables will try to infect other executables on disk when launched from an infected program.

Worms are programs that replicate across systems. For example, I_Worm/Happy replicates using electronic mail. When a user affected by this worm sends an e-mail, I_Worm/Happy attaches itself to that e-mail, spreading to other systems. There are several types of worms, classified by the way they replicate:

  • I_Worm - use e-mail for replication;
  • mIRC_Worm, pIRC_Worm, vIRC_Worm - use IRC clients for replication;
  • network worms - search for systems to infect by attacking computers on the local network or by randomly searching for computers connected to the Internet.

Trojans are, as their name suggests, programs that gain access to a computer by claiming a fake functionality, generating unwanted side effects. This category can be divided into the following subcategories:

  • Backdoors - once launched, enable the host system to be controlled remotely. There are several commercial or non-commercial applications that do the same thing; the difference is that backdoors run without the user's awareness.
  • Password stealers - decrypt the passwords from the Windows 9x PWS files or the Windows NT RAS files, and send them to the authors of the password stealers.
  • D.O.S. (Denial-of-Service) tools - a newer class. These programs try to block Internet sites by sending very large information packages or incorrect requests. A very well known case is that of Trojan/D_O_S.Trinoo and Trojan/D_O_S.Tfn2k, which tried to block Internet access to some very well known Internet sites.
  • Simple Trojans - damage the affected system upon launching or when a condition is activated. That is why this class is also known under the name of 'logic bomb'.


The three categories presented above (viruses, worms and trojans) can merge very well into a single program. Take Win32/Moridin, for example; it has all three characteristics: virus - it infects Win32 executables and Word documents; worm - it replicates using MAPI-compliant e-mail clients and IRC programs; backdoor - it accepts remote commands.
All these categories can be included in a super-class named malware. Viruses, worms and trojans can also be included in other programs. Those programs are named droppers.

Taking into account the target of infection, viruses can be classified in several categories. It is not necessary for a virus to have only one target for infection. Viruses having multiple targets are named multipartite.