MINDPRIDE Computer Services

 

 

VIRUS PROTECTION AND REMOVAL II

 


Virus Types

Viruses come in many types, written using many different infection strategies.

Viruses come in a variety of types. Breaking them into categories is not easy as many viruses have multiple characteristics and so would fall into multiple categories. We're going to describe two different types of category systems: what they infect and how they infect. Because they are so common, we're also going to include a category specific to worms.

What They Infect

Viruses can infect a number of different portions of the computer's operating and file system. These include:

  • System sector viruses
  • File viruses
  • Macro viruses
  • Cluster viruses
  • Companion viruses
  • Batch file viruses
  • Source code viruses
  • Visual Basic worms

How They Infect

Viruses are sometimes also categorized by how they infect. These categorizations often overlap the categories above and may even be included in the description (e.g., polymorphic file virus). These categories include:

  • Polymorphic viruses
  • Stealth viruses
  • Fast and slow infectors
  • Sparse infectors
  • Armored viruses
  • Multipartite viruses
  • Cavity (spacefiller) viruses

And, in a special category, one might include:

  • Virus Droppers
    Programs that place viruses onto your system but themselves may not be viruses (a special form of Trojan).

Each of these is described in turn below.

 

What Viruses Infect

Viruses can infect a number of different portions of the computer's operating and file system. The types are described in turn below.

 

System Sector Viruses

System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses. These boot viruses use all of the common viral techniques to infect and hide themselves. While mostly obtained from an infected disk left in the drive when the computer starts, they can also be "dropped" by some file infectors.

System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC. Every disk (even if it only contains data) has a system sector of some sort. Sectors are simply small areas on your disk that your hardware reads in single chunks. System sectors are invisible to normal programs but are vital for correct operation of your PC. They are a common target for viruses. There are two types of system sectors found on DOS/Windows PCs:

  • The Master Boot Record (MBR): the first sector of a hard disk, holding the partition table and the code that locates and starts the active partition.
  • The DOS Boot Record (DBR, also called the DOS boot sector): the first sector of each partition or floppy disk, holding the code that loads the operating system.

System sector viruses modify the program in either the DOS boot sector or the Master Boot Record. Since there isn't much room in the system sector (only 512 bytes), these viruses usually have to hide their code somewhere else on the disk. These viruses sometimes cause problems when this spot already contains data that is then overwritten.

Some viruses, such as the Pakistani Brain virus, mark the spot where they hide their code as bad. This is one reason to be suspicious if any utility suddenly reports additional bad sectors on your disk and you don't know why (don't panic, bad sectors occur frequently for a wide variety of reasons). These viruses usually go resident in memory on your PC, infect the hard disk, and infect any floppy disk that you access. Simply looking at the directory of a floppy disk may cause it to be infected if one of these viruses is active in memory.

On Macintosh systems, some viruses will even infect a diskette immediately upon inserting a diskette into the floppy drive. (PCs generally do not access a disk automatically as the Macintosh does.)

Since these viruses are active in memory (resident), they can hide their presence. If Brain is active on your PC, and you use a sector editor to look at the boot sector of an infected diskette, the virus will intercept the attempt to read the infected boot sector and instead return a saved image of the original boot sector. You will see the normal boot sector instead of the infected version. Viruses that do this are known as stealth viruses.

In addition to infecting diskettes, some system sector viruses also spread by infecting files. Viruses of this type are called multipartite (multiple part) viruses. Since they can infect both files and system sectors they have more avenues to spread. (Note: Some file viruses also infect system sectors to complete the circle.)

Summary

  • System sectors (MBR and DBS) are often targets for viruses.
  • Even data disks can be infected by these viruses.
  • System sector viruses spread easily via floppy disk infections and, in some cases, by cross infecting files which then drop system sector viruses when run on clean computers.

 

File Viruses

Although file infectors are the most numerous type, they are not the most commonly found in the wild. They infect in a variety of ways and can be found in a large number of file types.

In terms of sheer number of viruses, these were the most numerous for some time. However, because of bugs in the virus code, they are not the most widely spread. Macro viruses (and system sector viruses) account for more infections in the wild and macro viruses themselves have probably overtaken file viruses in sheer numbers by now.

The simplest file viruses work by locating a type of file they know how to infect (usually a file name ending in .COM or .EXE) and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered.

The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes so that everything appears normal.

Just as system sector viruses can remain resident in memory and use stealth techniques to hide their presence, file viruses can also hide this way. If you do a directory listing, you will not see any increase in the length of the file and if you attempt to read the file, the virus will intercept the request and return your original uninfected program to you.

Some file viruses (such as 4096) also infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have various extensions, but .OVR and .OVL are common. Files with the extension .DLL are also capable of being infected (but generally are not; typically they are only libraries of functions). Indeed, as operating systems become more advanced, typically more files become able to contain executable code and thus be vulnerable to infection. (See the file extension list for a more complete summary.)

Summary

  • File viruses number in the thousands, but are not the most widely found in the wild.
  • File viruses have a wide variety of infection techniques and infect a large number of file types.

 

Macro Viruses

Pure data files cannot propagate viruses, but with extensive macro languages in some programs the line between a "data" file and an executable file can easily become blurred to the average user. While a plain-text E-mail message can't itself contain a virus, it may have attachments that do, and some E-mail programs will automatically load and run these. Don't let them. Finally, be careful of programs that use other programs for reading E-mail.

As indicated throughout this tutorial, in order for a virus to do anything, first a program of some type must execute. A virus, no matter what type, is still a program and it must load into memory and run in order to do anything. Simply reading it into memory is not sufficient. Pure data files are not viruses simply because, by their nature, they do not execute.

The problem, however, is that many modern programs contain some form of macro language; in some cases a very powerful macro language with commands that include opening, manipulating, and closing files. More and more, these programs allow a user to extend their capabilities by writing powerful macros and then attaching these to data files produced by that program. In many cases, in order to make things easy for users, the macros are set up to run automatically whenever the data file is loaded. It's in cases like this where the line between a data file and program starts to blur.

Note: There are many triggers (other than loading the document) that viral code can exploit. And, once running, various elements of the program's macro language can be exploited so that all future data files produced by that program version could contain the viral macro code.

Most scanners have default settings that check the most common executable files and data files from programs that have a macro language. So, when using those programs it's a good idea to not change the default extension so scanners can find the files they need to. Also, scanners can be set to check every file instead of just files that normally execute; but most do not do this by default--that would make the scanning process too long for most people.

In order to know when to turn full scanning on you need to know something about the software you use. In particular, you need to make yourself aware of any software that uses the sort of "automatic macro" feature described here. Never use a piece of software until you've explored its manual for some time just to see its full capabilities. If these include some sort of "programming" (macro) language, be aware there is an opportunity for problems. Common programs with macro capability that can be exploited by virus writers are Microsoft Word®, Excel® and other Office programs. Windows Help files can also contain macro code (but are rarely exploited because of the difficulty in doing so). And, the latest macro code to be exploited exists in the full version of the Acrobat program which reads and writes PDF files (the free reader is not affected; only the full version).

A second vulnerability exists on the Internet. Some E-mail programs and Internet browsers allow you to click on a data file or program that might be attached to a message or displayed on a web page and have that file or program load and/or run automatically. You should not allow this to happen. Always save the file or program to disk and then check it with anti-virus software before loading or executing it (or have an anti-virus program that "attaches" to your programs such that it checks files before the program loads them or checks E-mail as it comes in).

And, even more insidious are newer E-mail programs that allow one to use programs like Microsoft Word to read and write messages. You may not even know you are using Word. But, since the E-mail program does use Word, macros can be encoded into the message and be made to run on your system when you open the message to read it. It is very important that you know the characteristics of programs you use! Only then will you be able to determine if you are at risk.

Summary

  • With macro languages the line between pure data files and executable files is blurring.
  • An infected file might be attached to an E-mail. Don't automatically run attached files.
  • Be careful of E-mail programs that use other programs with macros to display or create incoming mail.

 

Cluster Viruses

Cluster viruses change the directory so that when you try to run a program you first run the virus.

There is a type of virus known as a "cluster" virus that infects your files not by changing the file or planting extra files but by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When you run a program, DOS first loads and executes the virus code, the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus.

The interesting thing about this type of virus is that even though every program on the disk may be "infected," because only the directory pointers are changed there is only one copy of the virus on the disk.

One can also usually classify this type of virus as a fast infector. On any file access, the entire current directory will be infected and, if the DOS path must be searched, all directories on the path will typically be infected.

This type of virus can cause serious problems if you don't know it's there. While the virus is in memory, it controls access to the directory structure on the disk. If you boot from a clean floppy disk, however, and then run a utility such as SCANDISK the utility will report serious problems with cross-linked files on your disk. Most such utilities will offer to correct the problem and users, not knowing any better, often accept the offer. Unfortunately, in the case of this virus type, if you accept the offer you will end up with all your executable files the same length and each one will be the virus code. Your original programs will be lost.

These viruses often use stealth techniques to hide their presence. If you attempt to read the file, the virus will intercept the request and return your original uninfected program to you.

This can sometimes be used to your advantage. If you have a stealth cluster virus (such as Dir-2), you can copy your program files (*.EXE and *.COM files) to files with other extensions and allow the virus to automatically disinfect them! If you "COPY *.COM *.CON" and "COPY *.EXE *.EXX", and then cold boot your PC from a known good copy of DOS on a clean floppy disk and "REN *.CON *.COM" and "REN *.EXX *.EXE", this will effectively disinfect the renamed files. Note: This information is presented as an example of a technique that might be used in an emergency when no anti-virus software is available. It's always best to use anti-virus software to clear a virus infection.

Summary

  • A cluster virus changes the directory so the virus is run before any "infected" programs.
  • If you boot without the virus in memory a DOS utility will report serious problems, but allowing the utility to fix them will effectively erase any "infected" programs.

 

Companion Viruses

Companion viruses make use of a DOS quirk that runs COM files before EXE files. The virus infects EXE files by installing a same-named COM file.

Would you believe that a virus can infect your files without changing a single byte in the infected file? Well, it's true; two different ways in fact! The more common of the two ways is called the companion or spawning virus (the other is a cluster virus). The companion virus infects your files by locating all files with names ending in EXE. The virus then creates a matching file name ending in COM that contains the viral code.

Here's what happens: Let's say a companion virus is executing on your PC and decides it's time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM containing the virus. The virus usually plants this file in the same directory as the .EXE file but it could place it in any directory on your DOS path. If you type PGM and hit enter, DOS will execute PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files and then loads and executes PGM.EXE. The user probably won't notice anything wrong.

This type of virus is fairly easy to detect by the presence of the extra COM files. Sometimes the virus attempts to hide the extra files by either placing them into a different directory (but one on the PATH) or gives them a hidden attribute so a normal DIR command will not show them. And, of course, when the virus is active in memory it can effectively hide the COM files as well (but, unlike many viruses, a companion infector need not remain in memory to do its work).

A good integrity map of what should be on the hard disk can be used to easily detect and clean companion viruses.

Note: There are some instances where it is normal to have both COM and EXE files of the same name (such as DOS 5's DOSSHELL) but this is relatively rare. When this is the case, the companion virus will usually not change the existing COM file (although some are sloppy and will).

Companion viruses were never particularly common and under Windows where specific files are associated with icons you likely won't see them.
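As an added illustration (example code written for this page, not part of the original tutorial or of any anti-virus product), the Python below emulates the DOS command lookup that a companion virus relies on and then runs the kind of same-name check that an integrity map of the disk would make. The directory tree it works on is constructed in a temporary folder; the PGM.EXE and PGM.COM contents are inert stand-ins.

```python
import os
import stat
import tempfile

ORDER = {".com": 0, ".exe": 1, ".bat": 2}   # DOS preference within one directory
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def resolve_command(stem, path_dirs):
    """Return the file DOS would run when `stem` is typed: the first directory
    in path_dirs that holds any match wins, and inside that directory .COM
    beats .EXE beats .BAT. That ordering is the whole basis of a companion virus."""
    stem = stem.lower()
    for directory in path_dirs:
        try:
            names = os.listdir(directory)
        except OSError:
            continue
        matches = []
        for name in names:
            s, ext = os.path.splitext(name.lower())
            if s == stem and ext in ORDER:
                matches.append((ORDER[ext], os.path.join(directory, name)))
        if matches:
            return min(matches)[1]
    return None


def is_hidden(path):
    """Hidden attribute on Windows (st_file_attributes exists only there);
    elsewhere fall back to the leading-dot convention."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN) or os.path.basename(path).startswith(".")


def find_companions(root):
    """List every X.COM that sits beside an X.EXE anywhere under root.
    Returns (exe_path, com_path, com_is_hidden) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            by_stem.setdefault(stem, {})[ext] = name
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            if ".exe" in exts and ".com" in exts:
                exe = os.path.join(dirpath, exts[".exe"])
                com = os.path.join(dirpath, exts[".com"])
                findings.append((exe, com, is_hidden(com)))
    return findings


def demo():
    """Constructed tree: a clean PGM.EXE, then the companion files a spawning
    virus would plant (one beside the EXE, one earlier on the PATH)."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "APP")
        tools = os.path.join(root, "TOOLS")        # searched before APP
        os.makedirs(app)
        os.makedirs(tools)
        with open(os.path.join(app, "PGM.EXE"), "wb") as fh:
            fh.write(b"MZ clean program (constructed)")
        before = resolve_command("pgm", [tools, app])
        clean_findings = find_companions(root)
        for directory in (tools, app):             # the "infection"
            with open(os.path.join(directory, "PGM.COM"), "wb") as fh:
                fh.write(b"companion stub (constructed, inert)")
        after = resolve_command("pgm", [tools, app])
        infected = find_companions(root)
        return {
            "runs_before": os.path.basename(before),
            "runs_after": os.path.basename(after),
            "runs_after_dir": os.path.basename(os.path.dirname(after)),
            "clean_companions": len(clean_findings),
            "companions": [(os.path.basename(e), os.path.basename(c)) for e, c, _ in infected],
        }


if __name__ == "__main__":
    print(demo())
```

Before the companion files exist, typing PGM runs APP\PGM.EXE; afterwards the lookup stops at TOOLS\PGM.COM, the earlier directory, which is exactly the hiding place the text describes. A real integrity map would compare the directory walk against a stored list rather than looking only for name pairs, but the pair check alone finds the common case.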

Summary

  • A companion virus installs a COM file (the virus) for every EXE file found on the disk.
  • DOS runs COM files before EXE files, so the virus runs first (infecting further files) and then executes the related EXE file; it need not stay resident in memory to work.
  • Companion viruses are relatively easy to find and eliminate if you have a good integrity map of what should be on your disk.

 

Batch File Viruses

Batch files can be used to transmit binary executable code and either be or drop viruses.

While not often found, it is possible to write a batch file that contains a virus. In most cases the batch file is used to drop a memory or disk virus which then takes over when the computer is next started. These don't always work, but it is interesting to briefly go over the design so you can possibly recognize this type of virus if you happen to see one.

One batch file virus takes the following form (it's possible when this page displays you will receive a virus warning if you are running anti-virus software; don't worry, it's just triggering off the partial text below which has the virus code removed):

@ECHO OFF
:[ a label of specific form I won't mention ]
COPY %0.BAT C:\Q.COM>NUL
C:\Q
[ binary data ]

The first line causes batch file commands to not display on the screen so you won't see what's going on. The second line is a label as far as the batch file is concerned. In reality, this label is what makes the whole thing work so, of course, we're not going to show any examples. The third line copies the batch file itself to an executable file named Q.COM in the root directory of the C: drive. The output of the COPY command is directed to the NUL device so you see nothing on the screen that indicates this copy took place. Finally, the fourth line executes the newly created Q.COM file.

On the surface you would think that trying to rename a .BAT file to .COM and execute it would result in nothing but errors. Normally, that is the case but the label changes all that. The text up to the label converts to instructions the CPU can execute, but they do nothing. When the label is "executed" this changes. The CPU interprets the label as instructions that cause the CPU to look ahead to the binary instructions in the batch file. These binary instructions are the real virus (or virus dropper).

There are several batch file viruses, but each works in a manner similar to that described above. The labels and batch file instructions may differ; but the method of operation is similar.

Use the characteristics of the virus described above to look for batch file viruses. If there are obscure labels (lines starting with a colon) at the start of a batch file, use caution. Most batch file labels are fairly straightforward words or names. Secondly, if you see a batch file that is several thousand bytes long yet when you use the DOS command TYPE to display it to the screen you only see a few lines, that is another tip-off. Most batch file viruses insert an end-of-file mark (Control-Z) between the batch file portion and the binary instruction portion.

Batch file viruses are not common; but be aware they do exist and have been seen in the wild. Indeed, a new worm version surfaced in early June 2002: Cup. This beast is complicated and arrives attached to an E-mail. If executed, Cup creates, executes, and sometimes deletes the files WORLDCUP_SCORE.VBS, EYEBALL.REG, JAPAN.VBS, ENGLAND.VBS, IRELAND.VBS, URAGUAY.VBS and ARGENTINA.BAT. The first file mass mails a file called WORLDCUP.BAT to your Outlook address book. The .REG file assures the worm is run at system start by changing the Windows registry. The worm has other payloads in the various .VBS files. So, you see that batch file viruses/worms can be fairly complicated.
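The two tip-offs given above (an odd label near the top of the file, and a file that is far larger than the few lines TYPE displays because a Ctrl-Z ends the visible text) can be checked mechanically. The Python below is an added example, not code from the tutorial; the two batch files it inspects are constructed here, and the odd label in the second one is arbitrary non-text bytes chosen for the example, not the real one.

```python
import re

CTRL_Z = 0x1A
PLAIN_LABEL = re.compile(rb"^:[A-Za-z0-9_.\-]+\s*$")     # what ordinary labels look like


def inspect_batch(data: bytes):
    """Heuristic checks for the dropper layout described in the text.
    Returns a list of findings; an empty list means nothing suspicious."""
    findings = []
    # 1. TYPE stops at the first Ctrl-Z, but COPY carries everything after it.
    eof = data.find(bytes([CTRL_Z]))
    visible = data if eof < 0 else data[:eof]
    hidden = b"" if eof < 0 else data[eof + 1:]
    if hidden:
        findings.append(f"{len(hidden)} bytes follow a Ctrl-Z end-of-file mark")
        nonprint = sum(1 for b in hidden if b not in (9, 10, 13) and not 0x20 <= b <= 0x7E)
        if nonprint > len(hidden) // 4:
            findings.append("data after Ctrl-Z looks binary")
    # 2. Labels in the first few lines that are not ordinary names.
    for i, line in enumerate(visible.splitlines()[:5]):
        s = line.strip()
        if s.startswith(b":") and not PLAIN_LABEL.match(s):
            findings.append(f"line {i + 1}: unusual label {s[:16]!r}")
    # 3. The file copies itself (%0) to a .COM name, the self-dropping trick.
    text = visible.upper()
    if b"%0" in text and b".COM" in text:
        findings.append("batch file copies itself (%0) to a .COM file")
    return findings


# Constructed samples for the example (neither is a real batch file virus).
BENIGN = (b"@ECHO OFF\r\n:START\r\nECHO Backing up documents...\r\n"
          b"COPY *.DOC A:\\ >NUL\r\nGOTO END\r\n:END\r\n")
SUSPICIOUS = (b"@ECHO OFF\r\n"
              b":\xC7\xD2\xE1\xF4\r\n"                  # arbitrary non-text label bytes
              b"COPY %0.BAT C:\\Q.COM>NUL\r\nC:\\Q\r\n"
              b"\x1A" + bytes(range(256)) * 4)          # stand-in for the binary part


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, len(sample), "bytes:", inspect_batch(sample) or "clean")
```

The checks are deliberately loose: a legitimate batch file can carry a Ctrl-Z at its very end, so only bytes after the mark count, and a label is flagged only when it contains characters no one would type in a name.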

Summary

  • Batch files can be used to transmit binary executable code and either be or drop viruses.
  • To detect these viruses look for two signs:
    • An odd label at the start of the batch file
    • A batch file that is too large for the text in it.

 

Source Code Viruses

Source code found on your system can be infected; usually by adding Trojan code to it.

While rare, it is possible to infect actual programming source code found on your computer.

Source code comes in many forms because of the many different types of compilers and languages available. This is one reason why source code viruses are not particularly common. The other is that so few people actually write programs it becomes difficult for a source code-only virus to find victims to infect.

Also, because of programming style and differing designs that individuals use when they write program code it's difficult to write a virus that actually spreads via this mechanism. More typically, a source code virus will not infect via source code but simply add Trojan material to existing source code so that when it is compiled and run it does something different than expected.

Die Hard is one example of a type of source code virus. The virus actually spreads by infecting COM and EXE files (a file virus) but, as part of its payload, it drops Trojan code into any ASM (assembly language) and PAS (Pascal) source files as they are accessed (when the virus is resident in memory).

Source code viruses are not common; but be aware they do exist and have been seen in the wild in the past.

Summary

  • Source code viruses add instructions to existing programming code found on your system.
  • They are rare and the code they add is typically a Trojan instead of a full virus.

 

Visual Basic Worms

Visual Basic Script files can be used for malicious purposes; particularly in the role of worms.

The technique currently in vogue is the Visual Basic Script (VBS) worm. What is VBS? Let's see what Microsoft says:

Microsoft® Visual Basic® Scripting Edition, a subset of the Microsoft® Visual Basic® programming language, is a fast, portable, lightweight interpreter for use in World Wide Web browsers and other applications that use Microsoft® ActiveX® Controls, Automation servers, and Java applets.

Basically, think about VBScript as a super batch language. VBScript is an interpreted language (so scripts are really the source code for whatever needs to be done). Scripts can be embedded into such things as web pages or can be standalone files (with the extension .VBS usually).

If you've got Microsoft's Internet Explorer 5 browser on your system it's likely you also have the Windows Scripting Host (WSH) which is the program used to interpret and run VBS scripts.

Even though VBScript is a scaled down language it is quite capable and can be used to, for example, connect to Microsoft's Outlook mail routines and send files to anyone in your address book. This, of course, makes it possible for VBScript to be a language used by worms to spread themselves.

VBScript can be disabled on your system. We have a page that tells you how to do this if you wish.

Summary

  • VBScript is a language that can easily be used to create worms that send themselves and possibly files from your computer to others on the Internet.
  • Consider turning scripting off to prevent your accidentally running a malicious script.

 

How Viruses Infect

Viruses are sometimes also categorized by how they infect. These categorizations often overlap the categories above and may even be included in the description (e.g., polymorphic file virus). The categories are described in turn below.

 

Polymorphic Viruses

Polymorphic viruses change themselves with each infection. There are even virus-writing toolkits available to help make these viruses.

To confound virus scanning programs, virus writers created polymorphic viruses. These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. One virus author even created a tool kit called the "Dark Avenger's Mutation Engine" (also known as MTE or DAME) for other virus writers to use. This allows someone who has a normal virus to use the mutation engine with their virus code. If they use the mutation engine, each file infected by their virus will have what appears to be totally different virus code attached to it. Fortunately, the code isn't totally different and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that will be immediately detected by most of the existing scanners.
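To make concrete why a plain signature misses every copy and yet a mutation-engine product is caught at once, here is an added, deliberately toy illustration (not from the tutorial; nothing in it is executable code, the "virus body" is an inert byte string). The copy layout it uses (a fixed two-byte marker, a key byte, a junk-length byte, random junk, then the XOR-encrypted body) is an assumption of this example, standing in for the constant decryptor that a real mutation engine prepends.

```python
import random

BODY = b"INERT SAMPLE BODY - a stand-in for the constant virus code, infects nothing"
SIGNATURE = b"INERT SAMPLE BODY"       # what a plain signature scanner looks for


def mutate(body: bytes, rng: random.Random) -> bytes:
    """One 'infected copy' the way a mutation engine makes it: fresh XOR key,
    junk prefix of random length, body encrypted with that key. The part that
    stays constant is the small decryptor header, here just b'PX' plus the
    two bytes the decryptor needs (constructed format)."""
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 16)))
    encrypted = bytes(b ^ key for b in body)
    return b"PX" + bytes([key, len(junk)]) + junk + encrypted


def naive_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature match on the raw bytes: defeated by any key other than zero."""
    return signature in sample


def decryptor_aware_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Recognise the constant decryptor header, undo the transformation it
    describes, then apply the ordinary signature to the decrypted body."""
    if len(sample) < 4 or not sample.startswith(b"PX"):
        return False
    key, junk_len = sample[2], sample[3]
    body = bytes(b ^ key for b in sample[4 + junk_len:])
    return signature in body


def experiment(n: int = 20, seed: int = 1) -> dict:
    """Generate n copies and count how each scanner fares."""
    rng = random.Random(seed)
    copies = [mutate(BODY, rng) for _ in range(n)]
    return {
        "distinct_copies": len(set(copies)),
        "naive_hits": sum(naive_scan(c) for c in copies),
        "aware_hits": sum(decryptor_aware_scan(c) for c in copies),
    }


if __name__ == "__main__":
    print(experiment())
```

Every copy differs byte for byte, so the raw signature never fires; but the decryptor is the same in each, and a scanner that keys on it and emulates the decryption sees the same body every time. That is the sense in which the engine's output "isn't totally different".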

Virus Tool Kits

Besides the mutation engine, there are also now several tool kits available to help people create viruses. Several of these programs allow someone who has no knowledge of viruses to create their own "brand new" virus. One of these tool kits even has a very slick user interface with pull down menus and on-line help. You just pick your choices from the various menus and in a flash you've created your very own virus. While this sounds like a pretty ominous development for scanning technology, it's not as bad as it sounds. All the existing tool kits (such as VCS, VCL and MPC) create viruses that can be detected easily with existing scanner technology. The danger with these tool kits lies in the fact it's possible to create such a tool kit that could create viruses that really are unique. Fortunately, this hasn't been done yet, but it's only a matter of time before such a tool kit will be created. The conflict between virus writers and anti-virus researchers continues.

Summary

  • Polymorphic viruses change with each infection. They do this in an attempt to defeat scanners.
  • Virus writing tool kits have been created to "simplify" creation of new viruses.

 

Stealth Viruses

A virus must change things in order to infect a system. In order to avoid detection, a virus will often take over system functions likely to spot it and use them to hide itself. A virus may or may not save the original of things it changes so using anti-virus software to handle viruses is always the safest option.

A virus, by its nature, has to modify something in order to become active. This might be a file, the boot sector, or partition sector (Master Boot Record); whatever it is, it has to change. Unless the virus takes over portions of the system in order to manage accesses to the changes it made, these changes will become visible and the virus will be exposed.

A stealth virus hides the modifications it makes. It does this by taking over the system functions which read files or system sectors and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what's really there (the virus). Of course, the virus must be resident in memory and active to do this.

Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk. When this happens, the virus does not gain control over the system and the changes and virus are immediately available to be seen and dealt with.

Important Note: Some viruses, when they infect, encrypt and hide the original information in the sector they infect. If you are infected, some people may advise you to use generic DOS commands (e.g., SYS and/or FDISK /MBR) to correct the problem. If you do this you run the risk of making matters much worse. Monkey, for example, encrypts the partition information and moves it. If you overwrite the virus with FDISK /MBR then you will no longer be able to see your hard disk as DOS/Windows will not recognize what's in the partition table and can't access the encrypted version without Monkey helping (anti-virus software knows how to get around this problem).

Never use undocumented commands (e.g., FDISK /MBR) to fix virus contamination.

Always use an anti-virus package that can deal with the particular virus in question.

Undocumented commands are undocumented for a reason!
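Both the system sector section above and the Monkey warning come down to the same two checks: is the boot code still what it should be, and is the partition table still readable. The Python below is an added example (not the tutorial's code) that parses a 512-byte MBR image and runs both. The sectors it inspects are constructed in the script rather than read from a disk, and the known-good hash is taken from the constructed clean sector.

```python
import hashlib
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot code, four partition entries and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": entries,
        "signature": struct.unpack_from("<H", sector, 510)[0],   # 0xAA55 when bytes are 55 AA
    }


def check_mbr(sector: bytes, known_good_boot_hash: str) -> list:
    """The checks worth running before anyone touches the sector."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != 0xAA55:
        findings.append("boot signature is not 55 AA")
    if mbr["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from the known-good image")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table is empty: do not rewrite the MBR blindly, "
                        "the real table may have been moved or encrypted by the infector")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02X}")
        if p["type"] != 0 and (p["lba"] == 0 or p["sectors"] == 0):
            findings.append(f"entry {i}: type 0x{p['type']:02X} but zero start or length")
    active = sum(1 for p in used if p["status"] == 0x80)
    if used and active != 1:
        findings.append(f"{active} active partitions (expected exactly one)")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed 512-byte MBR image; entries are (status, type, lba, sectors)."""
    code = boot_code.ljust(446, b"\0")[:446]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries)
    return code + table.ljust(64, b"\0") + b"\x55\xAA"


# Constructed samples: a clean sector with one active partition, and a
# Monkey-style result where the boot code changed and the table is unreadable.
CLEAN_MBR = build_sample_mbr(b"constructed clean boot code stub", [(0x80, 0x07, 63, 2_000_000)])
KNOWN_GOOD = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
INFECTED_MBR = build_sample_mbr(b"constructed infected boot stub", [])


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, KNOWN_GOOD) or "ok")
    print("infected:", check_mbr(INFECTED_MBR, KNOWN_GOOD))
```

The empty-table finding is the one that matters for the warning above: if the table is not readable, overwriting the boot code with a generic tool discards the only code that still knows where the real partition data went. On a live system the sector must be read after a cold boot from clean media, since a resident stealth virus answers the read with the original sector.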

Summary

  • In order to infect, a virus must change something.
  • A stealth virus takes over portions of the system to effectively hide the virus from casual (and not so casual) examination.
  • To better find stealth viruses be certain to cold boot from a known-clean (write protected) floppy disk and avoid using generic DOS commands to try to fix them. Use anti-virus software to handle these viruses.

 

 

Fast and Slow Infectors

A fast infector infects any file accessed, not just run. A slow infector only infects files as they are being created or modified.

The term fast or slow when dealing with viruses pertains to how often and under what circumstances they spread the infection.

Typically, a virus will load itself into memory when an infected program is run. It sits there and waits for other programs to be run and infects them at that time.

A fast infector infects programs not just when they are run, but also when they are simply accessed. The purpose of this type of infection is to ride on the back of anti-virus software to infect files as they are being checked. By its nature, anti-virus software (a scanner, in particular) opens each file on a disk being checked in order to determine if a virus is present. A fast infector that has not been found in memory before the scanning starts will spread itself quickly throughout the disk.

A slow infector does just the opposite. A slow infector will only infect files when they are created or modified. Its purpose is to attempt to defeat integrity checking software by piggybacking on top of the process which legitimately changes a file. Because the user knows the file is being changed, they will be less likely to suspect the changes also represent an infection. By its nature (and because executable code is not usually changed) a slow infector does not spread rapidly and if the integrity checker has a scanning component it will likely be caught. Also, an integrity checker that is run on a computer booted from a known-clean floppy disk will be able to defeat a slow infector.
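An integrity checker of the kind the fast and slow infector discussion refers to is short to write. The example below is added here (it is not the tutorial's code) and works on a temporary directory it builds itself; the file contents are constructed stand-ins. The expected_changes parameter is this example's way of handling the slow-infector case: a file the operator knowingly replaced is reported for verification rather than waved through.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = {".exe", ".com", ".sys", ".dll", ".bat", ".ovl", ".ovr"}


def snapshot(root: str) -> dict:
    """Record (size, SHA-256) of every executable-type file under root,
    keyed by path relative to root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name.lower())[1] not in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return snap


def compare(baseline: dict, current: dict, expected_changes=()) -> dict:
    """Classify differences between two snapshots. Files in expected_changes
    were knowingly updated, which is exactly when a slow infector strikes,
    so they are listed for verification rather than silently accepted."""
    report = {"new": [], "modified": [], "expected_but_verify": [], "missing": []}
    for rel, entry in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel] != entry:
            bucket = "expected_but_verify" if rel in expected_changes else "modified"
            report[bucket].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict:
    """Constructed scenario: baseline, then a fast infector, a slow infector
    riding a legitimate update, and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        write("PGM.EXE", b"MZ program one (constructed)")
        write("EDIT.COM", b"editor (constructed)")
        write("README.TXT", b"not executable, ignored")
        baseline = snapshot(root)
        # fast infector: EDIT.COM changed although nobody touched it
        write("EDIT.COM", b"editor (constructed)" + b"\xCC" * 16)
        # slow infector: the operator reinstalls PGM.EXE, and the new copy
        # already carries the payload
        write("PGM.EXE", b"MZ program two (constructed)" + b"\xCC" * 16)
        # dropper leaves a new executable behind
        write("Q.COM", b"dropped (constructed)")
        return compare(baseline, snapshot(root), expected_changes={"PGM.EXE"})


if __name__ == "__main__":
    print(demo())
```

Run both snapshot passes after a cold boot from clean media: with a stealth virus resident, reads return the original file contents and the checker sees nothing. Storing size alone is not enough either, since cavity and overwriting infectors leave the length unchanged; the hash is what catches them.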

Summary

  • A fast infector infects programs when they are accessed, not just when run. This type of virus is designed to ride on the back of anti-virus scanners and can quickly infect an entire disk if not found before the scan is performed.
  • A slow infector infects programs only when they are created or modified. This type of virus is designed to defeat integrity checkers but can usually be found if the checker has a scanner component or is started properly.

 

Sparse Infectors

This type of virus uses any one of a variety of techniques to minimize detection of its activity.

In order to spread widely, a virus must attempt to avoid detection. To minimize the probability of its being discovered a virus could use any number of different techniques. It might, for example, only infect every 20th time a file is executed; it might only infect files whose lengths are within narrowly defined ranges or whose names begin with letters in a certain range of the alphabet. There are many other possibilities.

A virus which uses such techniques is termed a sparse infector.

Summary

  • A wide variety of techniques can be used to help a virus avoid detection of its activity.

 

Armored Viruses

An armored virus attempts to make disassembly difficult.

Armored is a class that overlaps other classes of viruses; maybe multiple times.

Basically, an armored virus uses special "tricks" designed to foil anti-virus researchers. Any anti-virus researcher who wants to find out how a virus works must follow the instruction codes in the virus. By using a variety of methods, virus writers can make this disassembly task quite a bit more difficult. This usually makes the virus larger as well.

Such a virus can be said to be armored.

An early virus, Whale, made extensive use of these techniques.

Summary

  • An armored virus attempts to make disassembly difficult.


Multipartite Viruses

Multipartite viruses have a dual personality. Some are file viruses that can infect system sectors; others are system sector infectors that can infect files.

Some viruses can be all things to all machines. Depending on what needs to be infected, they can infect system sectors or they can infect files. These rather universal viruses are termed multipartite (multi-part).

Sometimes the multipartite virus drops a system sector infector; other times a system sector infector might also infect files.

Multipartite viruses are particularly nasty because of the number of ways they can spread. Fortunately, a good one is hard to write.

Summary

  • Multipartite viruses have dual capabilities and typically infect both system sectors and files.


Cavity (Spacefiller) Viruses

A cavity (spacefiller) virus attempts to install itself inside of the file it is infecting. This is difficult but has become easier with new file formats designed to make executable files load and run faster.

Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.

A cavity (spacefiller) virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A cavity virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a cavity virus.

Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare. However, a newer Windows file format known as Portable Executable (PE) is designed to make loading and running programs faster. While a great goal, the implementation has the effect of leaving potentially large gaps in the program file. A cavity (spacefiller) virus can find these gaps and insert itself into them. The CIH virus family takes advantage of this file format, and there will likely be more. (For more info about PE files see the Computer Knowledge PE Info Page.)

Summary

  • A cavity virus attempts to install itself inside of the file it is infecting.
  • In the past this was difficult to do properly, but new file formats make it easier.


Tunneling Viruses

Some viruses will attempt to tunnel under anti-virus monitoring programs in order to bypass their monitoring functions.

One method of virus detection is an interception program which sits in the background looking for specific actions that might signify the presence of a virus. To do this it must intercept interrupts and monitor what's going on. A tunneling virus attempts to backtrack down the interrupt chain in order to get directly to the DOS and BIOS interrupt handlers. The virus then installs itself underneath everything, including the interception program. Some anti-virus programs will attempt to detect this and then reinstall themselves under the virus. This might cause an interrupt war between the anti-virus program and the virus and result in problems on your system.

Some anti-virus programs also use tunneling techniques to bypass any viruses that might be active in memory when they load.

Summary

  • A tunneling virus attempts to bypass activity monitor anti-virus programs by following the interrupt chain back down to the basic DOS or BIOS interrupt handlers and then installing itself.


Camouflage Viruses

When scanners were less sophisticated it might have been possible for a virus to sneak by as scanners sometimes did not display some alarms, knowing them to be false. This type of virus would be extremely hard to write today.

You don't hear much about this type of virus. Fortunately it is rare and, because of the way anti-virus programs have evolved, is unlikely to occur in the future.

When anti-virus scanners were based completely on signatures there was always the possibility of a false alarm when the signature happened to appear in some uninfected file (a statistical possibility). Further, with several scanners circulating, each had its own signature database, so one product's files, when scanned by another product, might be reported as infected where there was no infection simply because they contained the virus identification string. If this happened often, the public would get understandably annoyed (and frightened). In response, a scanner might therefore implement logic that, under the right circumstances, would ignore a virus signature and not issue an alarm.

While this "skip it" logic would stop the false alarms, it opened a door for virus writers to attempt to camouflage their viruses so that they included the specific characteristics the anti-virus programs were checking for and thus have the anti-virus program ignore that particular virus. Fortunately, this never became a serious threat; but the possibility existed.

Today's scanners do much more than simply look for a virus signature string. In order to identify the specific virus variant they also check the virus code and even checksum the virus code to identify it. With these cross-checks it would be extremely difficult for a virus to camouflage itself and spoof a scanner.

Summary

  • In the past it was possible for a virus to spoof a scanner by camouflaging itself to look like something the scanner was programmed to ignore.
  • Because of scanner technology evolution this type of virus would be very difficult to write today.


NTFS ADS Viruses

The NT File System allows alternate data streams to exist attached to files but invisible to some file-handling utilities. A virus can exploit such a system.

The NT File System (NTFS) contains within it a system called Alternate Data Streams (ADS). This subsystem allows additional data to be linked to a file. The additional data, however, is not always apparent to the user. Windows Explorer and the DIRectory command do not show you the ADS; other file tools (e.g., COPY and MOVE) will recognize and process the attached ADS file.

The basic notation of an ADS file is <filename>:<ADSname>. A simple example that creates an ADS file is probably the best way to illustrate this. At the system prompt use the ECHO command to create a file and then you can also use ECHO to create an ADS attachment to that file (if doing this, create a directory/folder specifically for the test).

ECHO "This is the test file" > testfile.txt

You should now have a file called TESTFILE.TXT in your test directory. The TYPE, EDIT, and NOTEPAD commands should be able to access this file and show you its contents and a directory command will show it to be about 23 bytes long. The TESTFILE.TXT file was created in what's called the "named stream" portion of the file system. Now create an alternate data stream file:

ECHO "This is text in the ADS file" > testfile.txt:teststream1.txt

Note that this new file is in the format described above: <filename>:<ADSname>.

But, now try to find this new file. A directory command does not show it; the TYPE and EDIT commands won't find it. The command...

NOTEPAD testfile.txt:teststream1.txt

...will bring it into the editing area; but even NOTEPAD will only read the file; you can't do a File|SaveAs and try to create an ADS file with NOTEPAD. Most other programs will not see the ADS file at all. You should also note that you've added about 30 bytes to the original file but a directory command on testfile.txt only shows the original size. The ADS file is effectively hidden from view.

Further, an alternate stream file can be created that has no normal stream file association. Here is why it's suggested you try these experiments in a test directory. Try:

ECHO "This is a really invisible stream file." > :invisible.txt

This file will be created but will be completely invisible to any directory commands or Windows Explorer.

Finally, you may have some trouble trying to delete the stream files you just created. The DEL command does not work with ADS files so DEL :invisible.txt, for example, does not work. The main way to delete alternate stream files associated with a normal stream file is to delete the normal stream file. All ADS files associated with that file will also be deleted. So DEL testfile.txt would have to be used for the first test file created. The :invisible.txt file will be deleted when the directory the file is in is removed.

If you need to keep the main file but delete the stream(s) attached to it there are two ways to proceed:

  • Copy the file to a FAT or FAT32 partition and then back again to the NTFS partition. This effectively strips the ADS files off of the primary file.
  • Use the NT Resource Kit CAT utility. You'll have to rename the file, use CAT on it, and then delete the temporary file you created. The syntax would be:

REN needtokeep.exe temp.exe
CAT temp.exe > needtokeep.exe
DEL temp.exe
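As an added example that is not part of the original page, the following PowerShell script (PowerShell 3.0 or later, which introduced the -Stream parameter on Get-Item and Remove-Item) inventories every alternate data stream under a directory, including a stream attached to the directory itself such as the :invisible.txt case above, and with -Remove strips the named streams while keeping the primary file, replacing the FAT round-trip and CAT steps. $Root and $Remove are parameter names chosen for this example.

```powershell
# Added example (not from the original page): list NTFS alternate data streams
# under a directory and optionally remove them. Requires PowerShell 3.0+.
param(
    [string]$Root = '.',   # directory to inspect (assumed parameter name)
    [switch]$Remove        # strip the alternate streams that are found
)

# Include the root directory itself: a stream created as ":invisible.txt"
# is attached to the directory, not to any file inside it.
$items = @(Get-Item -Path $Root -Force) +
         @(Get-ChildItem -Path $Root -Recurse -Force)

# Get-Item -Stream * returns one record per $DATA stream. The primary
# (unnamed) stream of a file is reported as ':$DATA'; anything else is an ADS.
$alternates = $items |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' }

if (-not $alternates) {
    Write-Host "No alternate data streams found under $Root"
    return
}

foreach ($ads in $alternates) {
    # Report in the page's own notation: <filename>:<ADSname>, plus the size
    # that DIR does not show for the host file.
    "{0}:{1}  ({2} bytes)" -f $ads.FileName, $ads.Stream, $ads.Length

    if ($Remove) {
        # Remove-Item -Stream deletes only the named stream; the host file
        # (or directory) and its primary stream are left intact.
        Remove-Item -Path $ads.FileName -Stream $ads.Stream
    }
}
```

Run it read-only first to review what is attached (browser downloads legitimately carry a Zone.Identifier stream, for instance), and add -Remove only for streams you have decided to strip.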

Virus Use

An alternate stream file can be an executable and executed in a variety of ways. For our purposes here the files can be exploited by viruses that make their way into files saved as part of the normal stream. In one such exploit the virus (Streams) creates a copy of itself as a temporary EXE file and then copies the original EXE file as an ADS file attached to the temporary EXE file. The temporary EXE file is then renamed to the original EXE name. Now, when the user tries to run the original file they actually run the virus which does its thing and then sends the original program file to the operating system which then runs the program. The only thing you might see is a slight delay in program start.

For a virus like Streams you should not just delete an infected file. If you do the original file will also be lost as it's attached. If your anti-virus software does not provide a recovery utility you will have to use the CAT utility in a manner similar to that described above:

CAT filename.exe:STR newname.exe (this copies the original file to "newname.exe")

COPY /B newname.exe filename.exe (this copies "newname.exe" back to its original name and overwrites the virus)

The virus can be operating system specific. Streams, for example, checks for Windows 2000 and only runs if it's found.

There are other ways a virus might use an alternate data stream. It could, for example, hide most of its code attached to files not normally scanned by virus scanners (e.g., INI or other text files). Only a small executable that extracts the virus would have to be visible and might be easier to hide. There are more malicious things a virus could do as well (please don't ask).

Summary

  • The NT File System allows alternate data streams to exist attached to files but invisible to some normal file-handling utilities.
  • Viruses can exploit the NTFS ADS system in a variety of ways.


Virus Droppers

A dropper is a program that, when run, will attempt to install a regular virus onto your hard disk.

Normally, you obtain a virus by either attempting to boot from an infected floppy disk, by running an infected file, or by loading an infected document with viral macro commands in it. There is another way you can pick up a virus: by encountering a virus dropper. These are rare, but now and again someone will attempt to be clever and try to program one.

Basically, a dropper is just what the name implies: a program designed to run and install (or "drop") a virus onto your system. The program itself is not infected nor is it a virus because it does not replicate. So, technically, a dropper should be considered a Trojan. Often, because the virus is hidden in the program code, a scanner will not detect the danger until after the virus is dropped onto your system. (It's technically possible to write a virus that also drops other viruses, and several have been tried. Most are very buggy, however.)

It's a technical point, but there is a class of dropper that only infects the computer's memory, not the disk. These are given the name injector by some virus researchers.

Summary

  • A Trojan program that installs a virus onto your system is called a dropper.
  • Fortunately, because of technical difficulties, droppers are hard to program and therefore rare.

That's it for the discussion of virus types. Before going on to protection let's take an interesting detour...


Web Page Designed By  ADAM
Copyright © 1981 - 2008
MINDPRIDE CONSULTING All rights reserved.
Revised: November 21, 2007