In computer security terminology, a virus is a piece of program code that, by analogy with a biological virus, makes copies of itself and spreads by attaching itself to a host, often damaging the host in the process. The host is another computer program, often a computer operating system, which then infects the applications that are transferred to other computers. The plural of virus is viruses, not virii, which is sometimes used incorrectly, both knowingly and otherwise. See plural of virus.
There are a few relatively "harmless" viruses that have been written to perform a simple task (such as flashing a single message onto the user's computer screen). A small percentage of viruses are the result of computer code that operates in an unexpected manner, but the majority of viruses are programs deliberately written to interfere with, or damage, other programs or computer systems.
The term "virus" was first used in this sense in print by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a mid-1970s science fiction novel by David Gerrold, When H.A.R.L.I.E. was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "ANTIBODY"); and John Brunner's 1975 novel The Shockwave Rider describes programs known as "tapeworms" which spread through a network for the purpose of deleting data. The term "computer virus" with current usage also appears in the comic book "Uncanny X-Men" No. 158, published in 1982. And even earlier, in 1973, the phrase "computer virus" was used in the movie Westworld to describe a malcicious program that emerged in the computer system of the theme park. Therefore, we may conclude that although Cohen's use of "virus" may, perhaps, have been the first "academic" use, it had been in the common parlance long before that.
A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild" -- that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.
Since the mid-1990s, viruses which infect operating systems or applications directly have been eclipsed by macro viruses. Written in the scripting languages for Microsoft programs such as Word and Outlook, these viruses spread in the Windowsmonoculture by infecting documents and sending infected e-mail. Although Windows is the most popular operating system for virus writers, some viruses also exist on other platforms. It is important to note that any operating system that allows third-party programs to run can theoretically run viruses. However, some operating systems are less secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their protected space in their own directories.
However, while not being able to detect the actual virus code (because it is encrypted), antivirus-software can still detect the decryption-engine located in the front of the body of such viruses by comparing the byte pattern of the decryption-enginge. To avoid such detection, some state-of-the-art viruses mutate their decryption engines for each new copy of themselves. Such viruses are said to be polymorphic, and are much harder to detect. To enable polymorphic code, the virus has to have a mutating engine somewhere in its encrypted body.
As bulletin board systems and online software exchange became popular in the late 1980s and early 1990s, more viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectorss for viruses on BBSes. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.
Many personal computers are now connected to the Internet and to local-area networks. Today's viruses take advantage of standard network protocols such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms.
Another hiding technique, a method DOS-era viruses commonly used to spread, is to infect the hard disk drive instead of the files saved on it. At bootstrap the computer runs the code located in the boot sector, which has been replaced by virus-code. The virus loads itself from the hard disk into memory and makes itself memory resident, then loads the original bootsector into memory and transfers control to the code in it. This way, not even the operating system notices the presence of the virus.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. The stealth methods of modern viruses often try to exploit the failings of modern antivirus software in trying to detect viral presence. Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them. If they find a byte-pattern that corresponds to any specific virus-pattern, the antivirus software tries to remove, contain, or delete the virus/file.
The CIH virus, or Chernobyl Virus, infected Portable Executable files. Because those files had many empty gaps, the virus, which was 1 kilobyte in length, did not add to the size of the file.
Modern state-of-the-art viruses try to encrypt themselves in order to avoid being detected by an antivirus search. This is often done with a combination of encryption and self-modifying code. A virus that uses this technique is said to be polymorphic.
There are usually two different parts of the virus when we speak of polymorphic viruses: The encryption/decryption engine and the infector. The crypto engine encrypts/decrypts the infector. Each time the virus runs it uses a different cryptokey. The crypto engine cannot encrypt itself, because if it did, there would be no code to decrypt the engine next time the virus ran. Therefore, the crypto-engine has to use a form of self modifying code to modify itself differently each time it runs, without any part of the original algorithm getting lost. This is possible to do with a good knowledge of assembly language and the use of polymorphic code.
This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office software. Users of Microsoft software (especially networking software such as Microsoft Outlook and Microsoft Internet Explorer) are particularly vulnerable to the spread of viruses, especially since such complicated software inevitably includes many errors.
Integrated applications, applications with scripting languages with access to the file system (eg: Visual Basic Script, or VBS, and applications with networking features) are also particularly vulnerable.
Closed-source software development as practiced by Microsoft and other proprietary software companies is also seen by some as a security weakness. Open source software such as GNU/Linux kernel, for example, allows all users to look for and fix security problems without relying on a single vendor. Some advocate that proprietary software makers practice vulnerability disclosure to ameliorate this weakness.
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or mounts the executable. Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type; some antivirus vendors also claim the effective use of other types of heuristic analysis. Some industry groups do not like this practice because it often increases the number of false positives the anti-virus software detects. They work by examining the contents of the computers memory (its RAM, and boot sector) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus signatures. Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must therefore update their software regularly to patch security holes. Anti-virus software also needs to be updated in order to gain knowledge about the latest threats and hoaxes.
A well-patched and well-maintained Unix system is very well-secured against viruses. Windows has the same type of scripting ability as Unix-based systems, but doesn't natively block normal users from executing such scripts written by a third-party as Unix does for users who are not running as root. More recently, Microsoft's Outlook (but not Outlook Express) e-mail client has developed similar features when dealing with executable file types that Outlook may download as attachments. Ordinary users would do well to patch their operating systems and e-mail clients to prevent viruses and worms from reproducing through security "holes" which prudence (and most virus scanners) are unable to prevent.
