A computer virus is malicious code that replicates by copying itself to another program, computer boot sector or document and changes how a computer works. The virus requires someone to knowingly or unknowingly spread the infection without the knowledge or permission of a user or system administrator. In contrast, a computer worm is stand-alone programming that does not need to copy itself to a host program or require human interaction to spread. Viruses and worms may also be referred to as malware.
A virus can be spread by opening an email attachment, clicking on an executable file, visiting an infected website or viewing an infected website advertisement. It can also be spread through infected removable storage devices, such USB drives. Once a virus has infected the host, it can infect other system software or resources, modify or disable core functions or applications, as well as copy, delete or encrypt data. Some viruses begin replicating as soon as they infect the host, while other viruses will lie dormant until a specific trigger causes malicious code to be executed by the device or system.
Many viruses also include evasion or obfuscation capabilities that are designed to bypass modern antivirus and antimalware software and other security defenses. The rise of polymorphic malware development, which can dynamically change its code as it spreads, has also made viruses more difficult to detect and identify.
Types of viruses
File infectors. Some file infector viruses attach themselves to program files, usually selected .com or .exe files. Some can infect any program for which execution is requested, including .sys, .ovl, .prg, and .mnu files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly contained programs or scripts sent as an attachment to an email note.
Macro viruses. These viruses specifically target macro language commands in applications like Microsoft Word and other programs. In Word, macros are saved sequences for commands or keystrokes that are embedded in the documents. Macro viruses can add their malicious code to the legitimate macro sequences in a Word file. Microsoft disabled macros by default in more recent versions of Word; as a result, hackers have used social engineering schemes to convince targeted users to enable macros and launch the virus. As macro viruses have seen a resurgence in recent years, Microsoft added a new feature in Office 2016 that allows security managers to selectively enable macro use for trusted workflows only, as well as block macros across an organization.
Overwrite viruses. Some viruses are designed specifically to destroy a file or application's data. After infecting a system, an overwrite virus begins overwriting files with its own code. These viruses can target specific files or applications or systematically overwrite all files on an infected device. An overwrite virus can install new code in files and applications that programs them to spread the virus to additional files, applications and systems.
Polymorphic viruses. A polymorphic virus is a type of malware that has the ability to change or mutate its underlying code without changing its basic functions or features. This process helps a virus evade detection from many antimalware and threat detection products that rely on identifying signatures of malware; once a polymorphic virus' signature is identified by a security product, the virus can then alter itself so that it will no longer be detected using that signature.
Resident viruses. This type of virus embeds itself in the memory of a system. The original virus program isn't needed to infect new files or applications; even if the original virus is deleted, the version stored in memory can be activated when the operating system loads a specific application or function. Resident viruses are problematic because they can evade antivirus and antimalware software by hiding in the system's RAM.
Rootkit viruses. A rootkit virus is a type of malware that installs an unauthorized rootkit on an infected system, giving attackers full control of the system with the ability to fundamentally modify or disable functions and programs. Rootkit viruses were designed to bypass antivirus software, which typically scanned only applications and files. More recent versions of major antivirus and antimalware programs include rootkit scanning to identify and mitigate these types of viruses.
System or boot-record infectors. These viruses infect executable code found in certain system areas on a disk. They attach to the DOS bootsector on diskettes and USB thumb drives or the Master Boot Record on hard disks. In a typical attack scenario, the victim receives storage device that contains a boot disk virus. When the victim's operating system is running, files on the external storage device can infect the system; rebooting the system will trigger the boot disk virus. An infected storage device connected to a computer can modify or even replace the existing boot code on the infected system so that when the system is booted next, the virus will be loaded and run immediately as part of the master boot record. Boot viruses are less common now as today's devices rely less on physical storage media.
History of computer viruses
The first known computer virus was developed in 1971 by Robert Thomas, an engineer at BBN Technologies. Known as the "Creeper" virus, Thomas' experimental program infected mainframes on ARPANET, displaying the teletype message, "I'm the creeper: Catch me if you can."
The first computer virus to be discovered in the wild was "Elk Cloner," which infected Apple II operating systems through floppy disks and displayed a humorous message on infected computers. Elk Cloner, which was developed by 15-year-old Richard Skrenta in 1982, was designed as a prank but it demonstrated how a potentially malicious program could be installed in an Apple computer's memory and prevent users from removing the program.
The term "computer virus" wasn't used until a year later. Fred Cohen, a graduate student at the University of California, wrote an academic paper titled "Computer Viruses -- Theory and Experiments" and credited his academic advisor and RSA Security co-founder Leonard Adleman with coining the phrase "computer virus" in 1983.
Famous computer viruses
Notable examples of early computer viruses include the "Brain" virus, which initially appeared in 1986 and is considered to be the first MS-DOS personal computer virus. Brain was a boot sector virus; it spread through infected floppy disk boot sectors and, once installed on a new PC, it would install itself to the system's memory and subsequently infect any new disks inserted into that PC.
The "Jerusalem" virus, also known as the "Friday the 13th" virus, was discovered in 1987 and spread throughout Israel via floppy disks and email attachments. The DOS virus would infect a system and delete all files and programs when the system's calendar reached Friday the 13th.
The Melissa virus, which first appeared in 1999, was distributed as an email attachment. If the infected systems had Microsoft Outlook, the virus would be sent to the first 50 people in an infected user's contact list. The "Melissa" virus also affected macros in Microsoft Word and disabled or lowered security protections in the program.
The "Archiveus" Trojan, which debuted in 2006, was the first known case of a ransomware virus that used strong encryption to encrypt users' files and data. Archiveus targeted Windows systems, used RSA encryption algorithms (earlier versions of ransomware used weaker and easily defeated encryption technology) and demanded victims purchase products from an online pharmacy.
The "Zeus" Trojan, one of the most well-known and widely spread viruses in history, first appeared in 2006 but has evolved over the years and continued to cause problems as new variants emerge. The Zeus Trojan was initially used to infect Windows systems and harvest banking credentials and account information from victims. The virus spread through phishing attacks, drive-by downloads and man-in-the-browser techniques to infect users. The Zeus malware kit was adapted by cybercriminals to include new functionality to evade antivirus programs as well as spawn new variants of the Trojan such as "ZeusVM," which uses steganography techniques to hide its data.
"Cabir" virus is the first verified example of a mobile phone virus for the now defunct Nokia Symbian operating system. The virus was believed to be created by a group from the Czech Republic and Slovakia called 29A, who sent it to a number of security software companies, including Symantec in the United States and Kapersky Lab in Russia. Cabir is considered a proof-of-concept virus, because it proves that a virus can be written for mobile phones, something that was once doubted.