A computer virus is malicious code that replicates by copying itself to another program, computer boot sector or document and changes how a computer works. The virus requires someone to knowingly or unknowingly spread the infection without the knowledge or permission of a user or system administrator. In contrast, a computer worm is stand-alone programming that does not need to copy itself to a host program or require human interaction to spread. Viruses and worms may also be referred to as malware.
A virus can be spread by opening an email attachment, clicking on an executable file, visiting an infected website or viewing an infected website advertisement. It can also be spread through infected removable storage devices, such USB drives. Once a virus has infected the host, it can infect other system software or resources, modify or disable core functions or applications, as well as copy, delete or encrypt data. Some viruses begin replicating as soon as they infect the host, while other viruses will lie dormant until a specific trigger causes malicious code to be executed by the device or system.
Many viruses also include evasion or obfuscation capabilities that are designed to bypass modern antivirus and antimalware software and other security defenses. The rise of polymorphic malware development, which can dynamically change its code as it spreads, has also made viruses more difficult to detect and identify.
Types of viruses
File infectors. Some file infector viruses attach themselves to program files, usually selected .com or .exe files. Some can infect any program for which execution is requested, including .sys, .ovl, .prg, and .mnu files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly contained programs or scripts sent as an attachment to an email note.
Macro viruses. These viruses specifically target macro language commands in applications like Microsoft Word and other programs. In Word, macros are saved sequences for commands or keystrokes that are embedded in the documents. Macro viruses can add their malicious code to the legitimate macro sequences in a Word file. Microsoft disabled macros by default in more recent versions of Word; as a result, hackers have used social engineering schemes to convince targeted users to enable macros and launch the virus. As macro viruses have seen a resurgence in recent years, Microsoft added a new feature in Office 2016 that allows security managers to selectively enable macro use for trusted workflows only, as well as block macros across an organization.
Overwrite viruses. Some viruses are designed specifically to destroy a file or application's data. After infecting a system, an overwrite virus begins overwriting files with its own code. These viruses can target specific files or applications or systematically overwrite all files on an infected device. An overwrite virus can install new code in files and applications that programs them to spread the virus to additional files, applications and systems.
Polymorphic viruses. A polymorphic virus is a type of malware that has the ability to change or mutate its underlying code without changing its basic functions or features. This process helps a virus evade detection from many antimalware and threat detection products that rely on identifying signatures of malware; once a polymorphic virus' signature is identified by a security product, the virus can then alter itself so that it will no longer be detected using that signature.
Resident viruses. This type of virus embeds itself in the memory of a system. The original virus program isn't needed to infect new files or applications; even if the original virus is deleted, the version stored in memory can be activated when the operating system loads a specific application or function. Resident viruses are problematic because they can evade antivirus and antimalware software by hiding in the system's RAM.
Rootkit viruses. A rootkit virus is a type of malware that installs an unauthorized rootkit on an infected system, giving attackers full control of the system with the ability to fundamentally modify or disable functions and programs. Rootkit viruses were designed to bypass antivirus software, which typically scanned only applications and files. More recent versions of major antivirus and antimalware programs include rootkit scanning to identify and mitigate these types of viruses.
System or boot-record infectors. These viruses infect executable code found in certain system areas on a disk. They attach to the DOS bootsector on diskettes and USB thumb drives or the Master Boot Record on hard disks. In a typical attack scenario, the victim receives storage device that contains a boot disk virus. When the victim's operating system is running, files on the external storage device can infect the system; rebooting the system will trigger the boot disk virus. An infected storage device connected to a computer can modify or even replace the existing boot code on the infected system so that when the system is booted next, the virus will be loaded and run immediately as part of the Master Boot Record. Boot viruses are less common now as today's devices rely less on physical storage media.
How to prevent computer viruses
The following measures can help prevent a virus infection:
- Install current antivirus and antispyware software and keep it up to date.
- Run daily scans of antivirus software.
- Disable autorun to prevent viruses from propagating to any media connected to the system.
- Regularly patch the operating system and applications installed on the computer.
- Don’t click on web links sent via email.
- Don’t download files from the Internet or email.
- Install a hardware-based firewall.
Signs you may be infected with a computer virus
The following are indications that a computer might be infected by a virus:
- The computer takes a long time to start up and performance is slow.
- The computer experiences frequent crashes, or shutdown and error messages.
- The computer behaves erratically, such as not responding to clicks or opening files on its own.
- The computer’s hard drive is acting strangely; for example, constantly spinning or making continual noise.
- Email is corrupted.
- The amount of storage on the computer is reduced.
- Files and other data on the computer have gone missing.
How to remove a computer virus
To remove a virus from a PC, do the following:
Step 1: Enter Safe Mode. The process for doing so will depend on the version of Windows you’re running.
Step 2: Delete temporary files. While in Safe Mode, use the Disk Cleanup tool to delete Temporary Files.
Step 3: Download an on-demand and a real-time virus scanner.
Step 4: Run the on-demand scanner followed by the real-time scanner. If neither scanner removes the virus, then it might need to be removed manually. This should only be done by an expert who is experienced at using Windows Registry and knows how to view and delete system and program files.
Step 5: Reinstall any files or programs damaged by the virus.
History of computer viruses
The first known computer virus was developed in 1971 by Robert Thomas, an engineer at BBN Technologies. Known as the "Creeper" virus, Thomas' experimental program infected mainframes on ARPANET, displaying the teletype message, "I'm the creeper: Catch me if you can."
The first computer virus to be discovered in the wild was "Elk Cloner," which infected Apple II operating systems through floppy disks and displayed a humorous message on infected computers. Elk Cloner, which was developed by 15-year-old Richard Skrenta in 1982, was designed as a prank but it demonstrated how a potentially malicious program could be installed in an Apple computer's memory and prevent users from removing the program.
The term "computer virus" wasn't used until a year later. Fred Cohen, a graduate student at the University of California, wrote an academic paper titled "Computer Viruses -- Theory and Experiments" and credited his academic advisor and RSA Security co-founder Leonard Adleman with coining the phrase "computer virus" in 1983.
Famous computer viruses
Notable examples of early computer viruses include:
- The "Brain" virus, which initially appeared in 1986, is considered to be the first MS-DOS personal computer virus. Brain was a boot sector virus; it spread through infected floppy disk boot sectors and, once installed on a new PC, it would install itself to the system's memory and subsequently infect any new disks inserted into that PC.
- The "Jerusalem" virus, also known as the "Friday the 13th" virus, was discovered in 1987 and spread throughout Israel via floppy disks and email attachments. The DOS virus would infect a system and delete all files and programs when the system's calendar reached Friday the 13th.
- The Melissa virus, which first appeared in 1999, was distributed as an email attachment. If the infected systems had Microsoft Outlook, the virus would be sent to the first 50 people in an infected user's contact list. The "Melissa" virus also affected macros in Microsoft Word and disabled or lowered security protections in the program.
- The "Archiveus" Trojan, which debuted in 2006, was the first known case of a ransomware virus that used strong encryption to encrypt users' files and data. Archiveus targeted Windows systems, used RSA encryption algorithms (earlier versions of ransomware used weaker and easily defeated encryption technology) and demanded victims purchase products from an online pharmacy.
- The "Zeus" Trojan, one of the most well-known and widely spread viruses in history, first appeared in 2006 but has evolved over the years and continued to cause problems as new variants emerge. The Zeus Trojan was initially used to infect Windows systems and harvest banking credentials and account information from victims. The virus spread through phishing attacks, drive-by downloads and man-in-the-browser techniques to infect users. The Zeus malware kit was adapted by cybercriminals to include new functionality to evade antivirus programs as well as spawn new variants of the Trojan such as "ZeusVM," which uses steganography techniques to hide its data.
- "Cabir" virus is the first verified example of a mobile phone virus for the now defunct Nokia Symbian operating system. The virus was believed to be created by a group from the Czech Republic and Slovakia called 29A, who sent it to a number of security software companies, including Symantec in the United States and Kapersky Lab in Russia. Cabir is considered a proof-of-concept virus, because it proves that a virus can be written for mobile phones, something that was once doubted.