Computer Viruses Explained
(a bit dated 2006... but still good info)

So, I will add rootkits
A rootkit is a nasty form of malware that installs certain tools on to a victims computer that are designed to mask their presence by disabling installed programs designed to identify them. Rootkits are usually installed through a system vulnerability or if the user is not using a "strong" password, the password can be cracked and then the hacker will have administrative level access to the computer. Once the hacker has gained access to your computer, there are many types of rootkit tools that can be installed. One of the most dangerous is the "key-logger". This is a tool that will log the keystrokes of the user and send this information directly to the hackers server. If your keystrokes have been logged and sent while you have accessed your bank-accounts, you can rest assured that your bank account password has been compromised.
Posted by Dave
5 Star Support Security Specialist

In this paper, I will try to introduce you to the most prevalent types of viruses you may encounter on the Internet, as well as give you both a definition of each type, and hopefully a better understanding of what they are and how they operate in a computer.

A properly engineer virus is a real attention getter, usually making the news on radio, television, newspapers, and Web sites. They tend to show us that although we have become truly high-tech and globally interconnected, we are still quite vulnerable.

To illustrate this, I ask you to remember a few truly simple viruses from the past. In March 1999, the Melissa virus was deemed so powerful, major companies including Microsoft shut down their email services until the virus was contained, and anti-virus vendors got caught up and offered removal tools. The I Love You virus in 2000 had a similar effect. In January 2004, the simple Mydoom worm infected over a quarter-million computers in a single day, and is still circulating. Today. These were all very simple from a coding standpoint, yet very effective, and certainly got a lot of attention.

Let’s begin by covering the most common types of threats on the Internet today:

A virus is a small piece of software or code designed to piggyback itself to a program in your computer. Every time that program is run, the virus also runs and has a chance to replicate or reproduce itself and then attach to another program in the computer. Usual symptoms are the program being used does not operate normally, and it operates more slowly.

E-mail viruses:
These viruses migrate by means of e-mail messages &/or attachments. They spread by e-mailing themselves to every address found in the address book in the computer. Given the sheer volume of e-mail traffic on a global basis, this allows these viruses to spread very rapidly, and the volume created has forced e-mail server shutdowns on a number of occasions.

These are small pieces of software that makes use of computer networks and security holes found in them to replicate and spread. Most worms are written to detect and exploit a specific security hole or flaw. Once a computer on a network is discovered with the appropriate weakness, it gets attacked and infected by the worm. The worm then scans the network looking for another computer with the same hole and the process repeats. Now there are two computers for it to replicate from. The process continually repeats itself, but with the speed of today’s computers and networks, a network of say 50 computers and a properly engineered worm can easily infect all 50 computers in the network in under an hour. Perhaps the most famous worm of recent times was Code Red. In July of 2001 it replicated itself over 250,000 times in just nine hours.
Trojans (Trojan Horses):
Simply stated, a Trojan is a program. The program claims to do one thing, but when run, it does damage to the computer running it (for example, it may be designed to erase your hard drive). Fortunately, a straight Trojan Horse has no way of replicating itself. Now for some background and history regarding viruses: Executable viruses:

Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. Any virus is designed to run first when the legitimate program gets executed. The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, they infect other programs, and the cycle continues. If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads. The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Unfortunately, most viruses also have some sort of destructive attack phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.

Boot Sector Viruses:

As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. The boot sector contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it gets executed. It can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.
In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc. Compact discs cannot be modified, and that makes viral infection of a CD impossible. The programs are so big that the only easy way to move them around is to buy the CD. People certainly can't carry applications around on a floppy disk like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined because operating systems now protect the boot sector.
Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as quickly as they once could. Call it "shrinking habitat," if you want to use a biological analogy. The environment of floppy disks, small programs and weak operating systems made these viruses possible in the 1980s, but huge executables, unchangeable CDs and better operating system safeguards have largely eliminated that environmental niche.

E-mail viruses:

The latest thing in the world of computer viruses is the e-mail virus, and the Melissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus ever seen! As mentioned earlier, it forced a number of large companies to shut down their e-mail systems.

The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.

The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus! It created a huge mess.

Microsoft applications have a feature called Macro Virus Protection built into them to prevent this sort of thing. With Macro Virus Protection turned on (the default option is ON), the auto-execute feature is disabled. So when a document tries to auto-execute viral code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway. Many other people turn off the protection mechanism. So the Melissa virus spread despite the safeguards in place to prevent it.

In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable.
One thing is certain. Although viruses are not as prevalent and dominant as they once were, they are here to stay. The main danger from them is the damage caused. The more skilled writers of the new millennium are also finding ways to ‘package’ viruses, which means include them inside other forms of malware in order to ensure successful spreading and damage on a large scale. These same writers are turning out more complex and difficult to detect and remove code as time marches on.

The bottom line is this. If you intend to connect a computer to the Internet, a good anti-virus program is a must for your computer. The bigger the database it draws from, and the more automatic its operation, the better.

I hope this has helped increase your knowledge and understanding of Viruses and how they operate and spread. Until I see you again here at 5 Star Support, stay safe and happy computing.

Credits: Dave at 5 Star Support - Free Computer Help and Technical Support