CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [55]
Macro Virus
A macro virus exploits the enhancements made to many application programs. Programmers can expand the capability of applications such as Word and Excel. Word, for example, supports a mini-BASIC programming language that allows files to be manipulated automatically. These programs in the document are called macros. For example, a macro can tell your word processor to spell-check your document automatically when it opens. Macro viruses can infect all the documents on your system and spread to other systems via e-mail or other methods. Macro viruses are the fastest growing exploitation today.
Multipartite Virus
A multipartite virus attacks your system in multiple ways. It may attempt to infect your boot sector, infect all of your executable files, and destroy your application files. The hope here is that you won’t be able to correct all the problems and will allow the infestation to continue. The multipartite virus in Figure 2.17 attacks your boot sector, infects application files, and attacks your Microsoft Word documents.
Phage Virus
A phage virus modifies and alters other programs and databases. The virus infects all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single incident of this virus on the victim system, the process will start again and infect the system once more.
FIGURE 2.17 A multipartite virus commencing an attack on a system
Polymorphic Virus
Polymorphic viruses change form in order to avoid detection. These types of viruses attack your system, display a message on your computer, and delete files on your system. The virus will attempt to hide from your antivirus software. Frequently, the virus will encrypt parts of itself to avoid detection. When the virus does this, it’s referred to as mutation. The mutation process makes it hard for antivirus software to detect common characteristics of the virus. Figure 2.18 shows a polymorphic virus changing its characteristics to avoid detection. In this example, the virus changes a signature to fool antivirus software.
Retrovirus
A retrovirus attacks or bypasses the antivirus software installed on a computer. You can consider a retrovirus to be an anti-antivirus. Retroviruses can directly attack your antivirus software and potentially destroy the virus definition database file. Destroying this information without your knowledge would leave you with a false sense of security. The virus may also directly attack an antivirus program to create bypasses for itself.
FIGURE 2.18 The polymorphic virus changing its characteristics
Stealth Virus
A stealth virus attempts to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. An infected file may report a file size different from what is actually present in order to avoid detection. Figure 2.19 shows a stealth virus attaching itself to the boot sector to avoid detection. Stealth viruses may also move themselves from fileA to fileB during a virus scan for the same reason.
An updated list of the most active viruses and spyware is on the Panda Software site at http://enterprise.pandasoftware.com.
FIGURE 2.19 A stealth virus hiding in a disk boot sector
Virus Transmission in a Network
Upon infection, some viruses destroy the target system immediately. The saving grace is that the infection can be detected and corrected. Some viruses won’t destroy or otherwise tamper with a system; they use the victim system