A computer virus is malicious code that replicates by copying itself to another program, computer boot sector or document and changes how a computer works. A virus spreads between systems after some type of human intervention. Viruses replicate by creating their own files on an infected system, attaching themselves to a legitimate program, infecting a computer's boot process or infecting user documents. The virus requires someone to knowingly or unknowingly spread the infection. In contrast, a computer worm is standalone programming that does not require human interaction to spread. Viruses and worms are two examples of malware, a broad category that includes any type of malicious code.
A virus can be spread when a user opens an email attachment, runs an executable file, visits an infected website or views an infected website advertisement, known as malvertising. It can also be spread through infected removable storage devices, such as Universal Serial Bus (USB) drives. Once a virus has infected the host, it can infect other system software or resources, modify or disable core functions or applications, and copy, delete or encrypt data. Some viruses begin replicating as soon as they infect the host, while other viruses will lie dormant until a specific trigger causes malicious code to be executed by the device or system.
Many viruses also include evasion or obfuscation capabilities designed to bypass modern antivirus and antimalware software and other security defenses. The rise of polymorphic malware development, which can dynamically change its code as it spreads, has made viruses more difficult to detect and identify.
Types of computer viruses
File infectors. Some file infector viruses attach themselves to program files, usually selected COM or EXE files. Others can infect any program for which execution is requested, including SYS, OVL, PRG and MNU files. When the infected program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly contained programs or scripts sent as an attachment to an email note.
Macro viruses. These viruses specifically target macro language commands in applications such as Microsoft Word and other programs. In Word, macros are saved sequences for commands or keystrokes that are embedded in the documents. Macro viruses, or scripting viruses, can add their malicious code to the legitimate macro sequences in a Word file. Microsoft disabled macros by default in more recent versions of Word; as a result, hackers have used social engineering schemes to convince targeted users to enable macros and launch the virus.
Overwrite viruses. Some viruses are designed specifically to destroy a file or application's data. After infecting a system, an overwrite virus begins overwriting files with its own code. These viruses can target specific files or applications or systematically overwrite all files on an infected device. An overwrite virus can install new code in files and applications that programs them to spread the virus to additional files, applications and systems.
Polymorphic viruses. A polymorphic virus is a type of malware that has the ability to change or apply updates to its underlying code without changing its basic functions or features. This process helps a virus evade detection from many antimalware and threat detection products that rely on identifying signatures of malware; once a polymorphic virus's signature is identified by a security product, the virus can then alter itself so it will no longer be detected using that signature.
Resident viruses. This type of virus embeds itself in the memory of a system. The original virus program isn't needed to infect new files or applications. Even if the original virus is deleted, the version stored in memory can be activated when the operating system (OS) loads a specific application or service. Resident viruses are problematic because they can evade antivirus and antimalware software by hiding in the system's random access memory (RAM).
Rootkit viruses. A rootkit virus is a type of malware that installs an unauthorized rootkit on an infected system, giving attackers full control of the system with the ability to fundamentally modify or disable functions and programs. Rootkit viruses were designed to bypass antivirus software, which typically scanned only applications and files. More recent versions of major antivirus and antimalware programs include rootkit scanning to identify and mitigate these types of viruses.
System or boot sector viruses. These viruses infect executable code found in certain system areas on a disk. They attach to the disk OS (DOS) boot sector on diskettes and USB thumb drives or the master boot record (MBR) on hard disks. In a typical attack scenario, the victim receives a storage device that contains a boot disk virus. When the victim's OS is running, files on the external storage device can infect the system; rebooting the system will trigger the boot disk virus. An infected storage device connected to a computer can modify or even replace the existing boot code on the infected system so that, when the system is booted next, the virus will be loaded and run immediately as part of the MBR. Boot viruses are less common now as today's devices rely less on physical storage media.
How does a computer virus spread?
The distinguishing characteristic of a virus is it spreads from system to system after a user takes some action that either intentionally or accidentally facilitates that spread. This spread is known as virus propagation, and there are many different techniques viruses can use to propagate between systems. The simplest example occurs when a virus is contained within an executable file that a user downloads from the internet, receives in an email message or copies from a removable storage device. As soon as the user executes that file, the virus springs into action, running malicious code that infects the user's system.
Other viruses can spread through more complex mechanisms. In those cases, a virus running on an infected system may take action to begin its own propagation. For example, a virus might copy itself to all removable media installed on a system, attach itself to email messages sent to a user's contacts or copy itself to shared file servers. In those cases, the lines become blurred between viruses, which require human assistance to spread, and worms, which spread on their own by exploiting vulnerabilities. The key difference is the virus will always require a human to take an action that enables that final step in the propagation process, while a worm does not require this human assistance.
Viruses can also spread between systems without ever writing data to disk, making them more difficult to detect with virus protection and virus removal mechanisms. These fileless viruses are often launched when a user visits an infected website and then run completely within the target system's memory, carrying out their malicious payload and then disappearing without a trace.
How do computer viruses attack?
Virus propagation is only half the equation. Once a virus gains a foothold on a newly infected system, it begins to carry out whatever exploit the virus author designed it to perform. This is the payload delivery process, where the virus attacks the target system. Depending on the techniques the virus uses and the privileges of the user who created the infection, the virus may be able to take any action it desires on the target system. This is one of the main reasons that security professionals encourage organizations to follow the principle of least privilege (POLP) and not grant users administrative rights on their own systems. This type of access can magnify the damage caused by a virus.
The payload a virus carries may violate one or more of the principles of cybersecurity: confidentiality, integrity and availability (CIA triad). Confidentiality attacks seek to locate sensitive information stored on the target system and share it with the attacker. For example, a virus might search the local hard drive (HD) for Social Security numbers, credit card numbers and passwords, and then funnel those back to the attacker. Integrity attacks seek to make unauthorized modifications or deletions of information stored on the system. For example, a virus might delete files stored on a system or make unauthorized modifications to the OS to avoid detection. Availability attacks seek to deprive the legitimate user access to the system or the information it contains. For example, ransomware is a type of virus that encrypts information on the user's HD, preventing legitimate access. It then demands the payment of a ransom in exchange for the decryption key.
Viruses may also join a system to a botnet, placing it under the control of the attacker. Systems joined to botnets are commonly used to conduct distributed denial of service (DDoS) attacks against websites and other systems.
How do you prevent computer viruses?
The following measures can help you prevent a virus infection:
- Install current antivirus and antispyware software, and keep it up to date.
- Run daily scans of antivirus software.
- Disable autorun to prevent viruses from propagating to any media connected to the system.
- Regularly patch the OS and applications installed on the computer.
- Don't click on web links sent via email from unknown senders.
- Don't download files from the internet or email from unknown senders.
- Install a hardware-based firewall.
What are signs you may be infected with a computer virus?
The following are indications that your computer might be infected by a virus:
- The computer takes a long time to start up, and performance is slow.
- The computer experiences frequent crashes or shutdown and error messages.
- The computer behaves erratically, such as not responding to clicks or opening files on its own.
- The computer's HD is acting strangely -- for example, constantly spinning or making continual noise.
- Email is corrupted.
- The amount of storage on the computer is reduced.
- Files and other data on the computer have gone missing.
How do you remove a computer virus?
In the event your personal computer (PC) becomes infected with a virus, you can take the following steps to remove it:
- Enter Safe Mode. The process will depend on the version of Windows you're running.
- Delete temporary files. While in Safe Mode, use the Disk Cleanup tool to delete temporary files.
- Download an on-demand and a real-time virus scanner.
- Run the on-demand scanner followed by the real-time scanner. If neither scanner removes the virus, then it might need to be removed manually. This should only be done by an expert who is experienced at using Windows Registry and knows how to view and delete system and program files.
- Reinstall any files or programs damaged by the virus.
History of computer viruses
The first known computer virus was developed in 1971 by Robert Thomas, an engineer at BBN Technologies. Known as the Creeper virus, Thomas' experimental program infected mainframes on the Advanced Research Projects Agency Network (ARPANET), displaying the teletype message: "I'm the creeper: Catch me if you can."
The first computer virus to be discovered in the wild was Elk Cloner, which infected Apple II OSes through floppy disks and displayed a humorous message on infected computers. Elk Cloner, which was developed by 15-year-old Richard Skrenta in 1982, was designed as a prank, but it demonstrated how a potentially malicious program could be installed in an Apple computer's memory and prevent users from removing the program.
The term computer virus wasn't used until a year later. Fred Cohen, a graduate student at the University of Southern California (USC), wrote an academic paper titled "Computer Viruses -- Theory and Experiments" and credited his academic advisor and RSA Security co-founder Leonard Adleman with coining the term computer virus in 1983.
Famous computer viruses
Notable examples of early computer viruses include the following:
- The Brain virus, which initially appeared in 1986, is considered to be the first Microsoft DOS (MS-DOS) PC virus. Brain was a boot sector virus. It spread through infected floppy disk boot sectors, and once installed on a new PC, it would install itself to the system's memory and subsequently infect any new disks inserted into that PC.
- The Jerusalem virus, also known as the Friday the 13th virus, was discovered in 1987 and spread throughout Israel via floppy disks and email attachments. The DOS virus would infect a system and delete all files and programs when the system's calendar reached Friday the 13th.
- The Melissa virus, which first appeared in 1999, was distributed as an email attachment. If the infected systems had Microsoft Outlook, the virus would be sent to the first 50 people in an infected user's contact list. This virus also affected macros in Microsoft Word and disabled or lowered security protections in the program.
- The Archiveus Trojan, which debuted in 2006, was the first known case of a ransomwarevirus that used strong encryption to encrypt users' files and data. Archiveus targeted Windows systems, used Rivest-Shamir-Adleman (RSA) encryption algorithms -- whereas earlier versions of ransomware used weaker and easily defeated encryption technology -- and demanded victims purchase products from an online pharmacy.
- The Zeus Trojan, or Zbot, one of the most well-known and widely spread viruses in history, first appeared in 2006 but has evolved over the years and continues to cause problems as new variants emerge. The Zeus Trojan was initially used to infect Windows systems and harvest banking credentials and account information from victims. The virus spreads through phishing attacks, drive-by downloads and man-in-the-browser The Zeus malware kit was adapted by cybercriminals to include new functionality to evade antivirus programs, as well as spawn new variants of the Trojan, such as ZeusVM, which uses steganography techniques to hide its data.
- The Cabir virus is the first verified example of a mobile phone virus for the now-defunct Nokia Symbian OS. The virus was believed to be created by a group from the Czech Republic and Slovakia called 29A, who sent it to a number of security software companies, including Symantec in the U.S. and Kaspersky Lab in Russia. Cabir is considered a proof-of-concept (POC) virus because it proves that a virus can be written for mobile phones, something that was once doubted.