Virus

  1. A virus can be in one of several life phases:
    1. Dormant phase: The virus just exists as a file on the disk and avoids detection.
    2. Propagation phase: The virus is replicating itself, infecting new files.
    3. Triggering phase: Some logical condition causes the virus to move from a dormant or propagation phase to perform its intended action.
    4. Action phase: The virus performs the malicious action it was designed to perform, called the payload, which can be anything from sending spam to destroying files, launching denial-of-service attacks, and spying on users. The payload could also be just another type of malware, e.g., a trojan or spyware.
    Viruses attempt to conceal their action (to prevent anti-virus software from detecting it) in a few ways, including:
    • Encryption: Such a virus encrypts itself and uses a different key each time it infects a new file.
    • Stealth: Evades anti-virus software by intercepting the calls that software makes to the OS and redirecting them to the virus itself.
    • Polymorphic / Metamorphic: Change their form (i.e., mutate) or re-write themselves before every new infection.
    • Sparse Infecting: Infect every nth file, or on rare occasions (e.g., Friday the 13th).
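
An added example, not part of the original notes, showing from the detection side why the per-infection key described under "Encryption" defeats an exact-hash signature, and how a scanner can fall back on byte entropy. The toy keystream, the sample bytes, the key names and the 7.5 bits-per-byte threshold are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream, used here only to build sample data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

# Constructed, harmless placeholder standing in for a fixed code body.
BODY = b"constructed placeholder body, not real code. " * 40
# The same body under two different keys, as on two separately infected files.
COPY_A = keystream_xor(BODY, b"constructed-key-A")
COPY_B = keystream_xor(BODY, b"constructed-key-B")

# A hash signature captured from the first sample only.
SIGNATURES = {hashlib.sha256(COPY_A).hexdigest()}
ENTROPY_THRESHOLD = 7.5  # assumed triage cut-off in bits per byte

def triage(blob: bytes) -> str:
    """Exact-hash lookup first, then an entropy heuristic as a fallback."""
    if hashlib.sha256(blob).hexdigest() in SIGNATURES:
        return "signature-match"
    if shannon_entropy(blob) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "no-finding"

if __name__ == "__main__":
    for name, blob in (("BODY", BODY), ("COPY_A", COPY_A), ("COPY_B", COPY_B)):
        print(f"{name}: entropy={shannon_entropy(blob):.2f} triage={triage(blob)}")
```

Compressed archives and media files are also high-entropy, so the entropy result is a triage signal that prompts closer inspection, not a verdict.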