How It Works: Viruses

How Did I Get This Virus, Anyway?

You get a virus when you copy infected files to your computer, then activate the code inside by running the infected application or opening an infected document. How you copy the infected files is irrelevant: Viruses don't care if you get them as an e-mail attachment, a download, or via a shared floppy disk, though e-mail attachments are the most prevalent (and easiest) mode of transport.

Once you open an infected file or application, the malicious code copies itself into a file on your system, where it waits to deliver its payload--whatever the programmer designed it to do to your system. Simply deleting the e-mail after you open the attachment won't get rid of the virus, since it has already entered the machine.

A virus writer can set the payload to trigger immediately, at a preset future time or date, or upon the execution of a specific command, such as when you save or open a file. The Michelangelo virus, for example, was programmed to release its payload on March 6 of any year--the artist's birthday.

General Virus Types

While there are thousands of variations of viruses, most fall into one of the following six general categories, each of which works its magic slightly differently:

Boot Sector Virus: replaces or implants itself in the boot sector---an area of the hard drive (or any other disk) accessed when you first turn on your computer. This kind of virus can prevent you from being able to boot your hard disk.

File Virus: infects applications. These executables then spread the virus by infecting associated documents and other applications whenever they're opened or run.

Macro Virus: Written using a simplified macro programming language, these viruses affect Microsoft Office applications, such as Word and Excel, and account for about 75 percent of viruses found in the wild. A document infected with a macro virus generally modifies a pre-existing, commonly used command (such as Save) to trigger its payload upon execution of that command.

Multipartite Virus: infects both files and the boot sector--a double whammy that can reinfect your system dozens of times before it's caught.

Polymorphic Virus: changes code whenever it passes to another machine; in theory these viruses should be more difficult for antivirus scanners to detect, but in practice they're usually not that well written.

Stealth Virus: hides its presence by making an infected file not appear infected, but doesn't usually stand up to antivirus software.

All Malicious Code Isn't a Virus

A common misconception is that other kinds of electronic nasties, such as worms and Trojan horse applications, are viruses. They aren't. Worms, Trojan horses, and viruses are in a broader category analysts call "malicious code."

A worm program replicates itself and slithers through network connections to infect any machine on the network and replicate within it, eating up storage space and slowing down the computer. But worms don't alter or delete files.

A Trojan horse doesn't replicate itself, but it is a malicious program disguised as something benign such as a screen saver. When loaded onto your machine, a Trojan horse can capture information from your system--such as user names and passwords--or could allow a malicious hacker to remotely control your computer.