A computer virus is a generally destructive program that can cause the loss of information stored on the hard drive of the computer it enters.
What is a Virus on a Computer, What are the Types and How are They Analyzed?
A computer virus is a program that reproduces itself and interferes with the computer’s hardware or operating system.
Antivirus programs exist that recognize viruses and can immunize the computer against them or remove them.
Viruses are designed to reproduce and to avoid detection. Like any other program, a virus must be executed in order to work: the computer must load the virus code into memory and follow its instructions.
These instructions are known as the virus’s payload. The payload can corrupt or alter data files, display a particular message, or cause malfunctions in the operating system.
There are other harmful programs (malware) that resemble viruses but do not meet the requirements of replication and detection avoidance.
These programs fall into three categories:
A Trojan horse looks like something interesting and harmless, such as a game, but has harmful effects when run.
A logic bomb releases its payload when a certain condition occurs, such as a particular date or time being reached or a particular combination of letters being entered.
In 1949 the Hungarian-born American mathematician John von Neumann, at the Institute for Advanced Study in Princeton, New Jersey, raised the theoretical possibility of a self-reproducing computer program.
This theory was tested experimentally at Bell Laboratories in the 1950s, where a game called Core Wars was developed in which players wrote small programs that attacked and deleted the opponent’s system and tried to spread into it.
In 1983 the American electrical engineer Fred Cohen, then a university student, coined the term virus to describe a self-reproducing computer program.
The first Trojans appeared in 1985, disguised as a graphics program called EGABTR and a game called NUKE-LA. Numerous viruses soon followed, growing increasingly complex.
The Brain virus appeared in 1986 and spread around the world in 1987.
In 1988 two new viruses emerged: Stoned, the first boot sector virus, and an Internet worm that spread overnight across computer networks in the United States.
Dark Avenger, the first fast infector, appeared in 1989, followed by the first polymorphic virus in 1990. In 1995 the WinWord Concept virus, the first written in a macro language, was created.
How Do Viruses Reproduce or Spread?
Computer viruses spread when the instructions that run programs (executable code) pass from one computer to another.
Once activated, a virus can replicate by copying itself to floppy disks, hard drives, legitimate programs, or computer networks.
Such infections are much more common on PCs than on large professional systems, because PC programs are mostly exchanged on floppy disks or over loosely controlled networks.
Viruses work, reproduce and release their payload only when they are run.
So a computer that is merely connected to an infected network, or that has an infected program installed on it, is not necessarily infected.
Normally a user does not knowingly execute potentially harmful code; viruses therefore often trick the operating system or the user into running the viral program.
Some viruses can attach themselves to legitimate programs. This attachment can occur when a legitimate program is created, opened, or modified.
When such a program is then run, so is the virus. Viruses can also reside in the partition of a hard or floppy disk that loads and starts the operating system when the computer boots, so these viruses run automatically.
On networks, some viruses hide inside the software that lets users connect to the system.
How Are Viruses Transmitted?
Viruses can be programmed to lodge in many different places: main memory, document macros, the boot area, files, and web pages.
In the case of main memory, the threat installs itself permanently in RAM and waits for a program with an EXE or COM extension to infect.
A macro is a small program or subroutine that another program, such as the Word, Excel or PowerPoint office tools, can execute.
Virus routines written as such a subroutine are run whenever the macro is executed in that kind of office document.
Hard drives and floppy disks have a sector called the boot sector that holds information about the properties and contents of the disk. A threat can lodge in this sector, so that it infects the system while the computer is starting up.
Email attachments are one of the most effective ways to spread viruses; the code can be sent as an attached file under any name and extension, however suspicious.
Web pages, being hypertext files, would rank last on a sensitivity scale, but the problem arises on pages of an interactive nature, such as forms, because these and other parts of the page contain programs called Java applets and ActiveX controls.
There are, however, many different harmful threats that need to be classified.
The classification below is one of the most common, which means that other, more complex ones exist.
What Are Its Types?
Computer viruses can be divided into six categories: parasitic, boot sector, multipartite, companion, link, and data file viruses.
Parasitic viruses infect executable files or programs.
They do not change the content of the host program, but attach themselves to it so that the virus code runs first.
These viruses can be direct-action or resident. A direct-action virus selects one or more programs to infect each time it is run.
A resident virus hides in the computer’s memory and infects a particular program when that program is run.
Boot Sector
Boot sector viruses reside in the first part of a hard or floppy disk, known as the boot sector, and replace the program that starts the computer or the area that stores information about the contents of the disk. They usually spread through the physical exchange of floppy disks.
Multipartite viruses combine the capabilities of parasitic and boot sector viruses and can infect both files and boot sectors.
Companion viruses do not modify files; instead they create a new program with the same name as a legitimate program and trick the operating system into running it.
Link viruses change the way the operating system locates programs, so that the virus runs first and then the requested program.
A link virus can infect an entire directory on a computer, and every executable accessed in that directory triggers the malware.
Other threats infect programs that contain powerful macro languages able to open, manipulate, and close data files.
These threats, called data file viruses, are written in macro languages and run automatically when the legitimate program is opened. They are independent of the machine and operating system.
Heuristic Analysis Algorithms
Heuristic scanning is often seen as magic: the ability of a protection product to classify a sample as malicious without having a specific signature for it.
It is the technique that allows software to be flagged as potentially suspicious on the basis of malicious behaviour.
If our antivirus engine is running and detects suspicious behaviour, for example, it enters a warning state and notifies us that the sample is potentially dangerous.
The antivirus cannot be completely certain of the malicious nature, because the sample was marked suspect on behavioural indications, not on a condition known to be a 100% match.
The system does this in real time, or at least immediately enough for its purpose. Behaviour analysis has given rise to a whole branch of science.
The mathematics of heuristics is complex because ultimately it tries to model behaviours, not definite facts.
Most of the time, the results of such an approach cannot be explained. Mathematically, these intelligent recognition techniques are known as multivariate detection algorithms.
The algorithm is a mathematical model of behaviour, that is, it has a beginning and an end. Detection is the method of observation and analysis that allows a later decision, and multivariate analysis is the mathematical character that makes a given event depend on several simultaneous factors.
In summary, heuristic detection is a mathematical problem of multivariate detection that must be modelled with different algorithms.
Viruses’ Signature Algorithm
Many malicious codes are constantly modified by their authors to create new versions. These variants often share similarities with the original and together form what is called a threat family.
Thanks to the similarities in the code of the malicious files, the antivirus can recognize all members of the same family through a single signature, or generic vaccine.
This means that when a new version of already-known malware appears, antivirus programs that implement this technique can detect it without needing an update.
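As an added illustration (not code from the original article), a family signature can be written as a byte pattern with wildcard positions for the bytes that vary between variants, so one pattern catches every member. The signature and the three sample byte strings are constructed for the example and do not describe any real malware.

```python
import re

# Generic (family) signature written as spaced hex with "??" wildcards for
# the bytes that differ between variants. The pattern and the samples below
# are constructed for this example and do not correspond to real malware.
FAMILY_SIGNATURE = "E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 8D 85"

def compile_signature(sig: str) -> re.Pattern:
    """Translate a wildcard hex signature into a compiled bytes regex."""
    parts = []
    for token in sig.split():
        if token == "??":
            parts.append(b".")                        # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)     # DOTALL: "." also matches 0x0A

def signature_matches(data: bytes, sig: str) -> bool:
    """True when the family pattern occurs anywhere in the sample."""
    return compile_signature(sig).search(data) is not None

# Constructed samples: two "variants" share the fixed bytes of the family
# pattern but differ in the wildcard positions; the third is a benign file.
SAMPLES = {
    "variant_a": b"MZ" + b"\x00" * 6
                 + bytes.fromhex("E8 11 22 33 44 5D 81 ED 10 20 30 40 8D 85") + b"\x90" * 4,
    "variant_b": b"MZ" + b"\x00" * 6
                 + bytes.fromhex("E8 AA BB CC DD 5D 81 ED 0A 0B 0C 0D 8D 85") + b"\xCC" * 4,
    "benign":    b"MZ" + b"\x00" * 6
                 + bytes.fromhex("55 8B EC 83 EC 10 C3") + b"\x90" * 11,
}

def scan(samples: dict, sig: str) -> list:
    """Return the names of the samples that the single family signature catches."""
    return [name for name, data in samples.items() if signature_matches(data, sig)]

if __name__ == "__main__":
    print("detected:", scan(SAMPLES, FAMILY_SIGNATURE))   # detected: ['variant_a', 'variant_b']
```

Because the pattern is anchored only on the bytes the variants keep in common, a new variant that changes just the wildcard positions is still detected without a signature update.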
Code Recognition Algorithm
When a program is compiled into an executable file, the resulting code represents instructions telling the system to perform certain actions.
The heuristic components of some antivirus products use techniques that recognize instructions commonly used by malicious code, to determine whether an executable file may be malicious.
Assembly Language Algorithm
Any executable file can be examined to obtain its assembly language source code.
The heuristics of some antivirus products analyse the source code of suspicious programs to recognize development techniques normally used by malware programmers, and thus recognize new malicious code without needing an update.
File Packing Algorithm
Malware authors often use file packers to change the appearance of the virus in the eyes of the protection scanner; packers such as UPX are widely used for this.
Antivirus programs incorporate unpacking methods into their heuristic techniques so as not to be deceived by old malicious code that has been repackaged, and so that they analyse the actual program code rather than the package.
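The first step of that unpacking logic is deciding which files look packed at all. The following is an added example, not code from the article: it flags a file for unpacking when it carries the "UPX!" marker string that UPX writes, or when its byte distribution has the near-uniform entropy of compressed code. The threshold and the three sample files are constructed for the illustration.

```python
import math
from collections import Counter

# Heuristic indicators that a file is packed and must be unpacked before its
# real code can be inspected. Threshold and samples are constructed for this
# example; "UPX!" is the marker string the UPX packer writes into its output.
ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())

def packing_indicators(data: bytes) -> list:
    """List the reasons a scanner would treat the file as packed."""
    reasons = []
    if b"UPX!" in data:
        reasons.append("upx-marker")
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons

def needs_unpacking(data: bytes) -> bool:
    """Decision point: unpack first, then run signature and code heuristics."""
    return bool(packing_indicators(data))

# Constructed samples (not real programs):
# - PLAIN: repetitive, low-entropy content as ordinary compiled code shows
# - PACKED_BODY: every byte value equally frequent, as compressed code appears
# - UPX_LIKE: low-entropy header, then the UPX marker and a packed body
PLAIN = b"MZ" + b"\x00" * 64 + b"push ebp; mov ebp, esp; ret\n" * 40
PACKED_BODY = bytes(range(256)) * 16
UPX_LIKE = b"MZ" + b"\x00" * 64 + b"UPX!" + PACKED_BODY

if __name__ == "__main__":
    for name, sample in (("PLAIN", PLAIN), ("PACKED_BODY", PACKED_BODY), ("UPX_LIKE", UPX_LIKE)):
        print(f"{name}: entropy={shannon_entropy(sample):.2f} indicators={packing_indicators(sample)}")
```

Entropy alone also fires on legitimately compressed resources, which is why the article treats it as a heuristic that triggers unpacking rather than a verdict.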
Heuristic scanning is a very difficult feature to test in antivirus products, because retrospective evaluations are required.
To analyse the heuristic or proactive features of an antivirus accurately, the product’s signature updates are frozen for a period.
During this period new malicious code samples are collected; once enough have been gathered, the antivirus products are tested to see whether they detect them.
Because the products were not updated to detect these samples, they can only recognize them through their heuristic capabilities.
Thanks to these evaluations, the performance of antivirus products against new or unknown viruses can be known in detail.
The Best and Most Convenient Heuristic Algorithm
By definition, a heuristic algorithm is one that aims to get as close to reality as possible without achieving exactness about an event.
It therefore seems appropriate to conclude that the best heuristic algorithm is the one that comes closest to the actual behaviour of the events examined for a given event.
The key optimisation factors are a minimum investment of computational resources, minimising false positives and genuine misses, and the extensibility of the model to high-variability scenarios.
This is what turns a heuristic antivirus solution from mediocre into good: the ability to approach reality, and the threat factors, are multivariate.
A heuristic antivirus engine that classifies every sample as suspicious is still a heuristic engine, but it is not optimal.
Minimising the Possibility of Virus Infection
Users can prepare for a viral infection by regularly making backup copies of their original legitimate software and data files, so that the system can be recovered if necessary.
The operating system software can be copied to a disk that is then write-protected, so that harmful files cannot overwrite it.
Viral infections can be prevented by obtaining programs from legitimate sources, using a quarantined computer to test new programs, and write-protecting floppy disks wherever possible.
Various antivirus programs can be used to detect the presence of a virus.
Antivirus programs can recognize the characteristics of a virus’s code and search for those characteristics in the computer’s files.
Since new viruses must be scanned for as they appear, scanning programs need to be updated regularly to remain effective.
Some antivirus programs look instead for typical features of viral programs; these tend to be less reliable.
The only kind of program that detects all viruses is the checksum program, which uses mathematical calculations to compare the state of executable programs before and after they are run.
If the checksum has not changed, the system is not infected. However, checksum programs can only detect an infection after it has occurred.
Integrity programs detect potentially harmful activities, such as overwriting files or formatting the hard drive.
Integrity shell programs create a layer through which every request to run a program must pass. A checksum is computed automatically in the integrity shell and, if a malicious program is detected, it is not allowed to run.
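The checksum comparison and the integrity-shell gate described above, as one added example (not code from the article): every executable is hashed while the system is known to be clean, and before anything runs its current hash is compared with that record. The directory, file names and file contents are constructed inside a temporary folder so the example runs offline.

```python
import hashlib
import os
import tempfile

# Integrity-shell style checker: record a checksum of every executable while
# the system is known to be clean, then refuse to run anything whose checksum
# no longer matches or that was never recorded. File names and contents here
# are constructed for the example.

def file_digest(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(directory: str, extensions=(".exe", ".com")) -> dict:
    """Checksum every executable under directory on a known-clean system."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(root, name)
                baseline[os.path.relpath(path, directory)] = file_digest(path)
    return baseline

def verify(directory: str, relpath: str, baseline: dict) -> str:
    """Decision the integrity shell makes before allowing relpath to run."""
    if relpath not in baseline:
        return "unknown"      # never recorded, e.g. a companion virus's new file
    current = file_digest(os.path.join(directory, relpath))
    return "ok" if current == baseline[relpath] else "modified"

def demo() -> dict:
    """Build a constructed 'system', baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("EDIT.EXE", b"MZ" + b"\x90" * 32),
                           ("FORMAT.COM", b"\xB8\x00\x4C\xCD\x21")):   # constructed stubs
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        # Simulate a parasitic infection: bytes appended to a known executable.
        with open(os.path.join(root, "EDIT.EXE"), "ab") as fh:
            fh.write(b"\xE8\x00\x00\x00\x00")
        # Simulate a companion: a new same-named executable that was never baselined.
        with open(os.path.join(root, "EDIT.COM"), "wb") as fh:
            fh.write(b"\xCC")
        return {name: verify(root, name, baseline)
                for name in ("EDIT.EXE", "FORMAT.COM", "EDIT.COM")}

if __name__ == "__main__":
    print(demo())   # {'EDIT.EXE': 'modified', 'FORMAT.COM': 'ok', 'EDIT.COM': 'unknown'}
```

The baseline is only as trustworthy as the system it was taken on: re-recording a file’s checksum right after it changed, without confirming the change was legitimate, is exactly the gap a slow infector relies on.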
When a viral infection is detected, it can be contained by immediately isolating the computers on the network, stopping file sharing, and using only write-protected disks.
For a computer system to recover from a viral infection, the virus must first be removed. Some antivirus programs try to remove detected threats, but the results are sometimes unsatisfactory.
More reliable results are achieved by disconnecting the affected computer, booting from a write-protected floppy disk, deleting the infected files and replacing them with legitimate backup copies, and removing any threat that may be in the boot sector.
Virus authors have several strategies for escaping antivirus programs and spreading their creations more effectively.
Polymorphic viruses alter their copies to avoid detection by scanning programs.
Stealth viruses, when they control their location, hide from the operating system by simulating the results that a clean system would return.
Viruses called fast infectors infect not only programs that are run but also programs that are merely opened.
This means that running an antivirus scanning program on a computer affected by such a virus can infect every program on the computer.
Viruses called slow infectors infect files only when the files are modified, so checksum programs interpret the change in the checksum as legitimate.
The sparse infection strategy, which infects only about one in ten programs run, makes the virus difficult to detect and is one of the most tactical approaches.
The biggest problem that computer security techniques need to solve is unauthorized access to data.