Hubbry Logo
Computer virusComputer virusMain
Open search
Computer virus
Community hub
Computer virus
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Computer virus
Computer virus
Computer virus
View on Wikipedia
from Wikipedia

Hex dump of the Brain virus, generally regarded as the first computer virus for the IBM Personal Computer (IBM PC) and compatibles

A computer virus[1] is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs.[2][3] If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.[4]

Computer viruses generally require a host program.[5] The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage. By contrast, a computer worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks.[6][7]

Virus writers use social engineering deceptions and exploit detailed knowledge of security vulnerabilities to initially infect systems and to spread the virus. Viruses use complex anti-detection/stealth strategies to evade antivirus software.[8] Motives for creating viruses can include seeking profit (e.g., with ransomware), desire to send a political message, personal amusement, to demonstrate that a vulnerability exists in software, for sabotage and denial of service, or simply because they wish to explore cybersecurity issues, artificial life and evolutionary algorithms.[9]

As of 2013, computer viruses caused billions of dollars' worth of economic damage each year.[10] In response, an industry of antivirus software has cropped up, selling or freely distributing virus protection to users of various operating systems.[11]

History

[edit]
See also: History of antivirus software, History of ransomware, and History of malware
Further information: Timeline of computer viruses and worms and Malware research

The first academic work on the theory of self-replicating computer programs was done in 1949 by John von Neumann who gave lectures at the University of Illinois about the "Theory and Organization of Complicated Automata". The work of von Neumann was later published as the "Theory of self-reproducing automata". In his essay von Neumann described how a computer program could be designed to reproduce itself.[12] Von Neumann's design for a self-reproducing computer program is considered the world's first computer virus, and he is considered to be the theoretical "father" of computer virology.[13]

In 1972, Veith Risak directly building on von Neumann's work on self-replication, published his article "Selbstreproduzierende Automaten mit minimaler Informationsübertragung" (Self-reproducing automata with minimal information exchange).[14] The article describes a fully functional virus written in assembler programming language for a SIEMENS 4004/35 computer system. In 1980, Jürgen Kraus wrote his Diplom thesis "Selbstreproduktion bei Programmen" (Self-reproduction of programs) at the University of Dortmund.[15] In his work Kraus postulated that computer programs can behave in a way similar to biological viruses.

The MacMag virus 'Universal Peace', as displayed on a Mac in March 1988

The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s.[16] Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971.[17] Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system.[18] Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'M THE CREEPER. CATCH ME IF YOU CAN!" was displayed.[19] The Reaper program was created to delete Creeper.[20]

In 1982, a program called "Elk Cloner" was the first personal computer virus to appear "in the wild"—that is, outside the single computer or computer lab where it was created.[21] Written in 1981 by Richard Skrenta, a ninth grader at Mt. Lebanon High School near Pittsburgh, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk.[21] On its 50th use the Elk Cloner virus would be activated, infecting the personal computer and displaying a short poem beginning "Elk Cloner: The program with a personality."

In 1984, Fred Cohen from the University of Southern California wrote his paper "Computer Viruses – Theory and Experiments".[22] It was the first paper to explicitly call a self-reproducing program a "virus", a term introduced by Cohen's mentor Leonard Adleman.[23] In 1987, Cohen published a demonstration that there is no algorithm that can perfectly detect all possible viruses.[24] Cohen's theoretical compression virus[25] was an example of a virus which was not malicious software (malware), but was putatively benevolent (well-intentioned). However, antivirus professionals do not accept the concept of "benevolent viruses", as any desired function can be implemented without involving a virus (automatic compression, for instance, is available under Windows at the choice of the user). Any virus will by definition make unauthorised changes to a computer, which is undesirable even if no damage is done or intended. The first page of Dr Solomon's Virus Encyclopaedia explains the undesirability of viruses, even those that do nothing but reproduce.[26][27]

An article that describes "useful virus functionalities" was published by J. B. Gunn under the title "Use of virus functions to provide a virtual APL interpreter under user control" in 1984.[28] The first IBM PC compatible virus in the "wild" was a boot sector virus dubbed (c)Brain,[29] created in 1986 and was released in 1987 by Amjad Farooq Alvi and Basit Farooq Alvi in Lahore, Pakistan, reportedly to deter unauthorized copying of the software they had written.[30]

The first virus to specifically target Microsoft Windows, WinVir was discovered in April 1992, two years after the release of Windows 3.0.[31] The virus did not contain any Windows API calls, instead relying on DOS interrupts. A few years later, in February 1996, Australian hackers from the virus-writing crew VLAD created the Bizatch virus (also known as "Boza" virus), which was the first known virus to specifically target Windows 95.[32] This virus attacked the new portable executable (PE) files introduced in Windows 95.[33] In late 1997 the encrypted, memory-resident stealth virus Win32.Cabanas was released—the first known virus that targeted Windows NT (it was also able to infect Windows 3.0 and Windows 9x hosts).[34]

Even home computers were affected by viruses. The first one to appear on the Amiga was a boot sector virus called SCA virus, which was detected in November 1987.[35] By 1988, one sysop reportedly found that viruses infected 15% of the software available for download on his BBS.[36]

Design

[edit]

Parts

[edit]

A computer virus generally contains three parts: the infection mechanism, which finds and infects new files, the payload, which is the malicious code to execute, and the trigger, which determines when to activate the payload.[37]

Infection mechanism
Also called the infection vector, this is how the virus spreads. Some viruses have a search routine, which locate and infect files on disk.[38] Other viruses infect files as they are run, such as the Jerusalem DOS virus.
Trigger
Also known as a logic bomb, this is the part of the virus that determines the condition for which the payload is activated.[39] This condition may be a particular date, time, presence of another program, size on disk exceeding a threshold,[40] or opening a specific file.[41]
Payload
The payload is the body of the virus that executes the malicious activity. Examples of malicious activities include damaging files, theft of confidential information or spying on the infected system.[42][43] Payload activity is sometimes noticeable as it can cause the system to slow down or "freeze".[38] Sometimes payloads are non-destructive and their main purpose is to spread a message to as many people as possible. This is called a virus hoax.[44]

Phases

[edit]

Virus phases is the life cycle of the computer virus, described by using an analogy to biology. This life cycle can be divided into four phases:

Dormant phase
The virus program is idle during this stage. The virus program has managed to access the target user's computer or software, but during this stage, the virus does not take any action. The virus will eventually be activated by the "trigger" which states which event will execute the virus. Not all viruses have this stage.[38]
Propagation phase
The virus starts propagating, which is multiplying and replicating itself. The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often "morph" or change to evade detection by IT professionals and anti-virus software. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.[38]
Triggering phase
A dormant virus moves into this phase when it is activated, and will now perform the function for which it was intended. The triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.[38] The trigger may occur when an employee is terminated from their employment or after a set period of time has elapsed, in order to reduce suspicion.
Execution phase
This is the actual work of the virus, where the "payload" will be released. It can be destructive such as deleting files on disk, crashing the system, or corrupting files or relatively harmless such as popping up humorous or political messages on screen.[38]

Targets and replication

[edit]

Computer viruses infect a variety of different subsystems on their host computers and software.[45] One manner of classifying viruses is to analyze whether they reside in binary executables (such as .EXE or .COM files), data files (such as Microsoft Word documents or PDF files), or in the boot sector of the host's hard drive (or some combination of all of these).[46][47]

A memory-resident virus (or simply "resident virus") installs itself as part of the operating system when executed, after which it remains in RAM from the time the computer is booted up to when it is shut down. Resident viruses overwrite interrupt handling code or other functions, and when the operating system attempts to access the target file or disk sector, the virus code intercepts the request and redirects the control flow to the replication module, infecting the target. In contrast, a non-memory-resident virus (or "non-resident virus"), when executed, scans the disk for targets, infects them, and then exits (i.e. it does not remain in memory after it is done executing).[48]

Many common applications, such as Microsoft Outlook and Microsoft Word, allow macro programs to be embedded in documents or emails, so that the programs may be run automatically when the document is opened. A macro virus (or "document virus") is a virus that is written in a macro language and embedded into these documents so that when users open the file, the virus code is executed, and can infect the user's computer. This is one of the reasons that it is dangerous to open unexpected or suspicious attachments in e-mails.[49][50] While not opening attachments in e-mails from unknown persons or organizations can help to reduce the likelihood of contracting a virus, in some cases, the virus is designed so that the e-mail appears to be from a reputable organization (e.g., a major bank or credit card company).

Boot sector viruses specifically target the boot sector and/or the Master Boot Record[51] (MBR) of the host's hard disk drive, solid-state drive, or removable storage media (flash drives, floppy disks, etc.).[52]

The most common way of transmission of computer viruses in boot sector is physical media. When reading the VBR of the drive, the infected floppy disk or USB flash drive connected to the computer will transfer data, and then modify or replace the existing boot code. The next time a user tries to start the desktop, the virus will immediately load and run as part of the master boot record.[53]

Email viruses are viruses that intentionally, rather than accidentally, use the email system to spread. While virus infected files may be accidentally sent as email attachments, email viruses are aware of email system functions. They generally target a specific type of email system (Microsoft Outlook is the most commonly used), harvest email addresses from various sources, and may append copies of themselves to all email sent, or may generate email messages containing copies of themselves as attachments.[54]

Detection

[edit]

To avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those which maintain and date cyclic redundancy checks on file changes.[55] Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.[56] Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them (for example, Conficker). A Virus may also hide its presence using a rootkit by not showing itself on the list of system processes or by disguising itself within a trusted process.[57] In the 2010s, as computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.[citation needed] In addition, only a small fraction of known viruses actually cause real incidents, primarily because many viruses remain below the theoretical epidemic threshold.[58]

Read request intercepts

[edit]

While some kinds of antivirus software employ various techniques to counter stealth mechanisms, once the infection occurs any recourse to "clean" the system is unreliable. In Microsoft Windows operating systems, the NTFS file system is proprietary. This leaves antivirus software little alternative but to send a "read" request to Windows files that handle such requests. Some viruses trick antivirus software by intercepting its requests to the operating system. A virus can hide by intercepting the request to read the infected file, handling the request itself, and returning an uninfected version of the file to the antivirus software. The interception can occur by code injection of the actual operating system files that would handle the read request. Thus, an antivirus software attempting to detect the virus will either not be permitted to read the infected file, or, the "read" request will be served with the uninfected version of the same file.[59]

The only reliable method to avoid "stealth" viruses is to boot from a medium that is known to be "clear". Security software can then be used to check the dormant operating system files. Most security software relies on virus signatures, or they employ heuristics.[60][61] Security software may also use a database of file "hashes" for Windows OS files, so the security software can identify altered files, and request Windows installation media to replace them with authentic versions. In older versions of Windows, file cryptographic hash functions of Windows OS files stored in Windows—to allow file integrity/authenticity to be checked—could be overwritten so that the System File Checker would report that altered system files are authentic, so using file hashes to scan for altered files would not always guarantee finding an infection.[62]

Self-modification

[edit]
See also: Self-modifying code

Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures.[63] Different antivirus programs will employ different search methods when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.[citation needed]

One method of evading signature detection is to use simple encryption to encipher (encode) the body of the virus, leaving only the encryption module and a static cryptographic key in cleartext which does not change from one infection to the next.[64] In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that finding some may be reason enough for virus scanners to at least "flag" the file as suspicious.[citation needed] An old but compact way will be the use of arithmetic operation like addition or subtraction and the use of logical conditions such as XORing,[65] where each byte in a virus is with a constant so that the exclusive-or operation had only to be repeated for decryption. It is suspicious for a code to modify itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.[citation needed] A simpler older approach did not use a key, where the encryption consisted only of operations with no parameters, like incrementing and decrementing, bitwise rotation, arithmetic negation, and logical NOT.[65] Some viruses, called polymorphic viruses, will employ a means of encryption inside an executable in which the virus is encrypted under certain events, such as the virus scanner being disabled for updates or the computer being rebooted.[66] This is called cryptovirology.

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using "signatures".[67][68] Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called "mutating engine" or "mutation engine") somewhere in its encrypted body. See polymorphic code for technical detail on how such engines operate.[69]

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals and investigators to obtain representative samples of the virus, because "bait" files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that utilize this technique are said to be in metamorphic code. To enable metamorphism, a "metamorphic engine" is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14,000 lines of assembly language code, 90% of which is part of the metamorphic engine.[70][71]

Effects

[edit]

Damage is due to causing system failure, corrupting data, wasting computer resources, increasing maintenance costs or stealing personal information.[10] Even though no antivirus software can uncover all computer viruses (especially new ones), computer security researchers are actively searching for new ways to enable antivirus solutions to more effectively detect emerging viruses, before they become widely distributed.[72]

A power virus is a computer program that executes specific machine code to reach the maximum CPU power dissipation (thermal energy output for the central processing units).[73] Computer cooling apparatus are designed to dissipate power up to the thermal design power, rather than maximum power, and a power virus could cause the system to overheat if it does not have logic to stop the processor. This may cause permanent physical damage. Power viruses can be malicious, but are often suites of test software used for integration testing and thermal testing of computer components during the design phase of a product, or for product benchmarking.[74]

Stability test applications are similar programs which have the same effect as power viruses (high CPU usage) but stay under the user's control. They are used for testing CPUs, for example, when overclocking. Spinlock in a poorly written program may cause similar symptoms, if it lasts sufficiently long.

Different micro-architectures typically require different machine code to hit their maximum power. Examples of such machine code do not appear to be distributed in CPU reference materials.[75]

Infection vectors

[edit]

As software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit and manipulate security bugs, which are software defects in a system or application software, to spread themselves and infect other computers. Software development strategies that produce large numbers of "bugs" will generally also produce potential exploitable "holes" or "entrances" for the virus.

To replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs (see code injection). If a user attempts to launch an infected program, the virus' code may be executed simultaneously.[76] In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created and named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is a digital image and most likely is safe, yet when opened, it runs the executable on the client machine.[77] Viruses may be installed on removable media, such as flash drives. The drives may be left in a parking lot of a government building or other target, with the hopes that curious users will insert the drive into a computer. In a 2015 experiment, researchers at the University of Michigan found that 45–98 percent of users would plug in a flash drive of unknown origin.[78]

The vast majority of viruses target systems running Microsoft Windows. This is due to Microsoft's large market share of desktop computer users.[79] The diversity of software systems on a network limits the destructive potential of viruses and malware.[a] Open-source operating systems such as Linux allow users to choose from a variety of desktop environments, packaging tools, etc., which means that malicious code targeting any of these systems will only affect a subset of all users. Many Windows users are running the same set of applications, enabling viruses to rapidly spread among Microsoft Windows systems by targeting the same exploits on large numbers of hosts.[80][81][82][83]

While Linux and Unix in general have always natively prevented normal users from making changes to the operating system environment without permission, Windows users are generally not prevented from making these changes, meaning that viruses can easily gain control of the entire system on Windows hosts. This difference has continued partly due to the widespread use of administrator accounts in contemporary versions like Windows XP. In 1997, researchers created and released a virus for Linux—known as "Bliss".[84] Bliss, however, requires that the user run it explicitly, and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as an administrator, or "root user", except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.[85]

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. Personal computers of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the "wild" for many years. Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in bulletin board system (BBS), modem use, and software sharing. Bulletin board–driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSs.[86][87] Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by other computers.[88]

Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Microsoft Word and Microsoft Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected email messages, those viruses which did take advantage of the Microsoft Outlook Component Object Model (COM) interface.[89][90] Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".[91]

A virus may also send a web address link as an instant message to all the contacts (e.g., friends and colleagues' e-mail addresses) stored on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.[92] Viruses that spread using cross-site scripting were first reported in 2002,[93] and were academically demonstrated in 2005.[94] There have been multiple instances of the cross-site scripting viruses in the "wild", exploiting websites such as MySpace (with the Samy worm) and Yahoo!.

Countermeasures

[edit]
See also: Malware § Vulnerability to malware, Anti-malware, and Browser security § Browser hardening
Screenshot of the open-source ClamWin antivirus software running in Wine on Ubuntu Linux

In 1989 The ADAPSO Software Industry Division published Dealing With Electronic Vandalism,[95] in which they followed the risk of data loss by "the added risk of losing customer confidence."[96][97][98]

Many users install antivirus software that can detect and eliminate known viruses when the computer attempts to download or run the executable file (which may be distributed as an email attachment, or on USB flash drives, for example). Some antivirus software blocks known malicious websites that attempt to install malware. Antivirus software does not change the underlying capability of hosts to transmit viruses. Users must update their software regularly to patch security vulnerabilities ("holes"). Antivirus software also needs to be regularly updated to recognize the latest threats. This is because malicious hackers and other individuals are always creating new viruses. The German AV-TEST Institute publishes evaluations of antivirus software for Windows[99] and Android.[100]

Examples of Microsoft Windows anti virus and anti-malware software include the optional Microsoft Security Essentials[101] (for Windows XP, Vista and Windows 7) for real-time protection, the Windows Malicious Software Removal Tool[102] (now included with Windows (Security) Updates on "Patch Tuesday", the second Tuesday of each month), and Windows Defender (an optional download in the case of Windows XP).[103] Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use).[104] Some such free programs are almost as good as commercial competitors.[105] Common security vulnerabilities are assigned CVE IDs and listed in the US National Vulnerability Database. Secunia PSI[106] is an example of software, free for personal use, that will check a PC for vulnerable out-of-date software, and attempt to update it. Ransomware and phishing scam alerts appear as press releases on the Internet Crime Complaint Center noticeboard. Ransomware is a virus that posts a message on the user's screen saying that the screen or system will remain locked or unusable until a ransom payment is made. Phishing is a deception in which the malicious individual pretends to be a friend, computer security expert, or other benevolent individual, with the goal of convincing the targeted individual to reveal passwords or other personal information.

Other commonly used preventive measures include timely operating system updates, software updates, careful Internet browsing (avoiding shady websites), and installation of only trusted software.[107] Certain browsers flag sites that have been reported to Google and that have been confirmed as hosting malware by Google.[108][109]

There are two common methods that an antivirus software application uses to detect viruses, as described in the antivirus software article. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its Random Access Memory (RAM), and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives, or USB flash drives), and comparing those files against a database of known virus "signatures". Virus signatures are just strings of code that are used to identify individual viruses; for each virus, the antivirus designer tries to choose a unique signature string that will not be found in a legitimate program. Different antivirus programs use different "signatures" to identify viruses. The disadvantage of this detection method is that users are only protected from viruses that are detected by signatures in their most recent virus definition update, and not protected from new viruses (see "zero-day attack").[110]

A second method to find viruses is to use a heuristic algorithm based on common virus behaviors. This method can detect new viruses for which antivirus security firms have yet to define a "signature", but it also gives rise to more false positives than using signatures. False positives can be disruptive, especially in a commercial environment, because it may lead to a company instructing staff not to use the company computer system until IT services have checked the system for viruses. This can slow down productivity for regular workers.

Recovery strategies and methods

[edit]

One may reduce the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time, as in a hard drive), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which will hopefully be recent).[111] If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. Backups on removable media must be carefully inspected before restoration. The Gammima virus, for example, propagates via removable flash drives.[112][113]

Many websites run by antivirus software companies provide free online virus scanning, with limited "cleaning" facilities (after all, the purpose of the websites is to sell antivirus products and services). Some websites—like Google subsidiary VirusTotal.com—allow users to upload one or more suspicious files to be scanned and checked by one or more antivirus programs in one operation.[114][115] Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use).[116] Microsoft offers an optional free antivirus utility called Microsoft Security Essentials, a Windows Malicious Software Removal Tool that is updated as part of the regular Windows update regime, and an older optional anti-malware (malware removal) tool Windows Defender that has been upgraded to an antivirus product in Windows 8.

Some viruses disable System Restore and other important Windows tools such as Task Manager and CMD. An example of a virus that does this is CiaDoor. Many such viruses can be removed by rebooting the computer, entering Windows "safe mode" with networking, and then using system tools or Microsoft Safety Scanner.[117] System Restore on Windows Me, Windows XP, Windows Vista and Windows 7 can restore the registry and critical system files to a previous checkpoint. Often a virus will cause a system to "hang" or "freeze", and a subsequent hard reboot will render a system restore point from the same day corrupted. Restore points from previous days should work, provided the virus is not designed to corrupt the restore files and does not exist in previous restore points.[118][119]

Microsoft's System File Checker (improved in Windows 7 and later) can be used to check for, and repair, corrupted system files.[120] Restoring an earlier "clean" (virus-free) copy of the entire partition from a cloned disk, a disk image, or a backup copy is one solution—restoring an earlier backup disk "image" is relatively simple to do, usually removes any malware, and may be faster than "disinfecting" the computer—or reinstalling and reconfiguring the operating system and programs from scratch, as described below, then restoring user preferences.[111] Reinstalling the operating system is another approach to virus removal. It may be possible to recover copies of essential user data by booting from a live CD, or connecting the hard drive to another computer and booting from the second computer's operating system, taking great care not to infect that computer by executing any infected programs on the original drive. The original hard drive can then be reformatted and the OS and all programs installed from original media. Once the system has been restored, precautions must be taken to avoid reinfection from any restored executable files.[121]

[edit]

The first known description of a self-reproducing program in fiction is in the 1970 short story The Scarred Man by Gregory Benford which describes a computer program called VIRUS which, when installed on a computer with telephone modem dialing capability, randomly dials phone numbers until it hits a modem that is answered by another computer, and then attempts to program the answering computer with its own program, so that the second computer will also begin dialing random numbers, in search of yet another computer to program. The program rapidly spreads exponentially through susceptible computers and can only be countered by a second program called VACCINE.[122] His story was based on an actual computer virus written in FORTRAN that Benford had created and run on the lab computer in the 1960s, as a proof-of-concept, and which he told John Brunner about in 1970.[123]

The idea was explored further in two 1972 novels, When HARLIE Was One by David Gerrold and The Terminal Man by Michael Crichton, and became a major theme of the 1975 novel The Shockwave Rider by John Brunner.[124]

The 1973 Michael Crichton sci-fi film Westworld made an early mention of the concept of a computer virus, being a central plot theme that causes androids to run amok.[125][better source needed] Alan Oppenheimer's character summarizes the problem by stating that "...there's a clear pattern here which suggests an analogy to an infectious disease process, spreading from one...area to the next." To which the replies are stated: "Perhaps there are superficial similarities to disease" and, "I must confess I find it difficult to believe in a disease of machinery."[126]

In 2016, Jussi Parikka announced the creation of The Malware Museum of Art: a collection of malware programs, usually viruses, distributed in the 1980s and 1990s on home computers. Malware Museum of Art is hosted at The Internet Archive and is curated by Mikko Hyppönen from Helsinki, Finland.[127] The collection allows anyone with a computer to experience virus infection of decades ago with safety.[128]

Other malware

[edit]
Main article: Malware

The term "virus" is also misused by extension to refer to other types of malware. "Malware" encompasses computer viruses along with many other forms of malicious software, such as computer "worms", ransomware, spyware, adware, trojan horses, keyloggers, rootkits, bootkits, malicious Browser Helper Object (BHOs), and other malicious software. The majority of active malware threats are trojan horse programs or computer worms rather than computer viruses. The term computer virus, coined by Fred Cohen in 1985, is a misnomer.[129] Viruses often perform some type of harmful activity on infected host computers, such as acquisition of hard disk space or central processing unit (CPU) time, accessing and stealing private information (e.g., credit card numbers, debit card numbers, phone numbers, names, email addresses, passwords, bank information, house addresses, etc.), corrupting data, displaying political, humorous or threatening messages on the user's screen, spamming their e-mail contacts, logging their keystrokes, or even rendering the computer useless. However, not all viruses carry a destructive "payload" and attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs that modify other software without user consent by injecting themselves into the said programs, similar to a biological virus which replicates within living cells.

See also

[edit]

Notes

[edit]

References

[edit]

Further reading

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Computer virus

View on Grokipedia
from Grokipedia
A computer virus is a type of malicious software that, when executed, replicates itself by modifying other computer programs, files, or boot sectors to insert its own code, thereby spreading to additional systems or media upon user interaction or program execution. Unlike self-propagating worms, viruses typically require a host file or user action, such as opening an infected or running a contaminated , to infect and disseminate. This mechanism draws an analogy to biological viruses, enabling rapid proliferation across networks, devices, and storage media while potentially evading detection by altering its signature or behavior. The concept of computer viruses traces back to theoretical work in the mid-20th century, with mathematician exploring self-replicating automata in 1949, laying foundational ideas for programs that could copy themselves. The term "computer virus" was formally coined in 1983 by Fred Cohen during his graduate research at the , where he defined it as "a program that can infect other programs by modifying them to include a possibly evolved copy of itself" and demonstrated experimental viruses on VAX systems. The first known experimental self-replicating program, Creeper, appeared in 1971 on , created by Bob Thomas as a harmless test that displayed "I'm the creeper, catch me if you can," and was neutralized by Ray Tomlinson's program. Practical viruses emerged in the 1980s, with the 1986 Brain virus—written by Pakistani brothers Basit and Amjad Farooq Alvi to protect software copies—marking the first to target PCs by infecting boot sectors of floppy disks. Computer viruses encompass various subtypes based on infection targets and methods, including file infector viruses that embed in executable files to corrupt or steal information, boot sector viruses that compromise startup processes on disks or drives, macro viruses that exploit document scripting in applications like or Excel, and polymorphic viruses that mutate their code to avoid antivirus detection. They spread primarily through attachments, infected downloads from untrusted websites, like USB drives, or vulnerabilities in software and networks, often disguising themselves as benign files to trick users. Once activated, viruses can cause harm ranging from benign annoyances, such as displaying messages, to severe damage like , system crashes, theft, or facilitation of and botnets. The evolution of computer viruses has paralleled advancements in computing, shifting from standalone infections in the pre-internet era to sophisticated, network-aware threats integrated with other malware families under the broader umbrella of malware. Early self-propagating malware like the 1988 highlighted risks to interconnected systems, infecting thousands of UNIX machines and inspiring modern cybersecurity practices. Today, while the term "virus" is sometimes used loosely for any malicious code, strict definitions emphasize their parasitic nature and reliance on hosts, distinguishing them from standalone trojans or rootkits. Protection involves multilayered strategies, including updated , firewalls, regular system scans, user education on avoidance, and safe browsing habits to mitigate infection risks. Despite these defenses, viruses remain a persistent threat, adapting to , mobile devices, and IoT ecosystems, underscoring the ongoing arms race between creators and defenders in cybersecurity.

Fundamentals

Definition

A computer virus is a type of malicious software that attaches itself to legitimate programs or files, replicating by infecting other files or systems upon execution of the host. This typically requires execution of the infected host, often involving user action, distinguishing it from worms that propagate independently without such intervention. Essential attributes of a computer virus include its dependence on host files or programs for propagation, as it cannot spread independently like some network-based threats. Additionally, viruses have the potential to alter, corrupt, or delete on infected systems, though the primary mechanism is rather than immediate execution. The term "computer virus" was first used in 1983 by Fred Cohen during his graduate research at the , who defined it as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself," and formalized this in his 1984 academic paper. This definition established the foundational concept of viral in environments.

Key Characteristics

Computer viruses exhibit autonomy in replication, a core trait that enables them to spread without direct user intervention beyond the initial execution of an infected host. This process involves the virus embedding its into other legitimate programs or files, where it remains dormant until the host is executed, at which point the viral activates and seeks new targets for . Unlike self-contained such as worms, viruses rely on this host-mediated propagation to achieve transitive spread across systems, leveraging user authorizations and sharing mechanisms to infect additional executables. A defining feature of computer viruses is their host dependency, distinguishing them from independent by necessitating attachment to viable host files for survival and dissemination. Viruses typically integrate with executable formats like .exe files or document types such as .doc, modifying the host's structure—often by prepending, appending, or intruding into the code—while preserving the host's apparent functionality to avoid immediate detection. This dependency ensures that the virus cannot operate standalone and instead propagates only when the infected host is run, exploiting the host's execution environment for replication. Many computer viruses incorporate polymorphism and mutation techniques to obfuscate their signatures and evade antivirus detection. Polymorphic viruses encrypt or rearrange their using variable keys or ciphers, generating unique variants each time they replicate while maintaining functional equivalence. More advanced metamorphic variants go further by completely rewriting their entire codebase during propagation, replacing instructions with semantically identical alternatives to produce offspring that bear no structural resemblance to the parent. Virus activation relies on sophisticated trigger mechanisms that determine when the malicious executes, allowing the virus to remain latent post-infection. These triggers can be time-based, such as activating on a specific date like the 13th of a month, or event-driven, responding to user actions like file access or system boot sequences. Other common triggers include counters that delay payload delivery until a threshold number of infections occurs, or logical conditions tied to environmental factors, ensuring controlled and potentially stealthy operation. The payload delivery phase represents the virus's non-replicative intent, executing harmful actions only after successful and trigger satisfaction to maximize impact while minimizing early exposure. often involve , such as overwriting files or scrambling disk sectors, or the installation of backdoors for unauthorized access. These functions are designed by the virus author to achieve objectives ranging from disruption to , with execution typically integrated into the host's runtime to blend seamlessly with normal operations.

Historical Development

Early Concepts and Origins

The concept of self-replicating programs in computing drew early inspiration from biological viruses, with theorists exploring how digital entities could mimic natural reproduction processes. In 1949, mathematician delivered lectures at the University of Illinois, outlining a theoretical framework for self-reproducing automata—hypothetical machines capable of creating exact copies of themselves within a environment. This work, posthumously published as Theory of Self-Reproducing Automata in 1966, laid foundational ideas for programs that could propagate autonomously, influencing later discussions on computational replication without direct human intervention. The first practical demonstration of such a self-replicating program emerged in 1971 with Bob Thomas's Creeper, an experimental worm developed at Bolt, Beranek and Newman (BBN) Technologies. Designed to test network mobility on the , Creeper traversed Tenex operating systems across connected computers, copying itself to remote machines and displaying the benign message "I'm the creeper, !" Unlike later malicious code, Creeper caused no harm and served purely as a proof-of-concept for self-propagation in a networked environment, prompting the creation of Ray Tomlinson's program to seek and eliminate it. This experiment highlighted the potential for programs to spread uncontrollably across distributed systems, though it remained confined to research settings. Academic formalization of computer viruses occurred in 1983 through Fred Cohen's graduate work at the (USC). In his thesis experiments on VAX-11/780 systems running Unix, Cohen developed and demonstrated five viral programs that infected other executable files by appending malicious code, proving that such entities could evade traditional security measures without physical isolation. Cohen's November 3 seminar presentation coined the term "computer virus" to describe a program capable of modifying others to include a copy of itself, emphasizing its infectious nature akin to biological pathogens. His analysis concluded that viruses were theoretically uncontainable in open systems, a finding that shifted focus toward preventive strategies like access controls. Throughout these early developments, motivations were predominantly experimental and educational, aimed at understanding replication mechanics rather than causing disruption. Von Neumann's automata explored logical and informational reliability in complex systems, Creeper tested resilience, and Cohen's viruses illustrated security vulnerabilities in controlled lab environments. This non-malicious intent contrasted sharply with the destructive applications that would emerge later, establishing as a core concept in while underscoring the need for safeguards against unintended spread.

Notable Incidents and Evolution

The first widespread virus, known as , emerged in 1986 when brothers Basit and Amjad Farooq Alvi in , , developed it to protect their from by infecting the s of floppy disks. This virus marked the beginning of practical viral threats on PC compatibles, spreading through shared disks and displaying a message with the brothers' contact information upon infection. The late 1990s introduced the macro virus era, exemplified by Melissa in March 1999, which exploited Microsoft Word macros to propagate via email attachments and automatically forward itself to the first 50 contacts in the victim's Outlook address book. Created by David L. Smith, Melissa rapidly overwhelmed corporate email servers worldwide, leading to temporary shutdowns at organizations like the Pentagon and causing an estimated $80 million in direct damages from lost productivity and cleanup efforts. This incident highlighted the shift from physical media to network-based dissemination, accelerating the adoption of email security measures. Building on this momentum, the worm-virus hybrid struck in May 2000, spreading through deceptive attachments disguised as love letters that executed scripts upon opening, overwriting files and emailing itself to all contacts in the Windows . Attributed to Onel de Guzman in the , it infected tens of millions of computers globally within days, disrupting operations at major entities including the U.S. and British , with estimated worldwide damages ranging from $6.7 billion to $15 billion due to system repairs, data loss, and downtime. In the , computer viruses evolved toward fileless variants that evade traditional detection by operating in and registry without dropping files, as seen with Poweliks in 2014, which used in Word documents to inject into the for persistence and ad-click . This approach represented a sophistication in stealth, exploiting legitimate system processes like rundll32.exe to avoid antivirus scans. By the 2020s, polymorphic viruses have incorporated AI techniques, such as generative adversarial networks (GANs), to dynamically alter their code signatures and behaviors, enabling evasion of signature-based and even machine learning detectors. These AI-assisted variants generate adversarial samples that mimic benign traffic or mutate in real-time, posing challenges to static analysis and contributing to a rise in sophisticated, targeted attacks up to 2025. Over decades, virus propagation has transitioned from floppy disks in the 1980s to networked and web vectors in the and , and further to mobile apps and (IoT) devices in the onward, where vulnerabilities in connected ecosystems like smart homes amplify spread. Enhanced operating system protections, including built-in antivirus like Windows Defender and sandboxing in macOS and Android, have contributed to a decline in standalone , shifting threats toward integrated ecosystems and hybrids.

Technical Design

Core Components

A typical computer virus is structured as a modular program consisting of distinct code segments that enable its survival and spread while minimizing detection. These components work in concert to allow the virus to integrate into host systems, propagate, execute harmful actions, and evade analysis. The design draws from early theoretical models, where viruses are defined as programs that modify other programs to include copies of themselves, often with additional functionality for persistence or disruption. The infection routine is the initial code segment responsible for locating suitable host files and attaching the viral code to them. This routine typically scans for executable files or other targets, such as .exe files in Windows environments, and modifies their structure by appending or prepending the virus body. To perform these modifications, it often invokes operating system API calls, like CreateFile to open the target and WriteFile to overwrite or append data, ensuring the host remains functional while redirecting execution to the virus. Parasitic file-infecting viruses primarily employ two attachment methods: appending (tail parasitism) and prepending (head parasitism). In appending, the virus attaches its code to the end of the host file. To ensure execution of the virus code first, the virus modifies the host file's entry point—for example, by altering the AddressOfEntryPoint field in the Portable Executable (PE) header for Windows executables—to point to the start of the viral code. Alternatively, it may insert a jump instruction to the virus code at the original entry point. After performing its infection and payload operations, the virus jumps back to the original entry point, allowing the host program to continue normal execution. This method is more common because it avoids relocation issues, as the appended virus code does not require adjusting internal address references within the original host code. In prepending, the virus inserts its code at the beginning of the host file, shifting the original code to later positions in the file. Upon execution, the virus code runs first, completes its tasks, and then transfers control to the relocated original entry point. In complex formats like PE, this requires handling file headers, section alignments, and relocation tables to preserve executability, making the method more complicated and less common. Some prepending viruses use indirect techniques, such as copying the original program to a temporary file and executing it via system calls or batch scripts. These parasitic methods modify the file structure for covert infection while preserving the host program's normal execution, reducing the chance of immediate user detection. The replication module handles the copying of the viral code to new hosts, incorporating logic to propagate efficiently without redundancy. This module executes during the infection process, duplicating the virus body and integrating it into the selected files or memory segments. A key feature is the inclusion of checks to avoid re-infecting the same file, such as scanning for a unique marker (e.g., a specific byte sequence) already embedded by prior infections, which prevents unnecessary resource consumption and reduces the risk of file corruption that could alert users. This selective replication ensures controlled spread, often limited to shared directories or networks accessible via user permissions. The payload represents the core malicious or demonstrative functionality activated under specific conditions, distinguishing viruses from benign replicators. It may include actions like displaying innocuous messages for proof-of-concept viruses, encrypting files to demand ransom as in ransomware variants, or exfiltrating sensitive data to remote servers. For example, early experimental viruses demonstrated payloads such as infinite loops causing denial of service when a trigger like a date threshold (e.g., year > 1984) is met, while modern ones might delete system files or install backdoors. The payload's design prioritizes delayed execution to allow replication first, enhancing overall infectivity. Anti-detection features comprise stealth techniques embedded in the virus to conceal its presence from scanners and users. Common methods include entry point obscuring (EPO), where the virus alters random instructions in the host file to insert a jump to its code, avoiding predictable modifications at the file's start that signature-based detectors target. Code obfuscation further hides the virus by encrypting its body, using polymorphic engines to mutate non-essential parts across infections, or employing metamorphic rewriting to generate unique variants that evade pattern matching. These mechanisms exploit the undecidability of precise virus detection, making static analysis challenging. Many viruses incorporate an optional termination condition to control their lifecycle, such as triggers for dormancy or self-removal after achieving objectives. This might involve a time-based dormancy where the virus ceases replication upon reaching a predefined date or infection quota, reducing visibility during investigations. Self-removal routines can delete the viral code from hosts under certain conditions, like after payload delivery, to limit forensic traces, though precise implementation varies and often relies on the same API calls used for infection. Such features are not universal but appear in sophisticated designs to balance spread with evasion.

Operational Phases

Computer viruses operate through a series of sequential phases that enable their survival, spread, and impact on infected systems. This lifecycle begins with initial and progresses through and potential persistence mechanisms, allowing the virus to remain effective while minimizing early detection. The phases are interdependent, with core components such as replication code and modules playing supporting roles in their execution. In the dormant phase, the integrates into the host file or and remains inactive, avoiding any disruptive activity to evade immediate detection by security software or users. During this period, it does not replicate or execute its , instead lying hidden within legitimate files or until a specific event activates it. This stealthy integration allows the to persist unnoticed on the for extended periods, sometimes indefinitely, until conditions are met. The propagation phase commences when the infected host is executed, prompting the virus to scan for suitable new targets and replicate itself into them. For instance, a file-infector virus might attach its code to other files using parasitic infection methods such as appending to the end (most common) or prepending to the beginning (less common), thereby creating additional infected hosts without altering the original program's apparent functionality (detailed in Core Components). This is a defining trait of viruses, enabling exponential spread within a system or network, though it consumes resources and risks exposure if not carefully managed. Upon satisfying predefined conditions, the triggering phase activates the virus's , initiating its malicious intent. These conditions can include temporal factors, such as a particular date or time (e.g., the Jerusalem virus, which activates on Fridays the 13th), or operational events like accessing a certain number of files. This phase ensures the deploys strategically, often delaying action to maximize propagation before causing noticeable harm. During the execution phase, the payload runs, carrying out the virus's intended effects, which may range from displaying messages to corrupting data or altering system configurations. For example, the payload might overwrite files or inject additional code to facilitate further infections, directly impacting the host's stability and security. This phase marks the virus's overt influence, potentially leading to system crashes or if not contained.

Propagation Mechanisms

Replication Targets

Computer viruses primarily target executable files for replication, as these are directly runnable programs that facilitate the virus's and spread upon execution. On systems like Windows and older DOS environments, common targets include files with extensions such as .exe and .com, where the virus inserts its code into the host file without immediately altering its functionality to avoid detection. Document files, particularly those supporting macro languages in office applications, serve as another key replication target by exploiting embedded scripting capabilities. Formats like .doc for word processors and .xls for spreadsheets allow viruses to attach malicious macros that execute when the document is opened, enabling replication into other documents or templates. Boot sectors, including the master boot record (MBR) on hard drives, are critical targets for persistent infection, as they load during system startup and provide an early execution opportunity. Viruses infecting these areas modify the boot code to ensure replication on subsequent boots or when media is accessed. Viruses also propagate via network shares and , such as USB drives or shared folders, which act as intermediaries between isolated systems. These targets are exploited by copying infected files or autorun mechanisms onto accessible storage, bridging infections across networks or devices. The selection of replication targets is guided by criteria that maximize efficiency, such as prioritizing frequently accessed, writable, or files to increase the likelihood of undetected spread while minimizing resource overhead in the virus's replication module.

Infection Vectors

Computer viruses primarily enter systems through infection vectors that leverage user interactions, network exposures, and physical media transfers, facilitating their initial infiltration and subsequent spread. These mechanisms often exploit trust in seemingly legitimate sources or unpatched vulnerabilities, allowing malicious to execute without immediate detection. Common vectors include email-based deliveries, illicit software acquisitions, web exploits, removable storage devices, and deceptive tactics rooted in human . As of 2025, and malspam remain the dominant vectors, accounting for a majority of infections, while web-based attacks like continue to pose risks through targeted exploits. One prevalent infection vector involves email attachments, where malicious files are disguised as innocuous documents such as invoices, resumes, or software updates to exploit user trust and curiosity. Attackers send phishing emails containing these attachments, which, upon opening, execute the virus payload, often using macro-enabled formats in files to automate infection. According to the National Institute of Standards and Technology (NIST), email remains a primary vector for malware delivery, with phishing campaigns responsible for a significant portion of initial infections in reported breaches. Viruses also propagate via software downloads, particularly from untrusted or pirated sources where malware is bundled with cracked programs, freeware, or keygens. Users seeking unauthorized copies of commercial software from torrent sites or file-sharing platforms inadvertently download infected executables that install the virus alongside the desired application. A study by the University of Nebraska-Lincoln highlights that pirated software frequently serves as a conduit for viruses, with infection rates elevated due to the lack of vendor verification and updates in such distributions. The Federal Bureau of Investigation (FBI) has warned that counterfeit software often embeds malware, leading to widespread infections among users bypassing legitimate channels. Drive-by downloads represent another critical vector, occurring when users visit compromised websites that exploit vulnerabilities in browsers, plugins like or , or operating systems to automatically deliver and install viruses without user interaction. These attacks typically involve malicious scripts, such as those embedded in iframes or on legitimate sites, triggering silent downloads upon page load. Although less common than in the early due to enhanced browser protections, drive-by downloads still contribute to infections by targeting outdated software components. Peripheral devices, such as USB flash drives and external hard drives, serve as physical vectors for virus transmission, especially in environments with auto-run features enabled. When an infected device is connected to a computer, the virus can self-execute via files or exploit operating system features to copy itself and infect the host system, potentially spreading to networked machines. The (CISA) notes that attackers deliberately plant on USBs left in public places or distributed via social engineering, leading to infections that bypass network defenses. This vector has been implicated in high-profile incidents, including state-sponsored campaigns using infected thumb drives. Social engineering tactics, particularly , trick users into executing infected code through lures like urgent alerts, fake login prompts, or enticing links that lead to downloads. These attacks manipulate psychological factors such as authority or scarcity to prompt actions like clicking embedded links or entering credentials on bogus sites, thereby initiating the infection process. CISA identifies as a core social engineering method for virus delivery, often combining with malicious payloads to compromise systems en masse. Such vectors rely on rather than technical exploits, making them effective against even secured environments.

System Impacts

Direct Effects

Computer viruses exert direct technical impacts on infected systems primarily through their payload execution, which disrupts normal operations at the file, resource, and system levels. One common effect is file corruption, where viruses overwrite or append malicious code to executable files such as .exe or .com formats, rendering them unusable and causing programs to crash upon execution. This corruption often results in , as infected files must typically be deleted to eradicate the virus, with no reliable recovery possible for overwritten content. Viruses also impose significant resource consumption during replication, hijacking CPU and to propagate themselves, which leads to noticeable system slowdowns, lag in applications, and potential full crashes under heavy load. For instance, multipartite viruses that infect both files and sectors exacerbate this by continuously altering system , further degrading performance across the entire device. System instability arises when viruses modify core components, such as altering registry entries to ensure persistence or injecting malicious code into boot processes. viruses, in particular, target the (MBR), corrupting the boot code and preventing the operating system from loading, often displaying errors due to invalid sector signatures like the absence of 0x55 and 0xAA markers. A notable example is the CIH virus, which emerged in 1998 and overwrote the Flash chip on compatible systems (such as those with 430TX chipsets), rendering the hardware inoperable and requiring physical reprogramming of the chip to restore boot functionality. Additionally, some viruses incorporate payloads designed for data theft, such as keyloggers that record every keystroke to capture sensitive information like passwords or details, transmitting it to attackers without user awareness. These immediate effects collectively compromise the integrity and usability of the infected system, often necessitating manual intervention or specialized tools for .

Broader Consequences

Computer viruses have inflicted substantial economic damages on a global scale, with major outbreaks leading to billions in direct and indirect costs related to system downtime, remediation efforts, and lost revenue. For instance, the 2000 virus, a spread via , infected millions of systems worldwide and resulted in estimated damages of $10-15 billion, including cleanup and productivity losses. These financial burdens highlight how viruses disrupt critical operations, amplifying costs beyond initial infections. Productivity losses from computer viruses further exacerbate economic strain, as infections often halt business activities and require extensive time for cleanup and restoration. Globally, such disruptions contribute to annual productivity declines as part of broader cybercrime costs estimated at $10.5 trillion in 2025, forcing organizations to divert resources from core functions to security responses. Major virus incidents have accelerated shifts in the cybersecurity paradigm, prompting surges in investments and the development of stricter regulations to mitigate future risks. Following high-profile attacks like ILOVEYOU, global cybersecurity spending has risen sharply, reaching over $150 billion annually by 2023, while governments have enacted mandates for incident reporting and risk management frameworks. These changes reflect a broader recognition of viruses as catalysts for proactive defenses in both private and public sectors, with ongoing adaptations to threats in cloud, mobile, and IoT environments as of 2025. Geopolitically, advanced persistent threats incorporating virus-like behaviors have demonstrated the potential for cyber threats to target national infrastructure, escalating tensions between nations and blurring lines between digital and physical warfare. For example, state-sponsored operations have used to sabotage critical systems, influencing and prompting debates on cyber norms. Over the long term, computer viruses have contributed significantly to the expanding economy, with costs reaching $10.5 trillion annually in 2025, up from $6 trillion in 2021. This growth encompasses virus-related damages alongside other threats, driving sustained economic pressure and underscoring the need for ongoing global collaboration.

Detection Approaches

Signature-Based Methods

Signature-based methods form the foundational approach to computer virus detection, relying on predefined patterns or "signatures" derived from known samples to identify infections during static scans of files, , and sectors. These techniques compare target against a database of unique identifiers, such as cryptographic hashes or byte sequences, to flag exact or closely matching threats without executing the code. Developed in the early days of , this method prioritizes speed and reliability for recognized viruses but requires continuous updates to remain effective against evolving threats. Hash matching represents a precise form of signature-based detection, where cryptographic hash functions generate fixed-length digests of entire files or sections to create unique identifiers for known viruses. Commonly employed algorithms include , which produces a 128-bit hash, and SHA-256, offering 256-bit outputs for greater , allowing antivirus engines to verify file integrity and detect exact matches against databases. For instance, tools like use MD5-based signatures in the format MD5Hash:FileSize:[MalwareName](/page/Malware) stored in .hdb files to identify static samples, while SHA-256 variants in .hsb files support more robust detection of (PE) sections in Windows files. This approach excels in identifying unaltered virus files but is limited to exact replicas, as even minor modifications alter the hash. String scanning complements hash matching by searching for specific byte sequences or "strings" within files that are characteristic of known viruses, such as unique code snippets unlikely to appear in legitimate software. Antivirus programs maintain databases of these strings, extracted from disassembled virus samples, and scan files byte-by-byte or using optimized pattern-matching algorithms like the Aho-Corasick method to locate matches efficiently. The , containing the standardized string X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, serves as a benchmark for validating string-based detection across antivirus products without using real malware. This technique enables detection of viruses embedded in larger files, such as email attachments, by isolating suspicious patterns amid benign code. Heuristic signatures extend traditional by employing rule-based profiles to detect families of related viruses, rather than individual variants, through generic indicators like structures or behavioral traits. For example, rules might flag boot sector modifiers by identifying anomalies in () , such as self-replicating instructions or unusual jumps that characterize infectors like the virus family. ’s engine uses scoring systems to evaluate against predefined rules, incorporating wildcards and regular expressions to catch polymorphic variants that alter byte sequences while preserving core logic. Kaspersky similarly applies static decompilation to compare against a database, assigning scores to patterns indicative of file infectors or macro viruses. These signatures provide broader coverage for virus families but higher false positives if rules are too permissive. Centralized signature databases, maintained by major antivirus vendors, play a critical role in enabling effective detection through regular updates that incorporate new patterns from global threat intelligence. Symantec (now part of ) ensures signature files are refreshed to remain within a configurable age threshold, typically seven days, verifying protection against the latest known viruses via automated downloads to client endpoints. ’s VirusScan DAT files, updated multiple times daily, deliver incremental signature additions to address emerging s without full database overhauls, supporting both on-demand and real-time scanning. These repositories aggregate hashes, strings, and heuristic rules from analyzed samples, distributed via services to millions of users, though update frequency depends on threat velocity and network policies. Despite their reliability for known threats, signature-based methods exhibit significant limitations, particularly against zero-day viruses and polymorphic variants that lack predefined patterns. Zero-day attacks, exploiting undisclosed vulnerabilities before signatures are developed, evade detection entirely until databases are updated, often leaving systems vulnerable for days or weeks. Polymorphic viruses, which encrypt or mutate their code with each infection—such as using variable keys or junk instructions—render hash and matches ineffective, as no static persists across instances. This static nature also struggles with techniques like packing, where anti-detection features compress or encrypt payloads to alter observable patterns. Consequently, signature-based systems detect only a fraction of novel threats, necessitating complementary approaches for comprehensive protection.

Heuristic and Behavioral Detection

Heuristic detection employs rule-based algorithms to identify potential threats by analyzing patterns that deviate from expected software , such as unusual code structures or resource usage, without relying on predefined signatures. This approach is particularly effective against evolving computer viruses that mutate to evade traditional scanning. Behavioral detection, in contrast, focuses on runtime observation of a program's actions, flagging anomalies like unauthorized file modifications or network communications that indicate malicious intent. Together, these methods provide proactive identification of unknown threats by emphasizing dynamic analysis over static matching. Sandboxing involves executing suspicious code in an isolated that mimics a real operating system, allowing security tools to observe replication attempts, such as self-propagation to other files or processes, without risking the host system. During this controlled execution, the sandbox monitors interactions like registry changes or outbound connections to reveal hidden behaviors, including those from zero-day viruses. This technique has proven essential for dissecting complex threats, as demonstrated in analyses where sandboxes uncovered evasion tactics in over 90% of tested samples. API monitoring tracks system calls, such as those for file creation, process injection, or network access, to detect unusual sequences that align with or payload delivery. For instance, frameworks like use to classify API call graphs from Windows executables, achieving high accuracy in identifying by modeling behavioral patterns rather than code content. This method excels in endpoint environments, where it flags deviations like excessive privilege escalations common in infections. Machine learning models enhance by training on datasets of benign and malicious behaviors to recognize deviations, such as irregular process spawning or memory access patterns indicative of viral activity. Neural networks, including recurrent and convolutional variants, process features from system logs or network traffic to classify threats with accuracies exceeding 97% on benchmarks like NSL-KDD, enabling real-time flagging of unknown viruses. These AI-driven approaches adapt to polymorphic variants by focusing on behavioral signatures rather than static code. Rootkit detection leverages scans to uncover hidden , altered file systems, or hooked kernel structures that viruses use for persistence. Tools analyze discrepancies between API-reported data and raw or disk contents, such as mismatched lists, to expose stealthy alterations. Behavioral heuristics further identify rootkits through indicators like unexplained system instability or anomalous network activity, with methods like SSDT confirming infections in targeted investigations. By 2025, advancements in (EDR) systems have integrated these techniques for proactive behavioral blocking, continuously monitoring endpoints to correlate anomalies across processes and halt viral propagation in real time. EDR platforms employ machine learning-enhanced behavioral analysis to detect and isolate threats autonomously, reducing response times to seconds and addressing the limitations of isolated heuristics against sophisticated viruses. This evolution underscores a shift toward comprehensive, adaptive defenses in enterprise environments.

Defensive Measures

Prevention Techniques

Antivirus software serves as a primary line of defense against computer viruses by performing real-time scanning of files, emails, and to detect and malicious code before it executes. These programs maintain of known virus signatures, which are updated automatically to address emerging threats, ensuring protection against the latest variants. within antivirus tools further enhances prevention by identifying suspicious behaviors, such as unusual file modifications, even without exact signature matches. Safe computing practices significantly reduce virus infection risks through user vigilance and system configurations. Users should avoid opening attachments or clicking links from unknown sources, as these often serve as infection vectors like email phishing. Enabling built-in operating system protections, such as Windows Defender, provides automatic threat blocking, while firewalls monitor and restrict unauthorized inbound and outbound connections to prevent unauthorized access. Regular software updates patch vulnerabilities that viruses exploit, maintaining overall system integrity. Access controls limit the potential damage from viruses by restricting application privileges and isolating potentially risky processes. The principle of least privilege ensures users and programs operate with only the minimum necessary permissions, preventing a virus from escalating to gain broader system access. Sandboxing confines applications to isolated environments, where they cannot interact with the main system or other files, effectively containing any malicious activity during execution. Network security measures block virus propagation across connected systems. Intrusion prevention systems (IPS) actively monitor traffic for anomalous patterns indicative of virus activity, such as unauthorized , and terminate suspicious sessions in real time. Email filtering at gateways scans incoming messages for malware signatures and blocks attachments with executable files, a common virus delivery method, thereby preventing infections at the entry point. Education campaigns foster long-term prevention by increasing of virus risks and promoting best practices. Programs like the National Cybersecurity Month initiative train users to recognize social engineering tactics. Studies on security , , and (SETA) programs have shown that such can reduce susceptibility by up to 50% through simulated exercises. These efforts emphasize the human element, as informed users are less likely to fall for deceptive tactics that bypass technical defenses.

Eradication and Recovery

Eradication of computer viruses typically begins with isolating infected files through processes, where moves suspicious items to a secure, isolated area to prevent further spread while allowing for analysis and removal. Tools like employ this method by scanning systems in real-time or on-demand, quarantining detected threats, and enabling users to review and delete them permanently from the quarantine manager. Once quarantined, deletion removes the viral code entirely, though users must ensure no remnants persist by running follow-up scans to verify system integrity. For thorough cleaning, especially when viruses embed deeply or the operating system is compromised, full system scans using bootable rescue environments are essential, as they operate outside the infected OS to avoid interference. The Kaspersky Rescue Disk, for instance, boots from a USB or CD into a Linux-based environment, allowing offline scanning and disinfection of the primary drive without risking re-infection during the process. This approach is particularly effective against persistent threats like rootkits that load before the OS, enabling detection and removal that standard scans might miss. Specialized tools address specific virus types, such as boot sector viruses that infect the (MBR). Bootable recovery tools from vendors like Norton create media to scan and repair infections, helping restore functionality without full OS reinstallation; however, compatibility may be limited on modern systems. Similarly, dedicated disinfectors from vendors like Symantec provide targeted repairs for known variants, minimizing while excising malicious code. Recovery after eradication often involves restoring data from verified backups to rebuild the system cleanly, ensuring the backups themselves are free of infection to prevent reintroduction of the virus. Strategies include performing a clean OS reinstallation followed by selective restoration from offline or backups tested for , such as those maintained on external media. The U.S. recommends using encrypted, offline backups and validating them periodically to facilitate swift recovery without compromising security. Best practices for effective recovery emphasize pre-infection system imaging, where a complete disk snapshot—such as an ISO file—captures the clean state for rapid restoration. Post-recovery, verifying file through checksums or additional scans confirms the absence of residual threats, reducing the risk of future incidents. Maintaining multiple backup versions allows selection of the most recent uninfected point, aligning with guidelines from agencies like the Cybersecurity and Communications Integration Cell for resilient data preservation.

Societal and Cultural Dimensions

Computer viruses have been a recurring motif in films, often portrayed as apocalyptic forces capable of dismantling civilizations or global systems. In the 1996 science fiction film Independence Day, protagonists upload a computer virus into an alien mothership's network, disabling protective shields and enabling a counterattack that saves Earth from invasion. This depiction frames the virus as a heroic, world-ending weapon, amplifying 1990s-era public fears of cyber threats as immediate existential dangers. Similarly, the 2007 action thriller Live Free or Die Hard centers on a "firesale" cyber-attack involving a virus that sequentially targets transportation, finance, and utilities infrastructure across the United States, illustrating viruses as instruments of orchestrated societal collapse. Such cinematic narratives emphasize dramatic, high-stakes interventions, influencing perceptions of viruses as both destructive and solvable through individual ingenuity. In literature and video games, computer viruses frequently merge digital and biological contagion themes, exploring uncontrolled replication and human vulnerability. Neal Stephenson's 1992 cyberpunk novel Snow Crash introduces a virus that propagates through virtual reality networks and linguistic code, crashing computer systems while inducing real-world neurological effects on users, thereby popularizing the idea of information as a self-replicating pathogen. The story's virus exploits a shared "machine language" in the , blending computational errors with ancient myths to critique technological overreach. In the video game franchise, spanning titles from 1996 onward, viruses such as the T-Virus and Progenitor Virus are engineered bioweapons that mutate humans into zombies and monsters, driving narratives of corporate malfeasance and global outbreaks. These portrayals highlight viruses as catalysts for horror and scenarios, reinforcing their role as metaphors for irreversible escalation. Television and news coverage have often sensationalized actual virus incidents, likening them to uncontrollable plagues that disrupt daily life. The Y2K transition in 1999 drew intense media scrutiny, with reports warning of opportunistic viruses that could activate on January 1, such as those mimicking BIOS errors to reformat hard drives or downloading destructive payloads, heightening public apprehension amid millennium hype. Likewise, the 2017 WannaCry ransomware was depicted in global news as a swift-spreading worm that infected over 200,000 computers in more than 150 countries, crippling healthcare systems like the UK's National Health Service and evoking a "digital pandemic" through its exploitation of unpatched software. These accounts amplified the virus's image as a borderless, predatory force, blending technical details with alarmist rhetoric to underscore real-world vulnerabilities. Cultural metaphors derived from computer viruses have evolved into everyday language, particularly in social media contexts. The phrase "going viral," originating from biological metaphors for cultural transmission in the 1970s, now describes content that proliferates rapidly across networks, transforming a term of dread into one of digital success and mimicry of viral spread. By 2025, media representations have shifted toward grounded explorations of , as exemplified in the television series (2015–2019), where hackers deploy realistic via USB drives and exploit IoT devices to target corporate networks, portraying viruses as precise tools in ideological conflicts rather than fantastical doomsdays. Recent depictions, such as in the 2023 film The Creator, extend this to AI-driven viral threats in futuristic warfare, reflecting ongoing concerns with . This maturation reflects broader awareness of persistent, systemic threats, molding public discourse on cybersecurity from spectacle to strategy. The legal landscape governing computer viruses encompasses national statutes aimed at criminalizing unauthorized access, data interference, and malicious code propagation. In the United States, the of 1986 established federal prohibitions against intentionally accessing a computer without authorization or exceeding authorized access, which courts have interpreted to include the creation and release of viruses that cause damage or impair functionality. This law marked a pivotal response to early cyber threats, enabling prosecutions for worm and virus incidents that disrupt protected systems. Similarly, in the , Directive 2013/40/EU on attacks against information systems, adopted in 2013, harmonizes member states' criminal laws by defining offenses such as illegal system interference and data alteration, explicitly covering the distribution of like viruses through tools including botnets and email attachments. These frameworks prioritize deterrence through penalties that can include imprisonment and fines scaled to the extent of harm inflicted. Prosecutions under these laws have set precedents for holding virus creators accountable, though outcomes vary based on intent and jurisdiction. became the first person convicted under the CFAA in 1990 for releasing the in 1988, which infected thousands of computers and caused an estimated $10 million in cleanup costs; he received a three-year probation, 400 hours of , and a $10,050 fine after a determined his actions constituted intentional unauthorized access. In 2001, Dutch authorities arrested 20-year-old Jan de Wit, who confessed to authoring the Anna Kournikova virus—a worm that spread via attachments promising photos of the player and infected hundreds of thousands of systems worldwide—charging him with violating Dutch computer laws, resulting in a due to his age and lack of prior offenses. Another landmark case involved German teenager Sven Jaschan, arrested in 2004 and convicted in 2005 for creating the Sasser worm and Netsky viruses, which exploited Windows vulnerabilities to cause widespread system crashes; he received a 21-month and , influenced by his cooperation and Microsoft's $250,000 reward leading to his identification. Ethical considerations surrounding computer viruses center on the dual-use nature of self-replicating , where techniques developed to study for defensive purposes—such as improving antivirus detection—can be repurposed for harmful attacks, prompting debates on whether such work should be restricted to prevent misuse. This tension is evident in discussions of "white-hat" virus writing, where ethical hackers create benign or proof-of-concept in controlled environments to test , but critics argue it blurs lines with black-hat activities and risks accidental release, necessitating strict ethical guidelines and institutional oversight to balance innovation with responsibility. Jaschan's post-conviction transition to white-hat consulting exemplifies how reformed creators can contribute positively, yet underscores ongoing ethical scrutiny of intent in development. Overall, these debates emphasize the moral imperative for to evaluate potential harms, often guided by professional that prioritize non-malicious applications. Internationally, the Budapest Convention on Cybercrime, opened for signature in 2001, provides a cornerstone treaty by requiring signatories to criminalize offenses like illegal access and system interference, including virus dissemination, and facilitating cross-border cooperation in investigations. As of November 2025, the convention has been ratified by 81 countries, enabling joint operations against transnational virus threats despite varying domestic implementations. However, challenges persist in attributing and prosecuting state-sponsored attacks, as seen with the 2017 NotPetya —initially disguised as but designed for destruction—which U.S. and allied governments attributed to Russia's military intelligence unit () based on code analysis and infrastructure tracing, yet legal action remains limited due to difficulties in proving individual culpability across borders and the absence of extradition in such geopolitical contexts. These attribution hurdles highlight the need for enhanced international norms to bridge gaps between technical evidence and enforceable justice.

Relation to Broader Malware Landscape

Distinctions from Other Malware Types

Computer viruses are distinguished from other primarily by their requirement to attach to and replicate via host files or programs, a trait that sets them apart from standalone or non-replicating threats. Unlike worms, which are self-contained programs capable of independent propagation across networks without needing a host, viruses depend on user interaction or to spread, embedding their code into legitimate executables or documents. For instance, the of 1988 exploited vulnerabilities in Unix systems to replicate autonomously over , infecting approximately 10% of connected computers without attaching to files, demonstrating the self-propagating nature absent in viruses. In contrast to Trojan horses, viruses actively self-replicate by infecting hosts, whereas Trojans masquerade as benign software to trick users into installation but lack inherent replication mechanisms, relying instead on social engineering for distribution. Trojans may grant attackers remote access or steal data once installed, but they do not propagate independently like viruses, which modify and spread through attached files to potentially corrupt systems over time. Ransomware, while often overlapping with viral payloads, differs fundamentally as it prioritizes data encryption and over replication; viruses are defined by their attachment and self-copying behavior, even if some incorporate elements. A virus might encrypt files as a secondary effect, but its core trait is host dependency for spread, unlike pure that spreads via or exploits without . Hybrid forms further highlight viruses' attachment mechanisms, as seen in boot sector viruses, which target the Master Boot Record (MBR) or boot sectors of storage devices to load malicious code during system startup, thereby infecting the boot process itself. In comparison, rootkits employ stealth techniques to conceal malware by modifying operating system kernels or processes, often without the file-attachment replication central to viruses; boot sector viruses propagate by overwriting boot areas on inserted media, while rootkits persist by hiding activities post-infection. This attachment to critical boot components allows boot sector viruses like Michelangelo (1991) to evade casual detection, but rootkits emphasize concealment over such targeted replication. In contemporary malware taxonomies, viruses remain a distinct subset characterized by host-file replication, separate from worms, Trojans, and other categories, as outlined in classifications by organizations like Kaspersky, which group malware into viruses (file infectors), worms (network spreaders), and Trojans (deceptive non-replicators). These standards, updated regularly to reflect evolving threats, underscore viruses' reliance on attachment for propagation, positioning them as a foundational type amid broader ecosystem shifts.

Influence on Modern Threats

Traditional computer viruses, known for their self-replicating nature by infecting executable files, have profoundly influenced the rise of hybrid malware in the post-2010 era. These modern variants blend viral propagation with fileless execution and living-off-the-land (LOTL) techniques, leveraging legitimate system tools to evade detection while maintaining persistence and spread. , a prominent example first detected in 2014, disrupted in 2021 but resurged thereafter with activity continuing into 2025, exemplifies this evolution; initially a banking trojan, it transformed into a modular loader that used , (WMI), and Microsoft HTML Application Host (MSHTA) for fileless operations, enabling lateral movement across networks without creating detectable artifacts on disk. This hybrid approach extended traditional virus tactics—such as attachment and replication—into stealthier forms, inspiring subsequent threats that distribute and info-stealers while minimizing forensic footprints. The principles of deception and infection from PC-era viruses have also shaped mobile and Internet of Things (IoT) threats, particularly on Android platforms. Early computer viruses disguised malicious code within benign files to trick users and systems; similarly, Android like FakeApp trojans masquerade as legitimate applications—such as antivirus tools or updaters—to gain permissions and exfiltrate data. This evolution adapts PC virus models to mobile ecosystems, where imposter apps exploit vulnerabilities and social engineering, much like floppy disk infections in the and . By 2025, while FakeApp detections declined by 7.49% year-over-year, these threats persist in fraudulent schemes, underscoring the ongoing adaptation of viral infection strategies to resource-constrained devices. IoT devices face analogous risks, with propagating via weak updates, echoing how viruses exploited shared networks. In the 2020s, the adaptive replication of computer viruses has driven the incorporation of (AI) and (ML) into malware for enhanced evasion. Traditional viruses mutated code to avoid signatures; modern counterparts use ML algorithms to generate polymorphic variants that dynamically alter behavior, achieving evasion rates as high as 88% against certain antivirus tools. For instance, AI-powered threats employ generative models to obfuscate payloads and adapt to defensive analyses in real-time, extending viral self-preservation into automated, intelligent operations. This shift addresses limitations in older detection methods, with attackers using large language models to craft evasive code that bypasses static and dynamic scanners. Virus-like propagation has further manifested in attacks, where infects trusted software distribution channels to achieve widespread dissemination. The 2020 SolarWinds breach illustrates this: Russian state actors injected the backdoor into Orion platform updates starting in February 2020, propagating the to over 18,000 customers who installed the compromised versions between March and June. Once deployed, lay dormant before enabling remote access and lateral movement, mirroring how viruses infect hosts through routine file execution but scaled via enterprise trust networks. This tactic has influenced subsequent incidents, amplifying the reach of traditional viral mechanics in interconnected environments. Looking ahead, the legacy of computer viruses informs projections for threats emerging by 2025, particularly those involving and . As quantum processors advance, malware could exploit "store now, decrypt later" strategies, harvesting encrypted data for future quantum decryption using algorithms like Shor's, targeting networks secured by . As of November 2025, no widespread quantum-enabled incidents have been reported, but preparations for such threats have accelerated with increased adoption of quantum-resistant standards. exploits may evolve to include quantum-resistant that demands payment in vulnerable cryptocurrencies, while hybrid viruses adapt to standards. By late 2025, experts anticipate increased focus on quantum-safe designs to counter these viral-inspired threats, with geopolitical actors potentially accelerating such innovations.

References

  1. https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
  2. https://www.kaspersky.com/resource-center/threats/computer-viruses-vs-worms
  3. https://usa.kaspersky.com/resource-center/threats/computer-viruses-and-malware-facts-and-faqs
  4. https://pmc.ncbi.nlm.nih.gov/articles/PMC5041502/
  5. https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir4939.pdf
  6. https://ethw.org/Computer_Viruses
  7. https://usa.kaspersky.com/resource-center/threats/types-of-malware
  8. https://www.cisa.gov/news-events/news/virus-basics
  9. https://support.symantec.com/en_US/article.TECH98539.html
  10. https://usa.kaspersky.com/resource-center/threats/a-brief-history-of-computer-viruses-and-what-the-future-holds
  11. https://encyclopedia.kaspersky.com/glossary/virus/
  12. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-166.pdf
  13. https://csrc.nist.gov/glossary/term/virus
  14. https://ntrs.nasa.gov/api/citations/19920020387/downloads/19920020387.pdf
  15. http://all.net/books/Dissertation.pdf
  16. https://www.cnsr.ictas.vt.edu/QEpaper/cohen.pdf
  17. https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1836&context=cstech
  18. https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1172&context=open_access_dissertations
  19. http://web.stanford.edu/class/sts129/essays/waddell1.htm
  20. https://www.historyofinformation.com/detail.php?id=2464
  21. https://archive.org/download/theoryofselfrepr00vonn_0/theoryofselfrepr00vonn_0.pdf
  22. https://www.historyofinformation.com/detail.php?entryid=2860
  23. https://www.scientificamerican.com/article/when-did-the-term-compute/
  24. https://www.sciencedirect.com/science/article/pii/S0167404897822456
  25. https://www.cs.drexel.edu/~jjohnson/2007-08/winter/cs475/lectures/malware.pdf
  26. https://repository.law.miami.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1219&context=umblr
  27. https://www.fbi.gov/news/stories/melissa-virus-20th-anniversary-032519
  28. https://www.sei.cmu.edu/documents/506/1999_019_001_496184.pdf
  29. https://www.gao.gov/assets/t-aimd-00-171.pdf
  30. https://commdocs.house.gov/committees/science/hsy131170.000/hsy131170_1.HTM
  31. https://www.cs.toronto.edu/~arnold/427/16s/csc427_16s/indepth/poweliks/poweliks.pdf
  32. https://www.cs.drexel.edu/~mancors/papers/malcon2018a.pdf
  33. https://ieeexplore.ieee.org/document/9297264
  34. https://ieeexplore.ieee.org/document/10187144
  35. https://www.govinfo.gov/content/pkg/CHRG-115shrg28382/html/CHRG-115shrg28382.htm
  36. https://www.nist.gov/system/files/documents/itl/BITS-Malware-Report-Jun2011.pdf
  37. https://www.giac.org/paper/gsec/10226/malware-101-viruses/112902
  38. https://www.research.ed.ac.uk/files/15441550/A_Framework_for_Modelling_Trojans_and_Computer_Virus_Infection.pdf
  39. https://www.jetir.org/papers/JETIR2008083.pdf
  40. https://www.sciencedirect.com/topics/computer-science/malicious-payload
  41. https://www.cs.cornell.edu/courses/cs711/2005fa/papers/cj-usenix03.pdf
  42. https://onlinelibrary.wiley.com/doi/10.1155/2023/8227751
  43. https://seclab.nu/static/publications/ssp2010dormant.pdf
  44. https://www.fortinet.com/resources/cyberglossary/computer-virus
  45. https://www.avast.com/c-computer-virus
  46. https://www.educative.io/answers/what-is-the-structure-and-life-cycle-of-a-computer-virus
  47. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-83.pdf
  48. https://www.jsums.edu/nmeghanathan/files/2015/05/CSC439-Sp2013-Module-9-Spring2013-Malware.pdf
  49. https://www.cisecurity.org/insights/blog/top-10-malware-q1-2025
  50. https://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1377&context=csearticles
  51. https://www.fbi.gov/news/stories/pirated-software-may-contain-malware1
  52. https://www.cisa.gov/news-events/news/using-caution-usb-drives
  53. https://www.wired.com/story/china-usb-sogu-malware/
  54. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
  55. https://www.fortect.com/malware-damage/malware-windows-registry/
  56. https://usa.kaspersky.com/resource-center/definitions/boot-sector-virus
  57. https://www.f-secure.com/v-descs/cih.shtml
  58. https://www.fortinet.com/resources/cyberglossary/what-is-keyloggers
  59. https://www.kaspersky.com/resource-center/threats/ilove-you
  60. https://cybersecurityventures.com/official-cybercrime-report-2025/
  61. https://www.cpajournal.com/2025/08/27/the-sec-finalizes-rule-on-cybersecurity-disclosures/
  62. https://www.ibm.com/reports/data-breach
  63. https://spectrum.ieee.org/the-real-story-of-stuxnet
  64. https://cs.stanford.edu/people/eroberts/cs201/projects/2000-01/viruses/anti-virus.html
  65. https://docs.clamav.net/manual/Signatures/HashSignatures.html
  66. https://www.malwarepatrol.net/malware-hashes-and-hash-functions/
  67. https://www.eicar.org/download-anti-malware-testfile/
  68. https://web-assets.esetstatic.com/wls/en/papers/white-papers/Heuristic_Analysis.pdf
  69. https://usa.kaspersky.com/resource-center/definitions/heuristic-analysis
  70. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/cs-help-hi-console-v14067393-d57e1843/antivirus-antivirus-signature-file-is-up-to-date-v9569791-d57e3140.html
  71. https://mcafee.com/support/s/article/000001549?language=en_US
  72. https://www.datto.com/blog/why-taking-a-next-generation-approach-to-av-is-essential/
  73. https://www.splunk.com/en_us/blog/learn/malware-detection.html
  74. https://www.imperva.com/learn/application-security/malware-sandboxing/
  75. https://www.sciencedirect.com/science/article/pii/S1084804523001236
  76. https://pmc.ncbi.nlm.nih.gov/articles/PMC8145138/
  77. https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf
  78. https://www.crowdstrike.com/en-us/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/
  79. https://www.cisa.gov/news-events/news/understanding-anti-virus-software
  80. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf
  81. https://consumer.ftc.gov/node/78347
  82. https://support.microsoft.com/en-us/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026
  83. https://oag.ca.gov/privacy/facts/online-privacy/protect-your-computer
  84. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-94.pdf
  85. https://www.justice.gov/criminal/criminal-ccips/file/872771/dl?inline=
  86. https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=1125&context=jcerp
  87. https://pmc.ncbi.nlm.nih.gov/articles/PMC8956416/
  88. https://www.malwarebytes.com/cybersecurity/basics/how-to-remove-virus-from-computer
  89. https://help.malwarebytes.com/hc/en-us/articles/31589479169179-Manage-quarantined-items-in-Desktop-Security
  90. https://support.kaspersky.com/viruses/rescuedisk
  91. https://us.norton.com/products/free-tools
  92. https://www.cisa.gov/news-events/news/recovering-viruses-worms-and-trojan-horses
  93. https://www.cisa.gov/stopransomware/ransomware-guide
  94. https://www.cyber.nj.gov/guidance-and-best-practices/cyber-hygiene/backups-the-cure-to-viral-cyber-infections
  95. https://mashable.com/ad/article/computer-viruses-90s-films
  96. https://www.computerworld.com/article/1576107/security-goes-to-the-movies-live-free-or-die-hard.html
  97. https://www.cnbc.com/2021/11/03/how-the-1992-sci-fi-novel-snow-crash-predicted-facebooks-metaverse.html
  98. https://gamerant.com/resident-evil-virus-parasite-disease-explained/
  99. https://www.latimes.com/archives/la-xpm-1999-dec-30-fi-48827-story.html
  100. https://www.bbc.com/news/technology-39901382
  101. https://www.wnyc.org/story/what-going-viral-means-internet/
  102. https://www.welivesecurity.com/2016/07/21/analyzing-mr-robot-s02e01/
  103. https://www.fbi.gov/history/famous-cases/morris-worm
  104. https://www.nytimes.com/2001/02/14/technology/dutch-police-arrest-suspect-after-computer-virus-spreads.html
  105. https://www.nbcnews.com/id/wbna8507272
  106. https://docs.lib.purdue.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1900&context=cstech
  107. https://scholarship.law.umn.edu/cgi/viewcontent.cgi?article=1450&context=mjlst
  108. https://www.coe.int/en/web/cybercrime/the-budapest-convention
  109. https://www.justice.gov/archives/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
  110. https://www.fortinet.com/resources/cyberglossary/malware-vs-virus-vs-worm
  111. https://usa.kaspersky.com/resource-center/threats/computer-viruses-vs-worms
  112. https://www.radware.com/security/ddos-knowledge-center/ddospedia/morris-worm/
  113. https://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html
  114. https://www.digicert.com/faq/vulnerability-management/what-is-the-difference-between-viruses-worms-and-trojan-horses
  115. https://www.fortinet.com/resources/cyberglossary/trojan-horse-virus
  116. https://www.proofpoint.com/us/threat-reference/computer-virus
  117. https://www.nakivo.com/blog/virus-ransomware-and-malware-the-differences-explained/
  118. https://www.cisco.com/site/us/en/learn/topics/security/what-is-a-virus-vs-ransomware-malware.html
  119. https://www.geeksforgeeks.org/computer-networks/difference-between-virus-and-ransomware/
  120. https://www.fortinet.com/resources/cyberglossary/rootkit
  121. https://blog.barracuda.com/2023/12/07/malware-101-file-system-evasion-rootkits-bootkits
  122. https://www.acronis.com/en/blog/posts/boot-sector-virus/
  123. https://encyclopedia.kaspersky.com/knowledge/the-classification-tree/
  124. https://www.av-test.org/en/statistics/malware/
  125. https://www.radware.com/cyberpedia/bot-management/emotet-anatomy-examples-and-defense/
  126. https://www.exabytes.my/blog/emotet-malware-a-silent-cyber-assassin-still-lurking-in-2025/
  127. https://www.morphisec.com/blog/fileless-malware-attacks/
  128. https://www.malwarebytes.com/blog/detections/android-fakeapp
  129. https://news.drweb.com/show/?i=15060&lng=en
  130. https://pdfs.semanticscholar.org/c474/cfd64885def22ac9cce014346b96cb50b621.pdf
  131. https://www.researchgate.net/publication/390111012_AI-driven_threat_detection_Enhancing_cybersecurity_automation_for_scalable_security_operations
  132. https://mitsloan.mit.edu/ideas-made-to-matter/ai-cyberattacks-three-pillars-defense/
  133. https://blog.checkpoint.com/artificial-intelligence/ai-evasion-the-next-frontier-of-malware-techniques/
  134. https://www.fortinet.com/resources/cyberglossary/solarwinds-cyber-attack
  135. https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
  136. https://technode.global/2025/10/17/quantum-computings-top-3-cybersecurity-threats-and-why-we-cant-ignore-them/
  137. https://www.esecurityplanet.com/cybersecurity/quantum-computing-threat-forces-crypto-revolution-in-2025/
  138. https://www.rapid7.com/blog/post/it-key-emerging-cybersecurity-threats-challenges-ai-ransomware-quantum/
Add your contribution
Related Hubs
User Avatar
No comments yet.