Malware 187
■ Macro viruses debuted in force around 2000. They take advantage of embedded
languages such as Visual Basic for Applications (VBA). In applications such as
Microsoft Excel and Word, these macro languages are designed to automate functions
and create new processes. The problem with these languages is that they lend
themselves very effectively to abuse; in addition, they can easily be embedded into
template files and regular document files. Once the macro is run on a victim’s system,
it can do all sorts of things, such as change a system configuration to decrease security
or read a user’s address book and e-mail itself to others (which happened in some early
cases).
■ Cluster viruses are another variation of the family tree that carries out its dirty work in
yet another original way. This virus alters the file-allocation tables on a storage device,
causing file entries to point to the virus instead of the real file. In practice, this means
that when a user runs a given application, the virus runs before the system executes the
actual file.
Making this type of virus even more dangerous is the fact that running drive-repair
utilities on an infected drive causes even more widespread problems. Utilities such as
ScanDisk may even destroy sections of the drive or eliminate files.
■ A stealth or tunneling virus is designed to employ various mechanisms to evade
detection systems. Stealth viruses employ unique techniques including intercepting
calls from the OS and returning bogus or invalid responses that are designed to fool or
mislead.
■ Encryption viruses are a newcomer to the scene. They can scramble themselves to
avoid detection. This virus changes its program code, making it nearly impossible to
detect using normal means. It uses an encryption algorithm to encrypt and decrypt the
virus multiple times as it replicates and infects. Each time the infection process occurs,
a new encryption sequence takes place with different settings, making it difficult for
antivirus software to detect the problem.
■ Cavity or file-overwriting viruses hide in a host file without changing the host file’s
appearance, so detection becomes difficult. Many viruses that do this also implement
stealth techniques, so you don’t see the increase in file length when the virus code is
active in memory.
■ Sparse-infector viruses avoid detection by carrying out their infectious actions only
sporadically, such as on every 10th or 25th activation. A virus may even be set up to
infect only files of a certain length or type or that start with a certain letter.
■ A companion or camouflage virus compromises a feature of OSs that enables software
with the same name, but different extensions, to operate with different priorities. For
example, you may have program.exe on your computer, and the virus may create a
file called program.com. When the computer executes program.exe, the virus runs
program.com before program.exe is executed. In many cases, the real program runs, so
users believe the system is operating normally and aren’t aware that a virus was run on
the system.
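The companion-virus trick above depends on the shell's extension search order: when a bare name such as `program` is typed, cmd.exe resolves it in PATHEXT order, and the default order puts .COM ahead of .EXE. The following script is an added defender's check, not code from the book; it lists every base name in a directory that carries more than one executable extension and reports which file would actually run. The directory listing in it is constructed for the demonstration.

```python
"""Flag 'companion' name collisions (program.com beside program.exe).

Added example, not from the book. A base name that exists with several
executable extensions is not proof of infection, but it is exactly the
condition a companion virus creates, so it is worth reviewing.
"""
import os
from collections import defaultdict

# Default cmd.exe PATHEXT precedence for the extensions that matter here
# (earlier entries shadow later ones when a bare name is typed).
PATHEXT_ORDER = [".com", ".exe", ".bat", ".cmd"]


def find_companions(filenames):
    """Return {base: [ext, ...]} for every base name that appears with two or
    more executable extensions; extensions are listed in shadowing order."""
    by_base = defaultdict(set)
    for name in filenames:
        base, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in PATHEXT_ORDER:
            by_base[base.lower()].add(ext)
    return {
        base: sorted(exts, key=PATHEXT_ORDER.index)
        for base, exts in by_base.items()
        if len(exts) > 1
    }


def shadowing_file(base, exts):
    """Name of the file that runs when only the bare base name is typed."""
    return base + exts[0]


def scan_directory(path):
    """Apply the check to a real directory (top level only)."""
    return find_companions(os.listdir(path))


if __name__ == "__main__":
    # Constructed listing: PROGRAM.COM shadows program.exe; notepad is benign.
    sample = ["program.exe", "PROGRAM.COM", "notepad.exe", "backup.bat",
              "backup.cmd", "readme.txt"]
    for base, exts in find_companions(sample).items():
        print(f"{base}: {exts} -> '{shadowing_file(base, exts)}' runs first")
```

Running it on the constructed listing reports `program` (.com shadows .exe) and `backup` (.bat shadows .cmd); `scan_directory()` applies the same check to a real path.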