Timberwolf Software

Timberwolf Software Home About Us Services Products Contact Us Site Map

Timberwolf Anti-Virus Information Center

-- Vendor-Independent Anti-Virus Information and Education Site --

Virus Types

By Bill Grogg

Currently there are several distinct categories of computer viruses: Boot sector, file infecting, multipartite, and macro viruses.

Boot sector viruses

Boot sector viruses are designed to infect the boot sectors of floppy disks and either the Master Boot Record (MBR) or DOS Boot Record of hard disks. Up until early 1996, these proved to be the most successful, and hence, common type of virus. Their frequency has declined dramatically, but they still pose a threat.

In order for a system to be infected with a boot sector virus, the system must be booted from an infected floppy. This floppy will be one which has had its boot sector replaced with the virus's code. When the computer is booted from this floppy, the viral code will load first, even if it subsequently loads the operating system, and will infect the MBR of the hard disk. Once the MBR of the hard disk is infected, the virus will always be loaded first, before the operating system, on every subsequent boot. The virus is then always active watching for any access to other floppy diskettes of which all non-write-protected disks will also be infected.

File infecting viruses

The file infecting virus, as the name indicates, infects files. Most often the affected files are executables, but in the case of macro viruses (discussed below), data files are infected.

File infectors may or may not be memory resident or TSR. The memory resident variety become active in memory when an infected executable is run and will then infect other executable files it finds, either immediately or gradually over time. Those that don't become memory resident will infect other executable files as soon as their infected host executable is run.

Most file infectors infect the beginning code of the executable and move the original program's code elsewhere in the file. When executed, the infected program actually runs the virus, which in turn runs the original startup code of the executable, so that it appears nothing is amiss.

Some file infectors are classified in a subcategory as overwriting viruses. These are usually fairly unsuccessful since they overwrite part of the host program which renders it corrupt and unusable and is a good indication that something is wrong.

Another subcategory of file infectors are companion viruses. These don't actually modify an existing executable program at all, but simply add a new executable for the virus's code with a similar name to the executable they are targeting as the host. Since DOS allows executables with both .COM and .EXE extensions, a companion virus could create a copy of itself with a .COM extension to match the base name of a program with a .EXE extension in the same directory. If the program is run without explicitly using the file extension, DOS will search for the name with a .COM extension first, which will then run the virus code. The virus may transparently do its thing and then run the program with the .EXE extension. Another companion method is to use the same name as the executable, but to place itself earlier in the DOS path than the host file.


A virus that is classified as multipartite uses multiple methods of infection. For example, it may infect floppy boot sectors and executable files. This will give the virus a better opportunity to spread.

Macro viruses

The newest form of viruses are the macro viruses. As the name indicates, these viruses are written in the macro languages of popular application programs such as Microsoft Word and Microsoft Excel. Because the macros are saved in the data files, opening an infected data file executes the virus's macro code.

Macro viruses first appeared on he scene in late 1995 infecting document files (actually document templates) of Microsoft Word. By early 1996, they had become the most common and successful viruses in history. Part of the success came from the fact that Microsoft Word was so widely used and that people are constantly working on the same documents or sending the documents to others via e-mail. This has posed a great challenge to a number of large organizations who clean up a macro virus, only to find it pop up again a short time later as some of many thousands of documents were missed in the cleanup and were subsequently used.

The first macro virus was named WM.Concept. This virus was designed just to prove the point that application macro code using the advanced functionality of today's powerful macro languages could be used to create a virus that continues to spread to other documents. WM.Concept doesn't cause any damage and just proves to be an annoyance by forcing you to save all your Word documents as document templates (since macros can't be saved in Word in plain document files).

WM.Concept didn't hide its code, so it could be readily modified to create new macro viruses that did do something destructive. This happened fairly quickly and a number of macro viruses created since WM.Concept have used either some if its code or techniques.

Many of the new macro viruses are more than annoying, though. Some have been explicitly designed to trigger some destructive event such as the deletion of files.

Return to the Timberwolf Anti-Virus Information Center table of contents

Customer Service    |    Web Picks

Copyright © 1997-2002, Bill Grogg
Timberwolf Software, "Software grown in the heart of the Silicon Forest", Shutters, and the Timberwolf Logo are trademarks of Timberwolf Software.
Send comments concerning this web site to: avicwebmaster@timberwolfsoftware.com.
Last updated at 4:16 PM on 20-Mar-2002.