Computer viruses – a threat you underestimate

A computer virus is a type of malicious software capable of self-replication, embedding itself into legitimate files, and spreading from one computer to another without the user’s knowledge. Similar to biological viruses, it cannot exist independently and requires a “host program” to function.

The first viruses of the 1970s and 1980s were largely technical experiments and pranks. Modern malware is different: it can destroy personal data, halt large enterprises and disrupt entire industries, which is why understanding how it works is an important part of digital security.

🛡️ 1. Types of Computer Viruses and Their Operating Principles

Computer viruses, like biological ones, have evolved and specialized in different “victims” and attack methods. Today, cybercriminals use a whole arsenal of malicious software — from simple advertising annoyances to sophisticated ransomware capable of paralyzing entire corporations.

To defend effectively, you need to know your enemy. Below are the main types of digital threats, how they get into a system, and what damage they do, roughly from the most destructive to the merely annoying. Strictly speaking, many of them are not viruses at all (a trojan does not replicate, a worm needs no host file), but in everyday usage “virus” covers all of them. Each has its own characteristics, infection symptoms, and countermeasures.

🔒 Ransomware

Blocks access to your files by encrypting them and demands a ransom for decryption. Often leads to complete data loss and significant financial losses for companies and individual users.

  • WannaCry — in 2017, infected over 200,000 computers in 150 countries, causing billions of dollars in damage
  • NotPetya — initially targeted at Ukraine but quickly spread worldwide, causing over $10 billion in damages
  • Ryuk — known for attacks on healthcare organizations, including hospitals during the COVID-19 pandemic
  • Conti — modern software with double extortion, which first steals data and then encrypts it
🐴 Trojans

Disguise themselves as useful software but actually give attackers remote access to your computer. They can steal confidential information, install other malware, and use your machine for illegal activity such as proxying or spam.

  • Zeus (Zbot) — a banking trojan that stole millions of dollars by intercepting banking credentials
  • Emotet — initially a banking trojan that evolved into a platform for delivering other malware
  • DarkComet RAT — popular remote access tool used for espionage and data theft
  • Trickbot — modular banking trojan, often used as the first stage for deploying ransomware
⚙️ Rootkits / Bootkits

Provide deep penetration into the system, hiding their presence and other malware from antiviruses. Extremely difficult to detect and remove as they operate at the lowest level of the system.

  • Sony BMG rootkit — a scandalous case where a legitimate company installed a rootkit on computers through music CDs
  • Stuxnet — worm with a digitally signed kernel-mode rootkit component, used to sabotage the centrifuge controllers at Iran’s uranium enrichment facility
  • TDL/Alureon — a family of rootkits that modify the master boot record to hide from antiviruses
  • Grayfish — extremely complex bootkit associated with the APT Equation Group
🚪 Backdoors

Create a “back door” in the system, allowing attackers to bypass normal authentication mechanisms and gain unauthorized access to the system at any time. Often used to create persistent access after the first infection.

  • Back Orifice — one of the oldest and most famous backdoors for Windows
  • NetBus — backdoor that became known for use in espionage
  • SolarWinds backdoor (SUNBURST) — inserted into signed SolarWinds Orion updates in the high-profile supply chain attack of 2020
  • PlugX — advanced backdoor, often used in targeted attacks associated with Chinese APT groups
👻 Fileless Malware

Avoids writing its payload to disk: it runs in memory or stores itself in places such as the registry or WMI, which makes it nearly invisible to antivirus products that only scan files. It typically abuses legitimate system tools such as PowerShell or WMI (“living off the land”) to carry out the attack.

  • Poweliks — kept its payload in a Windows registry value and launched it through rundll32 and PowerShell, with no file on disk
  • Kovter — click-fraud malware that adopted the same registry-resident, fileless technique
  • PowerShell Empire — post-exploitation framework whose agents run entirely in memory
  • Astaroth — infection chain built from legitimate Windows tools such as WMIC and BITSAdmin, so the payload only ever runs in memory
👁️ Spyware

Collects information about the user without their knowledge — passwords, credit card data, browsing history, messages. Can record keystrokes, take screenshots, and even activate the microphone and camera.

  • Pegasus — extremely sophisticated spyware for mobile devices, developed by NSO Group, used against journalists and activists
  • KeyLogger Pro — records keystrokes to steal passwords and other confidential information
  • FlexiSpy — smartphone spyware that intercepts calls, messages, and can activate the microphone
  • StealthGenie — mobile spyware whose creators were held accountable for its development and sale
🐛 Worms

Self-propagate through the network without user participation, quickly infecting a large number of devices. Consume network traffic and system resources, leading to slowing down networks or their complete failure.

  • ILOVEYOU — one of the most destructive computer worms, infected millions of computers in 2000 via email
  • Conficker — infected millions of computers in over 190 countries, creating one of the largest botnets
  • Slammer — in 2003 caused massive problems in internet infrastructure, infecting about 75,000 servers in 10 minutes
  • Mirai — worm for IoT devices that created an enormous botnet and carried out large-scale DDoS attacks on Dyn in 2016
🔄 Polymorphic viruses

Constantly change their code with each infection, making them difficult to detect by signature-based antivirus programs. Capable of evolving and adapting to defense mechanisms.

  • Virlock — polymorphic file virus that also functions as ransomware
  • Lexor — one of the first effective polymorphic viruses that used encryption to change its code
  • Zmist — extremely complex polymorphic virus that uses metamorphic technologies to change its code
  • Marburg — polymorphic virus that rewrote its own code with each infection
💾 MBR-viruses

Infect the Master Boot Record of the hard drive, gaining control over the system before the operating system starts. Can completely block computer boot-up or covertly take control.

  • CIH (Chernobyl) — destroyed data on the hard drive and attempted to overwrite the BIOS
  • Nymaim — combined functions of a banking trojan, ransomware, and bootkit
  • Stoned — classic 1987 boot-sector virus that infected floppy boot sectors and the MBR of hard disks
  • Petya — overwrote the MBR with its own boot code and encrypted the Master File Table, demanding a ransom for recovery
⏰ Logic bombs

Program code that remains inactive until certain conditions occur (date, time, user action), after which it activates and performs harmful actions. Especially dangerous in corporate environments as they can be installed with legitimate access (e.g., by disgruntled employees).

  • South Korean banks logic bomb — in 2013 erased data from thousands of computers in South Korean banks
  • Siemens logic bomb — planted by a contractor in custom spreadsheets he had built for Siemens so that they failed after a set date and generated repeat repair work; discovered in 2016
  • TSB Bank malicious scripts — triggered under certain circumstances, causing financial fraud
  • Michelangelo — triggered annually on March 6, the artist’s birthday
📄 File viruses

Infect executable files (.exe, .com) and activate when they are launched. They can corrupt or delete files, degrade system performance, and spread to other executables.

  • Jerusalem — one of the first file viruses that deleted programs when they were launched on Friday the 13th
  • Cascade — caused the visual effect of “falling” characters on the screen
  • Sality — one of the most widespread file viruses, capable of polymorphism
  • Magistr — destructive virus that destroyed data on the hard drive and damaged the BIOS
🏠 IoT-malware

Attacks Internet of Things devices (smart cameras, thermostats, routers), which often have weak protection. Uses them to create botnets for DDoS attacks or as an entry point into corporate networks.

  • Mirai — created a massive botnet from cameras and other IoT devices for conducting DDoS attacks
  • BrickerBot — “bricked” (made inoperable) unsecured IoT devices
  • Reaper (IoTroop) — built on Mirai’s code but added exploits for known device vulnerabilities instead of relying only on default passwords
  • VPNFilter — infected routers and NAS devices, allowing traffic interception, and could render the device unusable
📱 Mobile viruses

Targeted at smartphones and tablets, can steal personal data, track location, eavesdrop on conversations, gain access to banking applications, and send premium SMS without the user’s knowledge.

  • Joker — penetrated the Google Play Store in numerous applications, subscribing users to paid services
  • XHelper — Android malware resistant to removal even after factory reset
  • Pegasus — highly developed spyware for iOS and Android that uses multiple infection methods
  • FluBot — spreads through SMS messages, steals banking credentials
📝 Macro viruses

Written in macro languages for office applications (Word, Excel), activated when infected documents are opened. Can spread via email, encrypt documents, or steal data.

  • Melissa — one of the first widespread macro viruses, distributed via email
  • Concept — the first known macro virus for Microsoft Word
  • O97M/Y2K — activated on January 1, 2000, damaging the system registry
  • Emotet — modern threat that often uses Office macros for initial infection
⛏️ Cryptojackers

Covertly use your device’s computing resources for cryptocurrency mining. Lead to significant slowdowns, component overheating.

  • Coinhive — JavaScript miner that was embedded on websites to mine Monero in visitors’ browsers
  • Smominru — created a large botnet for mining, infecting over 500,000 servers
  • WannaMine — used the EternalBlue vulnerability (like WannaCry) to spread cryptocurrency miners
  • Clipsa — combined functions of a crypto miner and cryptocurrency wallet thief by replacing addresses in the clipboard
📢 Adware

Shows intrusive advertising, changes the browser’s homepage and search results. Although it usually doesn’t destroy data, it can significantly slow down the device, collect information about your online habits, and create additional vulnerabilities for other types of attacks.

  • Fireball — infected over 250 million computers, changing browser settings and displaying ads
  • Vonteera — blocked antivirus websites to prevent removal
  • BrowseFox — changed browser settings and tracked user behavior
  • DollarRevenue — showed pop-up ads and installed additional components without user consent

🕵️ 2. How to Recognize a Virus: “Symptoms” and Detection Methods

Identifying Signs of Compromise in Different System Classes

Detecting the presence of malicious software in an information system requires systematic analysis of a range of anomalies in hardware and software functioning. Early detection of indicators of compromise (IoC) is critical to minimize potential damage and prevent complete system compromise. Below is a comprehensive overview of diagnostic signs that may indicate the presence of malware in the system.

Anomalies in Performance and Resource Consumption

System Performance Degradation

  • Significant decrease in speed during routine computational operations
  • Abnormally high user interface response latency
  • Unnatural delays when launching applications and performing standard system functions
  • Disproportionately high CPU utilization when performing low-resource tasks

Hardware Functioning Anomalies

  • Increased cooling system activity (accelerated fan operation) in the absence of resource-intensive processes in the foreground
  • Uncharacteristic heating of system components during idle or low-intensity computing
  • Increased power consumption without obvious user activity triggers
  • Rapid battery discharge in mobile devices and laptops
Anomalies in System Processes and Components

Suspicious Processes in System Monitor

  • Presence of processes with uncharacteristic or obfuscated names
  • Extra copies of processes that normally run once or only from a fixed location (e.g., a second lsass.exe, or svchost.exe outside System32)
  • Names that mimic standard system components with a slight deviation (scvhost.exe instead of svchost.exe)
  • Running processes with abnormally high execution priority
  • Suspicious parent-child relationships between processes
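
As an added illustration (not code from the original page), the following Python snippet applies the process-tree checks above to a constructed process snapshot: the expected parent and image directory of core Windows processes, near-miss names, and an Office application spawning a script host. The snapshot, PIDs and paths are invented for the example; the expected-parent table is the usual simplified “know normal, find evil” tree.

```python
import difflib

# Expected parents for core Windows processes (simplified: the smss.exe
# instance that starts csrss/wininit exits quickly, so ppid lookups may miss).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_DIR = {name: SYSTEM32 for name in EXPECTED_PARENT}
EXPECTED_DIR["explorer.exe"] = "c:\\windows\\"
KNOWN_NAMES = set(EXPECTED_PARENT) | {"explorer.exe", "system"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed process snapshot (pid, ppid, image name, image path); not from a real host.
SAMPLE_PROCESSES = [
    (4, 0, "System", ""),
    (600, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    (700, 600, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    (720, 600, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    (800, 720, "services.exe", r"C:\Windows\System32\services.exe"),
    (810, 720, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (900, 800, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1400, 1100, "explorer.exe", r"C:\Windows\explorer.exe"),
    (2100, 1400, "WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (2200, 2100, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (2300, 1400, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),    # wrong path and parent
    (2400, 1400, "scvhost.exe", r"C:\Users\alice\AppData\Local\Temp\scvhost.exe"),  # typosquatted name
    (2500, 1400, "lsass.exe", r"C:\Windows\Temp\lsass.exe"),                      # second lsass, wrong path
]

def find_anomalies(processes):
    """Return (pid, reason) pairs for processes that break the expected tree."""
    by_pid = {pid: (ppid, name, path) for pid, ppid, name, path in processes}
    findings = []
    for pid, ppid, name, path in processes:
        lname = name.lower()
        parent = by_pid.get(ppid, (None, "<missing>", ""))[1].lower()
        # 1. Core process image outside its expected directory (masquerading copy).
        expected_dir = EXPECTED_DIR.get(lname)
        if expected_dir and not path.lower().startswith(expected_dir):
            findings.append((pid, f"{name} runs from {path}, expected under {expected_dir}"))
        # 2. Core process with the wrong parent.
        expected_parent = EXPECTED_PARENT.get(lname)
        if expected_parent and parent != expected_parent:
            findings.append((pid, f"{name} parent is {parent}, expected {expected_parent}"))
        # 3. Name that is almost, but not exactly, a known system process (scvhost vs svchost).
        if lname not in KNOWN_NAMES:
            close = difflib.get_close_matches(lname, KNOWN_NAMES, n=1, cutoff=0.85)
            if close:
                findings.append((pid, f"{name} is a typosquatted lookalike of {close[0]}"))
        # 4. Office application spawning a script host: classic macro-driven execution.
        if parent in OFFICE_APPS and lname in SCRIPT_HOSTS:
            findings.append((pid, f"{parent} spawned {name} (macro-style execution)"))
    return findings

if __name__ == "__main__":
    for pid, reason in find_anomalies(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

On a real host the snapshot would come from Sysmon event 1 or a `Get-CimInstance Win32_Process` dump; the four rules stay the same, and each of the three rogue entries in the sample is caught by at least one of them while the legitimate WINWORD.EXE is only flagged because of what it spawned.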

System Registry and Autostart Modifications

  • Unauthorized additions to autostart keys (Run and RunOnce under HKCU and HKLM)
  • New services or drivers registered under HKLM\SYSTEM\CurrentControlSet\Services
  • Changes to group policy settings and new scheduled tasks
  • Modified file-type handlers in the registry (e.g., the command that opens .exe or .lnk files)
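
Added example, not from the original article: parsing `reg query` output for the Run keys and comparing it against a golden baseline, then applying the usual triage heuristics (user-writable paths, script hosts, hidden windows, encoded commands). The registry dump, the baseline dictionary and the encoded command (`SQBFAFgA`, which is just `IEX` in UTF-16LE base64) are constructed for the example.

```python
import base64
import re

# Constructed `reg query ... /s`-style output (not from a real machine).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WindowsDefenderUpdate    REG_SZ    powershell.exe -nop -w hidden -enc SQBFAFgA
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

# Hypothetical golden baseline recorded from a clean build: value name -> expected command.
BASELINE = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "VMware User Process": '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr',
}

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd.exe")

def parse_reg_query(text):
    """Turn reg query output into (key, value_name, reg_type, data) tuples."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            key = line
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)   # reg query separates columns with 4 spaces
        if key and len(parts) == 3:
            entries.append((key, parts[0], parts[1], parts[2]))
    return entries

def decode_encoded_command(data):
    """Recover the script behind -enc/-EncodedCommand (UTF-16LE base64), or None."""
    m = re.search(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]+)", data, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_autostart(entries, baseline):
    """Return {value_name: [reasons]} for entries that deviate from the baseline."""
    report = {}
    for _key, name, _type, data in entries:
        if baseline.get(name) == data:
            continue                      # exact baseline match: nothing to say
        reasons = ["modified baseline entry" if name in baseline else "not in baseline"]
        lowered = data.lower()
        if any(marker in lowered for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        if any(host in lowered for host in SCRIPT_HOSTS):
            reasons.append("runs through a script host / LOLBin")
        if re.search(r"-w(?:indowstyle)?\s+hidden", lowered):
            reasons.append("hidden window")
        decoded = decode_encoded_command(data)
        if decoded is not None:
            reasons.append(f"encoded command decodes to: {decoded!r}")
        report[name] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in assess_autostart(parse_reg_query(SAMPLE_REG_QUERY), BASELINE).items():
        print(name, "->", "; ".join(reasons))
```

The baseline comparison is what makes this usable: OneDrive also lives under AppData and would trip the path heuristic on its own, but an exact match against the known-good command suppresses it, so only the two unknown entries are reported. Real tooling should key entries by full key path plus value name, not by value name alone.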
File System Anomalies

Unexplained Changes in the File System

  • Unauthorized creation of new executable files in system directories
  • Disappearance or encryption of user files and documents
  • Modification of file attributes (hidden, system) without user participation
  • Appearance of files with double extensions (document.pdf.exe)
  • Sudden increase in size of system log files

Anomalies in Disk Space Usage

  • Disproportionately rapid filling of disk space without obvious cause
  • Creation of large temporary files in hidden directories
  • Accumulation of cryptocurrency wallets or mining configuration files
  • Growth in swap file and paging file size
Network Anomalies

Uncharacteristic Network Activity

  • Increased network traffic during system idle periods
  • Establishing connections with unknown or suspicious domain names
  • Abnormal DNS activity, especially to dynamic DNS providers
  • Use of non-standard ports for common protocols
  • High volume of outbound traffic to irrelevant geographic regions
  • Sustained streams of DNS queries for long, unique subdomains of a single domain, often TXT lookups (DNS tunneling)

Indicators of Compromise in Network Connections

  • Proxy or VPN connections established without the user’s knowledge
  • Persistent, regularly timed outbound connections (“beaconing”) to command-and-control (C2) servers
  • Activity on ports and protocols associated with botnet control (IRC, Tor)
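
Added example covering the two network lists above (not part of the original page): a DNS-tunneling heuristic based on subdomain length, uniqueness and character entropy, and a beaconing check based on how regular the intervals between connections to one destination are. All log records, the domain `c2-example.test` and the RFC 5737 test addresses are constructed; the thresholds are starting points, not tuned values.

```python
import hashlib
import math
import statistics
from collections import defaultdict

# Constructed DNS log as (timestamp, qname, qtype); not real traffic. Ordinary
# lookups are mixed with a burst of long, unique TXT queries under the
# hypothetical c2-example.test, the shape DNS tunnelling leaves behind.
DNS_LOG = [(t, qname, "A") for t, qname in enumerate([
    "www.example.com", "mail.example.com", "cdn.example.net", "www.example.com",
    "api.example.net", "www.example.com", "login.example.com", "cdn.example.net"])]
DNS_LOG += [(100 + i, hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".c2-example.test", "TXT")
            for i in range(12)]

# Constructed connection log as (timestamp, "ip:port"). 203.0.113.7 is contacted
# every ~60 s with little jitter (a beacon); the other destinations are irregular or rare.
CONN_LOG = [(t, "203.0.113.7:443") for t in (0, 60, 121, 180, 241, 300, 360, 419, 480, 541)]
CONN_LOG += [(t, "198.51.100.20:443") for t in (3, 8, 203, 213, 903, 908, 2003, 2010, 2600)]
CONN_LOG += [(t, "192.0.2.9:80") for t in (10, 70, 130)]

def registered_domain(qname):
    """Naive 'last two labels' split; production code should use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def shannon_entropy(text):
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def dns_tunnel_suspects(log, min_queries=10, min_label_len=30, min_entropy=3.0):
    """Domains whose subdomains look like encoded data rather than host names."""
    per_domain = defaultdict(list)
    for _ts, qname, qtype in log:
        domain, sub = registered_domain(qname)
        per_domain[domain].append((sub, qtype))
    suspects = {}
    for domain, entries in per_domain.items():
        if len(entries) < min_queries:
            continue
        subs = [s for s, _ in entries]
        unique_ratio = len(set(subs)) / len(subs)      # tunnels never repeat a label
        avg_len = sum(map(len, subs)) / len(subs)       # encoded chunks are long
        entropy = shannon_entropy("".join(subs))        # and random-looking
        txt_ratio = sum(1 for _, q in entries if q == "TXT") / len(entries)
        if unique_ratio > 0.9 and avg_len >= min_label_len and entropy >= min_entropy:
            suspects[domain] = {"queries": len(entries), "unique_ratio": round(unique_ratio, 2),
                                "avg_sub_len": round(avg_len, 1), "entropy": round(entropy, 2),
                                "txt_ratio": round(txt_ratio, 2)}
    return suspects

def beacon_suspects(log, min_connections=8, max_cv=0.1):
    """Destinations contacted at near-constant intervals (low coefficient of variation)."""
    per_dst = defaultdict(list)
    for ts, dst in log:
        per_dst[dst].append(ts)
    beacons = {}
    for dst, times in per_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[dst] = {"connections": len(times), "period_s": round(mean, 1), "jitter_cv": round(cv, 3)}
    return beacons

if __name__ == "__main__":
    print("DNS tunnelling:", dns_tunnel_suspects(DNS_LOG))
    print("Beacons:", beacon_suspects(CONN_LOG))
```

Both checks are deliberately per-destination aggregates rather than single-packet signatures: one long TXT query or one connection proves nothing, while twelve unique 48-character labels under one domain, or ten connections 60 seconds apart with under 2 % jitter, are hard to explain innocently. Implants that randomise their sleep time defeat the plain coefficient-of-variation test, so treat it as one signal among several.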
Browser Environment Anomalies

Browser Settings Modifications

  • Unauthorized change of start page or default search engine
  • Installation of browser extensions without user authorization
  • Manipulation of proxy server settings to intercept traffic
  • Injection of malicious JavaScript into visited pages by a rogue extension or proxy

User Experience Anomalies

  • Intrusive advertising appearing outside the context of viewed pages
  • Redirects to phishing sites or resources with malicious content
  • Ad slots on otherwise legitimate sites serving malicious advertisements (malvertising)
  • Modification of web page display to implement phishing elements
Specialized Indicators by Malware Types

Indicators of Cryptominer Presence

  • Abnormally high CPU and/or GPU utilization over long time intervals
  • Presence of specific processes or services related to cryptocurrency mining
  • Communication with known mining pools or use of mining protocols
  • Sustained high level of system resource usage, especially during periods of inactivity
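
Added example for the cryptominer indicators above (not code from the original page): recognising stratum and XMRig-style JSON-RPC in the first bytes of a connection, a weak pool-port heuristic, and a counter for sustained CPU load while nobody is using the machine. Flow records and telemetry are constructed; the wallet value is a placeholder, and the port list is a convention, not a rule.

```python
import json

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
CRYPTONIGHT_METHODS = {"login", "getjob", "submit", "keepalived"}   # XMRig-style JSON-RPC
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}

# Constructed flow records (destination and first payload bytes seen); not real captures.
FLOWS = [
    {"dst": "203.0.113.50:443", "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},   # TLS hello
    {"dst": "198.51.100.77:3333", "payload":
        b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"<wallet>","pass":"x","agent":"XMRig/6.21.0"}}\n'},
    {"dst": "192.0.2.33:4444", "payload": b'{"id":1,"method":"mining.subscribe","params":["cgminer/4.10"]}\n'},
    {"dst": "203.0.113.9:80", "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

# Constructed host telemetry: (seconds since boot, cpu %, seconds since last user input),
# one sample per minute. The user leaves after sample 4; sample 12 dips to show the run counter resetting.
CPU_SAMPLES = [(60 * i, 30 if i == 12 else 95, 30 if i < 5 else (i - 4) * 120) for i in range(20)]

def classify_flow(flow):
    """Reasons this flow looks like mining-pool traffic (empty list = nothing seen)."""
    reasons = []
    port = int(flow["dst"].rsplit(":", 1)[1])
    if port in COMMON_POOL_PORTS:
        reasons.append(f"port {port} is a common stratum pool port")
    try:
        msg = json.loads(flow["payload"].decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError):
        return reasons                      # binary or non-JSON payload: port heuristic only
    if not isinstance(msg, dict):
        return reasons
    method, params = msg.get("method", ""), msg.get("params", {})
    if method in STRATUM_METHODS:
        reasons.append(f"stratum method {method!r}")
    elif method in CRYPTONIGHT_METHODS and isinstance(params, dict) and {"login", "agent"} & set(params):
        reasons.append(f"xmrig-style {method!r} from agent {params.get('agent', '?')!r}")
    return reasons

def mining_flows(flows):
    """Map destination -> reasons, for flows with at least one mining indicator."""
    out = {}
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            out[flow["dst"]] = reasons
    return out

def sustained_idle_load(samples, cpu_threshold=80, idle_threshold=600):
    """Longest run of consecutive samples with high CPU while no user has been active."""
    longest = run = 0
    for _ts, cpu, idle_s in samples:
        run = run + 1 if cpu >= cpu_threshold and idle_s >= idle_threshold else 0
        longest = max(longest, run)
    return longest

if __name__ == "__main__":
    for dst, reasons in mining_flows(FLOWS).items():
        print(dst, "->", "; ".join(reasons))
    print("idle high-load run (samples):", sustained_idle_load(CPU_SAMPLES))
```

Payload inspection only works before the miner switches to TLS (stratum+ssl), which is why the port heuristic and the idle-load counter are kept alongside it: a miner that talks TLS on port 443 is still a process that pins the CPU for hours while the screen saver runs.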

Indicators of Ransomware Presence

  • Sudden change of extensions in a significant number of files
  • Appearance of files with ransom instructions (readme.txt, recovery.html)
  • Inability to open previously accessible documents
  • Desktop wallpaper or lock screen replaced with a ransom message
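
Added example (not from the original page) that checks a directory snapshot for the ransomware signs listed above and for the double-extension trick from the file system list: ransom-note file names, mass renaming to one unexpected extension, document.pdf.exe names, and high byte entropy. The folder contents are synthetic; the “encrypted” files are SHA-256 output standing in for ciphertext, and the extension lists are illustrative.

```python
import hashlib
import math
import re
from collections import Counter

DOCUMENT_EXT = {"pdf", "docx", "doc", "xlsx", "xls", "pptx", "txt", "jpg", "jpeg", "png", "csv"}
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "ps1"}
NOTE_PATTERN = re.compile(r"(readme|restore|recover|decrypt|how[_ -]?to|ransom|unlock)", re.I)

def _pseudo_ciphertext(seed, size=4096):
    """Deterministic random-looking bytes (SHA-256 stream) standing in for encrypted content."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]

# Constructed snapshot of a Documents folder after a suspected incident: name -> content.
SNAPSHOT = {
    "budget.xlsx": b"PK\x03\x04" + b"spreadsheet cell data, " * 180,
    "notes.txt": b"meeting notes: follow up with vendor on renewal\n" * 80,
    "invoice_2024.pdf.locked": _pseudo_ciphertext("invoice"),
    "thesis.docx.locked": _pseudo_ciphertext("thesis"),
    "photo1.jpg.locked": _pseudo_ciphertext("photo1"),
    "photo2.jpg.locked": _pseudo_ciphertext("photo2"),
    "contract.pdf.locked": _pseudo_ciphertext("contract"),
    "README_TO_RESTORE.txt": b"Your files have been encrypted. To get the key, contact ...",
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 200,
}

def byte_entropy(data):
    """Shannon entropy in bits per byte (0 = constant, 8 = uniformly random)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def assess_snapshot(snapshot, rename_share=0.4, entropy_threshold=7.5):
    names = sorted(snapshot)
    ransom_notes, double_ext, high_entropy = [], [], []
    final_ext = Counter()
    for name in names:
        parts = name.lower().split(".")
        exts = parts[1:]
        last = exts[-1] if exts else ""
        final_ext[last] += 1
        # Ransom note: text/HTML file whose name promises recovery.
        if last in {"txt", "html", "hta"} and NOTE_PATTERN.search(parts[0]):
            ransom_notes.append(name)
        # document.pdf.exe: executable hiding behind a document extension.
        if len(exts) >= 2 and last in EXECUTABLE_EXT and exts[-2] in DOCUMENT_EXT:
            double_ext.append(name)
        # Content that looks encrypted. Caveat: compressed formats (zip, jpg, real
        # xlsx/docx) are also high-entropy, so combine this with the other signals.
        if byte_entropy(snapshot[name]) >= entropy_threshold:
            high_entropy.append(name)
    # Mass rename: one extension nobody expects suddenly covers a large share of files.
    mass_rename = None
    for ext, count in final_ext.most_common():
        if ext not in DOCUMENT_EXT and ext not in EXECUTABLE_EXT and count / len(names) >= rename_share:
            mass_rename = (ext, count)
            break
    return {"ransom_notes": ransom_notes, "double_extensions": double_ext,
            "high_entropy": high_entropy, "mass_rename": mass_rename}

if __name__ == "__main__":
    for indicator, value in assess_snapshot(SNAPSHOT).items():
        print(f"{indicator}: {value}")
```

The same four measurements are what canary-file and anti-ransomware monitors compute in real time; the difference is that they act on the first few renames rather than on a snapshot taken afterwards.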

Indicators of Spyware Presence

  • Webcam activation without user request (activity indicator)
  • Unusually large log files, potentially containing keylogging data
  • Unusual delay when entering text via keyboard
  • Unrecognized processes hooking keyboard input or holding handles to the camera or microphone
Specialized Indicators for Mobile Devices

Mobile Operating System Anomalies

  • Excessive battery consumption when screen is off
  • Device overheating in standby mode
  • Inability to completely turn off or restart the device
  • Spontaneous activation of screen or applications without interaction

Mobile Application Behavior Anomalies

  • Excessive requests for access to system services (contacts, messages, location)
  • Background execution of applications that should only work in active mode
  • Unauthorized activation of camera, microphone, or GPS
  • Sending SMS messages to premium numbers without user knowledge

The combination of several indicators of compromise significantly increases the likelihood of correctly identifying malware in the system and allows timely measures to minimize the potential consequences of infection.

🛡 3. Tools for Checking Devices (Computers) for Malicious Software

🔸 Malwarebytes Free (freemium: free on-demand scanner, paid real-time protection)

Designed to search for trojans, spyware, adware.

🔸 Microsoft Safety Scanner (free)

Designed to search for malicious software on Windows computers.

🔸 Zemana AntiMalware Free (freemium)

Designed to search for miners, keyloggers, and other unwanted applications.

🔸 AdwCleaner Scanner (Free)

Removes adware, unwanted toolbars, and browser hijackers.

🔸 ESET Online Scanner (Free)

Designed for deep system scanning.

🔸 RogueKiller Free Scanner (freemium)

Designed to search for rootkits and cryptojackers.

🔸 VirusTotal Online Scanner (Free)

Checks uploaded files or URLs against dozens of antivirus engines through a web interface; note that uploaded files are shared with the security community, so do not submit confidential documents.

It is important to note: these tools provide effective but not absolute protection. Even the best antivirus engines produce some false positives, so not every object flagged as potentially dangerous is actually malware.

Verify detections before removing them, especially when the flagged object is a system or work file (for example, by checking the file’s hash on VirusTotal). Treat these tools as a first line of defense that lets users without specialized security knowledge identify most common threats.
