On Tue, 7 Jan 2003, Nikhil Joshi wrote:
> Now how is the kernel to decide (if it had the powers/facility) whether a program is a virus or not?
A virus is not a program on its own. It is a snippet of code that needs to be attached to an existing program to be effective. A virus consists of three parts - one which loads it into memory - this would be written somewhere near the start of the infected binary, the payload - the stuff that the virus does, and the contagion - the part that helps the virus spread.
A worm is a program in itself that propagates on its own. It does not require user intervention or the existence of other programs. It does not infect other programs.
A trojan is a program that claims to be something that it isn't. For example, the program format.com will destroy all data on your hard disk, but that's what it says it will do - hence it is not a trojan. A program that says it is a new year card, but in reality destroys all data on your hard disk - that is a trojan. Trojans need to be executed by the user.
It is impossible for an antivirus program to identify trojans. Well-known trojans can be added to a database, but it is impossible to identify new ones based solely on what they do. Viruses are easy to detect because all viruses must have code that allows them to write themselves onto other binaries.
Worms are hard to identify, but there are telltale signs that can give a hint as to whether a piece of code is a worm or not.
Consider now, what would happen if a virus were to infect a worm.
Philip
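
The distinction drawn in the message above (a virus has to write itself onto existing binaries, while a trojan arrives as a separate program) can be seen from the defender's side with a file-integrity baseline. This is an added example, not part of the original message; the file names and contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root to (sha256 hex digest, size in bytes)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            state[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(), len(data))
    return state

def compare(baseline, current):
    """Classify files against a trusted baseline.
    modified: an existing program changed, as a file-infecting virus must do.
    new: never baselined; a trojan or worm arriving as a fresh file lands
         here, and a hash alone says nothing about what it does.
    """
    report = {"modified": [], "new": [], "missing": sorted(set(baseline) - set(current))}
    for path, (digest, size) in sorted(current.items()):
        if path not in baseline:
            report["new"].append(path)
        elif baseline[path][0] != digest:
            report["modified"].append((path, size - baseline[path][1]))
    return report

def demo():
    """Constructed sample: harmless placeholder 'programs' in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "cat", "editor"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"PROGRAM:" + name.encode())
        baseline = snapshot(root)
        # Constructed change 1: 16 inert bytes appended to an existing file.
        with open(os.path.join(root, "cat"), "ab") as fh:
            fh.write(b"\x00" * 16)
        # Constructed change 2: a new file that was never in the baseline.
        with open(os.path.join(root, "newyear_card"), "wb") as fh:
            fh.write(b"PROGRAM:card")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The modified entry is the only one the baseline can flag with confidence; the new file is reported but cannot be judged without knowing what it does.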