You said viruses were “content” not files. What’s the difference?
Since inter-computer communication became prevalent it has been necessary to send “data” from one computer to another without reliance on how that data is stored or formatted (file/database/memory) on either end. That data had to be capable of describing itself so that each end could know what they’re transmitting. Usually this is done with what is called a “header”. Headers are descriptive tags associated with a block of data – like a web page or email – that describes what it contains.
The actual content is just a number of bytes in a row that sometimes seemingly coincidentally can make words or pictures. When you visit a web page the actual response to you is a description of the data, which stores the actual “content” within itself in a form of envelope. That content is what may or may not be malicious.
Certain headers can describe the nature of that content: “content-type” describes what exactly the content is supposed to represent. In some cases this is roughly equivalent to a file type. In other cases it is only a further obfuscation of the information.
If the content is malicious then it will execute as intended unless other security measures are employed. To make it even more promiscuous – many types of “content” are open formats. This means that someone could review the content implementations for flaws in design and exploit those flaws.