You said viruses were “content” not files. What’s the difference?
Since inter-computer communication became prevalent it has been necessary to send “data” from one computer to another without reliance on how that data is stored or formatted (file/database/memory) on either end. That data had to be capable of describing itself so that each end could know what they’re transmitting. Usually this is done with what is called a “header”. Headers are descriptive tags associated with a block of data – like a web page or email – that describes what it contains.
The actual content is just a number of bytes in a row that sometimes seemingly coincidentally can make words or pictures. When you visit a web page the actual response to you is a description of the data, which stores the actual “content” within itself in a form of envelope. That content is what may or may not be malicious.
Certain headers can describe the nature of that content: “content-type” describes what exactly the content is supposed to represent. In some cases this is roughly equivalent to a file type. In other cases it is only a further obfuscation of the information.
When you receive content from another source – be it via email, web page or disk – that content can only do what it was designed to do. That intention may not be what you expect, however. An application of some type (sometimes the operating system) on your system must interpret that content. For some viruses the interpretation is simple – “script” content (“text/javascript”, “text/vbscript”, “text/scriptlet”, “text/jscript”, “text/perl”) for example – some applications (like Outlook or Chrome) are capable of interpreting this content directly, so they do.
If the content is malicious then it will execute as intended unless other security measures are employed. To make it even more promiscuous – many types of “content” are open formats. This means that someone could review the content implementations for flaws in design and exploit those flaws.