💾 Archived View for spam.works › mirrors › textfiles › virus › funpiv1.cvp captured on 2023-06-16 at 21:02:41.
-=-=-=-=-=-=-
FUNPIV1.CVP 911006
File infecting viri
File, or program, infecting viral programs, while possibly not as
numerous as boot sector infectors in terms of actual infections,
represent the greatest number of known viral strains, at least in
the MS-DOS world. This may be due to the fact that file infectors
are not as constrained in size as BSIs, or that file infectors do
not require the detailed knowledge of system "internals" which may
be necessary for effective boot sector viri.
File infecting viri spread by adding code to existing executable
files. They have the potential to become active when an infected
program is run. Whereas boot sector infectors must be memory
resident in order to spread, file infecting programs have more
options in terms of infection. This means that there is greater
range in the scope for writing file infecting viri, but it also
means that there may be fewer opportunities for a given virus to
reproduce itself.
File infecting viral programs must, of necessity, make some kind of
change in the target file. If normal DOS calls are used to write
to it the file creation date will be changed. If code is added to
it, the file size will change. Even if areas of the file are
overwritten in such a way that the file length remains unchanged,
a parity, checksum, cyclic redundancy or Hamming code check should
be able to detect the fact that there has been some change. The
Lehigh and Jerusalem viri, the first to become widely known to the
research community on the Internet, were both initially identified
by changes they made to target files (the Jerusalem being widely
known by its length as "1813".) "Change detection", therefore,
remains one of the most popular means of virus detection on the
part of antiviral software producers.
Because change detection is a means of virus detection that
requires no sophisticated programming (in some cases, no
programming at all), virus writers have attempted to camouflage
changes where they can. It is not a difficult task to avoid making
changes to the file creation date, or to return the date to its
original value. It is possible to "overlay" the original code of
the program, so that the file is not increased in size. Most
recently, virus authors have been using "stealth" programming: a
means of "shortcutting" the operating system, and returning only
the original, unchanged, values at any request for information.
copyright Robert M. Slade, 1991 FUNPIV1.CVP 911006