💾 Archived View for spam.works › mirrors › textfiles › virus › funpiv3.cvp captured on 2023-06-16 at 21:02:43.
-=-=-=-=-=-=-
FUNPIV3.CVP 911013
Viral code addition
In order to avoid damage to the original program, which might
lead to detection of the infection, the viral code can be added
to the beginning or end of the program. (Or not attached at
all.)
Adding code at the beginning of the original program ensures
that the viral code is run whenever the program is run. (This
also ensures that the virus is run before the program runs. The
virus thus has priority in terms of operation, possible
conflicts and detection.) With the addition of code to the
beginning of the program, it is possible to avoid any change to
the original code. It *is* necessary to alter the file/disk
allocation table, at least, in order to ensure that the program
"call" starts with the viral code, and that the viral code is
not overwritten by other changes to the disk or files. While
the original code may be left unchanged, the file will be,
essentially, altered, and, unless techniques are used to
disguise this, will show a different creation date, size and
image.
It is also, however, possible to add viral code to the end of
the original program, and still ensure that the viral code is
run before that of the original program. All that is necessary
is to alter the file header information to reflect the fact that
you want to start executing the file towards the end, rather
than at the normal location. At the end of the viral code
another jump returns operation to the original program.
(This kind of operation is not as odd as it may sound. It is
not even uncommon. A legacy from the days of mainframe "paging"
of memory, it is used in a great many MS-DOS executables, either
in single .EXE files or in overlays. It is, therefore, not a
coding indication that can be used to identify viral type
programs or infected files.)
Appending, or prepending, viral code to an existing program
therefore avoids the problems of damage and potential failure to
run which plague overwriting viral programs. Even these viral
programs, however, are not foolproof. Programs which load in
very non-standard ways, such as KEA's "Zstem" terminal emulation
program, use the header information which the viral programs
alter. Although not originally designed for virus detection,
the "Program abort - invalid file header" message thus generated
is an indication of viral infection. Sometimes the first
indication that users have.
copyright Robert M. Slade, 1991 FUNPIV3.CVP 911014