💾 Archived View for spam.works › mirrors › textfiles › virus › funpiv5.cvp captured on 2023-06-16 at 21:02:45.
-=-=-=-=-=-=-
FUNPIV5.CVP 911030
Infection variations
This months columns have dealt with a number of possible ways
that computer viral programs may infect program files.
Unfortunately the overwriters, prependers, appenders and
companions mentioned do not exhaust the possibilities.
(By the way, this week's column is basically courtesy of
Vesselin Bontchev, who did all the research.)
In discussing overwriting viri I mentioned, by concept although
not by name, the Zerohunt virus, which looks for a string of nul
characters of sufficient length to accommodate it. However,
there is also the Nina virus, which overwrites the beginning of
a file, and the Phoenix family, which overwrites a random
section of a file, both of which append the overwritten part to
the end. The Number of the Beast/512 virus and 1963 both
overwrite the beginning of the file and then move the contents
of the overwritten section beyond the *physical* end of the file
into a portion of the last cluster the file occupies. Because
the clusters are always of a fixed size, and because it is very
unusual for a file to exactly match a "multiple of cluster"
size, there is generally some space there which is, essentially,
invisible to the operating system.
In the world of prependers, a similar consideration is used by
the Rat virus. EXE file headers are always a multiple of 512
bytes, so there is often an unused block of space in the header
itself, which the Rat assumes. The Suriv 2.01 works a bit
harder: it moves the body of the file and inserts itself between
the header and original file, and then changes the relocation
information in the header.
Then there is the DIR II. The viral code is written to one
section of the disk ... and then the directory and file
allocation information is altered in such a way that all
programs seem to start in that one section of the disk. Because
of the convoluted way this virus works, it is possible to "lose"
all the programs on the disk by attempting to "repair" them.
At this point in my seminar, there is an overhead foil marked
"This page intentionally left blank." The point being that
there are all kinds of subtle variations on the themes covered
here ... and quite a few not so subtle means which will only
become obvious after they have been used. However, it is
important to note that the most "successful" viri in terms of
numbers of infections are not necessarily the "new models", but
the older and often less sophisticated versions. On the one
hand, this indicates that novelty is not a "viral survival
factor." On the other hand, it points out, in rather depressing
manner, that most computer users are still not using even the
most basic forms of antiviral protection.
copyright Robert M. Slade, 1991 FUNPIV5.CVP 911030