CrisNews #2 - 05/01/94 By: Childe Roland - Cris South Africa This is an attempt to explain some of the terminology used in connection with viruses. File infecting viruses. ����������������������� These viruses spread by adding code to executable files and thus have the potential to become active when an infected program is executed. Therefore they must make some change in the target file. If normal DOS calls are used to write to it the file-creation date will be changed. When code is added to it the file size will change. Should areas of the file be overwritten the length may re- main unchanged but CRC or checksum checking can detect the change in the file. This brings us to: 1.Overwriting viruses.The simplest of these just overwrite a part of the target file and puts a jump at the beginning of the pro- gram pointing to the viral code. This tends to limit their success as loss of the overwritten code may be fatal to the program. To increase their chance of success, some, like the Zerohunt virus, look for a string of nul characters of sufficient length to acco- modate it. Some append the overwritten part of the file to the end like the Nina virus which overwrites the beginning of the file and the Phoenix which overwrites a random section of the target, and then append the overwritten part to the end. Both the 512 and 1963 overwrite the beginning of a file and moves the overwritten code into a portion of the last cluster occupied by the file where there is often space which is invisible to the operating system. 2.Prepending viruses.These viruses add their code to the beginning of the target program. This ensures that the virus is executed everytime the program is, also that this happens before the pro- gram runs and it therefore has priority in terms of operation and possible conflicts. It is also necessary to alter the FAT at least to ensure that the program call starts with the viral code and that the viral code is not overwritten by other changes to tha disk or files. The original code is left unchanged but the is altered and unless techniques are used to disguise this it will show a different creation date and size. The Rat virus in- serts itself in unused space in EXE file headers. The Suriv 2.01 moves the body of the file and inserts itself between the header and original file and then changes the relocation information in the header. 3.Appending viruses. These viruses add their code to the end of the target. They must change the file header code to ensure that the file execution starts towards the end and not at the normal position. At the end of the viral code there is a jump pointing to the start of the target program. Here too the file size and date will change. 4.Companion viruses. Also known as spawning or precedence viruses. In files with similar names there is an order of precedence in their execution under DOS. First on the list is .com files, then .exe and then .bat files, i.e. virus.com is executed before virus.exe and last is virus.bat file.These viruses create a file with a similar name but a .com extension, thus the .com is al- ways executed in place of the original .exe file. The original stays exactly the same and no change detection programs will pick up the virus. The virus usually ends with a specific call to the original program while it has the hidden attribute set for it- self. Stealth viruses. ���������������� A virus usually contains some identifiable string or code that can be used to identify it, even when it is new or polymorphic. Stealth thus refers to the various mechanisms virus programs use to hide themselves. The earliest attempts at hiding were pre- venting the file size from changing and resetting the file crea- tion date to the original. Then there is the DIR II virus. The viral code is written to one section of the disk and then it alters the directory and file allocation information in such a way that all programs seem to start at that one section of the disk where the viral code is situated. Nowadays stealth refers more to the trapping mechanisms viruses use to prevent detection. These tricks are only effective once the virus is memory resident ( or active in memory.) The virus can do this because few programs read or write directly to the disk and leave the manipulation of the disk to the underlying software and hardware. The operating system provides standard interrupts which are system calls to the required functions. When a program reads from or writes to a disk it does this by calling standard interrupts or functions from a standard known address. Code can be inserted at the standard address which redirects the call to the code provided by the virus and it filters the data returned to the calling program. When an in- fected program is read the infection does not appear in the data that the calling program receives and no trace of the virus program can be found on disk. -------------------------------------------------------------- childe roland.