Robert Slade
http://www.textfiles.com/virus/funpiv3.cvp
October 1991
In order to avoid damage to the original program, which might lead to detection of the infection, the viral code can be added to the beginning or end of the program. (Or not attached at all.)
Adding code at the beginning of the original program ensures that the viral code is run whenever the program is run. (This also ensures that the virus is run before the program runs. The virus thus has priority in terms of operation, possible conflicts and detection.) With the addition of code to the beginning of the program, it is possible to avoid any change to the original code. It *is* necessary to alter the file/disk allocation table, at least, in order to ensure that the program "call" starts with the viral code, and that the viral code is not overwritten by other changes to the disk or files. While the original code may be left unchanged, the file will be, essentially, altered, and, unless techniques are used to disguise this, will show a different creation date, size and image.
It is also, however, possible to add viral code to the end of the original program, and still ensure that the viral code is run before that of the original program. All that is necessary is to alter the file header information to reflect the fact that you want to start executing the file towards the end, rather than at the normal location. At the end of the viral code another jump returns operation to the original program.
(This kind of operation is not as odd as it may sound. It is not even uncommon. A legacy from the days of mainframe "paging" of memory, it is used in a great many MS-DOS executables, either in single .EXE files or in overlays. It is, therefore, not a coding indication that can be used to identify viral type programs or infected files.)
Appending, or prepending, viral code to an existing program therefore avoids the problems of damage and potential failure to run which plague overwriting viral programs. Even these viral programs, however, are not foolproof. Programs which load in very non-standard ways, such as KEA's "Zstem" terminal emulation program, use the header information which the viral programs alter. Although not originally designed for virus detection, the "Program abort - invalid file header" message thus generated is an indication of viral infection. Sometimes the first indication that users have.
copyright Robert M. Slade, 1991 FUNPIV3.CVP 911014