Robert Slade
http://www.textfiles.com/virus/funpiv5.cvp
October 1991
This months columns have dealt with a number of possible ways that computer viral programs may infect program files. Unfortunately the overwriters, prependers, appenders and companions mentioned do not exhaust the possibilities.
(By the way, this week's column is basically courtesy of Vesselin Bontchev, who did all the research.)
In discussing overwriting viri I mentioned, by concept although not by name, the Zerohunt virus, which looks for a string of nul characters of sufficient length to accommodate it. However, there is also the Nina virus, which overwrites the beginning of a file, and the Phoenix family, which overwrites a random section of a file, both of which append the overwritten part to the end. The Number of the Beast/512 virus and 1963 both overwrite the beginning of the file and then move the contents of the overwritten section beyond the *physical* end of the file into a portion of the last cluster the file occupies. Because the clusters are always of a fixed size, and because it is very unusual for a file to exactly match a "multiple of cluster" size, there is generally some space there which is, essentially, invisible to the operating system.
In the world of prependers, a similar consideration is used by the Rat virus. EXE file headers are always a multiple of 512 bytes, so there is often an unused block of space in the header itself, which the Rat assumes. The Suriv 2.01 works a bit harder: it moves the body of the file and inserts itself between the header and original file, and then changes the relocation information in the header.
Then there is the DIR II. The viral code is written to one section of the disk ... and then the directory and file allocation information is altered in such a way that all programs seem to start in that one section of the disk. Because of the convoluted way this virus works, it is possible to "lose" all the programs on the disk by attempting to "repair" them.
At this point in my seminar, there is an overhead foil marked "This page intentionally left blank." The point being that there are all kinds of subtle variations on the themes covered here ... and quite a few not so subtle means which will only become obvious after they have been used. However, it is important to note that the most "successful" viri in terms of numbers of infections are not necessarily the "new models", but the older and often less sophisticated versions. On the one hand, this indicates that novelty is not a "viral survival factor." On the other hand, it points out, in rather depressing manner, that most computer users are still not using even the most basic forms of antiviral protection.
copyright Robert M. Slade, 1991 FUNPIV5.CVP 911030