51 lines
2.5 KiB
Plaintext
51 lines
2.5 KiB
Plaintext
|
FUNPIV3.CVP 911013
|
||
|
|
||
|
Viral code addition
|
||
|
|
||
|
In order to avoid damage to the original program, which might
|
||
|
lead to detection of the infection, the viral code can be added
|
||
|
to the beginning or end of the program. (Or not attached at
|
||
|
all.)
|
||
|
|
||
|
Adding code at the beginning of the original program ensures
|
||
|
that the viral code is run whenever the program is run. (This
|
||
|
also ensures that the virus is run before the program runs. The
|
||
|
virus thus has priority in terms of operation, possible
|
||
|
conflicts and detection.) With the addition of code to the
|
||
|
beginning of the program, it is possible to avoid any change to
|
||
|
the original code. It *is* necessary to alter the file/disk
|
||
|
allocation table, at least, in order to ensure that the program
|
||
|
"call" starts with the viral code, and that the viral code is
|
||
|
not overwritten by other changes to the disk or files. While
|
||
|
the original code may be left unchanged, the file will be,
|
||
|
essentially, altered, and, unless techniques are used to
|
||
|
disguise this, will show a different creation date, size and
|
||
|
image.
|
||
|
|
||
|
It is also, however, possible to add viral code to the end of
|
||
|
the original program, and still ensure that the viral code is
|
||
|
run before that of the original program. All that is necessary
|
||
|
is to alter the file header information to reflect the fact that
|
||
|
you want to start executing the file towards the end, rather
|
||
|
than at the normal location. At the end of the viral code
|
||
|
another jump returns operation to the original program.
|
||
|
|
||
|
(This kind of operation is not as odd as it may sound. It is
|
||
|
not even uncommon. A legacy from the days of mainframe "paging"
|
||
|
of memory, it is used in a great many MS-DOS executables, either
|
||
|
in single .EXE files or in overlays. It is, therefore, not a
|
||
|
coding indication that can be used to identify viral type
|
||
|
programs or infected files.)
|
||
|
|
||
|
Appending, or prepending, viral code to an existing program
|
||
|
therefore avoids the problems of damage and potential failure to
|
||
|
run which plague overwriting viral programs. Even these viral
|
||
|
programs, however, are not foolproof. Programs which load in
|
||
|
very non-standard ways, such as KEA's "Zstem" terminal emulation
|
||
|
program, use the header information which the viral programs
|
||
|
alter. Although not originally designed for virus detection,
|
||
|
the "Program abort - invalid file header" message thus generated
|
||
|
is an indication of viral infection. Sometimes the first
|
||
|
indication that users have.
|
||
|
|
||
|
copyright Robert M. Slade, 1991 FUNPIV3.CVP 911014
|