textfiles/virus/funpiv5.cvp

FUNPIV5.CVP   911030
   
                     Infection variations
   
This months columns have dealt with a number of possible ways
that computer viral programs may infect program files. 
Unfortunately the overwriters, prependers, appenders and
companions mentioned do not exhaust the possibilities.
   
(By the way, this week's column is basically courtesy of
Vesselin Bontchev, who did all the research.)
   
In discussing overwriting viri I mentioned, by concept although
not by name, the Zerohunt virus, which looks for a string of nul
characters of sufficient length to accommodate it.  However,
there is also the Nina virus, which overwrites the beginning of
a file, and the Phoenix family, which overwrites a random
section of a file, both of which append the overwritten part to
the end.  The Number of the Beast/512 virus and 1963 both
overwrite the beginning of the file and then move the contents
of the overwritten section beyond the *physical* end of the file
into a portion of the last cluster the file occupies.  Because
the clusters are always of a fixed size, and because it is very
unusual for a file to exactly match a "multiple of cluster"
size, there is generally some space there which is, essentially,
invisible to the operating system.
   
In the world of prependers, a similar consideration is used by
the Rat virus.  EXE file headers are always a multiple of 512
bytes, so there is often an unused block of space in the header
itself, which the Rat assumes.  The Suriv 2.01 works a bit
harder: it moves the body of the file and inserts itself between
the header and original file, and then changes the relocation
information in the header.
   
Then there is the DIR II.  The viral code is written to one
section of the disk ... and then the directory and file
allocation information is altered in such a way that all
programs seem to start in that one section of the disk.  Because
of the convoluted way this virus works, it is possible to "lose"
all the programs on the disk by attempting to "repair" them.
   
At this point in my seminar, there is an overhead foil marked
"This page intentionally left blank."  The point being that
there are all kinds of subtle variations on the themes covered
here ... and quite a few not so subtle means which will only
become obvious after they have been used.  However, it is
important to note that the most "successful" viri in terms of
numbers of infections are not necessarily the "new models", but
the older and often less sophisticated versions.  On the one
hand, this indicates that novelty is not a "viral survival
factor."  On the other hand, it points out, in rather depressing
manner, that most computer users are still not using even the
most basic forms of antiviral protection.
   
copyright Robert M. Slade, 1991   FUNPIV5.CVP   911030
Initial commit 2021-04-15 11:31:59 -07:00			`FUNPIV5.CVP 911030`

			`Infection variations`

			`This months columns have dealt with a number of possible ways`
			`that computer viral programs may infect program files.`
			`Unfortunately the overwriters, prependers, appenders and`
			`companions mentioned do not exhaust the possibilities.`

			`(By the way, this week's column is basically courtesy of`
			`Vesselin Bontchev, who did all the research.)`

			`In discussing overwriting viri I mentioned, by concept although`
			`not by name, the Zerohunt virus, which looks for a string of nul`
			`characters of sufficient length to accommodate it. However,`
			`there is also the Nina virus, which overwrites the beginning of`
			`a file, and the Phoenix family, which overwrites a random`
			`section of a file, both of which append the overwritten part to`
			`the end. The Number of the Beast/512 virus and 1963 both`
			`overwrite the beginning of the file and then move the contents`
			`of the overwritten section beyond the physical end of the file`
			`into a portion of the last cluster the file occupies. Because`
			`the clusters are always of a fixed size, and because it is very`
			`unusual for a file to exactly match a "multiple of cluster"`
			`size, there is generally some space there which is, essentially,`
			`invisible to the operating system.`

			`In the world of prependers, a similar consideration is used by`
			`the Rat virus. EXE file headers are always a multiple of 512`
			`bytes, so there is often an unused block of space in the header`
			`itself, which the Rat assumes. The Suriv 2.01 works a bit`
			`harder: it moves the body of the file and inserts itself between`
			`the header and original file, and then changes the relocation`
			`information in the header.`

			`Then there is the DIR II. The viral code is written to one`
			`section of the disk ... and then the directory and file`
			`allocation information is altered in such a way that all`
			`programs seem to start in that one section of the disk. Because`
			`of the convoluted way this virus works, it is possible to "lose"`
			`all the programs on the disk by attempting to "repair" them.`

			`At this point in my seminar, there is an overhead foil marked`
			`"This page intentionally left blank." The point being that`
			`there are all kinds of subtle variations on the themes covered`
			`here ... and quite a few not so subtle means which will only`
			`become obvious after they have been used. However, it is`
			`important to note that the most "successful" viri in terms of`
			`numbers of infections are not necessarily the "new models", but`
			`the older and often less sophisticated versions. On the one`
			`hand, this indicates that novelty is not a "viral survival`
			`factor." On the other hand, it points out, in rather depressing`
			`manner, that most computer users are still not using even the`
			`most basic forms of antiviral protection.`

			`copyright Robert M. Slade, 1991 FUNPIV5.CVP 911030`