CrisNews #2 - 05/01/94

By: Childe Roland - Cris South Africa

This is an attempt to explain some of the terminology used in
connection with viruses.

File infecting viruses.
───────────────────────

These viruses spread by adding code to executable files and thus
have the potential to become active when an infected program is
executed. To do that they must make some change to the target
file, and each kind of change leaves a trace. If the virus writes
to the file through normal DOS calls, DOS updates the file's date
and time stamp (under DOS the directory entry holds only the time
of last write, which is what DIR shows). When code is added to the
file its size changes. Where areas of the file are overwritten
instead, the length may remain unchanged, but a CRC or checksum
taken beforehand and compared afterwards will still detect the
change in the file.

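A baseline-and-verify check built on exactly those three traces (size, date stamp, CRC), written here as an added example in Python; it is not code from the article or from any tool it mentions. It constructs its own 64-byte "program" in a temporary directory and applies two tamperings: an append that grows the file (with the date stamp refreshed, as a DOS write would do) and a same-length overwrite that puts the date stamp back. The timestamp value and the byte patterns are arbitrary.

```python
"""Integrity baseline for executables, built on the three traces the
text names: size, date stamp and a CRC.  Added example, not code from
CrisNews or any tool it mentions.  Uses zlib's CRC-32, as the checkers
of the period did; a modern tool would use SHA-256 with the same logic."""
import os
import tempfile
import zlib

FIELDS = ("size", "mtime", "crc")

def fingerprint(path):
    """Size, last-write time (whole seconds) and CRC-32 of one file."""
    st = os.stat(path)
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "crc": crc & 0xFFFFFFFF}

def baseline(paths):
    """Record fingerprints for a set of files, normally on a known-clean system."""
    return {p: fingerprint(p) for p in paths}

def verify(base):
    """Return {path: [changed fields]} for every file that differs from `base`."""
    changes = {}
    for path, old in base.items():
        if not os.path.exists(path):
            changes[path] = ["missing"]
            continue
        new = fingerprint(path)
        diff = [f for f in FIELDS if old[f] != new[f]]
        if diff:
            changes[path] = diff
    return changes

def demo():
    """Constructed scenario, not a real sample: a 64-byte 'program', first
    grown by an appending infector (DOS also refreshes the date stamp on
    write), then rewritten in place by an overwriting infector that puts
    the date stamp back.  Returns the changed-field lists for both cases."""
    stamp = 757728000                               # arbitrary fixed timestamp
    with tempfile.TemporaryDirectory() as tmp:
        prog = os.path.join(tmp, "PROG.COM")
        original = b"\xB4\x4C\xCD\x21" + b"\x00" * 60   # mov ah,4Ch / int 21h, then NULs
        with open(prog, "wb") as fh:
            fh.write(original)
        os.utime(prog, (stamp, stamp))
        base = baseline([prog])

        with open(prog, "ab") as fh:                # appending: size grows
            fh.write(b"\x90" * 16)
        os.utime(prog, (stamp + 86400, stamp + 86400))   # DOS write updates the stamp
        appended = verify(base)[prog]

        with open(prog, "wb") as fh:                # overwriting: same length
            fh.write(b"\xEB\x3E" + original[2:62] + b"\xC3\x90")
        os.utime(prog, (stamp, stamp))              # virus resets the date stamp
        overwritten = verify(base)[prog]
    return appended, overwritten
```

The second case is the one the text warns about: size and date both look untouched, and only the CRC reports the change. The baseline must be taken from a clean system, and for the stealth viruses discussed later it must also be verified from a clean boot, since a resident virus can feed this checker the original bytes.
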
This brings us to:

1. Overwriting viruses. The simplest of these just overwrite a part
of the target file and put a jump at the beginning of the program
pointing to the viral code. This tends to limit their success, as
loss of the overwritten code is usually fatal to the host program,
and a program that no longer works gets noticed and replaced. To
increase their chance of success some, like the Zerohunt virus,
look for a string of NUL characters of sufficient length to
accommodate the virus, so that nothing of value is destroyed.
Others save the overwritten part of the file by appending it to
the end: the Nina virus overwrites the beginning of the file and
the Phoenix overwrites a random section of the target, and both
then append the overwritten part to the end. Both the 512 and the
1963 overwrite the beginning of a file and move the overwritten
code into the unused tail of the last cluster occupied by the file
(the "slack space" between the end of the file and the end of the
cluster), which DOS never shows and which does not count towards
the file size. A file whose reported length is unchanged can thus
still carry a virus, which is why length alone is a poor check.

2. Prepending viruses. These viruses add their code to the beginning
of the target program. This ensures that the virus is executed
every time the program is, and that this happens before the
program runs, so the virus has priority in terms of operation and
in any conflict with the host. Because the file grows, the write
that puts the virus in place also makes DOS allocate extra
clusters and update the FAT, and the larger file is then loaded as
a whole, starting with the viral code. The original code is left
unchanged but the file is altered, and unless techniques are used
to disguise this it will show a different date stamp and size. The
Rat virus inserts itself in unused space in EXE file headers. The
Suriv 2.01 moves the body of the file and inserts itself between
the header and the original file, and then changes the relocation
information in the header so that the program still runs from its
new position.

3. Appending viruses. These viruses add their code to the end of
the target. They must then change the start of the file so that
execution begins at the appended code and not at the normal
position: in an .EXE this means changing the initial CS:IP in the
header; in a .COM, which has no header and always starts at its
first byte, the first few bytes are replaced by a jump to the
virus and the original bytes are saved inside the virus body. At
the end of the viral code there is a jump back to the start of the
original program, after restoring any bytes the virus overwrote.
Here too the file size and date will change.

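The changed entry point is itself a trace a checker can look for. The following is an added example in Python, not code from the article: it parses the two things an appending infector must touch, the leading JMP of a .COM and the CS:IP (plus size fields) of an MZ header, and flags a file whose entry point lies near its end. The "last 25% of the file" threshold and the sample files (NOPs for host code, INT 3s for virus code) are constructed for illustration and are not published figures or real samples.

```python
"""Entry-point check for appending infectors.  Added example, not code
from CrisNews; the sample files it examines are constructed below.

A .COM starts executing at its first byte (offset 100h in memory), so an
appending virus patches the first three bytes into a JMP to itself.  An
.EXE starts where the MZ header's CS:IP says, so the virus points CS:IP
at the appended code.  Either way the entry point lands near the end of
the file, which a normally linked program almost never does.  The
"last 25% of the file" threshold is an assumption for illustration, and
a virus that also fails to update the header's size fields leaves a
second trace."""
import struct

def is_exe(data):
    return len(data) >= 0x1C and data[:2] in (b"MZ", b"ZM")

def com_entry_offset(data):
    """File offset the first instruction of a .COM transfers to (0 if not a JMP)."""
    if len(data) >= 3 and data[0] == 0xE9:          # JMP rel16, relative to next instruction
        return 3 + struct.unpack_from("<h", data, 1)[0]
    if len(data) >= 2 and data[0] == 0xEB:          # JMP rel8
        return 2 + struct.unpack_from("<b", data, 1)[0]
    return 0

def exe_entry_offset(data):
    """File offset of the MZ entry point: header size + CS*16 + IP."""
    hdr_paras = struct.unpack_from("<H", data, 8)[0]
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    return hdr_paras * 16 + cs * 16 + ip

def exe_declared_size(data):
    """Image size the MZ header claims: 512-byte pages, the last one partial."""
    last_page, pages = struct.unpack_from("<HH", data, 2)
    return pages * 512 - ((512 - last_page) if last_page else 0)

def suspicious(data, tail=0.25):
    """Reasons (possibly none) to suspect an appending infection."""
    reasons = []
    if is_exe(data):
        entry = exe_entry_offset(data)
        if len(data) > exe_declared_size(data):
            reasons.append("bytes beyond the header-declared image size")
    else:
        entry = com_entry_offset(data)
    if data and entry >= len(data) * (1 - tail):
        reasons.append("entry point in the last %d%% of the file" % round(tail * 100))
    return reasons

# --- constructed samples (NOPs stand in for host code, INT 3s for virus code) ---

def build_com(host_len, virus_len=0):
    """A .COM of `host_len` bytes, optionally with `virus_len` bytes appended
    and the first three bytes patched into a JMP to them."""
    body = bytearray(b"\x90" * host_len)
    if virus_len:
        body += b"\xCC" * virus_len
        body[0:3] = b"\xE9" + struct.pack("<h", host_len - 3)
    return bytes(body)

def build_exe(code_len, virus_len=0, fix_size=True):
    """An .EXE with a 32-byte header and `code_len` bytes of code; an infected
    one has `virus_len` bytes appended with CS:IP moved onto them.  With
    fix_size=False the virus neglects the header's size fields."""
    hdr_len = 32
    declared = hdr_len + code_len + (virus_len if fix_size else 0)
    pages, last_page = divmod(declared, 512)
    if last_page:
        pages += 1
    cs, ip = divmod(code_len, 16) if virus_len else (0, 0)
    header = struct.pack("<2s13H", b"MZ", last_page, pages, 0, hdr_len // 16,
                         0, 0xFFFF, 0, 0xFF, 0, ip, cs, 0x1C, 0) + b"\x00" * 4
    return header + b"\x90" * code_len + b"\xCC" * virus_len
```

This is a heuristic, not a signature: a legitimate program with unusual link order can trip it, and a prepending virus of the Suriv 2.01 kind, which leaves the entry at the front, does not. It complements rather than replaces the size/date/CRC comparison.
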
4. Companion viruses. Also known as spawning or precedence viruses.
When several files in a directory share a base name but differ in
extension, DOS runs them in a fixed order of precedence. First on
the list is the .COM file, then the .EXE and then the .BAT file,
i.e. if you type VIRUS, VIRUS.COM is executed in preference to
VIRUS.EXE, and VIRUS.BAT comes last. These viruses create a file
with the same base name as the target but a .COM extension, so the
.COM is always executed in place of the original .EXE. The
original stays exactly the same, so a change-detection program
that only checks the files it already knows about will not notice
anything; only a check that also looks for new files, or for a
.COM sitting next to a .EXE of the same name, will find it. The
virus usually ends with an explicit call to the original program,
so that it appears to work as before, and sets the hidden
attribute on itself so that it does not show in a directory
listing.

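The precedence rule, and the check it suggests, as an added example in Python (not code from the article). It models how COMMAND.COM resolves a bare command name and then reports every .EXE or .BAT that a .COM somewhere earlier in the search order would pre-empt. It goes one step beyond the same-directory case in the text: DOS tries the three extensions in the current directory and then in each PATH directory in turn, so a companion dropped into an earlier PATH directory wins the same way. The directory contents and attribute strings ("H" for hidden) are constructed.

```python
"""How COMMAND.COM picks the file to run, and a check for .COM files that
win that race.  Added example, not from CrisNews; the directory contents
below are constructed.  DOS tries NAME.COM, NAME.EXE, NAME.BAT in the
current directory and then the same three in each PATH directory in
turn, so the check also covers a companion placed in an earlier PATH
directory.  The attribute string models DOS attributes ("H" = hidden)."""

ORDER = (".COM", ".EXE", ".BAT")        # precedence for a bare command name

def _normalise(search_dirs):
    """Upper-case every name and attribute string; DOS is case-insensitive."""
    return [(d, {n.upper(): a.upper() for n, a in listing.items()})
            for d, listing in search_dirs]

def resolve(command, search_dirs):
    """(directory, filename) DOS would run for `command`, or None.

    search_dirs: list of (directory, {filename: attributes}) in search
    order, current directory first, then each PATH entry.  All three
    extensions are tried in one directory before moving to the next."""
    base = command.upper()
    for directory, listing in _normalise(search_dirs):
        for ext in ORDER:
            if base + ext in listing:
                return directory, base + ext
    return None

def shadowed_by_com(search_dirs):
    """Every .EXE or .BAT that a .COM somewhere in the search order pre-empts.

    Each finding is ((victim_dir, victim_name), (winner_dir, winner_name),
    winner_attrs).  A hidden winner carrying the victim's own base name is
    the classic companion virus."""
    dirs = _normalise(search_dirs)
    by_dir = dict(dirs)
    findings = []
    for directory, listing in dirs:
        for name in listing:
            base, dot, ext = name.rpartition(".")
            if not dot or "." + ext not in (".EXE", ".BAT"):
                continue
            winner = resolve(base, dirs)
            if winner and winner != (directory, name) and winner[1].endswith(".COM"):
                findings.append(((directory, name), winner, by_dir[winner[0]][winner[1]]))
    return findings

# Constructed directory contents: WP.COM is a hidden companion to WP.EXE in the
# current directory; XCOPY.COM in C:\UTIL (earlier on PATH) shadows C:\DOS\XCOPY.EXE.
SAMPLE = [
    ("C:\\WP",   {"WP.EXE": "A", "WP.COM": "AH", "SPELL.EXE": "A"}),
    ("C:\\UTIL", {"XCOPY.COM": "AH", "PKZIP.EXE": "A"}),
    ("C:\\DOS",  {"FORMAT.COM": "A", "XCOPY.EXE": "A", "CHKDSK.EXE": "A"}),
]
```

Running `shadowed_by_com(SAMPLE)` reports WP.EXE and XCOPY.EXE, each pre-empted by a hidden .COM. Not every hit is a virus (some packages legitimately ship a .COM loader beside an .EXE), but a hidden .COM with the same base name as an existing .EXE, created after the .EXE, is exactly the pattern the text describes and deserves a look.
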
Stealth viruses.
────────────────

A virus usually contains some identifiable string or code sequence
that a scanner can use to recognise it; even a new or polymorphic
virus, whose body is encrypted differently in each copy, still
leaves some pattern (its decryptor, its effect on files) that can
eventually be matched. Stealth thus refers to the various
mechanisms virus programs use to hide themselves. The earliest
attempts at hiding were preventing the file size from changing and
resetting the file's date stamp to the original after infection.

Then there is the DIR II virus. The viral code is written to one
section of the disk and the directory and file allocation
information is then altered so that every program appears to start
at that one section of the disk where the viral code is situated,
so the virus runs first whichever program is started.

Nowadays stealth refers more to the trapping mechanisms viruses
use to prevent detection. These tricks are only effective once the
virus is memory resident (active in memory). The virus can do this
because few programs read or write directly to the disk; they
leave the manipulation of the disk to the underlying software and
hardware. The operating system provides standard interrupts which
are system calls to the required functions: DOS file services are
reached through INT 21h and the BIOS disk routines through INT
13h, and the address of the code serving each interrupt is held in
the interrupt vector table at the start of memory. When a program
reads from or writes to a disk it calls these interrupts, so the
virus replaces the vector with the address of its own code. That
code passes most requests through to the original handler but
filters the data returned to the calling program: a directory
search reports the original file size, and a read of an infected
file returns the original bytes (some viruses go as far as
disinfecting the file on open and reinfecting it on close). When
an infected program is examined in this way the infection does not
appear in the data the calling program receives, and no trace of
the virus can be found on disk by a scanner or integrity checker
running on the infected system. The trick only works while the
virus is in memory, so the standard counter is to boot from a
clean, write-protected system diskette and examine the disk from
there.

--------------------------------------------------------------
childe roland.