FUNGEN5.CVP 910828

Viral activation

In attempting to protect against viral infection, and
particularly when trying to disinfect systems, it is important to
bear in mind the times that the virus is actively "infectious".
The viral activation is not the same as the activation of the
payload that a virus may carry. For example, the payload of the
original "Stoned" virus was a message which appeared on the
screen saying "Your PC is now Stoned!". This message only
appears at boot time, and on only one eighth of the times the
computer is rebooted. The virus, however, is infectious at all
times, if it has infected the hard disk.

There are basically three possibilities for the infectious
period: now ("one-shot"), during program run ("while called") or
from now on (resident). These periods may be modified by other
circumstances. A resident virus may remain in memory, but only
be actively infecting when a disk is accessed. A "while called"
virus may only infect a new program when a directory is changed.

"One-shot" viri only get one chance on each "run" of the infected
program. The viral code will seek out and infect a target
program. It then passes control to the original program, and
performs no further functions. These are, of course, the simplest
of the viral programs. Mainframe "mail" viri are generally of
this type.

The second class will activate when the infected program is
called, and then pass partial control to the original program.
The virus, however, will remain operational during the time that
the infected program is running. If this can be accomplished, it
is only a slight jump to write a fully memory resident virus.

Resident viri are the most successful, and the most dangerous, of
viral programs. A resident virus will become active when an
infected program is run (or at boot time for boot sector
infectors), and remain active until the computer is rebooted or
turned off. (Some viral programs are even able to trap the
rebooting sequence that is normally called when you press
Ctrl-Alt-Del on an MS-DOS PC, and thus are able to survive a "warm
boot.") The most successful of the file infectors, the Jerusalem
virus, is resident, as are all boot sector infectors. (For
fairly obvious reasons: the boot sector is never "called" in
normal operation.)

If a virus is active in memory, it is a waste of time trying to
disinfect a file or disk. No sooner is the file "cleaned" than
it becomes a suitable target for re-infection. You may try to
disinfect a hard disk right down to performing a low level
format: as soon as the disk is reformatted it may be infected all
over again. This is why all directions for disinfection stress
the necessity of "cold" booting from a disk that is known to be
free of infection before attempting any cleanup.

copyright Robert M. Slade, 1991 FUNGEN5.CVP 910828