VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

File infecting viri

Robert Slade
October 1991

[Back to index] [Comments]

File, or program, infecting viral programs, while possibly not as numerous as boot sector infectors in terms of actual infections, represent the greatest number of known viral strains, at least in the MS-DOS world. This may be due to the fact that file infectors are not as constrained in size as BSIs, or that file infectors do not require the detailed knowledge of system "internals" which may be necessary for effective boot sector viri.

File infecting viri spread by adding code to existing executable files. They have the potential to become active when an infected program is run. Whereas boot sector infectors must be memory resident in order to spread, file infecting programs have more options in terms of infection. This means that there is greater range in the scope for writing file infecting viri, but it also means that there may be fewer opportunities for a given virus to reproduce itself.

File infecting viral programs must, of necessity, make some kind of change in the target file. If normal DOS calls are used to write to it the file creation date will be changed. If code is added to it, the file size will change. Even if areas of the file are overwritten in such a way that the file length remains unchanged, a parity, checksum, cyclic redundancy or Hamming code check should be able to detect the fact that there has been some change. The Lehigh and Jerusalem viri, the first to become widely known to the research community on the Internet, were both initially identified by changes they made to target files (the Jerusalem being widely known by its length as "1813".) "Change detection", therefore, remains one of the most popular means of virus detection on the part of antiviral software producers.

Because change detection is a means of virus detection that requires no sophisticated programming (in some cases, no programming at all), virus writers have attempted to camouflage changes where they can. It is not a difficult task to avoid making changes to the file creation date, or to return the date to its original value. It is possible to "overlay" the original code of the program, so that the file is not increased in size. Most recently, virus authors have been using "stealth" programming: a means of "shortcutting" the operating system, and returning only the original, unchanged, values at any request for information.

copyright Robert M. Slade, 1991 FUNPIV1.CVP 911006

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka