the two as suits my mood. Now back to the other stuff... A biological virus is a parasitic "organism" which uses its host to spread itself. It must keep the host alive to keep itself "alive." Only when it has spread everywhere will the host die a painful, horrible death. The modern electronic virus is no different. It attaches itself to a host system and reproduces until the entire system is fucked. It then proceeds and neatly wrecks the system of the dimwit who caught the virus. Replication is what distinguishes a virus from Anybody can write a trojan, but a virus is much more almost invisibly, and catches the victim off-guard when surfaces. The first question is, of course, how does a virus and EXE infections (along with sample infection routines)
a simple trojan. elegant.
It acts
it finally spread?
Both COM
shall be presented.
There are two major approaches to virii: runtime and TSR. Runtime virii infect, yup, you guessed it, when the infected program is run, while TSR virii go resident when the infected programs are run and hook the interrupts and infect when a file is run, open, closed, and/or upon termination (i.e. INT 20h, INT 21h/41h). There are advantages and disadvantages to each. Runtime virii are harder to detect as they don't show up on memory maps, but, on the other hand, the delay while it searches for and infects a file may give it away. TSR virii, if not properly done, can be easily spotted by utilities such as MAPMEM, PMAP, etc, but are, in general, smaller since they don't need a function to search for files to infect. They are also faster than runtime virii, also because they don't have to search for files to infect. I shall cover runtime virii here, and TSR virii in a later installment. Here is 1) 2) 3) 4)
a summary of the infection procedure: Find a file to infect. Check if it meets the infection criteria. See if it is already infected and if so, go back to 1. Otherwise, infect the file.