Computer Viruses
by BlenderHead
Types of Viruses
Q: What is a virus?
A VIRUS is a small, executable program with the ability to replicate
itself by adding its code to that of a host program and/or the system
area of a hard or floppy disk. The user is generally unaware of the
actions of a virus as it replicates and usually only becomes aware of
its presence when the virus 'activates', which it does according to a
given set of conditions and at which time it is often too late.
However, once the user knows what signs to look for, it can be very
obvious when viral activity occurs. More on the signs in a little bit.
Let's discuss the difference between viruses.
Every virus has its own personality. Viruses differ in many ways, each
having its own unique properties that make it different. Here are some
ways that viruses differ from each other:
SIZE - A virus can be as small as 66 bytes or less, or as large
as 4096 bytes or more. Compared to most computer programs a virus
must be very small.
METHOD OF INFECTION - A virus can infect the host program in
different ways. Below are three methods commonly used. They are
by no means the only ways, but they are the most common. It is
possible for a virus to use one or more of these methods.
OVERWRITING - When a virus infects using this method, it will
simply write a copy of itself over the beginning of the host
program. This is a very simple method and is used by more
primitive viruses. An infected file has been destroyed and
must be restored from a backup disk. Overwriting tends to make
the user suspicious because the host program no longer
functions. This method of infection causes no change in the
size of an infected program.
APPENDING - This method is a bit more complex. The virus
appends itself onto the end of the host program and also edits
the beginning of the program. When the user runs the infected
program it will jump to the end of the program where the virus
is located, perform the functions of the virus, then return
and continue to run the host program. To the user, the program
is functioning normally. This method of infection causes
infected programs to increase in size.
Some appending viruses are unable to tell whether or not
they have already infected a program and will continue to
infect the program hundreds of times, causing it to grow
considerably in size.
DISK INFECTORS - Other viruses will infect the boot record or
partition table. This is an executable area of the disk that
is automatically run every time you boot up from the disk.
This means that as soon as the computer boots up, the virus is
in memory.
TSR - A virus may or may not become resident in memory. If it
does go TSR, then its chances of infecting files are greatly
increased. Otherwise it can only do its stuff when an infected
program is run. If the virus is in memory it can infect files any
time it chooses. Partition table and boot sector infecting viruses
are always TSRs.
STEALTH - Some TSR viruses use a sophisticated technique called
Stealth cloaking. What this means is the virus will fool the
system so that everything appears to be normal. When a user does
a directory listing the virus will intercept the disk read, and
alter the data so that the file sizes appear to be unchanged,
when in actuality they have increased in size.
Boot sector infectors may use stealth so that when the user
attempts to view the boot record, instead of showing the actual
boot record, a copy of the old boot record is returned instead.
Because of stealth techniques it may be impossible to detect a
virus once it has become resident in memory. The only sure way to
check for a stealth virus is to boot from a clean, write-protected
floppy, then scan the hard drive. It is a good idea to prepare such
a floppy disk ahead of time and add anti-virus software such as Scan
and F-Prot to it.
ACTIVATION CRITERIA AND EFFECT - The other area that gives a virus
its personality is the activation criteria, or what makes it go
off. Some activate by the date, others activate when a certain
program is run, and others will activate when they can't find any
more files that haven't been infected yet.
When a virus activates it will take a certain action. I will
refer to this as the activation effect. The effect may be as
simple and harmless as displaying a message or as malicious as
trashing the victim's hard drive. Obviously, you want to find the
virus BEFORE it activates.
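The size behaviour described under METHOD OF INFECTION can be checked from the defender's side with a baseline of known-good files. The following is an added example, not part of the original text; the file names and byte contents are constructed, and SHA-256 is an assumption standing in for whatever checksum tool is at hand.

```python
import hashlib


def snapshot(files):
    """Record (size, SHA-256) for each file; `files` maps name -> bytes."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def classify(baseline, current):
    """Label every file in the baseline by how it differs in `current`."""
    report = {}
    for name, (size0, digest0) in baseline.items():
        if name not in current:
            report[name] = "missing"
            continue
        size1, digest1 = current[name]
        if digest1 == digest0:
            report[name] = "unchanged"
        elif size1 == size0:
            # Overwriting pattern: a size-only comparison would miss this.
            report[name] = "changed, same size"
        elif size1 > size0:
            # Appending pattern: the file has grown.
            report[name] = f"grew by {size1 - size0} bytes"
        else:
            report[name] = "shrank"
    return report


# Constructed sample data: a baseline taken while the system was clean...
CLEAN = {
    "EDIT.COM": b"\x90" * 1200,
    "FORMAT.COM": b"\x90" * 3000,
    "MORE.COM": b"\x90" * 500,
}
# ...and a later state read after booting from the clean floppy, so a
# resident stealth virus cannot falsify the sizes or contents returned.
LATER = {
    "EDIT.COM": b"\xCC" * 300 + CLEAN["EDIT.COM"][300:],       # start replaced
    "FORMAT.COM": b"\xE9\x00\x00" + CLEAN["FORMAT.COM"][3:] + b"\xCC" * 648,
    "MORE.COM": CLEAN["MORE.COM"],
}

REPORT = classify(snapshot(CLEAN), snapshot(LATER))
for name, verdict in REPORT.items():
    print(f"{name:12} {verdict}")
```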
Just as with the AIDS virus, there is a lot of bullshit concerning the
conditions under which a virus may infect your system. A virus can
only be caught by executing a program that has been infected with a
virus or by ATTEMPTING to boot up from an infected disk. You cannot
get a virus by merely LOOKING at an infected program or disk. A virus
can infect just about any executable file (EXE, COM, OVL, SYS, DRV, BIN) and
the partition table and master boot record of floppies and hard disks.
Notice that above I said "attempting" to boot up from an infected
disk. Even if you attempt to boot up from A: and it tells you,
"Non-System disk" and then you boot from C: instead, the virus can
still be active if A: was infected. This is very important. It doesn't
have to be a successful boot for the virus to get into memory. The
first thing it will probably do is infect C: drive. Then if you put a
new disk in A:, that will in turn be infected. That is why it is
important to keep a clean, write-protected floppy.
Anti-Virus Software
What TO use:
These are some of the AV products that I DO recommend for you to
use. The more Anti-Virus software, the better protected you are.
Allow me to quickly explain what a Heuristic Scan is.
Normally, a virus scanner will look for a 'signature', a series of
bytes that occur inside the virus that can be used to identify a
specific virus. A heuristic scan takes a different approach. It
evaluates the code and looks for virus-like programming techniques.
This technique enables the scanner to find new or unknown viruses
and variations but also tends to cause more false positives and
takes longer. It is a very useful feature.
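The difference between the two scan types, as an added example that is not from the original text or from any scanner named in it: the signature, the sample buffers and the single heuristic (a DOS .COM image whose first instruction jumps into its own tail, the layout the APPENDING method leaves behind) are all constructed for illustration.

```python
# Constructed signature; it does not correspond to any real virus.
SIGNATURES = {"Demo.A": bytes.fromhex("deadbeef4242")}


def signature_scan(data):
    """Return the names of known signatures found anywhere in the buffer."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def heuristic_entry_jump(data, tail=512):
    """Flag a .COM image that starts with a near JMP (opcode 0xE9) landing
    in the last `tail` bytes of the file. Legitimate programs can have the
    same shape, which is where the false positives come from."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    rel16 = int.from_bytes(data[1:3], "little")
    target = (3 + rel16) & 0xFFFF   # JMP is relative to the next instruction
    return max(3, len(data) - tail) <= target < len(data)


def scan(data):
    """Run both checks: (signature names, heuristic flag)."""
    return signature_scan(data), heuristic_entry_jump(data)


def jump_to_tail(body, tail_bytes):
    """Build a constructed sample: JMP over `body` into `tail_bytes`."""
    return b"\xE9" + len(body).to_bytes(2, "little") + body + tail_bytes


HOST = b"\x90" * 2000                                    # filler host body
KNOWN = jump_to_tail(HOST, SIGNATURES["Demo.A"] + b"\x90" * 94)
VARIANT = jump_to_tail(HOST, b"\x90" * 100)              # same layout, no signature
CLEAN_PROG = b"\xB4\x4C\xCD\x21" + b"\x00" * 2000        # MOV AH,4Ch / INT 21h
JUMP_OVER_DATA = jump_to_tail(b"A" * 40, b"\xB4\x4C\xCD\x21")  # harmless small program

for label, sample in [("known", KNOWN), ("variant", VARIANT),
                      ("clean", CLEAN_PROG), ("jump-over-data", JUMP_OVER_DATA)]:
    print(f"{label:15} {scan(sample)}")
```

The variant is missed by the signature scan and caught by the heuristic, while the harmless jump-over-data program is flagged by the heuristic as a false positive.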
Well, that's it for now. Now that we have covered the basics, that
will allow us to get into the more fun stuff next time, like how to
play with viruses. See ya guys next time.
(714)871-2057 Digital Decay BBS (714)871-2057
Bringing you the finest in Anarchy
340 Megs/ 5+ Megs textfiles/ 800+ virii
24/7 2400/14.4
Call Now!