Copy Link
Add to Bookmark
Report
Cris Vol 2 Issue 03
CrisNews #2 - 05/01/94
By: Childe Roland - Cris South Africa
This is an attempt to explain some of the terminology used in
connection with viruses.
File infecting viruses.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
These viruses spread by adding code to executable files and thus
have the potential to become active when an infected program is
executed. Therefore they must make some change in the target file.
If normal DOS calls are used to write to it the file-creation
date will be changed. When code is added to it the file size will
change. Should areas of the file be overwritten the length may re-
main unchanged but CRC or checksum checking can detect the change
in the file.
This brings us to:
1.Overwriting viruses.The simplest of these just overwrite a part
of the target file and puts a jump at the beginning of the pro-
gram pointing to the viral code. This tends to limit their success
as loss of the overwritten code may be fatal to the program. To
increase their chance of success, some, like the Zerohunt virus,
look for a string of nul characters of sufficient length to acco-
modate it. Some append the overwritten part of the file to the
end like the Nina virus which overwrites the beginning of the file
and the Phoenix which overwrites a random section of the target,
and then append the overwritten part to the end.
Both the 512 and 1963 overwrite the beginning of a file and moves
the overwritten code into a portion of the last cluster occupied
by the file where there is often space which is invisible to the
operating system.
2.Prepending viruses.These viruses add their code to the beginning
of the target program. This ensures that the virus is executed
everytime the program is, also that this happens before the pro-
gram runs and it therefore has priority in terms of operation and
possible conflicts. It is also necessary to alter the FAT at
least to ensure that the program call starts with the viral code
and that the viral code is not overwritten by other changes to
tha disk or files. The original code is left unchanged but the
is altered and unless techniques are used to disguise this it
will show a different creation date and size. The Rat virus in-
serts itself in unused space in EXE file headers. The Suriv 2.01
moves the body of the file and inserts itself between the header
and original file and then changes the relocation information
in the header.
3.Appending viruses. These viruses add their code to the end of
the target. They must change the file header code to ensure that
the file execution starts towards the end and not at the normal
position. At the end of the viral code there is a jump pointing
to the start of the target program. Here too the file size and
date will change.
4.Companion viruses. Also known as spawning or precedence viruses.
In files with similar names there is an order of precedence in
their execution under DOS. First on the list is .com files, then
.exe and then .bat files, i.e. virus.com is executed before
virus.exe and last is virus.bat file.These viruses create a file
with a similar name but a .com extension, thus the .com is al-
ways executed in place of the original .exe file. The original
stays exactly the same and no change detection programs will pick
up the virus. The virus usually ends with a specific call to the
original program while it has the hidden attribute set for it-
self.
Stealth viruses.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
A virus usually contains some identifiable string or code that
can be used to identify it, even when it is new or polymorphic.
Stealth thus refers to the various mechanisms virus programs use
to hide themselves. The earliest attempts at hiding were pre-
venting the file size from changing and resetting the file crea-
tion date to the original.
Then there is the DIR II virus. The viral code is written to one
section of the disk and then it alters the directory and file
allocation information in such a way that all programs seem to
start at that one section of the disk where the viral code is
situated.
Nowadays stealth refers more to the trapping mechanisms viruses
use to prevent detection. These tricks are only effective once
the virus is memory resident ( or active in memory.) The virus
can do this because few programs read or write directly to the
disk and leave the manipulation of the disk to the underlying
software and hardware. The operating system provides standard
interrupts which are system calls to the required functions.
When a program reads from or writes to a disk it does this by
calling standard interrupts or functions from a standard known
address. Code can be inserted at the standard address which
redirects the call to the code provided by the virus and it
filters the data returned to the calling program. When an in-
fected program is read the infection does not appear in the
data that the calling program receives and no trace of the
virus program can be found on disk.
--------------------------------------------------------------
childe roland.
