1.6 Types of Viruses

* What is a Nonresident virus?
* What is a Resident virus?
* What are Fast Infectors?
* What are Slow Infectors?
* What exactly is a companion virus?
* What Virus extensions does an antivirus program typically assign to a virus once it has been found?
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
For simple viruses the replicator's task is to:
1. Open the new file.
2. Check if the executable file has already been infected (if it is, return to the finder module).
3. Append the virus code to the executable file.
4. Save the executable's starting point.
5. Change the executable's starting point so that it points to the start location of the newly copied virus code.
6. Save the old start location to the virus in a way so that the virus branches to that location right after its execution.
7. Save the changes to the executable file.
8. Close the infected file.
9. Return to the finder so that it can find new files for the replicator to infect.
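As an added defensive example (not part of the original page), the following Python script records a baseline of an executable's size, PE entry point and hash, and then reports the two changes that the replicator steps above leave behind: a redirected entry point and a file that has grown. The PE-shaped samples are constructed test fixtures, not real programs, and `build_sample` is a hypothetical helper that only fills the header fields the check reads.

```python
import hashlib
import struct

PE_OFFSET = 0x40  # where the constructed samples place the "PE\0\0" signature


def build_sample(entry_point, code=b"\x90" * 32):
    """Constructed, minimal PE-shaped blob (not a runnable program).
    Only e_lfanew, the PE signature and AddressOfEntryPoint carry meaning."""
    dos = bytearray(PE_OFFSET)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_OFFSET)            # e_lfanew
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)             # AddressOfEntryPoint
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code


def entry_point_of(data):
    """Read AddressOfEntryPoint from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 4 + 20                                        # skip signature + COFF header
    return struct.unpack_from("<I", data, opt + 16)[0]


def baseline(data):
    """What a clean installation records for later comparison."""
    return {"size": len(data), "entry": entry_point_of(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def check(base, data):
    """Compare a file against its baseline and return a list of findings."""
    now = baseline(data)
    if now["sha256"] == base["sha256"]:
        return []
    findings = []
    if now["entry"] != base["entry"]:
        findings.append("entry point changed: 0x%X -> 0x%X" % (base["entry"], now["entry"]))
    if now["size"] > base["size"]:
        findings.append("file grew by %d bytes" % (now["size"] - base["size"]))
    if len(findings) == 2:   # both symptoms together are the appending-infector pattern
        findings.append("pattern matches an appending infector")
    if not findings:
        findings.append("content modified without size or entry-point change")
    return findings
```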
by qazwsx2, last modified: 2006-08-11 01:26:00
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can get called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.
There are two types: fast infectors and slow infectors.
by qazwsx2, last modified: 2006-08-11 01:24:49
Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software.
by qazwsx2
Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow-infector approach does not seem to be very successful, however. Viruses that are common in the wild are mostly relatively fast to extremely fast infectors.
by qazwsx2, last modified: 2006-08-11 01:26:44
A few older viruses called companion viruses do not have host files per se, but exploit MS-DOS. A companion virus creates new files (typically .COM, but other extensions such as ".EXD" can also be used) that have the same file names as legitimate .EXE files. When a user types the name of a desired program without specifying a file extension (that is, without typing ".EXE"), DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. For instance, if a user had "(filename).COM" (the virus) and "(filename).EXE" and typed "filename", he would run "(filename).COM", and thus the virus. The virus spreads and performs its other tasks before redirecting to the legitimate file, which then operates normally. Some companion viruses are known to run under Windows 95 and on DOS emulators on Windows NT systems. Path companion viruses create files that have the same name as the legitimate file and place the new virus copies earlier in the directory search path. These viruses have become increasingly rare since the introduction of Windows XP, which does not use the MS-DOS command prompt per se.
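As an added example (not from the original page), this Python check looks for both kinds of companion described above: an .EXE with a same-named sibling under another executable extension in the same directory, and a same-named executable that sits in an earlier directory of the search path. The directory layout in `demo()` is a constructed sample built in a temporary folder; `find_companions` and `EXEC_EXTS` are hypothetical names.

```python
import os
import tempfile

# Extensions DOS treats as runnable when a bare command name is typed.
EXEC_EXTS = (".com", ".exe", ".bat")


def find_companions(path_dirs):
    """Scan directories in search-path order. Returns (kind, shadowing, shadowed)
    tuples: 'same-dir' when an .EXE has a same-named sibling with another
    executable extension; 'path' when a same-named executable was already
    found in an earlier directory and would be run first."""
    findings = []
    first_seen = {}  # base name -> earliest directory holding an executable of that name
    for d in path_dirs:
        by_base = {}
        for name in os.listdir(d):
            base, ext = os.path.splitext(name.lower())
            if ext in EXEC_EXTS:
                by_base.setdefault(base, []).append(ext)
        for base, exts in sorted(by_base.items()):
            if base in first_seen:
                findings.append(("path", os.path.join(first_seen[base], base),
                                 os.path.join(d, base)))
            else:
                first_seen[base] = d
            if ".exe" in exts:
                for ext in sorted(exts):
                    if ext != ".exe":
                        findings.append(("same-dir", os.path.join(d, base + ext),
                                         os.path.join(d, base + ".exe")))
    return findings


def demo():
    """Constructed sample: 'early' precedes 'late' on the search path.
    edit.com in 'early' shadows edit.exe in 'late'; game.com sits beside game.exe."""
    root = tempfile.mkdtemp()
    early, late = os.path.join(root, "early"), os.path.join(root, "late")
    os.mkdir(early)
    os.mkdir(late)
    layout = ((early, ["edit.com"]),
              (late, ["edit.exe", "game.com", "game.exe", "readme.txt"]))
    for d, names in layout:
        for n in names:
            with open(os.path.join(d, n), "wb"):
                pass
    return [(kind, os.path.basename(a), os.path.basename(b))
            for kind, a, b in find_companions([early, late])]
```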
by qazwsx2, last modified: 2006-08-11 01:25:36
What Virus extensions does an antivirus program typically assign to a virus once it has been found?
@mm is an extension commonly appended to the end of a mass mailing computer virus. This model is used by security firm Symantec, and follows any variant letter. Examples include:
* W32.MyDoom@mm
* Mac.Simpsons@mm
* W32.MyParty@mm
* W32.Nimda.A@mm
Other similar extensions or prefixes are applied to computer viruses; however, the decision to do so, and indeed the 'name' of the virus, is determined by the individual security firm.
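As an added example (not from the original page), this small Python parser splits a Symantec-style name of the form described above into its platform prefix, family, optional variant letter and the @mm suffix, so that a list of detections can be grouped or filtered for mass mailers. The pattern is an assumption drawn from the four examples listed; `parse_name` and `mass_mailers` are hypothetical names.

```python
import re

# Assumed layout, based on the listed examples:
#   <platform>.<family>[.<variant letters>][@<suffix>]
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\.(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z]+))?(?:@(?P<suffix>[a-z]+))?$"
)


def parse_name(name):
    """Decompose one vendor name; raises ValueError for names outside the pattern."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("unrecognised virus name: %r" % name)
    parts = m.groupdict()
    parts["mass_mailer"] = parts["suffix"] == "mm"
    return parts


def mass_mailers(names):
    """Return the family names (platform + family) flagged with @mm, without duplicates."""
    seen = []
    for n in names:
        p = parse_name(n)
        key = "%s.%s" % (p["platform"], p["family"])
        if p["mass_mailer"] and key not in seen:
            seen.append(key)
    return seen
```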
by qazwsx2, last modified: 2006-08-11 01:28:28