

| Title | File | Date |
|---|---|---|
| How is a file infected by viruses? | -- | 03/06/09 |

Written by JungHwa Han - HAURI Engine Technology team
Recently there have been many cases of file-infecting viruses such as Virut. This kind of virus keeps changing into ever more complicated variants, which makes analysis difficult. This column explains how file viruses infect a PC and how the infected files can be repaired.
1. Overwriting Viruses (OV)
An overwriting virus destroys the host file by writing its own code over the original content. The method is very simple, but it has every characteristic of a virus. When the infected file is executed, the virus runs (possibly wiping other files on the disk as well), but the original program never does, so the user can tell that something is wrong.
Overwritten files cannot be repaired, because the original content no longer exists anywhere in the file. The infected file has to be deleted and restored from a backup.
Virus code is written over files with the extensions shown below.

The image below shows an overwriting virus written inside the existing program code so that the file size does not change, closing the gap by which a user could otherwise spot the infection. Because the size is unchanged and the file looks normal, the infection is hard for the user to notice.
2. Random Overwriting Viruses
This is another form of overwriting. It does not overwrite the beginning of the program code in the host file but a random location inside it. Of course, the virus may then never gain control while the host is running, because execution may never reach that spot.
3. Appending Viruses
The classic infection technique for DOS COM files is known as the normal COM method: a jump instruction is placed at the front of the host file and points to the end of the host, where the virus body has been added. A well-known example is the slightly modified variant of Vienna, the virus introduced in Ralf Burger's computer virus book; Vienna places its body at the end of the file. Some viruses first convert an EXE file into a COM file and then infect it in this way; the Vacsina virus does so.
In general the virus code is appended to the end of the file, and the first 3 bytes of the file are replaced with a JMP instruction that transfers control to the virus code. When the virus code has finished, it restores the original 3 bytes in memory and runs the program. Because the original program still runs normally, the infection is hard to notice except for the increase in file size. However, the displaced original bytes are kept inside the virus code, so an anti-virus program can repair the file.

4. Prepending Viruses (PV)
Many viruses use an infection technique that inserts the virus code at the beginning of the host file. These are called prepending viruses. The method is simple but very effective.
A prepending virus runs its own code first and then executes the original program, which is left intact behind it. If the size of the prepended virus code (equivalently, the original file size) is known, an anti-virus program can repair the file by cutting the virus off the front.
5. Classic Parasitic Viruses (CPV)
This is a variant of the prepending virus. It takes the first part of the host file, as many bytes as the virus code is long, and moves it out of the way (typically to the end of the file), then writes the virus code in its place at the front of the host. When the virus runs, it reads back as many host bytes as its own length, restores them and executes the host. If the virus size is known, an anti-virus program can repair the file by putting the displaced head back.
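As an added illustration (not code from the column or from HAURI's engine), the following Python models the prepending and classic parasitic layouts on constructed byte strings and the repair each one needs. The host bytes, the inert body marker and the function names are all assumptions of this example. It shows the caveat the two sections share: both layouts grow the file by the same amount, so the size alone does not tell the engine which repair to apply.

```python
"""Model of the prepending and classic parasitic layouts and their repair.

The host and the "virus body" are constructed byte strings; the body is an
inert marker, not executable code. All function names are hypothetical.
"""


def prepend_infect(host: bytes, body: bytes) -> bytes:
    """Prepending virus: the body sits in front of the untouched host."""
    return body + host


def parasitic_infect(host: bytes, body: bytes) -> bytes:
    """Classic parasitic virus: the first len(body) bytes of the host are
    displaced to the end of the file and the body takes their place."""
    n = len(body)
    if len(host) < n:
        raise ValueError("host shorter than virus body; head cannot be displaced whole")
    return body + host[n:] + host[:n]


def repair_prepended(image: bytes, body_len: int) -> bytes:
    """Strip a known-length body from the front; what remains is the host."""
    if body_len <= 0 or len(image) <= body_len:
        raise ValueError("image too short for a prepended body of that size")
    return image[body_len:]


def repair_parasitic(image: bytes, body_len: int) -> bytes:
    """Drop the body, then move the displaced head (the last body_len bytes)
    back to the front of the file."""
    n = body_len
    if n <= 0 or len(image) < 2 * n:
        raise ValueError("image too short: needs the body plus the displaced head")
    return image[-n:] + image[n:-n]


# Constructed sample host: a minimal DOS COM program (MOV AH,4Ch / INT 21h)
# followed by filler whose bytes differ, so a misplaced head is visible.
HOST = b"\xB4\x4C\xCD\x21" + bytes(range(0x20, 0x60))
BODY = b"[inert body marker]"   # stands in for virus code; nothing executable


def demo() -> dict:
    """Infect the sample host both ways; the repair must match the layout."""
    pre = prepend_infect(HOST, BODY)
    par = parasitic_infect(HOST, BODY)
    n = len(BODY)
    return {
        "same_size": len(pre) == len(par),                 # size growth cannot tell them apart
        "prepend_ok": repair_prepended(pre, n) == HOST,
        "parasitic_ok": repair_parasitic(par, n) == HOST,
        "wrong_repair": repair_prepended(par, n) == HOST,  # False: wrong layout, host still broken
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four checks; `wrong_repair` is False because cutting the body off a classic parasitic image leaves the host with its head still at the tail, which is why a repair routine needs the per-family layout and not just the virus length.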

6. Cavity Viruses
Cavity viruses infect a file without increasing its size. Instead they overwrite a part of the file where the virus code can be stored safely: an unused region, usually filled with zeros. The first 3 bytes of the file are replaced by a JMP instruction that transfers control to the virus code in the cavity. When the virus code finishes, it restores the modified 3 bytes in memory and executes the program. Because the original 3 bytes are preserved, an anti-virus program can repair the file.
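The following Python, added here and not part of the original column or of HAURI's engine, models both JMP-patched layouts, the appending virus of section 3 and the cavity virus of this section, on a constructed host, together with the repair for each: follow the entry JMP, take the 3 saved bytes back, then either truncate the appended tail or zero the cavity again. The host bytes, the inert body marker, the convention that the body begins with the saved 3 bytes, and the function names are assumptions of this example (a real engine learns the saved-bytes location per virus family from its signature), not a description of any real virus.

```python
"""Model of the appending (section 3) and cavity (section 6) layouts and their repair.
Constructed bytes only; the "body" is an inert marker. Names are hypothetical."""

JMP_NEAR = 0xE9   # JMP rel16: the 3-byte instruction planted at file offset 0
SAVED = 3         # entry-point bytes the JMP displaces; the body stores them first (assumption)


def _jmp_to(target: int) -> bytes:
    """Encode JMP rel16 so control lands on file offset `target`. A COM file is
    loaded at CS:0x100 without relocation, so the displacement is the same in
    file offsets as in code offsets."""
    return bytes([JMP_NEAR]) + (target - 3).to_bytes(2, "little", signed=True)


def _jmp_target(image: bytes):
    """File offset the JMP at offset 0 lands on, or None if the entry is not a JMP."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    return 3 + int.from_bytes(image[1:3], "little", signed=True)


def append_infect(host: bytes, body: bytes) -> bytes:
    """Appending layout: saved bytes + body after the host, entry becomes a JMP to them."""
    return _jmp_to(len(host)) + host[3:] + host[:SAVED] + body


def find_cavity(data: bytes, need: int, start: int = SAVED):
    """Offset of the first zero-filled run of at least `need` bytes at or after `start`."""
    run = 0
    for i in range(start, len(data)):
        run = run + 1 if data[i] == 0 else 0
        if run == need:
            return i - need + 1
    return None


def cavity_infect(host: bytes, body: bytes):
    """Cavity layout: same data as the appending case, written into an unused zero
    region inside the host, so the size does not change. None if no cavity fits."""
    need = SAVED + len(body)
    off = find_cavity(host, need)
    if off is None:
        return None
    out = bytearray(host)
    out[0:SAVED] = _jmp_to(off)
    out[off:off + need] = host[:SAVED] + body
    return bytes(out)


def _locate(image: bytes, body_len: int) -> int:
    """Follow the entry JMP and refuse to repair if the body cannot be where it points."""
    target = _jmp_target(image)
    if target is None:
        raise ValueError("entry point is not a JMP; not this infection class")
    if target < SAVED or target + SAVED + body_len > len(image):
        raise ValueError("JMP target outside the file; refusing to repair blindly")
    return target


def repair_appended(image: bytes, body_len: int) -> bytes:
    """Restore the 3 entry bytes from the body and cut the appended tail off."""
    target = _locate(image, body_len)
    if target + SAVED + body_len != len(image):
        raise ValueError("body does not end at EOF; layout is not a plain append")
    out = bytearray(image[:target])
    out[0:SAVED] = image[target:target + SAVED]
    return bytes(out)


def repair_cavity(image: bytes, body_len: int) -> bytes:
    """Restore the 3 entry bytes and zero the cavity again; the size stays unchanged."""
    target = _locate(image, body_len)
    out = bytearray(image)
    out[0:SAVED] = image[target:target + SAVED]
    out[target:target + SAVED + body_len] = bytes(SAVED + body_len)
    return bytes(out)


# Constructed host: MOV AH,4Ch / INT 21h, a 64-byte zero region (the cavity), then a tail.
HOST = b"\xB4\x4C\xCD\x21" + bytes(64) + b"END"
BODY = b"[inert body]"   # stands in for the virus code


def demo() -> dict:
    app = append_infect(HOST, BODY)
    cav = cavity_infect(HOST, BODY)
    return {
        "append_grows": len(app) - len(HOST),   # the size change a user may notice
        "cavity_grows": len(cav) - len(HOST),   # 0: nothing visible from the size
        "append_repaired": repair_appended(app, len(BODY)) == HOST,
        "cavity_repaired": repair_cavity(cav, len(BODY)) == HOST,
    }


if __name__ == "__main__":
    print(demo())
```

The two repair routines differ only in what they do with the space the body occupied, which is the practical reason both classes are repairable while an overwriting infection is not: the displaced entry bytes still exist in the file. The bounds check in `_locate` matters in practice, since a JMP target past the end of the file is a sign of a different or damaged infection and a blind repair would corrupt the host further.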
7. Compressing Viruses (CV)
Some viruses use an infection technique that compresses the content of the host file. The space gained by compression holds the virus code, so the virus can hide the change in file size. The same technique is used to hide the content of Trojan horses, viruses, worms and the like (runtime binary packers such as PKLITE, LZEXE, UPX and ASPACK are well-known programs that save disk space in this way).
The virus compresses the original file and stores it as a compressed image. When the virus code runs, it decompresses the image in memory and executes it. Since the file size does not change, only an anti-virus program that implements the matching decompression algorithm can repair the file.
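As an added example (not from the column or from HAURI's engine), here is a Python model of the compressing layout and its repair, with zlib standing in for the virus's own compressor. The stub tag, the host bytes, the zero padding and the function names are assumptions of this example. It shows the point of the last sentence above: the repair works only when the engine uses the matching decompressor and knows where the compressed image starts.

```python
"""Model of the compressing layout (section 7) and its repair.
zlib stands in for the family-specific compressor; all bytes are constructed."""
import zlib

STUB = b"[inert stub]"   # stands in for the virus code that inflates the host in memory


def compress_infect(host: bytes):
    """Replace the host with stub + compressed image, zero-padded back to the
    original size so the length does not change. None when the host does not
    compress enough to make room for the stub."""
    packed = zlib.compress(host, 9)
    free = len(host) - len(STUB) - len(packed)
    if free < 0:
        return None
    return STUB + packed + bytes(free)


def repair_compressed(image: bytes, stub_len: int) -> bytes:
    """Skip the stub and inflate the image. The stream's own end marker tells us
    where the padding starts, so the decompressor must match the one used."""
    d = zlib.decompressobj()
    host = d.decompress(image[stub_len:])
    if not d.eof:
        raise ValueError("truncated or foreign compressed stream; cannot repair")
    if any(d.unused_data):
        raise ValueError("non-zero bytes after the stream; not the expected padding")
    return host


# Constructed host: a tiny COM program followed by repetitive data so it compresses well.
HOST = b"\xB4\x4C\xCD\x21" + b"Hello, DOS!\r\n$" * 40


def demo() -> dict:
    img = compress_infect(HOST)
    try:                                   # wrong stub length: zlib sees garbage, not a header
        repair_compressed(img, 0)
        wrong_fails = False
    except (zlib.error, ValueError):
        wrong_fails = True
    return {
        "size_unchanged": len(img) == len(HOST),
        "looks_different": img[:len(STUB)] != HOST[:len(STUB)],
        "repaired": repair_compressed(img, len(STUB)) == HOST,
        "wrong_stub_fails": wrong_fails,
    }


if __name__ == "__main__":
    print(demo())
```

A host that is already packed or otherwise incompressible leaves no room for the stub, which is why `compress_infect` can return None; the same constraint limits real compressing viruses to hosts that shrink enough.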

8. Amoeba Infection Technique
The amoeba technique embeds the host file inside the virus body. The virus code is split in two: one part is placed at the beginning of the host file and the other at the end. At run time the head of the virus code executes first and passes control to the tail, which executes and then runs the host. To do so, the original host file is reconstructed as a new file on disk and executed from there.
