Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 11, 2016, 05:46:52 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: How viruses work  (Read 1594 times)

manimatters

  • Participant
  • Joined in 2007
  • *
  • Posts: 56
    • View Profile
    • Donate to Member
How viruses work
« on: October 29, 2008, 02:47:22 AM »
Hello, im doing a report on "Heuristic antivirus technology" for my term paper this sem, and while googling around for that, I have kind of got the idea of how viruses work, but im a little confused, so I thought to ask you guys of it.

This is what i've understood-
A virus, once executed, attaches itself to a normal executable file. It attaches itself to the end of the executable, stores the first instructions of the executable in itself, and overwrites the first instructions of the file with a jump instruction which jumps the control to the end of the file(where the virus has attached itself). So, on execution, the file first performs the work for the virus.The virus, at the end of its work (which usually is infecting other files), restores the original instructions it had overwritten (thats why it had stored those in the first place), and returns control to the file. That way, the file, in most cases, continues to work seemingly normally. That way, it spreads to other files.

The most confusing thing in this explanation I find is that the file which was infected is now restored to its original form(except for the virus code at the end, which causes an increase in size of the file) after the virus itself restores the file. Does this mean that the virus body in a particular file is only executed once after infection (since the virus has restored the original instructions over the jump instruction it had earlier written)?

Can you guys please point me in the right direction?

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: How viruses work
« Reply #1 on: October 29, 2008, 03:39:38 AM »
Viruses work in various ways...

AFAIK, most viruses today don't actually do exe-infection, they simply store their executables somewhere and use means of adding them to the windows startup. This can be done in more or less sophisticated ways - some viruses employ rootkits that can make detection and removal pretty darn different. And things like hooking winsock TDI providers makes f0dder go argh.

For exe infection, there's lots of ways to go about it as well. On NTFS, alternate data streams can be used to hide the payload. The usual method is appending virus code to the executable code section, though. Then either the start of the executable is overwritten to jump to virus code then back, or the executable entrypoint is redirected to the virus code, or... in the case of evil polymorphic engines... sometimes the virus body is actually merged/interleaved with the normal executable code, making disinfection more or less impossible.

In the case of "restoring original instruction", that is only done in-memory, so virus payload will run every time an executable is run.

Also, windows doesn't have a "terminate and stay resident" concept like DOS had, so if a virus wants to keep running (to infect executables in the background, or join a botnet, whatever) it has to keep code running in memory somehow. Users would be suspicious if they close an application and it doesn't disappear from the windows task manager list, so a virus can't just keep the original executable running. Various schemes are used... some viruses try to inject themselves into already running programs (usually explorer.exe, since it's always running on any normal windows install), some run a rootkit-hidden executable, some have virus code entirely in driver components, et cetera.

IMHO if you have an infected system, the only way out is a total windows reinstall. Trying to "clean" systems, when dealing with anything but simple malware, has too great risks of missing an infected file, or causing executable corruption in the removal phase.
- carpe noctem