Divya's Blog

Posts Tagged ‘computer virus’

  • A POLYMORPHIC virus produces varied but operational copies of itself.
  • These strategies have been employed in the hope that virus scanners (see D1) will not be able to detect all instances of the virus.
  • One method of evading scan string-driven virus detectors is self-encryption with a variable key.
  • These viruses (e.g. Cascade) are not termed “polymorphic”, as their decryption code is always the same. Therefore the decryptor can be used as a scan string by the simplest scan string-driven virus scanners.

A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus).

A scan string-driven virus scanner would have to use several scan strings (one for each possible decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with “noise” instructions (e.g. a No Operation instruction or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A).

A simple-minded, scan string-based virus scanner would not be able to reliably identify all variants of this sort of virus; rather, a sophisticated “scanning engine” has to be constructed after thorough research into the particular virus.
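The sketch below shows why an exact scan string misses such variants and what a normalizing "scanning engine" does instead. It is an added example, not code from the original post; the mnemonics, the signature and the sample streams are constructed for illustration, and treating register D as unused is an assumption.

```python
# Toy instruction streams as mnemonic strings (constructed, not a real virus).
SIGNATURE = ["MOV A,0", "LOAD B,[KEY]", "XOR [P],B", "INC P", "LOOP"]

NOISE = {"NOP"}                          # no-operation padding
UNUSED_REGS = {"D"}                      # assumption: D is unused by the routine
EQUIVALENT = {"SUB A,A": "MOV A,0"}      # different encoding, identical net effect
INDEPENDENT = {frozenset(("MOV A,0", "LOAD B,[KEY]"))}  # order does not matter

def naive_scan(code, sig=SIGNATURE):
    """Plain scan string: sig must occur as one contiguous, exact run."""
    n = len(sig)
    return any(code[i:i + n] == sig for i in range(len(code) - n + 1))

def normalize(code):
    """Reduce a stream to canonical form before signature matching."""
    out = []
    for ins in code:
        op, _, args = ins.partition(" ")
        # Drop NOPs and loads into a register the routine never reads.
        if ins in NOISE or (op == "MOV" and args.split(",")[0] in UNUSED_REGS):
            continue
        ins = EQUIVALENT.get(ins, ins)   # map equivalent forms to one spelling
        # Put a known-independent adjacent pair into a fixed (sorted) order.
        if out and frozenset((out[-1], ins)) in INDEPENDENT and ins < out[-1]:
            out[-1], ins = ins, out[-1]
        out.append(ins)
    return out

def engine_scan(code, sig=SIGNATURE):
    """Match the normalized signature against the normalized stream."""
    return naive_scan(normalize(code), normalize(sig))

# Constructed samples: one unmodified copy, three variants, one clean program.
PLAIN = ["PUSH X"] + SIGNATURE + ["JMP BODY"]
VARIANT_NOISE = ["PUSH X", "MOV A,0", "NOP", "LOAD B,[KEY]", "MOV D,7",
                 "XOR [P],B", "NOP", "INC P", "LOOP", "JMP BODY"]
VARIANT_EQUIV = ["SUB A,A", "LOAD B,[KEY]", "XOR [P],B", "INC P", "LOOP"]
VARIANT_SWAP = ["LOAD B,[KEY]", "SUB A,A", "NOP", "XOR [P],B", "INC P", "LOOP"]
CLEAN = ["MOV A,0", "INC P", "LOOP", "NOP", "JMP BODY"]

if __name__ == "__main__":
    for name in ("PLAIN", "VARIANT_NOISE", "VARIANT_EQUIV", "VARIANT_SWAP", "CLEAN"):
        s = globals()[name]
        print(f"{name:14} naive={naive_scan(s)!s:5} engine={engine_scan(s)}")
```

The normalization tables here cover only this one constructed routine, which is why such an engine has to be built from research into the particular virus.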

  • One of the most sophisticated forms of polymorphism used so far is the “Mutation Engine” (MtE) which comes in the form of an object module.
  • With the Mutation Engine any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.
  • The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses.

There are two main classes of viruses.

  • The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files.
  • There is also at least one PC virus that “infects” source code files by inserting code into C language source files that replicates the virus’s function in any executable that is produced from the infected source code files.
  • File infectors can be either DIRECT-ACTION or RESIDENT.
  • A direct-action (non-resident) virus selects one or more programs to infect each time a program infected by it is executed, e.g. the Vienna virus.
  • A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when *they* are executed.

The second main category of viruses is SYSTEM or BOOT-RECORD INFECTORS.

These viruses infect executable code found in certain system areas on a disk. On PCs there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses, which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa and Michelangelo. All common boot sector and MBR viruses are memory resident. Viruses that infect both files and boot sectors are often called “MULTIPARTITE” viruses; another name is “BOOT-AND-FILE” virus.

Distinct classes of virus:

  • FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. The program itself is not physically altered, only the directory entry of the program file is.
  • LINK virus is another term occasionally used for these viruses, though it should be avoided, as “link virus” is commonly used in the Amiga world to mean “file infecting virus.”
  • KERNEL viruses target specific features of the programs that contain the “core” (or “kernel”) of an operating system.
