The Structure of a Virus
Every viable computer virus must have at least two basic parts,or subroutines, if it is even to be called a virus. Firstly, it mustcontain a search routine, which locates new files or new diskswhich are worthwhile targets for infection. This routine will determinehow well the virus reproduces, e.g., whether it does so quicklyor slowly, whether it can infect multiple disks or a single disk, andwhether it can infect every portion of a disk or just certain specificareas. As with all programs, there is a size versus functionalitytradeoff here. The more sophisticated the search routine is, the morespace it will take up. So although an efficient search routine mayhelp a virus to spread faster, it will make the virus bigger.
Secondly, every computer virus must contain a routine to copyitself into the program which the search routine locates. The copyroutine will only be sophisticated enough to do its job withoutgetting caught. The smaller it is, the better. How small it can be willdepend on how complex a virus it must copy, and what the targetis. For example, a virus which infects only COM files can get bywith a much smaller copy routine than a virus which infects EXEfiles. This is because the EXE file structure is much more complex,so the virus must do more to attach itself to an EXE file.In addition to search and copy mechanisms, computer viruses
often contain anti-detection routines, or anti-anti-virus routines.Computer Virus Basics 15
These range in complexity from something that merely keeps thedate on a file the same when a virus infects it, to complex routinesthat camouflage viruses and trick specific anti-virus programs into
believing they’re not there, or routines which turn the anti-virusthey attack into a logic bomb itself.
Both the search and copy mechanisms can be designed withanti-detection in mind, as well. For example, the search routine maybe severely limited in scope to avoid detection. A routine which
checked every file on every disk drive, without limit, would take along time and it would cause enough unusual disk activity that analert user would become suspicious.Finally, a virus may contain routines unrelated to its ability toreproduce effectively. These may be destructive routines aimed atwiping out data, or mischievous routines aimed at spreading apolitical message or making people angry, or even routines thatperform some useful function.
No comments:
Post a Comment