DEFGEN7.CVP 930817

Multipartite - pro

Boot sector infectors are the most "successful" of viral programs in terms of the number of copies made, and the number of systems infected. This is rather odd, given that BSIs can only make, at most, one copy per disk. While it is sometimes possible for more than one "boot virus" to infect a disk, it is also the case that some combinations, such as Stoned and Michelangelo, conflict in their use of the same areas of the disk. This renders the system unbootable and alerts the user to a problem.

On the other hand, boot sector infections, once "installed" on a hard drive or boot disk, are almost always active, since they start at boot time. Unless the system is booted from a "clean" disk, the virus will continuously infect any and all disks which are "proper" targets for it.

BSIs also have a strong "psychological" edge, since most users still do not understand how a virus can be carried on a "blank" disk. The InformationWeek survey of June, 1993, shows that while Stoned was the highest reported virus, BBSes and networks are seen as the major vectors. The majority of computer users, and managers, in this case, still do not understand the concepts that prohibit boot sector infections from spreading via modems and networks, but allow them to spread on *any* disk.

At first glance, file infectors have many advantages. There are many more program files on a given system than boot sectors, and therefore more opportunities or targets for infection. This allows multiple copies of a given virus to reside on a given system. While some viral programs may conflict in the use of memory or interrupts, most of the time multiple viri can quite happily infect a given program file. Files can be transferred via bulletin boards and communications links, and can even be infected "through" a network.

On the other hand, a virus which has infected a file has to "wait" until that file is executed.
The majority of "traded" information these days tends to be data, rather than programs. This provides a vector for a BSI (if passed on disk) but not for a file infector. Also, program files tend to be passed in "archived" form, and, even if the program becomes infected on one system, the archive itself is unaffected. It is usually the "original" archive that is passed along, rather than a "re-archived" copy which might have become infected. Therefore, unless the original archive was infected, it will likely not become a vector, even if it passes through an infected system.

Boot sector infectors, therefore, have some "advantages", while file infectors have others. To get the greatest "spread" one wants to build a virus which will infect both files and boot sectors: a "multipartite" virus.

copyright Robert M. Slade, 1993

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      |  key to continue.'
Research into  rslade@cue.bc.ca         |  I can't find the
User           p1@CyberStore.ca         |  'Any' key on my
Security       Canada V7K 2G6           |  keyboard."