DEFGEN8.CVP 930817

Multipartite - con

Multipartite, or "dual infection", viral programs have the potential to infect both program files and boot sectors. This expands the range of possible vectors. Multipartite infections can theoretically travel on any disk, and multiple copies may travel on a disk if program files are present. Dual infectors can also travel on networks, and via files passed over bulletin board systems and other communications channels.

Are multipartite infectors a terrible new threat? Well, no. They've been around for a few years now. Why haven't they "taken over the world"?

There are disadvantages to multipartite viral programs as well as advantages. One of the major ones is complexity. In file infectors, one sees a number of viri which only infect one type of program file, an MS-DOS COM file, for example. A virus which infects both COM and EXE files must generally have more than twice the code of one which infects COM files alone. The virus must not only know how to deal with both file types, but also how to distinguish between the target files.

The same logic holds true for multipartite infectors. The virus must carry with it the means to infect two radically different types of targets, and the means to identify two very different types of potential hosts. The potential size of the program is much larger, as is the requirement for processing. The multipartite virus can be reduced in size, but this generally means a reduction in function as well.

The "choice" of targets might seem to be an easy matter, but the reality is slightly more complex. The most effective means of spreading would be a "get everything" policy, but this might also lead to conflicts and detection. Some programs might choose to alternate: a program infection would infect boot sectors, and a boot sector infection would infect program files. Seems reasonable, until you realize that this merely makes the virus sequentially a BSI *or* a file infector, in alternating generations. Statistically, this means that it will be slightly less effective than a boot virus, rather than more.

Ultimately the failure (perhaps "non-success" would be more accurate) of multipartite viral programs points out a very interesting fact. None of the new viral technologies (stealth, polymorphism, spawning, etc.) seem to have much "survival value". The successful infectors tend to be the older ones, simple and basic.

This is not to say that the virus threat is dying. Stoned has been around since 1988, and is still infecting more systems each year. Simple. But effective.

copyright Robert M. Slade, 1993

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
You realize, of course, that these new facts do not coincide with my preconceived ideas