From roberts@decus.arc.ab.ca Fri Aug 13 13:10:54 1993
Received: from relay.CDNnet.CA by freenet.victoria.bc.ca for mae (4.1/1.39)
	id AA16210; Fri, 13 Aug 93 13:10:41 PDT
Received: by relay.CDNnet.CA (4.1/1.14)
	id AA12148; Fri, 13 Aug 93 13:06:45 PDT
Message-Id: <9308132006.AA12148@relay.CDNnet.CA>
Date: 13 Aug 93 14:06 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
To: @cvp@titan.arc.ab.ca
Subject: "Link" virus (CVP)
Status: RO

DEFGEN6.CVP   930729
 
                           "Link" virus
 
This term will be familiar only to those using Atari and Amiga
systems, but for others, this is simply the standard "file
infecting" virus.  For most people, this is what is thought of as a
virus.  (For most, that is, who have *any* accurate idea of what a
virus is.  For all too many people, a "virus" is simply any computer
problem.)
 
File infecting viral programs "link", or attach, in many different
ways.  The largest number will place the bulk of the viral code at
the end of the program file, with a "jump" command at the beginning
of the file which "points" to the main body of the virus.  Some
viral code attaches to the beginning of the file: simpler in concept
but actually more difficult in execution.  These two techniques are
known as "appending" and "prepending" respectively, but the terms
are used less than they used to be.
 
Some viral programs do not attach to the beginning or end of the
file, but rather write their code into the target program itself. 
Most often this is done by simply overwriting whatever is there
already.  Most of the time the virus will also attach a jump command
at the beginning of the program which points to the virus, but, on
occasion, the virus will rely on chance to stumble on the code and
run it.  Of course, if a virus has overwritten existing code the
original "target" program is damaged, and there is little or no
possibility of recovery, other than by deleting the infected file
and restoring from a clean backup copy.  However, some overwriting
viri are known to look for strings of null characters.  If such an
infection can be identified, the viral code can be removed and
replaced with nulls
again.  (The Lehigh virus, for example, attaches "behind" the
COMMAND.COM file in a sense, but overwrites slack space at the end
of the file so as not to change the file size.)
 
Some viri do not physically "touch" the target file at all.  There
are two ways to "infect" in this manner.  One method is quite
simple, and takes advantage of "precedence" in the system.  In MS-
DOS, for example, when a command is given, the system checks first
for internal commands, then COM, EXE and BAT files in that order.
EXE files can be "infected" by writing a COM file in the same
directory with the same base name: the COM file is found first and
runs instead of the original program.
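Two defender-side checks for the infection styles described above, as an added example that is not part of Rob Slade's column: one walks a directory listing for the "precedence" (companion) pattern using the COM/EXE/BAT order given in the text, the other is a heuristic for the "jump at the beginning, code at the end" appending layout in a .COM file. The function names, the tail-window threshold and the sample inputs are my own constructions.

```python
import struct

# Resolution order the text gives for MS-DOS: internal commands first,
# then COM, EXE and BAT files in that order.
DOS_PRECEDENCE = (".COM", ".EXE", ".BAT")


def find_companions(filenames):
    """Return (shadowing, shadowed) pairs: files DOS would run instead of
    another file of the same base name because their extension comes
    earlier in DOS_PRECEDENCE.  A .COM beside a .EXE of the same name is
    the classic companion pattern; .EXE beside .BAT is reported as well."""
    by_base = {}
    for name in filenames:
        base, dot, ext = name.upper().rpartition(".")
        if dot and "." + ext in DOS_PRECEDENCE:
            by_base.setdefault(base, []).append("." + ext)
    pairs = []
    for base, exts in sorted(by_base.items()):
        ranked = sorted(set(exts), key=DOS_PRECEDENCE.index)
        for lower in ranked[1:]:
            pairs.append((base + ranked[0], base + lower))
    return pairs


def looks_appended(com_image, tail_window=2048):
    """Heuristic for an appending infection of a .COM file: the image
    starts with a near JMP (opcode E9, signed 16-bit displacement) whose
    target lies in the last `tail_window` bytes AND in the second half of
    the file, i.e. control goes straight to code hung on the end.  A .COM
    file loads at offset 0x100, so the file offset of the target is simply
    3 + rel16 (the 3-byte JMP plus the displacement)."""
    if len(com_image) < 3 or com_image[0] != 0xE9:
        return False
    rel = struct.unpack_from("<h", com_image, 1)[0]
    file_off = (3 + rel) & 0xFFFF
    if file_off >= len(com_image):
        return False                      # jump outside the image: malformed
    cutoff = max(len(com_image) - tail_window, len(com_image) // 2)
    return file_off >= cutoff


# Constructed samples (not real programs): a tiny clean COM that just
# exits, and a 4000-byte NOP-filled image whose entry JMP lands at
# offset 3900, 100 bytes before the end.
CLEAN_COM = bytes([0xB4, 0x4C, 0xCD, 0x21])          # mov ah,4Ch ; int 21h
APPENDED_COM = b"\xE9" + struct.pack("<h", 3900 - 3) + b"\x90" * 3997
SAMPLE_DIR = ["EDIT.EXE", "EDIT.COM", "FORMAT.EXE", "AUTOEXEC.BAT",
              "README.TXT", "GAME.EXE", "GAME.BAT"]
```

The jump heuristic is deliberately coarse: a legitimate program that jumps over a data block at its start is left alone by the second-half rule, but a clean program that genuinely begins with a jump to its tail would still be flagged, so a real scanner confirms against a known-clean copy or signature rather than trusting this alone.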
 
The second method is more difficult.  "FAT" or "system" viral
programs, such as DIR-II, will not change the target program, but
will change the FAT (file allocation table) entry for the program so
as to point to the virus.  Therefore, the original file will not be
changed, but when the target program is called, the virus will be
run first instead.
 
copyright Robert M. Slade, 1993   DEFGEN6.CVP   930729

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      | key to continue.'
Research into  rslade@cue.bc.ca         | I can't find the
User           p1@CyberStore.ca         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."