From roberts@decus.arc.ab.ca Fri Aug 13 13:10:54 1993
Received: from relay.CDNnet.CA by freenet.victoria.bc.ca for mae (4.1/1.39)
        id AA16210; Fri, 13 Aug 93 13:10:41 PDT
Received: by relay.CDNnet.CA (4.1/1.14)
        id AA12148; Fri, 13 Aug 93 13:06:45 PDT
Message-Id: <9308132006.AA12148@relay.CDNnet.CA>
Date: 13 Aug 93 14:06 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
To: @cvp@titan.arc.ab.ca
Subject: "Link" virus (CVP)
Status: RO

DEFGEN6.CVP   930729

"Link" virus

This term will be familiar only to those using Atari and Amiga
systems, but for others, this is simply the standard "file infecting"
virus. For most people, this is what is thought of as a virus. (For
most, that is, who have *any* accurate idea of what a virus is. For
all too many people, a "virus" is simply any computer problem.)

File infecting viral programs "link", or attach, in many different
ways. The largest number will place the bulk of the viral code at the
end of the program file, with a "jump" command at the beginning of the
file which "points" to the main body of the virus. Some viral code
attaches to the beginning of the file: simpler in concept but actually
more difficult in execution. These two techniques are known as
"appending" and "prepending" respectively, but the terms are used less
than they used to be.

Some viral programs do not attach to the beginning or end of the file,
but rather write their code into the target program itself. Most often
this is done by simply overwriting whatever is there already. Most of
the time the virus will also attach a jump command at the beginning of
the program which points to the virus, but, on occasion, the virus
will rely on chance to stumble on the code and run it. Of course, if a
virus has overwritten existing code the original "target" program is
damaged, and there is little or no possibility of recovery, other than
by deleting the infected file and restoring from a clean backup copy.
However, some overwriting viri are known to look for strings of null
characters. If such can be identified, the viral code can be removed
and replaced with nulls again. (The Lehigh virus, for example,
attaches "behind" the COMMAND.COM file in a sense, but overwrites
slack space at the end of the file so as not to change the file size.)

Some viri do not physically "touch" the target file at all. There are
two ways to "infect" in this manner. One method is quite simple, and
takes advantage of "precedence" in the system. In MS-DOS, for example,
when a command is given, the system checks first for internal
commands, then COM, EXE and BAT files in that order. EXE files can be
"infected" by writing a COM file in the same directory with the same
filename.

The second method is more difficult. "FAT" or "system" viral programs,
such as DIR-II, will not change the target program, but will change
the FAT (file allocation table) entry for the program so as to point
to the virus. Therefore, the original file will not be changed, but
when the target program is called, the virus will be run first
instead.

copyright Robert M. Slade, 1993   DEFGEN6.CVP   930729

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      |  key to continue.'
Research into  rslade@cue.bc.ca         |  I can't find the
User           p1@CyberStore.ca         |  'Any' key on my
Security       Canada V7K 2G6           |  keyboard."
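
The COM/EXE/BAT precedence rule described in the column also gives a defender a simple check: a directory holding the same base name under more than one of those extensions is worth a look. The Python below is an added example, not part of the original column; its function names and the sample file names are constructed for illustration, and a match is a lead to investigate, not proof of infection.

```python
import os
import tempfile
from collections import defaultdict

# Search order given in the column: COM first, then EXE, then BAT.
PRECEDENCE = [".com", ".exe", ".bat"]

def find_shadowed(root):
    """Return (directory, stem, winner, shadowed_files) for every base name
    that exists in one directory under more than one executable extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in PRECEDENCE:
                # DOS names are case-insensitive, so compare upper-cased stems.
                by_stem[stem.upper()][ext.lower()] = name
        for stem, exts in sorted(by_stem.items()):
            if len(exts) < 2:
                continue  # only one executable form, nothing is shadowed
            ordered = [exts[e] for e in PRECEDENCE if e in exts]
            # ordered[0] is what the command interpreter would actually run.
            findings.append((dirpath, stem, ordered[0], ordered[1:]))
    return findings

def build_sample_tree(root):
    """Create a constructed sample layout made of empty files only."""
    layout = {
        "UTIL": ["EDIT.EXE", "EDIT.COM", "FORMAT.COM"],
        "APPS": ["RUN.BAT", "run.exe", "README.TXT"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for d, stem, winner, shadowed in find_shadowed(tmp):
            where = os.path.relpath(d, tmp)
            print(f"{where}: {stem} -> {winner} runs ahead of {', '.join(shadowed)}")
```

For each flagged name, compare the file that wins the search order against known-good media or a clean backup before trusting either copy.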