DEFGEN7.CVP   930817
 
                          Multipartite - pro
 
Boot sector infectors are the most "successful" of viral programs in
terms of the number of copies made, and the number of systems infected. 
This is rather odd, given that BSIs can only make, at most, one copy per
disk.  While it is sometimes possible for more than one "boot virus" to
infect a disk, it is also the case that some combinations, such as
Stoned and Michelangelo, conflict in their use of the same areas of the
disk.  This renders the system unbootable and alerts the user to a
problem.
 
On the other hand, boot sector infections, once "installed" on a hard
drive or boot disk, are almost always active, since they start at boot
time.  Unless the system is booted from a "clean" disk, the virus will
continuously infect any and all disks which are "proper" targets for it. 
BSIs also have a strong "psychological" edge, since most users still do
not understand how a virus can be carried on a "blank" disk.  The
InformationWeek survey of June, 1993, shows that while Stoned was the
highest reported virus, BBSes and networks are seen as the major
vectors.  In this case the majority of computer users, and managers,
still do not understand the concepts that prevent boot sector
infections from spreading via modems and networks, but allow them to
spread on *any* disk.
 
At first glance, file infectors have many advantages.  There are many
more program files on a given system than boot sectors, and therefore
more opportunities or targets for infection.  This allows multiple
copies of a given virus to reside on a given system.  While some viral
programs may conflict in the use of memory or interrupts, most of the
time multiple viruses can quite happily infect a given program file.  Files
can be transferred via bulletin boards and communications links, and can
even be infected "through" a network.
 
On the other hand, a virus which has infected a file has to "wait" until
that file is executed.  The majority of "traded" information these days
tends to be data, rather than programs.  This provides a vector for a
BSI (if passed on disk) but not for a file infector.  Also, program
files tend to be passed in "archived" form, and, even if the program
becomes infected on one system, the archive itself is unaffected.  It is
usually the "original" archive that is passed along, rather than a "re-
archived" copy which might have become infected.  Therefore, unless the
original archive was infected, it will likely not become a vector, even
if it passes through an infected system.
 
Boot sector infectors, therefore, have some "advantages", while file
infectors have others.  To get the greatest "spread" one wants to build
a virus which will infect both files and boot sectors:  a "multipartite"
virus.
 
copyright Robert M. Slade, 1993   DEFGEN7.CVP   930817

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      | key to continue.'
Research into  rslade@cue.bc.ca         | I can't find the
User           p1@CyberStore.ca         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."