DEFGEN8.CVP   930817
 
                        Multipartite - con
 
Multipartite, or "dual infection", viral programs have the potential
to infect both program files and boot sectors.  This expands the
range of possible vectors.  Multipartite infections can
theoretically travel on any disk, and multiple copies may travel on
a disk if program files are present.  Dual infectors can also travel
on networks, and via files passed over bulletin board systems and
other communications channels.
 
Are multipartite infectors a terrible new threat?  Well, no. 
They've been around for a few years now.  Why haven't they "taken
over the world"?
 
There are disadvantages to multipartite viral programs as well as
advantages.  One of the major ones is complexity.  In file
infectors, one sees a number of viri which only infect one type of
program files, an MS-DOS COM file, for example.  A virus which
infects both COM and EXE files must generally have more than twice
the code of one which infects COM files alone.  The virus must not
only know how to deal with both file types, but also how to
distinguish between the target files.  The same logic holds true for
multipartite infectors.  The virus must carry with it the means to
infect two radically different types of targets, and the means to
identify two very different types of potential hosts.  The potential
size of the program is much larger, as is the requirement for
processing.  The multipartite virus can be reduced in size, but this
generally means a reduction in function as well.
 
The "choice" of targets might seem to be an easy matter, but the
reality is slightly more complex.  The most effective means of
spreading would be a "get everything" policy, but this might also
lead to conflicts and detection.  Some programs might choose to
alternate:  a program infection would infect boot sectors, and a
boot sector infection would infect program files.  Seems reasonable,
until you realize the this merely makes the virus sequentially a BSI
*or* a file infector, in alternating generations.  Statistically,
this means that it will be slightly less effective than a boot
virus, rather than more.
 
Ultimately the failure (perhaps "non-success" would be more
accurate) of multipartite viral programs points out a very
interesting fact.  None of the new viral technologies; stealth,
polymorphism, spawning, etc. seem to have much "survival value". 
The successful infectors tend to be the older ones, simple and
basic.  This is not to say that the virus threat is dying.  Stoned
has been around since 1988, and is still infecting more systems each
year.  Simple.  But effective.
 
copyright Robert M. Slade, 1993   DEFGEN8.CVP   930817

==============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@sfu.ca      | course, that these
Research into  rslade@cue.bc.ca         | new facts do not 
User           p1@CyberStore.ca         | coincide with my
Security       Canada V7K 2G6           | preconceived ideas