FUNGEN5.CVP   910828
 
                        Viral activation
 
In attempting to protect against viral infection, and
particularly when trying to disinfect systems, it is important to
bear in mind the times that the virus is actively "infectious". 
The viral activation is not the same as the activation of the
payload that a virus may carry.  For example, the payload of the
original "Stoned" virus was a message which appeared on the
screen saying "Your PC is now Stoned!".  This message only
appears at boot time, and on only one eighth of the times the
computer is rebooted.  The virus, however, is infectious at all
times, if it has infected the hard disk.
 
There are basically three possibilities for the infectious
period: now ("one-shot"), during program run ("while called") or
from now on (resident).  These periods may be modified by other
circumstances.  A resident virus may remain in memory, but only
be actively infecting when a disk is accessed.  A "while called"
virus may only infect a new program when a directory is changed.
 
"One-shot" viri only get one chance on each "run" of the infected
program.  The viral code will seek out and infect a target
program.  It then passes control to the original program, and
performs no further functions.  These are, of course, the simplest
of the viral programs.  Mainframe "mail" viri are generally of
this type.
 
The second class will activate when the infected program is
called, and then pass partial control to the original program. 
The virus, however, will remain operational during the time that
the infected program is running.  If this can be accomplished, it
is only a slight jump to write a fully memory resident virus.
 
Resident viri are the most successful, and the most dangerous, of
viral programs.  A resident virus will become active when an
infected program is run (or at boot time for boot sector
infectors), and remain active until the computer is rebooted or
turned off.  (Some viral programs are even able to trap the
rebooting sequence that is normally called when you press Ctrl-
Alt-Del on an MS-DOS PC, and thus are able to survive a "warm
boot.")  The most successful of the file infectors, the Jerusalem
virus, is resident, as are all boot sector infectors.  (For
fairly obvious reasons: the boot sector is never "called" in
normal operation.)
 
If a virus is active in memory, it is a waste of time trying to
disinfect a file or disk.  No sooner is the file "cleaned", than
it becomes a suitable target for re-infection.  You may try to
disinfect a hard disk right down to performing a low level
format: as soon as the disk is reformatted it may be infected all
over again.  This is why all directions for disinfection stress
the necessity of "cold" booting from a disk that is known to be
free of infection before attempting any cleanup.
 
copyright Robert M. Slade, 1991

===================
Vancouver          ROBERTS@decus.ca         | "Power users think
Institute for      Robert_Slade@sfu.ca      |  'Your PC is now
Research into      rslade@cue.bc.ca         |  Stoned' is part of
User               p1@CyberStore.ca         |  the DOS copyright
Security           Canada V7K 2G6           |  line." R. Murnane