Computer viruses are small, compact programs, usually written in assembly language or C, designed to propagate themselves within a host of legitimate programs. Like a real virus, a computer virus needs to infect a host (a file), replicate in the process, and, usually, cause damage. However, this analogy should not be a cause of confusion. Real viruses are submicroscopic particles capable of infecting cells. Computer viruses, on the other hand, are programs that attach themselves to other programs.
To ensure the perpetuation of its kind, a computer virus needs to infect a program. This can be done through various infection strategies, though I will only discuss the two most common types: overwriting and non-overwriting. An infection strategy is successful not only when the virus attaches itself to a program but also when the virus modifies the program so that the virus is executed first whenever the infected program is run. The overwriting strategy accomplishes this by placing the virus at the start of the program, thereby overwriting a part of the original program. When the infected program is run, the virus is executed first because it was placed at the start of the program. However, this infection strategy has some very serious limitations. First, the virus overwrites a part of the original program. This means that the original program is effectively destroyed, which can cause premature discovery of the virus. Second, this strategy can only be used on .com files; an infected .exe file will lock up the computer when executed. And third, this strategy is very lame. It is the easiest virus to make and the easiest to detect.

The most commonly used infection strategy is the non-overwriting or appending strategy. As its name implies, this strategy doesn't overwrite any part of the program (which means that the infected program can still be executed after the virus has done its stuff); instead, the virus appends itself to the end of the program. The virus saves the first few bytes of the program and overwrites them with a jmp instruction to the end of the original file, where the virus is located, so that when the infected program is run, control jumps automatically to the virus. After the virus has done its stuff, the overwritten part of the original program is restored and control is transferred to it. With this strategy, the original program runs as if it had not been modified (but it was!).
But like the overwriting strategy, this one has some drawbacks (though not as serious). First, there is a significant increase in file length. This is because the virus overwrites nothing; it just appends itself to the program. Some users may notice a gradual decrease in their free space. Second, because this infection strategy was designed for com files, the virus must make sure that a program it appends itself to will not exceed 64kb, since 64kb is the maximum length of a com file.

In the case of exe infections, we can use the non-overwriting strategy with some modifications (some virus writers consider exe infections easier than com infections). We cannot use the jmp command, since exe files are not mere memory images. To infect exe files, the virus is simply appended to the end of the file and the exe header is modified so that the virus is executed whenever the infected program is run.

The next part of a virus is the search function. It must search for files to infect, and thereby replicate itself. This can be accomplished by using the findfirst and findnext functions of DOS. Coupled with a directory traversal routine, the virus can infect basically all executable files on the drive. This process, however, poses a problem: each time the virus is run, it must search the drive for executables. This significant increase in the execution time of programs may disclose the fact that a virus is already lurking inside the computer. This problem can be solved by installing the virus in memory and hooking int 21 to intercept the exec function. In this way the virus need not search the whole drive for files to infect; it can simply wait for files to be executed and then infect them. The virus may intercept not only the exec function but also the file close function. This way, a simple DIR command can cause the infection of files.
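Seen from the defender's side, the two appending layouts just described leave fingerprints a scanner can look for: a com file whose first instruction is a jmp to the tail of the file, a com file that has outgrown the 64kb limit, or an exe file whose header entry point lands in the tail of the load module (or whose header-declared size no longer matches the file). The following Python script is an added example, not code from this essay; it implements those heuristics over constructed byte strings that imitate the layouts (inert INT3 filler stands in for a virus body, so nothing here runs as a program). The threshold value and the `build_mz` helper are my own choices. Like any heuristic it has false positives (legitimate com programs that begin by jumping over a large data area) and false negatives (a small body appended to a large host stays below the tail threshold), so it belongs alongside integrity checks rather than in place of them.

```python
"""Heuristic checks for the appending-infection layouts described in the essay.

Added example, not code from the original text. It flags:
  * a COM image whose first instruction is a JMP rel16 into the tail of the file
  * a COM image larger than the 64 KiB segment allows
  * an MZ EXE whose header entry point lies in the tail of the load module
  * an MZ EXE whose header-declared size disagrees with the actual file size
The sample images at the bottom are constructed byte strings, not real programs.
"""
import struct

COM_MAX_IMAGE = 0x10000 - 0x100  # 64 KiB segment minus the 256-byte PSP
TAIL_FRACTION = 0.5              # entry in the last half of the code is suspicious (own choice)


def scan_com(image: bytes) -> list[str]:
    """Return heuristic findings for a COM image (empty list means nothing seen)."""
    findings = []
    if len(image) > COM_MAX_IMAGE:
        findings.append("image larger than a COM file can be")
    if len(image) >= 3 and image[0] == 0xE9:  # JMP rel16 at the entry point
        disp = struct.unpack_from("<h", image, 1)[0]
        target = 3 + disp  # displacement is relative to the byte after the JMP
        if target < 0 or target >= len(image):
            findings.append("entry JMP leaves the file")
        elif target >= len(image) * (1 - TAIL_FRACTION):
            findings.append(f"entry JMP to offset {target} in the file tail")
    return findings


def scan_exe(image: bytes) -> list[str]:
    """Return heuristic findings for an MZ executable."""
    if len(image) < 0x1C or image[:2] != b"MZ":
        return ["not an MZ executable"]
    findings = []
    last_page, pages, _relocs, hdr_paras = struct.unpack_from("<HHHH", image, 2)
    ip, cs = struct.unpack_from("<HH", image, 0x14)  # initial IP and CS (CS relative to load segment)
    declared = pages * 512 - ((512 - last_page) if last_page else 0)
    load_size = declared - hdr_paras * 16
    entry = cs * 16 + ip
    if len(image) != declared:
        findings.append(f"file is {len(image)} bytes but header declares {declared}")
    if load_size > 0 and entry >= load_size * (1 - TAIL_FRACTION):
        findings.append(f"entry point {entry:#x} lies in the tail of the load module")
    return findings


def build_mz(load_module: bytes, ip: int, cs: int = 0) -> bytes:
    """Assemble a minimal MZ image (32-byte header + load module) for the samples."""
    total = 32 + len(load_module)
    pages, last_page = divmod(total, 512)
    if last_page:
        pages += 1
    header = struct.pack("<2s13H", b"MZ", last_page, pages, 0, 2, 0, 0xFFFF,
                         0, 0xFFFE, 0, ip, cs, 0x1C, 0)
    return header.ljust(32, b"\0") + load_module


# --- constructed sample images -------------------------------------------------
# Clean COM: mov ax,4C00h / int 21h (exit to DOS), padded with NOPs to 64 bytes.
CLEAN_COM = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 59
# Appending layout: first three bytes replaced by JMP to offset 64 (3 + 0x3D),
# with 32 bytes of INT3 filler standing in for the appended body.
APPENDED_COM = b"\xE9\x3D\x00" + CLEAN_COM[3:] + b"\xCC" * 32

CLEAN_LOAD = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 59
CLEAN_EXE = build_mz(CLEAN_LOAD, ip=0)
# Header-modified layout: filler appended and the header entry point moved onto it.
APPENDED_EXE = build_mz(CLEAN_LOAD + b"\xCC" * 32, ip=len(CLEAN_LOAD))
# Bytes appended without updating the header: the size fields no longer match.
STALE_EXE = CLEAN_EXE + b"\xCC" * 32

if __name__ == "__main__":
    for name, image, scan in [("clean.com", CLEAN_COM, scan_com),
                              ("appended.com", APPENDED_COM, scan_com),
                              ("clean.exe", CLEAN_EXE, scan_exe),
                              ("appended.exe", APPENDED_EXE, scan_exe),
                              ("stale.exe", STALE_EXE, scan_exe)]:
        print(f"{name:13} {scan(image) or ['clean']}")
```

The exe check deliberately reads the size fields from the header rather than trusting the file length alone, because the essay's point is that the header must be rewritten for the appended code to run; a mismatch between the two is a weaker but still useful signal that something was appended without the header being kept consistent.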
The last part of a virus (though not really necessary) is the damage or payload function. This is actually the fun part of writing a virus. This part is totally dependent on the programmer. Virus programmers like me tend to favor benign but irritating payloads like simple messages, computer slowdowns, and noisy beeps. Some programmers, however, tend to incorporate damaging routines into their viruses, like the deletion of files, reformatting of hard drives and destruction of the flash BIOS (like CIH). This is the part where programmers get to show their originality.

But aside from the parts I have just discussed, a virus may also use some routines to ensure its survival. Viruses use encryption and mutation to avoid detection by scanners. They bypass the read-only attribute of files so that they can infect them. They restore the time and date stamps of files to hide file modification. Memory-resident viruses use stealth techniques to hide the decrease in available memory and the increase in file length. Furthermore, a virus may infect the boot sector so that it is loaded before the command interpreter. To sum it up, computer viruses are potentially destructive, and many are out there in the wild. There may be a virus lurking inside your computer (hopefully it won't be mine; I don't plan on releasing the viruses I have created). So take care, now that not only programs but also documents are in danger of viral infection (macro viruses are now rampant).
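The stealth tricks listed above (restoring time and date stamps, hiding the growth in file length) defeat checks that trust the directory entry, but not a baseline of content hashes. This Python script is an added example, not part of the essay; it snapshots the size and SHA-256 of every .com and .exe under a directory, then shows that a file which has had bytes appended and its timestamp put back is still reported. It works in a temporary directory with constructed files rather than on a real DOS drive, and the file names and the appended INT3 filler are made up for the demonstration.

```python
"""Integrity baseline that catches executable changes even when the modifier
restores the file's timestamp.

Added example, not from the essay. Instead of a real DOS drive it uses a
temporary directory holding a few constructed files.
"""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict[str, tuple[int, str]]:
    """Map each .com/.exe under root (recursively) to (size, sha256 hex digest)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".com", ".exe")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                baseline[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return baseline


def compare(before: dict[str, tuple[int, str]],
            after: dict[str, tuple[int, str]]) -> dict[str, str]:
    """Classify each changed path as 'grown', 'modified', 'new' or 'missing'.

    Only the hash decides whether a file changed; size is used to label the
    kind of change, and timestamps are deliberately never consulted.
    """
    report = {}
    for path, (size, digest) in after.items():
        if path not in before:
            report[path] = "new"
        elif before[path][1] != digest:
            report[path] = "grown" if size > before[path][0] else "modified"
    for path in before.keys() - after.keys():
        report[path] = "missing"
    return report


def demo() -> tuple[dict[str, str], bool]:
    """Append bytes to one file, restore its mtime, and re-check the baseline.

    Returns the change report and whether the timestamp really was unchanged,
    to show that the hash catches what the directory entry hides.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "util"))
        # Constructed files: a tiny COM stub, a minimal MZ header, one non-executable.
        samples = {
            "hello.com": b"\xB8\x00\x4C\xCD\x21",
            os.path.join("util", "tool.exe"): b"MZ" + b"\0" * 30,
            "readme.txt": b"not an executable, not tracked",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)

        victim = os.path.join(root, "hello.com")
        stamp = os.stat(victim)
        with open(victim, "ab") as fh:
            fh.write(b"\xCC" * 32)  # constructed appended block (INT3 filler)
        # Put the modification time back, as a stealth virus would.
        os.utime(victim, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))
        timestamp_unchanged = os.stat(victim).st_mtime_ns == stamp.st_mtime_ns

        return compare(before, snapshot(root)), timestamp_unchanged


if __name__ == "__main__":
    report, same_stamp = demo()
    print("timestamp unchanged:", same_stamp)
    print("changes:", report)
```

A baseline like this only helps if it is taken on a known-clean system and stored where the programs it protects cannot rewrite it; stored on the same drive, it is one more file for a resident virus to tamper with.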