The anatomy of a virus
The main parts of a virus’ code are
the replication routine and the payload routine. The replication
routine is a mandatory part of every virus; if it is missing, the program is not
a virus by definition. Some other kinds of malicious software, also called
malware, lack a replication routine but are frequently assumed to be
viruses.
The payload routine is, contrary to
common belief, not mandatory. As a matter of fact, there are many viruses that
lack a payload routine altogether. The lack of a payload routine may actually
be beneficial for the virus and enable it to replicate more efficiently.
The replication routine
The replication mechanism is the most
important part of the virus. This part of the virus code locates suitable
objects to attach the virus to and copies the virus to these objects.
The first problem the replication
routine must solve is how to find suitable objects. A virus is always written
so as to work attached to a certain type of carrier object, such as a program
file or text document created by MS Word, or a limited number of carrier object
types. The replication routine must be able to locate objects of the correct
type. This can be done by searching through the computer, file by file.
However, this is rather inefficient and requires a great deal of computer
power. A more elegant approach is for the virus to remain in memory and monitor
system activity. This enables the virus to infect files when they are used. The
performance impact of infecting a single file is
so small that the user would not notice it. This behavior also improves the
ability of the virus to spread, as recently accessed files are more likely to
be transmitted to another system.
The next problem that the replication
mechanism must solve is how to attach the virus to the
carrier object. This step is done
using totally different techniques for different types of viruses.
However, one common requirement is
that the virus’ code be executed when the object is used. Viruses that infect
program files may attach the virus code to the beginning or the end of the
program file, and patch the entry point so that when the program is run the
virus code is executed first. The virus usually transfers control to the
original program when it has finished its tasks. This ensures that the original
program works properly and the virus avoids detection. Other types of carrier
objects, such as MS Word documents, may provide features for embedding macros
in the document files. These features make it easy for the replication routine
of the virus to attach the code. It can ensure that the code is run properly by
using certain naming conventions for the virus’ macros.
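As an added example (not part of the original article), here is a defender-side check for the entry-point patching described above, assuming an ELF64 program file as the carrier object: it parses the program headers and flags an entry point that lands outside the first executable segment, inside a writable and executable segment, inside a non-executable segment, or outside any loadable segment. The ELF images it inspects are constructed inline from headers only.

```python
import struct

# ELF64 layouts (assumed carrier format for this example; the article speaks of program files generally)
ELF64_HDR = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
PHDR64 = "<IIQQQQQQ"              # p_type .. p_align, 56 bytes
PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4

def load_segments(data):
    """Parse the ELF64 header and return (entry point, list of (start, end, flags) for PT_LOAD segments)."""
    hdr = struct.unpack_from(ELF64_HDR, data, 0)
    ident, entry, phoff, phentsize, phnum = hdr[0], hdr[4], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 image")
    segs = []
    for i in range(phnum):
        p_type, p_flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(PHDR64, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((vaddr, vaddr + memsz, p_flags))
    return entry, segs

def classify_entry(data):
    """Heuristic verdict on where e_entry lands; a redirected entry point is a classic sign of an appended infection."""
    entry, segs = load_segments(data)
    exec_segs = [s for s in segs if s[2] & PF_X]
    for lo, hi, flags in segs:
        if lo <= entry < hi:
            if not flags & PF_X:
                return "entry in non-executable segment"
            if flags & PF_W:
                return "entry in writable+executable segment"
            if (lo, hi, flags) != exec_segs[0]:
                return "entry outside first executable segment"
            return "ok"
    return "entry outside any loadable segment"

def build_elf(entry, segments):
    """Constructed sample: minimal ELF64 image consisting only of headers (no real code)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # 64-bit, little-endian, version 1
    hdr = struct.pack(ELF64_HDR, ident, 2, 0x3E, 1, entry, 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR64, PT_LOAD, flags, 0, va, va, size, size, 0x1000)
                     for va, size, flags in segments)
    return hdr + phdrs

# Constructed samples: a normal layout, and layouts resembling a patched-entry / appended-code infection
NORMAL = [(0x400000, 0x1000, PF_R), (0x401000, 0x2000, PF_R | PF_X), (0x404000, 0x1000, PF_R | PF_W)]
CLEAN_SAMPLE = build_elf(0x401000, NORMAL)
APPENDED_SAMPLE = build_elf(0x405000, NORMAL + [(0x405000, 0x800, PF_R | PF_X)])
RWX_SAMPLE = build_elf(0x405000, NORMAL + [(0x405000, 0x800, PF_R | PF_W | PF_X)])
DATA_ENTRY_SAMPLE = build_elf(0x404100, NORMAL)
```

Legitimate binaries can trip this heuristic (packers, unusual linker scripts, extra init segments), so a flagged entry point is a prompt for closer inspection rather than a verdict.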
The payload routine
The payload routine is not a mandatory
part of a virus. It does not take part in the replication of the virus in any
way. The payload is just a routine that performs something that the author of
the virus wants it to perform on all infected computers. The payload routines
of different viruses can be divided into two groups, malicious and
non-malicious. Some viruses also lack a payload routine altogether.
Malicious payloads can, for example,
delete files, modify data, plant backdoors in the system or reveal confidential data.
Non-malicious payloads may play music, show pictures or animations, promote the
author’s favorite heavy-metal band etc.
(The payload of a virus usually cannot
damage the hardware of a computer.)