Infection methods of trojan virus
The groups of viruses listed above can be sub-divided according to the technique a virus uses to infect objects.
File Viruses
File viruses use the following infection methods:
- Overwriting
- Parasitic
- Companion
- Links
- Object modules (OBJ)
- Compiling libraries (LIB)
- Application source code
Overwriting:- This is the simplest infection method: the virus replaces the code of the infected file with its own, erasing the original code. The file is rendered useless and cannot be restored. These viruses are easily detected because the operating system and affected applications will cease to function shortly after infection.
Parasitic:- Parasitic viruses modify the code of the infected file. The infected file remains partially or fully functional.
Parasitic viruses are grouped according to the section of the file they write their code to:
- Prepending: the malicious code is written to the beginning of the file
- Appending: the malicious code is written to the end of the file
- Inserting: the malicious code is inserted in the middle of the file
Inserting file viruses use a variety of methods to write code to the middle of a file: they either move parts of the original file to the end or copy their own code to empty sections of the target file. These are sometimes called cavity viruses.
Prepending viruses:- Prepending viruses write their code to target files in two ways. In the first scenario, the virus moves the code from the beginning of the target file to the end and writes its own code into this space. In the second scenario, the virus appends the code of the target file to its own code.
In both cases, every time the infected file is launched, the virus code is executed first. In order to maintain application integrity, the virus may clean the infected file, re-launch it, wait for the file to execute, and once this process is over, the virus will copy itself again to the beginning of the file. Some viruses use temp files to store clean versions of infected files. Some viruses will restore the application code in memory, and reset necessary addresses in the body, thus duplicating the work of the operating system.
Appending viruses:- Most viruses fall into this category. Appending viruses write themselves to the end of the infected files. However, these viruses usually modify the files (changing the entry point in the file header) to ensure that the commands contained in the virus code are executed before the commands of the infected object.
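Because an appending virus has to redirect the header entry point into the section it added, the entry point itself is a useful triage signal. The following is an added example, not code from the original page: a minimal PE header reader with a heuristic that flags an entry point in the last section, in a non-executable section, or outside every section, plus a constructed header-only sample so it runs offline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag: contains executable code

def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, virtual_addr, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                            # optional header starts here
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                          # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections

def entry_point_findings(data: bytes):
    """Heuristic: an entry point redirected into the last section, into a non-executable
    section, or outside every section is the footprint an appending virus leaves."""
    entry_rva, sections = parse_pe(data)
    hit = [i for i, (_, va, vs, _) in enumerate(sections) if va <= entry_rva < va + vs]
    if not hit:
        return ["entry point lies outside every section"]
    name, _, _, chars = sections[hit[0]]
    findings = []
    if len(sections) > 1 and hit[0] == len(sections) - 1:
        findings.append(f"entry point in last section {name!r}")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name!r} is not marked executable")
    return findings

def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed header-only PE image for testing; not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)     # PE32 magic, EP at +16
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                 vs, va, vs, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

CLEAN = [(".text", 0x1000, 0x500, 0x60000020), (".data", 0x2000, 0x200, 0xC0000040)]
INFECTED = CLEAN + [(".vir", 0x3000, 0x300, 0xE0000020)]               # constructed appended section
```

Packers and some linkers also place the entry point outside .text, so treat a hit as a reason to look closer rather than a verdict; a virus that leaves the header entry point untouched will not trip this check at all.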
Inserting viruses:- Virus writers use a variety of methods to inject viruses into the middle of a file. The simplest methods are moving part of the file code to the end of the file or pushing the original code aside to create a space for the virus.
Inserting viruses include so-called cavity viruses; these write their code to sections of files that are known to be empty. For instance, cavity viruses can copy themselves to the unused part of exe file headers, to the gaps between exe file sections, or to text areas of popular compilers. Some cavity viruses will only infect files where a certain block contains a certain byte; the chosen block will be overwritten with the virus code.
Finally, some inserting viruses are badly written and simply overwrite sections of code which are essential for the infected file to function. This causes the file to be irrevocably corrupted.
Entry point obscuring viruses (EPOs):- There is a small group of parasitic viruses, comprising both appending and inserting viruses, which do not modify the entry point address in the headers of exe files. EPO viruses write the routine pointing to the virus body to the middle of the infected file. The virus code is then executed only if the routine containing the jump to the virus body is called. If this routine is rarely used (e.g. a rare error notification), an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find useful entry points:
- Searching for frames and overwriting them with infected starting points
- Disassembling the host file code
- Changing the addresses of imported functions
Companion viruses:- Companion viruses do not modify the host file. Instead they create a duplicate file containing the virus. When the infected file is launched, the copy containing the virus will be executed first.
This category includes viruses that re-name the host file, record the new name for future reference and then overwrite the original file. For instance, a virus might rename notepad.exe as notepad.exd and write its own code to the file under the original name. Each time the user of the victim machine launches notepad.exe, the virus code will be executed, with the original Notepad file, notepad.exd, being run afterwards.
There are other types of companion viruses which use novel infection techniques or exploit vulnerabilities in specific operating systems. For instance, Path-companion viruses place their copies in the Windows system directory, exploiting the fact that this directory is first in the PATH list, so the system searches it first when launching a program. Many contemporary worms and Trojans use such autorun techniques.
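A path-companion copy works only because its directory is searched before the directory holding the real program, so the defender's check is to enumerate PATH in search order and list every executable name that appears more than once. This is an added example, not code from the original page; the directory listing is injected so the check runs offline, and the sample PATH and file names are constructed.

```python
import os
from typing import Dict, Iterable, List, Optional

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")   # assumption: the extensions worth reporting

def find_shadowed_commands(path_dirs: Iterable[str],
                           listing: Optional[Dict[str, List[str]]] = None) -> Dict[str, List[str]]:
    """Map each executable name found in more than one PATH directory to those directories,
    in search order: the first entry is the one the shell launches and shadows the rest.
    `listing` is a directory->filenames map for offline use; with None, os.listdir is used."""
    seen: Dict[str, List[str]] = {}
    for d in path_dirs:
        try:
            names = listing[d] if listing is not None else os.listdir(d)
        except (KeyError, OSError):
            continue                                   # missing directory: nothing to shadow
        for fname in names:
            if os.path.splitext(fname)[1].lower() in EXEC_EXTS:
                dirs = seen.setdefault(fname.lower(), [])
                if d not in dirs:
                    dirs.append(d)
    return {n: dirs for n, dirs in seen.items() if len(dirs) > 1}

# Constructed sample: the legitimate backup.exe lives in C:\Tools, but a companion copy
# in the system directory precedes it on PATH and is therefore the one that gets launched.
SAMPLE_PATH = [r"C:\Windows\System32", r"C:\Windows", r"C:\Tools"]
SAMPLE_LISTING = {
    r"C:\Windows\System32": ["cmd.exe", "backup.exe"],
    r"C:\Windows": ["explorer.exe", "notepad.exe"],
    r"C:\Tools": ["backup.exe", "readme.txt"],
}

def live_check() -> Dict[str, List[str]]:
    """Run the same check against this machine's PATH (assumes os.pathsep splitting is enough)."""
    return find_shadowed_commands(os.environ.get("PATH", "").split(os.pathsep))
```

Every entry in the result is a candidate: the first directory listed is the copy that runs, and the later ones are the programs it shadows, which should be compared against a known-good inventory rather than assumed malicious.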
Other infection techniques:- Some viruses do not use executable files to infect a computer, but simply copy themselves to a range of folders in the hope that sooner or later they will be launched by the user. Some virus writers give their viruses names such as install.exe or winstart.bat in order to persuade the user to launch the file containing the virus.
Other viruses copy themselves to compressed files in formats such as ARJ, ZIP and RAR, while still others write the command to launch an infected file to a BAT-file.
Link viruses also do not modify host files. However, they force the operating system to execute the virus code by modifying the appropriate fields in the file system.