File Viruses
A file virus (also called a program virus)
is a type of virus which inserts itself
into, or associates itself with, a file.
File viruses only infect files that can be executed.
This includes, but is not limited to, .EXE,
.COM and .DOT files. File viruses can be
further divided into:
- Parasitic Viruses
- Overwriting Viruses
- Companion Viruses
- Linking Viruses
Parasitic Viruses
A parasitic virus attaches itself to a file
in order to propagate. It generally keeps
most of the file intact and either adds itself
to the start (prepending viruses) or end of
the file (appending viruses). COM and EXE
files are easiest to infect, as they are simply
loaded directly into memory and execution
always starts at the first instruction.
Overwriting Viruses
Most viruses are careful not to destroy
the infected file, but overwriting viruses
overwrite part of the infected file, so
that it will no longer operate. However,
this makes these viruses extremely obvious,
so they are unlikely to spread far.
Companion Viruses
If you try to run a program without specifying
a file extension, the system will always
try to find and execute the .COM program
first and, if it cannot be located, the .EXE
file will be called next. Companion viruses
make use of this to provide an infection
mechanism which does not modify the original
file in any way. These viruses only infect
.EXE files and do so by writing a companion
.COM file with the same name. Then, when
the user runs an infected program, the .COM
file containing the virus is run. It looks
for another .EXE file to infect, then loads
the requested .EXE file and runs it.
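
Because the original .EXE is left unmodified, the visible trace of a companion infection is the extra .COM file itself. The following is an added example, not part of the original page: a Python check that flags every .COM file sharing a base name with an .EXE. The function names and the sample listing are constructed for illustration, and the check assumes the companion sits in the same directory as the .EXE.

```python
import os
from collections import defaultdict
from pathlib import PureWindowsPath


def find_companion_pairs(paths):
    """Return sorted (com_path, exe_path) pairs sharing a directory and base name."""
    by_name = defaultdict(dict)
    for raw in paths:
        p = PureWindowsPath(raw)
        ext = p.suffix.upper()
        if ext in (".COM", ".EXE"):
            # DOS file names are case-insensitive, so compare in upper case.
            key = (str(p.parent).upper(), p.stem.upper())
            by_name[key][ext] = raw
    pairs = [(found[".COM"], found[".EXE"])
             for found in by_name.values()
             if ".COM" in found and ".EXE" in found]
    return sorted(pairs)


def scan_tree(root):
    """Walk a directory tree and report .COM/.EXE pairs found in it."""
    listing = []
    for folder, _dirs, files in os.walk(root):
        listing.extend(os.path.join(folder, name) for name in files)
    return find_companion_pairs(listing)


# Constructed sample listing (assumption: not taken from a real system).
SAMPLE_LISTING = [
    r"C:\APPS\REPORT.EXE",
    r"C:\APPS\REPORT.COM",   # same directory and base name: flagged
    r"C:\APPS\Setup.exe",
    r"C:\APPS\SETUP.COM",    # differs only in case: still flagged
    r"C:\APPS\LEDGER.EXE",
    r"C:\TOOLS\LEDGER.COM",  # different directory: not flagged here
    r"C:\APPS\README.TXT",
]

if __name__ == "__main__":
    for com, exe in find_companion_pairs(SAMPLE_LISTING):
        print(f"review: {com} runs before {exe}")
```

A flagged pair is a candidate for review rather than proof of infection, since legitimate software can ship both files under the same name.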
Linking Viruses
These infect programs by changing information
in the directory structure and modifying
the file pointers, so every infected program
starts at the same location (usually the
last cluster on the disk) which contains
virus code. Cleaning disks infected with
a link virus requires a specific approach.
Each of the above file viruses can incorporate
different techniques to improve the infection
rate or to avoid detection.