So, how does a virus work? There are exceptions and variations, but essentially you start with a clean program. Run an infected program in the same environment and you launch the virus. The virus then finds a suitable host (program) and attaches itself to it. From then on, whenever you run the infected program, the virus code runs first and the original program runs afterwards. The virus is likely to attach itself to many of your programs, and if you share an infected file you share your virus. This is a very simple explanation of how a virus works. The example above is how a virus that we call a prepender works. Prepending viruses add their code to the beginning of a file. This makes the file larger than it was before it was infected. A file that increases in size might indicate a virus, but it is not always one. One of the important things to realize about a virus is that it must execute to infect. If I copy an infected file onto my hard drive, that does not mean my computer is infected. If I run the program, my computer may then become infected.
There are also other ways that viruses infect files. The diagram on the left shows an appender. The virus has to place some code at the beginning of the file to gain control when the file is run, but the bulk of its code is appended to the end of the file. The middle diagram shows how a PE (portable executable) file is infected by viruses such as CIH. The portable executable file format has empty spaces in it, and a virus is able to use these empty spaces for its code so that no change in file size occurs. Frequently, when a virus infects a file, there is a change in the size of the infected file; this isn't always the case when a portable executable is infected. Many Windows files are of the PE file format. The final diagram shows an over-writer. Over-writing viruses over-write some or all of the file with the virus code. These viruses tend to do a lot of damage, but they don't tend to get very far. Any time a virus immediately destroys its host, it tends to get noticed and dealt with. To be successful, a virus must be able to remain covert for a long time. This allows it to infect more files and spread farther before it is noticed.

The Form virus is a simple boot sector infector. Detection for it has existed for several years, yet it stayed on the list of most prevalent viruses for a very long time. Why? Form only makes its presence known one day a month, by causing the keyboard to make a clicking noise each time a key is pressed. If the user isn't at the computer on that specific day, they don't notice it. If they are at their computer but are too busy to do something about it, the next day the problem is gone and they either blame Microsoft for a bug in the OS or simply forget it.
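The "empty spaces" in a PE file that a cavity infector such as CIH can reuse are measurable from the section table: each section's SizeOfRawData (bytes on disk, rounded to FileAlignment) usually exceeds its VirtualSize (bytes the program actually uses), and the difference is padding. The following added example, which is not code from the page, is a minimal PE32 section-table inspector that reports that slack per section and checks where AddressOfEntryPoint lands, since a prepender or appender typically redirects the entry point into code that lives outside the original code section. The PE bytes it runs on are constructed inside the block and are not a real executable; the field offsets follow the published PE/COFF layout.

```python
"""Added example (not from the page): inspect a PE32 section table for
per-section slack and for an entry point that falls in an unexpected place.
The sample PE bytes are constructed here and are not a real program."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000      # section characteristics flag


def build_sample_pe(entry_rva: int = 0x1000) -> bytes:
    """Construct a toy PE32 image with a .text and a .data section (constructed data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> "PE\0\0"
    # COFF file header: i386, 2 sections, 224-byte optional header, EXECUTABLE_IMAGE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    text = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x050, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + coff + bytes(opt) + text + data).ljust(0x400, b"\0")
    # .text raw bytes at 0x400 (0x100 used, 0x100 padding), .data raw bytes at 0x600
    return headers + b"\x90" * 0x100 + b"\0" * 0x100 + b"\0" * 0x200


def parse_pe(data: bytes) -> dict:
    """Return the entry-point RVA and the section headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sect_off = opt_off + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rawsize,
                         "raw_pointer": rawptr, "characteristics": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def section_slack(data: bytes) -> dict:
    """Unused on-disk bytes per section: SizeOfRawData - VirtualSize (0 if negative)."""
    return {s["name"]: max(0, s["raw_size"] - s["virtual_size"])
            for s in parse_pe(data)["sections"]}


def entry_point_findings(data: bytes) -> list:
    """Heuristic checks on where AddressOfEntryPoint lands; empty list means nothing odd."""
    pe = parse_pe(data)
    rva, findings, holder = pe["entry_rva"], [], None
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            holder = s
            break
    if holder is None:
        return ["entry point outside every section"]
    if not holder["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {holder['name']}")
    if len(pe["sections"]) > 1 and holder is pe["sections"][-1]:
        findings.append(f"entry point in last section {holder['name']}")
    if rva >= holder["virtual_address"] + holder["virtual_size"]:
        findings.append(f"entry point in slack of {holder['name']}")
    return findings


if __name__ == "__main__":
    sample = build_sample_pe()
    print("slack per section:", {k: hex(v) for k, v in section_slack(sample).items()})
    print("findings:", entry_point_findings(sample) or "none")
```

Slack by itself is not evidence of infection: normal linkers leave it in every section, which is exactly why a cavity infector can use it without changing the file size. The useful signal is a change, so a practitioner pairs this with a baseline (sizes and hashes of known-good files) and treats an entry point that moves into padding, into a non-executable section, or into the last section as worth a closer look. On a real file, swap `build_sample_pe()` for the bytes read from disk.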