Friday, November 25, 2005

Memory Resident Viruses

File infector viruses are often memory-resident, meaning that the virus remains in system memory after it executes and infects other programs as they are opened, until the user reboots or shuts down the computer. Staying resident in memory also lets the virus intercept the OS (operating system) services that programs depend on, which helps the virus code run as planned. Although a memory-resident virus ceases to act while the computer is off, some crafty viruses modify the Windows Registry (the database of system settings and user preferences) so that they are loaded back into memory the next time the user turns on the computer.
These viruses can be difficult to eradicate because even if a user deletes every infected file, the virus is still waiting in memory to infect more. A program that stays loaded this way is also known as a TSR (terminate-and-stay-resident) program, a DOS term for a program (or, in this case, a virus) that returns control to the system but keeps its code in memory and runs its routines only when triggered. Because users tend to run several programs or other executable files during an average computing session, the potential for serious damage is great.
One of the most notorious examples of the memory-resident file infector virus is CIH, a variant of which is known as Chernobyl (because the virus executes on April 26, the anniversary of the Chernobyl nuclear disaster; other variants of this virus activate their payloads on the 26th of every month or annually on June 26).
CIH first emerged in June 1998 and quickly spread via both pirated software and products from legitimate companies. An IBM shipment of new Aptiva PCs infected with CIH made it to market, as did an infected firmware update for Yamaha’s CD-R400 drives. The virus appeared in other commercial sources, as well, and soon its destructive nature had a worldwide presence.
Infecting EXE (executable) files on PCs running Windows 95 and Windows 98, CIH overwrites data on the hard drive, which would seem destructive enough, but it goes a step further and tries to overwrite the PC’s BIOS (Basic Input/Output System) information. If the chip containing this information is not reprogrammable, purchasing a new BIOS chip (or a new motherboard altogether) might be necessary.
Another infamous memory-resident virus is Jerusalem. This virus infects both EXE and COM (executable; for programs) files, although the first version of the virus was ultimately buggy and infected a single EXE file repeatedly until multiple infected versions filled the hard drive’s remaining empty space. Activating every Friday the 13th, Jerusalem deletes any programs executed on that day and slows down the computer. Because of the virus’ rather concise code, it provided a template of sorts for aspiring virus writers, and soon after Jerusalem entered the wild, variants followed at a breakneck pace.
Although most modern memory-resident viruses try to conceal their presence, an early virus called Cascade (also known as Falling Letters or Blackjack) does just the opposite. On a machine infected with this DOS-based virus, once the virus’ trigger conditions are met, the letters on the screen fall to the bottom of the display, creating a “virtual pile.”
Direct action viruses and overwrite viruses are also file infectors in many cases, depending on how they behave. Certain direct action viruses, for example, replicate by infecting other files just as file infector viruses do, but they are not memory-resident: each time the original infected program executes, the virus selects programs to infect and then exits along with it.
The Vienna virus, written in Vienna, Austria, as a high school student’s experiment, is a prominent example of a direct action virus because it searches for uninfected COM files and infects them. This virus destroys one of every eight files it infects by overwriting some of the original code with instructions to reboot the computer. Multiple variants of Vienna entered the wild after its source code appeared in a book about computer viruses. Because it partially overwrites files, Vienna shares traits with overwrite viruses. These viruses destroy files by replacing part or all of their code. Interestingly, overwrite viruses do not increase the file size of the original file, most likely to avoid detection.
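The post notes that an overwrite virus leaves the host file the same size, so a size-only check would miss it, while the appended or prepended code of a typical file infector does grow the file. The following integrity checker is an added example (not code from the original post) that records both size and a SHA-256 digest for each executable and classifies later changes accordingly; the file names and contents are constructed stand-ins for the COM/EXE programs discussed above, not real executables.

```python
import hashlib

def fingerprint(data):
    """Size plus content digest; the digest catches same-size overwrites."""
    return len(data), hashlib.sha256(data).hexdigest()

def take_baseline(files):
    """files: mapping of file name -> bytes, taken from a known-clean system."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_integrity(baseline, files):
    """Compare a later snapshot against the baseline.
    'size-changed'    -> code was appended/prepended (classic file infector)
    'content-changed' -> same length, different bytes (overwrite-style change)
    'clean', 'missing', 'new' cover the remaining cases."""
    report = {}
    for name, (size0, digest0) in baseline.items():
        if name not in files:
            report[name] = "missing"
            continue
        size1, digest1 = fingerprint(files[name])
        if size1 != size0:
            report[name] = "size-changed"
        elif digest1 != digest0:
            report[name] = "content-changed"
        else:
            report[name] = "clean"
    for name in files.keys() - baseline.keys():
        report[name] = "new"
    return report

# Constructed sample "programs" (hypothetical contents, not real executables).
CLEAN = {
    "EDIT.COM": b"\xe9\x10\x00" + b"A" * 61,   # 64 bytes
    "GAME.EXE": b"MZ" + b"B" * 126,            # 128 bytes
    "SHELL.COM": b"\xe9\x20\x00" + b"C" * 29,  # 32 bytes
}
# Simulated later snapshot: one file grew (appended code), one had its first
# bytes replaced without changing length, one is untouched.
MODIFIED = {
    "EDIT.COM": CLEAN["EDIT.COM"] + b"X" * 40,
    "GAME.EXE": b"MZ" + b"Z" * 8 + CLEAN["GAME.EXE"][10:],
    "SHELL.COM": CLEAN["SHELL.COM"],
}

def demo():
    return check_integrity(take_baseline(CLEAN), MODIFIED)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:10s} {verdict}")
```

Comparing against a baseline taken before infection is what makes the same-size overwrite visible; a scan of the current files alone has nothing to compare the digest to.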

