Now I’ve Seen It All (Maybe)

I've been coding anti-virus routines for 1, 2, 5... 10, 15, 20... a really long time.  Starting with the Apple II, before there was even an anti-virus industry, and continuing on the PC (and funnily enough, joining the industry wasn't the obvious choice for me when I left school).  In between times, I've analysed viruses for the Commodore 64, Amiga, Macintosh, and Itanium platforms, macros, scripts, things on phones, things on devices... even things on calculators!  My website is full of descriptions.  I thought that I'd seen all of the techniques that there can be to infect a file.
Broadly speaking, infections fall into three categories - boot, file, and companion.  Boot and file are easy to see - some code is attached to the object.  That can be by overwriting, inserting, prepending, appending, or any combination of those.  The companion virus, on the other hand, never touches the host; it takes the place of the original file.  In DOS days, that was achieved through PATH or suffix-order trickery: COMMAND.COM tried .COM before .EXE before .BAT in each directory, and walked the PATH in order, so a HOST.COM dropped beside HOST.EXE (or earlier in the PATH) ran first and then launched the real host.  Another way is to simply rename the host and place the virus file in the original location, so that the virus runs, then hands off to the renamed original.
That's everything, right?  Not exactly, as it turns out.  A companion virus doesn't have to infect files.  However, I don't want to say that it "infects" directories, though some people might consider that to be the case.  Such a virus relies on the fact that if the file suffix and size are hidden - and Explorer hides known extensions by default, and shows no size at all in the icon views - then a file and a directory are essentially indistinguishable.  Then, given the same icon (a folder icon in the file's resources), one can't tell them apart.  So, by setting the hidden attribute on the directory and placing an executable with the directory's name beside it in the parent directory, the file becomes the companion to the directory: the user who double-clicks the "folder" runs the executable instead.
This effect can be achieved on the Windows desktop, though it doesn't complicate the detection in any way - the companion is still an ordinary file for a scanner to examine.  It's just something to confuse the user.
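As an added illustration (not part of Peter's post), here is a small Python routine that looks for both kinds of companion described above in a directory listing: the DOS suffix-order companion (a .COM or .BAT sitting beside a .EXE of the same base name) and the directory companion (an executable whose base name matches a hidden sibling directory).  The sample listing is constructed for the example; the hidden check assumes the Windows FILE_ATTRIBUTE_HIDDEN flag when available and falls back to a leading dot elsewhere.

```python
"""Flag companion-style name collisions in a directory listing.

Added example: detection heuristics for the two companion tricks described
in the post, not code from the post itself.
"""
import os
import stat
import sys
from dataclasses import dataclass

# Order in which COMMAND.COM resolved a name typed without a suffix.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")
# Executable suffixes that Explorer hides by default as "known" types.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


@dataclass(frozen=True)
class Entry:
    """One directory entry, reduced to what the two checks need."""
    name: str
    is_dir: bool
    hidden: bool


def suffix_order_companions(entries):
    """Return (companion, host) pairs where the companion wins DOS suffix search.

    For each base name with more than one of .COM/.EXE/.BAT present, the entry
    that DOS would run first is reported against each later one.
    """
    by_base = {}
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        ext = ext.lower()
        if ext in DOS_SEARCH_ORDER:
            by_base.setdefault(base.lower(), {})[ext] = e.name
    findings = []
    for exts in by_base.values():
        present = [x for x in DOS_SEARCH_ORDER if x in exts]
        if len(present) < 2:
            continue
        winner = exts[present[0]]
        for ext in present[1:]:
            findings.append((winner, exts[ext]))
    return findings


def directory_companions(entries):
    """Return (file, hidden_dir) pairs where an executable shadows a hidden directory.

    This is the post's directory companion: the real directory is hidden and an
    executable of the same base name sits beside it in the parent.
    """
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_SUFFIXES and base.lower() in hidden_dirs:
            findings.append((e.name, hidden_dirs[base.lower()]))
    return findings


def _is_hidden(direntry):
    """Hidden attribute on Windows; dot-prefix convention elsewhere (assumption)."""
    st = direntry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return direntry.name.startswith(".")


def scan_directory(path):
    """Run both checks over a real directory and return their findings."""
    entries = [Entry(d.name, d.is_dir(follow_symlinks=False), _is_hidden(d))
               for d in os.scandir(path)]
    return suffix_order_companions(entries), directory_companions(entries)


# Constructed sample listing: a hidden "Documents" folder shadowed by
# Documents.exe, and SETUP.COM placed beside setup.exe.
SAMPLE_LISTING = [
    Entry("Documents", is_dir=True, hidden=True),
    Entry("Documents.exe", is_dir=False, hidden=False),
    Entry("Photos", is_dir=True, hidden=False),
    Entry("setup.exe", is_dir=False, hidden=False),
    Entry("SETUP.COM", is_dir=False, hidden=False),
    Entry("readme.txt", is_dir=False, hidden=False),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        dos, dirs = scan_directory(sys.argv[1])
    else:
        dos = suffix_order_companions(SAMPLE_LISTING)
        dirs = directory_companions(SAMPLE_LISTING)
    for companion, host in dos:
        print(f"suffix-order companion: {companion} runs before {host}")
    for companion, hidden_dir in dirs:
        print(f"directory companion: {companion} shadows hidden directory {hidden_dir}")
```

Both checks are naming heuristics, so they produce leads rather than verdicts: a legitimate installer can ship SETUP.COM next to SETUP.EXE, and the real tell for the directory case is an executable that carries a folder icon.  Dropping the `hidden` test in directory_companions would also catch the clumsier variant where the directory is left visible and the listing simply shows two "folders" of the same name.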
So it seems that this old dog can still learn some new tricks.
- Peter Ferrie
