Hi malware fighters,
Typical file infectors choose any of the following infection styles:
* cavity - the virus inserts its code into available spaces within the normal file
* appending - the virus inserts its code after the normal file’s code
* prepending - the virus inserts its code before the normal file’s code
* entry-point obscuring - a complex infection technique used to evade immediate detection
The VIRUX (aka Virut) strain, however, uses the following infection schema; see the picture below:
* Appending viruses: A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it so that it carries the virus code and the virus can then run itself.
Example: a simple COM infector that appends itself to the end of COM files and propagates through the directory it is installed in (unless you move an infected program outside that directory, of course); such a virus could be written in Assembly.
* Cavity viruses: A cavity virus attempts to install itself inside of the file it is infecting. This is difficult.
Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.
A cavity virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A cavity virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a cavity virus.
Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare.
Summary
A cavity virus attempts to install itself inside of the file it is infecting.
This is difficult to do properly and so this type of virus is rare.
* EPO viruses: Entry-point obscuring viruses are very interesting because of the very difficult nature of their detection, disinfection and removal. Nowadays the EPO technique is used in many different ways; however, Win32.CTX.Phage has been chosen for this article because it was written by the same author as other infamous viruses such as Win9x.Marburg (one of the first Windows 9x polymorphic viruses, which appeared in the WildList) and Win9x.HPS. The author of these viruses is known for his difficult-to-detect and difficult-to-disinfect creations. CTX.Phage in particular involves many techniques that make the disinfection process highly difficult, even after the virus is fully understood.
Re: http://www.securityfocus.com/infocus/1841
polonus
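As an added illustration (not part of the original post or of any scanner), the three PE infection styles above each leave a structural trace a defender can check for: an appending infector leaves data past the end of the last section (an overlay), a cavity infector leaves non-zero bytes in section alignment padding that should be zero, and an EPO infector often leaves the entry point outside the first or executable section. The PE header offsets used are the standard ones; the sample image is constructed inline and is not a real program.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (entry_rva, sections) from raw PE bytes; sections are dicts."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe_off + 24 + opt_size + 40 * i                  # section table entry
        name, vsize, vaddr, rsize, rptr, chars = struct.unpack_from("<8sIIII12xI", data, off)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, vaddr=vaddr, rsize=rsize, rptr=rptr, chars=chars))
    return entry, sections

def infection_hints(data):
    """Structural checks matching the appending, cavity and EPO styles."""
    entry, secs = parse_pe(data)
    last_end = max(s["rptr"] + s["rsize"] for s in secs)
    cavities = []
    for s in secs:
        # Bytes between VirtualSize and SizeOfRawData are alignment padding and should be zero.
        slack = data[s["rptr"] + s["vsize"]:s["rptr"] + s["rsize"]]
        if any(slack):
            cavities.append(s["name"])
    home = [s for s in secs
            if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rsize"])]
    return {
        "overlay_bytes": max(0, len(data) - last_end),               # appending hint
        "nonzero_slack_in": cavities,                                 # cavity hint
        "entry_in_first_section": bool(home) and home[0] is secs[0],  # EPO hint
        "entry_in_executable_section": bool(home) and bool(home[0]["chars"] & IMAGE_SCN_MEM_EXECUTE),
    }

def build_sample_pe(entry=0x1000, fill_slack=False, overlay=b""):
    """Constructed minimal two-section PE image used only to exercise the checks."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                          # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, 0x84, 0x14C, 2, 0xE0)           # i386, 2 sections, opt hdr size
    struct.pack_into("<I", hdr, 0x98 + 16, entry)                    # AddressOfEntryPoint
    struct.pack_into("<8sIIII12xI", hdr, 0x178, b".text", 0x10, 0x1000, 0x200, 0x200, 0x60000020)
    struct.pack_into("<8sIIII12xI", hdr, 0x1A0, b".data", 0x10, 0x2000, 0x200, 0x400, 0xC0000040)
    text = bytearray((b"\x90" * 15 + b"\xC3").ljust(0x200, b"\0"))   # harmless nops + ret
    if fill_slack:
        text[0x10:0x40] = b"\xCC" * 0x30                              # constructed marker bytes in padding
    data = (b"A" * 0x10).ljust(0x200, b"\0")
    return bytes(hdr + text + data) + overlay
```

Run `infection_hints(build_sample_pe())` against the constructed image for a clean baseline, then with `overlay=`, `fill_slack=True` or `entry=0x2000` to see each style's trace; on real files, treat the results as triage hints rather than verdicts, since packers and legitimate overlays produce the same shapes.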