Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

COMP47380_MalwareAdvanced > File Infector Viruses > Flashcards

File Infector Viruses Flashcards

1
Q

Explain the Appending Virus?

A
  1. Add the malware code at the end of the host file.
  2. Save the Original Entry Point location for later use
  3. Modify the Original Entry Point to point to the start of the appended malware code.
  4. Now when the file is run, it will first run the malware.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Explain the Prepending Virus?

A
  1. Add the malware code at the end of the host files headers, but before the main code/data.
  2. Save the Original Entry Point location for later use
  3. Modify the Original Entry Point to point to the start of the appended malware code.
  4. Now when the file is run, it will first run the malware.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Explain the WinPE Infecting Virus?

A

For WinPE file infectors, they are a bit more complex. They work by placing malware code in the empty spaces of a file:

  1. Save the Original Entry Point location for later use
  2. Place the malware code in free space within the file (e.g. In the padding space between PE File sections). Each block of malware code jumps to the next block
  3. Modify the Original Entry Point to point to the start of the malware code.
  4. Now when the file is run, it will first run the malware.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Explain the Overwriting Virus?

A
  1. Place the malware code in the file, overwriting other components if needed.
  2. Modify the Original Entry Point to point to the start of the malware code.
  3. Now when the file is run, it will first run the malware. However the original host file will normally have been at least partially destroyed by the infection process, so the malware will not bother to run it also.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Explain the Not Modifying Entry Point Virus?

A

Some File infectors will not alter the Entry Point, as this can be used to detect something unusual is going on.

Here the malware will first save the first couple of bytes of the original code, and place it at the end of its own. It will then overwrite these bytes with a jump to its own code.

The malware code will then execute as normal. At the end it will run the first bytes of the original code, and then jmp back to the next instruction of the original code.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Explain the Master Boot Record Virus?

A

Finally we have a Master Boot Record virus These infect the entire disk, not just a single file. The MBR holds details on the systems partition table and is responsible for deciding what code on the machine executes first. Infecting this allows a malware to run before the OS itself.

These can be very tricky to clean, and there have been several famous examples such as Brain, Elk Cloner, Mebroot

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Name the different types of File Infector Viruses?

A
  1. Appending
  2. Prepending
  3. WinPE
  4. Overwriting
  5. Not modifying entry point
  6. MBR
How well did you know this?
1
Not at all
2
3
4
5
Perfectly

COMP47380_MalwareAdvanced (9 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions