File Infector Viruses Flashcards
Explain the Appending Virus?
- Add the malware code at the end of the host file.
- Save the Original Entry Point location for later use.
- Modify the entry point in the file header to point to the start of the appended malware code.
- Now when the file is run, it will first run the malware.
Explain the Prepending Virus?
- Add the malware code at the end of the host file's headers, but before the main code/data.
- Save the Original Entry Point location for later use.
- Modify the entry point in the file header to point to the start of the prepended malware code.
- Now when the file is run, it will first run the malware.
Explain the WinPE Infecting Virus?
WinPE file infectors are a bit more complex. They work by placing malware code in the empty spaces of a file:
- Save the Original Entry Point location for later use.
- Place the malware code in free space within the file (e.g. in the padding space between PE file sections). Each block of malware code jumps to the next block.
- Modify the entry point in the file header to point to the start of the malware code.
- Now when the file is run, it will first run the malware.
Explain the Overwriting Virus?
- Place the malware code in the file, overwriting other components if needed.
- Modify the Original Entry Point to point to the start of the malware code.
- Now when the file is run, it will first run the malware. However, the original host program will normally have been at least partially destroyed by the infection process, so the malware does not attempt to run it afterwards.
Explain the Not Modifying Entry Point Virus?
Some file infectors do not alter the entry point, since a modified entry point can be used to detect that something unusual is going on.
Here the malware first saves the first few bytes of the original code at the entry point and places them at the end of its own code. It then overwrites those bytes with a jump to its own code.
The malware code then executes as normal. At the end it runs the saved original bytes and then jumps back to the next instruction of the original code.
Explain the Master Boot Record Virus?
Finally we have the Master Boot Record virus. These infect the entire disk, not just a single file. The MBR holds details of the system's partition table and is responsible for deciding what code on the machine executes first. Infecting it allows malware to run before the OS itself.
These can be very tricky to clean, and there have been several famous examples such as Brain, Elk Cloner and Mebroot.
Name the different types of File Infector Viruses?
- Appending
- Prepending
- WinPE
- Overwriting
- Not modifying entry point
- MBR