First published: 1st December 1994
By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS Head of F-PROT Technical Support, Yui Kee Co. Ltd.
Typically, once a file virus has become active on your system, it will infect each program you execute, but some viruses use different methods. Three sub-categories of file virus are distinguished by when they choose to infect: Fast Infectors, Slow Infectors and Sparse Infectors.
Fast Infectors, as the name suggests, try to spread at every opportunity: they infect a program whenever it is opened, whether for execution, for reading or for writing. Program files are not often opened for reading, but one exception is an anti-virus scanner, which typically reads every program on a disk, one after another. Imagine the case where a program containing a fast infector has been copied on to a machine. The user runs the infected program, and the virus loads into memory. The user then decides to check the hard disk with a (not very good) anti-virus scanner; the scanner opens and reads each program on the hard disk, and the virus infects each one as it is opened. In one action, the user has spread the virus into every program on the disk! If the scanner does detect the virus, the user might see just the original infected program reported, or every program on the disk, depending on whether each file is infected before or after the scanner reads its contents. Either way, the user now has a lot of work to do cleaning the infected programs or replacing them from backups. Good anti-virus software, of course, would detect the virus in memory before it touched any files, and stop with a warning.
Thus a fast infector will fully infect one machine very quickly, but it is still largely dependent on programs being transferred on floppies to spread between machines. On a network, or through BBSs, a fast infector could spread with frightening speed.
The Slow Infector takes the opposite approach, infecting only when a program is opened for writing. There are normally only two occasions when this happens: when a programmer is creating the program, and when the program is being installed. Slow infectors, therefore, spread slowly, so why are they created? They are an attack on one otherwise extremely good method of catching viruses, the integrity checker. Integrity checkers, or checksumming programs, look for changes in software, which may be caused by viruses. They must be installed on a clean system, and thereafter will warn when programs have been modified. However, people do sometimes create new programs or install new software, so an integrity checker has a mechanism for approving legitimate changes. The slow infector aims to get itself approved at the same time as a legitimate change is made: the user has just installed a program, the checker reports that program as new or changed, and the user approves it, infection and all. Strategically, the slow infector is trading speed for secrecy.
Sparse Infectors only infect when a specific set of conditions is met: it might be a particular range of file size or date stamp of the victim program, or the time of day, or anything else. This is really aimed at confusing the overworked anti-virus expert, who receives samples every day, many of which are junk, corrupted files or otherwise not viruses. The anti-virus expert will often test whether the sample infects various bait files; if it does not, it may be put aside with the rest of the junk and not tested further. The sparse infector aims to slip through this loophole, so that even when a sample is sent for analysis it may be declared clean.
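The three strategies, and the two detection techniques the article pits them against, can be put side by side in a small simulation. The Python below is an added illustration, not code from the article or from F-PROT, and contains no real virus code: "infection" is modelled as appending a marker to an in-memory file, the resident virus is a hook on every file open, and the program names, the integrity checker and the sparse rule (infect only files whose size is a multiple of 4 bytes) are all constructed for the example.

```python
import hashlib

MARKER = b"<INFECTED>"  # stands in for the appended virus body in this toy model


class Disk:
    """Programs as name -> bytes, plus whatever virus is hooked into open()."""
    def __init__(self, files):
        self.files = dict(files)
        self.resident = None

    def open(self, name, mode):
        # A resident virus sees every open and acts before the caller gets the
        # data, so a scanner reading a file finds it already infected.
        if self.resident is not None:
            self.resident.on_open(self, name, mode)
        return self.files[name]


class Infector:
    """Infects on the listed open modes, but only when `condition` holds."""
    def __init__(self, modes, condition=lambda name, data: True):
        self.modes = set(modes)
        self.condition = condition

    def on_open(self, disk, name, mode):
        data = disk.files[name]
        if mode in self.modes and MARKER not in data and self.condition(name, data):
            disk.files[name] = data + MARKER


FAST = Infector({"execute", "read", "write"})
SLOW = Infector({"write"})
# Hypothetical sparse rule: only victims whose size is a multiple of 4 bytes.
SPARSE = Infector({"execute"}, condition=lambda name, data: len(data) % 4 == 0)


def infected(disk):
    """Ground truth, read straight from the dict so no hook fires."""
    return sorted(n for n, d in disk.files.items() if MARKER in d)


def execute(disk, name, virus):
    """Run a program; if it carries the virus, the virus goes resident."""
    if MARKER in disk.open(name, "execute"):
        disk.resident = virus


def naive_scan(disk):
    """Reads every program looking for the signature, never checks memory."""
    return sorted(n for n in disk.files if MARKER in disk.open(n, "read"))


def good_scan(disk):
    """Checks memory first, as the article says good software should."""
    if disk.resident is not None:
        return "virus active in memory, scan aborted"
    return naive_scan(disk)


class IntegrityChecker:
    def __init__(self, disk):
        self.baseline = {}
        self.approve(disk, disk.files)   # installed on a clean system

    def approve(self, disk, names):
        for n in names:
            self.baseline[n] = hashlib.sha256(disk.files[n]).hexdigest()

    def changed(self, disk):
        return sorted(n for n, d in disk.files.items()
                      if self.baseline.get(n) != hashlib.sha256(d).hexdigest())


def fast_scenario():
    """Fast infector: a naive scan spreads it to every program on the disk."""
    disk = Disk({"WP.EXE": b"wp", "DB.EXE": b"db", "GAME.EXE": b"gm" + MARKER})
    execute(disk, "GAME.EXE", FAST)
    warning = good_scan(disk)        # refuses to scan while the virus is resident
    before = infected(disk)          # still only GAME.EXE
    after = naive_scan(disk)         # every read triggers an infection
    return warning, before, after


def slow_scenario():
    """Slow infector: infects only on write, then rides a legitimate approval."""
    disk = Disk({"WP.EXE": b"wp"})
    checker = IntegrityChecker(disk)
    disk.files["SETUP.EXE"] = b"su" + MARKER   # new software arrives infected
    checker.approve(disk, ["SETUP.EXE"])       # user approves the install
    execute(disk, "SETUP.EXE", SLOW)
    execute(disk, "WP.EXE", SLOW)              # executing does not infect
    disk.files["NEW.EXE"] = b"new"
    disk.open("NEW.EXE", "write")              # an installer writes a program
    before = checker.changed(disk)             # checker flags NEW.EXE
    checker.approve(disk, before)              # user approves "their" change
    return before, checker.changed(disk), "NEW.EXE" in infected(disk)


def sparse_scenario():
    """Sparse infector: the analyst's bait files miss the condition."""
    disk = Disk({"BAIT1.EXE": b"b1", "BAIT2.EXE": b"b22",
                 "SAMPLE.EXE": b"x" + MARKER, "VICTIM.EXE": b"abcd"})
    execute(disk, "SAMPLE.EXE", SPARSE)
    for name in ("BAIT1.EXE", "BAIT2.EXE", "VICTIM.EXE"):
        execute(disk, name, SPARSE)
    return infected(disk)
```

Running the three scenarios shows the article's points in miniature: the memory-checking scanner refuses to touch the disk and leaves GAME.EXE as the only infected file, while the naive scanner's read of each program hands every one to the fast infector; the slow infector never fires on execution, and the single file it does infect is waved through when the user approves the install they just performed; and the sparse infector leaves both bait files untouched but infects the one victim whose size satisfies its rule.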
These three alternative infection strategies demonstrate some of the ploy and counterploy that is so common in the war between virus writers and anti-virus experts. Fortunately, a good anti-virus package can combine a wide range of techniques, memory checking, file scanning and integrity checking among them, so that the virus is caught whichever route it chooses.