From: R.Wieser (rwieser-killthis-_at_xs4all.nl)
Date: Sun, 7 Mar 2004 17:09:12 +0100
The Half A Wannabee <ShakainZulu_AT(Pink floyd - Obscured by clouds).com>
wrote in message news:firstname.lastname@example.org...
Hello The Half A Wannabee,
> "The Half A Wannabee" <ShakainZulu_AT(Pink floyd - Obscured by
> wrote in message news:email@example.com...
> > "R.Wieser" <firstname.lastname@example.org> wrote in message
> > news:email@example.com...
> > > 2) You still have to store the (not-to-be-relocated) program
> > > into a file, and that file *can* be compromised. Either by an
> > > overwriting virus, or by a virus that relocates itself, and will
> > > then load the part that it had overwritten from the file to the
> > > correct spot.
> > Are you saying the virus would do its thing, repair the exe and
> Of course a sort of worm could host in the exe and crawl. That's what
> saying ?
No, not really. I'm saying that a *virus* could infect an executable (worms
mostly use other means than infecting executables, as they are
self-propagating), while the execution of that program still goes o.k.
(there is a *lot* of proof about, although more-and-more of those "viri" are
> But it can't spread in this exe? It must repair it. Each time the
> exe runs it must be repaired first?
Correct. But how do you think this "repairing" by a virus is any different
than applying fix-ups to the program by the OS that loads the program ?
> I do not understand. Since the data
> segment addresses are relative to the code size, it would be simply
> impossible for the virus to remain in the exe while the exe is running.
Correct. The first thing it therefore does is move itself to a safe spot
(currently mostly by spawning-off itself), and let this child "repair" the
original memory-image of the program.
> And the exe could check itself.
Too late! When the "self-check" of the memory-image is done, the virus has
been long gone ...
Even when you would apply the self-check to the disk-file, you would either
be too late (the virus has already entered your computer), or you would not
notice anything strange, as the virus could intercept disk read/writes,
detect it's done on a file that is infected by itself, and return data as if
the file would not be infected (it knows where a copy of itself would move
the original data to) ....
> Also, each exe is different so the virus must
> know all of them.
Not really. The actual executed code may differ, but some points *must* be
the same, otherwise the OS cannot load & start them ... And that is the
very point a virus will be able to intercept.
> Remember that with this scheme, I can determine, at compile
> time (with some care) where my data will be placed, and insert constant
> pointers to the data for control in the exe. Each exe with different
> controls pointers would make the virus work a real hell? The virus will
> spread MUCH slower if such a scheme could be made to work ?
No. Just think of this : The OS *must* be able to determine at which
address your code should be started, as well as the size of the code
to-be-loaded. How difficult would it be to overwrite the code at that
point with a jump to the virus ? Or better yet : place the virus-code at
that spot (and do some relocations on that new incarnation of the virus) ?
A simple overwriting virus could (and did, in the DOS-era) do it that way.
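
Added example (not part of the original post): the values the loader must read to load and start a program are the same in every executable, so they are also the values an integrity baseline should record. The sketch below assumes the DOS MZ header layout, which the post does not name; the function names and the sample images are hypothetical and constructed for illustration.

```python
import hashlib
import struct

# The 14 little-endian words of the DOS MZ header (assumed format, see lead-in).
MZ_FIELDS = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")

def loader_view(image: bytes) -> dict:
    """Return the header-derived values the loader uses to load and start the file."""
    if len(image) < 28 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    h = dict(zip(MZ_FIELDS, struct.unpack_from("<14H", image, 0)))
    header_bytes = h["cparhdr"] * 16                      # header size in paragraphs
    file_bytes = h["cp"] * 512 - ((512 - h["cblp"]) if h["cblp"] else 0)
    entry = header_bytes + ((h["cs"] * 16 + h["ip"]) & 0xFFFFF)  # CS:IP as file offset
    if entry >= len(image):
        raise ValueError("entry point lies outside the file")
    return {
        "entry_offset": entry,                  # where execution starts
        "load_size": file_bytes - header_bytes, # how much code/data gets loaded
        "relocations": h["crlc"],               # number of fix-ups applied at load
        "entry_sha256": hashlib.sha256(image[entry:entry + 32]).hexdigest(),
    }

def changed_fields(baseline: dict, current: dict) -> list:
    """Names of loader-visible values that differ from the recorded baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])

def build_sample(code: bytes, ip: int = 0) -> bytes:
    """Constructed sample image: 32-byte header, no relocations, CS=0."""
    total = 32 + len(code)
    cp, cblp = -(-total // 512), total % 512
    hdr = struct.pack("<14H", 0x5A4D, cblp, cp, 0, 2, 0, 0xFFFF, 0, 0x100,
                      0, ip, 0, 28, 0)
    return hdr.ljust(32, b"\0") + code

CLEAN = build_sample(bytes(range(64)))
# Constructed variants: bytes at the entry point replaced; entry point moved.
PATCHED_ENTRY = build_sample(b"\xFF" * 4 + bytes(range(4, 64)))
MOVED_ENTRY = build_sample(bytes(range(64)), ip=16)

if __name__ == "__main__":
    base = loader_view(CLEAN)
    for name, img in (("patched", PATCHED_ENTRY), ("moved", MOVED_ENTRY)):
        print(name, changed_fields(base, loader_view(img)))
```

As the post notes, a resident virus can return clean data for reads of an infected file, so both the baseline and the comparison only mean something when the file is read from a trusted environment.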