
APPENDIX C
ruses temporarily disinfect the infected file or substitute themselves for
“healthy” data blocks. For macro viruses, the most popular technique is to
block access to the menu that lists macros. One of the first file stealth
viruses is Frodo, and the first boot stealth virus is called Brain.
SELF-ENCODING and POLYMORPHIC features are used by almost all
virus types to make detection difficult. Polymorphic viruses are difficult
to detect because they contain no constant code blocks. Generally
speaking, two samples of the same polymorph won’t have even a single
matching code block. This is implemented by encoding the main virus body
and modifying the decoder.
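An added example, not part of the original manual, showing from the scanner's side why a fixed byte signature misses an encoded body and how a key-searching scan recovers it. The single-byte XOR is an assumed, simplified stand-in for the encoding (the text names no specific scheme), and the marker, sample bytes and function names are constructed for illustration.

```python
# Constructed, harmless marker standing in for a scanner's byte signature.
SIGNATURE = b"EXAMPLE-BODY-MARKER-0001"
# Constructed sample body: plain ASCII text around the marker.
BODY = b"constructed header " + SIGNATURE + b" constructed trailer"


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: assumed, simplified stand-in for the body encoding."""
    return bytes(b ^ key for b in data)


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest run of bytes that occurs in both a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def plain_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic fixed-signature scan over the raw bytes."""
    return signature in sample


def xray_scan(sample: bytes, signature: bytes = SIGNATURE):
    """Try all 256 keys; return the key that exposes the signature, else None."""
    for key in range(256):
        if xor_encode(signature, key) in sample:
            return key
    return None


if __name__ == "__main__":
    s1, s2 = xor_encode(BODY, 0x5A), xor_encode(BODY, 0xC3)
    print("shared run between encodings:", longest_common_run(s1, s2))
    print("plain scan:", plain_scan(s1), plain_scan(s2))
    print("x-ray scan keys:", xray_scan(s1), xray_scan(s2))
```

A polymorph that also rewrites its decoder defeats a scan aimed at the decoder bytes as well, which is why scanners run or emulate the decoder before matching.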
UNUSUAL METHODS are used by viruses to hide themselves deep in
the OS kernel (the virus called 3APA3A), to conceal their resident copy (the
viruses called TPVO and Trout2), to make it difficult to disinfect the system
(for example, by placing the virus copy in Flash-BIOS), etc.
Classifying viruses by their destructive capabilities (or lack thereof) gives
us the following categories:
• harmless viruses do not affect computer operation in any way except by
consuming a portion of the hard disk’s free space;
• paper-tiger viruses also consume hard drive space, but may also
produce graphical and/or sound and/or other kinds of effects that
are generally harmless (though they may be extremely annoying);
• harmful viruses may seriously interfere with the computer’s performance;
• hot viruses may corrupt programs, cause data loss, damage files
and system areas essential to the computer’s operation and
even (as a computer legend says) shorten the life of the hardware’s
moving parts by causing resonance in, and the destruction of,
some hard disk head types.
No virus can be regarded as totally innocent, even though its algorithm may
not contain system-damaging branches, as the consequences of penetrating
a system are unpredictable and occasionally irreversible. A computer
virus, just like any other program, may contain errors causing data loss and
sector corruption on your computer (for example, the "innocent" virus called
DenZuk correctly handles 360Kb diskettes, but it may damage data on
diskettes with larger capacity). You may come across a virus detecting