FUNGENA.CVP 911202

Detection avoidance

Viral programs have almost no defence at all against disinfection. 99% of viri are almost trivially simple to get rid of, simply by replacing the "infected" file (or boot sector) with an original copy. (Some more recent boot sector and system viri require slightly more knowledge in order to perform effective disinfection: none require drastic measures.) Far from their image as the predators of the computer world, viral programs behave much more like prey. Their survival is dependent upon two primary factors: reproductive ability and avoidance of detection.

Using the standard system calls to modify a file leaves very definite traces. The change in a file "creation" or "last modified" date is probably more noticeable than a growth in file size. File size is rather meaningless to most users, whereas dates and times do have significance for them. Changing the date back to its original value, however, is not a significant programming challenge. Adding code while avoiding a change in file size is more difficult, but not impossible. Overwriting existing code and adding code to "unused" portions of the file or disk are some possible means. (The fictional rogue program P1, in Thomas Ryan's "The Adolescence of P1", avoided problems of detection by analyzing and rewriting existing code in such a manner that the programs were more compact and ran more efficiently. Such activity has not yet, alas, been discovered in any existing virus.)

Some viral programs, or rather, virus authors, rely on psychological factors. There are a number of examples of viri which will not infect program files under a certain minimum size, knowing that an additional 2K is much more noticeable on a 5K utility than on a 300K spreadsheet.

In a sense these are all "stealth" technologies, but this term is most often used for programs which attempt to avoid detection by trapping calls to read the disk and "lying" to the interrogating program.
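As an added illustration (not part of the column), the following Python baseline check records the three disk-level indicators the text discusses, size, date and a checksum, and reports which of them each tampering pattern above still trips: a plain append, an append with the date put back, and an in-place overwrite with the date put back. The file name, bytes and timestamp are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed baseline timestamp (1 Jan 2001 UTC, in nanoseconds) so date comparisons are exact.
BASE_MTIME_NS = 978_307_200 * 1_000_000_000
# Constructed stand-in for a small program file.
ORIGINAL = b"MZ" + b"\x90" * 4096


def fingerprint(path):
    """Record the three disk-level indicators: size, last-modified date, contents checksum."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime_ns, "hash": digest}


def changed_indicators(path, baseline):
    """Return the set of indicators that differ from the baseline; empty means unchanged."""
    current = fingerprint(path)
    return {k for k in baseline if current[k] != baseline[k]}


def _write_original(path):
    with open(path, "wb") as f:
        f.write(ORIGINAL)
    os.utime(path, ns=(BASE_MTIME_NS, BASE_MTIME_NS))


def run_scenarios():
    """Apply the three tampering patterns from the text to a scratch file and
    report what a baseline comparison notices in each case."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "util.com")
        _write_original(path)
        baseline = fingerprint(path)
        # 1. Naive append: size, date and checksum all change.
        with open(path, "ab") as f:
            f.write(b"\xcc" * 2048)
        results["append"] = changed_indicators(path, baseline)
        # 2. Same append, then the date is put back: only size and checksum give it away.
        os.utime(path, ns=(BASE_MTIME_NS, BASE_MTIME_NS))
        results["append_restore_mtime"] = changed_indicators(path, baseline)
        # 3. Overwrite existing bytes in place and put the date back: only the checksum catches it.
        _write_original(path)
        with open(path, "r+b") as f:
            f.seek(64)
            f.write(b"\xcc" * 256)
        os.utime(path, ns=(BASE_MTIME_NS, BASE_MTIME_NS))
        results["overwrite_restore_mtime"] = changed_indicators(path, baseline)
    return results


if __name__ == "__main__":
    for name, changed in run_scenarios().items():
        print(f"{name:24s} -> {sorted(changed) or 'nothing changed'}")
```

A check like this reads the disk through the operating system, so a resident stealth virus that filters those reads can feed it the original size, date and contents; that is why such comparisons are run after booting from a known-clean disk.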
By so doing, they avoid any kind of detection which relies upon perusal of the disk. The disk gives back only that information regarding file dates, sizes and makeup which was appropriate to the original situation. (This also relies upon the virus being "active" at the time of checking.) Although this method avoids any kind of "disk" detection, including checksumming and signature scanning, it leaves traces in the computer's memory which can be detected. (Some viral programs also try to "cover their tracks" by watching for any analysis of the area they occupy in memory and crashing the system, but this tends to be noticeable behaviour ... )

copyright Robert M. Slade, 1991