Detection of a File Virus

Article provided by Kaspersky Lab.

As already mentioned, viruses are divided into resident and non-resident. The resident viruses found so far have been markedly more cunning and sophisticated than non-resident ones. Therefore, we shall discuss the simplest case for starters – an attack by an unknown non-resident virus. Such a virus activates when any infected program is started, does its work, passes control to the host program and afterwards (unlike a resident virus) does not interfere with it. To detect such a virus, compare the file sizes on disk with those in backup copies (the reminder about the importance of keeping such copies has already become commonplace). If this doesn’t help, do a byte comparison of the distribution copies with the working copies you use. At present there are many such programs; the simplest of them, the COMP utility, ships with DOS.

One may also examine a hex dump of executables. In some cases the presence of a virus can be spotted immediately from text strings in its code. For example, many viruses contain the strings “.COM”, “*.COM”, “.EXE”, “*.EXE”, “*.*”, “MZ”, “COMMAND” etc. These strings may often be found at the top or end of the infected files.
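The two checks described above (size and byte comparison against a distribution copy, and a scan for the listed marker strings at the head and tail of a file) as an added example; this is not Kaspersky's code, and the CLEAN and INFECTED byte strings are constructed samples rather than real programs:

```python
# Added example: size/byte comparison against a distribution copy, plus a scan
# for the marker strings the article lists near the start and end of a file.
# Not Kaspersky's code; CLEAN and INFECTED below are constructed sample files.

# Text strings the article lists as common in file-virus code.
SUSPICIOUS_STRINGS = [b".COM", b"*.COM", b".EXE", b"*.EXE", b"*.*", b"MZ", b"COMMAND"]


def compare_copies(working: bytes, reference: bytes) -> dict:
    """Cheap size check first, then a byte-by-byte comparison like DOS COMP."""
    result = {
        "size_working": len(working),
        "size_reference": len(reference),
        "size_differs": len(working) != len(reference),
        "first_diff_offset": None,
    }
    for offset, (a, b) in enumerate(zip(working, reference)):
        if a != b:
            result["first_diff_offset"] = offset
            break
    else:
        # Common prefix matches; if lengths differ, the difference starts
        # where the shorter copy ends (typical of code appended to a host).
        if result["size_differs"]:
            result["first_diff_offset"] = min(len(working), len(reference))
    return result


def find_suspicious_strings(data: bytes, window: int = 256) -> dict:
    """Report which marker strings occur in the first and last `window` bytes."""
    head = data[:window]
    tail = data[-window:]
    # "MZ" at offset 0 is the normal EXE signature, so it is not a marker there.
    if head.startswith(b"MZ"):
        head = head[2:]
    return {
        "head": [s.decode() for s in SUSPICIOUS_STRINGS if s in head],
        "tail": [s.decode() for s in SUSPICIOUS_STRINGS if s in tail],
    }


def triage(working: bytes, reference: bytes) -> list:
    """Collect the indicators the article describes for one working copy."""
    reasons = []
    cmp = compare_copies(working, reference)
    if cmp["size_differs"]:
        reasons.append(f"size differs ({cmp['size_reference']} -> {cmp['size_working']} bytes)")
    elif cmp["first_diff_offset"] is not None:
        reasons.append(f"content differs from distribution copy at offset {cmp['first_diff_offset']}")
    strings = find_suspicious_strings(working)
    if strings["head"]:
        reasons.append("marker strings near start of file: " + ", ".join(strings["head"]))
    if strings["tail"]:
        reasons.append("marker strings near end of file: " + ", ".join(strings["tail"]))
    return reasons


# Constructed sample: MZ header, a few code bytes, a compiler copyright notice, padding.
CLEAN = (
    b"MZ" + bytes(62)
    + b"\xb8\x00\x4c\xcd\x21"                     # mov ax,4C00h / int 21h (DOS exit)
    + b"Copyright (C) Example Compiler Vendor"
    + bytes(300)
)
# Constructed sample of a modified copy: extra bytes carrying marker strings at the end.
INFECTED = CLEAN + bytes(40) + b"*.COM\x00*.EXE\x00" + bytes(20)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("modified", INFECTED)):
        print(label, triage(sample, CLEAN) or ["no indicators"])
```

The size check is the cheap first pass the article recommends; the byte comparison catches same-size modifications that a size check misses, and the string scan is deliberately limited to the head and tail of the file, where the article says such strings tend to sit.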

There is yet one more method for the visual detection of a virus in a DOS file. It is based on the fact that executables compiled from a high-level programming language have a fairly definite internal structure. In a Borland or Microsoft C/C++ program, the code segment is at the very beginning of the file, immediately followed by the data segment, which begins with a copyright notice naming the compiler vendor. If the data segment in the dump is followed by one more code segment, the file may well be infected with a virus.

The same holds for most viruses targeting Windows and OS/2 files. Executables for these operating systems have a standard order of segments: code segment(s) followed by data segments. If a data segment is followed by one more code segment, it may be a sign of a virus.
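The segment-order heuristic from the two paragraphs above, applied to the section table of a Windows PE executable, as an added example that is not Kaspersky's code; the MZ/PE headers it parses are built by a hypothetical `build_pe` helper from constructed section lists, not taken from real programs:

```python
# Added example: flag a PE file whose section table has a code section after a
# data section, the warning sign described above. Not Kaspersky's code; the
# sample headers are constructed by build_pe and are not real executables.
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_kinds(pe: bytes) -> list:
    """Walk the section table and label each section as code, data or other."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)   # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature (plain DOS executable?)")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    offset = e_lfanew + 24 + opt_size               # first 40-byte section header
    kinds = []
    for _ in range(nsections):
        name, = struct.unpack_from("<8s", pe, offset)
        flags, = struct.unpack_from("<I", pe, offset + 36)
        if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            kind = "code"
        elif flags & (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA):
            kind = "data"
        else:
            kind = "other"
        kinds.append((name.rstrip(b"\0").decode("ascii", "replace"), kind))
        offset += 40
    return kinds


def code_after_data(kinds) -> bool:
    """True when a code section follows a data section: the article's warning sign."""
    seen_data = False
    for _, kind in kinds:
        if kind == "data":
            seen_data = True
        elif kind == "code" and seen_data:
            return True
    return False


def build_pe(sections) -> bytes:
    """Hypothetical helper: a minimal MZ/PE header with the given section table."""
    e_lfanew = 0x40
    dos_header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 keeps the sample small), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections
    )
    return dos_header + b"PE\0\0" + coff + table


# Constructed layouts: the usual code-then-data order, and one with a trailing code section.
NORMAL_LAYOUT = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
SUSPECT_LAYOUT = NORMAL_LAYOUT + [
    (b".xtra", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
]

if __name__ == "__main__":
    for label, layout in (("normal", NORMAL_LAYOUT), ("suspect", SUSPECT_LAYOUT)):
        kinds = section_kinds(build_pe(layout))
        print(label, kinds, "code after data:", code_after_data(kinds))
```

This is a heuristic, as the article says: packers and some linkers produce layouts with an executable section late in the table for legitimate reasons, so a hit is a reason to look at the file in a disassembler, not a verdict on its own.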

A user familiar with assembly language may try to make sense of the code of suspicious programs. For a quick look, the most suitable utilities are HIEW (Hacker’s View) or AVPUTIL. For more detailed analysis, disassembly software – Sourcer or IDA – is required.

It is recommended to run one of the resident antiviral behavior blockers and follow its messages about “suspicious” actions of programs (writes to COM or EXE files, writes to absolute disk addresses etc.). There are blockers that not only intercept such actions but also display the originating addresses of such calls (AVPTSR is one such blocker). Having seen such a message, one should find out which program caused it and analyze its code with the help of a resident disassembler (for example, AVPUTIL.COM). Tracing the interrupts INT 13h and 21h is often a great help in the analysis of TSR programs.

One must note that resident DOS blockers are often powerless when working in a DOS window under Windows 95/NT, because Windows 95/NT allows viruses to bypass the blocker (and the rest of the TSR programs with it). DOS blockers are also unable to stop the spreading of Windows viruses.

The above methods of detecting file and boot viruses are suitable for most resident and non-resident viruses. But these methods fail if a virus is stealth by design, which renders useless most modern resident blockers, file-comparison and sector-read utilities.
