Understanding the Resident Virus
Viruses are a tremendous threat to anyone with a connection to the internet. These nasty programs typically install and execute themselves without the victim's knowledge. The impact of a virus ranges widely from slowing down the performance of your computer to completely erasing all of your important files. In most cases, it will distribute itself to other machines you communicate with, giving it the ability to cripple an entire network. Regardless of how severe the consequence, a virus is something you do not want on your computer.
What is a Resident Virus?
A resident virus is one of the most common types of computer infections. It functions by installing malicious code into the memory of your computer, infecting current programs and any others you may install in the future. In order to achieve this, the resident virus needs to find a method to allocate memory for itself, meaning it must find somewhere to hide. Additionally, it must establish a process that activates the resident code to begin infecting other files.
A resident virus may use a number of different techniques to spread its infection. One of the most overlooked methods involves the TSR (Terminate-Stay-Resident) interrupt function. While this method is the easiest way to invoke infection, it is also easily detected by a virus scanner. A more desired technique involves the manipulation of MCBs (memory control blocks). Lastly, a virus needs to attach itself to specific interrupts in order to launch the resident code. For instance, if a virus is programmed to activate each time a program is run, it must be hooked to the interrupt functions designated for loading and executing that particular application.
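A defender can audit the memory control blocks mentioned above by walking the chain and checking that it is consistent. The following is an added example, not code from the original article: it parses the DOS MCB header layout from a constructed memory image and reports a broken chain or memory the chain does not account for. The function names, the sample images and the 640 KB top-of-memory value are assumptions made for illustration.

```python
import struct

PARA = 16               # bytes per paragraph (one segment unit)
TOP_OF_MEMORY = 0xA000  # assumed: 640 KB conventional memory (an EBDA can legitimately lower this)
MCB = "<cHH3x8s"        # type 'M'/'Z', owner PSP segment, size in paragraphs, reserved, name

def make_mcb(kind, owner, size_paras, name=b""):
    """Build a 16-byte MCB header plus a zero-filled block (constructed test data)."""
    return struct.pack(MCB, kind, owner, size_paras, name) + bytes(size_paras * PARA)

def sample_images():
    """Two constructed images based at segment 0x9F00: a consistent one and a short one."""
    head = make_mcb(b"M", 0x9F01, 0x3F, b"EDITOR")
    clean = head + make_mcb(b"Z", 0, 0xBF)                     # chain ends at 0xA000
    short = head + make_mcb(b"Z", 0, 0x7F) + bytes(0x40 * PARA)  # last block ends early
    return clean, short

def walk_mcb_chain(image, first_seg, base_seg):
    """Return (blocks, findings); image holds memory starting at segment base_seg."""
    blocks, findings = [], []
    seg = first_seg
    while True:
        off = (seg - base_seg) * PARA
        if off + PARA > len(image):
            findings.append(f"chain runs past image at {seg:04X}")
            break
        kind, owner, size, name = struct.unpack_from(MCB, image, off)
        if kind not in (b"M", b"Z"):
            findings.append(f"bad MCB signature at {seg:04X}")
            break
        blocks.append({"seg": seg, "owner": owner, "paras": size,
                       "name": name.split(b"\0")[0].decode("ascii", "replace")})
        end = seg + 1 + size  # header paragraph plus the block itself
        if kind == b"Z":      # 'Z' marks the last block in the chain
            if end < TOP_OF_MEMORY:
                gap = (TOP_OF_MEMORY - end) * PARA
                findings.append(f"{gap} bytes below top of memory not in chain")
            break
        seg = end
    return blocks, findings

if __name__ == "__main__":
    for label, image in zip(("clean", "short"), sample_images()):
        blocks, findings = walk_mcb_chain(image, 0x9F00, 0x9F00)
        for b in blocks:
            print(f"{label}: {b['seg']:04X} owner={b['owner']:04X} "
                  f"paras={b['paras']:04X} {b['name']}")
        print(label, "findings:", findings or "none")
```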
Structure of the Virus
The replication module within a resident virus is quite similar to that of a nonresident infection. The virus loads the replication module into computer memory when executing, ensuring that it is launched each time the operating system is requested to perform a particular function. For instance, the replication module may be called upon a .WPD word file. In this scenario, the resident virus may eventually infect every program suited for the executable file on the computer.
Resident viruses fall into two primary categories: fast infectors and slow infectors. Fast infectors are specifically designed to corrupt as many files as they can as quickly as possible. In simpler terms, they have the ability to infect every host file accessed on the computer. This complex structure creates a significant problem for anti-virus programs, as many of the scanners they employ are designed to check every host file when conducting a full-system scan. If the scan fails to detect that such a virus resides in the memory, the infection can then "piggy-back" on the scanner and infect any file it searches.
Slow infectors are designed to infect hosts infrequently. For example, they often only infect files that are copied. They are able to limit their activity in order to avoid detection by a user. Slow infectors gradually degrade the performance of your computer, giving little indication of the presence of a virus. Because of this, they aren't very effective and are easily detected by a virus scanner.
Methods of Detection
In many instances, a resident virus can be detected by the average computer user. This is done by referring to the map of your local hard drive. The recommended and more efficient method involves installing an anti-virus program with in-depth scanning capability.