Internet Security Professional Reference:Viruses


After the virus updates the proper DOS data structures, it copies itself into the newly reserved region of memory and then updates the Interrupt Vector Table (IVT) so that the virus becomes the default DOS service provider. (See “When and How Floppy Boot Record Viruses Get Control” for information about the IVT.) From this point on, anytime programs request DOS services, the virus gains control and can perform its mischief (see figs. 15.26 and 15.27).


Figure 15.26  Virus copies itself to just below the top of conventional RAM.


Figure 15.27  Fully “hooked” resident COM virus.

Finally, the virus transfers control to the host program and allows it to execute normally. The entire installation process takes only a few microseconds and remains invisible to the user.

How and When the Direct Action File-Infecting Virus Infects New Items

The direct action file-infecting virus infects other executable programs as soon as an infected program (and therefore the virus written into it) launches. After the virus finishes infecting other executable programs, it transfers control to the host program and allows it to execute. This is true for all viruses except overwriting viruses, which corrupt the host program during infection (see fig. 15.28).


Figure 15.28  Steps taken by a COM virus when it infects a new file.

The user might notice increased disk activity when starting up infected programs, because the direct action virus must search the drive for other programs to infect as soon as an infected program launches.

The user also might notice that programs take longer than usual to load and execute. As more files become infected, the virus must search through more and more of the hard drive (or floppy disk) for new files to infect. This sometimes can take minutes and is an obvious sign that something is wrong. See figure 15.29 for a description of this process.


Figure 15.29  User executes a file infected by a direct action COM virus.

DOS provides system services for efficiently and systematically traversing the many files and directories present on a drive. The direct action virus uses these services to locate new files to infect in the same way that a file-finding program might locate files that contain a certain text-string.

Some direct action viruses search only within the current directory for new files to infect. Other direct action viruses might try to infect every file on the hard drive or every file in the DOS path.

Consider a simple direct action virus that infects the programs in the current directory of the hard drive. If the current directory is C:\DOS and the user executes an infected copy of the C:\DOS\FORMAT.COM program to format a floppy disk, the direct action virus immediately takes control.

The direct action virus methodically examines each file in the C:\DOS directory in an attempt to determine whether the target file is already infected. It can make this determination using any number of different techniques. Anytime a direct action virus infects a new program, for instance, it can change the date and timestamp on the program to a special date and time. When the virus later launches and finds a program that has this characteristic date and time, it bypasses the program, assuming that it’s already infected.

Using this technique, the virus might inadvertently skip over some uninfected programs that coincidentally have the special date and time settings. Even if a virus infects only 10 percent of the executable programs found, however, it still constitutes a threat to the user and the data stored on the PC.

Other file viruses examine the contents of each executable program they encounter. The virus attempts to identify whether it has already infected the target program by looking for some telltale sign of itself in the program. Again, the virus might inadvertently skip over uninfected programs that it mistakenly assumes are already infected. On the other hand, the virus need not infect 100 percent of the programs on the drive to be viable.
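As an added example that is not part of the chapter, the following Python scanner applies the two infection-marker heuristics described above from the defender's side: it walks a directory tree the way a direct action virus would, but only reports COM and EXE files that carry either a characteristic timestamp or a telltale byte sequence in their header. The marker time, the marker bytes and the sample files it builds are all constructed assumptions, not values from any real virus.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed assumptions (not from the chapter): the hypothetical virus
# stamps infected hosts with this time of day and leaves this byte
# sequence somewhere in the first 64 bytes of the host program.
MARKER_TIME = (12, 34, 56)          # hour, minute, second
MARKER_BYTES = b"XYZINF"
EXEC_SUFFIXES = {".com", ".exe"}

def has_marker_time(path: Path) -> bool:
    """True if the file's modification time matches the infection stamp."""
    t = datetime.fromtimestamp(path.stat().st_mtime)
    return (t.hour, t.minute, t.second) == MARKER_TIME

def has_marker_bytes(path: Path) -> bool:
    """True if the telltale byte sequence appears in the file header."""
    with path.open("rb") as fh:
        return MARKER_BYTES in fh.read(64)

def scan_directory(root):
    """Traverse root like a direct action virus would, but only to report.
    Returns {relative path: (time_flag, content_flag)} for every
    executable that shows at least one infection marker."""
    root = Path(root)
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXEC_SUFFIXES:
                continue                      # not a COM/EXE: never a target
            flags = (has_marker_time(p), has_marker_bytes(p))
            if any(flags):
                hits[str(p.relative_to(root))] = flags
    return hits

def build_sample_tree():
    """Constructed sample tree: one clean COM file, one carrying the
    timestamp marker, one carrying the header marker, and a text file
    that contains the marker bytes but must be ignored by suffix."""
    root = Path(tempfile.mkdtemp())
    (root / "CLEAN.COM").write_bytes(b"\xc3" + b"\x00" * 31)   # RET only
    stamped = root / "STAMPED.COM"
    stamped.write_bytes(b"\xc3" + b"\x00" * 31)
    h, m, s = MARKER_TIME
    t = int(datetime.now().replace(hour=h, minute=m, second=s,
                                   microsecond=0).timestamp())
    os.utime(stamped, (t, t))                 # apply the time-of-day stamp
    (root / "SIGNED.COM").write_bytes(b"\xe9\x10\x00" + MARKER_BYTES + b"\x00" * 20)
    (root / "NOTES.TXT").write_bytes(MARKER_BYTES)
    return root
```

As the chapter notes, a timestamp marker alone produces false positives on clean files that happen to share the stamp, which is why the scanner reports both flags separately rather than a single verdict.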

The direct action virus also must determine whether the current file it has located is of the proper type for infection. Many viruses will infect only COM files or EXE files, but not both; if a direct action COM infecting virus tries to infect an EXE program, it will most likely corrupt the program.

After the virus determines that it has located a program of the proper type that isn’t yet infected, it can begin infecting. Most viruses that infect EXE programs use the appending technique described in “EXE Infections.” The majority of viruses that infect COM files use either the prepending or appending scheme.

After the virus has infected a target file, it may transfer control to the host program; however, some direct action viruses infect more than one program at a time. Sometimes, the virus attempts to infect every program in the current directory or even every program on the hard drive.

After a direct action virus executes, it is effectively removed from memory. Therefore, if the user executes any uninfected programs after running an infected program, these programs won’t become infected.

How and When the Memory-Resident File-Infecting Virus Infects New Items

The memory-resident file virus works in a similar manner to its boot record cousins. When an infected program launches, the virus installs itself as a memory-resident service provider in the operating system. From this point on, anytime DOS or another program tries to read, write, execute, or otherwise access a program, the virus is given control of the computer.

The virus can then infect program files as the user references them. Every time a user executes a program, for example, a system services request is made to DOS to load the program into memory and execute it. If the virus is memory-resident at the time, it gains control at the time of this DOS request. After the virus learns of the service request, it can infect the program and then pass the original request along to DOS. DOS then runs the (newly infected) program normally.

The resident file virus uses the same techniques as the direct-action file virus to determine whether a target file is infected. Any program the user executes or references in any way may be infected by the virus, provided a DOS service request is issued to carry out that operation. However, most resident file viruses infect programs only when they are executed.

Memory-resident file viruses that infect files when they are opened are known as fast infectors. Anytime a program file is copied or accessed, the virus infects it. Consider what happens when a user runs a standard DOS antivirus scanner over the files on his hard drive.

To scan for known viruses, the antivirus scanner must open each executable file on the computer and examine its contents. Each time the antivirus program opens a new program file, it makes a DOS “open file” service request, which causes the virus to trigger and infect the soon-to-be-scanned program. Scanning a drive with the virus resident can inadvertently infect every executable file on the computer! For this reason, memory scanning techniques (described in “Memory Scanners”) are a vital part of a total antivirus solution.
