Stealth virus


A virus such as the one just described is easily detected because an infected version of a program is longer than the corresponding uninfected one. One way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. The following diagram describes it more clearly.

We assume that program p1 is infected with the virus CV.

When the program is invoked, control passes to its virus, which performs the following steps:

* For each uninfected file p2 that is found, the virus first compresses that file to produce p2*, which is shorter than the original program by the size of the virus.

* A copy of the virus is prepended to the compressed program.

* The compressed version of the original infected program, p1*, is uncompressed.

* The uncompressed original program is executed.
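Because the steps above leave the file length unchanged, a defender has to compare content rather than size. The following added example (not part of the original post) records a baseline of size and SHA-256 for each file and flags files whose size matches but whose hash does not. The sample bytes, the inert `MARKER` placeholder and all function names are constructed for illustration.

```python
import hashlib
import zlib

# Constructed sample data: an inert byte string standing in for program p2.
ORIGINAL = b"\x7fELF" + b"print('hello');\n" * 64
# Inert placeholder bytes standing in for the prepended CV (not executable code).
MARKER = b"<CV-PLACEHOLDER>" * 4


def same_length_variant(original, marker):
    """Test fixture: marker + compressed original, padded to the original length."""
    packed = marker + zlib.compress(original, 9)
    if len(packed) > len(original):
        raise ValueError("sample does not compress enough to keep the length equal")
    return packed + b"\x00" * (len(original) - len(packed))


def record_baseline(files):
    """Map each file name to (size, sha256 hex digest) taken from a known-good state."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def audit(files, baseline):
    """Compare current contents with the baseline and return {name: verdict}."""
    report = {name: "missing" for name in baseline if name not in files}
    for name, data in files.items():
        if name not in baseline:
            report[name] = "new"
            continue
        size, digest = baseline[name]
        if len(data) != size:
            report[name] = "size-changed"        # a length check alone catches this
        elif hashlib.sha256(data).hexdigest() != digest:
            report[name] = "same-size-modified"  # only the hash check catches this
        else:
            report[name] = "ok"
    return report


def demo():
    clean = {"p2": ORIGINAL, "p3": b"untouched sample\n"}
    baseline = record_baseline(clean)
    current = {"p2": same_length_variant(ORIGINAL, MARKER), "p3": clean["p3"]}
    return audit(current, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored where the monitored host cannot rewrite it; otherwise the stored hashes can be altered along with the files.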
