User guide

polymorphic viruses, specially constructed scanning engines designed to identify their encryption
(encoding) schemes are able to find them. Polymorphic viruses are not undefeatable, but they have
made writing scanning programs a hard and expensive task. Most antivirus programs include a search
for decryption routines as protection against polymorphic viruses.
Retroviruses
A retrovirus is a computer virus that tries to evade capture, or to protect itself from antivirus
operations, by attacking the antivirus software itself. Experts sometimes call retroviruses
"anti-antiviruses" (not to be confused with "antivirus viruses", which are viruses written to
paralyze other viruses).
Creating a retrovirus is not a difficult task. Virus authors can, of course, obtain any antivirus
product on the market. All they have to do is study the software they want to defeat, find a weak
point in it and work out how to abuse it. For example, a retrovirus may locate the data file in
which an antivirus program stores its virus signatures and delete it, reducing the ability of the
antivirus software to detect viruses. More sophisticated retroviruses find and delete the database
of an integrity checker. Removing that database has the same consequences for the integrity
checker as removing the signature file has for the antivirus scanner.
Other retroviruses detect the activation of an antivirus program and then hide from it or stop
it, possibly starting a destructive routine before they are discovered. Some retroviruses change
the computing environment so that the operation of the antivirus program is affected. Others use
specific weak points and loopholes in individual antivirus programs to weaken or break their
operation.
Tunneling viruses
A tunneling virus searches for the original interrupt vectors of DOS and BIOS and calls them
directly, thereby bypassing any monitoring program in the system that could otherwise detect
attempts to call these interrupts.
Such tunneling methods are sometimes used by the enemies of viruses too: some antivirus programs
use them to bypass any unknown or undetected virus that might be resident in memory at the time
of their execution.
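The mechanism above, as an added simulation that is not code from the user guide or from any antivirus product: the interrupt vector table is modelled as a dictionary, handlers as callables, and a resident monitor hooks INT 21h (DOS services, function AH=40h for write) the way a resident antivirus did. The "VIRUS" marker, the handler names and the segment tags are constructed for the example. The same structure appears in modern user-mode API hooks, which direct system calls bypass in the same way.

```python
"""Simulated interrupt-vector hooking and tunneling (added example, not
code from the user guide). Real DOS tunneling works on the interrupt
vector table at 0000:0000; here the table is a dict."""

INT_21H = 0x21           # DOS services vector
AH_WRITE = 0x40          # DOS function: write to a file handle
ORIGINAL = "DOS"         # segment tag for the genuine OS handler (constructed)
vectors = {}             # simulated interrupt vector table
monitor_log = []         # calls the resident monitor actually saw


class Handler:
    """An interrupt handler: a name, the code segment it lives in, the
    routine, and for hooks the previous vector it saved and chains to."""
    def __init__(self, name, segment, routine, chain_to=None):
        self.name, self.segment = name, segment
        self.routine, self.chain_to = routine, chain_to

    def __call__(self, ah, data):
        return self.routine(self, ah, data)


def dos_int21(handler, ah, data):
    """The genuine DOS service: just reports what it was asked to do."""
    return ("DOS", ah, data)


def monitor_int21(handler, ah, data):
    """Resident antivirus monitor: logs every call, refuses writes whose
    payload carries the constructed infection marker, chains otherwise."""
    monitor_log.append((ah, data))
    if ah == AH_WRITE and b"VIRUS" in data:
        return ("BLOCKED", ah, data)
    return handler.chain_to(ah, data)


def install(vector, name, segment, routine):
    """Hook a vector the way a TSR does: remember the current handler so
    the new one can chain to it."""
    vectors[vector] = Handler(name, segment, routine, chain_to=vectors.get(vector))


def call_int(vector, ah, data):
    """The normal path: go through whatever is in the vector table."""
    return vectors[vector](ah, data)


def tunnel(vector):
    """What a tunneling virus does: follow the saved-vector chain until a
    handler in the original OS segment is found and return it, so calls
    can go there directly and never pass any monitor in front of it."""
    handler = vectors[vector]
    while handler.segment != ORIGINAL:
        if handler.chain_to is None:
            raise RuntimeError("original vector not reachable")
        handler = handler.chain_to
    return handler


def hooks_in_front(vector):
    """Used by a scanner that tunnels itself: list whatever sits between
    the vector table entry and the original handler."""
    names, handler = [], vectors[vector]
    while handler.segment != ORIGINAL:
        names.append(handler.name)
        handler = handler.chain_to
    return names


def demo():
    """Constructed scenario: DOS owns INT 21h, an antivirus TSR hooks it,
    then an infection write goes once through the table and once
    straight to the tunneled original handler."""
    vectors.clear()
    monitor_log.clear()
    install(INT_21H, "dos", ORIGINAL, dos_int21)
    install(INT_21H, "av_monitor", "TSR", monitor_int21)
    payload = b"MZ clean program" + b"VIRUS"
    through_table = call_int(INT_21H, AH_WRITE, payload)   # monitor sees it, blocks
    seen = len(monitor_log)
    original = tunnel(INT_21H)
    direct = original(AH_WRITE, payload)                    # monitor never runs
    return through_table[0], direct[0], seen, len(monitor_log), hooks_in_front(INT_21H)
```

The monitor only ever observes calls that arrive through the vector table; once the virus holds the original handler's address, the monitor's log stops growing while the write still succeeds. A scanner using the same trick would call `hooks_in_front` to see what is resident before trusting the table.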
Armored viruses
Armored viruses protect themselves with special program code that makes tracing, disassembling
and understanding the virus code difficult for antivirus researchers. An armored virus can be
shielded, for example, by an "envelope code" that draws the analyst's attention away from the real
code. Another possibility is to hide with the help of loader code that makes the virus appear to
reside at a different location.
Multipartite viruses
Multipartite viruses infect executable files, hard disk boot sectors and sometimes also floppy
disk boot sectors. Their name comes from the fact that they are not restricted to any specific disk
region or file type, but infect computers in several ways. If you execute an application infected
by a multipartite virus, the virus infects the boot sector of your machine. The virus is activated
on the next system boot and then infects any suitable program you execute.
According to the spread rate:
Fast infectors
By fast infectors we mean file viruses that infect not only executed files but also files that are
merely opened (when copying, moving, etc.).
Slow infectors
Slow viruses are hard to detect because they infect only files that are being modified or copied
by the operating system. In other words, a "slow" virus infects only the files the user is working
with. For instance, it infects a floppy disk boot sector only when that boot sector is being written
by the FORMAT or SYS command. A slow virus infects only the copy of a file, never the original.
Fighting slow viruses is difficult. An integrity checker should detect the new file and alert the
user to it, because no checksum is available for that file yet. (An integrity checker is an
antivirus application that monitors the contents of disk devices, the sizes of all files and their
checksums, and alerts the user to any inconsistency.) However, the user will probably find nothing
suspicious in the alert, because he himself issued the command that created the new file. Most
often, quite logically, he orders the checker to compute a new checksum for the new (infected)
file.
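An integrity checker of the kind described here, as an added example that is not code from the user guide or from any antivirus product. It serves both the slow infector passage above and the retrovirus passage earlier: a modified file is reported, a file that exists only as a freshly written copy shows up merely as "new" with nothing to compare against, and a deleted or edited checksum database is reported rather than silently treated as "nothing to check". The database name, the HMAC key and the file contents are constructed for the example; a real deployment would keep the key somewhere a virus running as the user cannot read it.

```python
"""Integrity checker with a signed baseline (added example, not from the
user guide). Baseline = SHA-256 and size of every file, protected by an
HMAC so that editing the database is detectable; deletion is detected by
its absence."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

DB_NAME = "integrity.db"   # hypothetical name for the checksum database


def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map each file (path relative to root) to its digest and size,
    skipping the database itself."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == DB_NAME:
                continue
            path = os.path.join(dirpath, name)
            found[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "size": os.path.getsize(path),
            }
    return found


def build_baseline(root, key):
    """Write the baseline plus an HMAC over it."""
    entries = scan_tree(root)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(os.path.join(root, DB_NAME), "w") as fh:
        json.dump({"entries": entries, "hmac": tag}, fh)
    return entries


def load_baseline(root, key):
    """Return the baseline entries, or None when the database is missing
    or its HMAC does not verify (deleted or edited by a retrovirus)."""
    path = os.path.join(root, DB_NAME)
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        db = json.load(fh)
    body = json.dumps(db.get("entries", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(db.get("hmac", ""))):
        return None
    return db["entries"]


def check(root, key):
    """Compare the tree against the baseline. 'new' files have no stored
    checksum, so the checker cannot say whether they are infected; it can
    only refuse to bless them automatically."""
    baseline = load_baseline(root, key)
    if baseline is None:
        return {"status": "database missing or tampered"}
    current = scan_tree(root)
    return {
        "status": "ok",
        "modified": sorted(f for f in baseline if f in current
                           and current[f]["sha256"] != baseline[f]["sha256"]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }


def demo():
    """Constructed scenario in a temporary directory: baseline two clean
    files, then a fast infector appends to app.exe, a slow infector
    infects only a new copy of tool.com, and a retrovirus deletes the
    database. Returns the report before and after the deletion."""
    key = b"example-key-not-for-production"   # assumption: kept off-disk in reality
    root = tempfile.mkdtemp()
    try:
        for name, data in (("app.exe", b"MZ clean program"), ("tool.com", b"clean tool")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        build_baseline(root, key)
        with open(os.path.join(root, "app.exe"), "ab") as fh:         # fast infector
            fh.write(b"VIRUS")
        with open(os.path.join(root, "tool_copy.com"), "wb") as fh:   # slow infector
            fh.write(b"clean tool" + b"VIRUS")
        report = check(root, key)
        os.remove(os.path.join(root, DB_NAME))                         # retrovirus
        after_attack = check(root, key)
    finally:
        shutil.rmtree(root)
    return report, after_attack
```

In the report, `app.exe` lands under "modified" because its stored checksum no longer matches, while `tool_copy.com` lands only under "new": the checker has nothing to compare it with, which is exactly the gap a slow infector exploits when the user accepts the new file. After the database is removed the checker reports that fact instead of returning an empty, reassuring report.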
Sparse infectors
This term is used for viruses that infect their victims only occasionally, or only when some
unlikely condition is met. They infect only sparsely, which gives them their name. This behaviour
minimizes the risk of being noticed by the user.
ZOO viruses
This term denotes viruses that do not spread in the real world at all. They exist, and antivirus
programs are able to detect them, but there is no chance of meeting them. They were created for
study purposes, or the number of their errors makes them non-viable. Some of them might be