• Trigger: The event or condition that determines when the payload is activated or delivered.
• Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.

A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.

Once a virus has gained entry to a system by infecting a single program, it is in a position to infect some or all other executable files on that system when the infected program executes. Thus, viral infection can be completely prevented by preventing the virus from gaining entry in the first place. Unfortunately, prevention is extraordinarily difficult because a virus can be part of any program outside a system. Thus, unless one is content to take an absolutely bare piece of iron and write all one's own system and application programs, one is vulnerable. The lack of access controls on early PCs is a key reason why traditional machine-code-based viruses spread rapidly on these systems. In contrast, while it is easy enough to write a machine-code virus for UNIX systems, such viruses were almost never seen in practice because the access controls on these systems prevented effective propagation of the virus.
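As an added defensive example (not from the text), the following Python integrity checker records the size and SHA-256 digest of every executable in a known-clean state and later flags any file whose bytes changed: code prepended or postpended to a program changes both its length and its content, and even a same-length alteration still changes the digest. The file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Fingerprint every regular file below root (the known-clean state)."""
    root = Path(root)
    return {str(p.relative_to(root)): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root, baseline):
    """Compare the tree against the baseline and return {relpath: reason}.
    'size+content': length changed (a simple prepend/append grows the file);
    'content': bytes changed but length did not; 'missing'/'new': file set changed."""
    findings = {}
    current = build_baseline(root)
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
            continue
        cur_size, cur_digest = current[rel]
        if cur_size != size:
            findings[rel] = "size+content"
        elif cur_digest != digest:
            findings[rel] = "content"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new"
    return findings


def demo():
    """Constructed scenario: two stand-in 'executables' (plain data files)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "prog_a.bin").write_bytes(b"ORIGINAL PROGRAM A CODE")
        (root / "prog_b.bin").write_bytes(b"ORIGINAL PROGRAM B CODE")
        baseline = build_baseline(root)
        # Extra bytes placed in front of prog_a: length and digest both change.
        (root / "prog_a.bin").write_bytes(b"MARKER" + (root / "prog_a.bin").read_bytes())
        # Same-length tampering of prog_b: only the digest reveals it.
        (root / "prog_b.bin").write_bytes(b"ALTERED  PROGRAM B CODE")
        return verify_baseline(root, baseline)
```

A length-only check would miss prog_b; the digest comparison catches both files.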
In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program. An infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program first seeks out uninfected executable files and infects them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program.

Compression Virus
A virus such as the one just described is easily detected because an infected version of a program is longer than the corresponding uninfected one. A way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. The code shown in Figure shows in general terms the logic required. The key lines in this virus are numbered, and Figure illustrates the operation. In this example, the virus does nothing other than propagate. As in the previous example, the virus may