As we all know, vipro viruses usually infect executable files on a computer.
Observation shows that this virus works by file bundling, so in theory every executable file can be infected. Therefore, after such a virus is detected, all programs must be updated to avoid repeating the same mistakes. In the infected files, however, we found a strange phenomenon: some icons are blurred.
Infected icon (Figure 1)
Normal icon (Figure 2)
What is the cause? With this question in mind, I opened the icon of the original program.
The icon shown in the figure is the one displayed after infection, yet this file is not infected. Why? It turns out that icon designers, out of diligence or habit, design multiple icons so that the icon displays correctly and clearly in different system environments and at different icon sizes. A file therefore carries several icons in different color modes, shapes and sizes.
Let's take a look at the original icon to get a better idea of the icon sizes.
With this understood, we can explain the principle of virus bundling. When the virus bundles (packs and merges) a normal file, it usually reads that file's icon, and it selects the first icon stored in the file, that is, the icon we see in 2.
In this case, if the icon at the first position of a file is very small, then whenever the displayed size is greater than the size of that icon, the icon is enlarged. You may ask why some icons are not blurred. Here is a simple example.
In the two figures above we can see two identical icons, one from a virus-infected file and the other from a normal file. So what is the difference?
From the previous section we know how the virus reads the icon. Can we guess that the designer of this file created only a 256-color icon for it and did not consider a 16-color icon?
As shown in the figure, our conclusions are confirmed.
The attentive reader may wonder why the icon of the "Courier" software in Figure 1 is gone, replaced by a strange icon. If your computer has been infected, it is not hard to notice that the icons of some files have become strange. What do these files have in common? Is this the virus writer's doing? We follow the same idea as before and open the icon of a normal file.
It is not difficult to see that the author of this file did not create a second icon of a different size or color mode, but created just one icon for the file.
Perhaps this is the virus writer's negligence: the bundler he wrote cannot recognize the icon of a file that has only one icon. It treats the case as "the file does not have an icon" and replaces the icon with a self-made one.
This finally proves our initial conjecture: the virus writer set only one icon color mode and one shape and size for infected files and did not fully consider how icons are displayed in different system environments. As a result, a file's icon becomes blurred after virus infection.
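The three outcomes described above (first small icon kept and enlarged, a single 256-color icon left sharp, a lone icon replaced) can be checked by comparing icon directories. The following Python sketch is an added example, not code from the original article. It assumes the icons have already been extracted as `.ico` data from a known-good copy and a suspect copy of the same program; the function names, finding labels and sample directories are constructed for illustration.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), entry count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset

def parse_icon_dir(data):
    """Return [(width, height, bits_per_pixel), ...] in stored order."""
    if len(data) < ICONDIR.size:
        raise ValueError("truncated icon directory")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO icon directory")
    if len(data) < ICONDIR.size + count * ICONDIRENTRY.size:
        raise ValueError("truncated icon directory")
    entries = []
    for i in range(count):
        off = ICONDIR.size + i * ICONDIRENTRY.size
        w, h, colors, _, _, bpp, _, _ = ICONDIRENTRY.unpack_from(data, off)
        if bpp == 0 and colors:          # depth omitted: derive it from the palette size
            bpp = (colors - 1).bit_length()
        entries.append((w or 256, h or 256, bpp))   # a stored 0 means 256 pixels
    return entries

def icon_findings(original, suspect, display_px=32):
    """Heuristic comparison of a known-good icon directory with a suspect copy's."""
    orig, sus = parse_icon_dir(original), parse_icon_dir(suspect)
    if not sus:
        return ["no-icon"]
    findings = []
    if len(sus) == 1 and len(orig) > 1 and sus[0] == orig[0]:
        findings.append("only-first-icon-kept")      # bundler copied entry 0 only
    if max(w for w, _, _ in sus) < display_px:
        findings.append("upscaled-at-%dpx" % display_px)  # will look blurred
    if sus[0] not in orig:
        findings.append("icon-replaced")             # not one of the original icons
    return findings

def build_dir(entries):
    """Constructed sample data: directory headers only, no image bytes."""
    out = ICONDIR.pack(0, 1, len(entries))
    for w, h, bpp in entries:
        colors = (1 << bpp) if bpp < 8 else 0
        out += ICONDIRENTRY.pack(w % 256, h % 256, colors, 0, 1, bpp, 0, 0)
    return out

ORIGINAL = build_dir([(16, 16, 4), (32, 32, 4), (32, 32, 8), (48, 48, 8)])
INFECTED = build_dir([(16, 16, 4)])   # constructed: only the first, small icon survives
print(icon_findings(ORIGINAL, INFECTED))
```

The comparison looks only at size and color depth, so a replacement icon with the same dimensions and depth as an original entry would not be reported as replaced.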