During system operation, the virus moves via its carrier from the system's external storage into the system's internal memory, where it stays resident. The resident virus monitors the operation of the system; when it finds an attack target and the conditions are met, it copies itself from memory to the target, and so the virus spreads. The virus uses the system's INT 13h disk read/write interrupt to write itself to external storage, a floppy disk or the hard disk, and from there infects other systems.
How does an infected executable file infect a new executable file?
When an executable file (.com or .exe) is infected with a virus, such as the Black Friday virus, the virus is placed in memory when the infected file is executed.
Once in memory, it starts to monitor the operation of the system. When it finds a target to infect, it does the following:
(1) First, it checks the identification information at a specific address in the running executable file to determine whether the file has already been infected;
(2) When the condition is satisfied, it uses INT 13h to link the virus to the head, the tail or the middle of the executable file, and writes the result to disk;
(3) After the infection is complete, it continues to monitor the operation of the system and looks for new targets.
How operating system viruses are transmitted
The normal PC DOS boot process is:
(1) After power-on, the system enters the detection program and runs it to test the system's basic equipment;
(2) If the test passes, the boot program is read from side 0, track 0, sector 1 of the system disk, that is, logical sector 0, into memory at 0000:7C00;
(3) Control transfers to the boot program;
(4) The boot program determines whether the disk is a system disk. If it is not a system disk, it displays the prompt:
Non-system disk or disk error
Replace and strike any key when ready
Otherwise, it reads the two hidden files IBMBIO.COM and IBMDOS.COM;
(5) The two hidden files IBMBIO.COM and IBMDOS.COM are executed, and COMMAND.COM is loaded into memory;
(6) The system runs normally; DOS has started successfully.
If the system disk is infected with a virus, PC DOS starts differently. The process is:
(1) The virus code in the boot area is first read into memory at 0000:7C00;
(2) The virus reads all of its own code into a safe area of memory, where it stays resident and monitors the operation of the system;
(3) It modifies the entry address of the INT 13h interrupt service routine to point to the virus control module and executes it. Because no virus can infect a floppy disk or hard disk without disk read and write operations, modifying the entry address of the INT 13h interrupt service routine is an indispensable step;
(4) Once the virus program has been read into memory in full, the normal boot content is read into memory at 0000:7C00 and the normal startup process proceeds;
(5) The virus program waits, ready to infect a new system disk or non-system disk.
If it finds an object that can be attacked, the virus does the following:
(1) It reads the boot sector of the target disk into memory and determines whether the disk is already infected with the virus;
(2) When the infection conditions are met, all or part of the virus is written to the boot area, and the disk's normal boot program is written to a specific location on the disk;
(3) It returns to the normal INT 13h interrupt service routine, completing the infection of the target disk.
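
The INT 13h redirection in step (3) of the infected boot sequence is also what a defender can look for in a real-mode memory image. The following is an added example, not code from the original page: it reads the INT 13h entry from the interrupt vector table and flags a handler that sits in RAM above the BIOS-reported top of conventional memory. The function names, the sample images, and the idea that the "safe area" is hidden by lowering the base-memory word at 0040:0013 are assumptions of this example.

```python
import struct

IVT_INT13 = 0x13 * 4      # each IVT entry is 4 bytes: offset word, then segment word
BDA_BASE_MEM_KB = 0x413   # BIOS data area word: conventional memory size in KiB
VIDEO_START = 0xA0000     # end of conventional memory
ROM_START = 0xC0000       # option ROMs and the system BIOS live from here up


def int13_vector(mem: bytes) -> tuple[int, int, int]:
    """Return (segment, offset, linear address) of the INT 13h handler."""
    off, seg = struct.unpack_from("<HH", mem, IVT_INT13)
    return seg, off, ((seg << 4) + off) & 0xFFFFF


def classify_int13(mem: bytes) -> str:
    """Classify where the INT 13h vector points in a real-mode memory image."""
    if len(mem) < BDA_BASE_MEM_KB + 2:
        raise ValueError("image must cover the IVT and the BIOS data area")
    _, _, linear = int13_vector(mem)
    (base_kb,) = struct.unpack_from("<H", mem, BDA_BASE_MEM_KB)
    top_of_mem = base_kb * 1024
    if linear >= ROM_START:
        return "rom"         # unhooked: handler is in BIOS or option ROM
    if top_of_mem <= linear < VIDEO_START:
        return "hidden-ram"  # handler in RAM the BIOS no longer reports (assumed heuristic)
    return "ram"             # hooked elsewhere; DOS and drivers legitimately do this too


def make_image(seg: int, off: int, base_kb: int) -> bytes:
    """Build a constructed 2 KiB low-memory image (sample data, not a real dump)."""
    mem = bytearray(0x800)
    struct.pack_into("<HH", mem, IVT_INT13, off, seg)
    struct.pack_into("<H", mem, BDA_BASE_MEM_KB, base_kb)
    return bytes(mem)


if __name__ == "__main__":
    samples = {  # constructed values for illustration only
        "bios": make_image(0xF000, 0xEC59, 640),
        "dos-hook": make_image(0x0070, 0x00B4, 640),
        "hidden": make_image(0x9F80, 0x0010, 638),
    }
    for name, img in samples.items():
        seg, off, lin = int13_vector(img)
        print(f"{name:9s} {seg:04X}:{off:04X} -> {lin:05X} {classify_int13(img)}")
```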