How do viruses know if they've infected a file already?

Jskid (Member, Feb 12, 2011):
This just doesn't make sense to me. Consider polymorphic and metamorphic file infectors such as Virut and Simile. Correct me if I'm wrong, but all file infectors must somehow check if they've infected a given file already, right? So why don't virus scans copy the way Virut or Simile checks to see if they've already infected a file? I mean, then it would kind of make the fact that they are polymorphic/metamorphic obsolete, right?
 

Jaepheth (Platinum Member, Apr 29, 2006):
Forgive my ignorance on the subject...

But why couldn't they just infect the same file multiple times? Like humans catching multiple strains of a disease they've already been infected with.
 

Jskid (Member, Feb 12, 2011):
Jaepheth said:
> Forgive my ignorance on the subject...
>
> But why couldn't they just infect the same file multiple times? Like humans catching multiple strains of a disease they've already been infected with.

Well, I'm just speculating, but wouldn't that screw it up? Say a system only has 3 files: A, B, C. Each time any of those files runs it would infect all the files, so very quickly the virus has infected every file hundreds of times. If a file is infected hundreds of times, 1) it would be ridiculously large, 2) the virus would repeat its code hundreds of times, 3) since a single file is infected hundreds of times, the code to do the infection on other files would be run hundreds of times.

Am I missing something?
 

Jskid (Member, Feb 12, 2011):
In short wouldn't the hard drive fill up very quickly if a virus infected every file each time it ran?
 

FallenHero (Diamond Member, Jan 2, 2006):
I'm not a programmer or any sort of computer expert, but I imagine that the virus itself only creates a file for it to operate under and, once it is created, becomes dormant and only checks to ensure that file is present every so often. Or, after it changes a file, it also would change the MD5 checksum and check it against the one it has, and if it matches, then it knows not to do any more.

EDIT: It seems like you are trying to look at a computer virus like a biological one. A computer virus is created for a specific purpose with a fairly narrow set of instructions. Biological ones can mutate on the fly and generally will kill their host if left unchecked. Unless that is the purpose of the computer virus, I would think that the creator of the computer virus would prevent the death of the computer at all costs considering it is a loss of information/resources for whatever he or she is doing with it.
 

Modelworks (Lifer, Feb 22, 2007):
Normally malware checks the checksum of the file it intends to infect. If the file is one it can use, it then places itself on the drive, usually naming itself with a randomly created name so you can't just search for xxx.exe and find it. To make it harder to locate, some malware will use run-time-generated code.

Antivirus software looks for programs with preset bits of code organized in patterns it recognizes. A trick malware uses to get around that is to create a file that consists of the actual virus program code and run that file. Antivirus gets fooled because until the malware creates the virus code and writes it to disk there is nothing to detect. Malware can create the file, execute the code, then delete the file, and there is nothing to find until it runs again.
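The question opening the thread (whether a scanner can simply reuse the infector's own "already infected?" test) and the two answers above (an infection marker the infector leaves in the file, or a checksum the infector keeps of files it has already touched) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from Virut or Simile; it operates on in-memory byte strings that stand in for files, and the marker bytes, payload and file contents are constructed for the demo and do not correspond to any real infector.

```python
"""Toy model of an infection marker and of a hash ledger, on byte strings only.
MARKER, PAYLOAD and the sample 'files' are constructed for this example."""
import hashlib

MARKER = b"\x00MRK1"          # hypothetical infection marker, stamped after the payload
PAYLOAD = b"[payload-body]"   # stands in for the infector's own code


def is_marked(host, marker=MARKER):
    """The infector's own test: did an earlier run already stamp this file?"""
    return host.endswith(marker)


def infect(host, marker=MARKER):
    """Append payload + marker exactly once; a second call is a no-op."""
    if is_marked(host, marker):
        return host
    return host + PAYLOAD + marker


def infect_repeatedly(host, runs):
    """Model the thread's worry: every execution tries to infect every file."""
    for _ in range(runs):
        host = infect(host)
    return host


def scan_for_marker(files, marker=MARKER):
    """A scanner that reuses the infector's check, as the opening post proposes.
    Returns the sorted names of files carrying the marker."""
    return sorted(name for name, data in files.items() if is_marked(data, marker))


class HashLedger:
    """The checksum alternative: the infector remembers a hash of each file it
    wrote and treats a matching hash as 'already done'."""

    def __init__(self):
        self._seen = set()

    def remember(self, data):
        self._seen.add(hashlib.sha256(data).digest())

    def already_infected(self, data):
        return hashlib.sha256(data).digest() in self._seen


def demo():
    files = {"A.exe": b"A" * 64, "B.exe": b"B" * 64, "C.exe": b"C" * 64}
    once = {n: infect(d) for n, d in files.items()}
    hundred = {n: infect_repeatedly(d, 100) for n, d in files.items()}

    # A metamorphic variant that rewrote its marker along with its body:
    # the marker-based scanner above knows nothing about it.
    variant = files["A.exe"] + PAYLOAD + b"\x00MRK2"

    # The hash ledger breaks as soon as the host file changes for any reason
    # (here: four bytes of the host are 'updated' after infection).
    ledger = HashLedger()
    infected_a = infect(files["A.exe"])
    ledger.remember(infected_a)
    patched_a = infected_a.replace(b"A" * 4, b"a" * 4, 1)

    return {
        "grows_once": len(once["A.exe"]) == 64 + len(PAYLOAD) + len(MARKER),
        "stable_after_100_runs": hundred == once,
        "scanner_finds": scan_for_marker(once),
        "scanner_misses_variant": scan_for_marker({"A.exe": variant}),
        "ledger_knows_own_output": ledger.already_infected(infected_a),
        "ledger_forgets_after_update": ledger.already_infected(patched_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the model shows that the posts only hint at. The marker check does exactly what the thread expects: a hundred runs over three files leave each file infected once, so the disk-filling scenario does not happen. But a scanner that copies the check inherits its weaknesses: it matches one variant's marker only (the `MRK2` variant is invisible to it), and a few fixed bytes at a fixed position are a weak signature that a legitimate file can carry by accident. The checksum approach is even less useful to a scanner, because the ledger of "files I already touched" lives inside the malware, not in the file, and it stops working the moment the host file is legitimately modified.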
 

LiuKangBakinPie (Diamond Member, Jan 31, 2011):
This is what happens:
A. Installation:
1. In general, Trojans install themselves in c:\windows or c:\windows\system32.
2. If I am a DLL Trojan, I will probably be given a random name on every machine to make removal harder.
3. If I am an .exe Trojan, I will hide myself using the "hidden" and "system" attributes.
4. I will drop myself in less suspected folders like c:\program files\windows media player.
B. Spreading:
1. I will copy myself to all available partitions and removable media with autorun.inf files.
C. Payload:
I will name the payloads that don't go away when the Trojan is removed:
1. Compromises network security
2. Compromises system security
3. Disables services
4. Modifies the HOSTS file
5. Modifies the system registry
6. Disables System Restore
7. ..................................
D. Protecting myself:
I will protect myself against the virus-removal tools ("I won't name myself LiuKang because I am the Trojan now"):
1. I will modify the HOSTS file and the registry to block the user from reaching security vendors' websites.
2. I will terminate (or try to) the existing antivirus or the analysis tools (debuggers, monitoring tools, ...).
3. I will use rootkit methods to hide myself.
4. I will run myself as a service.
5. I will change the policies on the system so the user won't be able to use the standard system tools to get rid of me.
6. I will pack myself (Comodo can't be fooled, it flags any packed program as suspicious, but I don't think there is anybody running Comodo antivirus).
7. I will make myself trusted by the great Windows Firewall.
8. Disable safe boot.
9. So am I protected or not? (There are more advanced things to do, but I don't want to mention them, as I don't want to make wannabe malware-writing noobs wise.)
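Of the self-protection steps listed in the post above, the HOSTS-file modification (C.4 and D.1) is the one a responder can check for offline with a few lines of code. The following is an added example, not code from the thread: it parses a HOSTS file and reports entries that point vendor or update domains at a sinkhole address (127.0.0.1, 0.0.0.0, ::1) or redirect them to some other host. The watch list of domains and the sample file contents are constructed for this demo; the 192.0.2.44 address is from the documentation range and stands in for an attacker-chosen redirect.

```python
"""Flag HOSTS-file entries that sinkhole or redirect security vendor domains.
The watch list and the sample file are constructed for this example."""
import ipaddress

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
LEGIT_LOCAL = {"localhost", "localhost.localdomain"}

# Hypothetical watch list; substitute the vendor and update domains you care about.
WATCHED_DOMAINS = ("kaspersky.com", "mcafee.com", "symantec.com",
                   "microsoft.com", "windowsupdate.com")

# Constructed sample: a stock header, the default localhost lines, then
# three lines of the kind a Trojan would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.kaspersky.com downloads.kaspersky.com
127.0.0.1       update.microsoft.com   # added by the Trojan
192.0.2.44      downloads.mcafee.com
127.0.0.1       ads.example.net
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in the file.
    Comments, blank lines and lines with an unparsable address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an address, so not a usable mapping
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def _is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return (line_number, ip, host, reason) for watched domains that the file
    sinkholes or redirects. Stock localhost lines are ignored; unrelated
    sinkhole entries (ad blocking, for instance) are left alone."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in LEGIT_LOCAL and ip in SINKHOLES:
            continue
        if not _is_watched(host):
            continue
        reason = "sinkholed" if ip in SINKHOLES else "redirected"
        findings.append((lineno, ip, host, reason))
    return findings


if __name__ == "__main__":
    for lineno, ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (lineno, host, ip, reason))
```

To run it against a live machine, read the real file into `suspicious_entries` instead of `SAMPLE_HOSTS`; on Windows it lives at `%SystemRoot%\System32\drivers\etc\hosts`, on Unix-like systems at `/etc/hosts`. An empty result does not clear the host, since the post also lists registry and policy changes, but a non-empty one is a cheap, high-confidence indicator that something has been tampering with name resolution.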