JustKernel

Memory resident viruses infect the in memory programs.  They may not infect any programs directly when they are first executed,  rather, they sit and wait in memory until other programs are accessed,  and infect them then.

These kind of viruses hide themselves in some remote corner of memory (which will be rarely touched by OS) called memory hole like area allocated for Interrupt Vector Table.  IVT, located in segment 0 from offset 0 to 3FF hex in memory, the first 1024 bytes of available memory. The IVT above 80H (offset 200H to 3FFH) are used by only a very few programs. Thus a virus can simply locate its code in this space and chances are it won’t be thrown out.

There are many techniques available by which a virus can go memory resident , one of the simplest one is Interrupt 21H, function 31 H and Interrupt 27H. Both of these calls just tell DOS to terminate that program , and stay away from the memory it occupies from then on.

Originally Posted On: 2011-07-27 07:40:06

Anshul Makkar,  anshul_makkar@justkernel.com

Tags: its all positive learning., Virus