File Viruses

Although file infectors are the most numerous type of virus, they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

In terms of the sheer number of viruses, file viruses are the largest group. However, because of bugs in the virus code, they are not the most widely spread. System sector viruses (and recently, macro viruses) account for more infections in the wild.

The simplest file viruses work by locating a type of file they know how to infect (usually a file name ending in .COM or .EXE) and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered.

The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes so that everything appears normal.

Just as system sector viruses can remain resident in memory and use stealth techniques to hide their presence, file viruses can hide this way too. If you do a directory listing, you will not see any increase in the length of the file, and if you attempt to read the file, the virus will intercept the request and return your original uninfected program to you.

Some file viruses (such as 4096) infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have various extensions, but .OVR and .OVL are common. Files with the extension .DLL are also capable of being infected. Indeed, as operating systems become more advanced, more types of file typically become able to contain executable code and are thus vulnerable to infection.
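The changes described above (content overwritten in place, or code inserted so the file grows) can be caught by comparing program files against a known-good baseline. The following is an added example, not code from the original page: it records length and SHA-256 for the file types named above and classifies any difference. The function names, finding labels and sample files are assumptions made for illustration, and the sample bytes are constructed filler.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the page names as infectable.
TARGET_EXTS = {".com", ".exe", ".ovr", ".ovl", ".dll"}

def snapshot(root):
    """Return {relative path: (length, sha256)} for target files under root."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXTS:
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def compare(baseline, current):
    """Classify each difference between two snapshots."""
    findings = {}
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings[path] = "new"
        elif digest != baseline[path][1]:
            delta = size - baseline[path][0]
            # Same length, new content fits an overwrite; growth fits inserted code.
            findings[path] = "same-length-change" if delta == 0 else f"length{delta:+d}"
    for path in baseline.keys() - current.keys():
        findings[path] = "missing"
    return findings

def demo():
    """Constructed sample: harmless filler bytes stand in for programs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"A.COM": b"\x11" * 100, "B.EXE": b"MZ" + b"\x00" * 98,
                 "C.OVL": b"\x01" * 100, "NOTES.TXT": b"text"}
        for name, data in files.items():
            (root / name).write_bytes(data)
        baseline = snapshot(root)
        # Simulate both kinds of change with placeholder bytes.
        (root / "A.COM").write_bytes(b"\xAA" * 20 + files["A.COM"][20:])  # same length
        (root / "B.EXE").write_bytes(files["B.EXE"] + b"\xBB" * 64)      # 64 bytes longer
        (root / "NOTES.TXT").write_bytes(b"changed")                      # not a target type
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(path, finding)
```

Because a resident stealth virus returns the original length and contents to any program that asks, a comparison like this only means something when it is run from a system known to be clean, such as one booted from trusted media.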

Summary

File viruses number in the thousands, but are not the most widely found in the wild.

File viruses have a wide variety of infection techniques and infect a large number of file types.