BACK

Infection Phase

Virus writers have to balance how and when their viruses infect against the possibility of being detected. Therefore, the spread of an infection may not be immediate.

Modern viruses have become more selective about when they infect. Being selective improves the virus' chance to spread; if they infect too often, they will tend to be detected before they have enough time to spread widely. Virus writers want their programs to spread as far as possible before anyone notices them. 

Many viruses go resident in the memory of your PC in the same or similar way as terminate and stay resident (TSR) programs. This means the virus can wait for some external event before it infects additional programs. The virus may silently lurk in memory waiting for you to access a diskette, copy a file, or execute a program, before it infects anything. This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use for their infection.

Standard (640K) memory is not the only memory vulnerable to viruses. It is possible to construct a virus which will locate itself in upper memory (the space between 640K and 1M) or in the High Memory Area (the small space between 1024K and 1088K).

Resident viruses frequently take over portions of the system software on the PC to hide their existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet avoid detection.

Summary

Viruses balance infection versus detection possibility.

Some viruses use a variety of techniques to hide themselves.