File virus, Parasitic virus

File viruses (or parasitic viruses) use arbitrary existing files as hosts. Usually the virus prepends the body of its code to the beginning of the host file, or appends it to the end. In that case the original file contents remain intact, except that the OEP (original entry point) is modified so that the virus code is executed before the original, legitimate code. This method of infection ensures that the virus code will be executed each time the infected file is launched, and also provides a means of spreading.
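In the appending case described above, a Windows PE file ends up with its entry point in the last section rather than in the code section. The following Python code is an added example, not part of the original entry: it parses the PE headers and reports that condition, plus whether the entry-point section is writable. The two sample headers and the helper `make_header` are constructed for the demonstration, and both checks are heuristics that legitimate packers can also trigger.

```python
import struct

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def entry_point_findings(data):
    """Return heuristic findings about where a PE file's entry point lands."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsec,) = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    (ep,) = struct.unpack_from("<I", data, pe + 24 + 16)   # AddressOfEntryPoint (RVA)
    table = pe + 24 + opt_size                             # first section header
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        if vaddr <= ep < vaddr + vsize:
            findings = []
            if nsec > 1 and i == nsec - 1:
                findings.append(f"entry point is in the last section ({name})")
            if chars & MEM_WRITE:
                findings.append(f"entry point section {name} is writable")
            return findings
    return ["entry point is outside every section"]

def make_header(ep, sections):
    """Constructed minimal PE32 headers: sections = [(name, rva, vsize, flags)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, ep).ljust(224, b"\0")
    tab = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, fl)
        for n, va, vs, fl in sections)
    return dos + coff + opt + tab

CODE, DATA = MEM_EXECUTE | MEM_READ, MEM_READ | MEM_WRITE
CLEAN = make_header(0x1200, [(b".text", 0x1000, 0x800, CODE), (b".data", 0x2000, 0x400, DATA)])
# Constructed: same layout, but the entry point now lands in the last, writable section.
SUSPECT = make_header(0x2300, [(b".text", 0x1000, 0x800, CODE), (b".data", 0x2000, 0x400, DATA | MEM_EXECUTE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entry_point_findings(image))
```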

In some instances, a file-infecting virus may damage the host file when infecting it by erasing or overwriting parts of the host file. In this case, the host file may no longer run correctly, although it will still be able to spread the virus.

Executable files often end in extensions like .COM, .DLL, .EXE and .SYS under Windows. Some file viruses might be scripts that are interpreted by other programs and end in extensions like .BAT (a batch file) or .VBS (a Visual Basic program).

From the perspective of an AV engine, viruses need to be disinfected in order to recover the original file, unlike trojans and worms, which are cleaned by simply deleting them (and fixing residual damage such as gimmicked registry settings). In the event that a file virus damaged the host file by overwriting portions of it, disinfection is not an option.

While file viruses were more common in the DOS era than in the Windows era, several modern examples do exist, such as the Ramnit, Sality and Virut families, which regularly show up around the globe.

See also: Companion Virus, Overwriting Virus, Virus
