By using these calls the virus then searches for files and infects them.
While infection the virus incorporates its code into the middle of the file
to the end of first section. The virus looks for gap in the virtual image
of file: if there is enough free space between first and second section in
virtual image (addresses in the memory, not in disk file – the virus avoids
overlapping sections on loading file into the memory), the virus shifts the
rest of the file down by 1024 bytes, writes its code into this cave,
modifies entry point address and fix section headers.
|Find out the statistics of the threats spreading in your region|