Appendix A

Computer Virus Basics

This appendix is intended to give a quick overview of malicious software for those who are not already familiar with the subject. The origins of malicious software are described, followed by a discussion of competing definitions for a virus and a worm. The structure of a simple IBM PC virus is then provided. The appendix concludes by dispelling a common misconception about how viruses and Trojans gain control from their hosts. It is shown that viruses and Trojans can utilize string matching to randomize the location of the jump instruction in the host that sends control to the malware.

A.1 Origins of Malicious Software

The origin of the modern computer virus can be traced back to 1949, when John von Neumann presented lectures that encompassed the theory and organization of complicated automata [310]. Neumann postulated that a computer program could reproduce itself. Bell Laboratories employees eventually gave life to Neumann's theory in the 1950s in a game dubbed Core Wars. In this game, two programmers would unleash software organisms and watch as the programs attempted to lay claim to the address space in which they fought. The Core Wars were described in a May 1984 issue of Scientific American [91]. Ken Thompson, winner of the prestigious ACM Turing Award, mentioned in his Turing Award lecture that he had experimented with self-replicating code as an undergraduate [300]. At that time he had challenged himself to write the smallest self-replicating ...
