Fast and Slow Infectors

A fast infector infects any file accessed, not just run. A slow infector only infects files as they are being created or modified.

The term fast or slow when dealing with viruses pertains to how often and under what circumstances they spread the infection.

Typically, a virus will load itself into memory when an infected program is run. It sits there and waits for other programs to be run and infects them at that time.

Fast: A fast infector infects programs not just when they are run, but also when they are simply accessed. The purpose of this type of infection is to ride on the back of anti-virus software to infect files as they are being checked. By its nature, anti-virus software (a scanner, in particular) opens each file on a disk being checked in order to determine if a virus is present. A fast infector that has not been found in memory before the scanning starts will spread itself quickly throughout the disk.

Slow: A slow infector does just the opposite. A slow infector will only infect files when they are created or modified. Its purpose is to attempt to defeat integrity checking software by piggybacking on top of the process which legitimately changes a file. Because the user knows the file is being changed, they will be less likely to suspect the changes also represent an infection. By its nature (and because executable code is not usually changed) a slow infector does not spread rapidly and if the integrity checker has a scanning component it will likely be caught. Also, an integrity checker that is run on a computer booted from a known-clean floppy disk will be able to defeat a slow infector.

Summary

  • A fast infector infects programs when they are accessed, not just when run. This type of virus is designed to ride on the back of anti-virus scanners and can quickly infect an entire disk if not found before the scan is performed.
  • A slow infector infects programs only when they are created or modified. This type of virus is designed to defeat integrity checkers but can usually be found if the checker has a scanner component or is started properly.
Up Arrow How Viruses Infect Up Arrow
Prior Page Next Page
Stealth Viruses and Rootkits Sparse Infectors