A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting. This is difficult but has become easier with new file formats designed to make executable files load and run faster.
A spacefiller (cavity) virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A spacefiller virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a spacefiller virus.
Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare. However, a new Windows file format known as Portable Executable (PE) is designed to make loading and running programs faster. While a great goal, the implementation has the effect of leaving potentially large gaps in the program file. A cavity (spacefiller) virus can find these gaps and insert itself into them. The CIH virus family takes advantage of this new file format. There will likely be more.
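Because a cavity infection leaves the file length unchanged, a size comparison will not reveal it; one heuristic is to check whether the alignment padding at the end of each PE section, which linkers normally fill with zeros, contains data. The following is an added example, not code from the original page: the function names and the minimal sample image are constructed for illustration, and non-zero padding is only a lead to investigate, not proof of infection.

```python
import struct

def section_slack(data: bytes):
    """Return (name, slack_len, nonzero_bytes) for each section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                          # first section header
    results = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<4I", data, hdr + 8)
        if vsize == 0 or vsize >= raw_size:
            results.append((name, 0, 0))                    # no padding to inspect
            continue
        # Bytes stored on disk past the section's real content: the "gap".
        slack = data[raw_ptr + vsize:raw_ptr + raw_size]
        results.append((name, len(slack), len(slack) - slack.count(0)))
    return results

def build_sample(slack_fill: bytes) -> bytes:
    """Constructed, non-loadable PE-like image with one .text section."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)            # i386, one section
    struct.pack_into("<H", img, 0x54, 0)                    # no optional header (sample only)
    # .text: 0x120 bytes of content stored in a 0x200-byte file-aligned slot
    struct.pack_into("<8s4I", img, 0x58, b".text", 0x120, 0x1000, 0x200, 0x200)
    img[0x200:0x320] = b"\x90" * 0x120
    img[0x320:0x320 + len(slack_fill)] = slack_fill         # bytes placed in the gap
    return bytes(img)

if __name__ == "__main__":
    print("clean   :", section_slack(build_sample(b"")))
    print("modified:", section_slack(build_sample(b"\xCC" * 64)))
```

Comparing this report against a known-good copy of the same file is more reliable than judging one file alone, since some build tools leave their own data in padding.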
- A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting.
- In the past this was difficult to do properly, but new file formats make it easier.