Spacefiller (Cavity) Virus

Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.

A spacefiller (cavity) virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A spacefiller virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a spacefiller virus.

Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare...however... A new Windows file format known as Portable Executable (PE) is designed to make loading and running programs faster. While a great goal, the implementation has the effect of leaving potentially large gaps in the program file. A cavity (spacefiller) virus can find these gaps and insert itself into them. The CIH virus family takes advantage of this new file format. There will likely be more.

Summary

• A spacefiller (cavity) virus attempts to install itself inside of the file it is infecting.
• In the past this was difficult to do properly, but new file formats make it easier.