An Append Virus or Appending Virus is a type of virus that doesn’t destroy the program or file it attaches to; it modifies the file just enough to carry the virus code, so the virus can execute and spread while the host file keeps working. This type of virus is harder to detect than one that permanently destroys the program or file it is attached to.
How does it work?
Append viruses go through several steps. First, the virus locates a file on the machine it is on and records that file’s exact size. It then takes a snapshot of what the file looked like before the infection and keeps it for later. The next step is to check whether the file is already infected. The virus can only recognize its own marker: if the file happens to be infected by a different kind of virus, the process may fail or be affected in other ways.
After confirming that the chosen file does not already contain a copy of the append virus, the virus copies itself to the very end of the program file. This makes the file slightly larger than before, which would, in theory, be noticeable. The virus then restores the attributes from the snapshot it took, to hide that the file has been modified.
The infected files are usually executables such as .bat or .exe files, though not always. As the last step of the infection process, the appending virus redirects the file’s entry point: when the file is opened, rather than running from the original start, execution goes to the virus first. That way, the virus runs in the background each time the file is opened.
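The steps above give a defender a concrete lesson: because the virus restores the file's attributes after appending to it, a check that only compares attributes such as modification time will miss the change, while the size and the content hash still move. The following script is an added example, not code from the original article; it takes a baseline of size, mtime and SHA-256 for every file under a directory, then verifies the directory against it. The demo function simulates the scenario the text describes by appending constructed filler bytes to one file and restoring its timestamps with `os.utime` (this assumes the restored attributes include the modification time, which the article does not spell out). The resulting list of flagged files is exactly the list an operator would need to repair one by one.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Baseline record per file: (size in bytes, mtime, SHA-256 of content).
Baseline = Dict[str, Tuple[int, float, str]]


def sha256_of(path: str) -> str:
    """Hash the file contents in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> Baseline:
    """Record size, mtime and content hash for every regular file under root."""
    baseline: Baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (st.st_size, st.st_mtime, sha256_of(path))
    return baseline


def verify(root: str, baseline: Baseline) -> Dict[str, List[str]]:
    """Return {relative path: [reasons]} for every file whose size or content changed.

    An unchanged mtime is deliberately NOT treated as proof of integrity: the content
    hash decides, and a matching mtime next to a changed hash is itself reported.
    """
    findings: Dict[str, List[str]] = {}
    for rel, (size, mtime, digest) in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings[rel] = ["missing"]
            continue
        st = os.stat(path)
        reasons: List[str] = []
        if st.st_size != size:
            reasons.append(f"size {size} -> {st.st_size}")
        if sha256_of(path) != digest:
            reasons.append("content hash changed")
        if reasons and abs(st.st_mtime - mtime) < 1e-6:
            reasons.append("mtime unchanged despite modification (attribute restored)")
        if reasons:
            findings[rel] = reasons
    return findings


def run_integrity_demo() -> Dict[str, List[str]]:
    """Simulate the scenario from the text on constructed files: append, then restore mtime."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files; the contents are filler, not real programs.
        for name, body in (("a.exe", b"A" * 1000), ("b.exe", b"B" * 1000), ("c.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = take_baseline(root)

        target = os.path.join(root, "a.exe")
        before = os.stat(target)
        with open(target, "ab") as f:
            f.write(b"X" * 64)  # constructed filler standing in for appended bytes
        # Restore the timestamps, as the article says the virus restores attributes.
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

        return verify(root, baseline)


if __name__ == "__main__":
    for rel, reasons in run_integrity_demo().items():
        print(rel, "->", "; ".join(reasons))
```

In practice the baseline would be stored somewhere the infected machine cannot rewrite (read-only media or a separate host); a baseline kept beside the files it protects can be rewritten by the same code that modified them.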
To the user, there might not even be a noticeable difference, as the rest of the file can still function normally. The precise kind of harm and effect the virus has (beyond copying itself) depends on the intent of the creator. Viruses can accomplish all sorts of malicious purposes – and append viruses can be used for many different things as well.
Catching the virus
Because of the covert nature of this type of virus, anti-virus software often has trouble finding it. A well-written append virus will encrypt itself to hide. The virus body itself is usually not what the anti-virus software looks for: each copy of the virus in each file it infects looks slightly different, so the detection program can’t simply search for a fixed pattern the way it would with other types of viruses.
Instead, the anti-virus program has to look for the one part that is identical in every copy of the virus: the decryption module. A virus that encrypts itself differently from file to file also needs code that can decrypt it, and that code must run before anything is decrypted, so it stays unchanged across files and always looks the same. It is that small, constant part that detection programs look for, and having so little to look for is what makes finding these viruses so difficult.
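To make the point in the previous two paragraphs concrete, here is an added example (not code from the original article) that contrasts the two signature choices on constructed byte blobs. Three "copies" share the same placeholder stub bytes but carry a payload XOR-ed with a different per-copy key; a fourth blob is clean. A signature cut from the payload as it appears in one copy matches only that copy, while a signature on the invariant stub matches all three. The stub and payload bytes are constructed placeholders with no meaning, and the XOR layout is illustrative only.

```python
from typing import Dict, List

# Constructed placeholders, not real code: the stub is the part the text says stays
# identical in every copy; the payload is the part that differs once encrypted.
DECRYPTOR_STUB = b"\xde\xc0\xde\x01\x02\x03"
ORIGINAL_PAYLOAD = b"constructed payload bytes that would be different in every copy"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here only to vary the constructed payload per copy."""
    return bytes(b ^ key for b in data)


def constructed_sample(host: bytes, key: int) -> bytes:
    """Test fixture: host bytes, then the invariant stub, then the per-copy varied payload."""
    return host + DECRYPTOR_STUB + bytes([key]) + xor(ORIGINAL_PAYLOAD, key)


def scan(samples: Dict[str, bytes], signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return, per signature name, the names of the samples containing that byte sequence."""
    hits: Dict[str, List[str]] = {name: [] for name in signatures}
    for sample_name, data in samples.items():
        for sig_name, sig in signatures.items():
            if sig in data:
                hits[sig_name].append(sample_name)
    return hits


def run_signature_demo() -> Dict[str, List[str]]:
    samples = {
        "copy1": constructed_sample(b"host program one", 0x11),
        "copy2": constructed_sample(b"host program two", 0x42),
        "copy3": constructed_sample(b"host program three", 0x7F),
        "clean": b"host program with nothing appended",
    }
    signatures = {
        # A signature taken from the payload as it appears in copy1 (varied with key 0x11).
        "payload_as_seen_in_copy1": xor(ORIGINAL_PAYLOAD, 0x11)[:16],
        # A signature on the stub, which is the same in every copy.
        "decryptor_stub": DECRYPTOR_STUB,
    }
    return scan(samples, signatures)


if __name__ == "__main__":
    for sig_name, matched in run_signature_demo().items():
        print(f"{sig_name}: {matched}")
```

The same asymmetry is why the stub signature has to be short and specific: it is the only stable bytes available, and a stub that is too generic produces false positives on unrelated programs.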
The more files are infected, the higher the odds of being detected by the program. This means early infections are harder to find and fix, especially for well-written, new viruses. The longer a virus has been in circulation, the easier and faster anti-virus programs can find it. This is true of any virus, of course, but it’s particularly relevant for appending viruses.
Removing an append virus
Since the virus copies itself into multiple files, each file needs to be repaired in order to fully get rid of the infection. If even one file is missed, the virus can come back and re-infect the others. Once the infection has been found, even if it wasn’t removed fully, it will likely be easier to discover a second time, but it’s still important to clean every infected file.
In the case of infected programs, it can be easiest to uninstall and reinstall them entirely. This makes sure you start out with a ‘clean’ copy of the files again. It is possible, however, to install programs that are already infected. This is particularly a risk with pirated programs or those from unofficial sources. Beyond that, keeping up regular anti-virus maintenance is a good way to prevent and identify infections of this type. Similarly, it’s important to make sure that whatever anti-virus program you use is up to date. You’ll also want the most recent available version of the known virus signatures. This helps identify recently discovered viruses, including signatures for viruses of this type.
Note: If you still prefer to pirate things, there’s one type of software you should never pirate: antivirus software. Essentially all pirated versions of antivirus software are not only useless but are actively malware. If you don’t want to pay for antivirus software, there are legitimate free versions you should use instead.
Conclusion
Append viruses take their name from how they infect files. They append themselves to the end of the file and then adjust how the file runs so that the virus is called first. Like most viruses, modern append viruses use encryption to hide from signature-based antivirus. This leaves heuristic detection and detection of the decryption function as methods to find the virus. As a virus that infects other files, append viruses can be hard to deal with. A single missed infected file can lead to a complete system reinfection.