This type of virus infects EXE files. An EXE file is a binary
executable file. EXE files can be 16-bit or 32-bit. 16-bit
executable files are intended for 16-bit operating systems such as
DOS and Windows 3.xx. 32-bit executable files are used in modern
operating systems such as Windows. Both 16-bit and 32-bit
executable files have headers. A header is a data area that
precedes the executable code and contains vital information about
the file (for example, all headers contain an entry point address,
the place where execution of the file starts).
An EXE infector can be prepending (writes itself before the
original file), appending (writes itself to the end of the
original file), overwriting (overwrites the original file with
its own code), inserting (inserts itself into gaps inside the
original file), companion (renames the original file and writes
itself under the original file's name) or cavity infector (writes
itself between the file sections of a 32-bit file). An EXE
infector can be memory resident or non-memory resident. Memory
resident viruses stay active in memory, trap one or more system
functions (usually interrupt 21h or Windows file system hooks) and
infect files as they are accessed. Non-memory resident viruses
search for EXE files on a hard disk and infect them.
An EXE infector can be non-encrypted, encrypted or polymorphic.
An encrypted or polymorphic virus consists of one or more
decryptors and a main code. A decryptor decrypts the main virus
code before it can be started. Encrypted viruses usually use
fixed-key or variable-key decryptors, while polymorphic viruses
have decryptors that are randomly generated from processor
instructions and contain many commands that play no part in the
decryption process.
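As an added example, not part of this description, the following Python script reads the headers mentioned above (the MZ header, the 32-bit PE header and its section table) and reports where the entry point lands; an entry point in a newly appended last section, or in a writable section, is the kind of anomaly that an appending or cavity infector with a decryptor leaves behind. The PE builder and its sample section layouts are constructed for the example; the field offsets and section flags are those of the PE format.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry point RVA, [(name, vaddr, vsize, characteristics)]) of a 32-bit PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]                # file offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("16-bit DOS executable or damaged header: no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    sec_off = e_lfanew + 24 + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry_rva, sections


def entry_point_anomalies(data):
    """Heuristic triage: describe where the entry point lands relative to the section table."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = [s for s in sections if s[1] <= entry_rva < s[1] + s[2]]
    if not home:
        return ["entry point outside every section"]
    name, _, _, chars = home[0]
    if len(sections) > 1 and name == sections[-1][0]:
        findings.append(f"entry point in last section {name!r}")   # code appended after the original sections
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name!r} is not executable")
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {name!r} is writable")      # self-decrypting code needs a writable section
    return findings


def build_sample_pe(entry_rva, sections):
    """Constructed minimal PE32 header (not a runnable program) for exercising the checker offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table
```

Run entry_point_anomalies() over a suspect file's bytes; an empty list means the entry point sits in a non-writable, executable section that is not the last one, which is what an untouched compiler-produced file normally looks like.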
Disinfection
Automatic Disinfection
Usually viruses infecting boot sectors and executable files are
automatically disinfected by F-Secure Anti-Virus (FSAV). In some
cases, when automatic disinfection is not possible due to file
corruption or an overwriting virus, the user can select the
disinfection action to make FSAV rename or delete the infected
file. In some special cases it is recommended to use specific
disinfection tools provided by F-Secure. They can be downloaded
from our ftp site:
F-Secure Anti-Virus can be purchased from our webshop or from our
authorised distributors. A trial version of F-Secure Anti-Virus,
limited to 30 days, can be downloaded from our website:
All the latest versions of FSAV can download anti-virus database
updates automatically. However, these updates can also be
downloaded and installed manually from our web or ftp sites:
It is not recommended to disinfect files and boot sectors
manually, as this can damage the system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable the
System Restore feature of these operating systems to prevent the
computer from being re-infected by already removed malware. The
System Restore feature of these operating systems might save an
infected file into its special folder and copy it back to the
hard drive every time the file is renamed or deleted by F-Secure
Anti-Virus or by the user. Instructions on how to disable the
System Restore feature are here:
It is recommended to re-enable System Restore after disinfection
so that a stable system configuration can be restored in the
future if a crash or incompatibility issue occurs.
Contacting F-Secure for help
If you have problems with disinfection, please consult a computer
technician or send a message (and a sample) to our Viruslab. Our
guidelines for sending virus samples, hoaxes and virus-related
questions to F-Secure Viruslab are published here: