Quote:
After loading them (by launching an infected program for example), they fix themselves inside of the computer's memory (RAM, Random Acces Memory), and they get control over the machine. Inside of PCs, there is a kind of memory which users can't directly access to. I'm talking about ROM memory (Read Only Memory) which can't be updated or written but only read. This means that no program can change it. Inside of this memory there is the BIOS (Basic Input Output System), just a program - or even better, a set of programs - which handle all the machine's main operations. The BIOS for instance - whenever you start your PC - read the first floppy's sector (if you have put it into its drive, of course) and if it doesn't find any floppy, looks inside of the hard disk searching for that record indispensable to load the operating system. The BIOS reads the RAM. The BIOS 'reads' the characthers which you type on the keyboard and then display them on the screen. All these functions are handled by BIOS programs, called 'services'. Programs can use these services by means of 'interrupts'. An innterrupt is' - as you can easily understand by its name - a temporary break of all things the machine was doing till that moment, to execute something of more important. For instance, when you press a key, the keyboard causes an hardware interruption, in other words, the keyboard asks the machine to handle the 'key-pressed' event. Any program was running before, is stopped, a BIOS program handles that event and, soon after, all stopped activities can resume. All that happen thousands of times and you don't notice anything! There are many kind of interruptions, and each of them is needed to handle a particular event, such as reading pressed keys, writing on the screen, writing into the disk, reading of RAM and so on. Well, a TSR virus, once placed itself inside of the RAM, intercepts all system's interrupts, and, before calling real BIOS programs to handle a certain event, it launchs itself. Soon after it calls the real BIOS program, so nobody can notice its presence.
Quote:
Each virus is recognizable by its 'identification sttring', that is a kind of virus' finger-print, composed by the first statements of the virus (remember: a virus is just a program). Well, many viruses try to hide themselves, by encrypting their code; in this way antiviruses can't detect them! This kind of viruses have a encryption algorithm to hide their statements, and decrypt them just a second before they are runned. Whenever a virus is launched, it encrypt itself, every time in a different way. But cryptography algorithm, is always the same, so antiviruses can detect it.
There might be a possibility that the pc's RAM may be infected by such a virus that targets SAM.