memory resident?
Results 1 to 10 of 10

Thread: memory resident?

  1. #1
    Banned
    Join Date
    Apr 2002
    Posts
    156

    memory resident?

    I have seen alot of virus listings that say either memory resident or non-resident. What does memory resident mean and is it a bad or good thing?

  2. #2
    Banned
    Join Date
    Apr 2002
    Posts
    156

    memory resident?

    I have seen alot of virus listings that say either memory resident or non-resident. What does memory resident mean and is it a bad or good thing?

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    883
    Without getting into a long drawn out deal. It's a bad thing. You can kill the program and delete it from you whatever directory. But it writes itself to memory and on reboot runs itself again. Usualy moving itself to another directory or giving itself another name. Many variations of this abound, but thats it in a nutshell. Also this type likes to write itself to the MBR at times. Go here for a basic detail:
    http://pcvirus2000.web.cern.ch/pcvir...%20viruses.htm
    The COOKIE TUX lives!!!!
    Windows NT crashed,I am the Blue Screen of Death.
    No one hears your screams.


  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    883
    Without getting into a long drawn out deal. It's a bad thing. You can kill the program and delete it from you whatever directory. But it writes itself to memory and on reboot runs itself again. Usualy moving itself to another directory or giving itself another name. Many variations of this abound, but thats it in a nutshell. Also this type likes to write itself to the MBR at times. Go here for a basic detail:
    http://pcvirus2000.web.cern.ch/pcvir...%20viruses.htm
    The COOKIE TUX lives!!!!
    Windows NT crashed,I am the Blue Screen of Death.
    No one hears your screams.


  5. #5
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Well.. The way I would figure is this.

    Once a program is containing a virus is copied to your PC, the virus can spread only when the infected file is opened. The first thing that happens is the program is loaded into memory. Viruses hidden in a program can then be executed from memory. A virus can either be a Memory-resident virus and stay in memory, still doing its thing, even after the host program is killed, or a non-memory-resident virus, which means its killed when the host program is closed.

    After a virus is loaded into the memory it looks for other programs loaded in the memory. When it finds one it will copy itself there and into that same program file on your harddrive. The longer it stays loaded the more destructive it will be, because you will open more programs. The way to kill a memory-resident virus is to turn off your computer (hard-boot) and that will wipe out the memory. I think thats how it works.

    EDIT:But chances are that when you restart it will have a reg entry that will load it on boot anyway.


    EDIT2:I think this could make a perfect idea for my next tut. BUS lines are so boring anyway.

  6. #6
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Well.. The way I would figure is this.

    Once a program is containing a virus is copied to your PC, the virus can spread only when the infected file is opened. The first thing that happens is the program is loaded into memory. Viruses hidden in a program can then be executed from memory. A virus can either be a Memory-resident virus and stay in memory, still doing its thing, even after the host program is killed, or a non-memory-resident virus, which means its killed when the host program is closed.

    After a virus is loaded into the memory it looks for other programs loaded in the memory. When it finds one it will copy itself there and into that same program file on your harddrive. The longer it stays loaded the more destructive it will be, because you will open more programs. The way to kill a memory-resident virus is to turn off your computer (hard-boot) and that will wipe out the memory. I think thats how it works.

    EDIT:But chances are that when you restart it will have a reg entry that will load it on boot anyway.


    EDIT2:I think this could make a perfect idea for my next tut. BUS lines are so boring anyway.

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    366
    Thanks for the answers, I didn't know that either. I love this site, get answers to questions you didn't even know you needed!

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    366
    Thanks for the answers, I didn't know that either. I love this site, get answers to questions you didn't even know you needed!

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    It's very similar to the way exploits on the *NIX environment are generally run.

    Example:

    Someone has a trojaned 'ls' command or something and they see user X has . in their PATH
    statement before everything else (through various methods of finding out).

    This nefarious someone puts the trojaned ls somewhere simple, like /tmp and says 'hey dude, I'm having problems with a file in /tmp name blahblahfoo, can you go look at it? I think the permissions are screwed up' (or something to this effect).

    User X (let's say it's root) says 'Why yes, I can help fix your problems!' and goes to /tmp to look at blahblahfoo and does *gasp* ls.

    Now, at this point, the first thing this trojaned ls will do is delete itself (if nefarious 'someone' was smart). This will still keep it working though because it's in memory (memory resident). It calls the real 'ls' to reveal the directory listings and whatnot, along with any command line options, while it does something else nefarious (such as...copying the shadow password file to nefarious someone's /home directory as 'report.txt' so that they can run crack on it elsewhere or whatnot).

    This is a low-level example of a simple 'memory resident' exploit.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  10. #10
    Banned
    Join Date
    Apr 2002
    Posts
    156
    thanks. I figured it had something to do with creating extra values (copies of itself) in different places but I didn't know that a non-memory resident virus stops working when the infected program stops working.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •