McAfee DR SOLOMON S ANTI-VIRUS 8.5 User Manual page 16

Preface
For a time, sophisticated descendants of this first boot-sector virus represented
the most serious virus threat to computer users. Variants of boot sector viruses
also infect the Master Boot Record (MBR), which stores the partition
information your computer needs to figure out where to find each of your
hard disk partitions and the boot sector itself.
Realistically, nearly every step in the boot process, from reading the MBR to
loading the operating system, is vulnerable to virus sabotage. Some of the
most tenacious and destructive viruses still include the ability to infect your
computer's boot sector or MBR among their repertoire of tricks. Among other
advantages, loading at boot time can give a virus a chance to do its work before
your anti-virus software has a chance to run. Many Dr Solomon's anti-virus
products anticipate this possibility by allowing you to create an emergency
disk you can use to boot your computer and remove infections.
But most boot sector and MBR viruses had a particular weakness: they spread
by means of floppy disks or other removable media, riding concealed in that
first track of disk space. As fewer users exchanged floppy disks and as
software distribution came to rely on other media, such as CD-ROMs and
direct downloading from the Internet, other virus types eclipsed the boot
sector threat. But it's far from gone—many later-generation viruses routinely
incorporate functions that infect your hard disk boot sector or MBR, even if
they use other methods as their primary means of transmission.
Those same viruses have also benefitted from several generations of evolution,
and therefore incorporate much more sophisticated infection and concealment
techniques that make it far from simple to detect them, even when they hide
in relatively predictable places.
File infector viruses
At about the same time as the authors of the Brain virus found vulnerabilities
in the DOS boot sector, other virus writers found out how to use other
software to help replicate their creations. An early example of this type of virus
showed up in computers at Lehigh University in Pennsylvania. The virus
infected part of the DOS command interpreter COMMAND.COM, which it
used to load itself into memory. Once there, it spread to other uninfected
COMMAND.COM files each time a user entered any standard DOS command
that involved disk access. This limited its spread to floppy disks that
contained, usually, a full operating system.
Later viruses quickly overcame this limitation, sometimes with fairly clever
programming. Virus writers might, for instance, have their virus add its code
to the beginning of an executable file, so that when users start a program, the
virus code executes immediately, then transfers control back to the legitimate
software, which runs as though nothing unusual has happened. Once it
activates, the virus "hooks" or "traps" requests that legitimate software makes
to the operating system and substitutes its own responses.
xvi Dr Solomon's Anti-Virus