In the "old days", boot viruses like Stoned, or the infamous Michelangelo, were passed from machine to machine by a forgetful user leaving an infected floppy disk in the drive when rebooting. The virus on the floppy disk would take control of the system, and inject itself into the boot sector of the hard drive. Once its work was done, it returned control back to the system, where DOS would produce an error message. The user realized they had a non-bootable disk in the drive, and would pull it out and reboot. When the PC booted from the hard disk, the damage was done: the virus was in memory and ready to infect files and other disks inserted into the machine. Antivirus software found viruses like Stoned relatively easy to detect and clean, as the viruses made a copy of the master boot record (MBR) at a fixed location on the hard disk, which could be detected and restored.

Other viruses were somewhat parasitic and rode along in the code of a .COM file, and propagated every time the program was run. For new users who've never seen a true DOS prompt, a .COM file is a simple 16-bit executable file. In programming terms, it is a single-segment program file, in which the code and data combined could never be more than 64K bytes in size. The format is essentially a direct image of what is executed in memory. Early file infectors attacked .COM files and were written in assembly language. A .COM file was relatively easy to infect, since the executable entry point was always at the beginning of the file, or location 100h in memory after the Program Segment Prefix (PSP), and usually the first instruction was a jump to the actual program starting point. A virus would just add its own code to the end of the .COM file, make a copy of the original entry point address, and overwrite it with the entry point of its own code. When a hapless user ran the infected .COM file, DOS would load the file into memory, go to 100h and start executing the code.
At the first jump, the infected code would take control, and have its way with the system, usually infecting other .COM files, and possibly trashing data or other programs in the process. Once the viral code was done, it usually would execute a jump back to the original program's starting point. If well written, the virus could avoid detection by the user and go about its infecting ways.
Detecting these early viruses was child's play compared to today's antivirus techniques. For a given virus, the antivirus product could simply scan the .COM file for a signature, or recognizable string of bytes. The string could be a particular text string, like "stoned", that the virus writer included, or more often, a sequence of executable code. Early AV products had fairly short lists of signatures that they could quickly scan through. Once detected, the AV product knew the infecting behavior of the virus, and could disinfect the virus and repair the file by restoring the program's proper starting jump address, and truncating the file to its original size. As mentioned, in the DOS world most infections were seen in .COM files or boot sectors, but with the advent of Windows, the application world switched to .EXE format executables. While there was the DOS-MZ executable format under DOS and Windows 3.x, there were enough .COM programs being run on a system that the majority of virus writers didn't switch. However, with Windows 95 the world changed. While still generally based on DOS, Windows 95 introduced challenges for application developers, virus writers and AV vendors alike. Infecting .EXE files is done in any number of ways, from prepending or appending code to a file, to splitting up the virus and hiding it in holes within the unused segments of the host application.
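The scan-then-repair cycle just described, as an added example in Python that is not part of the original article: it works on a constructed toy .COM image and assumes a hypothetical appending infector whose body starts with a fixed signature and stores the original JMP displacement right after it.

```python
import struct

# Constructed toy signature for a hypothetical appending .COM infector (not a real virus).
SIGNATURE = b"TOYVIRUS"
ENTRY = 0x100  # .COM file offset 0 is loaded at memory offset 100h, after the PSP


def find_signature(image: bytes) -> int:
    """Return the file offset of the signature, or -1 if the image is clean."""
    return image.find(SIGNATURE)


def entry_target(image: bytes) -> int:
    """Memory address the first instruction jumps to (E9 = JMP rel16, 3 bytes)."""
    if len(image) < 3 or image[0] != 0xE9:
        raise ValueError("entry point is not a near JMP; this cleaner cannot handle it")
    disp = struct.unpack("<h", image[1:3])[0]
    return ENTRY + 3 + disp


def disinfect_com(image: bytes) -> bytes:
    """Restore the original entry jump and truncate the appended body."""
    sig = find_signature(image)
    if sig < 0:
        return image  # no signature: nothing to repair
    # Consistency check: a real infection redirects the entry JMP to the appended
    # body; a signature that the JMP does not point at is a false positive.
    if entry_target(image) != ENTRY + sig:
        raise ValueError("signature found but entry JMP does not target it; not repairing")
    # Toy layout assumption: the 2-byte original displacement is saved right after the signature.
    saved = image[sig + len(SIGNATURE):sig + len(SIGNATURE) + 2]
    cleaned = bytearray(image[:sig])  # truncate to the original length
    cleaned[1:3] = saved              # put the original jump target back
    return bytes(cleaned)


# Constructed clean sample: JMP to 0x110, 13 bytes of NOP filler, then INT 20h (terminate).
CLEAN = b"\xE9\x0D\x00" + b"\x90" * 13 + b"\xCD\x20"
# Constructed infected sample: same program, entry JMP redirected to the appended body at
# file offset 18 (memory 0x112); the body is signature + saved original displacement + filler.
INFECTED = (b"\xE9\x0F\x00" + b"\x90" * 13 + b"\xCD\x20"
            + SIGNATURE + b"\x0D\x00" + b"\x90" * 4)

if __name__ == "__main__":
    print("clean entry -> %#x" % entry_target(CLEAN))
    print("infected entry -> %#x, signature at %d" % (entry_target(INFECTED), find_signature(INFECTED)))
    print("repaired matches clean:", disinfect_com(INFECTED) == CLEAN)
```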