What Is an Attached Virus?
An attached virus (more commonly called an appending virus) is a type of virus that adds its code to the end of a host program's file. Its goal is not to destroy the host program, but to modify it slightly so that it carries the virus code while it continues to work.
The attached virus copies the first few bytes of the host program to a safe place and then writes a jump to its own code at the beginning of the program, so that the virus code executes before the host takes control. Unlike an overwriting virus, this virus does not permanently destroy any part of the host program, which makes the infection more difficult to detect.
An attached virus goes through several steps to attach itself to a host program. Technically, the virus looks for a file and then calculates its delta offset to determine the exact file size. Then it reads the file attributes and saves them so it can restore them later and the file appears unedited. It then checks the file to see if it is already infected. If it is not infected, the attached virus appends itself to the end of the executable. Once embedded in the host, the virus restores all the attributes the file had before it was modified, so that no trace of the change is visible.
Antivirus programs sometimes have trouble detecting a well-written attached virus. Because it encrypts itself, the encryption is different for every iteration of the virus. The scanner cannot detect the virus body directly, but it can still detect the virus's decryption engine and mark it as malicious. The only thing that is the same across all the different instances of the virus is the decryption module. In this case, it is always useful to have more than one antivirus program scan the system, in the hope that one will discover what the others have missed.
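The layout described above (a jump at the start of the program that lands in code added at the end of the file) can be checked structurally, without reading the appended body at all. The following is an added example, not code from the original page: it assumes the host is a DOS .COM image, a format the page does not name, and the function names, the 25% tail threshold and the sample byte strings are constructed for illustration.

```python
import struct

COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at offset 0x100 of its segment
TAIL_FRACTION = 0.25     # assumption: "end of the file" means its last 25%


def entry_jump_target(image: bytes):
    """File offset reached by a JMP in the first instruction, else None."""
    if len(image) >= 3 and image[0] == 0xE9:      # JMP rel16
        (rel,) = struct.unpack_from("<h", image, 1)
        size = 3
    elif len(image) >= 2 and image[0] == 0xEB:    # JMP rel8
        (rel,) = struct.unpack_from("<b", image, 1)
        size = 2
    else:
        return None
    # IP is 16 bits wide, so the target wraps modulo 0x10000.
    target_ip = (COM_LOAD_OFFSET + size + rel) & 0xFFFF
    return target_ip - COM_LOAD_OFFSET


def jumps_into_tail(image: bytes, tail_fraction: float = TAIL_FRACTION) -> bool:
    """True when execution starts by jumping into the last part of the file."""
    target = entry_jump_target(image)
    if target is None or not 0 <= target < len(image):
        return False                              # no jump, or jump leaves the file
    return target >= len(image) * (1 - tail_fraction)


# Constructed samples: filler bytes stand in for host and appended code.
HOST_SIZE = 1000
CLEAN = b"\xb4\x09\xba\x09\x01\xcd\x21\xcd\x20Hello$"      # starts with MOV, no jump
JUMP_OVER_DATA = b"\xeb\x06BANNER" + b"\x90" * 992          # short jump past a header
MODIFIED = (b"\xe9" + struct.pack("<h", HOST_SIZE - 3)      # entry JMP to offset 1000
            + b"\x90" * (HOST_SIZE - 3) + b"\xcc" * 200)    # host filler + appended tail

if __name__ == "__main__":
    for name, img in [("clean", CLEAN), ("jump-over-data", JUMP_OVER_DATA),
                      ("modified", MODIFIED)]:
        print(f"{name:15} target={entry_jump_target(img)} flag={jumps_into_tail(img)}")
```

A hit is a reason to inspect the file, not a verdict: legitimate programs and packers can also begin with a jump.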