Naïve way Viruses Spread themselves
Take any good program (for which virus has write privileges) and take instruction at location L1.
Replace this by a jump to L2.
Insert the dreadful code at location L2 followed by original code at location L1. Worry about saving and restoring registers while doing this.
Insert a jump to location L1+1 at end of bad code.
Net result is a program that does all the old program did plus whatever else bad is inserted
This naïve approach can be detected by presence of distinctive byte codes formed by code at L2 or more precisely by checking that a particular program has unexpected length or modify time.
The hacker who entered NPAC installed a trapdoor into UNIX command ps in a way that left length of ps unchanged!
First entered NPAC by “sniffing” somebody’s password and using UNIX bugs to get root permissions.