Computer viruses and antivirus software

Abstract on the topic: "Computer viruses and antivirus programs"

It is not for nothing that computer viruses are called that: their similarity to "live" viruses is striking. They spread, live, act and die in the same way. The only difference is that their targets are not people or animals but computers. Coming into contact with each other via floppy disks, CDs, local networks, the Internet and other means of "communication", they, like people, infect each other.

A computer virus is a program that can create copies of itself (not necessarily identical to the original) and inject them into various objects or resources of computer systems, networks and so on without the user's knowledge; the copies retain the ability to spread further. Today six main types of viruses are known: file, boot, ghost (polymorphic), invisible (stealth), script viruses and macro viruses. Viruses must be distinguished from other malicious code, which includes Internet worms and the programs called Trojan horses.

The main symptoms of a virus infection are: slowdown in the operation of some programs, an increase in file sizes (especially executable ones), the appearance of previously non-existent suspicious files, a decrease in the amount of available RAM (compared with normal operation), and the sudden appearance of various video and sound effects. If any of the symptoms listed above appear, or other strange manifestations in the operation of the system (unstable operation, frequent spontaneous reboots, etc.), you should immediately check the system for viruses.

The Birth of Computer Viruses

There are many different opinions about the appearance of the first computer virus. It is only known for certain that the machine of Charles Babbage, considered the inventor of the first computer, did not have one, but the Univac 1108 and the IBM 360/370 already had them in the mid-1970s. Interestingly, the idea of computer viruses appeared much earlier than personal computers. The starting point can be considered the work of the famous scientist John von Neumann on self-reproducing mathematical automata, which became known in the 1940s. In 1951 he proposed a method for creating such machines. And in 1959 Scientific American published an article by L.S. Penrose on self-reproducing mechanical structures. It described the simplest two-dimensional model of self-reproducing mechanical structures capable of activation, reproduction, mutation and capture. Later another scientist, F.G. Stahl, put this model into practice using machine code on the IBM 650.

Infection process

In simplified form, the process by which a virus infects program files can be presented as follows. When an infected program is run, the virus code usually receives control first, before the carrier program itself begins to operate. Having gained control, the virus somehow finds a new, usually not yet infected, program and inserts a copy of itself at its beginning or appends it to its end. If the virus is appended to the end of a program, it then adjusts the program code so that it gains control first: the first few bytes of the program are saved in the body of the virus, and in their place a command is inserted that jumps to the beginning of the virus. This method is the most common. Having gained control, the virus restores the "hidden" first bytes and, after its own body has finished executing, transfers control to the carrier program.
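To turn the description above into a check a defender can run, here is an added example in Python (not part of the original abstract): it tests whether a DOS .COM image begins with a near JMP whose target lies in the final part of the file, the layout left behind when code is appended and the first bytes are replaced by a jump. The sample images, the function names and the 75% threshold are constructed for this example.

```python
import struct

# All images below are constructed test vectors, not real programs.
# A .COM file is loaded at offset 0x100 and starts executing at its first
# byte, so a near JMP (opcode E9, signed 16-bit displacement) at offset 0
# lands at file offset 3 + displacement.

# A "clean" program: a few instructions followed by a data area.
CLEAN_COM = (bytes([0xB4, 0x09,             # MOV AH,09h
                    0xBA, 0x0B, 0x01,       # MOV DX,010Bh
                    0xCD, 0x21,             # INT 21h
                    0xB8, 0x00, 0x4C,       # MOV AX,4C00h
                    0xCD, 0x21])            # INT 21h
             + b"hello$" + b"\x00" * 512)

# A legitimate program that starts with a short hop over its own data.
LEGIT_JUMP_COM = bytes([0xE9, 0x06, 0x00]) + b"hello$" + CLEAN_COM[:12]

# Imitates the layout described in the text: the original first three bytes
# are saved at the start of an appended tail and replaced by a JMP to that
# tail. The tail itself is inert filler (0x90 = NOP), not executable code.
_TAIL = CLEAN_COM[:3] + b"\x90" * 61
SUSPICIOUS_COM = (bytes([0xE9]) + struct.pack("<h", len(CLEAN_COM) - 3)
                  + CLEAN_COM[3:] + _TAIL)


def entry_jump_target(image: bytes):
    """File offset reached by a leading near JMP, or None if the image does
    not start with one (a short JMP, opcode EB, reaches at most 127 bytes
    forward and is not considered here)."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    (disp,) = struct.unpack("<h", image[1:3])
    return 3 + disp


def looks_appended(image: bytes, tail_fraction: float = 0.75) -> bool:
    """Heuristic: the first instruction jumps into the last quarter of the
    file. Programs that jump over a large data block are the classic false
    positive, so a hit is a reason to inspect, not a verdict."""
    target = entry_jump_target(image)
    if target is None:
        return False
    return 0 <= target < len(image) and target >= len(image) * tail_fraction


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_COM), ("legit jump", LEGIT_JUMP_COM),
                       ("suspicious", SUSPICIOUS_COM)):
        print(f"{label:11} entry target={entry_jump_target(img)} "
              f"size={len(img)} flagged={looks_appended(img)}")
```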

Antivirus programs

Methods of counteracting computer viruses can be divided into several groups: preventing viral infection and reducing the expected damage from such an infection; methods of using antivirus programs, including the neutralization and removal of a known virus; and methods of detecting and removing an unknown virus.

It has been known since ancient times that sooner or later an antidote can be found for any poison. In the computer world such an antidote became the programs called antivirus programs. These programs can be classified into five main groups: filters, detectors, auditors, doctors and vaccinators.

Antivirus filters are resident programs that inform the user about every attempt by any program to write to the disk, let alone format it, and about other suspicious actions (for example, attempts to change the CMOS settings). In each case a request is displayed asking the user to permit or prohibit the action. The operating principle of these programs is based on intercepting the corresponding interrupt vectors. The advantage of programs of this class over detector programs is their universality with respect to both known and unknown viruses, whereas detectors are written for the specific types known to the programmer at the moment. This is especially relevant now, when many mutant viruses have appeared that have no constant code. However, filter programs cannot track viruses that access the BIOS directly, nor boot viruses, which are activated before the antivirus is launched, at the initial stage of DOS loading. Their disadvantages also include the frequent requests to confirm any operation: answering these questions takes a lot of the user's time and gets on his nerves. When some antivirus filters are installed, conflicts with other resident programs that use the same interrupts are possible, and those programs simply stop working.

The most widespread programs in our country are detectors, or rather programs that combine a detector and a doctor. The most famous representatives of this class are Aidstest, Doctor Web and Microsoft AntiVirus.

Antivirus detectors are designed for specific viruses and are based on comparing a sequence of codes contained in the body of the virus with the codes of the programs being checked. Such programs need to be updated regularly, since they quickly become outdated and cannot detect new types of viruses.
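As an added example (not from the original text) of how such a detector compares code sequences, the following Python scanner matches hexadecimal signatures with `??` wildcard bytes against file contents. The signature database, the names Demo.A and Demo.B and the sample images are all constructed for the example; they are not signatures of real viruses.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature database for the example: name -> hex pattern where
# "??" stands for any single byte. These byte strings are made up and are
# not signatures of real viruses.
SIGNATURES: Dict[str, str] = {
    "Demo.A": "E9 ?? ?? B4 4A CD 21 5A",   # wildcards cover a variable displacement
    "Demo.B": "FA 8C C8 8E D8 FB 31 C0",
}


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn a spaced hex pattern with ?? wildcards into a bytes regex.
    DOTALL is required so a wildcard also matches the 0x0A byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data: bytes, db=COMPILED) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start()) for name, pat in db.items() for m in pat.finditer(data)]
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def scan_file(path: str, db=COMPILED) -> List[Tuple[str, int]]:
    """Scan one file on disk with the same database."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), db)


# Constructed sample images (arbitrary bytes, not real programs).
INFECTED_SAMPLE = (b"\x00" * 10 + bytes.fromhex("E9 10 02 B4 4A CD 21 5A")
                   + b"\x00" * 22 + bytes.fromhex("FA 8C C8 8E D8 FB 31 C0")
                   + b"\x00" * 8)
CLEAN_SAMPLE = b"MZ" + b"\x00" * 30
# Differs from Demo.A in one byte: the "new type" the text says an
# un-updated detector misses until its database is refreshed.
VARIANT_SAMPLE = b"\x00" * 10 + bytes.fromhex("E9 10 02 B4 4A CD 21 5B")

if __name__ == "__main__":
    for label, img in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE),
                       ("variant", VARIANT_SAMPLE)):
        print(label, scan_bytes(img))
```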

Auditors are programs that analyze the current state of files and system areas of the disk and compare it with information previously saved in one of the auditor's data files. In doing so, the state of the boot sector, the FAT table, and the length, creation time, attributes and checksum of files are checked. By analyzing the messages of the auditor program, the user can decide whether or not the changes are caused by a virus. When such a message is issued, one should not panic, since the cause of a change, for example in the length of a program, may not be a virus at all.
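The auditor's comparison, written as an added Python example (not code from the original abstract): it records length, modification time, mode bits and a SHA-256 checksum for the checked files, saves that baseline, and reports what differs later. The DOS-style suffix list, the file names and the constructed sample files in `run_demo` are assumptions made for the example; boot-sector and FAT checks need raw disk access and are left out.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Dict[str, object]
Finding = Tuple[str, str, List[str]]   # (status, relative path, changed fields)

# Assumption for the example: only DOS-style executable names are audited.
CHECKED_SUFFIXES = (".com", ".exe", ".sys", ".bat")


def file_record(path: str) -> Record:
    """Collect the attributes the auditor compares for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}


def snapshot(root: str) -> Dict[str, Record]:
    """Record every checked file under root, keyed by path relative to root."""
    records: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(CHECKED_SUFFIXES):
                full = os.path.join(dirpath, name)
                records[os.path.relpath(full, root)] = file_record(full)
    return records


def save_baseline(records: Dict[str, Record], path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[Finding]:
    """Report NEW, MISSING, MODIFIED or SUSPECT for every difference.
    SUSPECT means the content hash changed while the length did not: the
    text notes that a virus need not change the file length, so the
    checksum is what exposes such a change."""
    findings: List[Finding] = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("NEW", rel, []))
        elif new is None:
            findings.append(("MISSING", rel, []))
        else:
            changed = [k for k in old if old[k] != new.get(k)]
            if changed:
                status = ("SUSPECT" if "sha256" in changed and "size" not in changed
                          else "MODIFIED")
                findings.append((status, rel, changed))
    return findings


def run_demo() -> List[Finding]:
    """Self-contained scenario on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        # constructed sample "programs"; the contents are arbitrary bytes
        samples = {"EDIT.COM": b"\xb4\x4c\xcd\x21" + b"\x00" * 60,
                   "GAME.EXE": b"MZ" + b"\x01" * 100,
                   "NOTES.TXT": b"not audited"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(root, "AUDIT.DAT")
        save_baseline(snapshot(root), baseline_path)

        # same-length change to EDIT.COM, growth of GAME.EXE, and a new file
        with open(os.path.join(root, "EDIT.COM"), "r+b") as f:
            f.seek(4)
            f.write(b"\x90" * 8)
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\x00" * 512)
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"\xc3")
        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for status, rel, changed in run_demo():
        print(f"{status:8} {rel}  {', '.join(changed)}")
```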

The last group includes the least effective antiviruses, the vaccinators. They record in the vaccinated program the signs of a specific virus so that the virus considers the program already infected.

Ministry of Education and Youth Affairs of the Republic of Karelia
Professional Lyceum No. 12

Computer viruses and antiviruses

Abstract on computer science
by the student of group No. 18, Malysheva N.V.
Teacher:

Petrozavodsk

Introduction

Who writes viruses and why?

Computer viruses, their properties and classification

Properties of computer viruses

Classification of viruses

Boot viruses

File viruses

Boot file viruses

Polymorphic viruses

Stealth viruses

Trojan horses, software bookmarks and network worms

Paths for viruses to enter a computer and the mechanism for distributing virus programs

Signs of viruses

Methods of protection against computer viruses

Antivirus programs

Conclusion

Bibliography

Introduction

It is hardly worth reminding anyone that computers have become real human assistants and that neither a commercial company nor a government organization can do without them. However, in this regard the problem of information security has become especially acute.

Viruses that have become widespread in computer technology have excited the whole world. Many computer users are concerned about rumors that cybercriminals are using computer viruses to hack networks, rob banks, steal intellectual property...

Today, the widespread use of personal computers, unfortunately, has turned out to be associated with the emergence of self-replicating virus programs that interfere with the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer.

Increasingly, there are reports in the media about various kinds of pirate tricks by computer hooligans and about the emergence of ever more advanced self-replicating programs. Until recently, infecting text files with a virus was considered absurd; now this surprises no one. Suffice it to recall the appearance of the first such specimen, which caused a lot of noise: the WinWord.Concept virus, which infects documents in the format of the Microsoft Word for Windows 6.0 and 7.0 word processor. Despite the laws adopted in many countries to combat computer crime and the development of special anti-virus software, the number of new software viruses is constantly growing. This requires the user of a personal computer to have knowledge about the nature of viruses, the methods of infection by viruses and the means of protection against them.

I would like to immediately note that you should not be too afraid of viruses, especially if you purchased your computer recently and have not yet accumulated a lot of information on your hard drive. A virus will not blow up your computer. Currently, only one virus is known (Win95.CIH) that can damage the computer's hardware. Others can only destroy information, nothing more.

The literature very persistently advocates that you can get rid of viruses only with the help of complex (and expensive) anti-virus programs, and supposedly only under their protection can you feel completely safe. This is not entirely true - familiarity with the structural features and methods of introducing computer viruses will help you detect and localize them in time, even if you don’t have a suitable anti-virus program at hand.

Who writes viruses and why?

Who writes viruses? In my opinion, the bulk of them are created by students and schoolchildren who have just learned assembly language, want to try their hand at it, but cannot find a more worthy use for it. It is gratifying that a significant portion of such viruses are often not distributed by their authors, and the viruses “die” after a while along with the floppy disks on which they are stored. Such viruses are most likely written only for self-affirmation.

The second group also consists of young people (usually students) who have not yet fully mastered the art of programming, but have already decided to devote themselves to writing and distributing viruses. The only reason that pushes such people to write viruses is an inferiority complex, which manifests itself in computer hooliganism.

From the pen of such “craftsmen” often come either numerous modifications of “classical” viruses, or extremely primitive viruses with a large number of errors (I call such viruses “student viruses”). The life of such virus writers has become significantly easier after the release of virus constructors, with the help of which you can create new viruses even with minimal knowledge of the operating system and assembler, or even without any idea about it at all. Their life became even easier after the advent of macro viruses, since instead of the complex Assembly language, to write macro viruses it is enough to learn a fairly simple BASIC.

Having become older and more experienced, but never having matured, many of these virus writers fall into the third, most dangerous group, which creates and releases “professional” viruses into the world. These very carefully thought out and debugged programs are created by professional, often very talented programmers. Such viruses often use quite original algorithms, undocumented and little-known methods of penetrating system data areas. “Professional” viruses are often made using “stealth” technology and/or are polymorphic viruses that infect not only files, but also boot sectors of disks, and sometimes executable files of Windows and OS/2.

A fairly significant part of my collection is occupied by “families” - groups of several (sometimes more than a dozen) viruses. Representatives of each of these groups can be distinguished by one distinctive feature, which is called “handwriting”: the same algorithms and programming techniques are found in several different viruses. Often all or almost all members of a family belong to one author, and sometimes it’s quite funny to follow the “formation of the pen” of such an artist - from almost “student” attempts to create at least something similar to a virus, to a completely workable implementation of a “professional” virus.

In my opinion, the reason that forces such people to direct their abilities to such meaningless work is still the same - an inferiority complex, sometimes combined with an unbalanced psyche. It is significant that such virus writing is often combined with other addictions. Thus, in the spring of 1997, one of the most famous authors of viruses in the world, nicknamed Talon (Australia), died at the age of 21 from a lethal dose of heroin.

The fourth group of virus authors, the “researchers,” stands somewhat separately. This group consists of fairly smart programmers who are inventing fundamentally new methods of infection, hiding, countering antiviruses, etc. They also come up with ways to implement them into new operating systems, virus constructors and polymorphic generators. These programmers write viruses not for the sake of viruses themselves, but rather for the sake of “exploring” the potential of “computer fauna”.

Often the authors of such viruses do not put their creations into practice, but they very actively promote their ideas through numerous electronic publications dedicated to the creation of viruses. At the same time, the danger from such “research” viruses does not decrease - once in the hands of “professionals” from the third group, new ideas are very quickly implemented in new viruses.

My attitude towards virus authors is threefold. Firstly, everyone who writes viruses or contributes to their distribution is a "breadwinner" of the anti-virus industry, whose annual turnover I estimate at no less than two hundred million dollars, if not more (it should not be forgotten that losses from viruses amount to several hundred million dollars annually, several times the cost of anti-virus programs). If the total number of viruses reaches 20,000 by the end of 1997, as is likely, then it is easy to calculate that the income of anti-virus companies from each virus is at least 10 thousand dollars annually. Of course, virus authors should not hope for a financial reward: as practice shows, their work was and remains free. In addition, today the supply (new viruses) fully satisfies the demand (the capacity of antivirus companies to process new viruses).

Secondly, I feel somewhat sorry for the authors of viruses, especially the “professionals”. After all, in order to write such a virus, it is necessary: ​​a) to spend quite a lot of effort and time, and much more than is required to understand the virus, enter it into a database or even write a special antivirus; and b) not have another, more attractive, occupation. Consequently, “professional” virus writers are quite efficient and at the same time suffer from idleness - the situation, it seems to me, is very sad.

Computer viruses, their properties and classification

Properties of computer viruses

Nowadays, personal computers are used in which the user has free access to all the resources of the machine. This is what opened up the possibility of a danger that became known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to provide a “modern” definition of the virus have failed. To get a sense of the complexity of the problem, try, for example, to define the concept of “editor”. You will either come up with something very general, or you will start listing all the known types of editors. Both of these can hardly be considered acceptable. Therefore, we will limit ourselves to considering some properties of computer viruses that allow us to talk about them as a certain class of programs.

First of all, a virus is a program. Such a simple statement in itself can dispel many legends about the extraordinary capabilities of computer viruses. A virus can flip the image on your monitor, but it cannot flip the monitor itself. Legends about killer viruses “destroying operators by displaying a deadly color scheme on the screen in the 25th frame” should also not be taken seriously. Unfortunately, some reputable publications from time to time publish “the latest news from the computer front,” which, upon closer examination, turn out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This ability is the only property inherent in all types of viruses. But viruses are not the only things capable of self-replication: any operating system and many other programs are capable of creating copies of themselves. Copies of a virus not only need not coincide completely with the original, they may not coincide with it at all!

A virus cannot exist in “complete isolation”: today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure, or even just the names of other programs. The reason is clear: the virus must somehow ensure that control is transferred to itself.

Classification of viruses

Currently, more than 5,000 software viruses are known; they can be classified according to the following criteria:

    habitat

    way of infecting the environment

    influence

    features of the algorithm

Depending on their habitat, viruses can be divided into network, file, boot and file-boot viruses. Network viruses spread over various computer networks. File viruses are embedded mainly in executable modules, i.e. in files with the COM and EXE extensions. File viruses can also be embedded in other types of files, but, as a rule, when written into such files they never gain control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the system disk's boot program (Master Boot Record). File-boot viruses infect both files and boot sectors of disks.

Based on the method of infection, viruses are divided into resident and non-resident. When a resident virus infects a computer, it leaves its resident part in RAM, which then intercepts the operating system's access to infection objects (files, disk boot sectors, etc.) and injects itself into them. Resident viruses reside in memory and are active until the computer is turned off or rebooted. Non-resident viruses do not infect the computer's memory and are active for a limited time.

Based on the degree of impact, viruses can be divided into the following types:

    non-hazardous viruses, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses manifest themselves in some graphic or sound effects

    dangerous viruses, which can lead to various problems in the operation of your computer

    very dangerous viruses, whose impact can lead to the loss of programs, destruction of data and erasure of information in system areas of the disk.

There are also invisible viruses, called stealth viruses, which are very difficult to detect and neutralize, since they intercept the operating system's calls to infected files and disk sectors and substitute uninfected areas of the disk in place of their body. The most difficult to detect are mutant viruses, which contain encryption-decryption algorithms thanks to which copies of the same virus do not share a single repeating string of bytes. There are also so-called quasi-viral or "Trojan" programs which, although not capable of self-propagation, are very dangerous because, masquerading as a useful program, they destroy the boot sector and the disk's file system.

Now let's take a closer look at some of these groups.

Boot viruses

Let's look at the functioning of a very simple boot virus that infects floppy disks.

What happens when you turn on your computer? First of all, control is transferred to the initial boot program (abbreviated below as PNZ, from its Russian name), which is stored in read-only memory (ROM), i.e. the PNZ ROM.

This program tests the hardware and, if the tests are successful, tries to find the floppy disk in drive A:

Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but this is not significant for us.

Among the sectors there are several service sectors used by the operating system for its own needs (these sectors cannot contain your data). Among the service sectors we are interested in the boot sector.

The boot sector stores information about the floppy disk: the number of surfaces, the number of tracks, the number of sectors, etc. But what interests us now is not this information but the small boot program (the PNZ of the disk), which must load the operating system itself and transfer control to it.

So the normal bootstrap scheme is as follows: PNZ (ROM) - PNZ (disk) - SYSTEM.

Now let's look at the virus. Boot viruses have two parts: the head and the so-called tail. The tail may be empty.

Suppose you have a clean floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a floppy disk that is not write-protected and has not yet been infected, it begins to infect. When infecting a floppy disk, the virus performs the following actions:

    allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and traditional case the sectors occupied by the virus are marked as bad

    copies its tail and the original (healthy) boot sector to the selected area of ​​the disk

    replaces the boot program in the boot sector (the real one) with its head

    organizes the chain of control transfer according to the scheme.

Thus, the head of the virus is now the first to receive control; the virus installs itself in memory and transfers control to the original boot sector. In the chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

We have examined the scheme of operation of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks but also the boot sectors of hard drives. Moreover, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When the computer boots from the hard drive, the boot program in the MBR (Master Boot Record) takes control first. If the hard drive is divided into several partitions, only one of them is marked as bootable. The boot program in the MBR finds the boot partition of the hard drive and transfers control to the boot program of that partition. The code of the latter coincides with the code of the boot program found on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, on a hard drive there are two objects of attack for boot viruses: the boot program in the MBR and the boot program in the boot sector of the bootable partition.

File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let us consider the scheme of operation of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus gains control, performs some actions and transfers control to the "host".

What actions does the virus perform? It looks for a new object to infect: a file of a suitable type that has not yet been infected. When infecting a file, the virus injects itself into the file's code in order to gain control when the file is executed. In addition to its main function, reproduction, the virus may well do something intricate (say, ask a question or play a tune); this depends on the imagination of the virus's author. If the file virus is resident, it installs itself in memory and is able to infect files and exhibit its other abilities not only while the infected file is running. When infecting an executable file, a virus always changes its code, so infection of an executable file can always be detected. But while changing the file's code, the virus does not necessarily make other changes:

    it does not have to change the file length

    it may use unused sections of the code

    it does not have to change the beginning of the file

Finally, file viruses often include viruses that “have some relation to files” but do not have to be embedded in their code.

Thus, when any file is launched, the virus gains control (the operating system launches it itself), installs itself resident in memory and transfers control to the called file.

Boot file viruses

We will not consider the boot-file virus model, because you would not learn anything new from it. But here is a good opportunity to briefly discuss the recently extremely "popular" boot-file virus OneHalf, which infects the master boot sector (MBR) and executable files. Its main destructive effect is the encryption of hard drive sectors. Each time the virus is launched, it encrypts another portion of sectors, and, having encrypted half of the hard drive, it happily reports this. The main problem in treating this virus is that it is not enough simply to remove the virus from the MBR and files; the information it encrypted must also be decrypted.

Polymorphic viruses

Most questions are related to the term “polymorphic virus”. This type of computer virus seems to be the most dangerous today. Let us explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not match in a single bit.

Such viruses not only encrypt their code using various encryption methods, but also contain code for generating an encryptor and a decryptor, which distinguishes them from ordinary encryption viruses, which can also encrypt sections of their code, but at the same time have a constant encryptor and decryptor code.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption is that even if you have both an infected and an original file, you still cannot analyze the virus code by ordinary disassembly. This code is encrypted and is a meaningless set of commands. Decryption is performed by the virus itself during execution. Here several options are possible: it can decrypt itself all at once, it can perform the decryption "on the fly", or it can re-encrypt sections that have already been executed. All this is done to make it difficult to analyze the virus code.

Stealth viruses

When scanning a computer, antivirus programs read data (files and system areas) from hard drives and floppy disks using the operating system and the basic input/output system (BIOS). A number of viruses, after launching, leave special modules in the computer's RAM that intercept programs' accesses to the computer's disk subsystem. If such a module detects that a program is trying to read an infected file or system area of the disk, it replaces the data being read on the fly, as if there were no virus on the disk.

Stealth viruses trick antivirus programs and, as a result, remain undetected. However, there is a simple way to disable the camouflage mechanism of stealth viruses. It is enough to boot the computer from a non-infected system floppy disk and immediately, without launching other programs from the computer disk (which may also be infected), scan the computer with an anti-virus program.

When loaded from a system floppy disk, the virus cannot gain control and install a resident module in RAM that implements the stealth mechanism. An antivirus program will be able to read the information actually written on the disk and will easily detect the virus.

Trojan horses, software bookmarks and network worms

A Trojan horse is a program containing some destructive function that is activated when a certain trigger condition occurs. Usually such programs are disguised as some kind of useful utility. Viruses can carry Trojan horses or "Trojanize" other programs, i.e. introduce destructive functions into them.

“Trojan horses” are programs that, in addition to the functions described in the documentation, also implement some other functions associated with security violations and destructive actions. There have been cases of such programs being created to facilitate the spread of viruses. Lists of such programs are widely published in the foreign press. They are usually disguised as gaming or entertainment programs and cause harm accompanied by beautiful pictures or music.

Software bookmarks also contain a function that causes damage to the computing system, but this function, on the contrary, tries to be as inconspicuous as possible, because the longer the program does not arouse suspicion, the longer the bookmark will be able to operate.

If viruses and Trojan horses cause damage through avalanche-like self-propagation or outright destruction, then the main function of worm-type viruses operating in computer networks is to hack the attacked system, i.e. overcoming protection to compromise security and integrity.

In more than 80% of computer crimes investigated by the FBI, "crackers" penetrate the attacked system through the Internet. When such an attempt succeeds, the future of a company that took years to build can be jeopardized in a matter of seconds.

This process can be automated using a virus called a network worm.

Worms are viruses that spread across global networks, infecting entire systems rather than individual programs. This is the most dangerous type of virus, since in this case information systems of national scale become the targets of attack. With the advent of the global Internet, this type of security breach poses the greatest threat, since any of the 40 million computers connected to this network can be exposed to it at any time.

Paths for viruses to enter a computer and the mechanism for distributing virus programs

The main ways viruses enter a computer are removable media (floppy and optical disks) as well as computer networks. A hard drive can become infected with a virus when a program is loaded from a floppy disk that contains a virus. Such an infection can also be accidental, for example if the floppy disk was not removed from drive A and the computer was rebooted; the floppy disk need not even be a system disk. It is much easier to infect a floppy disk. A virus can get onto it even if the floppy disk is simply inserted into the drive of an infected computer and, for example, its table of contents is read.

A virus is, as a rule, introduced into a working program in such a way that when the program is launched control is first transferred to the virus, and only after all its commands have been executed does it return to the working program. Having gained control, the virus first of all writes itself into another working program and infects it. After a program containing a virus is run, it becomes possible to infect other files.

Most often, the boot sector of the disk and executable files with the extensions EXE, COM, SYS, BAT are infected with a virus. It is extremely rare for text files to become infected.

After infecting a program, the virus can perform some kind of sabotage, not too serious so as not to attract attention. And finally, it does not forget to return control to the program from which it was launched. Each execution of an infected program transfers the virus to the next one. Thus, all the software ends up infected.

Signs of viruses

When your computer is infected with a virus, it is important to detect it. To do this, you should know about the main signs of viruses. These include the following:

    previously functioning programs stop working or work incorrectly;

    the computer runs slowly;

    the operating system fails to load;

    files and directories disappear or their contents are corrupted;

    file modification dates and times change;

    file sizes change;

    the number of files on the disk increases unexpectedly and significantly;

    the amount of free RAM is significantly reduced;

    unexpected messages or images appear on the screen;

    unexpected sound signals are produced;

    the computer freezes and crashes frequently.

It should be noted that these phenomena are not necessarily caused by a virus; they may have other causes. Correctly diagnosing the state of a computer is therefore always difficult.

Methods of protection against computer viruses

Whatever the virus, the user needs to know the basic methods of protecting against computer viruses.

To protect against viruses you can use:

    general information protection tools, which are also useful as insurance against physical damage to disks, malfunctioning programs or erroneous user actions;

    preventive measures that reduce the likelihood of infection;

    specialized programs for virus protection.

General information protection tools are useful for more than just virus protection. There are two main kinds of such tools:

    copying information - creating copies of files and system areas of disks;

    access control prevents unauthorized use of information, in particular, protection against changes to programs and data by viruses, malfunctioning programs and erroneous user actions.

Despite the fact that general information security measures are very important for protecting against viruses, they are still not enough. It is also necessary to use specialized programs to protect against viruses. These programs can be divided into several types: detectors, doctors (phages), auditors, doctor-auditors, filters and vaccines (immunizers).

DETECTOR PROGRAMS detect files infected with one of several known viruses. They check whether the files on a user-specified drive contain a byte sequence characteristic of a particular virus (its signature); when one is found in a file, a corresponding message is displayed. Many detectors also have modes for curing or destroying infected files. It must be emphasised that a detector can only find viruses that are "known" to it. Scan from McAfee Associates and D.N. Lozinsky's Aidstest detect about 9,000 viruses, yet in total more than twenty thousand exist! Some detectors, for example Norton AntiVirus or AVSP from Dialog-MGU, can be taught new viruses: it is enough to enter the byte sequences characteristic of them. It is impossible, however, to write a program that would detect any previously unknown virus.

Thus, the fact that detectors do not report a program as infected does not mean it is clean: it may carry a new virus, or a slightly modified version of an old one, unknown to the detector programs.
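As an added illustration (not part of the original text and not code from any of the programs it names), the following Python script models such a detector. Its signature database is constructed for the demonstration and corresponds to no real virus: each entry is a hex byte pattern, with "??" standing for a wildcard byte, the way a detector can be taught a new virus from its characteristic byte combination. The script scans the executable files of a directory tree built from constructed sample files. One sample, VARIANT.COM, differs from a detected sample by a single byte and is missed, which is exactly the limitation described above.

```python
import re
import tempfile
from pathlib import Path

# Constructed, hypothetical signature database (not real virus signatures).
# Each value is a hex byte string; "??" is a wildcard byte, the way a detector
# can be taught a new virus from the byte combination characteristic of it.
SIGNATURES = {
    "Demo.Appender": "5e 81 ee 03 01 b4 40 cd 21",
    "Demo.Prepender": "e8 00 00 5d 81 ed ?? ?? b8 ?? 35 cd 21",
}

# Only these file types are scanned, as the text says detectors did.
SCANNED_EXTENSIONS = {".exe", ".com", ".sys", ".bat"}


def compile_signature(hex_pattern):
    """Turn 'de ad ?? ef' into a compiled regex that matches raw bytes."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")            # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data):
    """Return the sorted names of every signature found in a byte string."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_tree(root):
    """Scan the executables under root; return {relative path: [signature names]}."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_EXTENSIONS:
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Build a constructed sample tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = b"MZ" + bytes(64)                                   # constructed clean stub
        infected = clean + bytes.fromhex("5e81ee0301b440cd21")      # carries Demo.Appender
        # Demo.Prepender with arbitrary values in the wildcard positions
        prepended = bytes.fromhex("e800005d81ed0301b80035cd21") + clean
        # One byte of the Demo.Appender pattern changed (b4 40 -> b4 3f):
        # the fixed signature no longer matches, so this variant is missed.
        variant = clean + bytes.fromhex("5e81ee0301b43fcd21")
        (root / "TOOLS").mkdir()
        (root / "CLEAN.EXE").write_bytes(clean)
        (root / "GAME.COM").write_bytes(infected)
        (root / "TOOLS" / "EDIT.EXE").write_bytes(prepended)
        (root / "TOOLS" / "VARIANT.COM").write_bytes(variant)
        (root / "README.TXT").write_bytes(infected)                 # not scanned: not an executable
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Running the script reports GAME.COM and TOOLS/EDIT.EXE, and nothing else: the README copy is skipped because it is not an executable, and the one-byte variant is silently missed, which is why a clean verdict from a detector proves nothing about an unknown or modified virus.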

Many detectors (Aidstest among them) cannot detect infection by "stealth" viruses while such a virus is active in memory. The reason is that they read the disk through DOS functions, which the virus intercepts, reporting that everything is in order. Aidstest and other detectors do try to identify a virus by inspecting RAM, but this does not help against some of the more cunning ones. Detectors therefore give a reliable diagnosis only when DOS has been booted from a "clean", write-protected floppy disk and the detector itself is also run from that floppy.

Some detectors (for example ADinf from Dialog-Nauka) can catch stealth viruses even while they are active, because they read the disk without going through DOS calls. This method, however, does not work on every drive.

Most detectors have a "doctor" function: they try to return infected files or disk areas to their original state. Files that cannot be recovered are usually rendered inoperable or deleted.

Most doctor programs can "cure" only a fixed set of viruses and therefore become outdated quickly. Some, however, can be taught not only to detect but also to cure new viruses; AVSP from Dialog-MGU is one such program.

AUDITOR PROGRAMS work in two stages. First they record information about the state of programs and of the system areas of the disks (the boot sector and the sector holding the hard disk partition table); it is assumed that at this moment the programs and system areas are not infected. Afterwards the auditor can at any time compare the current state of programs and system areas with the recorded one, and any discrepancies found are reported to the user.

To have the state of programs and disks checked every time the operating system boots, the command that starts the auditor should be placed in the AUTOEXEC.BAT batch file. This makes it possible to detect an infection before the virus has done much harm. The same auditor will also be able to find the files damaged by the virus.

Many auditors are quite "intelligent": they can tell changes in files caused, say, by upgrading to a new version of a program from changes made by a virus, and do not raise a false alarm. Viruses usually change files in a very specific way and make the same changes to different program files; in normal use such changes almost never occur, so an auditor that records changes of this kind can confidently report that they were caused by a virus.

Other programs often resort to half-measures: they try to detect the virus in RAM, insist on being invoked from the first line of AUTOEXEC.BAT in the hope of running on a "clean" computer, and so on. Alas, none of this helps against some of the more cunning viruses.

To check whether a file has changed, some auditors compare only its length. This check is insufficient: some viruses do not change the length of the files they infect. A more reliable check is to read the whole file and compute a checksum over it. Note, though, that this is only reliable when the checksum is strong: a simple additive checksum or a CRC can be compensated for by a few extra bytes, so a cryptographic hash should be used, since changing a file while preserving such a hash is practically impossible.

Recently very useful hybrids of auditors and doctors have appeared, the DOCTOR-AUDITORS: programs that not only detect changes in files and system areas of disks but can also automatically return them to their original state. Such programs can be far more universal than doctors, because during the cure they use previously stored information about the state of the files and disk areas. This allows them to cure files even of viruses that did not exist when the program was written.

They cannot, however, cure every virus, only those that use the "standard" infection mechanisms known when the program was written.
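The two-stage auditor described above, written out as an added Python example (it is not part of the original text and models none of the named products). The baseline records length, timestamp and a SHA-256 hash for every program file plus a hash of the "system area"; a real auditor would read the boot sector through BIOS or DOS, but here it is passed in as a byte string, which is an assumption of this demonstration. The scenario it runs is constructed: three programs grow by the same 128 bytes (the "same change in many files" heuristic from the text), one of them with its old timestamp restored, a fourth is overwritten without changing length so that only the hash reveals it, and the boot sector is altered.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types placed under control, as in the text.
MONITORED_EXTENSIONS = {".exe", ".com", ".sys", ".bat"}


def fingerprint(path):
    """What an auditor stores per file: length, timestamp and a strong hash."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root, boot_sector):
    """Stage one: remember the state of the programs and of the system area.
    The boot sector is passed in as bytes (an assumption of this demonstration)."""
    root = Path(root)
    files = {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MONITORED_EXTENSIONS
    }
    return {"files": files, "boot_sha256": hashlib.sha256(boot_sector).hexdigest()}


def audit(root, baseline, boot_sector):
    """Stage two: compare the current state with the baseline and report."""
    current = build_baseline(root, boot_sector)
    report = {
        "boot_sector_changed": current["boot_sha256"] != baseline["boot_sha256"],
        "changed": {},
        "missing": [],
        "new": sorted(set(current["files"]) - set(baseline["files"])),
    }
    for name, old in baseline["files"].items():
        now = current["files"].get(name)
        if now is None:
            report["missing"].append(name)
        elif now["sha256"] != old["sha256"]:
            report["changed"][name] = {
                "size_delta": now["size"] - old["size"],
                "mtime_changed": now["mtime_ns"] != old["mtime_ns"],
            }
    # The text's heuristic: a virus makes the same change to many files, e.g. every
    # infected program grows by the same number of bytes. Legitimate upgrades do not.
    deltas = Counter(c["size_delta"] for c in report["changed"].values())
    report["same_growth_in_many_files"] = sorted(d for d, n in deltas.items() if d > 0 and n >= 2)
    return report


def length_only_check(root, baseline):
    """The weaker check some auditors used: names whose length changed."""
    current = build_baseline(root, b"")["files"]
    return sorted(n for n, old in baseline["files"].items()
                  if n in current and current[n]["size"] != old["size"])


def demo():
    """Constructed scenario: baseline, then a simulated infection, then an audit."""
    virus_body = b"X" * 128                     # constructed stand-in for an appended virus body
    clean_boot = bytes(512)                     # constructed clean boot sector
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("A.EXE", "B.EXE", "C.COM", "D.BAT"):
            (root / name).write_bytes(b"MZ" + name.encode() + bytes(200))
        baseline = build_baseline(root, clean_boot)

        # Appending infector: A, B and C all grow by the same 128 bytes.
        for name in ("A.EXE", "B.EXE", "C.COM"):
            p = root / name
            st = p.stat()
            p.write_bytes(p.read_bytes() + virus_body)
            if name == "A.EXE":                 # a careful virus restores the old timestamp
                os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Overwriting infector: D keeps its length; only the hash reveals the change.
        d = root / "D.BAT"
        d.write_bytes(virus_body[:40] + d.read_bytes()[40:])
        # The boot sector is modified too.
        infected_boot = b"\xeb\x3c" + clean_boot[2:]

        return {
            "audit": audit(root, baseline, infected_boot),
            "length_only": length_only_check(root, baseline),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The report flags all four files and the boot sector, notes that A.EXE changed even though its timestamp did not, and lists 128 as a growth shared by several files, whereas the length-only check never notices D.BAT at all.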

There are also FILTER PROGRAMS, which reside in RAM, intercept those operating-system calls that viruses use to reproduce and cause damage, and report them to the user, who may allow or deny the operation.

Some filters do not catch suspicious actions but instead scan every program for viruses as it is invoked, which slows the computer down.

The advantages of filters are nevertheless considerable: they detect many viruses at a very early stage, before the virus has had time to multiply or spoil anything, so losses can be kept to a minimum.
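An added Python example of the filter idea (not from the original text or from any named product): while active, the class below hooks the built-in open() call and refers every write-mode open of a program file to a decision callback, which stands in for the prompt a resident filter shows the user. The scenario is constructed: a legitimate installer is approved, an infector appending itself through the hooked call is denied, and the same infector using the low-level os.open() goes around the hook entirely, the analogue of a virus that writes through the BIOS instead of the intercepted DOS calls.

```python
import builtins
import os
import tempfile
from pathlib import Path

# Objects the filter protects and the open() modes it treats as writes.
PROTECTED_EXTENSIONS = {".exe", ".com", ".sys", ".bat"}
WRITE_MODE_CHARS = set("wax+")


class WriteFilter:
    """A resident filter in miniature: while active, it hooks builtins.open and refers
    every write-mode open of a protected file to a decision callback, standing in for
    the prompt a real filter shows the user. Denied operations raise PermissionError."""

    def __init__(self, decide):
        self.decide = decide          # decide(path) -> True to allow, False to deny
        self.log = []                 # (file name, verdict) for each intercepted call
        self._real_open = builtins.open

    def _hooked_open(self, file, mode="r", *args, **kwargs):
        if (isinstance(file, (str, os.PathLike))
                and WRITE_MODE_CHARS & set(mode)
                and Path(file).suffix.lower() in PROTECTED_EXTENSIONS):
            allowed = self.decide(os.fspath(file))
            self.log.append((Path(file).name, "allowed" if allowed else "denied"))
            if not allowed:
                raise PermissionError(f"filter: write to {Path(file).name} denied")
        return self._real_open(file, mode, *args, **kwargs)

    def __enter__(self):
        builtins.open = self._hooked_open
        return self

    def __exit__(self, *exc):
        builtins.open = self._real_open


def demo():
    """Constructed scenario: one approved write, one blocked write, and one write that
    bypasses the hooked layer the way a virus talking to the BIOS bypasses DOS."""
    approved = {"UPDATE.EXE"}                       # what the 'user' agrees to
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        game = root / "GAME.COM"
        game.write_bytes(b"MZ" + bytes(64))
        before = game.stat().st_size

        with WriteFilter(lambda p: Path(p).name in approved) as flt:
            # A legitimate installer writing a new program: the user allows it.
            with open(root / "UPDATE.EXE", "wb") as f:
                f.write(b"MZ" + bytes(32))
            # An infector appending itself through the hooked call: denied.
            try:
                with open(game, "ab") as f:
                    f.write(b"VIRUS")
                hooked_write_blocked = False
            except PermissionError:
                hooked_write_blocked = True
            # The same infector using the low-level call goes around the hook entirely.
            fd = os.open(game, os.O_WRONLY | os.O_APPEND)
            os.write(fd, b"VIRUS")
            os.close(fd)

        return {
            "hooked_write_blocked": hooked_write_blocked,
            "direct_write_blocked": game.stat().st_size == before,
            "log": flt.log,
        }


if __name__ == "__main__":
    print(demo())
```

The second write succeeds and GAME.COM grows despite the filter, which is the weakness the text later attributes to monitors: a filter sees only the layer it has hooked.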

VACCINE PROGRAMS, or IMMUNIZERS, modify programs and disks in a way that does not affect the operation of the programs but makes the virus against which the vaccination is performed regard these programs or disks as already infected. Since a vaccine works against one virus only, such programs are of very limited use.

Antivirus programs

So what is an antivirus? Let us first dispel a common illusion. Many people for some reason believe that an antivirus can detect any virus, that is, that having run an antivirus scanner or monitor one can be absolutely sure of the result. This view is not quite correct. An antivirus is also just a program, written, of course, by a professional, but such programs can recognise and destroy only known viruses: an antivirus against a specific virus can be written only if its author has at least one sample of that virus. Hence the endless war between virus writers and antivirus writers, in which, for some reason, there are always more of the former in our country than the latter. But the antivirus writers have an advantage. A great many viruses have algorithms practically copied from other viruses; as a rule such variants are produced by unskilled programmers who for some reason decided to write a virus. To combat such "copies" a new weapon has been invented, the heuristic analyzer. With its help an antivirus can find close relatives of known viruses and inform the user that there appears to be a virus. Naturally the reliability of a heuristic analyzer is not 100%, but it is still better than even. So in this information war, as in any other, the strongest survive: viruses that antivirus detectors do not recognise can be written only by the most experienced and qualified programmers.

Thus it is practically impossible to protect oneself 100% against viruses (assuming the user exchanges floppy disks with friends, plays games and receives information from other sources, such as networks). If no information is ever brought into the computer from outside, infection is impossible: a virus will not appear on its own.

AIDSTEST

In our country, as noted above, antivirus programs combining the functions of detector and doctor have become especially popular. The best known of them is the AIDSTEST program by D.N. Lozinsky; in Ukraine one version or another of it is present on almost every IBM-compatible personal computer. One of the latest versions detects more than 8,000 viruses.

For Aidstest to work normally there must be no resident antiviruses in memory that block writes to program files, so these should be unloaded, either with the unload option of the resident program itself or with the appropriate utility.

When started, Aidstest checks RAM for viruses known to it and neutralises them. Only the functions of the virus connected with reproduction are paralysed; other side effects may remain. The program therefore asks for a reboot after neutralising a virus in memory, and this advice should certainly be followed unless the operator is a system programmer studying the properties of viruses. The reboot should be done with the RESET button, because some viruses survive a "warm" reboot. It is also better to boot the machine and run Aidstest from a write-protected floppy disk, since when run from an infected disk the virus can become resident in memory and interfere with the cure.

Aidstest checks its own body for known viruses and, from distortions in its code, judges whether it has been infected by an unknown one. False alarms are possible here, for example when the antivirus has been compressed by an executable packer. The program has no graphical interface; its modes are set with command-line switches. By specifying a path, one can check a single subdirectory rather than the whole disk.

As practice has shown, the best mode for daily work is set with the switches /g (scan all files, not only those with the EXE, COM and SYS extensions) and /s (slow scan). The increase in running time with these options is practically unnoticeable, while the probability of detection is an order of magnitude higher.

During routine checks the /f switch (cure infected programs and delete those that cannot be restored) should not be used, even together with /q (prompt before deleting a file), because any program, an antivirus included, is not immune to errors. The /f switch should be used when Aidstest, as well as other antiviruses, report a virus in a file. In that case the computer should be rebooted from a write-protected floppy disk, since the system may be infected by a resident virus, in which case the cure would be ineffective or even downright dangerous. If a virus is found in a valuable file, copy the file to a floppy disk, or better still to a RAM disk, and try to cure it there by running Aidstest with /f. If the attempt fails, delete all infected copies of the file and check the disk again. If the file contains information too important to erase, archive it and wait for a new version of Aidstest or another antivirus that can handle this type of virus. To speed things up, the infected file can be sent to Lozinsky as a sample.

The /p switch makes Aidstest write a log file. The log is needed when the user has no time to read the names of infected files off the screen. The /z switch enables support for the Sheriff hardware-and-software antivirus complex (discussed in more detail later).

DOCTOR WEB

Recently another antivirus, Doctor Web, has been rapidly gaining popularity. Dr.Web, like Aidstest, belongs to the class of detector-doctors, but unlike the latter it has a so-called "heuristic analyzer", an algorithm that makes it possible to detect unknown viruses. The "Healing Web", as the program's name translates, was the response of domestic programmers to the invasion of self-modifying mutant viruses, which change their body as they multiply so that not a single characteristic byte sequence of the original version remains. Compared with Aidstest and its counterparts, Dr.Web can be called a new-generation antivirus.

Modes are controlled with switches, as in Aidstest. The user can have the program test a whole disk, individual subdirectories or groups of files, or skip the disks and test only RAM; in the latter case either conventional memory alone or extended memory as well (switch /H) can be tested. Like Aidstest, Doctor Web can write a report (switch /P), load a Cyrillic character generator (switch /R) and work with the Sheriff hardware-and-software complex (switch /Z).

The main feature of the "Healing Web" is of course its heuristic analyzer, enabled with the /S switch. A balance between speed and quality is chosen by giving the switch a level of heuristic analysis: 0 for minimum, 1 for optimal, 2 for maximum; naturally, speed falls as quality rises. Dr.Web can also test files vaccinated with CPAV and files packed with LZEXE, PKLITE or DIET. For this the /U switch is given (the files are then unpacked on the current drive), or /U drive: (where drive: is the drive on which unpacking takes place) if the floppy disk from which Doctor Web is run is write-protected. Many programs are packed in this way without the user knowing it; without /U Doctor Web may miss a virus that has got into a packed program.

An important function is protection of the files being tested against infection by a resident virus (switch /V). A memory scan gives no absolute guarantee that the Healing Web will find every virus residing there, so with /V Dr.Web tries to prevent any remaining resident virus from infecting the files it tests.

Testing a hard disk with Dr.Web takes much longer than with Aidstest, so not every user can afford to check the whole hard disk every day. Such users are advised at least to check floppy disks brought in from outside more thoroughly (with the /S2 option). If the information on a floppy disk is in an archive (and nowadays programs and data travel from machine to machine almost exclusively in that form; even software vendors such as Borland pack their products), unpack it into a separate directory on the hard disk and immediately, without delay, run Dr.Web, giving it the full path to that subdirectory in place of a drive name. A full scan of the hard disk, with the maximum level of heuristic analysis, should nonetheless be performed at least once every two weeks.

As with Aidstest, during an initial test the program should not be allowed to disinfect files in which it reports a virus, because it cannot be ruled out that the byte sequence the antivirus uses as a pattern also occurs in a healthy program. If at the end of the test Dr.Web reports that it has found viruses, run it with the /P option (if it was not given already) to see which file is infected. Then copy the file to a floppy or RAM disk and try to cure it by running the "Healing Web" with the /F switch. If the cure fails, proceed as described above for the analogous situation with Aidstest.

MICROSOFT ANTIVIRUS

Modern versions of MS-DOS (for example 7.10) include Microsoft Anti-Virus (MSAV). This antivirus can operate as a detector-doctor and as an auditor.

MSAV has a user-friendly interface in the MS-Windows style, with mouse support, of course. Context help is well implemented: there is a hint for almost every menu item and every situation. Menu items can be reached in every possible way: with the cursor keys, the function keys (F1-F9), the key corresponding to a letter of the item name, or the mouse. Option flags in the Options menu can be set with either SPACEBAR or ENTER. A serious inconvenience of the program is that it does not keep its file data tables in one place but scatters them across all the directories.

On starting, the program loads its own character generator and reads the directory tree of the current disk, then goes to the main menu. Why the directory tree must be read at start-up is unclear: the user may not want to check the current disk at all. In the main menu one can change the drive (Select new drive) and choose between scanning without removing viruses (Detect) and with removal (Detect&Clean). When a disk scan is started in either mode, the program first scans memory for the viruses it knows, showing its progress as a coloured bar with the percentage completed. After the memory scan MSAV proceeds to the disk itself.

During the first check MSAV creates a CHKLIST.MS file in each directory that contains executable files and records in it the size, date, time, attributes and checksum of the files under control. In subsequent checks the program compares the files with the information in CHKLIST.MS. If the size and date have changed, the program tells the user and asks what to do: update the stored information (Update), set the date and time to the values in CHKLIST.MS (Repair), continue while ignoring the changes in this file (Continue), or stop the check (Stop). If the checksum has changed, MSAV shows the same window, except that the Repair item is replaced by Delete, since the program cannot restore the file's contents. If a virus is found in Detect&Clean mode, the program removes it. In both modes the disk scan can be paused or aborted with ESC (or F3) and a confirming answer to the program's question. During the scan the percentage of directories processed and the percentage of files processed in the current directory are shown, both as numbers and as a coloured bar, as in the memory test. At the end MSAV presents a report in table form: the number of hard disks and floppy drives scanned, the number of files scanned, infected and disinfected, and the scanning time.

In the Options menu the program can be configured as desired. Here one can enable scanning for stealth viruses (Anti-Stealth), checking of all files rather than only executables (Check All Files), and the creation of CHKLIST.MS tables (Create New Checksums), as well as saving a report of the work to a file. If the Create Backup option is set, a copy of an infected file with the extension *.VIR is saved before the virus is removed from it.

From the main menu, pressing F9 shows the list of viruses known to MSAV. A window with virus names appears; to see more detailed information about a virus, move the cursor to its name and press ENTER. One can jump quickly to a virus of interest by typing the first letters of its name. Information about a virus can be sent to the printer through the corresponding menu item.

ADINF (Advanced Diskinfoscope)

ADinf belongs to the class of auditors. It is fast and can successfully resist viruses resident in memory: it controls the disk by reading it sector by sector through the BIOS, without the DOS system interrupts that a virus can intercept.

ADinf won first prize at the Second All-Union Antivirus Competition in 1990 and second prize at the Borland Contest '93. In the summer of 1991 ADinf was the only antivirus that discovered the DIR virus, which was built on a fundamentally new method of infection and concealment.

Infected files are cured with the ADinf Cure Module, which is not part of the ADinf package and is supplied separately. The module works by saving a small database describing the controlled files. Working together, these programs can detect and remove about 97% of file viruses and 100% of boot-sector viruses. For example, the notorious SatanBug virus was detected with ease and the files it infected were restored automatically; moreover, even users who had bought ADinf and the ADinf Cure Module several months before this virus appeared were able to get rid of it without difficulty.

COMPUTER VIRUSES, THEIR CLASSIFICATION. ANTI-VIRUS SOFTWARE

A computer virus is a special program capable of attaching itself, unaided, to other programs and, when they are launched, of performing various unwanted actions: corrupting files and directories, distorting the results of calculations, cluttering or erasing memory, interfering with the computer's operation. The presence of a virus shows itself in various ways.

  1. Some programs stop working or start working incorrectly.
  2. Extraneous messages, signals and other effects are displayed on the screen.
  3. The computer slows down significantly.
  4. The structure of some files turns out to be corrupted.

Existing viruses can be classified by several features:

  • by habitat;
  • according to the affected area;
  • according to the features of the algorithm;
  • by method of infection;
  • according to destructive possibilities.

Based on their habitat, they distinguish between file, boot, macro and network viruses.

File viruses are the most common type of virus. These viruses are embedded in executable files, create satellite files (companion viruses) or use features of the file system organization (link viruses).

Boot viruses write themselves into the boot sector of a floppy disk or into the boot sector of a hard disk. They start when the computer boots and usually stay resident.

Macro viruses infect files of widely used data-processing packages. They are programs written in the programming languages built into those packages; the most widespread are macro viruses for Microsoft Office applications.

Network viruses use the protocols or commands of computer networks and electronic mail to spread. The main operating principle of a network virus is its ability to transfer its code to a remote server or workstation on its own; a full-fledged network virus can also cause its code to be executed on the remote computer.

In practice, there are various combinations of viruses - for example, file-boot viruses that infect both files and boot sectors of disks, or network macro viruses that infect edited documents and send copies of themselves by e-mail.

As a rule, each virus infects files of one or more operating systems. Many boot viruses are likewise tied to particular layouts of system data in the boot sectors of disks. By the features of their algorithm, viruses are divided into resident, stealth, polymorphic and others. Resident viruses leave a copy of themselves in the operating system, intercept event handling (for example, access to files or disks) and invoke procedures that infect objects (files or sectors). Such viruses are active in memory not only while the infected program runs but afterwards as well; a resident copy remains viable until the OS is rebooted, even if every infected file on the disk has been destroyed. If a resident virus is also a boot virus and is activated when the OS loads, then even formatting the disk while the virus is in memory does not remove it.

Macro viruses should also be counted as resident, since they are present in the computer's memory the whole time the infected editor is running.

Stealth algorithms allow a virus to hide its presence fully or partly. The most common stealth technique is to intercept the OS requests that read or write infected objects; the stealth virus then either temporarily cures the object or substitutes uninfected data in its place. A small group of macro viruses that keep their main code not in macros but in other areas of the document (its variables or AutoText) can also be considered partly stealth.

Polymorphism (self-encryption) is used to complicate detection of the virus. Polymorphic viruses are hard to detect because they have no constant section of code: in general, two samples of the same virus do not match. This is achieved by encrypting the main body of the virus and varying the decryption routine.
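An added Python example of why this defeats a signature detector and what a heuristic analyzer does about it (it is not part of the original text and contains no real virus code). The "body" is a constructed text string and the decryptor stub is a constructed format (a variable amount of filler, a marker, a one-byte XOR key and a length), not machine code. Two generations are produced with different keys and filler lengths; the plain detector looks for the body's signature in the stored bytes and fails, and the two generations share no 8-byte sequence at all, so no fixed signature can be chosen. The emulating scanner interprets the stub, recovers the body and finds the signature, which is the approach described later on the page as simulating the processor's operation.

```python
# Constructed stand-in for a virus body; the detector's signature is a substring of it.
PAYLOAD = b"CONSTRUCTED DEMO BODY: stands in for the constant code of a virus"
SIGNATURE = b"DEMO BODY"

FILLER = 0x90          # filler byte padding the front of the decryptor
MARKER = b"\x0fK"      # start of the constructed decryptor stub format


def make_generation(key, filler_count):
    """Produce one copy of the 'virus': a decryptor stub of varying shape followed by the
    body XOR-encrypted with a per-copy key. The stub layout (filler, marker, key, length)
    is a constructed format for this demonstration, not real machine code."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in clear; keys must be 1..255")
    body = bytes(b ^ key for b in PAYLOAD)
    stub = bytes([FILLER]) * filler_count + MARKER + bytes([key]) + len(body).to_bytes(2, "little")
    return stub + body


def static_scan(sample):
    """What a plain detector does: look for the signature bytes in the file as stored."""
    return SIGNATURE in sample


def emulate_and_scan(sample):
    """What a heuristic analyzer does: interpret the decryptor, recover the body, then scan it."""
    i = 0
    while i < len(sample) and sample[i] == FILLER:   # skip the variable-length filler
        i += 1
    if sample[i:i + 2] != MARKER:
        return False                                 # not our stub format: nothing to emulate
    key = sample[i + 2]
    length = int.from_bytes(sample[i + 3:i + 5], "little")
    body = sample[i + 5:i + 5 + length]
    return SIGNATURE in bytes(b ^ key for b in body)


def shared_ngrams(a, b, n):
    """Byte sequences of length n that occur in both samples (candidate signatures)."""
    def grams(s):
        return {s[i:i + n] for i in range(len(s) - n + 1)}
    return grams(a) & grams(b)


def demo():
    """Two generations with different keys and filler lengths."""
    gen1 = make_generation(0x3C, 3)
    gen2 = make_generation(0xA7, 9)
    return {
        "static_hits": (static_scan(gen1), static_scan(gen2)),
        "emulated_hits": (emulate_and_scan(gen1), emulate_and_scan(gen2)),
        "shared_8_byte_sequences": len(shared_ngrams(gen1, gen2, 8)),
    }


if __name__ == "__main__":
    print(demo())
```

A real polymorphic engine varies the decryptor's instructions rather than a filler count, and a real emulator executes machine code instead of parsing a marker, but the relationship is the same: the signature exists only after decryption, so it can be found only by running or simulating the decryptor.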

When creating viruses, non-standard techniques are often used. Their use should make it as difficult as possible to detect and remove the virus.

Based on the method of infection, a distinction is made between Trojan programs, hidden administration utilities, Intended viruses, etc.

Trojan programs are named by analogy with the Trojan horse of legend. They pose as some useful program, a new version of a popular utility or an add-on to it; when the user copies them to the computer, the Trojan is activated and performs unwanted actions.

Hidden administration utilities are a variety of Trojan program. In functionality and interface they largely resemble the network administration systems developed and distributed by various software vendors. On installation these utilities covertly set up a remote-control system on the computer, making hidden control of it possible. In carrying out their underlying algorithms the utilities receive, launch or send files, destroy information, reboot the computer and so on, all without the user's knowledge. They can be used to capture and transmit passwords and other confidential information, to launch viruses and to destroy data.

Intended viruses include programs that are unable to reproduce due to errors existing in them. This class also includes viruses that reproduce only once. Having infected a file, they lose the ability to further reproduce through it.

According to their destructive capabilities, viruses are divided into:

  1. non-hazardous, the impact of which is limited by a decrease in free disk memory, slowdown of the computer, graphic and sound effects;
  2. dangerous, which could potentially lead to irregularities in the file structure and computer malfunctions;
  3. very dangerous, whose algorithm deliberately includes procedures for destroying data and for causing rapid wear of moving mechanical parts, by driving the read/write heads of some hard disks into resonance and destroying them.

To combat viruses, there are programs that can be divided into main groups: monitors, detectors, doctors, auditors and vaccines.

Monitor programs (filter programs) reside in the computer's operating system, intercept the OS calls that viruses use to reproduce and cause damage, and inform the user of them; the user can allow or deny execution of each such call. The advantage of such programs is their ability to detect unknown viruses, and to detect them at an early stage of infection. Their drawbacks are that they cannot track viruses that access the BIOS directly, nor boot viruses that activate before the antivirus is started during the DOS load, and that they frequently ask for permission to perform operations.

Detector programs check whether files and disks contain a combination of bytes specific to a given virus. If it is detected, a corresponding message is displayed. The disadvantage is that it can only protect against known viruses.

Doctor programs restore infected programs by removing the virus body from them. Typically, these programs are designed for specific types of viruses and are based on comparing the sequence of codes contained in the body of the virus with the codes of the programs being scanned. Doctor programs must be periodically updated to obtain new versions that detect new types of viruses.

Auditor programs analyse changes in the state of files and system areas of the disk. They check the boot sector and the FAT; the length, attributes and creation time of files; and checksums. The user is notified of any discrepancies found.

Vaccine programs modify programs and disks in a way that does not affect the operation of the programs but makes the virus against which the vaccination is performed regard them as already infected. Existing antivirus programs mostly belong to hybrid classes (detector-doctors, doctor-auditors and so on).

In Russia the most widely used antivirus programs are those of Kaspersky Lab (AntiViral Toolkit Pro) and DialogScience (ADinf, Dr.Web). AntiViral Toolkit Pro (AVP) comprises AVP Scanner, the resident guard AVP Monitor, the Control Center for administering the installed components, and a number of other programs. Besides traditional scanning of executables and document files, AVP Scanner processes e-mail databases. The scanner can find viruses in packed and archived files (as long as they are not password-protected). It detects and removes macro, polymorphic, stealth and Trojan viruses, and also previously unknown ones; the latter is achieved, for example, with heuristic analyzers, which simulate the operation of the processor and analyse the actions of the file under examination, deciding on the basis of those actions whether a virus is present.

AVP Monitor controls the typical paths of virus penetration, for example operations that access files and disk sectors.

AVP Control Center is a service shell designed to set the scanner startup time, automatically update package components, etc.

If your computer is infected or is suspected of being infected with a virus, you must:

  1. assess the situation and not take actions that lead to loss of information;
  2. restart the operating system, using a special, pre-created and write-protected system floppy disk; this prevents boot and resident viruses on the computer’s hard drive from being activated;
  3. run existing antivirus programs until all viruses are detected and removed. If it is impossible to remove the virus and if there is valuable information in the file, archive the file and wait for the release of a new version of the antivirus. After finishing, restart your computer.

1. Introduction

2. Classification of computer viruses

2.1 File viruses

2.2 Boot viruses

2.3 Macro viruses

2.4 Network viruses

3. Antivirus programs

4. Types of antiviruses

4.1 Scanners

4.2 CRC scanners

4.3 Monitors

4.4 Immunizers

1. Introduction

The first studies of self-replicating artificial structures were carried out in the middle of the last century. In the works of von Neumann, Wiener and other authors, a definition and a mathematical analysis of finite state machines, including self-reproducing ones, were given. The term “computer virus” appeared later. It is officially believed that it was first used by F. Cohen, an employee of Lehigh University (USA), in 1984 at the 7th Conference on Information Security, held in the USA. A lot of time has passed since then, and the severity of the virus problem has increased many times over, but a strict definition of what a computer virus is has still not been given, despite many repeated attempts.

The main difficulty in giving a strict definition of a virus is that almost all the distinctive features of a virus (introduction into other objects, secrecy, potential danger) are either also inherent in other programs that are not viruses in any way, or there exist viruses that do not have these features (apart from the ability to spread).

Therefore, it is only possible to formulate a necessary condition for some sequence of executable code to be a virus.

The mandatory (necessary) property of a computer virus is the ability to create duplicates of itself (not always identical to the original) and inject them into computer networks and/or files, system areas of the computer and other executable objects. At the same time, the duplicates retain the ability to spread further.

2. Classification of computer viruses

Viruses can be divided into classes according to the following main characteristics:

habitat;

operating system;

features of the operating algorithm;

destructive capabilities.

By habitat, viruses are divided into:

file;

boot;

macro viruses;

network.

File viruses either embed themselves in executable files in various ways, or create duplicate files, or exploit peculiarities of the file system organization.

Boot viruses write themselves either to the boot sector of the disk, or to the sector containing the system boot loader of the hard drive, or change the pointer to the boot sector.

Macro viruses infect document files and spreadsheets of several popular editors.

Network viruses use protocols or commands of computer networks and e-mail for their distribution.

There are a large number of combinations, for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex operating algorithm and often use original methods of penetrating the system. Another example of such a combination is a network macro virus, which not only infects documents being edited, but also sends copies of itself by email.

The operating system being infected is the second level of dividing viruses into classes.

Every file and network virus infects files of one or more operating systems - DOS, Windows, Win95/NT, OS/2, etc.

Macro viruses infect files in Word, Excel, Office 97 formats.

Boot viruses are also focused on specific formats for the location of system data in boot sectors of disks.

Among the features of the operating algorithm of viruses, the following stand out:

residency;

use of “stealth” algorithms;

self-encryption and polymorphism;

use of non-standard techniques.

A resident virus, when it infects a computer, leaves its resident part in RAM, which then intercepts calls from the operating system to infection objects and injects itself into them. Resident viruses are active not only while the infected program is running, but also after the program has finished running. Resident copies of such viruses remain viable until the next reboot, even if all infected files on the disk are destroyed. Often it is impossible to get rid of such viruses by restoring all copies of files from distribution disks: the resident copy of the virus remains active and infects the newly created files. The same is true for boot viruses; formatting a disk while a resident virus is in memory does not always cure the disk, since many resident viruses re-infect it after it has been formatted.

Macro viruses can be considered resident, since they are also present in the computer’s memory during the entire time the infected editor is running. In this case, the editor takes on the role of the operating system, and the concept of “rebooting the operating system” is interpreted as exiting the editor.

Non-resident viruses, on the contrary, are active for a rather short time - only at the moment the infected program is launched. To spread, they search for uninfected files on the disk and write to them.

After the virus code transfers control to the host program, the impact of the virus on the operating system is reduced to zero until the next launch of any infected program. Therefore, it is much easier to delete files infected with non-resident viruses from the disk, without the virus infecting them again.

The use of “stealth” algorithms allows viruses to completely or partially hide themselves in the system. The most common “stealth” algorithm is to intercept operating system requests to read and write infected objects; the “stealth” virus then either temporarily cures them or substitutes uninfected pieces of information in their place. In the case of macro viruses, the most popular method is to disable calls to the macro viewing menu.

Self-encryption and polymorphism are used by almost all types of viruses in order to complicate the virus detection procedure as much as possible. Polymorphic viruses are those that cannot be detected (or are extremely difficult to detect) using so-called virus masks - sections of code specific to a particular virus. This is achieved in two ways - by encrypting the main virus code with a non-constant key and a random set of decryptor commands, or by changing the executable virus code itself.

Various non-standard techniques are often used in viruses in order to hide themselves as deeply as possible in the kernel of the operating system, protect their resident copy from detection, make it difficult to treat the virus, etc.

By destructive capabilities, viruses can be divided into:

harmless, i.e. viruses that do not affect the operation of the computer in any way (except for reducing free disk space as a result of their spread);

non-hazardous, whose impact is limited to a decrease in free disk space and graphic, sound and other effects;

dangerous viruses that can lead to serious computer malfunctions;

very dangerous - their algorithm of operation deliberately contains procedures that can cause the loss of programs, destroy data, and erase information necessary for the operation of the computer recorded in system memory areas.

But even if no branches are found in the virus algorithm that cause damage to the system, this virus cannot be called harmless with complete confidence, since its penetration into a computer can cause unpredictable and sometimes catastrophic consequences. After all, a virus, like any program, has errors, as a result of which both files and disk sectors can be damaged.

2.1 File viruses

This group includes viruses that, when replicating in one way or another, use the file system of an operating system.

File viruses can be embedded in almost all executable files of all popular operating systems.

There are viruses that infect files containing program source code, library or object modules. It is also possible for a virus to be written to data files, but this happens either as a result of an error in the virus or when its aggressive properties manifest themselves.

How a file virus works:

Having received control, the virus performs the following actions:

a resident virus checks RAM for the presence of its copy and infects memory if no copy is found; a non-resident virus looks for uninfected files in the current and/or root directories and in the directories listed in the PATH command, scans the directory tree of the logical drives and then infects the files it finds;

executes additional functions, if any: destructive actions, graphic or sound effects, etc. (the additional functions of a resident virus may be called some time after activation, depending on the current time, system configuration, internal virus counters or other conditions; in this case, on activation the virus reads the state of the system clock, sets its counters, etc.)

2.2 Boot viruses

Boot viruses infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard drive. The operating principle of boot viruses is based on the algorithm for starting the operating system when the computer is turned on or restarted: after the necessary tests of the installed equipment (memory, disks), the system boot program reads the first physical sector of the boot disk (A:, C: or CD-ROM, depending on the parameters set in BIOS Setup) and transfers control to it.

In the case of a floppy disk or CD, control is received by the boot sector of the disk, which analyzes the disk parameter table, calculates the addresses of the operating system files, reads them into memory and launches them for execution. If there are no operating system files on the boot disk, the program located in the boot sector displays an error message and suggests replacing the boot disk.

In the case of a hard drive, control is received by a program located in the MBR of the hard drive. It analyzes the Disk Partition Table, calculates the address of the active boot sector (usually this is the boot sector of drive C:), loads it into memory and transfers control to it. Having received control, the active boot sector of the hard drive performs the same actions as the boot sector of a floppy disk.

When infecting disks, boot viruses substitute their code in place of any program that gains control when the system boots. The principle of infection: the virus “forces” the system, when it is restarted, to read into memory and give control not to the original bootloader code, but to the virus code.

There is only one known way to infect a floppy disk: the virus writes its code in place of the original code of the floppy disk’s boot sector.

A hard drive can be infected in three ways: the virus writes itself either in place of the MBR code, or in place of the boot sector code of the boot partition (usually C:), or it modifies the address of the active boot sector in the Disk Partition Table located in the MBR of the hard drive.
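As an added example (not part of the original essay), the following Python code parses the partition table of a 512-byte MBR, finds the active boot sector the way the MBR code does, and compares a freshly read sector against a stored baseline, so that the three infection routes just described (replaced MBR code, replaced boot sector pointer, changed active-partition address) show up as discrepancies. The layout constants (partition table at offset 0x1BE, signature 0x55AA) are the standard MBR layout; the sector contents, filler boot code and partition values are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, the four partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        boot_flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * index)
        partitions.append({
            "index": index,
            "active": boot_flag == 0x80,   # 0x80 marks the bootable (active) partition
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def active_boot_sector(mbr: dict):
    """LBA of the sector the MBR code would load next, or None if the table is ambiguous."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        return None
    return active[0]["lba_start"]


def table_of(mbr: dict) -> list:
    return [(p["active"], p["type"], p["lba_start"], p["sectors"]) for p in mbr["partitions"]]


def record_baseline(sector: bytes) -> dict:
    """What an auditor stores: a hash of the boot code plus the partition table and its active entry."""
    mbr = parse_mbr(sector)
    return {
        "boot_code_sha256": hashlib.sha256(mbr["boot_code"]).hexdigest(),
        "active_lba": active_boot_sector(mbr),
        "table": table_of(mbr),
    }


def audit_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline and describe every discrepancy."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline["boot_code_sha256"]:
        findings.append("MBR boot code differs from baseline")
    active = active_boot_sector(mbr)
    if active != baseline["active_lba"]:
        findings.append(f"active boot sector changed: {baseline['active_lba']} -> {active}")
    if table_of(mbr) != baseline["table"]:
        findings.append("partition table entries differ from baseline")
    return findings


def build_mbr(boot_code: bytes, table) -> bytes:
    """Assemble a constructed MBR for the demonstration (not read from a real disk)."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code must fit before the partition table")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for index, (active, ptype, lba_start, sectors) in enumerate(table):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * index,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: filler bytes standing in for real MBR code, one active FAT16 partition at LBA 2048.
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * 443
SAMPLE_TABLE = [(True, 0x06, 2048, 204800), (False, 0x00, 0, 0), (False, 0x00, 0, 0), (False, 0x00, 0, 0)]


def changed_boot_code() -> bytes:
    """First route: the MBR code area holds different bytes, table untouched."""
    return build_mbr(b"\xeb\xfe" + b"\x00" * 444, SAMPLE_TABLE)


def moved_active_pointer() -> bytes:
    """Third route: boot code untouched, but the active entry now points at another sector."""
    return build_mbr(SAMPLE_BOOT_CODE, [(True, 0x06, 1_000_000, 204800)] + SAMPLE_TABLE[1:])


if __name__ == "__main__":
    baseline = record_baseline(build_mbr(SAMPLE_BOOT_CODE, SAMPLE_TABLE))
    for label, image in (("changed boot code", changed_boot_code()),
                         ("moved active pointer", moved_active_pointer())):
        print(label, "->", audit_mbr(image, baseline))
```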

Algorithm for the operation of a boot virus.

Almost all boot viruses are resident. They are embedded in the computer's memory when booted from an infected disk. In this case, the system boot loader reads the contents of the first sector of the disk from which the boot is made, places the read information in memory and transfers control to it (i.e., to the virus). After this, the instructions of the virus begin to be executed, which:

as a rule, it reduces the amount of free memory, copies its code to the free space and reads its continuation (if any) from the disk;

intercepts the necessary interrupt vectors, reads the original boot sector into memory and transfers control to it.

Subsequently, the boot virus behaves in the same way as a resident file virus: it intercepts the operating system's calls to the disks and infects them, depending on certain conditions it performs destructive actions or causes sound or video effects.

There are also non-resident boot viruses. When loaded, they infect the MBR of the hard drive and floppy disks, if they are present in the drive. Such viruses then transfer control to the original bootloader and no longer affect the operation of the computer.

2.3 Macro viruses

Macro viruses are programs written in the languages (macro languages) built into some data processing systems (text editors, spreadsheets). To reproduce, such viruses use the capabilities of macro languages and, with their help, transfer themselves from one file (document or table) to others. The most widespread macro viruses are those for Microsoft Word, Excel and Office 97.

For viruses to exist in a specific system, it is necessary to have a macro language built into the system with the following capabilities:

binding a macro-language program to a specific file;

copying macro programs from one file to another;

obtaining control of a macro program without user intervention (automatic or standard macros).

Algorithm of the Word macrovirus

Most well-known Word macro viruses, when launched, transfer their code (macros) to the global macro area of the document; to do this they use the macro copy commands MacroCopy and Organizer.Copy, or the macro editor: the virus invokes it, creates a new macro, inserts its code into it and saves it in the document.

When Word is exited, the global macros are automatically written to the global macro DOT file (usually NORMAL.DOT). Thus, the next time Word is started, the virus is activated at the moment when WinWord loads the global macros.

The virus then overrides one or more standard macros and intercepts commands for working with files. When these commands are called, the virus infects the file being accessed. To do this, the virus converts the file into the Template format (which makes it impossible to further change the file format) and writes its macros into the file, including an automacro.

Thus, if a virus intercepts the FileSaveAs macro, then every DOC file saved through the intercepted macro is infected. If the FileOpen macro is intercepted, the virus is written to the file when it is read from disk.

Algorithm of Excel macro virus operation

Reproduction methods for Excel viruses are generally similar to those for Word viruses. The differences lie in the macro copy commands and in the absence of NORMAL.DOT; its function (in the viral sense) is performed by the files in Excel’s STARTUP directory.

2.4 Network viruses

Network viruses include viruses that actively use the protocols and capabilities of local and global networks to spread. The main operating principle of a network virus is the ability to independently transfer its code to a remote server or workstation.

Network viruses of the past spread across a computer network and typically did not change files or sectors on disks. They penetrated the computer’s memory from the network, calculated the network addresses of other computers and sent their copies to these addresses.

Modern network viruses are Macro.Word.ShareFun and Win.Homer. The first uses the e-mail capabilities of Microsoft Mail: it creates a new message containing an infected document file, then selects three random addresses from the MS-Mail address list and sends the infected message to them.

The second virus (Homer) uses the FTP protocol (File Transfer Protocol) to spread and transfers a copy of itself to the Incoming directory of a remote FTP server. Since the FTP protocol does not allow files to be run on the remote server, this virus can be characterized as semi-network, but it is a real example of the ability of viruses to use modern network protocols and infect global networks.

3. Antivirus programs

Antivirus programs are the most effective in fighting computer viruses. However, it should be noted that there are no antiviruses that guarantee 100% protection against viruses. Such systems do not exist, since for any antivirus algorithm it is always possible to propose a counter-algorithm for a virus that is invisible to this antivirus (the reverse, fortunately, is also true: for any virus algorithm it is always possible to create an antivirus). Moreover, the impossibility of the existence of an absolute antivirus was proven mathematically based on the theory of finite state machines, the author of the proof was Fred Cohen.

The quality of an antivirus program is determined by the following items, listed in descending order of their importance.

Reliability and ease of use: no antivirus freezes or other technical problems that require special training from the user.

This is the most important criterion, since even an absolute antivirus may be useless if it is unable to complete the scanning process - it hangs and does not scan some disks and files and, thus, leaves the virus undetected in the system. If the antivirus requires special knowledge from the user, then it will also be useless; most users will simply ignore the antivirus messages.

Well, if an antivirus asks difficult questions to an ordinary user too often, then most likely the user will stop using such an antivirus.

Quality of virus detection: detection of all common types, scanning inside document/spreadsheet files (MS Word, Excel, Office) and inside packed and archived files, no “false positives”, and the ability to treat infected objects.

Any antivirus is useless if it is not able to catch viruses or does not do it well. Therefore, the quality of virus detection is the second most important criterion for the “quality” of an antivirus program. However, if an antivirus with high-quality virus detection produces a large number of false positives, its usefulness drops sharply, since the user is forced either to destroy uninfected files, or to analyze suspicious files independently, or gets used to frequent false positives, stops paying attention to antivirus messages and, as a result, misses the message about a real virus.

Multiplatform support is the next item on the list, since only a program designed for a specific operating system can fully use the functions of that system. Non-native antiviruses often turn out to be ineffective and sometimes even destructive.

The ability to check files on the fly is also a fairly important feature of an antivirus. Instant and forced scanning of files arriving on the computer and of inserted floppy disks is an almost 100% guarantee against virus infection.

The next most important criterion is operating speed. If an antivirus takes several hours to fully scan your computer, it is unlikely that most users will run it often enough. At the same time, the slowness of an antivirus does not at all mean that it catches more viruses and does it better than a faster antivirus. Different antiviruses use different virus search algorithms; one algorithm may be faster and of higher quality, while another may be slower and of lower quality. It all depends on the abilities and professionalism of the developers of a particular antivirus.

The presence of additional functions and features is in last place on the list of antivirus qualities, since very often these functions do not in any way affect the level of usefulness of the antivirus. However, such additional features make the user’s life much easier.

4. Types of antiviruses

The most popular and effective antivirus programs are antivirus scanners. Following them are CRC scanners. Often both of these methods are combined into one universal program, which significantly increases its power. Various types of monitors (blockers) and immunizers are also used.

4.1 Scanners

The operating principle of anti-virus scanners is based on checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. To search for known viruses, so-called masks are used. The mask of a virus is some constant sequence of code specific to this particular virus. If the virus does not contain a mask or the mask is not long enough, then other methods are used. An example of such a method is an algorithmic language that describes all possible variants of code that may occur in a file infected with a virus of this type.

Many scanners also use heuristic scanning algorithms, i.e. analyzing the sequence of commands in the object being checked, collecting some statistics and making a decision for each object being checked.

The advantages of scanners include their versatility; the disadvantages are the size of the antivirus databases that scanners have to “carry with them” and the relatively low speed of the virus search.
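As an added example (not code from the essay or from any product it names), this Python scanner implements mask-based detection as described in 4.1: a mask is a fixed byte sequence, compiled here into a byte regex. It goes slightly beyond the text by allowing `??` wildcards for bytes that vary between copies, and it refuses masks with too few fixed bytes, since a short mask is exactly the case where the text says other methods are needed. The signature database and the sample “files” are constructed for the demonstration; the byte strings are not real virus masks.

```python
import re

MIN_FIXED_BYTES = 8  # assumption: masks with fewer fixed bytes are rejected as too prone to false positives


def compile_mask(mask: str):
    """Turn a mask such as 'B8 ?? ?? CD 13' into a byte regex; '??' matches any single byte."""
    tokens = mask.split()
    fixed = [t for t in tokens if t != "??"]
    if len(fixed) < MIN_FIXED_BYTES:
        raise ValueError(f"mask {mask!r} has only {len(fixed)} fixed bytes; need {MIN_FIXED_BYTES}")
    pattern = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)
    return re.compile(pattern, re.DOTALL)  # DOTALL so a wildcard also matches the 0x0A byte


def mask_is_usable(mask: str) -> bool:
    """True if the mask is long enough to be used for scanning."""
    try:
        compile_mask(mask)
        return True
    except ValueError:
        return False


# Constructed signature database: names and byte strings are invented for this demo.
SIGNATURES = {
    "Demo.Sample.A": "E8 00 00 5E 83 EE 03 B4 40 CD 21",
    "Demo.Sample.B": "B8 ?? ?? CD 13 72 ?? 80 FC 02 75",
}
COMPILED = {name: compile_mask(mask) for name, mask in SIGNATURES.items()}


def scan_bytes(data: bytes, db=COMPILED) -> list:
    """Return (name, offset) for every mask that occurs in the data, ordered by offset."""
    hits = []
    for name, pattern in db.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path, db=COMPILED) -> list:
    """Scan one file on disk with the same database."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), db)


# Constructed sample "files": one clean, two carrying a demo mask (B's wildcards cover 0x0A bytes).
CLEAN_FILE = b"MZ" + b"\x90" * 64 + b"Hello from a clean program\r\n"
FILE_WITH_A = b"MZ\x90\x00" + b"\x00" * 30 + bytes.fromhex("E800005E83EE03B440CD21") + b"\x00" * 20
FILE_WITH_B = b"\xb8\x0a\x02\xcd\x13\x72\x0a\x80\xfc\x02\x75" + b"\x0a" * 8

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_FILE), ("with A", FILE_WITH_A), ("with B", FILE_WITH_B)):
        print(label, "->", scan_bytes(data))
```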

4.2 CRC scanners

The operating principle of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database, together with some other information: file lengths, dates of last modification, etc. On subsequent runs, CRC scanners compare the data stored in the database with the values actually calculated. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus.

CRC scanners using “anti-stealth” algorithms are quite a powerful weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on the computer. However, this type of antivirus has a drawback that significantly reduces their effectiveness.

This disadvantage is that CRC scanners are not able to catch a virus at the moment it appears in the system, but do this only some time later, after the virus has spread throughout the computer. CRC scanners cannot detect viruses in new files because their database does not contain information about these files.

Moreover, viruses periodically appear that take advantage of this “weakness” of CRC scanners, infecting only newly created files and thus remaining invisible to CRC scanners.
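As an added example (not the essay’s own code), this Python script implements the approach of the CRC scanners described in 4.2 and of the “auditor programs” mentioned earlier: it records length, modification time and a hash for every executable under a directory, compares a later run against that baseline, and reports files that appeared after the baseline separately, because, as the text notes, the database has nothing to compare them against. SHA-256 stands in for the CRC sums of the original tools, the set of executable extensions is an assumption, and the directory contents are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")  # assumption: what this auditor baselines


def fingerprint(path: Path) -> dict:
    """Length, modification time and SHA-256 of one file (the CRC of the original tools, strengthened)."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    stat = path.stat()
    return {"size": stat.st_size, "mtime_ns": stat.st_mtime_ns, "sha256": digest.hexdigest()}


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Record every executable under root, keyed by its path relative to root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def audit(root: Path, baseline: dict, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Compare the current state with the baseline.

    'new' is the blind spot the text describes: the auditor has nothing to compare
    those files against, so they have to be handed to a signature scanner instead."""
    current = build_baseline(root, suffixes)
    report = {"modified": [], "touched": [], "missing": [], "new": []}
    for name, old in baseline.items():
        now = current.get(name)
        if now is None:
            report["missing"].append(name)
        elif now["sha256"] != old["sha256"]:
            report["modified"].append(name)      # content changed, whatever size and date say
        elif (now["size"], now["mtime_ns"]) != (old["size"], old["mtime_ns"]):
            report["touched"].append(name)       # metadata changed but content identical
    report["new"] = sorted(name for name in current if name not in baseline)
    return report


def demo() -> dict:
    """Constructed walk-through in a temporary directory: baseline, change the tree, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.exe").write_bytes(b"MZ" + b"\x90" * 62)
        (root / "util.com").write_bytes(b"\xb4\x4c\xcd\x21" + b"\x00" * 28)
        (root / "notes.txt").write_bytes(b"not executable, so never baselined")
        baseline = build_baseline(root)

        # Change editor.exe without altering its length, then put its timestamp back:
        # a check on length and date alone would see nothing, the hash still differs.
        target = root / "editor.exe"
        before = target.stat()
        image = bytearray(target.read_bytes())
        image[2:6] = b"\xe9\x00\x01\x00"
        target.write_bytes(bytes(image))
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

        (root / "game.exe").write_bytes(b"MZ" + b"\xcc" * 30)   # appeared after the baseline
        (root / "util.com").unlink()                              # gone since the baseline
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```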

4.3 Monitors

Anti-virus monitors are resident programs that intercept virus-dangerous situations and notify the user about them. Virus-dangerous situations include calls to open executable files for writing, writes to the boot sectors of disks or the MBR of a hard drive, and attempts by programs to remain resident, i.e. calls that are typical for viruses during their reproduction.

The advantages of monitors include their ability to detect and block the virus at the earliest stage of its reproduction. The disadvantages include the existence of ways to bypass monitor protection and a large number of false positives, which, apparently, was the reason for the almost complete abandonment of this kind of anti-virus programs by users.

Another direction of antivirus tools worth noting is antivirus monitors implemented as computer hardware components. However, as with software monitors, such protection is easy to bypass. Added to the above disadvantages are compatibility problems with standard computer configurations and difficulties in installing and configuring them. All this makes hardware monitors extremely unpopular compared to other types of antivirus protection.

4.4 Immunizers

Immunizers are divided into two types: immunizers that report infection and immunizers that block infection.

The first ones are usually written to the end of files and each time the file is launched, they check it for changes. Such immunizers have only one drawback, but it is lethal: the absolute inability to report infection with a “stealth” virus. Therefore, such immunizers, like monitors, are practically not used at present.

The second type of immunization protects the system from infection by a virus of a certain type. The files on the disks are modified in such a way that the virus perceives them as already infected.

To protect against a resident virus, a program that simulates a copy of the virus is inserted into the computer’s memory; when launched, the virus encounters it and believes that the system is already infected.

This type of immunization cannot be universal, since it is impossible to immunize files against all known viruses. However, despite this, such immunizers, as a half-measure, can quite reliably protect a computer from a new unknown virus up to the moment when it is detected by anti-virus scanners.


Viruses and antiviruses

Completed by: Ilya Silkin 2-TR

1. What are viruses and antiviruses.

2. More information about viruses.

3. More information about antiviruses.

4. List of quality antiviruses.

5. List of common viruses.

What are viruses and antiviruses?

A computer virus (CV) is a program capable of creating copies of itself (not necessarily completely identical to the original), introducing them into various objects or resources of computer systems and networks, and performing certain actions without the user’s knowledge.

An antivirus is a program that protects a computer or mobile device from malware. The term “malware” covers all possible types of dangerous programs, such as viruses, worms, Trojan horses and spyware.

Read more about viruses.

Different viruses perform different actions:

  • display disturbing text messages on the screen (congratulations, political slogans, phrases intended to be humorous, etc.);

  • create sound effects (an anthem, a scale, a popular melody);

  • create video effects (flip or shift the screen, simulate an earthquake, make the letters fall out of the text, display pictures, etc.);

  • slow down the computer, gradually reduce the amount of free RAM;

  • increase the wear of hardware (for example, drive heads);

  • cause the failure of individual devices, freezing or rebooting of the computer, or a crash of the entire computer;

  • destroy the FAT, format the hard drive, erase the BIOS, destroy or change data, erase anti-virus programs;

  • carry out scientific, technical, industrial and financial espionage;

  • disable information security systems, etc.

Symptoms of a virus infection of a computer:

  • some programs slow down;

  • file sizes increase (especially executable ones);

  • previously non-existent “strange” files appear;

  • the amount of available RAM decreases (compared to normal operation);

  • various video and sound effects appear suddenly;

  • OS malfunctions occur (including freezing);

  • information is written to disks at times when this should not happen;

  • previously normally functioning programs stop or work incorrectly.

There are a large number of different classifications of viruses:

By habitat:

  • Network – spread over networks (Melissa).

  • File – infect executable files with the extensions .exe and .com. This class also includes macro viruses, which infect non-executable files (for example, in MS WORD or MS EXCEL).

  • Boot – are embedded in the boot sector of the disk (Boot sector) or in the sector containing the system disk boot program (Master Boot Record - MBR). Some viruses write their bodies to free sectors of the disk, marking them as “bad” in the FAT.

  • File-boot – capable of infecting both boot sectors and files.

By method of infection:

  • Resident – leave their resident part in RAM, which then intercepts program calls to the OS and embeds itself in them. The virus can repeat its destructive actions many times.

  • Non-resident – do not infect RAM and are active only once, when the infected program is launched.

By degree of danger:

  • Non-hazardous – for example, a message appears on the screen: “I want chuchu.” If you type the word “chucha” on the keyboard, the virus will temporarily “calm down.”

  • Dangerous – destroy some files on the disk.

  • Very dangerous – format the hard drive themselves (CIH activates on the 26th of every month and is capable of destroying data on the hard drive and in the BIOS).

By features of the algorithm:

  • Companion viruses – create new satellite files for exe files with the same name but the extension com. The virus is written to the com file and does not change the exe file of the same name in any way. When such a file is run, the OS first finds and executes the COM file, i.e. the virus, which then launches the exe file.

  • Replicators (worms) – spread over the Internet. They penetrate the computer’s memory from the network, calculate the network addresses of other computers and send copies of themselves to these addresses. Worms reduce network throughput and slow down servers. They can multiply without being introduced into other programs and may be “stuffed” with computer viruses. (The “Morris worm” paralyzed several global networks in the United States in the late 80s.)

  • Invisible (stealth) – mask their presence in the computer and are difficult to detect. They intercept OS calls to infected files or disk sectors and “substitute” uninfected sections of the files.

  • Mutants (ghosts, polymorphic viruses, polymorphics) – are difficult to detect because their copies contain practically no completely matching sections of code. This is achieved by adding empty commands (garbage) to the virus program, which do not change the virus’s algorithm but make it harder to detect. (Local “epidemics” of OneHalf occur regularly.)

  • Macro viruses – use the capabilities of macro languages built into data processing systems (Word, Excel).

  • “Trojan horses” – are disguised as a useful or interesting program while also performing destructive work during their operation (for example, erasing the FAT) or collecting information on the computer that is not meant to be disclosed. They do not have the property of self-reproduction.

By integrity:

  • Monolithic – the virus program is a single block, which can be detected after infection.

  • Distributed – the program is divided into parts. These parts contain instructions that tell the computer how to put them together to recreate the virus.

Read more about antiviruses.

Antivirus programs are developed to combat viruses. In medical terms, these programs can identify (diagnose), treat (destroy) viruses and inoculate “healthy” programs.

Kinds antivirus programs:

    Detector programs (scanners) – designed to detect specific viruses. Based on comparison of a characteristic (specific) sequence of bytes ( signatures or virus masks) contained in the body of the virus, with bytes of the programs being scanned. These programs need to be updated regularly, because... they quickly become outdated and cannot detect new types of viruses. If a program is not recognized by the detector as infected, this does not mean that it is “healthy”. It may contain a virus that is not included in the detector database.

    Doctor programs (phages, disinfectants) – not only find files infected with a virus, but also treat them by removing the body of the virus program from the file. Polyphages – allow you to treat a large number of viruses. Detector programs that simultaneously perform the functions of doctor programs are widespread. Examples: AVP(author E. Kaspersky), Aidstest(D. Lozinsky), Doctor Web(I. Danilov).

    Auditor programs – analyze the current state of files and system disk areas and compare it with information previously saved in one of the auditor files. This checks the status of the Boot sector, FAT, as well as the length of files, their creation time, attributes, checksums(modulo 2 summation of all bytes of the file). An example of such a program is Adin f(D. Mostovoy).

    Filter programs (watchmen, monitors) – resident programs that notify the user about every attempt by any program to perform a suspicious action; the user then decides whether to allow or prohibit that action. Filters control the following operations: updating program files and the system area of the disk; disk formatting; resident placement of programs in RAM. An example is the program Vsafe. A filter is not capable of neutralizing a virus; for this you need to use phages.

    Immunization programs – write the signs of a specific virus into the vaccinated program so that the virus considers it already infected and therefore does not re-infect it. These programs are the least effective and are outdated.
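An added example, not from the original text, that implements two of the mechanisms described above in Python: a detector that compares scanned bytes against a constructed signature mask, and an auditor that saves a baseline of file length, timestamp and checksums and reports what changed. The mask, the sample file and the `demo` function are constructed for illustration; the demo also shows why the modulo-2 (XOR) checksum alone is weak, since swapping two bytes leaves length and XOR unchanged and only a strong hash such as SHA-256 reports the change.

```python
import hashlib
import os
import tempfile

SIGNATURES = {"DEMO-MASK": bytes.fromhex("deadbeefcafe")}  # constructed mask, not a real one


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Detector: report every mask found in the scanned bytes. No match does not
    prove the file clean; the mask may simply be missing from the database."""
    return sorted(name for name, mask in signatures.items() if mask in data)


def xor_checksum(data: bytes) -> int:
    """The page's checksum: modulo-2 summation (XOR) of every byte of the file."""
    result = 0
    for byte in data:
        result ^= byte
    return result


def snapshot(path: str) -> dict:
    """Auditor: record file length, timestamp and checksums for later comparison."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": len(data),
        "mtime": int(os.stat(path).st_mtime),
        "xor": xor_checksum(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def audit(path: str, baseline: dict) -> list:
    """Return the names of the fields that differ from the saved baseline."""
    current = snapshot(path)
    return sorted(k for k in baseline if baseline[k] != current[k])


def demo() -> tuple:
    """Baseline a constructed file, then swap two of its bytes: length and XOR
    checksum are unchanged, so only the strong hash reports the modification."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "program.bin")
        original = b"MZ" + b"\x01\x02\x03\x04" * 8  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(original)
        baseline = snapshot(path)
        modified = bytearray(original)
        modified[2], modified[3] = modified[3], modified[2]  # same bytes, new order
        with open(path, "wb") as fh:
            fh.write(bytes(modified))
        os.utime(path, (baseline["mtime"], baseline["mtime"]))  # keep the timestamp equal
        return audit(path, baseline), scan(bytes(modified))
```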

List of quality antiviruses.

1. A-Squared Free

2. Avast! Free Antivirus

3. AVG Antivirus Free

4. Comodo Antivirus

5. Microsoft Security Essentials

6. Nano AntiVirus

7. Avira AntiVir Personal

10. Panda Cloud Antivirus

List of common viruses.

1. MyDoom. The most destructive to this day is the MyDoom virus, which has already caused losses of $38 billion. In addition to being the most devastating, it spreads quickly and far. When a user's computer is infected, the virus installs a special program on it and sends copies of itself to all addresses that can be found on the user's computer. In addition, the virus has the ability to open random programs. In 2004, it was estimated that 25% of all emails were infected with this virus.

2. SoBig. Another dangerous and destructive virus is SoBig. It caused $37.1 billion in damages in 2003. This fast-spreading virus circulated through email as spam and, if opened, was able to copy files, send itself to others, and cause great harm to software and hardware.

3. I Love You. This is another especially dangerous virus, which spreads quickly through email, websites and files. This virus, also known as the “I Love You” worm, damaged more than 500 thousand systems in 2000 and caused damage estimated at $15 billion. In the first week alone, it did $5.5 billion worth of harm to users. The virus sends itself to everyone on the computer owner's contact list. It became a kind of ancestor of the viruses that attach themselves to email messages.

4. Conficker. This malware caused losses of $9.1 billion in 2007 and infected millions of computers around the world. The virus scanned the computer for vulnerabilities and randomly generated a list of sites that it contacted to obtain executable code. When it received an executable file from a website, the worm checked its electronic digital signature and, if the signature matched, executed the file.

5. Code Red. To this day it is one of the most well-known viruses. In 2001, it caused more than $2 billion in damage by penetrating computer networks and exploiting weak spots in Microsoft software. As soon as the virus infected a computer, it began to actively search the network for other computers to infect.

6. Melissa. This is an extremely “slippery” virus that sent infected Microsoft Word documents via Microsoft Outlook to everyone in the user's address book. The letters looked like regular messages from a Microsoft Outlook user, but in fact they carried the Melissa virus. A sign that Melissa has snuck into your Outlook is that your contacts receive a message from your email with the text: “Here is the document you asked for... Don't show it to anyone.” This message is accompanied by a Word document containing the virus. In 1999, this virus caused $1.2 billion in damages.

7. SirCam. This computer worm caused more than $1 billion in losses to users in 2001. The virus compromises confidential information, deletes individual items, or fills free disk space until there is no room left to store anything else.

8. SQL Slammer. This is a malicious program that significantly affected banks and led to a sharp drop in Internet speed. Losses from this virus were estimated at approximately $750 million in 2003. It affected about 200 thousand computers around the world.

9. This is one of the most common viruses on the Internet. In 2001, the damage from it amounted to $635 million. It led to very slow loading of web pages and low connection speeds. In addition, the virus is able to penetrate the user's mail program and send files to everyone in the address book.

10. Sasser. This virus created many difficulties in 2004, causing losses of $500 million, disrupting the work of airlines, and blocking electronic cards. The creator of Sasser turned out to be a teenager and was quickly discovered when one of his “friends” turned him in for a reward promised by Microsoft in the amount of $250 thousand.

To summarize, viruses are very dangerous for today's users. They cause a lot of trouble and can ruin your computer or steal important data. Every user is expected to purchase an antivirus in order to protect their computer from viruses. The first virus appeared in the 90s, and viruses still exist and bring a lot of trouble to users. Viruses are very dangerous for computers even today. Therefore, I believe that every PC should have an antivirus that will protect it from malware.