Saturday, August 21, 2010

What is ekrn.exe, and how do you stop it?

When the system slows down and you open the process manager, you will sometimes find a process called ekrn.exe. Checking its memory and CPU usage in the process manager, you may see CPU usage peaking at 100%. Trying to end the ekrn.exe process fails with "Access denied", and at that point there seems to be nothing you can do about it. So what exactly is the ekrn.exe process, and how do you turn it off? Here is some basic knowledge about ekrn.exe.

What is ekrn.exe?

ekrn.exe is the main antivirus service process of ESET Smart Security and ESET NOD32 Antivirus.

Now that we know ekrn.exe belongs to the antivirus software, how should we solve the problem?

According to information provided by Microsoft, after installing the XP SP2 patch on a computer with NOD32, the NOD32 process ekrn.exe shows excessively high CPU usage; Microsoft's SP3 avoids this. So the way to avoid ekrn.exe using 100% (or too much) CPU is to run Windows XP SP3. A reminder, though: only install SP3 after confirming that your copy of Windows is genuine; if it is not, we do not recommend installing SP3, to avoid worse problems.

If your computer already runs SP3, you can use the following method. The steps below are what the author tried, and they solved the problem, so you can use them with confidence.

1. Suspend all NOD32 monitoring. There are two ways: first, right-click the little green eye of the NOD32 tray icon and choose "Disable virus and spyware protection"; second, start the NOD32 program, select the "Settings" tab and choose "Temporarily disable virus and spyware protection". If you use NOD32 in advanced mode, click "Settings", select "Virus and spyware protection", and set the three items "File system", "E-mail" and "Web access" to "Disabled".

2. After a few seconds, the CPU usage of ekrn.exe automatically drops to 0%; if you are impatient, use "End Process" on ekrn.exe in Task Manager.

3. A few seconds later, open Control Panel - Administrative Tools - Services (or, to save trouble, run services.msc directly), find the "Automatic Updates" entry, right-click it, set its startup type to "Disabled" in Properties, and then right-click it and "Stop" the service.

4. Open the C:\WINDOWS\SoftwareDistribution folder and delete all the files in it.

5. As in step 3, find "Automatic Updates", right-click it, set the startup type back to "Automatic", and click "Start" to start the service.

6. Using the method from step 1, restore NOD32's full protection.

Analysis: In this situation the high CPU usage of ekrn.exe is not the fault of the NOD32 antivirus itself but of a bug in SVCHOST.exe introduced by the SP2 patch: the Windows Update service repeatedly fails to download and install updates. The "Automatic Updates" service we manipulated above runs inside an SVCHOST.exe background process; its repeated failed download and install attempts keep triggering NOD32's scanning, so ekrn.exe scans the same activity over and over and its CPU usage stays high.

If that does not help, try the following:

ekrn.exe using 100% CPU may also be caused by ESET's advanced heuristic scanning. Go to Advanced Settings - Virus and spyware protection - Settings - Options and untick "Advanced heuristics".

The same checkbox also exists under Advanced Settings - Real-time file system protection - Settings - Options, where advanced heuristics can be unticked as well.

IE 6/7/8 have a remote code execution vulnerability

Following the recent investigation of the IE flaw, Microsoft today released security advisory KB979352, which says that multiple versions of IE are affected by a remote code execution vulnerability caused by an invalid pointer reference inside IE. In a specially crafted attack, IE attempting to access a freed object can be made to allow remote code execution.

A Microsoft spokesman said: "Microsoft has confirmed that IE is one of the tools being used in the attacks on Google and other organizations' networks; the company will continue to work with Google and other industry partners to investigate this issue further. At present Microsoft has not seen a broader range of users affected, and has only found a limited number of active attacks exploiting this vulnerability against IE6; other versions are not under attack."

Microsoft said the flaw does not affect IE 5.01 SP4 on Windows 2000 SP4, but the remote code execution vulnerability was found in the following versions: IE6 SP1 on Windows 2000 SP4; and IE6, IE7 and IE8 on Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

Microsoft has not yet released a patch, but has provided some emergency measures to mitigate the problem. Microsoft said that after further investigation it will either release the patch on the regular Patch Tuesday or provide users with an out-of-cycle security update.

Microsoft releases emergency patch for high-risk IE vulnerability

Microsoft today released an emergency security update to fix the high-risk vulnerability in IE. The update is rated critical; apart from IE6 on Windows Server 2003, the previously disclosed remote code execution vulnerability affects all IE versions on all Microsoft Windows systems, including IE 5.01, IE6, IE7 and IE8.

Microsoft has begun pushing the patch through Windows Update, Microsoft Update, Windows Server Update Services and the Download Center, and has also released the latest version of the Windows Malicious Software Removal Tool. Windows users of IE 5/6/7/8 can turn on automatic updates to receive the cumulative security update Microsoft provides.

Microsoft discovered this vulnerability during the attacks on Google, and shortly afterwards exploit code for the IE6 vulnerability was made public; Microsoft then recommended that users of older IE versions (especially IE6) upgrade to IE8. Given the seriousness of the vulnerability, Microsoft decided to release the security patch out of cycle rather than wait for next month's Patch Tuesday.

Before this, many countries and regions had already begun taking measures. Since last week the German Federal Office for Information Security (BSI), the French government and the Australian government have suggested that, until the patch is released, users had best stop using IE and switch to other browsers.

Official download:

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Microsoft releases March 2010 security bulletins

Microsoft has released the March 2010 security bulletins; there are two security updates this month. The affected products are Windows Movie Maker and Office Excel: opening a specially crafted file could allow an attacker remote code execution, and installing the updates fixes both flaws.

The bulletin titles, summaries and update downloads follow, sorted by severity.

Important (2)

Vulnerability in Windows Movie Maker could allow remote code execution (975561)

This security update resolves a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker (for Windows Vista and Windows 7) is not affected. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced a user to open it. Users whose accounts are configured with fewer user rights on the system would be less affected than users with administrative rights.

Security update for Windows XP (KB975561)
Movie Maker 2.6 security update for Windows Vista (KB975561)
Movie Maker 6.0 security update for Windows Vista (KB975561)
Movie Maker 2.6 security update for Windows Vista x64 (KB97556
Movie Maker 6.0 security update for Windows Vista x64 (KB97556
Security update for Windows 7 (KB975561)
Security update for Windows 7 x64 (KB975561)

Vulnerabilities in Microsoft Office Excel could allow remote code execution (980150)

This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited them could gain the same user rights as the local user. Users whose accounts are configured with fewer user rights on the system would be less affected than users with administrative rights.

Excel 2002 security update (KB978471)
Office Excel 2003 security update (KB978474)
Office Excel 2007 security update (KB978382)
Office Excel Viewer security update (KB978383)
Office 2007 security update (KB978380)
Excel Services for SharePoint Server 2007 security update (KB979439), 32-bit
Excel Services for SharePoint Server 2007 security update (KB979439), 64-bit

Other updates:
March 2010 Security Releases ISO Image Update

Note: all updates listed here are Simplified Chinese only and do not include updates for Itanium systems or the Mac platform. For details of the bulletins, visit Microsoft's official website.

Beware of the "constructor function Trojan"

Kaspersky warns of a virus to watch this week: the "constructor function Trojan". The virus uses the UPack packer to protect itself. Once a user is infected, the virus runs an IE (browser) process in the background of the infected system; that IE process listens for commands from a remote server, and the virus also injects itself into the desktop process of the infected machine. At the same time, the "constructor function Trojan" automatically downloads a large number of virus files from a specific server to the infected computer; most of these downloaded files are account-stealing Trojans, spyware and the like, so infected users may suffer immeasurable losses of information and money.

We recommend updating your virus database and scanning as soon as possible to avoid unnecessary losses.

1. Practice good security habits: do not open suspicious e-mails or visit suspicious websites.
2. Do not casually receive or send files over chat software, and do not click links sent in chat windows.
3. When using removable media, it is best to open it by right-clicking, and scan it first if necessary.
4. Many viruses spread through system vulnerabilities, so applying all system patches is also very important.
5. Install the Kaspersky Internet Security suite as soon as possible and enable full real-time protection.
6. Set a more complex password for the machine's administrator account to prevent viruses spreading by password guessing; the best passwords combine digits and letters.
7. Do not download software from unreliable sources, because such software may carry viruses.

Monday, August 16, 2010

Robot dog virus

Virus name: Trojan/Agent.pgz
Chinese name: Robot Dog
Virus type: Trojan
Hazard rating: ★★★
Affected platforms: Win 9X/ME/NT/2000/XP/2003
Behavior:

The "Robot Dog" virus mainly attacks environments that use system-restore software and hardware restore cards, such as Internet cafes. When it runs, the virus drops a driver named pcihdd.sys in the %WinDir%\System32\drivers directory; this driver takes over hard disk read and write operations from Deep Freeze or the hard disk protection card, so the virus breaks through the protection of Deep Freeze and restore cards. The virus then exploits MS06-014, MS07-017 and vulnerabilities in several applications to download various online-game Trojans from http://xx.exiao***.com/, http://www.h***.biz/ and http://www.xqh***.com/, which steal account names and passwords for online games including Legend, World of Warcraft, Journey and Miracle, seriously threatening players' virtual property. Because restore software and restore cards are used mostly in Internet cafes, Internet cafes are the hardest hit.

ANI virus

Virus name: Exploit.ANIfile
Chinese name: ANI virus
Virus type: Worm
Risk level: ★★
Affected platforms: Windows 2000/XP/2003/Vista

Description: Taking Exploit.ANIfile.b as an example, "ANI virus" variant b is a network worm that spreads using the Microsoft Windows ANI file handling vulnerability (MS07-017). When it runs, it copies itself to the system directory and modifies the registry so that it starts at boot. It infects normal executable files and local web files, and downloads many Trojans. It infects many kinds of web documents on local disks and network shares (including *.HTML, *.ASPX, *.HTM, *.PHP, *.JSP and *.ASP), implanting malicious code that exploits the ANI file handling vulnerability. It copies itself to the root directory of logical drives and creates an autorun.inf autoplay configuration file, so double-clicking the drive letter activates the virus and causes reinfection. It modifies the hosts file to block many websites, most of which were previously used to spread other viruses. In addition, variant b can spread via e-mail using its built-in SMTP engine.

Online Game Thief

Virus name: Trojan/PSW.GamePass.jws
Chinese name: "Online Game Thief" variant jws
Virus length: 13,739 bytes
Virus type: Trojan
Hazard rating: ★★
Affected platforms: Win 9X/ME/NT/2000/XP/2003

Trojan/PSW.GamePass.jws, "Online Game Thief" variant jws, is one of the latest variants of the "Online Game Thief" Trojan family; it is written in Visual C++ and packed. When it runs, it copies itself to the Windows directory and registers itself as a system service named "Windows_Down" so that it starts at boot. The virus steals account names and passwords for online games including "Legend World", "World of Warcraft", "Perfect World", "Journey" and "Swordsman", and downloads other viruses to run locally. Once a player's computer is infected, game accounts and equipment can be lost, harming the player.

ARP virus

Virus name: "ARP"-type virus
Chinese name: "ARP"-type virus
Virus type: Trojan
Risk level: ★★★
Affected platforms: Win 9X/ME/NT/2000/XP/2003

Description: The ARP spoofing virus (hereafter "ARP virus") is a special class of virus. These are generally Trojans: they do not spread actively and do not self-replicate. However, because they flood the whole LAN with forged ARP packets when they attack and disrupt the operation of the entire network, their damage is far worse than that of some worms. ARP spoofing works with forged IP and MAC addresses; it can generate large amounts of ARP traffic that congests the network, or redirect and sniff traffic as a "man in the middle". By sending ARP reply packets with a forged source MAC address, it attacks the ARP cache mechanism. When a host on the LAN runs an ARP-spoofing Trojan, it deceives every host and the router on the LAN so that all Internet traffic must pass through the infected host. Other users who previously reached the Internet through the router now go through the infected host, and their connection drops at the moment of the switch. Once traffic flows through the infected host, if the user was logged in to a Legend server, the infected host often fakes a disconnection so that the user has to log in to the Legend server again, and the infected host can then steal the account.
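The poisoning sequence just described, turned into a small detector as an added example (it is not part of the original post): the script unpacks raw ARP packets, tracks which MAC claims which IP, and raises an alert when a sender contradicts a static gateway binding or a binding already learned from traffic. A MAC that claims more than one IP is reported as a suspect, since that is what a host poisoning both the victim and the gateway looks like. All addresses and packets are constructed inside the file and come from no real network.

```python
"""Detect ARP cache poisoning from raw ARP packets (added example, constructed traffic)."""
import socket
import struct
from collections import defaultdict

# hardware type, protocol type, hw addr len, proto addr len, opcode, sender MAC/IP, target MAC/IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes, the payload after the 14-byte Ethernet header
OP_REQUEST, OP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP packet; used here only to construct sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))


def parse_arp(pkt):
    """Unpack the ARP header and reject anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpMonitor:
    """Track sender IP->MAC bindings and flag the conflicts that ARP spoofing produces."""

    def __init__(self, static_bindings):
        self.static = dict(static_bindings)    # trusted entries, e.g. the gateway
        self.bindings = {}                     # ip -> first MAC learned from traffic
        self.ips_by_mac = defaultdict(set)     # mac -> every IP it has claimed
        self.alerts = []

    def feed(self, pkt):
        a = parse_arp(pkt)
        ip, mac = a["spa"], a["sha"]   # requests and replies both carry a sender binding
        alert = None
        if ip in self.static and mac != self.static[ip]:
            alert = f"{mac} is impersonating {ip} (static binding {self.static[ip]})"
        elif ip in self.bindings and self.bindings[ip] != mac:
            alert = f"binding for {ip} changed from {self.bindings[ip]} to {mac}"
        self.bindings.setdefault(ip, mac)
        self.ips_by_mac[mac].add(ip)
        if alert:
            self.alerts.append(alert)
        return alert

    def suspects(self):
        """MACs that claimed more than one IP: the signature of a host poisoning both sides."""
        return sorted(m for m, ips in self.ips_by_mac.items() if len(ips) > 1)


# Constructed sample LAN (hypothetical addresses)
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "00:11:22:33:44:99"

# Two legitimate packets, then the pair an ARP-spoofing host sends to sit in the middle
SAMPLE = [
    build_arp(OP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(OP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway"
    build_arp(OP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "I am the victim"
]


def run_sample():
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    for pkt in SAMPLE:
        mon.feed(pkt)
    return mon


if __name__ == "__main__":
    m = run_sample()
    for line in m.alerts:
        print("ALERT:", line)
    print("suspect MACs:", m.suspects())
```

On a real network the packets would come from a raw socket or a capture file; the static binding table is the part worth maintaining, because the "first binding seen" heuristic alone can be defeated by a host that starts spoofing before the monitor starts.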

U Disk Parasite

Virus name: Virus.Autorun.gr
Chinese name: "U Disk Parasite" variant gr
Virus length: 22,096 bytes
Virus type: Worm
Risk level: ★★
Affected platforms: Win 9X/ME/NT/2000/XP/2003

Virus.Autorun, the "U Disk Parasite", is a worm that spreads through U disks (USB flash drives) and other removable devices. It is an autoplay worm driven by the autorun.inf file. An autorun.inf file is normally present in the root directory of U disks, MP3 players, portable hard disks and of every hard disk partition; when the user double-clicks the U disk or another such device, Windows' AutoPlay function runs the autorun.inf file first, and that file immediately loads and executes the virus program, damaging the user's computer and causing losses.
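An added example (not the author's code) of how such a file is read: a tolerant autorun.inf parser that lists every directive Explorer would execute, distinguishing the entries that fire on AutoPlay or double-click from context-menu verbs. Both sample files are constructed for this example; the worm-style one follows the hidden-RECYCLER-path pattern these worms use but is not a real sample.

```python
"""List what an autorun.inf would launch (added example; sample files are constructed)."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}                          # executed by AutoPlay
CMD_KEY = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")     # drive context-menu verbs
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}, ignoring comments, NULs and junk."""
    entries = {}
    in_section = False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun")   # [autorun], [AutoRun.amd64], ...
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Yield (key, command, on_default_action) for every directive that runs a program."""
    default_verb = entries.get("shell", "open").lower()   # 'shell=' changes what double-click does
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            yield key, value, True
        else:
            m = CMD_KEY.match(key)
            if m:
                yield key, value, m.group("verb").lower() == default_verb


def assess(text):
    """Return a list of findings; an empty list means nothing in the file launches a program."""
    findings = []
    for key, cmd, on_default in launch_targets(parse_autorun(text)):
        path = cmd.split()[0].lower() if cmd else ""
        if not path:
            continue
        where = "runs on AutoPlay/double-click" if on_default else "runs from the context menu"
        note = f"{key}={cmd}: {where}"
        if any(d in path for d in HIDDEN_DIRS):
            note += "; target lives in a hidden/system folder"
        findings.append(note)
    return findings


# Constructed sample in the style of USB worms (hypothetical path, not a real sample)
WORM_INF = """[AutoRun]
;Explorer ignores this line, and so must the parser
OPEN=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\loader.exe
shell\\open=Open(&O)
shell\\open\\Command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\loader.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\loader.exe -e
shellexecute=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\loader.exe
UseAutoPlay=1
"""

# Constructed benign example: sets an icon and label only, launches nothing
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""

if __name__ == "__main__":
    for name, text in (("worm", WORM_INF), ("benign", BENIGN_INF)):
        print(name, assess(text) or "nothing executable")
```

The parser deliberately lower-cases keys and skips NUL bytes and comment lines, because worms rely on Explorer being more forgiving than a naive scanner; the `shell=` default-verb handling matters because a file can leave `open=` alone and still hijack double-click through `shell\<verb>\command`.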

Saturday, August 14, 2010

The first picture virus appears online

Anti-virus vendors have intercepted, and portals have reported, the first picture virus exploiting Microsoft's latest security vulnerability, and they remind users to update their antivirus software and patch their systems in time.

"Although there are not many cases of infection by this picture virus so far, it proves that a virus exploiting the vulnerability has appeared, and variants may appear at any time," Kingsoft anti-virus experts told reporters. Because the "picture virus" spreads unusually widely, users can be infected while browsing pictures on the Internet, opening infected pictures in e-mail, and even while viewing other users' avatars in instant messaging software.

Monitoring data from the Kingsoft anti-virus center shows that the first picture virus so far, named "Wxploit.win32.MS04-028.Gen", is a Trojan-type virus. If the user has not applied the patch in time, browsing such a picture can make the computer connect to an FTP address specified by the Trojan planter, download a Trojan file from that FTP server and run it, so that the infected machine can be remotely monitored and controlled.

Viruses hidden in electronic pictures

While you browse beautiful scenery and other electronic pictures online, you might not expect to be infected by a vicious computer virus. Recently the Kingsoft anti-virus center warned that, with the newly disclosed Microsoft GDI+ "JPEG processing buffer overflow" vulnerability, users can be exposed simply by browsing electronic pictures on the Internet!

Electronic pictures can attack in three forms: mass e-mails with virus attachments that entice users to click the picture; malicious web pages, where the electronic picture files on the page, or even the pictures that come with the page, can infect users as they browse; and instant messaging software (such as MSN or QQ), through avatars or sent picture files. Kingsoft anti-virus expert Guo Jun explained that the picture virus crashes the user's system when they view the electronic picture, and at the same time runs other virus code on their machine, letting Trojans and worms into the personal computer.

Kingsoft anti-virus experts believe that a new feature of computer viruses this year is the shift to electronic-picture viruses, and that Trojans are what to watch for over the October 1 National Day holiday. Trojans, together with worms, infiltrate users' computers through e-mail, web browsing and operating system vulnerabilities, while the electronic picture virus only needs to lure the user into clicking a picture to infect.

With the October holiday approaching, Duba makes six safety recommendations:
1. Against virus outbreaks: all users should apply the patches for the e-picture vulnerability.
2. Against Trojans and account theft: install an anti-hacker firewall in time.
3. Against hackers: do not run programs of unknown origin from virus-infected websites.
4. Against traps: do not fill in credit card numbers for free e-mail greeting cards.
5. Against virus e-mail: do not open e-mail from strangers.
6. Against QQ Tail and similar viruses: do not click links or run programs sent by others.

The Kingsoft anti-virus center predicts that viruses exploiting this electronic-picture vulnerability will soon appear, and users should patch immediately. Duba's current virus database has been upgraded with signatures for this vulnerability and can detect and remove electronic picture viruses that exploit it; a scanning tool for the vulnerability will be announced today. For more information, visit the db.kingsoft.com information security website.

Additional explanation:

The difference between the GDI+ vulnerability and earlier ones is that the previous major flaws affected only the operating system, whereas GDI+ is used by applications, so applications are affected too, and users cannot tell which programs use GDI+ and whether they are vulnerable. Because of this, Kingsoft released an emergency JPEG picture vulnerability scanning tool (download: db.kingsoft.com) which, on one hand, helps users check all pictures for attacks exploiting the flaw and remove JPEG picture viruses, and on the other hand checks all applications on the computer for the vulnerability.

Back at work after the holiday, beware of the JPEG virus and the "Love You" virus

After the holiday, the first thing for office workers is a thorough clean-up of their computers. Because computers and networks went unused for a long time, mailboxes will certainly be full; while dealing with business e-mail, Duba anti-virus experts warn, users must pay attention to viruses hidden in messages, such as the "Love You" worm that spread during the October holiday, and the much-discussed "picture virus", which is likely to cause serious damage after the holiday. Experts believe the first task back at the office is to scan for viruses and prevent financial losses.

They remind us to focus on preventing two categories of virus. The first spreads by e-mail, such as the "Pull Mill Rat" virus that appeared after the holiday and spreads through Outlook; "Pull Mill Rat" is a hacker tool that spreads by e-mail, through which hackers can control the user's system, upload, download, execute and delete files on it, or shut it down, seriously affecting normal use.

The second category to be wary of is the "picture virus": at present, all kinds of electronic pictures may carry viruses! Photos of beautiful women, cats, dogs and other animals, or even friends' photos may hide a vicious virus. If the user clicks on such a picture, infection is likely: the machine may crash or slow down, or personal information may leak, so computer users had better look at fewer pretty pictures.

Kingsoft anti-virus experts recommend two measures to protect computers from viruses. Users must immediately start a full virus scan, scanning every file on the hard disk. Users should also delete spam and avoid opening e-mail from strangers, to prevent worms, picture viruses and the like from wreaking havoc via e-mail.

At present, office computer users are the main targets of computer virus damage; picture viruses, Trojans and worms will spread via e-mail, browsing of pretty photos and other routes, and virus activity will be high in the near future, so users should avoid risky operations such as browsing electronic pictures as much as possible.

Users can visit db.kingsoft.com, an authoritative anti-virus website, for more information on the latest viruses and the post-holiday anti-virus situation.

"MSN Liar" virus spreading in the wild

Sina Technology News, October 10: Rising's global anti-virus monitoring network was the first to intercept a virus that uses MSN to send spam advertising messages, named "MSN Liar" (Worm.msn.funny). On October 10 many MSN Messenger users contacted the Rising customer service center reporting that they had received a message reading "Irrefutable evidence of the Japanese massacre in Nanjing! Boycott firmly! www.**78P.com", followed by a file "FUNNY.EXE"; once run, the file sends the same message to all of the user's online contacts.

According to Rising's global anti-virus monitoring network, the virus spreads and infects very quickly; its spread among MSN users is even comparable to the "Blaster" and "Sasser" viruses. Rising anti-virus chief Cai Jun explained that the virus appears to be a promotional tactic by a website-directory site; apart from randomly sending the virus message to MSN contacts, its other destructive effects on the user's system are still being analyzed.

Rising has reported the incident to the public security department; under the law, creating and spreading computer viruses incurs legal responsibility.

For this vicious virus, Rising released an emergency upgrade on October 10; RISING Antivirus version 16.47.30 can completely remove it. Users can also call the Rising anti-virus emergency line at 010-82678800 for help.

Hackers attack using pornography

Sina Technology News: Several anti-virus companies and Internet security organizations have issued security warnings that malicious hackers have begun spreading pornographic images carrying the "JPEG vulnerability" on Usenet newsgroups; this is the first report of hackers using the "JPEG vulnerability" to attack the public. The "JPEG vulnerability" is a security flaw Microsoft disclosed on September 14: if a user downloads a JPEG image with the problem, a remote-control program can be installed on the computer, giving the malicious hacker remote control of the target host.

Hackers posted pornographic images carrying the "JPEG vulnerability" on various Usenet newsgroups mainly because many users share pornographic images through newsgroups. According to information published on the security forum Bugtraq and on Easynews.com, on September 28 Beijing time hackers posted such pictures in newsgroups like "alt.binaries.erotica.breasts"; the e-mail address some of the hackers used was Power-Poster@power-post.org.

Johannes Ullrich, chief technology officer of the ISC (Internet Storm Center), said it is hard to distinguish the images in the newsgroups from normal pictures, but they contain code that exploits the "JPEG vulnerability". The hackers' exploitation method is a slightly modified version of the "JPEG of Death" released last weekend. Like the other exploits, "JPEG of Death" uses a JPEG file to cause a buffer overflow in the GDI+ JPEG decoder. The GDI+ JPEG decoder is a common Windows component used widely in the Windows operating system, the IE browser, Outlook and other Windows software.

When a user opens a JPEG image with the problem, the computer automatically installs the remote control program Radmin, which the hacker can use as a "Trojan horse" to gain remote control of the target host. In addition, the host infected with this "Trojan horse" automatically sends a report to an IRC channel. Ullrich said this attack only works on computers running Windows XP.

ISC and the anti-virus companies remind users that, technically, images carrying the "JPEG" flaw do not spread like a virus, but a hacker could modify the code so that it automatically downloads an e-mail engine able to send itself, speeding up the spread. Security experts fear the GDI+ JPEG flaw could lead to Internet-wide spread like the "Sasser" virus. Because the "JPEG" vulnerability can give unauthorized access to the target host through the IE browser, the Outlook e-mail program, Office and other applications, it is very attractive to malicious hackers.
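The "JPEG processing buffer overflow" in the Kingsoft pieces above and the GDI+ decoder overflow described here are the same flaw, MS04-028: a JPEG marker segment whose two-byte length field is 0 or 1, which the decoder treated as a comment of length minus two. The checker below is an added example, not code from the original reports or from any vendor's scanning tool: it walks the JPEG marker segments and flags any segment with an impossible or out-of-range length. Both headers are constructed in the file; the "bad" one carries only the malformed length, no payload.

```python
"""Flag JPEG marker segments with the impossible lengths behind MS04-028 (added example)."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# TEM, SOI, EOI and RSTn markers carry no length field
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def segments(data):
    """Yield (marker, offset, declared_length) for each marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, None
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, pos, length
        if marker == SOS:           # entropy-coded data follows; not parsed here
            return
        if length < 2:              # cannot advance past a segment shorter than its own length field
            return
        pos += 2 + length


def check_jpeg(data):
    """Return a list of findings; empty means every segment length is plausible."""
    findings = []
    try:
        for marker, off, length in segments(data):
            if length is None:
                continue
            if length < 2:
                findings.append(f"marker 0xFF{marker:02X} at offset {off}: length {length} < 2 "
                                "(the MS04-028 underflow trigger)")
            elif off + 2 + length > len(data):
                findings.append(f"marker 0xFF{marker:02X} at offset {off}: length {length} "
                                "runs past end of file")
    except ValueError as e:
        findings.append(f"malformed structure: {e}")
    return findings


def _seg(marker, payload):
    """Build a well-formed segment (used to construct the samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
# Constructed minimal header: SOI, APP0, a comment, EOI (no image data is needed for the header walk)
GOOD_JPEG = b"\xff\xd8" + _seg(0xE0, JFIF_APP0) + _seg(COM, b"ok") + b"\xff\xd9"
# Constructed header with the comment length the GDI+ decoder choked on; padding only, nothing executable
BAD_JPEG = b"\xff\xd8" + _seg(0xE0, JFIF_APP0) + b"\xff\xfe\x00\x01" + b"A" * 32 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, check_jpeg(blob) or "ok")
```

The walk stops at SOS because the entropy-coded scan data is not marker-delimited in the same way; for triage of files from newsgroups or mail that is sufficient, since the malformed COM or APPn segment has to sit in the header the decoder reads first.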

Wednesday, August 11, 2010

Hybrid worm computer virus

A hybrid worm is malicious code that combines all the features of a virus: it usually modifies executable code and stays resident in memory, but it also spreads across the network without user consent. According to Ed Skoudis, author of Malware: Fighting Malicious Code, there is now another kind of virus that is more advanced: it has the ordinary virus's ability to infect files, but also spreads rapidly within the network the way a worm does.

How to remove new Trojans that break through active defense

Patient: I use antivirus software with active defense, which can block Trojans, but my e-mail account was recently stolen. Why is that?

Doctor: That is actually quite normal; after all, antivirus software is not a panacea and cannot stop every current malicious program. Your e-mail was most likely stolen by a Trojan that can break through active defense, such as the latest ByShell Trojan. This is a new type of Trojan whose biggest feature is that it can easily break through the active defense of antivirus software.

Using the SSDT to bypass active defense

Patient: How do Trojans like ByShell get past active defense?

Doctor: The earliest method hackers used was to change the system date to an earlier date, so that the antivirus software automatically turned off all its monitoring functions, and with them its active defense. Now many Trojans can break through active defense without adjusting the system time.

Windows has an SSDT, short for System Service Descriptor Table (Chinese name: "system service descriptor table"). This table is the channel through which commands from the application layer are passed to the system kernel.

All antivirus software implements active defense by modifying the SSDT, so that a malicious program cannot run normally and can easily be intercepted. If you have antivirus software with active defense installed, you can use IceSword's SSDT function to view the table, and you will find the modified SSDT entries marked in red.

The ByShell Trojan searches the current system's SSDT, then locates the system's original SSDT and overwrites the current table with the original. The Trojan can then run normally, and active defense is defeated.

Tip: ByShell uses leading penetration technology, using the latest kernel driver techniques to break through antivirus active defense. It can break through common domestic and foreign antivirus products including Kaspersky, Rising, Trend Micro and Norton, even their latest versions.
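The hook-and-restore sequence the doctor describes, modelled as an added example (this is neither the article's code nor kernel code: a dictionary of Python callables stands in for the real SSDT, the two service functions are stand-ins, and the process id and policy are hypothetical). The model shows the three moves in order: the antivirus replaces table entries with policy-checking wrappers, an IceSword-style comparison lists the replaced entries, and the Trojan copies the original table back over the hooks.

```python
"""Model of SSDT hooking, hook detection and ByShell-style restoration (added example)."""

OWN_PID = 4242   # hypothetical id of the protected process used by the policy below


def nt_create_file(path):
    """Stand-in for the kernel service an SSDT entry would normally point at."""
    return f"created {path}"


def nt_write_virtual_memory(pid, data):
    """Stand-in for the service a code-injecting Trojan needs."""
    return f"wrote {len(data)} bytes into pid {pid}"


# The "original" table: service name -> unhooked implementation
ORIGINAL_SSDT = {
    "NtCreateFile": nt_create_file,
    "NtWriteVirtualMemory": nt_write_virtual_memory,
}


class Blocked(Exception):
    """Raised when the active-defense policy refuses a call."""


def install_av_hooks(table, policy):
    """Active defense: replace every entry with a wrapper that consults the policy before calling through."""
    for name, func in list(table.items()):
        def hooked(*args, _name=name, _func=func):
            if not policy(_name, args):
                raise Blocked(f"{_name}{args} denied by active defense")
            return _func(*args)
        table[name] = hooked


def find_modified(table, pristine):
    """What an IceSword-style viewer does: entries whose target differs from the original show 'red'."""
    return sorted(name for name in pristine if table[name] is not pristine[name])


def byshell_restore(table, pristine):
    """The bypass: copy the original table over the hooked one, removing every hook at once."""
    table.update(pristine)


def scenario():
    """Run the sequence and record what each side observes at each stage."""
    live = dict(ORIGINAL_SSDT)

    def policy(name, args):
        # crude anti-injection rule: refuse writes into any process other than our own
        return not (name == "NtWriteVirtualMemory" and args[0] != OWN_PID)

    out = {}
    install_av_hooks(live, policy)
    out["red_entries_after_hook"] = find_modified(live, ORIGINAL_SSDT)
    try:
        live["NtWriteVirtualMemory"](1234, b"payload")
        out["injection_with_hooks"] = "allowed"
    except Blocked:
        out["injection_with_hooks"] = "blocked"

    byshell_restore(live, ORIGINAL_SSDT)
    out["red_entries_after_restore"] = find_modified(live, ORIGINAL_SSDT)
    out["injection_after_restore"] = live["NtWriteVirtualMemory"](1234, b"payload")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The empty list after the restore is the practical point: a viewer that only compares the live table with the original cannot distinguish "never hooked" from "hooks stripped", so once the Trojan has run, the table looks clean while the protection is gone. That is why the removal procedure later in this article ends with repairing or reinstalling the antivirus software rather than trusting the table.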

Cleverly removing Trojans that defeat active defense

Patient: I understand how this kind of Trojan works, but I still do not know how to remove it.

Doctor: The removal method is not difficult and is similar to that for other Trojans. Here we use the removal of a typical ByShell Trojan as an example to explain the specific steps.

Step 1: First run the security tool WSysCheck and click the "Process Management" tab; you will see several processes shown in pink, indicating that a Trojan thread has been injected into them. Click one of the pink IE browser processes and you will find a suspicious Trojan module, hack.dll (Figure 1). Of course, hackers sometimes use other names, so raise your guard whenever a module carries no "company" information.

Step 2: Then click the program's "Service Management" tab; you will see several system services shown in red, indicating that they are not the system's own services. Looking through them, a service named hack is particularly suspicious, because its name is the same as that of the Trojan module.

Likewise, if the hacker has given the service another name, pay attention to services whose "Status" column shows "unknown", and it is best to check them one by one.

Step Three: Click the program's "File Manager" tab, the management of resources in the simulation window, the path module in accordance with the guidelines of suspicious and soon found that suspicious Trojan module file hack.dll, at the same time also found a and the module file with the same name of the executable file (Figure 3). It seems that the Trojan is mainly formed by the two documents.

Step Four: Now we begin the cleanup Trojan. In the "process management" in the first pink IE browser to find the process, select it by right after the "end of the process" command removed it. Then click on "Service Management" tab, select the service named after the hack, right-click menu "Remove the selected service" command to delete.

Then the selection process "document management" tab, on the Trojan file final cleanup. In the system's system32 directory to find hack.dll and hack.exe file, right-click menu in the "direct delete" command to complete the final blow to the Trojans. Now restart the system again to see, sure to be cleaned Trojan in it.

Step Five: As the Trojans destroyed the anti-virus software in the SSDT table of contents, so we had better take the initiative to use the software that comes with repair to repair, or simply re-install anti-virus software once.

Summary

Before planting a Trojan, a hacker's most important job used to be making it evade detection, so that it escapes the anti-virus software's signature scanning. Besides basic evasion, hackers now also think about how to break through active defense capabilities. Since Trojans that can break through active defense already exist and there will be more and more of them in the future, we must strengthen our security awareness.

Fighting worms with fire: building nematode worms to catch malicious ones

A high-profile security researcher believes companies can reduce network security costs by using non-malicious worms, and has begun taking action, working on a new framework for building "controllable worms" in order to benefit enterprises.

Dave Aitel, a vulnerability researcher at the New York company Immunity, demonstrated a "nematode" framework at the Hack In The Box conference in Kuala Lumpur, Malaysia, and stressed that worms will become an important component of good corporate security policy.

In an interview with Ziff Davis Internet, Aitel said: "We are trying to change the way people think; we do not want people to think this is impossible. Building beneficial worms and using them is entirely possible, and companies will implement it."

Over the years, security experts have debated the concept of good worms versus malicious, destructive worms: some think that fighting a worm with a worm is a good strategy and that building a good worm is the right way to solve the problem, while others disagree, because the uncontrolled self-replication process makes people uneasy.

Aitel is in the former camp; he believes worm-based anti-virus technology can significantly reduce the cost of maintaining networks and that it is inevitable.

Aitel said: "We have already verified that you only need to use a very simple flaw and a few steps, taking a few minutes, to make a working worm."

He chose the name "nematode" because nematodes (roundworms) are often used to control pests in crops. Aitel explained: "We can generate the worm in any way we want, and create a strictly controlled program of activity for the nematode."

Aitel previously worked at @stake and before that spent six years at the NSA (National Security Agency) as a computer scientist. He firmly believes that worms can provide the answer to reducing security costs.

He has seen some ISPs, government departments and large companies use "strictly controlled" nematodes to reduce costs significantly.

In his report at the Hack In The Box conference, Aitel listed the reasons for making worms and explained why good worms need a strictly controlled protocol.

He said worms can be generated automatically from existing vulnerability information, and he even showed off a new programming language specially crafted for worms.

Aitel admits there are some potential problems; he noted that worms are very difficult to write and take up a lot of network bandwidth. It is difficult to stop and control worms, he said, and IT administrators live in constant fear of them.

The concept he put forward includes a "worm" server that only responds to attacks from within the network and clears them, and NIL (Nematode Intermediate Language), which serves as a simplified, special-purpose "worm assembly language".

NIL can quickly and easily turn vulnerabilities into worms. Aitel said that in some cases the vulnerability can be written directly in NIL, further simplifying the process.

Aitel claimed: "This will become part of your security team's toolkit." He stressed that his company's work is a "research-level proof of concept" that can be used to put the theoretical details of worms to use.

Aitel said: "If you look at the cost of maintaining the security of large networks, most CIOs agree to pay for this strategy. With the nematode concept, you can use automation to get more protection with less. This is the driving force behind the development of these new technologies."

He added: "Technology is the next step; we are two stages away from nematodes becoming a reality. Our goal is to build self-protecting networks using automation technology. We believe it will take at most 5 years for this technology to become a product you can enjoy."

"We have an engine that can take exploits and turn them into worms, so that you can put them under a control mechanism. Enterprises will certainly be interested in this."

A simple guide to manually removing stubborn Trojans and worms

The situation was this: after dialing up to the Internet, connections to an FTP server failed repeatedly. On inspection, the computer had Norton Personal Firewall and Norton AntiVirus installed, but both had been disabled; trying to enable them gave an error and they could not be enabled normally. Opening the Task Manager revealed five illegal processes; trying to end them reported "Access denied". Rebooting into Safe Mode and trying again to stop the illegal processes still gave an error. Then, in the computer's local services list, two unidentified auto-start services were found; trying to stop them gave "failed to stop the service", so in desperation I set the services' startup type to "Disabled", and after another reboot into Safe Mode the unknown services finally did not start automatically. Searching the system disk C: for the illegal process names found earlier located them in the Winnt directory and the Winnt\system32\ directory, and I deleted them manually. Then, in Winnt\system32\, I found many unknown files with these common features: the hidden attribute set, random file names such as "diALoGUe", an icon similar to a DOS program's, and no company, version or other information in the file properties. Because I had set Folder Options to show hidden files and all protected system files during my first cleanup, it was easy to find this batch of unknown, randomly named files; I moved all of them into the Recycle Bin. Then I checked the registry and deleted all unknown auto-start keys of the Run type. Finally I ran the SP5 upgrade; after about 10 minutes all the patches were installed, and on rebooting into normal mode Win2000 displayed normally, Norton AntiVirus and the firewall started successfully, and the dial-up FTP connection succeeded.

From the infection above and what I learned of its behaviour, I reconstruct the infection and the attacks that followed like this: because the user did not install system patches in time, or visited a malicious website with a superuser account, or ran an unknown program or file, the machine was infected with a virus. After establishing itself, the virus replicated itself and automatically connected to the Internet to download all kinds of Trojans, turning the machine into a zombie ("肉鸡", rendered as "chicken" in the original translation), and then used weak passwords to try to log in to other computers on the network so as to infect more machines; after infecting other machines, it sent out all kinds of other Trojans and worms to infect still more machines and create more zombies. This inevitably takes up a lot of network bandwidth and has the same effect as a DDoS flood, leaving the network's switches and routers overloaded and paralyzed. This is most likely the root cause of the network slowing down and of speeds improving after a switch or router is rebooted. And because the virus takes up too many processes and consumes system resources, an infected machine runs noticeably slower.

The danger of such viruses is:

1. With high-bandwidth internal networks, they infect many other vulnerable computers on the network; one infection often becomes a large-scale outbreak.

2. They take up a lot of network bandwidth and slow down the network.

3. They are somewhat intelligent and have very many variants; since anti-virus software always appears later than the virus and can only be effective after the fact, it may be defeated by a new variant.

4. With DDoS-like tools, they read account names from other computers' SAM databases and try to log in to those computers concurrently using weak passwords, so that even uninfected computers have their accounts locked once the login failure limit is exceeded, affecting normal use.

The manual anti-virus steps are summarized as follows:

1. Manually download and collect all the individual SP5 patch files (on Win2k, nearly 100 MB in total)

2. Disconnect from the network

3. Reboot into Safe Mode

4. Check the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*" keys and clean out all unknown startup items

5. Check the "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*" keys and clean out all unknown startup items

6. Check for unidentified services and disable them; if there are none, proceed to step 7; if there are any, disable them and return to step 3.

7. Focus on searching the "%SystemRoot%\system32\" directory for all hidden exe and com files, check their properties, and delete every one of unknown origin without exception (you can first move them to the Recycle Bin, reboot, and empty it once nothing goes wrong).

8. After updating to the latest virus database, use anti-virus software to scan all files on the system once.

9. After confirming that SP4 is installed, apply all of the SP5 patches

10. Reboot into normal mode for use

Note: Judging whether a program is illegal requires some experience, so here is a simple method: right-click a suspicious program and open "Properties". A normal program's "Version" tab carries a company name, version, copyright and other information, and even junkware such as 3721 carries the appropriate information, whereas worms, Trojans and similar programs most likely have no such information available for inspection. Most illegal programs can be judged accordingly.
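The hidden-attribute heuristic from step 7 and the "no company or version information" heuristic from the note above, turned into a small triage script (an added example, not part of the original post). It scores constructed file records rather than reading a real system32 directory; the scoring weights and the case-switching test for names like "diALoGUe" are my own assumptions.

```python
"""Added example, not from the original post: triage of files found under
%SystemRoot%\\system32 using the heuristics described in the manual steps:
hidden attribute, no company/version information in the file properties, and
a random-looking mixed-case file name such as "diALoGUe".
Records are constructed samples; nothing is read from a real file system."""

from dataclasses import dataclass

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll")

# Assumed weights: missing version info is the strongest signal in the text.
WEIGHT_NO_INFO = 2
WEIGHT_HIDDEN = 1
WEIGHT_RANDOM_NAME = 1
DEFAULT_THRESHOLD = 2


@dataclass(frozen=True)
class FileRecord:
    name: str
    hidden: bool
    company: str = ""
    version: str = ""


def case_transitions(stem):
    """Count lower/upper switches between adjacent letters of a name."""
    letters = [c for c in stem if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(stem):
    """'diALoGUe' switches case 4 times in 8 letters; a normal name such as
    'WinLogon' switches far less. Assumed threshold: half the letter count."""
    letters = [c for c in stem if c.isalpha()]
    return len(letters) >= 4 and case_transitions(stem) >= len(letters) // 2


def triage_score(record):
    """Return (score, reasons) for one file record; non-executables score 0."""
    if not record.name.lower().endswith(EXECUTABLE_SUFFIXES):
        return 0, []
    stem = record.name.rsplit(".", 1)[0]
    score, reasons = 0, []
    if not record.company and not record.version:
        score += WEIGHT_NO_INFO
        reasons.append("no company/version info")
    if record.hidden:
        score += WEIGHT_HIDDEN
        reasons.append("hidden attribute")
    if looks_random(stem):
        score += WEIGHT_RANDOM_NAME
        reasons.append("random-looking name")
    return score, reasons


def triage(records, threshold=DEFAULT_THRESHOLD):
    """(name, score, reasons) for records at or above the threshold, in input order."""
    flagged = []
    for record in records:
        score, reasons = triage_score(record)
        if score >= threshold:
            flagged.append((record.name, score, reasons))
    return flagged


# Constructed sample directory listing: a protected system file that is hidden
# but carries Microsoft version info must not be flagged.
SAMPLE_RECORDS = [
    FileRecord("kernel32.dll", False, "Microsoft Corporation", "5.0.2195.6688"),
    FileRecord("ntoskrnl.exe", True, "Microsoft Corporation", "5.0.2195.6688"),
    FileRecord("diALoGUe.exe", True),
    FileRecord("hack.dll", False),
    FileRecord("readme.txt", True),
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_RECORDS):
        print(f"{name}: score {score}, {', '.join(reasons)}")
```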

A few tips for staying virus-free:

1. Isolate the local area network from the external network with a Proxy or NAT instead of connecting them seamlessly.

2. On all machines in the LAN, prevent blank superuser passwords, identical user names and passwords, overly simple passwords and similar careless practices.

3. Strictly follow the principle of assigning only the permissions that are sufficient, and avoid creating unnecessary superusers.

4. Use the enterprise edition of the anti-virus software with a central anti-virus server, set it to check for and download virus database updates at a scheduled time, and automatically distribute the latest virus database to the clients.

5. Use SUS or a similar service to download Windows patches automatically, and set it up so that the latest patches are automatically distributed to and installed on all clients.

6. Remind colleagues in time to pay attention to Internet safety: do not visit unnecessary sites, do not execute unknown files, and keep good Internet habits.

7. When free, check the Task Manager for unknown processes, and log in to Windows Update often to check for the latest patches.

Analyzing and preventing "worm" viruses from the user's perspective

Based on the worm's attack mechanism, worms can be divided into two kinds: those that use system-level vulnerabilities (active spread) and those that use social engineering (deceptive spread). From the user's point of view, worms can likewise be divided into two classes, those targeting corporate networks and those targeting individual users. The characteristics of the worms facing business users and individual users, and some preventive measures, are discussed below!

1. Worm virus definition

Since the day it appeared, the virus has been a great threat to computers, and with the rapid development of the network the harm caused by worms began to appear! In the broad definition, any program that can cause a computer to malfunction or destroy computer data is collectively referred to as a computer virus. In this sense, the worm is a virus! But there are big differences between worms and viruses in general. There is still no complete theory of worms; it is generally believed that a worm is a vicious virus spread through the network. It has some of the common features of viruses, such as propagation, concealment and destructiveness, but also some features of its own, such as not parasitizing files (some exist only in memory), causing denial of service on the network, and integrating hacker techniques! In terms of destructiveness, an ordinary virus cannot compare with a worm; with the development of the network, a worm can spread through an entire network in a short time and paralyze it!

Worms can be divided into two categories by target user. One targets corporate users and LANs; these viruses exploit system vulnerabilities to launch attacks and can even paralyze the entire Internet. The other targets individual users and spreads rapidly through the network (mainly e-mail and malicious web pages). Of the two, the first is highly active in its attacks and can break out suddenly, but relatively speaking, killing it is not very difficult. The second has more complex and diverse modes of transmission; a few exploit vulnerabilities in Microsoft applications, but more of them use social engineering to deceive and induce the user, so the losses they cause are very large and they are very difficult to eradicate!

2. Similarities and differences between worms and ordinary viruses

A worm is a virus, so it has the common features of a virus. An ordinary virus needs a host: to be able to execute its own instructions, it writes its instruction code into the body of another program, and the infected file is called the "host". For example, for a Windows executable in PE (Portable Executable) format, when the virus infects a PE file it creates a new section in the host program, writes the virus code into the new section and modifies the program entry point, so that when the host program runs the virus program executes first; after running, the virus hands control back to the host program's original instructions. So a virus mainly infects files, although there are also link viruses such as DIR-II and boot-sector viruses. A boot-sector virus infects the boot sector of a disk; if a floppy disk is infected and then used in another machine, it infects that machine too, so its mode of transmission is via floppy disks and the like.

Worms generally do not insert themselves into PE-format files but copy themselves to spread in the Internet environment. An ordinary virus's transmission capability is mainly directed at the file system of one computer, whereas the worm's targets are all computers on the Internet. Shared folders on the LAN, e-mail, malicious web pages and the large number of vulnerabilities in servers are all good ways for worms to spread. The development of the network lets a worm spread worldwide within a few hours! And the active attacks and sudden outbreaks of worms leave people at a loss!

It is foreseeable that in the future the main thing bringing great disaster to the network must be the network worm!

3. Individual preventive measures against worms

From the analysis above, we can see that network worms attack individual users primarily through social engineering rather than by exploiting system vulnerabilities, so this kind of virus is not so terrible! To guard against it, note the following:

(1) Purchase suitable anti-virus software! The anti-virus software must have real-time memory monitoring and real-time e-mail monitoring! Since viruses on web pages are very hard to detect, users' demands on anti-virus software are getting higher and higher! Current domestic anti-virus software is already at a very high level. Rising anti-virus software, for instance, integrates a firewall with the anti-virus engine and so has a strong restraining effect on worms and Trojan horse programs.

(2) Update the virus database frequently. Anti-virus software kills viruses based on virus signatures, while new viruses appear every day; especially in the Internet age, worms spread fast and have many variants, so it is necessary to update the virus database in order to kill the latest viruses!

(3) Increase anti-virus awareness. Do not casually click on strange sites; they may contain malicious code!

In IE, click "Tools → Internet Options → Security → Internet zone security level" and raise the security level from "Medium" to "High". This is because web pages of this type contain malicious code in ActiveX controls, Java Applets or JavaScript; by setting IE to prohibit all ActiveX plug-ins and controls and Java scripts, the risk of infection by malicious web-page code can be substantially reduced. The specific steps are: in the IE window, click "Tools" → "Internet Options"; in the dialog box that pops up, select the "Security" tab, then click the "Custom Level" button; in the "Security Settings" dialog box that pops up, select "Disable" for all options related to ActiveX controls and plug-ins and to Java. However, this may later prevent some websites that rely on ActiveX from being browsed normally.

(4) Do not casually open strange messages, especially messages with attachments, because some e-mail viruses can exploit vulnerabilities in IE and Outlook to run automatically; computer users therefore need to keep IE, Outlook and other commonly used applications upgraded!

Network worms, a new type of virus that developed along with the high-speed Internet, will be an enormous danger on the Internet. Defending against them is no longer something anti-virus vendors can address alone; it needs network security companies, system vendors, anti-virus vendors and users to participate together and build a comprehensive prevention system!

The combination of worm and hacker techniques makes analyzing, detecting and preventing worms somewhat difficult, while a mathematical model of worm propagation and of the network traffic characteristics it produces is still work to be done!

Tuesday, August 10, 2010

Beware the "constructor function Trojan"

This week Kaspersky alerts you to the "constructor function Trojan" virus. This virus uses the UPACK packer to protect itself. Once a user is infected, the virus runs an IE (browser) process in the background of the infected computer system; that IE process listens for commands from the remote server embedded in the virus itself, and the virus also attaches itself to the infected user's desktop process. At the same time, the "constructor function Trojan" automatically downloads a large number of virus files from a specific virus server to the infected computer; most of these automatically downloaded files are account-stealing ("Daohao") Trojans, spyware and the like, and the loss of information and money to infected users is believed to be immeasurable.

We recommend that you update the virus database as quickly as possible and scan the system to avoid unnecessary losses.

1. Keep good security habits: do not open suspicious mail or suspicious websites;
2. Do not casually accept files sent through chat software or open web links sent in chats;
3. When using removable media, it is best to open it with the right mouse button, and scan it first if necessary;
4. Many viruses spread by exploiting system vulnerabilities, so applying all patches to the system is also very important;
5. Install the Kaspersky Internet Security suite as soon as possible and enable the full real-time protection functions;
6. Set a more complex password for the machine's administrator account to prevent viruses from spreading by password guessing; a combination of digits and letters is best;
7. Do not download software from unreliable sources, because such software is likely to carry a virus.

Beware of the "killer" behind e-mail

Virus name: Trojan-Downloader.Win32.Agent.wps (downloader variant SPW); virus type: Trojan; hazard rating: ★★★★★; affected platforms: WIN9X/ME/NT/2000/XP/2003

This file uses the upack packer. Once it infects a system, it creates a hidden folder on the system disk whose name is a random combination of digits and letters, and tries to connect to the network; once connected, it quickly connects to a specified server through port 80, downloads a large number of account-stealing (Daohao) Trojans into this folder, and tries to run them to steal the user's game account and password information. Kaspersky can fully kill this virus.

Experts suggest:
1. Do not open suspicious mail or suspicious websites.
2. Do not casually accept files or website links from chat and file-transfer tools.
3. When using removable media, it is best to open it with the right mouse button, and scan it first if necessary.
4. Many viruses spread by exploiting system vulnerabilities, so applying all patches to the system is also critical.
5. Install professional anti-virus software, upgrade it to the latest version, and enable real-time monitoring.
6. Set a more complex password for the machine's administrator account.

Attention! The "IMG-WMF exploits device" virus

Note the "IMG-WMF exploits device" virus. Once a computer is infected, the virus terminates the computer's anti-virus software and also sets image hijacking keys (Image File Execution Options), so that afterwards the user can no longer install and run anti-virus software properly. The virus then downloads a text file from a specified server; this file contains a large number of Trojan download addresses, and the virus process reads the addresses, automatically downloads the virus files to the system and runs them, stealing the user's account information.

For your computer's security, a friendly reminder:
1. Because the virus spreads by exploiting system vulnerabilities, applying all patches to the system is very important;
2. Install the Kaspersky Internet Security suite as soon as possible and enable the full real-time protection functions;
3. Set a more complex password for the machine's administrator account; a combination of digits and letters is best;
4. Do not download software from unreliable sources, because such software is likely to carry a virus.

"U disk worm downloader" variant attacks users frequently

Xinhua, Beijing, Nov. 28: The virus called "U disk worm downloader variant EYK (Worm.Win32.Autorun.eyk)" is particularly noteworthy this week. It spreads through U disks (USB flash drives) and other mobile storage devices and downloads a large number of Trojan viruses, posing a great security risk to users. Rising's weekly anti-virus and anti-Trojan broadcast (2008.12.01-12.07) therefore lists it as this week's virus to watch, with an alert level of ★★★.

"U disk worm downloader variant EYK" is a worm. When run, the virus generates a copy of itself named svchost.exe in the system directory and releases a file named winlogon.exe, then starts both programs as processes. The two virus processes guard each other: if one process is terminated, the other executes a shutdown command, so as to avoid being killed. From time to time the virus writes svchost.exe and autorun.inf to each drive letter, so that double-clicking the drive letter runs the virus, and uses mobile hard disks to spread; it modifies registry keys so as to start at boot, and finally downloads a large number of Trojans to the user's computer and runs them, creating enormous security risks for computer users.

Experts therefore recommend that users:
1. Install Kaka Internet Security Assistant 6.0 and fix vulnerabilities, to prevent infection by such viruses;
2. Develop good surfing habits: do not open bad sites and do not casually download and install suspicious plug-ins;
3. Install anti-virus software and upgrade it to the latest 2008 version, scan regularly and enable real-time monitoring, to prevent the virus from infecting the computer;
4. Set a system restore point and back up important files in time, and put online banking, online games, QQ and other important software under "safe account" protection, to prevent the virus from stealing game accounts, passwords and other personal information.

Sunday, August 8, 2010

Leap-A/Oompa-A

Perhaps you have seen the Apple ads in which Justin Long plays "I'm a Mac" and John Hodgman plays "I'm a PC". Hodgman's PC crashes because of a virus, and we should be grateful to Al Yankovic for reminding us about the "stinking cheese" virus.

He also points out that there are more than 100,000 kinds of viruses that can attack your computer. And Justin says those viruses only infect computers running Windows; they do not work on Apple computers.

In most cases this is right. Apple's "closed means safe" design philosophy has avoided a lot of harm from viruses. Apple's hardware and operating system are essentially a closed system, because both are Apple's own products, so Apple's operating system can be called a "closed" system. Apple has held second place in the home computer market, but it is still a great distance behind the PC. One can imagine that viruses for Apple computers cannot do harm on the scale of Windows viruses.

But this did not prevent the emergence of an Apple hacker. In 2006 the Leap-A virus, also known as Oompa-A, appeared. It spreads through Apple's iChat chat program. When an Apple computer is infected, the virus automatically searches iChat's contact list and sends a message to every friend; the message looks as if it carries a damaged, incomplete JPEG picture as an attachment.

The virus does not do much harm to computers, but it proves that even Apple can be infected. As the Mac becomes more and more popular, more and more viruses for the Mac will appear.

Sasser and Netsky viruses

Sometimes virus makers escape easily without being traced. However, a virus's spread can also be traced back to find its source. That is how Sasser and Netsky were discovered.

A 17-year-old German named Sven Jaschan created both and released them onto the network. Although the two viruses work in completely different ways, the similarity of their code let experts determine that they came from the same hand.

Sasser infects computers through a Microsoft vulnerability. Unlike other worms, it does not spread through mail; once a computer is infected, the virus automatically looks for vulnerable computer systems and remotely controls them to download the virus. The virus can scan arbitrary IP addresses to find potential victims. It also modifies the user's operating system so that the user cannot shut down normally and can only force the power off.

Netsky spreads through e-mail and the network. It spoofs e-mail addresses and replicates itself through attachments [Data: CERT]. As it spreads, it also carries out denial-of-service (DoS) attacks that consume bandwidth resources. Sophos experts believe that Netsky and its variants once infected one in four computers on the Internet [Data: Wagner].

Sven Jaschan did not go to jail but was sentenced to 1 year and 3 months of probation, because he was under 18 at the time and so escaped prison.

Until now, all the viruses we have looked back at attacked computers running Windows. This does not mean that Apple machines are free from viruses. Here we will look at a kind of virus that attacks the Mac.

Black Hat

In Oz you can expect to find both good witches and bad witches. Similarly, the hacker community has its good and bad. Hackers who create viruses and look for vulnerabilities to exploit are also called "black hats". Many hackers attend the Black Hat or Defcon hacker conferences to discuss the impact of vulnerabilities and how to use them to break into systems.

Novarg (Nuowei Ge) virus

The Novarg virus (rendered "Nuowei Ge" in the original translation), also known as MyDoom, likewise leaves a back door in the user's operating system. Many variants were produced later; the initial Novarg virus had two triggers.

The first, starting on February 1, 2004, launched a denial-of-service (DoS) attack; the second, on February 12, 2004, stopped the virus from replicating itself. But even after the virus's attack stopped, the back doors it left behind remained harmful [Data: Symantec].

Soon afterwards another outbreak of the virus dealt a heavy blow to several search engines. Like other viruses, Novarg searched infected users' contact lists and sent messages to them. In addition, it sent search requests to search engines to look for e-mail addresses and then mailed them. This caused search engines such as Google to receive millions of search requests, making their service very slow and even crashing their servers [Data: Sullivan].

Novarg spread through e-mail and P2P networks. According to the Internet security firm MessageLabs, at the time one in every 12 e-mail messages carried the virus [Data: BBC]. Like the Klez virus (known in Chinese as "cover letter"), Novarg forges the sender of the e-mails it sends, which makes tracing the source of the virus through e-mail extremely difficult.

Strange computer viruses

Not all computer viruses damage the computer or the network. Some viruses just make the computer do various strange things. An early virus called Ping-Pong made a ball bounce constantly around the screen but did no harm to the computer. Joke programs tell you that your computer has lots of viruses, but they cause no harm and do not replicate themselves. If you do not trust them, you can use anti-virus software to remove them.

SQL Slammer / Sapphire virus

In late January 2003 a new server virus began to spread on the network. Because many computers had no proper precautions in place, a number of important large-scale computer systems were eventually paralyzed. Bank of America's ATMs could not be used, 911 service centers in Seattle were interrupted, Continental Airlines' booking system was paralyzed and some flights were canceled.

The Slammer virus had a great impact on South Korea, where many Internet bars and cafes offering Internet access saw their traffic drop sharply.

The culprit of this network storm was SQL Slammer, also known as the Sapphire virus. Before software patches and virus signatures appeared, this virus had caused 10 billion dollars in losses [Data: Lemos]. The Sapphire virus spread very rapidly. Within minutes of the first server being infected, the virus's replication began to multiply in a short time. 15 minutes later, half of the important backbone servers were infected [Data: Boutin].

The Slammer virus taught us a profound lesson: timely patching and upgrading anti-virus software are not enough, because hackers will use any loophole they can find to attack, especially unknown vulnerabilities. Good anti-virus work before infection is very important, and timely backups to guard against the worst case are also essential.

Viruses that trigger at a set time

Some hacker programs lurk in the infected computer until a specific time before they break out. Here are some viruses triggered on a particular date.
The "Jerusalem" virus triggers only on Friday the 13th, when it destroys data on the victim's computer.
The "Michelangelo" virus broke out on March 6, 1992; Michelangelo was born on March 6, 1475.
The "Chernobyl" virus broke out on April 26, 1999, the 13th anniversary of the Chernobyl nuclear leak.

Code Red and Code Red II

Code Red and Code Red II appeared in the summer of 2001. Both worms exploited a hole in the Windows 2000 and Windows NT operating systems, a buffer overflow vulnerability: when the system's buffer receives more data than it can handle, the data overflows into adjacent storage units, so that other programs can no longer run normally and the system may even crash.

Carnegie Mellon University's Computer Emergency Response Team (CERT) alerted the public to the dangers of the Code Red virus.

The original Code Red worm launched a distributed denial of service (DDoS) attack on the White House website. In other words, every computer infected with Code Red connected to the White House site at the same time, overloading the server and crashing the site.

If Code Red II infects a computer running Windows 2000, the machine becomes a "zombie" (a "chicken" in Chinese hacker slang). The worm sets up a back door in the system that lets remote users log in and take control. For the computer's owner this is bad news: whoever spreads the virus can exploit it to obtain information from the victim's computer, or even use the computer for criminal activity. Victims then have to worry not only about a paralysed computer but also about taking the blame for someone else's actions.

Although Windows NT was more easily infected by Code Red, the harm the virus did on those machines was not very serious: network servers running Windows NT often crashed after infection but suffered no other damage, which is nothing compared with what Windows 2000 users faced.

Microsoft later released patches that fixed the security holes in Windows 2000 and Windows NT, and the virus stopped being rampant. But the patch does not remove the virus from a computer; users have to deal with that themselves.

What should we do?

What should you do when you find your computer is infected? It depends on the case. Many anti-virus programs delete the virus automatically. Some viruses destroy your data or information, and then you need to restore from a backup; regular backups of the system are very important. For Code Red, formatting the computer and then restoring from backup is a good approach. Some viruses install malicious software on the computer, and then an anti-virus scan alone is not enough.

Klez virus

The Klez virus was a milestone. It first appeared in 2001 and spawned a number of variants over the following months. The most common Klez variant spreads by e-mail, replicates itself, and sends the same message to every contact in the victim's address book.

Some Klez variants can even do fatal damage to the computer. Depending on the version, Klez can be classed as an ordinary virus, a worm, or a Trojan horse. Some variants can even force anti-virus software to close, or disguise themselves as a virus removal tool [data: Symantec].

Soon after Klez appeared on the network, hackers improved it to make it more contagious. Like many viruses, Klez sends the same message to the contacts in the victim's address book. In addition, it picks a random person from the infected machine's contacts and fills in that person's e-mail address as the sender. This is e-mail address spoofing: the message appears to come from one of your acquaintances, but was actually sent by someone else.

The sender address is disguised for the following reasons. First, blocking the sender is useless, because the message was really sent by someone else. Second, users cannot tell whether a message is spam, so Klez can flood a recipient's mailbox in a short time. Third, because the apparent sender is a known contact, many people will open the message and become infected.

There were several very powerful computer viruses in 2001; in the next section we will look at another virus that emerged in 2001, Code Red.

Love Bug virus

A year after the Melissa outbreak, a new virus emerged in the Philippines. Unlike Melissa, this one was a worm, an independent program that replicates itself. Its name was "I love you" (ILOVEYOU).

Like Melissa, the original Love Bug spread through e-mail. The subject line usually suggested that the message was a confession from a secret admirer, and the attachment was the culprit. The worm file was originally called LOVE-LETTER-FOR-YOU.TXT.vbs; the .vbs suffix shows that the hackers wrote it as a VB script [data: McAfee].

According to the anti-virus vendor McAfee, the Love Bug virus attacks in the following ways:

It copies itself, leaving a hidden backup on every partition of the hard disk.
It adds new entries to the user's registry.
It replicates itself and then automatically replaces certain files.
It spreads through e-mail and chat clients.
It automatically downloads a file called WIN-BUGSFIX.EXE, a so-called patch that steals private information and sends it to the hackers.
Who created the virus? Many suspected Onel de Guzman of the Philippines. At that time the Philippines had no laws covering computer crime, so the authorities could only summon de Guzman on a charge of theft. De Guzman neither admitted nor denied the allegations, and in the end, lacking conclusive evidence, the authorities were forced to release him. Media estimates put the losses caused by the Love Bug at about 10 billion U.S. dollars.
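The Klez sender spoofing and the ILOVEYOU double-extension attachment described above, as an added defender-side example that is not part of the original post: the messages, the addresses (example.com, example.net) and the placeholder attachment are constructed, and the From/Return-Path comparison is one heuristic among several a mail gateway would use.

```python
"""Added defender-side triage for the two mail-borne tricks described above:
Klez-style sender spoofing and an ILOVEYOU-style double-extension attachment.
The sample messages are constructed here; the worm attachment is a harmless
placeholder, not the real script."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Suffixes that Windows runs as a script or program even when a "document"
# suffix such as .TXT precedes them (LOVE-LETTER-FOR-YOU.TXT.vbs).
EXECUTABLE_SUFFIXES = {"vbs", "vbe", "js", "jse", "wsf", "exe", "com",
                       "scr", "pif", "bat", "cmd"}


def sender_mismatch(msg):
    """Return (from_domain, envelope_domain) when the visible From: address
    and the envelope sender (Return-Path) are in different domains, else None.
    Klez fills From: with a random address-book entry, so the two disagree;
    this is a heuristic, since legitimate forwarding can also trip it."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    if not from_addr or not envelope:
        return None
    from_domain = from_addr.rpartition("@")[2].lower()
    env_domain = envelope.rpartition("@")[2].lower()
    return None if from_domain == env_domain else (from_domain, env_domain)


def deceptive_attachments(msg):
    """Return attachment names that carry two suffixes with an executable last."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_SUFFIXES:
            hits.append(name)
    return hits


def triage(raw_message):
    """Parse one raw message and return a list of findings (empty if clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append("sender spoofing suspected: From is %s but envelope is %s"
                        % mismatch)
    for name in deceptive_attachments(msg):
        findings.append("double-extension executable attachment: " + name)
    return findings


def _build(from_addr, return_path, subject, attachment_name, body):
    """Construct a sample message (test data, not captured traffic)."""
    msg = EmailMessage()
    msg["Return-Path"] = "<%s>" % return_path
    msg["From"] = from_addr
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"' constructed placeholder, not a real script\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Worm-like sample: From: names a contact at example.com, but the message
# really came from a host at example.net and carries a .TXT.vbs attachment.
SAMPLE_WORM = _build("colleague@example.com", "infected-host@example.net",
                     "ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs",
                     "kindly check the attached LOVELETTER coming from me.")
# Clean sample: consistent sender and a plain text attachment.
SAMPLE_CLEAN = _build("colleague@example.com", "colleague@example.com",
                      "meeting notes", "notes.txt",
                      "minutes from today's meeting attached.")

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw) or ["no findings"])
```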

Guard against "crying wolf"

Besides viruses, worms and Trojan horses, we also need to guard against hoax viruses. They are not real viruses: they do not self-replicate and do the computer no harm. Their creators just want people to mistake them for real viruses. Even so we cannot take them lightly; as in the story of the boy who cried wolf, a hoax virus may lead us to overlook a real one.

Melissa computer virus

In the spring of 1998, David L. Smith wrote a computer virus using the macro facility of Word, a virus that could spread through e-mail. Smith named it Melissa after a dancer in Florida [source: CNN].

Melissa usually spread by e-mail, with the subject line "This is for your information, do not let anyone see." Once the recipient opened the message, the virus automatically copied itself and sent the same message to the first 50 friends in the user's address book.

After Smith released it on the network, the virus spread rapidly. The FBI reported to Congress that Melissa dealt a devastating blow to parts of the government and private-sector networks, and the federal government attached great importance to it [data: FBI]. The surge in e-mail traffic forced many companies to stop their mail service until the virus was under control.

After a long trial, Smith was sentenced to 20 months in prison and fined five thousand U.S. dollars. In addition, Smith may not use the network without court permission [data: BBC]. Although Melissa did not cause great harm to society, it was the first virus to draw society's concern.



Saturday, August 7, 2010

What is a computer virus

The term computer virus (Computer Virus) is defined in the "Regulations of the People's Republic of China on Protection of Computer Information System Security" as "a set of computer instructions or program code, written or inserted into computer programs, that damages computer functions or destroys data, affects the use of the computer, and can copy itself." General textbooks and reference material define it as a set of computer instructions or program code that exploits defects in computer software and hardware, is transmitted by the compromised machine, and destroys computer data or disturbs the computer's normal work. The computer virus first appeared in David Gerrold's 1970s science-fiction novel When HARLIE Was One. The first scientific definition came in 1983, in the doctoral thesis "Computer Virus Experiments" by Fred Cohen (University of Southern California): "a computer program that can insert a copy of itself (or an evolved copy) into other programs". Boot-sector viruses, macro viruses and script viruses are all the same concept, and their transmission mechanism resembles that of biological viruses, which inject themselves into cells.

The characteristics of computer viruses

Computer viruses generally have the following characteristics:

1. Computer viruses are programs (executability)
Like other legitimate programs, a computer virus is an executable program, but it is not a complete program: it is a parasite on other executable programs, and so enjoys every right the host program has. When the virus runs, it competes with the legitimate program for control of the system. A computer virus is contagious and destructive only when it runs on the computer, so control of the computer's CPU is the key issue. If the computer runs under the control of normal programs and never runs a program carrying a virus, the computer is always reliable. On such a computer you can see the virus file's name, view the virus code, print it, or even copy the virus program, and yet not be infected. Anti-virus technicians work in just such an environment all day: their computers hold the code of many viruses, but because these viruses are kept under control and are never run, the whole system stays safe. Conversely, once a computer virus runs on a computer, it competes with the normal system programs (and sometimes with other viruses) for control of the system, which often causes the system to crash and the computer to be paralysed. Anti-virus technology works by keeping control of the computer system, identifying the code and behaviour of viruses, and preventing them from gaining control. The strengths and weaknesses of an anti-virus system show in this respect: a good one should not only reliably identify the code of known viruses and stop it from running or route around it (so that an infected program can be safely disinfected and run), but should also recognise the behaviour of unknown viruses in the system and block their spread and damage.

2. Viruses are infectious

Infectivity is the basic characteristic of a virus. In biology, a virus spreads by passing from one organism to another; under the right conditions it multiplies, and the infected organism falls ill or even dies. Similarly, a computer virus spreads through various channels from infected computers to uninfected ones, in some cases disrupting the infected computer's work or even paralysing it. Unlike a biological virus, a computer virus is man-made program code; once this code enters a computer and runs, it searches for other programs or storage media that meet its infection conditions, picks its target, and inserts its own code into it, thereby reproducing itself. As soon as a computer is exposed, if the infection is not dealt with in time the virus spreads rapidly through the machine, and large numbers of files (usually executable files) are infected. Each infected file becomes a new source of infection, and the virus keeps spreading when data is exchanged with other machines or over a network.
A normal program generally does not forcibly attach its own code to other programs. A virus, however, forcibly attaches its code to every program that meets its infection conditions, and the process of infection never ends. Computer viruses can spread to other computers through every possible channel, such as floppy disks and computer networks. When a machine is found to have a virus, the floppy disks used in it are often already infected, and other computers networked with it may be infected too. Whether a program is infectious is the most important criterion for deciding whether it is a computer virus.
A virus program spreads by modifying the contents of disk sectors or files and embedding itself into them. The program it embeds itself in is called the host program.

3. Viruses are latent

A well-crafted virus program does not usually attack immediately after entering the system; it can hide in legitimate files for weeks, months or even years, spreading to other systems without being discovered. The better it hides, the longer it stays in the system and the wider its infection spreads.
The first aspect of latency is that a virus program cannot be checked out without a dedicated detection program, so it can lie silently on disk or tape for days or even years, and when the time comes it gets the chance to run, propagating and spreading everywhere and continuing to do harm. The second aspect is that a computer virus usually has an internal trigger mechanism: until the trigger condition is met, the virus does nothing but spread. Once the trigger condition is met, some viruses display messages, graphics or a special mark on the screen, while others carry out operations that damage the system, such as formatting the disk, deleting disk files, encrypting data files, locking the keyboard, or deadlocking the system.

4. Viruses can be triggered
Triggerability means that the occurrence of a certain event or value induces the virus to infect or attack. To conceal itself a virus must stay latent and act as little as possible; but if it never acts, it can neither infect nor destroy, and loses its lethality. To remain both hidden and lethal a virus must be triggerable. The trigger mechanism controls how often the virus infects and destroys. A virus has predetermined trigger conditions, which may be a time, a date, a file type, or certain specific data. When the virus runs, the trigger mechanism checks whether the conditions are met; if so, it starts infecting or destroying, and if not, the virus continues to lurk.

5. Viruses are destructive
Every computer virus is an executable program, and it necessarily runs, so as far as the system is concerned all computer viruses share a common harm: they reduce the efficiency of the computer system and occupy system resources. Beyond that, how much they damage the system depends on the particular virus program.
The destructiveness of a virus depends on the designer's purpose. If the designer's aim is to wreck the normal operation of the system completely, the consequences of a virus attack are hard to imagine: it may destroy part of the system's data, or all of it, irrecoverably. Not every virus, however, is extremely destructive; sometimes viruses with little destructive intent cause cross-infections that end in system crashes and other serious consequences.

6. Viruses attack on their own initiative
A virus's attack on the system is active and does not depend on human will. In other words, no matter how strict the protective measures a computer system takes, it cannot completely rule out virus attacks; protection is at best a means of prevention.

7. Viruses are targeted
Computer viruses are written for a particular computer and a particular operating system. For example, some target the IBM PC and compatibles, some target the Apple Macintosh, and some target the UNIX operating system. The Ping-Pong ("small ball") virus, for instance, targets the IBM PC and compatibles running the DOS operating system.

8. Viruses are unauthorized
A virus executes without authorization. A normal program is invoked by the user, and the system then allocates resources to complete the task the user assigned; the user's purpose is visible and transparent. A virus has all the characteristics of a normal program but hides inside one, and when the user invokes the normal program the virus steals control of the system and acts before the normal program executes. Its purpose is unknown to the user and its actions are not permitted by the user.

9. Viruses are hidden
Viruses are usually written with very high programming skill and are short and compact. They usually attach to normal programs or sit in hidden corners of the disk, and some take the form of hidden files, so that users do not notice them. Without reading the code, a virus program is not easy to distinguish from a normal one. Where no protective measures are taken, a virus program that gains control of the system can infect a large number of programs in a very short time, and yet the infected computer usually keeps working normally, so the user notices nothing unusual, as if nothing had happened. Imagine if the machine stopped working correctly as soon as the virus spread to it: the virus could not go on infecting other computers. It is because of this hiddenness that viruses can spread without the user noticing, and roam the millions of computers around the world.
Most virus code is designed to be very short, again in order to hide. A virus is generally only a few hundred bytes or 1K in size, while PC-DOS reads files at several hundred KB per second or more, so the virus can attach its few hundred bytes to a normal program in an instant, which is very hard to detect.
Viruses hide in two ways:
The first is secrecy during infection. Most viruses infect very quickly and show no outward sign, so they are not easily discovered. Suppose a virus displayed the message "I am a virus program, I want to do bad things" on the screen each time it infected a new program; it would have been brought under control long ago. Some viruses do "dare to expose themselves", displaying patterns or messages on the screen from time to time, or playing music, but by then many copies of the virus usually exist inside the computer. Many computer users have no notion of computer viruses, let alone any mental guard against them; seeing these new images and sounds, they assume they come from the computer system, unaware that a virus is damaging the system and creating a disaster.
The second is secrecy of existence. Virus programs generally nestle inside normal programs and are hard to discover, yet once they attack they often do varying degrees of damage to the computer system. In most cases an infected computer keeps part of its functions; if the whole computer could not be started after infection, or a program could not run once infected, the virus could not spread across the world. This is where the compactness of virus design comes in: a normal program infected by a virus keeps most of its original functions, and the virus code attached to it survives, constantly gaining chances to run, spreading more copies of itself, competing with normal programs for control of the system and for disk space, and continually undermining the system until the whole system is paralysed. The virus code is very cleverly designed, and short.

10. Viruses have derivatives
This characteristic gives meddlers a shortcut for creating new viruses.
Analysing the structure of a known virus shows how its spreading and damaging parts reflect the designer's thinking and purposes. Once others grasp this principle, they can try to make their own changes to the original, deriving a new virus (also called a variant) that differs from the original version. This is the derivative nature of computer viruses. Such variants may be far more serious than the original virus.

11. Viruses are parasitic (dependent)
A virus program embeds itself in a host program and depends on the execution of the host to survive; this is the parasitic nature of viruses. When a virus program invades a host program it generally modifies the host, so that whenever the host program executes the virus program is activated and can replicate and reproduce itself.

12. Viruses are unpredictable
From the point of view of detection, viruses are unpredictable. Different kinds of viruses have very different code, but some operations are shared (such as staying resident in memory and changing interrupts). Some people have used these common features to write programs that claim to find every virus. Such a program can indeed identify a number of new viruses, but software today is extremely varied, some of it performs operations similar to a virus, and some even borrows virus techniques, so detecting viruses this way is bound to produce many false positives. Meanwhile virus production technology keeps improving, and viruses are always one step ahead of anti-virus software. A new generation of viruses even hides some basic features; sometimes a change in file length is the way to detect them, but viruses have blinded users on that point too by storing their own code in gaps in the file, so the file length stays the same. Many new viruses use mutation to evade inspection, and that has become a basic feature of the new generation of computer viruses.

13. Viruses are deceptive
Computer viruses act secretly, and users unfamiliar with their computers often accept the errors a virus causes as facts, so the virus easily succeeds.

14. Viruses are persistent
Even after a virus program has been detected, data, programs and the operating system are very difficult to restore. This is especially true in a network environment, because a single infected copy can spread repeatedly across the network, making the removal process very complex.

How to prevent computer viruses

1. Fast response to reported viruses: Kaspersky has globally leading technology that runs a virus in a virtual machine and can automatically analyse the behaviour of about 70% of unknown viruses, backed by a group of highly qualified virus analysts, so its reaction time is faster than anyone else's. Hourly virus database updates are backed by solid technology.

2. Any user who reports a virus, whether running a legitimate or a pirated copy, gets a reply from a virus analyst, in some cases with conclusions based on detailed analysis. The care taken with users is thoughtful; even when I wrote in with nonsense they replied. Having long felt guilty about running a pirated copy, I quickly bought a genuine set when NetEase discounted Kaspersky. This is how Kaspersky easily wins over potential users.

3. It owns up to its own mistakes at any time. Anti-virus analysis is tedious, dirty work, and Kaspersky is not free of mistakes, but it corrects them immediately: as long as a user writes in to point out a false positive, it is fixed right away. Correcting errors as soon as they are known makes it a model for other anti-virus products; try getting Symantec to correct an error and see what happens.

4. Kaspersky's engine is the core of many domestic and foreign anti-virus products. Abroad I do not know, but domestic anti-virus vendors first scan every reported virus with Kaspersky, which is interesting; you could say Kaspersky is the master of the other anti-virus products.

5. Kaspersky does not have the largest virus database, but the number of viruses it can actually kill is absolutely the highest in the world, because of its superb unpacking capacity: no matter how you pack a program, as long as the body can run it cannot escape Kaspersky's grasp. So the current 13 million entries in Kaspersky's database are a real count of viruses it can kill, whereas some anti-virus products are either stumped by a packed virus or count it as a new variant, and then boast of more than 100 updates a day, not knowing that one Kaspersky update is worth dozens of theirs.

6. Most importantly, Kaspersky gives no material reward for reporting viruses, yet we rush to do it, because: an hour ago, when I found an unknown virus, I sent the file to Kaspersky, then leisurely had dinner and a bath; an hour later I came back, updated Kaspersky, and watched it remove the nasty viruses one by one to its melodious sound. What other anti-virus product can give us that kind of mental pleasure and sense of participation?

The harm done by computer viruses

The main hazards of computer viruses are:

1. Direct destructive effects on data when the virus is triggered
Most viruses, when triggered, directly damage important data on the computer. The means include formatting the disk, overwriting the file allocation table and directory area, deleting important files or overwriting files with meaningless "junk" data, and damaging the CMOS settings. The Disk Killer virus (DISK KILLER) contains a counter: once the infected hard disk has been powered on for a total of 48 hours, it triggers, displays "Warning!! Don'tturn off power or remove diskette while Disk Killer is Prosessing!" on the screen (that is, Disk Killer is at work, do not turn off the power or remove the disk), and rewrites the hard disk data. A hard disk damaged by DISK KILLER can be repaired by anti-virus software, so do not give up easily.

2. Occupying disk space and destroying information
A virus parasitic on a disk illegally occupies part of the total disk space. A boot virus usually occupies the disk's boot sector with its own body and moves the original boot sector to another sector, that is, the boot virus overwrites a disk sector; the data in the overwritten sector is permanently lost and cannot be recovered. File-type viruses infect by using DOS functions that detect unused disk space and write the infecting part of the virus into it, so during infection they usually do not destroy the original data on the disk but illegally occupy disk space. Some file-type viruses spread quickly, infecting many files in a short time, each of which is lengthened to a different degree, causing serious waste of disk space.

3. Occupying system resources
Apart from VIENNA, CASPER and a few other viruses, most viruses stay resident in memory, and so must occupy part of the system's resources. The basic memory a virus occupies is comparable to the virus's own length. This reduces available memory, so some software cannot run. Besides occupying memory, viruses also seize interrupts and interfere with system operation. Many operating-system functions are implemented through interrupts; to trigger and infect, a virus always modifies the relevant interrupt addresses, adding its own "stuff" to the normal interrupt process and interfering with the normal operation of the system.

4. Affecting the computer's speed
Once in memory, a virus not only interferes with system operation but also slows the computer, mainly because:
(1) To decide whether its trigger conditions are met, the virus constantly monitors the state of the computer, which is superfluous and harmful compared with normal operation.
(2) Some viruses encrypt themselves for protection, not only in their static form on disk but also while resident in memory. When the CPU reaches the virus, it first runs a decryption routine that turns the encrypted virus instructions into legitimate ones and executes them, and when the virus finishes running it re-encrypts itself, costing the CPU thousands or tens of thousands of extra instructions.
(3) While spreading, the virus inserts extra illegal operations; infecting a floppy disk, in particular, not only slows the computer noticeably but also disrupts the normal order of disk reads and writes, producing a cacophony of noise.

5. Errors in computer viruses and unforeseen hazards
A major difference between viruses and other software is that nobody is accountable for a virus. Writing a complete piece of software takes a lot of manpower and material, and long debugging and refinement, before it can be released. A virus writer, however, seems neither to need to do this nor to be able to. Many viruses are written on an isolated computer and thrown out after hasty debugging. Anti-virus experts who have analysed large numbers of viruses find that the vast majority contain errors of one degree or another. Another major source of errors is virus variants: some computer novices who lack the ability to develop software independently modify other people's viruses out of curiosity or other reasons, introducing errors. The consequences of virus errors are often unpredictable; anti-virus workers have documented nine errors in the Black Friday virus and five in the Ping-Pong virus, but nobody can spend the time to analyse the errors of tens of thousands of viruses. A widely spread virus with unknown errors has consequences that are hard to predict.

6. The compatibility of viruses affects system operation
Compatibility is an important measure of software: software with good compatibility runs in many computer environments, whereas software with poor compatibility is "picky" about the model and operating-system version it runs on. Virus writers generally do not test a virus in many computer environments, so viruses with poor compatibility often cause crashes.

7. Viruses put users under serious psychological stress
According to statistics from computer dealers, advisory requests from users suspecting that "the computer has a virus" make up about 60% of after-sales work. In about 70% of these cases a virus is actually found; in the remaining 30% the user suspected a virus but the computer had none. Why did the user suspect a virus? Mostly because of crashes, abnormal program behaviour and similar phenomena. These may well be caused by a virus, but not always; in fact, when the computer behaves "abnormally" it is very hard for an ordinary user to judge accurately whether a virus is present. Most users would rather assume there is one, which is certainly prudent for protecting the computer, but it often costs time and money, and formatting a disk on the mere suspicion of a virus can cause losses that are even harder to remedy. Not only individual stand-alone users but some large network systems also stop to screen for viruses. In short, computer viruses hang over ordinary computer users like a "ghost", causing tremendous psychological pressure, which greatly reduces the efficiency of modern computer use; the resulting intangible loss is immeasurable.

Computer viruses can have a great impact on a computer system. Most viruses destroy programs and data. The following describes the destructive behaviour and impact of several different viruses.
Some computer viruses, such as FormatC (a macro virus) and Stoned Daniela, unconditionally format the hard disk and delete all the system files on it when they are triggered. Take the AOL4Free Trojan horse as an example: it arrives attached to an e-mail message under the file name AOL4FREE.COM. It is in fact a DOS batch file converted with the BATEXEC 1.5 utility (a utility that converts large batch files into executables so that they run faster).
This Trojan horse first searches the DOS directory for the file DELTREE.EXE, then uses it to delete all the files on the hard drive. While files are being deleted it displays the DOS error message "Bad command or file name" together with an obscene message. If it cannot find DELTREE.EXE it cannot delete the files, but the obscene message still appears.
Some viruses, such as Monkey (Stoned.Empire.Monkey) and AntiEXE, infect the Master Boot Record (MBR) and the DOS boot sector. Afterwards they reduce memory and hard-disk performance, and in some cases display messages on the screen or cause other damage.
Take AntiEXE as an example. When the master boot record (MBR) is loaded during the boot process, the virus stores the still-uninfected MBR at cylinder 0, side 0, sector 13 of the hard disk, then writes its own code together with the MBR onto cylinder 0, side 0, sector 1 of the infected disk. While AntiEXE is active in memory, it intercepts any read of the infected MBR and/or DOS boot sector (DBS) from any drive and returns the clean counterpart instead. While the MBR and/or DBS are being read from disk, the virus also looks for particular *.EXE files (whose identity is still not known) and damages them.
Another example is One Half, which encrypts roughly half of the hard drive and displays the message "Disk is one half. Press any key to continue." If the virus is removed from the MBR with a generic method, all the data in the encrypted area is lost.
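The AntiEXE description above (the original MBR parked at cylinder 0, side 0, sector 13, which is LBA 12 under any drive geometry, and foreign code placed at sector 1) leaves a trace that an offline scan can look for. This is an added example, not code from the original post: it builds a constructed in-memory disk image with placeholder bytes (no real virus code) and searches the first track for a second MBR-like sector that carries the same partition table as sector 0 but different boot code.

```python
import struct

SECTOR = 512
PT_OFF = 446    # the 64-byte partition table starts at byte 446 of the MBR
SIG_OFF = 510   # boot signature 0x55 0xAA occupies bytes 510-511

def make_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code, partition table, 0x55AA signature."""
    assert len(partition_table) == 64
    return boot_code.ljust(PT_OFF, b"\x00")[:PT_OFF] + partition_table + b"\x55\xaa"

def sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]

def looks_like_mbr(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[SIG_OFF:] == b"\x55\xaa"

def chs_to_lba(cyl: int, head: int, sec: int, heads: int = 16, spt: int = 63) -> int:
    """Classic CHS -> LBA; sectors are 1-based, so CHS 0/0/13 is LBA 12 for any geometry."""
    return (cyl * heads + head) * spt + (sec - 1)

def find_relocated_mbr(image: bytes, track_sectors: int = 63) -> list:
    """LBAs on track 0 whose sector has sector 0's partition table but other boot code.
    A stealth MBR infector that parks the original MBR elsewhere on the track
    (AntiEXE: CHS 0/0/13) produces exactly this pattern."""
    mbr = sector(image, 0)
    hits = []
    for lba in range(1, min(track_sectors, len(image) // SECTOR)):
        sec = sector(image, lba)
        if (looks_like_mbr(sec)
                and sec[PT_OFF:SIG_OFF] == mbr[PT_OFF:SIG_OFF]
                and sec[:PT_OFF] != mbr[:PT_OFF]):
            hits.append(lba)
    return hits

# Constructed sample data: one active FAT16 partition entry, placeholder loader stubs.
PART_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 16065) + b"\x00" * 48
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16, PART_TABLE)
OTHER_CODE = b"\xeb\x1e\x90" + b"\xcc" * 24   # arbitrary bytes standing in for foreign code

def build_infected_image() -> bytes:
    """16-sector image laid out as the text describes: other code at LBA 0, clean MBR at LBA 12."""
    sectors = [bytes(SECTOR)] * 16
    sectors[0] = make_mbr(OTHER_CODE, PART_TABLE)
    sectors[chs_to_lba(0, 0, 13)] = CLEAN_MBR
    return b"".join(sectors)

def build_clean_image() -> bytes:
    return CLEAN_MBR + bytes(SECTOR) * 15

if __name__ == "__main__":
    print(find_relocated_mbr(build_infected_image()))   # [12]
    print(find_relocated_mbr(build_clean_image()))      # []
```

A hit only shows that two MBR-like sectors on the track disagree; because a memory-resident stealth virus returns the clean copy on reads, the image must be taken from a clean boot, and the result compared with a known-good MBR backup before anything is rewritten.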
Feelings:
I think many computer users turn pale at the mere mention of "computer virus", as if someone had mentioned narcotics. Some of them have indeed been victims, but more of them feel insecure because of exaggerated hearsay. It is not only fear; more often it is damage to their wallets (a trap set by merchants).

The dangers of computer viruses are well known, ranging from slowing down the machine to destroying files or causing crashes. So that the computer can be maintained and repaired at any time, tools must be prepared in advance, such as a clean DOS boot disk or a Windows 98 boot disk, together with virus-removal and disk tools, to cope with a system that will not start because of a virus or a hard-drive failure. Drivers for the various accessories, such as the optical drive, sound card, video card and modem, should also be prepared. A floppy-drive and CD-ROM cleaning disk and cleaning solution should also be kept on hand.