Saturday, 7 August 2010

What is a computer virus

The term "computer virus" is defined in the Regulations of the People's Republic of China on the Protection of Computer Information System Security as "a set of computer instructions or program code, written or inserted into a computer program, that damages computer functions or destroys data, affects the use of the computer, and is able to copy itself" (the Panda Burning Incense virus is given here as an example). General textbooks and reference material define it as: a set of computer instructions or program code that exploits defects in computer software and hardware, is transmitted by the compromised machine, and destroys computer data or disrupts the computer's normal work. The idea of a computer virus first appeared in the 1970s in David Gerrold's science-fiction novel When HARLIE Was One. The first scientific definition came in 1983, in Fred Cohen's (University of Southern California) doctoral thesis "Computer Virus Experiments": "a computer program that can copy itself (or an evolved version of itself) into other programs". Boot-sector viruses, macro viruses and script viruses all share this concept, and their transmission mechanism resembles that of biological viruses, which inject themselves into cells.

The characteristics of computer viruses

Computer viruses generally have the following characteristics:

1. Programmatic nature (executability)
Like any legitimate program, a computer virus is executable code, but it is not a complete program: it is parasitic on other executable programs, and so it enjoys every privilege those programs have. When the virus runs it competes with legitimate programs for control of the system. A virus is only contagious and destructive while it is actually running on the computer, so control of the CPU is the key issue. If the computer is running under the control of normal programs and no infected program is run, the computer is always reliable. On such a computer you can see the virus file name, view the virus code, print it, even copy the virus program, and still not be infected. Anti-virus work is done all day in exactly this environment: although the computers involved hold all kinds of virus code, the viruses are kept under control and never executed, so the entire system is safe. Conversely, once a virus runs on a computer, it competes with the normal system programs, and sometimes with other viruses, for control of the system; this often results in a system crash and leaves the computer paralysed. The aim of anti-virus technology is to hold control of the computer system, recognise the code and behaviour of computer viruses, and prevent them from obtaining control. The strengths and weaknesses of an anti-virus product show in exactly this respect. A good anti-virus system should not only reliably identify known virus code and prevent it from running or bypass its control of the system (so that an infected program can safely be started and run), but should also identify the behaviour of unknown viruses in the system and stop them from spreading and damaging it.

2. Infectiousness

Infectiousness is the basic characteristic of a virus. In biology, viruses spread by transmission from one organism to another; under the right conditions they multiply enormously and the infected organism shows disease or even dies. Similarly, computer viruses spread through various channels from infected computers to uninfected ones, in some cases disrupting the infected computers' work or paralysing them altogether. Unlike a biological virus, a computer virus is program code written by a person; once this code enters a computer and is executed, it searches for other programs or storage media that meet its infection conditions, identifies them as targets, and inserts its own code into them in order to reproduce itself. As soon as a computer is exposed, if the infection is not dealt with in time the virus spreads rapidly on that machine and a large number of files (usually executable files) become infected. Each infected file becomes a new source of infection, and when data is exchanged with other machines or contact is made over a network, the virus continues to spread.
A normal program does not forcibly attach its own code to other programs. A virus does: it forcibly attaches its code to every program that meets its infection conditions, and the infection process never ends. Viruses can spread to other computers through any available channel, such as floppy disks or computer networks. When a machine is found to be infected, the floppy disks that have been used on it are often found to be infected too, and other computers networked with that machine may also be infected. Whether a program is contagious is the most important test of whether it is a computer virus.
A virus program achieves its mode of transmission and spread by modifying the information in disk sectors or the content of files and embedding itself into them. The program it is embedded in is called the host program.

3. Latency

A carefully written virus program normally does not attack immediately after entering a system; it can hide in legitimate files for weeks, months or even years, spreading to other systems without being discovered. The better its latency, the longer it stays in the system and the wider the range of its infection.
Latency shows itself in two ways. First, a virus program is not detected unless a dedicated detection program checks for it, so it can lie quietly on a disk or tape for days or even years, and when the time comes and it gets the chance to run, it propagates and spreads everywhere and continues to do harm. Second, computer viruses usually have an internal trigger mechanism: while the trigger conditions are not met, the virus does nothing but spread. Once the trigger conditions are met, some viruses display a message, graphic or special mark on the screen, while others carry out actions that damage the running system, such as formatting the disk, deleting files on the disk, encrypting data files, locking the keyboard or deadlocking the system.

4. Triggerability
A virus's infection or attack is set off by the occurrence of some event or value; this is the characteristic of triggerability. To conceal itself a virus must stay latent and act as little as possible, but if it never acts it can neither infect nor destroy and loses its lethality. To remain both hidden and lethal, a virus must be triggerable. The trigger mechanism controls the frequency of infection and destructive actions. A virus carries predetermined trigger conditions, which may be a time, a date, a file type or some specific data. When the virus runs, the trigger mechanism checks whether the intended conditions are met; if so, it starts the infection or destruction routine and the virus infects or attacks; if not, the virus continues to lurk.

5. Destructiveness
Every computer virus is an executable program and must run like any other executable program, so from the system's point of view all viruses share one common hazard: they reduce the efficiency of the computer system and take up system resources, to a degree that depends on the particular virus program.
Beyond that, the destructiveness of a virus depends on the designer's purpose. If the designer's purpose is to destroy the normal operation of the system completely, the consequences of an attack on the computer system are hard to imagine: the virus can destroy part of the system's data, or destroy all of it and make it unrecoverable. Not all viruses are extremely destructive to the system, however. Sometimes a virus that does little damage on its own can still cause a system crash or other serious consequences through cross-infection.

6. Initiative of attack
A virus's attack on a system is active and does not depend on human will. In other words, no matter how strict the protective measures a computer system adopts, it cannot completely rule out attack by a virus; protection is at best a means of prevention.

7. Targeting
Computer viruses are written for a particular computer and a particular operating system. For example, some target the IBM PC and compatibles, some target the Apple Macintosh, and some target the UNIX operating system. The Small Ball (Ping-Pong) virus, for example, targets the IBM PC and compatibles running the DOS operating system.

8. Unauthorised execution
A virus executes without authorisation. A normal program is invoked by the user, and the system then allocates resources to complete the task the user assigned; the user's purpose is visible and transparent. A virus has all the characteristics of a normal program and hides inside one; when the user invokes the normal program, the virus steals control of the system and acts before the normal program executes. Its purpose is unknown to the user and its actions are without the user's permission.

9. Hiddenness
Viruses are generally written with very high programming skill and are short, compact programs. They are usually attached to a normal program or tucked into a secluded place on the disk, and some take the form of hidden files, the aim being to keep their presence from the user. Without reading the code, a virus program is not easy to distinguish from a normal program. Without protective measures a virus can gain control of the system and infect a large number of programs in a very short time, and the infected computer system usually continues to function normally, so the user notices nothing unusual, as if nothing had happened. Imagine the opposite: if the machine stopped working correctly the moment a virus reached it, the virus could not go on infecting. It is precisely because of this hiddenness that viruses spread undetected and roam through millions of computers around the world.
Most virus code is designed to be very short for the same reason, to stay hidden. A virus is generally only a few hundred bytes or 1 KB long, and PC-DOS can access files at several hundred KB per second or more, so the virus can attach these few hundred bytes to a normal program in an instant, which makes it very difficult to detect.
Viruses hide in two ways:
The first is the secrecy of infection. Most viruses infect very quickly and usually show no outward sign, so they are not easily noticed. Suppose a virus displayed the message "I am a virus program and I am going to do bad things" on the screen whenever it infected a new program; it would have been brought under control long ago. Some viruses do "dare to expose themselves", showing certain patterns or messages on the screen from time to time or playing some music, but by then many copies of the virus already exist inside the computer. Many computer users have no concept of computer viruses, let alone any psychological guard against them; seeing the new display or hearing the sound, they assume it comes from the computer system, unaware that the virus is damaging the system and creating a disaster.
The second is the hidden existence of the virus program. A virus program is usually concealed inside normal programs and hard to discover, yet once it attacks it often damages the computer system to varying degrees. A computer infected by a virus can in most cases keep most of its functions; if instead the whole computer could not start once infected, or a program could not run once the virus had damaged it, the virus could not spread in our world. Here lies the compactness of the virus's design: the normal program infected by it keeps its original functions largely intact, the virus code attached to it manages to survive and keeps getting chances to run, spreading more copies of itself, competing with normal programs for system control and disk space, and continually undermining the system until the whole system is paralysed. The virus code is designed to be very short but very clever.

10. Derivability
This feature provides a shortcut for certain meddlers to create new viruses.
Analysis of the structure of known viruses shows that the damage and spread they cause partly reflect the designer's design thinking and design purpose. Once others master that principle, however, they can attempt changes of their own, which derive new viruses (also called variants) that differ from the original version. This is the derivability of computer viruses. The consequences of such variants may be far more serious than those of the original virus.

11. Parasitism (dependence)
A virus program embeds itself in a host program and depends on the host program's execution to survive; this is the parasitism of viruses. When a virus program invades a host program, it generally modifies it, so that once the host program executes, the virus program is activated and can replicate and reproduce itself.

12. Unpredictability
From the point of view of detection, viruses are unpredictable. Different kinds of virus have different code, but some operations are shared (such as residing in memory and changing interrupts). Some people make use of this commonality and claim that they can search for all viruses. Such a program can indeed identify a number of new viruses, but today's software is extremely varied, some of it performs operations similar to those of viruses during normal operation, and some even borrows virus techniques, so detecting viruses this way is bound to produce more false positives. Virus-writing technology also improves constantly, and viruses are always ahead of anti-virus software. A new generation of viruses even hides some of its basic features; sometimes a virus can be found by observing a change in file length, but newer viruses blind the user on this point too by storing their own code in the gaps inside files, so that the file length stays the same. Many new viruses use mutation to evade inspection, and this has become a basic feature of the new generation of computer viruses.
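Sections 9 and 12 both describe the length problem: a virus attaches a few hundred bytes to a host program in an instant, and newer ones store themselves in gaps inside the file so that the file length does not change at all. A length check alone therefore misses them; a stored digest does not. The following Python is an added example, not code from the original post or from any anti-virus product: it records the length and SHA-256 digest of every executable-looking file under a directory, then reports what changed, distinguishing the length-preserving case from growth. The file names, contents and the "modification" (plain marker bytes, not virus code) are constructed for the example.

```python
"""File-integrity baseline for executables (added example; constructed data)."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Extensions treated as executables for this example (constructed list).
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".sys"}


def file_digest(path: str) -> Tuple[int, str]:
    """Return (length in bytes, SHA-256 hex digest) of one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def build_baseline(root: str) -> Dict[str, Tuple[int, str]]:
    """Map each executable-looking file under root (relative path) to (length, digest)."""
    baseline: Dict[str, Tuple[int, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def check_against_baseline(root: str, baseline: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Compare the tree under root with a saved baseline; return {relpath: verdict}
    for every file that differs. A changed digest with an unchanged length is the
    case the text warns about: code hidden in the file's gaps."""
    current = build_baseline(root)
    findings: Dict[str, str] = {}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings[rel] = "new executable"
            continue
        old_size, old_digest = baseline[rel]
        if digest == old_digest:
            continue
        if size == old_size:
            findings[rel] = "length-preserving change"
        elif size > old_size:
            findings[rel] = f"grew by {size - old_size} bytes"
        else:
            findings[rel] = f"shrank by {old_size - size} bytes"
    for rel in baseline:
        if rel not in current:
            findings[rel] = "missing"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: one program altered inside its zero-filled slack
    (length unchanged), one program appended to, one non-executable untouched."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "EDIT.COM"), "wb") as f:
            f.write(b"PROGRAM-BODY" + b"\x00" * 100)      # body plus 100 bytes of slack
        with open(os.path.join(root, "GAME.EXE"), "wb") as f:
            f.write(b"MZ" + b"GAME-BODY")
        with open(os.path.join(root, "README.TXT"), "wb") as f:
            f.write(b"not an executable")
        baseline = build_baseline(root)

        # Simulated length-preserving overwrite of the slack area (marker bytes only).
        with open(os.path.join(root, "EDIT.COM"), "r+b") as f:
            f.seek(12)
            f.write(b"X" * 20)
        # Simulated appending modification.
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"Y" * 7)
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path}: {verdict}")
```

In practice the baseline would be written to read-only or offline storage right after a clean installation, since a baseline kept on the same writable disk can be modified along with the files it describes.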

13. Deceptiveness
Computer viruses are secretive, and users who do not understand their computers often accept the errors caused by a virus as normal, so the virus succeeds easily.

14. Persistence
Even after a virus program has been detected, the data, programs and operating system are very difficult to restore. This is especially true under network operating conditions, because a virus program spreads repeatedly from one infected copy across the network, which makes the removal process very complex.

How to prevent computer viruses

1. Responsiveness to reported viruses: Kaspersky has world-leading virtual-machine technology for running viruses, which can automatically analyse the behaviour of about 70% of unknown viruses, backed by a group of highly qualified virus-analysis experts, so its reaction speed is faster than others'. Hourly updates are the solid technology behind this.

2. Reported viruses get a reply for any user, whether legitimate or pirated, without questions being asked; a virus analyst replies, and in some cases gives conclusions based on a detailed analysis, which is thoughtful service to the user. Sometimes I like to write to them, and even when what I write is odd they still reply. Having previously used a pirated version with a guilty conscience, I quickly bought a genuine set when NetEase discounted Kaspersky. That is how Kaspersky, as an anti-virus company, easily wins over potential users.

3. It admits its own mistakes at any time. Virus analysis is tedious, dirty work, and Kaspersky is not free of mistakes, but it corrects them immediately: as long as a user writes in to point out a false positive or a wrongful deletion, it is corrected at once. Correcting a mistake as soon as it is pointed out makes it a model for other anti-virus products; try getting an error corrected at Symantec and see what result you get.

4. Kaspersky's engine technology is the core of many domestic and foreign anti-virus products. That is acknowledged; I do not know about the situation abroad, but domestic anti-virus vendors all scan reported viruses with Kaspersky first, which is interesting. So wouldn't you say Kaspersky is the master of the other anti-virus products?

5. Kaspersky's virus database is not the largest in number, but the actual number of viruses it can kill is absolutely the highest in the world. This is because of Kaspersky's very strong unpacking capability: no matter how you pack a program, as long as the program body can run it cannot escape Kaspersky's grasp; whatever you disguise yourself as, you are still you. So the current 13 million entries in Kaspersky's database are the real number of viruses it can kill, whereas some other anti-virus products are either stumped by a packed virus or count it as a new variant, and then pride themselves on issuing more than 100 updates a day, not knowing that one Kaspersky update is worth dozens of theirs.

6. The most important point is that Kaspersky gives the user no material reward for reporting viruses, yet we still rush to do it, because: an hour ago, when I ran into an unknown virus, I sent the virus file to Kaspersky, then leisurely ate and took a bath; when I came back an hour later and updated Kaspersky, it removed the nasty viruses one by one to its melodious sound, like a slaughterhouse. That mental pleasure and sense of participation: can any other anti-virus product give it to us?

The harm done by computer viruses

The main hazards of computer viruses are:

1. Direct destructive effect on data when the virus is triggered
Most viruses, when triggered, directly damage important information and data on the computer. The means used are formatting the disk, overwriting the file allocation table and directory area, deleting important files or overwriting files with meaningless "junk" data, damaging the CMOS settings, and so on. The Disk Killer virus (DISK KILLER) contains a counter and triggers once the total boot-up time since the hard disk was infected reaches 48 hours; when triggered it displays "Warning!! Don't turn off power or remove diskette while Disk Killer is Prosessing!" on the screen (warning: DISK KILLER is at work, do not turn off the power or remove the disk) and rewrites the hard-disk data. A hard disk damaged by DISK KILLER can be repaired with anti-virus software, so do not give up easily.

2. Occupying disk space and destroying information
A virus parasitic on a disk illegally occupies part of the total disk space. A boot-sector virus generally occupies the disk's boot sector with its own body and moves the original boot sector to another sector; that is, the boot virus overwrites a disk sector. The data in the overwritten sector is permanently lost and cannot be recovered. File-type viruses infect by using certain DOS functions that can find unused disk space, and write the infecting part of the virus into the unused part of the disk, so during infection they usually do not destroy the original data on the disk but do illegally occupy disk space. Some file-type viruses spread quickly, infecting a large number of files in a short time; each file is lengthened to a different degree, which causes a serious waste of disk space.

3. Occupying system resources
Apart from VIENNA, CASPER and a few other viruses, most viruses are memory-resident, which necessarily occupies part of the system's resources. The amount of base memory a virus occupies is comparable to the virus's own length. Memory occupied by the virus reduces the memory available, so some software can no longer run. Besides occupying memory, a virus also seizes interrupts and interferes with system operation. Many operating-system functions are implemented by calling interrupts. In order to infect and trigger, a virus always modifies the relevant interrupt vectors and inserts its own "stuff" into the normal interrupt process, which interferes with the normal operation of the system.

4. Affecting the computer's speed
After a virus enters memory it not only interferes with system operation but also slows the computer down, mainly because:
(1) to decide whether its infection or trigger conditions are met, the virus constantly monitors the state of the computer, which is superfluous and harmful compared with the computer's normal operation;
(2) some viruses encrypt themselves for self-protection, not only as static viruses on disk but also while resident in memory; every time the CPU addresses the virus to run it, it must first execute a decryption routine to turn the encrypted virus back into legal CPU instructions before executing them, and when the virus finishes running it is encrypted again, so the CPU executes thousands of extra instructions;
(3) while infecting, the virus inserts additional illegal operations; especially when infecting a floppy disk this not only slows the computer down noticeably but also disrupts the normal order of disk reads and writes, producing a cacophony of noise.

5. Errors in viruses and unforeseen hazards
A major difference between computer viruses and other software is that nobody is accountable for a virus. Writing a complete piece of software requires a lot of manpower and material resources and a long period of debugging before it can be released. Virus producers neither seem to find this necessary nor are able to do it. Many viruses are written on an isolated computer and thrown out after hasty debugging. Anti-virus experts who have examined a large number of viruses found that the vast majority contain errors of varying degrees. Another major source of error is virus variants: some computer novices who lack the ability to develop software independently modify other people's viruses out of curiosity or other motives, introducing errors. The consequences of virus errors are often unpredictable; anti-virus workers have documented nine errors in the Black Friday virus and five in the Ping-Pong virus, but nobody can spend the time to analyse the errors of tens of thousands of viruses. When viruses with unknown errors spread widely, the consequences are hard to predict.

6. Virus incompatibility affecting system operation
Compatibility is an important indicator of computer software: software with good compatibility runs in a variety of computer environments, whereas software with poor compatibility is "picky" about its operating conditions, requiring a particular model, operating-system version and so on. Virus writers generally do not test their viruses in a variety of computer environments, so viruses are poorly compatible and often cause crashes.

7. Serious psychological pressure on users
According to statistics from computer vendors, users' suspicions that "the computer has a virus" and the resulting advisory service account for about 60% of after-sales workload. In about 70% of these cases a virus is actually detected, while in the other 30% the user suspects a virus but the computer in fact has none. Why do users suspect a virus? Mostly because of phenomena such as crashes and abnormal program behaviour. These may well be caused by viruses, but not always; in fact, when a computer behaves "abnormally" it is very difficult for an ordinary user to determine accurately whether a virus is responsible. Most users would rather believe there is a virus and take some action, which is undoubtedly necessary for protecting computer security, but it often costs time, money and so on. Formatting a disk rashly on the mere suspicion of a virus causes losses that are even harder to remedy. Not only individual stand-alone users but also some large network systems cannot avoid stopping for virus screening. In short, computer viruses hang like a "ghost" over the minds of ordinary computer users and cause tremendous psychological pressure, which greatly reduces the efficiency of modern computer use and causes an immeasurable intangible loss.

Computer viruses can have a great impact on computer systems. Most viruses destroy programs and data. The following describes the destruction and impact caused by several different viruses.
Some viruses, such as FormatC (a macro virus) and Stoned Daniela, unconditionally format the hard disk and delete all system files on it when triggered. Take the AOL4Free Trojan horse as an example: it is attached to an e-mail message under the file name AOL4FREE.COM. In fact it is a batch file converted with the DOS utility BATEXEC version 1.5 (a utility used to convert large batch files so that they run faster).
The Trojan horse first searches the DOS directory for the file DELTREE.EXE and then uses it to delete all the files on the hard disk. As files are deleted, it displays the DOS error message "Bad command or file name" together with an obscene message. If it cannot find DELTREE.EXE it cannot delete the files, but the obscene message still appears.
Some viruses, such as Monkey (Stoned.Empire.Monkey) and AntiEXE, infect the Master Boot Record (MBR) and the DOS boot sector; afterwards they reduce memory and hard-disk performance, until the computer screen shows a number of messages or other damage occurs.
Take AntiEXE as an example. When the MBR is loaded during the boot process, the virus stores the still-uninfected MBR at cylinder 0, side 0, sector 13 of the hard disk, then writes its own code over the MBR, so that the infected MBR sits at cylinder 0, side 0, sector 1. While AntiEXE is active in memory, any read of the infected MBR and/or DOS boot sector from any drive is redirected to the clean counterpart of that area. During disk reads that place the MBR and/or DOS boot sector, the virus looks for a particular *.EXE file (whose identity is still unknown) and then damages that file.
Another example: One Half encrypts about half of the hard disk and displays the message "Disk is one half. Press any key to continue." If the virus is removed from the MBR with the usual method, all the data in the encrypted area is lost.
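The AntiEXE and One Half descriptions above point at two checks a defender can make against a clean copy of the MBR saved right after installation: whether the boot code still matches that copy, and whether the 0x55AA boot signature and the partition table are intact. The Python below is an added example, not part of the original post or of any anti-virus product: it parses a 512-byte sector, extracts the partition table, and lists the differences from a reference sector. The sector contents are constructed byte strings; the layout constants (446 bytes of boot code, four 16-byte partition entries, signature at offset 510) are the standard MBR layout.

```python
"""MBR parsing and comparison against a saved clean copy (added example; constructed sectors)."""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow
SIGNATURE_OFFSET = 510         # bytes 0x55 0xAA close the sector


def parse_mbr(sector: bytes) -> Dict:
    """Split a sector into boot code, non-empty partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    # Little-endian read of bytes 0x55,0xAA yields 0xAA55.
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {"signature_ok": signature == 0xAA55,
            "boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions}


def compare_mbr(current: bytes, clean: bytes) -> List[str]:
    """List what differs between the sector just read and the saved clean copy."""
    cur, ref = parse_mbr(current), parse_mbr(clean)
    findings: List[str] = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code"] != ref["boot_code"]:
        findings.append("boot code differs from clean copy")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from clean copy")
    return findings


def build_sector(boot_code: bytes, entries: List[bytes]) -> bytes:
    """Assemble a 512-byte sector from boot code, packed partition entries and the signature."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xAA"


# One constructed bootable FAT16 (type 0x06) partition starting at LBA 63, 20000 sectors long.
SAMPLE_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x06, b"\x00\x00\x00", 63, 20000)


def make_clean_mbr() -> bytes:
    """Constructed 'clean' MBR as saved after installation (placeholder boot code)."""
    return build_sector(b"CLEAN-BOOT-CODE-PLACEHOLDER", [SAMPLE_ENTRY])


def make_modified_mbr() -> bytes:
    """Constructed MBR whose boot code was replaced but whose partition table was kept,
    which is what lets an infected disk still boot (placeholder bytes, not virus code)."""
    return build_sector(b"REPLACED-BOOT-CODE-PLACEHOLDER", [SAMPLE_ENTRY])


if __name__ == "__main__":
    clean = make_clean_mbr()
    print("clean vs clean:", compare_mbr(clean, clean))
    print("modified vs clean:", compare_mbr(make_modified_mbr(), clean))
```

On a real system the sector to check would be read from the raw disk device (which needs administrator rights) and, because a resident virus such as AntiEXE redirects reads of the infected sector to the clean copy, the comparison is only trustworthy when run from a clean boot disk.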
Thoughts:
I think many computer users turn pale at the mere mention of "computer virus", as if it were a narcotic. Some of them have indeed been victims, but more of them feel insecure because of exaggerated hearsay. It is not only fear but also damage to their wallets (a trap set by businesses).

The dangers of computer viruses are well known, ranging from slowing the machine down to destroying files or causing crashes. To be able to maintain the computer at any time, tools must be prepared, such as a clean DOS boot disk or a Windows 98 boot disk, anti-virus and disk tools, to deal with cases where the system cannot start because of a virus or a hard-disk fault. Drivers for the various accessories, such as the optical drive, sound card, video card and modem, should also be prepared, and floppy and CD-ROM cleaning disks and cleaning fluid should always be on hand.

Transmission of computer viruses

The first way: through non-removable computer hardware devices; these usually have dedicated ASIC chips and the computer's hard disk.
The second way: through removable storage devices, including floppy disks, tapes and so on.
The third way: through computer networks.
The fourth way: through point-to-point communication systems and wireless communication channels.

Infectiousness is the most basic characteristic of computer viruses and the condition for a virus's survival and reproduction. Without channels to spread through, a virus does little damage, spreads narrowly and can hardly cause an epidemic.

A computer virus must be carried by something in order to infect a computer system; usually it is attached to a file.

Computer viruses spread mainly by file copying, file transfer and file execution. File copying and file transfer need a transmission medium, and file execution is the necessary means of infection (Word and Excel macro viruses are executed indirectly through calls by Word and Excel), so the spread of file viruses is directly related to changes in media.

According to reports, computer viruses appeared in the 1970s; since computers were not yet widespread, the damage they caused and their impact on the public were not great. In 1986 the widespread "Pakistan think-tank" (Brain) virus put the threat of PC viruses squarely in front of people. In 1987 "Black Friday" caused a large-scale epidemic among IBM PCs and compatibles around the world, causing considerable panic. Like a biological virus, a computer virus's most basic feature is its contagiousness. Through careful study of the transmission modes of computer viruses and targeted, effective countermeasures, we can take a favourable position in the struggle against viruses and better prevent attacks on computer systems.

Main mode of transmission of computer viruses are:

1. Floppy disks
As the most commonly used medium of exchange, floppy disks played a huge role in spreading viruses in the early days of computing. Computer applications were relatively simple then, executable files and data files were small, and many programs were installed by copying them from floppy disk to floppy disk, so file viruses could spread through files on floppy disks; in addition, listing a floppy disk's directory or booting the machine from it lets a boot-sector virus on the floppy cross-infect the boot disk. Floppy disks therefore became the major "hotbed" in which computer viruses live.

2. CD-ROM
Because a CD-ROM has the capacity to store a large number of executable files, a large number of viruses can hide on a disc, and since a compact disc is read-only and cannot be written, viruses on it cannot be removed. The production process of illegal, for-profit pirated software takes no special responsibility for virus protection, and there is no truly reliable technical support that could prevent viruses from spreading, being transmitted, becoming prevalent and proliferating. At present the proliferation of pirated CDs has greatly facilitated the spread of viruses.

3. Hard disks
A hard disk carrying a virus infects clean floppy disks when it is used locally or moved elsewhere for use or maintenance, and the virus spreads further from there.

4. BBS
Electronic bulletin boards (BBS) are easy to set up and cheap to run, so they are well loved by ordinary users. A BBS is a communication site organised by computer enthusiasts themselves, on which users can exchange files (including free software, games and their own programs). Since BBS stations generally lack strict security management and impose no restrictions, they have provided a number of virus writers with a place to spread viruses. BBS stations in different cities relay through a central station, so the spread covers a wider area. With the popularity of BBS in China, a new medium has been added to the spread of viruses.

5. Networks
Modern communication technology has made great progress: data, files and e-mail can conveniently be transmitted over the network between workstations through cables, optical fibre or telephone lines. The workstations may be placed side by side or thousands of kilometres apart, the so-called "far apart yet as close as neighbours", but this has also provided a new "highway" for the spread of computer viruses. A virus can attach itself to a normal file; when you obtain an infected program from the other end of the network and run it on a computer that has no protective measures, the door is open to the virus. This mode of transmission is common in computer networks that connect different countries, and it is no longer surprising for a domestic computer to be infected with an "imported" virus. As our information becomes international, our viruses become international too, and large numbers of foreign viruses enter domestic networks.

With the popularity of the Internet, a new route has been added to the spread of viruses, and it will become the primary one. The openness of the Internet allows viruses to be more devastating and to spread even more rapidly, making anti-virus work even more arduous. The Internet has brought two different kinds of security threat. One comes from downloaded files: files obtained by browsing or via FTP may contain viruses. The other comes from e-mail. Most Internet e-mail systems provide the ability to transmit formatted documents as message attachments, so infected documents or files can flood into an enterprise network through the gateway and mail server. The simplicity and openness of the network make this threat more serious.

At present the latest trends of viruses on the Internet are: (1) Anonymous personal web pages built by criminals or mischief-makers offer large numbers of virus samples for direct download, providing a convenient way of obtaining them. (2) Virus samples supplied to academic research institutions can also become tools for people with ulterior motives. (3) Anonymous Internet access makes it possible for the electronic papers, journals and magazines in which virus writers discuss academic matters, and related online exchange activities such as virus association annual meetings, to become targets and objects from which anyone at home or abroad who wants to become a new virus creator can learn, steal and copy. (4) Large numbers of virus construction tools, wizards and programs are scattered across websites, so that people with no programming experience or foundation can create new viruses. (5) New technologies and new viruses make it possible for almost anyone, at any time, to unknowingly become a vehicle or communicator of viruses.

Given the transmission channels discussed above, the various anti-virus technologies and people's understanding of the characteristics of viruses, strict control of each means of transmission would make viruses far less intrusive.

Viruses exploit a new PowerPoint vulnerability in network attacks

Kaspersky Lab recently reported that it has intercepted samples that attack a vulnerability in the PowerPoint component of Microsoft Office, such as Trojan-Dropper.MSPPoint.Apptom.a/b and Trojan-Dropper.Win32.Cryptrun.a/b. Users should be aware of the recent network attacks exploiting vulnerabilities in the PowerPoint component of Microsoft Office.

On April 2 Microsoft released a security bulletin on its official website stating that a serious flaw had been found in the PowerPoint component of its Office products that could allow remote code execution. The flaw has been confirmed to affect Office 2000, Office XP, Office 2003 and the Mac version of Office. The latest version of Microsoft Office, Office 2007, is not affected by this vulnerability.

Kaspersky Lab found that current network attacks using this vulnerability are still very limited and not wide in scope. These attacks are targeted, so the number of users affected at present is very small.

In a typical successful attack the attacker gains the privileges of the current user on the computer; if the user has administrator rights, the harm is greater. A typical web-based attack embeds in a web page an Office document containing malicious code that exploits the vulnerability; users are infected only if they click and run such a document. The attacker cannot force the user to open or click a malicious file, but lures the user into clicking a tampered PowerPoint file via e-mail or real-time messaging tools. To spread more effectively, such malicious PowerPoint files are disguised with highly deceptive file names; when a malicious PowerPoint file is opened, it drops a malicious program onto the user's computer, after which the attacker has complete control of the computer.

Trojan-Downloader.Win32.Cntr.ioq Analysis

1. Virus label:
Virus name: Trojan-Downloader.Win32.Cntr.ioq
Virus type: worm
File MD5: F8820809EBCAB9AC87CA039A0D974F59
Disclosure scope: fully public
Hazard level: 4
File length: 7,680 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 7.0
2. Virus description:
This is a worm-type virus. After running, it creates the mutex "gagagaradio" to prevent multiple instances of itself from running, calls HttpOpenRequestA to open a hidden connection to a website, creates the file svcp.csv in the %System32% directory, calls the API function InternetReadFile to read data from the network and saves it to svcp.csv, calls InternetQueryDataAvailable, and creates back.exe in the %System32% directory, writing the remotely fetched virus data into that file. It then checks whether the size of the downloaded data meets the virus's condition; if it does, it runs the downloaded virus file, deletes svcp.csv, and modifies and deletes registry entries. Behaviour after back.exe has been downloaded: back.exe releases the driver files "glok+3c51-3a43.sys" and "glok+serv.config" (the characters after "glok" are fixed random digits or letters) into the %Windir% directory, enumerates system services with EnumServicesStatus to determine whether the virus service already exists among the installed services, creates the virus service if it does not, and then hides itself locally in order to open a large number of predetermined addresses.
3. Behaviour analysis:
Local behaviour:
1. After running, the file releases the following files:
%System32%\back.exe 92,672 bytes
%System32%\svcp.csv 64 bytes
%System32%\glok+3c51-3a43.sys 128,640 bytes (random file name)
%System32%\glok+serv.config 47,901 bytes (random file name)
%System32%\winsub.xml 4 bytes
2. Modified registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\ShowCmd
New: DWORD: 1 (0x1)
Old: DWORD: 3 (0x3)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\WFlags
New: DWORD: 0 (0)
Old: DWORD: 2 (0x2)
3. Deleted registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Capabilities
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Class
Value: string: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ClassGUID
Value: string: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ConfigFlags
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Control\ActiveService
Value: string: "Gpc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\DeviceDesc
Value: string: "Generic Packet Classifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Legacy
Value: DWORD: 1 (0x1)
4. After running, the virus creates the mutex "gagagaradio" to prevent multiple instances of itself from running, calls HttpOpenRequestA to open a hidden connection to a website, and creates the file svcp.csv in the %System32% directory.
5. It calls the API function InternetReadFile to read data from the network and saves it to svcp.csv, calls InternetQueryDataAvailable, creates back.exe in the %System32% directory and writes the remotely fetched virus data into that file, connecting to http://213.155.3.**/aff/cntr.php?e=45337902_85_1_2_2&x=98&y=7621. It then checks whether the size of the downloaded data meets the virus's condition; if it does, it closes the network connection, runs the downloaded virus file and deletes svcp.csv.
6. Behaviour of the downloaded back.exe: back.exe releases the driver files "glok+3c51-3a43.sys" and "glok+serv.config" (the characters after "glok" are fixed random digits or letters) into the %Windir% directory, enumerates system services with EnumServicesStatus to determine whether the virus service already exists among the installed services, creates the virus service if it does not, and then hides itself locally in order to open a large number of predetermined addresses.
Network behaviour:
Opens a large number of predetermined website addresses in hidden mode.
Note: %System32% is a variable path; the virus determines the location of the current System folder by querying the operating system.
%Windir%: the Windows directory
%DriveLetter%: the root directory of a logical drive
%ProgramFiles%: the default program installation directory
%Temp%: \Documents and Settings\<current user>\Local Settings\Temp on the system partition
%Documents and Settings%: the root of the current user's documents
%System32%: the system's System32 folder, whose default path is:

Windows 2000/NT: C:\Winnt\System32
Windows 95/98/Me: C:\Windows\System
Windows XP: C:\Windows\System32
4. Removal:
1. Use Antiy's anti-virus product to remove the Trojan completely (recommended).
Antiy website: http://www.antiy.com
2. Manual removal: delete the corresponding files and restore the relevant system settings according to the behaviour described above.
(1) Use the "process management" function of ATool to end the virus-related processes.
(2) Restore the registry keys modified by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\ShowCmd
New: DWORD: 1 (0x1)
Old: DWORD: 3 (0x3)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\WFlags
New: DWORD: 0 (0)
Old: DWORD: 2 (0x2)
(3) Restore the registry entries deleted by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Capabilities
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Class
Value: string: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ClassGUID
Value: string: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ConfigFlags
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Control\ActiveService
Value: string: "Gpc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\DeviceDesc
Value: string: "Generic Packet Classifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Legacy
Value: DWORD: 1 (0x1)
Delete the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Delete all values under the MUICache key.
(4) Delete the virus and the files it derives:
%System32%\back.exe 92,672 bytes
%System32%\svcp.csv 64 bytes
%System32%\glok+3c51-3a43.sys 128,640 bytes (random file name)
%System32%\glok+serv.config 47,901 bytes (random file name)
%System32%\winsub.xml 4 bytes

Brief profile of the new mail worm W32/Porkis@MM

Virus name: W32/Porkis@MM
Date found: 02-03-19
Region first seen: unknown
Length: 49,664 bytes
Virus type: mail virus
Aliases: I-Worm.Borzella (AVP), W32.Atram@mm (NAV), W32.Storiel@mm (NAV), WORM_PORKIS.A (Trend)
Virus characteristics:
The virus has its own SMTP engine and uses the system's default SMTP server to send infected e-mail to the addresses in the address book in order to spread itself. However, on English/American English operating systems the virus cannot send infected messages.
The virus e-mail looks as follows:
Subject:
'Divertimento assicurato' or
'Leggete urgentemente questa e-mail (se avete tempo da perdere)' or
'Storielle'
From:
Attachment:
a 49,664-byte executable file (not packed) with the file name:
PORKIS.EXE or
PIPPO.EXE or
BAR.EXE
Once the virus runs, it pops up a series of dialog boxes in Italian; for example, the first dialog box is as follows:
It also creates the file DLLMGR.EXE in the Windows directory and modifies the registry Run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Dll Manager" = C:\WINDOWS\DLLMGR.EXE
A while after the system is restarted, the virus tries to connect to the system's default SMTP server (obtained from the registry) and then sends itself to all recipients in the Windows address book. However, as noted above, on English operating systems it cannot connect to the SMTP server and so cannot send successfully.

Signs of infection:
Files present after infection:
C:\WINDOWS\DLLMGR.EXE (49,664 bytes)

Mode of transmission:
After running, the virus infects the affected user's machine, creates a copy of itself in the Windows directory and modifies the registry so that it runs automatically when the system reboots. It then sends infected messages to all recipients in the address book.
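The profile above gives a mail gateway everything it needs to stop this worm at the perimeter: three fixed subjects, three attachment names and a fixed attachment length. The following Python script is an added example, not code from the original profile or from any of the vendors named in it: it parses an RFC 822 message with the standard library and quarantines it when the subject or attachment matches the profile. The extra rule that quarantines any executable attachment is a generic gateway policy added as an assumption, and the sample messages are constructed with dummy attachment bytes, not the worm itself.

```python
"""Mail-gateway rule for W32/Porkis@MM (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# --- Indicators from the worm profile above ---------------------------------
PORKIS_SUBJECTS = {
    "divertimento assicurato",
    "leggete urgentemente questa e-mail (se avete tempo da perdere)",
    "storielle",
}
PORKIS_ATTACHMENTS = {"porkis.exe", "pippo.exe", "bar.exe"}
PORKIS_LENGTH = 49_664  # bytes; the attachment is an unpacked executable
# Generic policy (assumption, not from the profile): executables never pass.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def scan_message(raw: bytes) -> dict:
    """Return {"verdict": "quarantine"|"deliver", "reasons": [...]} for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name in PORKIS_ATTACHMENTS:
            reasons.append(f"attachment name '{name}' matches W32/Porkis@MM")
            if len(payload) == PORKIS_LENGTH:
                reasons.append("attachment length 49,664 bytes matches profile")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment '{name}'")
    if subject in PORKIS_SUBJECTS:
        reasons.append("subject matches W32/Porkis@MM")
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(subject: str, filename: str, attachment: bytes) -> bytes:
    """Construct a raw test message; the attachment is dummy bytes, not malware."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # constructed; the profile leaves From blank
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Ciao!")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Storielle", "PORKIS.EXE", b"MZ" + b"\0" * 100)
    print(scan_message(worm_like))
    benign = build_sample("Meeting notes", "notes.txt", b"see you at 10")
    print(scan_message(benign))
```

Matching the subject independently of the attachment name matters because a variant that renames the attachment still has to use one of the hard-coded subjects, and the other way round; both rules must fire on their own, which is what the sample run shows.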