Computer Virus classification: infection targets

Source: Internet
Author: User

1 --- There are many kinds of viruses, but by infection target they can be divided into boot viruses, file viruses, and hybrid viruses.

2 --- Boot viruses. A floppy disk normally has a DOS boot sector, which is the boot area of the floppy. Its job is to look for the files IO.SYS and MSDOS.SYS on the disk; if both are found, the disk boots successfully, otherwise the system prints "Non-System disk or disk error" or a similar message. A hard disk has a master boot area and a secondary boot area. The master boot area is at cylinder 0, head 0, sector 1 and holds the master boot program and the partition table. The master boot program searches the partition table for the active partition and loads that partition's first sector, which is the DOS boot sector. The vast majority of boot viruses infect the master boot sector of the hard disk and the DOS boot sector of the floppy disk.

Boot virus intrusion principle:

Power on --> the BIOS runs its startup code --> the BIOS reads the hard disk's master boot sector into memory at 0:7C00 and hands control to the boot program, which is now the virus --> the virus decrements the word at 0:413 (the BIOS has already stored the conventional memory size in KB there), so the system believes it has 1 KB less memory and will never touch that top kilobyte --> the virus computes the segment address of the freed high memory and moves itself there to continue executing --> it modifies the interrupt vector table, pointing INT 13h at the virus program and saving the original INT 13h address in a location the virus knows --> once its work is done, it loads the original boot program to 0:7C00 and runs the system boot program as if nothing had happened.
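The sequence above reduces to three operations: shrink the memory-size word at 0:413, compute where the freed kilobyte sits, and swap the INT 13h vector. The following C program is an added example, not code from the original article. It models the interrupt vector table and BIOS data area as a byte array (a constructed model, with a placeholder ROM address for INT 13h), performs those three operations, and then runs the check a scanner would apply afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the real-mode memory a boot virus touches: the interrupt
 * vector table at 0000:0000-03FF and the BIOS data area at 0000:0400-04FF.
 * This is a constructed model for illustration, not an emulator. */
#define MEM_BYTES   0x500
#define BDA_MEM_KB  0x413          /* word: conventional memory size in KB      */
#define INT13_VEC   (0x13 * 4)     /* IVT slot of INT 13h: offset, then segment */

static uint8_t mem[MEM_BYTES];

static uint16_t rd16(unsigned addr)
{
    return (uint16_t)(mem[addr] | (mem[addr + 1] << 8));
}

static void wr16(unsigned addr, uint16_t v)
{
    mem[addr] = (uint8_t)v;
    mem[addr + 1] = (uint8_t)(v >> 8);
}

/* A clean machine: 640 KB reported, INT 13h pointing into the BIOS ROM.
 * F000:EC59 is only a placeholder ROM address for the model. */
void clean_machine(void)
{
    memset(mem, 0, sizeof mem);
    wr16(BDA_MEM_KB, 640);
    wr16(INT13_VEC, 0xEC59);
    wr16(INT13_VEC + 2, 0xF000);
}

/* "The virus decrements 0:413": take 1 KB off the top of conventional
 * memory and return the segment of the kilobyte DOS will now never use.
 * With 640 KB: 639 KB * 1024 / 16 = 0x9FC0. */
uint16_t hide_top_kb(void)
{
    uint16_t kb = (uint16_t)(rd16(BDA_MEM_KB) - 1);
    wr16(BDA_MEM_KB, kb);
    return (uint16_t)(kb * 64);    /* 1 KB = 64 paragraphs of 16 bytes */
}

/* "Direct INT 13h to the virus, save the original address": returns the
 * original far pointer (segment in the high word) for the virus to keep,
 * and points the slot at virus_seg:0000. */
uint32_t hook_int13(uint16_t virus_seg)
{
    uint32_t saved = ((uint32_t)rd16(INT13_VEC + 2) << 16) | rd16(INT13_VEC);
    wr16(INT13_VEC, 0x0000);
    wr16(INT13_VEC + 2, virus_seg);
    return saved;
}

/* The check a scanner runs: memory shrank below a known-clean baseline, or
 * INT 13h points into conventional RAM (segment below A000h) instead of ROM. */
int boot_virus_suspected(uint16_t baseline_kb)
{
    return rd16(BDA_MEM_KB) < baseline_kb || rd16(INT13_VEC + 2) < 0xA000;
}

int main(void)
{
    clean_machine();
    printf("clean machine: suspected=%d\n", boot_virus_suspected(640));
    uint16_t seg = hide_top_kb();
    uint32_t saved = hook_int13(seg);
    printf("virus moved to %04X:0000, original INT 13h = %04X:%04X, suspected=%d\n",
           seg, (unsigned)(saved >> 16), (unsigned)(saved & 0xFFFF),
           boot_virus_suspected(640));
    return 0;
}
```

The baseline matters: some machines legitimately report 639 KB because the BIOS reserves an extended BIOS data area at the top of memory, so a scanner should compare against a value recorded on a known-clean boot rather than a constant 640. On a real DOS machine the same symptom shows up as CHKDSK reporting 1 KB less total memory than usual.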

Analysis:

Advantages: high concealment and compatibility. A well-written one is not easy to discover, and it runs under DOS, Windows and Windows 95 alike.

Disadvantages: many. Infection spreads slowly, because the virus can only reach a hard disk if the machine is booted from an infected floppy. Removal is easy: simply rewrite the boot area, for example with FDISK /MBR or KV200 /K (KV200 can detect all boot viruses). In addition, the motherboard BIOS can write-protect the boot area, so pure boot viruses are few.

3 --- File viruses

.COM files: this type of virus inserts itself at the head or the tail of the file. The infected file has the following layout:

[jmp xxx]          the virus overwrites the first three bytes of the original file with a jump to its body
[original file ... original file]
[virus]            the virus body, which keeps a copy of the three overwritten bytes so it can restore them and return to the original entry point
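To make the three-byte patch concrete, here is an added C example, not code from the original article and not any real virus: the appended body is just the three saved bytes plus inert NOPs. It applies the head-and-tail layout to a constructed 11-byte .COM image, computes the jmp displacement, runs the scanner heuristic, and then reverses the infection the way a disinfector would.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COM_ORG   0x100   /* a .COM image is loaded and entered at CS:0100h      */
#define COM_LIMIT 0xFF00  /* image and stack must fit below the 64 KB segment end */

/* Layout of the appended body in this model (constructed, not any real virus):
 * the three saved original bytes, followed by a few inert NOPs standing in
 * for the virus code. */
#define SAVED_LEN 3
static const uint8_t filler[] = { 0x90, 0x90, 0x90, 0x90 };
#define BODY_LEN  (SAVED_LEN + sizeof filler)

/* Head-and-tail infection: copy the first three bytes into the body, append
 * the body, and overwrite the head with "jmp rel16" (E9 lo hi). A jmp at
 * 0100h is 3 bytes long, so the next IP is 0103h; the body begins at
 * 0100h + len, hence rel16 = len - 3.
 * Returns the new length, or 0 if the image cannot be infected. */
size_t infect_com(uint8_t *img, size_t len, size_t cap)
{
    if (len < SAVED_LEN || len + BODY_LEN > cap || COM_ORG + len + BODY_LEN > COM_LIMIT)
        return 0;
    if (img[0] == 0xE9)                 /* crude "already infected" marker */
        return 0;
    uint16_t rel = (uint16_t)(len - 3);
    memcpy(img + len, img, SAVED_LEN);              /* save the original head */
    memcpy(img + len + SAVED_LEN, filler, sizeof filler);
    img[0] = 0xE9;
    img[1] = (uint8_t)rel;
    img[2] = (uint8_t)(rel >> 8);
    return len + BODY_LEN;
}

/* Where the jmp at the head lands, as an offset into the file
 * (file offset 0 is CS:0100h). Returns (size_t)-1 if there is no jmp. */
size_t jmp_target(const uint8_t *img, size_t len)
{
    if (len < 3 || img[0] != 0xE9)
        return (size_t)-1;
    return 3 + (uint16_t)(img[1] | (img[2] << 8));
}

/* Scanner heuristic for this model: the first instruction is a jmp that
 * lands exactly BODY_LEN bytes before the end of the file. */
int com_looks_infected(const uint8_t *img, size_t len)
{
    size_t t = jmp_target(img, len);
    return t != (size_t)-1 && t + BODY_LEN == len;
}

/* Disinfect: copy the three saved bytes back over the jmp and cut the body.
 * Returns the restored length, or 0 if the layout does not match. */
size_t disinfect_com(uint8_t *img, size_t len)
{
    if (!com_looks_infected(img, len))
        return 0;
    size_t t = jmp_target(img, len);
    memcpy(img, img + t, SAVED_LEN);
    return t;
}

/* Constructed 11-byte .COM: mov ah,09h / mov dx,0108h / int 21h / ret, "Hi$". */
size_t build_sample_com(uint8_t *img, size_t cap)
{
    static const uint8_t prog[] = { 0xB4, 0x09, 0xBA, 0x08, 0x01, 0xCD, 0x21, 0xC3, 'H', 'i', '$' };
    if (cap < sizeof prog) return 0;
    memcpy(img, prog, sizeof prog);
    return sizeof prog;
}

int main(void)
{
    uint8_t img[64];
    size_t len = build_sample_com(img, sizeof img);
    size_t n = infect_com(img, len, sizeof img);
    printf("infected: %zu -> %zu bytes, head E9 %02X %02X, jmp lands at %zu, infected=%d\n",
           len, n, img[1], img[2], jmp_target(img, n), com_looks_infected(img, n));
    size_t restored = disinfect_com(img, n);
    printf("disinfected back to %zu bytes, head %02X %02X %02X\n",
           restored, img[0], img[1], img[2]);
    return 0;
}
```

A real scanner generalizes the check: a .COM file whose first instruction is a jmp landing within the last few hundred bytes of the file is the classic heuristic, and the saved bytes at the jmp target are what a disinfector copies back. The size check against COM_LIMIT is the one a careless virus skips, with the result that the infected program no longer fits in its 64 KB segment.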


.EXE files: the virus usually appends itself to the end of the file and modifies the CS:IP values in the header so that they point to the start of the virus code; it also modifies the file length fields and SS:SP.

The EXE file is more complex. Every EXE file has a header with the following structure:

EXE file header information
----------------------------------
Offset      Meaning
----------------------------------
00h-01h     'MZ', the EXE file signature
02h-03h     File length modulo 512 (bytes used in the last 512-byte page)
04h-05h     File length in 512-byte pages, rounded up
06h-07h     Number of relocation items
08h-09h     Header length in 16-byte paragraphs
0Ah-0Bh     Minimum number of paragraphs required after the load module
0Ch-0Dh     Maximum number of paragraphs required by the program
0Eh-0Fh     Initial stack segment (SS), relative to the load segment
10h-11h     Initial stack pointer (SP)
12h-13h     File checksum
14h-15h     Initial instruction pointer (IP)
16h-17h     Initial code segment (CS), relative to the load segment
18h-19h     Offset of the relocation table
1Ah-1Bh     Overlay number
1Ch-xxh     Reserved; the relocation table follows
----------------------------------

When DOS loads an EXE file, it reads the load module into memory as described by the header, sets SS:SP, and begins executing at CS:IP (both segment values are relative to the segment at which the program was loaded). A virus typically appends itself to the end of the file, modifies CS and IP so that execution starts in the virus, and modifies the file length fields together with SS and SP.
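The arithmetic behind that description, as an added C example (not code from the original article and not any real virus; the constructed 48-byte EXE and the five-byte NOP body are placeholders): parse the header fields from the table, compute the image size and entry point the way DOS does, append a body on a paragraph boundary, and rewrite CS:IP, SS:SP and the size words at 02h/04h to match. The same computations run in reverse give a scanner check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The header words named in the table above, all little-endian. */
struct mz_hdr {
    uint16_t e_cblp;     /* 02h: bytes in the last 512-byte page (0 = full)  */
    uint16_t e_cp;       /* 04h: number of 512-byte pages, rounded up        */
    uint16_t e_cparhdr;  /* 08h: header size in 16-byte paragraphs           */
    uint16_t e_ss;       /* 0Eh: initial SS, relative to the load segment    */
    uint16_t e_sp;       /* 10h: initial SP                                  */
    uint16_t e_ip;       /* 14h: initial IP                                  */
    uint16_t e_cs;       /* 16h: initial CS, relative to the load segment    */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Parse the header. Returns 0 unless the image starts with 'MZ' and is long
 * enough to hold the fields used here. */
int mz_parse(const uint8_t *img, size_t len, struct mz_hdr *h)
{
    if (len < 0x1C || img[0] != 'M' || img[1] != 'Z')
        return 0;
    h->e_cblp = rd16(img + 0x02);
    h->e_cp = rd16(img + 0x04);
    h->e_cparhdr = rd16(img + 0x08);
    h->e_ss = rd16(img + 0x0E);
    h->e_sp = rd16(img + 0x10);
    h->e_ip = rd16(img + 0x14);
    h->e_cs = rd16(img + 0x16);
    return 1;
}

/* Size of header plus load module as DOS computes it from 02h/04h. */
size_t mz_image_size(const struct mz_hdr *h)
{
    size_t full = (size_t)h->e_cp * 512;
    return h->e_cblp ? full - 512 + h->e_cblp : full;
}

/* File offset of the first instruction: header + CS*16 + IP. */
size_t mz_entry_offset(const struct mz_hdr *h)
{
    return (size_t)h->e_cparhdr * 16 + (size_t)h->e_cs * 16 + h->e_ip;
}

/* Tail infection as the text describes it: append `body` after the load
 * module, then rewrite CS:IP, SS:SP and the two size words so that DOS
 * loads the body and starts there. The body is placed on a paragraph
 * boundary so the new CS is exact. Files with an overlay (on-disk length
 * larger than the header says) are left alone. Returns the new length or 0. */
size_t mz_append_and_hook(uint8_t *img, size_t len, size_t cap,
                          const uint8_t *body, size_t body_len, uint16_t new_sp)
{
    struct mz_hdr h;
    if (!mz_parse(img, len, &h) || mz_image_size(&h) != len)
        return 0;
    size_t start = (len + 15) & ~(size_t)15;
    size_t new_len = start + body_len;
    if (new_len > cap || new_len > (size_t)0xFFFF * 512)
        return 0;
    memset(img + len, 0, start - len);
    memcpy(img + start, body, body_len);
    uint16_t seg = (uint16_t)((start - (size_t)h.e_cparhdr * 16) / 16);
    wr16(img + 0x16, seg);                          /* CS -> body        */
    wr16(img + 0x14, 0);                            /* IP = 0            */
    wr16(img + 0x0E, seg);                          /* SS -> body        */
    wr16(img + 0x10, new_sp);                       /* SP chosen by virus */
    wr16(img + 0x04, (uint16_t)((new_len + 511) / 512));
    wr16(img + 0x02, (uint16_t)(new_len % 512));
    return new_len;
}

/* Scanner heuristic: the entry point lies within the last `tail` bytes of
 * the file, which is where an appended virus puts it. */
int exe_looks_infected(const uint8_t *img, size_t len, size_t tail)
{
    struct mz_hdr h;
    if (!mz_parse(img, len, &h)) return 0;
    return mz_entry_offset(&h) + tail >= len;
}

/* A constructed 48-byte EXE: a 2-paragraph header and a 16-byte load module
 * holding "mov ax,4C00h / int 21h" at CS:IP = 0000:0000. Not a real program. */
size_t build_sample_exe(uint8_t *img, size_t cap)
{
    static const uint8_t code[] = { 0xB8, 0x00, 0x4C, 0xCD, 0x21 };
    if (cap < 48) return 0;
    memset(img, 0, 48);
    img[0] = 'M'; img[1] = 'Z';
    wr16(img + 0x02, 48);    /* 48 bytes used in the last (only) page */
    wr16(img + 0x04, 1);     /* one 512-byte page                      */
    wr16(img + 0x08, 2);     /* header = 2 paragraphs = 32 bytes       */
    wr16(img + 0x10, 0x80);  /* SP                                     */
    memcpy(img + 32, code, sizeof code);
    return 48;
}

int main(void)
{
    uint8_t img[128];
    static const uint8_t body[] = { 0x90, 0x90, 0x90, 0x90, 0x90 }; /* inert stand-in */
    struct mz_hdr h;
    size_t len = build_sample_exe(img, sizeof img);
    size_t n = mz_append_and_hook(img, len, sizeof img, body, sizeof body, 0x40);
    mz_parse(img, n, &h);
    printf("%zu -> %zu bytes, entry now CS:IP=%04X:%04X (file offset %zu), infected=%d\n",
           len, n, h.e_cs, h.e_ip, mz_entry_offset(&h), exe_looks_infected(img, n, 8));
    return 0;
}
```

Note the two size words: 04h is the page count rounded up and 02h the bytes used in the last page, with 0 meaning a full page, so both must be recomputed together or DOS will load a truncated image. A file longer than the header claims carries an overlay, which the example refuses to touch; a real virus that ignores this overwrites the overlay and breaks the host. The 8-byte tail window in main is sized for the toy image only; a scanner working on real files uses a window of a few hundred bytes.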

4 --- Hybrid viruses: viruses that infect both the boot area and files. A hybrid virus is not simply a file virus and a boot virus glued together; there is a conversion process between the two halves, and that is the most important part. Generally the following methods are used. When the virus runs from an infected file, it writes itself into the boot area, which is easy to understand. In the other direction, the boot-virus half stays resident in memory in the way described above, but at that point DOS has not yet loaded, so INT 21h cannot be hooked and no file can be infected. The usual trick is to hook INT 8 (the timer interrupt), save the current INT 21h address, and have the INT 8 service routine watch whether the INT 21h vector changes. If it changes, DOS has loaded, and the virus can then modify INT 21h to point at the virus segment.
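The INT 8 trick as an added C example, not code from the original article and not a real virus: a toy interrupt vector table, the boot-stage half that records INT 21h and hooks the timer, a tick routine that notices the vector moving when DOS installs its handler, and the scanner check for vectors that point into the hidden top kilobyte. The virus segment 9FC0h, the DOS handler address 0070:1234 and the ROM address F000:FEA5 are placeholders chosen for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy interrupt vector table: 256 entries of (offset, segment). Constructed
 * model for this example; the addresses used with it are placeholders. */
#define INT08_VEC (0x08 * 4)
#define INT21_VEC (0x21 * 4)
static uint8_t ivt[0x400];

static uint16_t rd16(unsigned a) { return (uint16_t)(ivt[a] | (ivt[a + 1] << 8)); }
static void wr16(unsigned a, uint16_t v) { ivt[a] = (uint8_t)v; ivt[a + 1] = (uint8_t)(v >> 8); }
static uint32_t vec(unsigned slot) { return ((uint32_t)rd16(slot + 2) << 16) | rd16(slot); }
static void set_vec(unsigned slot, uint16_t seg, uint16_t off) { wr16(slot, off); wr16(slot + 2, seg); }

/* Machine as the BIOS leaves it before the boot sector runs: INT 8 in ROM,
 * INT 21h not yet set (0000:0000). */
void bios_state(void)
{
    memset(ivt, 0, sizeof ivt);
    set_vec(INT08_VEC, 0xF000, 0xFEA5);
}

/* What the boot-sector half keeps in its high-memory segment. */
struct hybrid {
    uint16_t seg;             /* segment the virus was moved to                  */
    uint32_t int21_at_boot;   /* INT 21h as seen before DOS loaded               */
    uint32_t int21_saved;     /* the real DOS handler, once hooked               */
    uint32_t int8_saved;      /* original timer handler, chained to by the virus */
    int      file_half_armed; /* 1 once INT 21h points into the virus            */
};

/* Boot stage: record INT 21h, then hook INT 8 so the virus gets control on
 * every timer tick even though DOS is not loaded yet. */
void boot_stage(struct hybrid *v, uint16_t virus_seg)
{
    v->seg = virus_seg;
    v->int21_at_boot = vec(INT21_VEC);
    v->int21_saved = 0;
    v->file_half_armed = 0;
    v->int8_saved = vec(INT08_VEC);
    set_vec(INT08_VEC, virus_seg, 0x0000);
}

/* Runs on each timer tick. If the INT 21h vector moved since boot, DOS has
 * installed its handler: save it and point INT 21h at the virus's file
 * infection routine (offset 10h in this model). Returns 1 on the tick that
 * performed the switch, 0 otherwise. */
int timer_tick(struct hybrid *v)
{
    if (v->file_half_armed)
        return 0;
    uint32_t now = vec(INT21_VEC);
    if (now == v->int21_at_boot)
        return 0;                        /* still before DOS */
    v->int21_saved = now;
    set_vec(INT21_VEC, v->seg, 0x0010);
    v->file_half_armed = 1;
    return 1;
}

/* DOS installing its INT 21h handler (placeholder address). */
void dos_loads(uint16_t seg, uint16_t off)
{
    set_vec(INT21_VEC, seg, off);
}

/* Scanner check: a vector whose segment is at or above the memory top
 * reported in 0:413 (mem_kb * 64 paragraphs) but below the video/ROM area at
 * A000h points into the kilobyte a boot virus hides in. */
int vector_in_hidden_kb(unsigned slot, uint16_t mem_kb)
{
    uint16_t seg = rd16(slot + 2);
    return seg >= (uint16_t)(mem_kb * 64) && seg < 0xA000;
}

int main(void)
{
    struct hybrid v;
    bios_state();
    boot_stage(&v, 0x9FC0);
    printf("tick before DOS: %d\n", timer_tick(&v));
    dos_loads(0x0070, 0x1234);
    printf("tick after DOS: %d, saved INT 21h = %08X\n", timer_tick(&v), (unsigned)v.int21_saved);
    printf("INT 21h in hidden KB: %d, INT 8 in hidden KB: %d\n",
           vector_in_hidden_kb(INT21_VEC, 639), vector_in_hidden_kb(INT08_VEC, 639));
    return 0;
}
```

The chaining is omitted: a real INT 8 handler would jump to int8_saved after its check, and the INT 21h handler to int21_saved after infecting, otherwise the machine stops keeping time and DOS calls stop working. The check is the same one that catches the boot half: once 0:413 has been lowered to 639, any vector with a segment in 9FC0h-9FFFh points into memory DOS does not know about, which no legitimate driver would do.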

NOTE: Refer to 51cto article: http://bbs.51cto.com/thread-2817-1-1.html
