1. Computer Virus Overview
A computer virus (CV) is a special kind of program, and the problems it causes are software faults. Such a program can copy itself into other programs and disrupt the normal operation of the computer system: the system may fail to boot, programs may not execute correctly, and files may be lost. Based on an analysis of computer virus programs, this article summarizes what they have in common. From that analysis comes the following concept: a computer virus is a program that is transmitted in some way and lodges in a special sector of the disk or inside a program, waits to be loaded into memory when the system starts or when an infected program is run, and is activated when certain conditions are met. It can then spread itself to other programs or to special sectors of the disk, and may interfere with and damage the computer system.
2. Computer Virus Features
Viruses are strange things, but they are not without pattern. They all share the following features:
● Contagious
Infectiousness is the defining feature of all virus programs. Through infection the virus spreads: by modifying disk sector information or file contents and embedding itself into them, the virus program infects and propagates. The program it embeds itself in is called the host program.
● Destructive
Most computer viruses cause damage of some kind when they trigger. Some interfere with the normal operation of the computer system (for example, displaying a ball bouncing back and forth on the screen and disturbing the normal display); some consume system resources (for example, constantly copying themselves so that files grow in length, or occupying a large amount of disk space); some modify or delete disk data or file contents.
● Concealment
The concealment of computer viruses shows in two ways. First, the effects are hidden: most viruses infect extremely quickly, usually show no outward sign, and are not easily discovered. Second, the virus program itself is hidden: it is usually lodged inside a normal program and is hard to detect. Once a virus triggers, the programs on the computer system can be damaged in different ways.
● Parasitic
The virus program is embedded in a host program and depends on the execution of the host program to survive; this is the parasitic nature of computer viruses. After a virus program invades a host program, it generally modifies the host program so that, once the host program is executed, the virus program is activated. This is what allows it to replicate and reproduce itself.
● Latent
After a computer virus enters a system, it generally does not attack immediately but stays latent for a certain period. The length of the latent period varies from virus to virus: some latencies are several weeks, some are several years. During the incubation period the virus program continuously replicates itself and spreads as widely as possible. Once the conditions are ripe, the virus begins its attack. The attack condition varies with the virus; it is designed by the virus author, and the virus program tests for it every time it runs.
3. Modes of Existence of Computer Viruses
● Static existence mode
A computer virus that is parasitic on a disk, a CD, or another storage medium, or that exists in a RAM virtual disk, an external RAM disk, or a ROM disk, is "static": it does not actively infect other programs, let alone attack. When the machine is shut down, the viruses in a RAM virtual disk disappear, while viruses on external storage media continue to exist. Static viruses are not frightening in themselves, but they can become dynamic viruses.
● Dynamic existence mode
A computer virus that has been loaded into memory can take control at any time. It may immediately infect or attack, that is, enter the active state, or it may stay resident in the computer's memory in a latent state. Once activated, it spreads and causes damage. A virus existing dynamically in memory is very dangerous for users; it is like a bomb that may explode at any time. However, a dynamic virus disappears as soon as the machine is shut down, so the key to eliminating computer viruses is to clear the static virus: without a static virus there can be no dynamic virus.
4. Computer Virus Storage Methods
There are two ways in which computer viruses are stored: memory-resident mode and disk storage mode. Residing in memory is a necessary condition for a computer virus to take effect, while disk storage is the objective condition for its existence. If we destroy either of these storage methods, the computer virus loses its essential features, and our computer systems are thereby protected from it.
4.1 Memory-Resident Mode
The key to a virus residing in memory is choosing where in memory to store itself, so there are several memory-resident methods:
● Reduce the space allocatable by the DOS system
● Use gaps in the system
● Use a function call to stay resident
● Use the space of system programs
4.2 Disk Storage
To prevent computer viruses, you must understand the possible ways a virus can be stored on disk. Generally, a computer virus is stored on disk only in a place from which the system will copy it into memory, so that, when conditions are ripe, it can gain control of the system. Currently there are two common methods: file-resident and direct sector access.
● File-resident
● Direct sector access
5. Computer Virus Infection Principles
5.1 Analysis of the Computer Virus Infection Process
The whole process of a computer virus infecting a computer system is discussed using the example of a virus that infects the Boot area. A normal system starts as follows:
(1) After power-on and during boot, the basic devices of the system are checked;
(2) logical sector 0 of the system disk (that is, the BOOT area) is read into memory at 0000:7C00;
(3) the Boot program starts;
(4) it determines whether the disk in drive A is a system disk. If it is not, the system prompts "Non-System disk or disk error, Replace and strike any key when ready"; otherwise it reads the BIOS module and transfers control to it;
(5) the system then runs normally.
When the system starts from a disk carrying the virus, it first reads the code of the virus program:
(1) the virus code (or part of it) in the BOOT area is read into memory at 0000:7C00;
(2) the virus relocates itself, placing its complete program at some address xxxx:xxxx in memory (for example, the "small ball" virus moves itself to 97C0:7C00);
(3) it modifies the interrupt vector entry for INT 13H to point to the virus's control block, so that the virus program gains control;
(4) it reads the contents of the normal BOOT area into memory at 0000:7C00 for normal startup;
(5) the virus holds control and monitors the operation of the system.
When a target object is being accessed, the virus performs the following operations:
(1) read logical sector 0 of the target (for a floppy disk);
(2) determine whether it is already infected;
(3) if the infection conditions are met, write all or part of the virus into the Boot area, and write the remaining virus code together with the normal Boot program, or only the normal Boot program, to a specific location on the disk;
(4) mark that particular sector as a bad cluster (FF7), or leave it unmarked;
(5) the virus program returns, chaining to the normal INT 13H interrupt routine. At this point the virus program has completed the infection of the target disk, which now contains a copy of the virus. The two stages above complete the virus's "reproduction" process, and the virus already in memory continues to monitor the system's operation.
For viruses that infect executable files, the infection principle is the same as for viruses that infect the Boot area, except that the virus is loaded into memory when an infected file is run. The process of becoming memory resident is as follows (assume an infected file HZG.COM whose virus X is linked at its head):
(1) HZG.COM is run;
(2) the system reads the file into memory;
(3) because the virus is at the head of the file, virus program X executes first;
(4) X reads memory and completes its relocation;
(5) it obtains an interrupt vector and points it to the virus program;
(6) the virus gains control of the system and monitors system operation;
(7) it then passes control to the normal HZG.COM file.
Now virus X is in system memory and begins monitoring the running system. When it finds a target to infect, it does the following:
(1) read the specific address information (the identification marker) at the head of HZG.COM to judge whether it is already infected;
(2) if the conditions are met, write the virus, linked to the HZG.COM file, to the target through the disk read/write interrupt INT 13H;
(3) complete the infection and continue to monitor the operation of the system.
When the virus is linked at the end of the file instead, one or more JMP instructions are placed in front of the normal program during infection, so that when the program starts running it jumps to the virus program: before the normal file runs, the virus program runs first. The rest of the infection process is the same as above.
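As an added example (not code from the original article), the following Python script looks at the two infection mechanisms above from the defender's side: it checks a 512-byte image of logical sector 0 for the 55AA signature, decodes the entry JMP to confirm it lands past the BPB in the sector's own boot code, and compares that boot code against a SHA-256 baseline taken from a known-clean copy; a second helper applies the same JMP decoding to a .COM image to flag an entry jump into code appended at the end of the file. The sector contents and .COM images are constructed samples, and the 0x3E code offset and the 64-byte tail window are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BPB_END = 0x3E                 # assumed: DOS boot code starts right after the BPB
BOOT_SIGNATURE = b"\x55\xaa"

def jump_target(code: bytes):
    """Decode an entry JMP (EB rel8 or E9 rel16) to the offset it lands on; None if not a JMP."""
    if len(code) >= 2 and code[0] == 0xEB:
        return 2 + struct.unpack("<b", code[1:2])[0]
    if len(code) >= 3 and code[0] == 0xE9:
        return 3 + struct.unpack("<h", code[1:3])[0]
    return None

def inspect_boot_sector(sector: bytes, baseline_sha256=None) -> dict:
    """Static checks on an image of logical sector 0 (the BOOT area loaded to 0000:7C00)."""
    target = jump_target(sector)
    code_hash = hashlib.sha256(sector[BPB_END:SECTOR_SIZE - 2]).hexdigest()
    return {
        "signature_ok": len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE,
        "jump_target": target,
        # a healthy boot sector jumps over the BPB into its own code, never into the BPB
        "jump_plausible": target is not None and BPB_END <= target < SECTOR_SIZE - 2,
        "code_sha256": code_hash,
        # baseline = hash of the same region taken from a known-clean copy of this sector
        "matches_baseline": baseline_sha256 is None or code_hash == baseline_sha256,
    }

def com_entry_jumps_to_tail(image: bytes, tail_bytes: int = 64) -> bool:
    """File-infection heuristic: the entry JMP lands in code appended at the end of the file."""
    target = jump_target(image)
    return target is not None and target >= len(image) - tail_bytes

def clean_boot_sector() -> bytes:
    """Constructed sample: JMP short over the BPB, dummy OEM name, filler code, 55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"                    # JMP +0x3C from offset 2 -> 0x3E; NOP
    sector[3:11] = b"MSDOS5.0"
    sector[BPB_END:BPB_END + 4] = b"\xFA\x33\xC0\x8E"  # CLI; XOR AX,AX; MOV ... (filler)
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)

def altered_boot_sector() -> bytes:
    """Constructed sample: the same sector with its entry JMP redirected and boot code changed."""
    sector = bytearray(clean_boot_sector())
    sector[0:3] = b"\xEB\x08\x90"                    # now lands at 0x0A, inside the BPB
    sector[BPB_END:BPB_END + 4] = b"\x90\x90\x90\x90"
    return bytes(sector)
```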
5.2 Computer Virus Infection Conditions
When the computer is not running, there is no reading from or writing to the disk and no data sharing. Without disk reads and writes, a virus cannot be transmitted to magnetic storage media; it can only stay in memory or on the storage device where it already is, and if it cannot get into memory it can do nothing. When the computer is running it frequently reads from and writes to the disk, so the prerequisite for virus infection is easily met.
What are the conditions under which a virus infects?
(1) Residing in memory: the virus must reside in memory in order to infect, so the first step of virus infection is becoming memory resident;
(2) looking for an opportunity to infect: after the virus enters memory, it first looks for a target object that can be attacked and determines whether that object can be infected (some viruses infect unconditionally);
(3) infecting: when the virus has found a target object and determined that it can be infected, it infects the disk through the INT 13H disk interrupt service routine, writing itself into the disk system.
Generally, a virus requests a block of memory so that it can remain resident, in the manner of a Terminate-and-Stay-Resident (TSR) program. A virus that does not want to reveal itself generally does not overwrite other data; virus programs are usually written to high memory. Its infection then proceeds as described above.
6. Computer Virus Sources
The channels through which computer viruses arrive mainly cover the following five aspects:
● Pirated software
During the copying and circulation of pirated software there is no guarantee that it has not been infected with viruses. Because piracy is an illegal activity, virus authors like to use pirated software to spread their work, since it lets them avoid legal liability.
● Public software
Whether it is fully public software or semi-public software, people are allowed to copy it freely. Just like pirated software, people cannot determine whether public software is infected with viruses; however, because it is legal, the probability of virus infection is not as high as with pirated software.
● Bulletin boards
When using a Bulletin Board System (BBS), you should note that because anyone can upload files to or download files from the bulletin board, there is no way to ensure that a downloaded program is free of viruses.
● Communications and networks
As with bulletin boards, we cannot guarantee that a program sent over a communication link, or obtained from a remote system on request, is free of viruses.
● Genuine software
Some software companies, in order to avoid being pirated, put a password check program into their products. This program can trigger a virus that was prepared in advance, as a punishment for users of pirated copies.
7. Conclusion
To sum up, anti-virus software alone is not enough to cope with virus attacks. We need a comprehensive, active, and adaptive security threat management approach, which should involve three parties.