Four ways to detect a virus on a hard disk

Source: Internet
Author: User
Tags: comparison, continue, backup

To spread an infection, a virus must leave traces. This is true of biological viruses and equally of computer viruses. Detecting a computer virus means going to the places where a virus would reside, looking for anything abnormal, and then identifying what has been found to confirm that a computer virus is present. A computer virus is stored on the hard disk and, while it is active, also resides in memory, so computer virus detection divides into detection on the hard disk and detection in memory.

As a rule, detecting viruses on the hard disk requires that no virus be present in memory, because some computer viruses feed false information to the examiner. For example, while the "4096" virus is resident in memory, the files it has infected do not appear to have changed length; only when no virus is in memory does the file length show the 4096-byte increase. Similarly, while the "DIR2" virus is in memory, viewing an infected file with Debug shows none of the DIR2 virus code at all, and many detection programs have missed infected files for that reason. The same goes for the "Pakistan think tank" (Brain) boot-sector virus: while it is active in memory, examining the boot sector shows only a normal boot sector and no virus program. Therefore, detection with a virus resident in memory is only possible for a virus type that has already been identified, analysed and studied.

To ensure there is no virus in memory, boot from the original, uninfected DOS system floppy disk. The boot must be a cold boot (power the machine off and on again), not a warm boot with the Ctrl+Alt+Del key combination, because some viruses intercept the keyboard interrupt and keep themselves resident in memory across a warm boot. To detect viruses on the hard disk, the DOS version on the boot floppy should be equal to or higher than the DOS version installed on the hard disk. If hard disk management software such as DM or ADM, or hard disk compression software such as Stacker or DoubleSpace, is in use, the drivers for that software must be included on the boot floppy and loaded from its Config.sys file; otherwise, after booting from the floppy, not all partitions of the hard disk will be accessible, and a virus hiding there will escape detection.

Detecting viruses on the hard disk divides into detecting boot-sector viruses and detecting file-type viruses. The principles of the two are the same, but the methods differ because the viruses are stored differently. Four methods are used: the comparison method, which compares the examined object with an original backup; the search method, which searches for a byte string characteristic of the virus; the feature word recognition method, which checks for characteristic bytes at specific positions in the virus; and the analysis method, which disassembles the object to confirm whether it is a virus.

Comparison method

This method compares the original backup with the boot sector or file under examination. The comparison can be made against a printed code listing (for example the output of the Debug D command) or with a program (for example the DOS diskcomp and comp commands, or tools such as PCTools). The comparison method needs no dedicated virus detection program; ordinary DOS commands and tools such as PCTools are enough, and it can also reveal viruses that existing anti-virus software does not yet recognise. Because viruses spread quickly and new ones keep appearing, there is no universal program that detects every virus, nor one that can decide by code analysis alone whether a program contains a virus; new viruses are therefore discovered only by comparison, by analysis, or by a combination of the two.

With the comparison method, the master boot record of the hard disk or the DOS boot sector is examined to find out whether the program code has changed. Because the comparison depends on it, keeping the original backup is essential: the backup must be made in an environment free of computer viruses, kept safely, clearly labelled and write-protected. The advantage of the comparison method is that it is simple and convenient and requires no special software; the disadvantage is that it cannot identify the name or type of the virus. In addition, the cause of a difference between the examined program and the original backup still has to be verified: it may be a computer virus, or it may be DOS data altered accidentally by, for instance, a sudden power failure, a program running out of control, or a malicious program. The differences found are then used in later analysis, examining the nature of the changed code to confirm whether a virus is present.
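As an added illustration of the comparison method (this is example code written for this page, not code from the original article, which relies on Debug listings, diskcomp, comp and PCTools rather than any program of its own), the following Python records a baseline of each object from a clean boot and later compares a fresh read against it, reporting the changed byte ranges the way a side-by-side Debug listing would. The boot-sector and .COM images are constructed samples, and the 4096-byte growth of the .COM file mirrors the "4096" example above; a resident stealth virus would hide exactly that growth, which is why the comparison is only meaningful after a clean boot.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample objects (not real boot code and not real virus code).
# A clean 512-byte DOS boot sector: jump, OEM name, padding, boot signature.
CLEAN_BOOT = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (512 - 11 - 2) + b"\x55\xaa"
# "Infected" copy: the entry jump is redirected and a few bytes are planted at 0x100.
_inf = bytearray(CLEAN_BOOT)
_inf[0:3] = b"\xe9\x00\x7c"
_inf[0x100:0x104] = b"\xfa\x33\xc0\x8e"
INFECTED_BOOT = bytes(_inf)
# A clean 300-byte .COM program and an appender-style infection of it:
# the first instruction becomes a jump and 4096 bytes are added at the end.
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"A" * 296
INFECTED_COM = b"\xe9\x29\x01" + CLEAN_COM[3:] + b"\x90" * 4096


def make_baseline(name: str, data: bytes) -> Dict[str, object]:
    """Record what the original backup looks like: length and SHA-256 digest.
    Take this in a clean-boot environment, as the article requires for the backup."""
    return {"name": name, "length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def diff_offsets(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where the two images differ; a length difference
    is reported as one trailing range. This localises what the analysis step must look at."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            ranges.append((start, i))
        else:
            i += 1
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_to_baseline(data: bytes, baseline: Dict[str, object],
                        backup: Optional[bytes] = None) -> Dict[str, object]:
    """Compare a freshly read object with its baseline. The digest answers "changed or not";
    the raw backup, when available, pinpoints the changed bytes for later analysis."""
    digest = hashlib.sha256(data).hexdigest()
    result: Dict[str, object] = {
        "name": baseline["name"],
        "length_changed": len(data) != baseline["length"],
        "length_delta": len(data) - int(baseline["length"]),
        "hash_changed": digest != baseline["sha256"],
        "changed_offsets": [],
    }
    if backup is not None and result["hash_changed"]:
        result["changed_offsets"] = diff_offsets(backup, data)
    return result


# Baselines taken from the clean images (the "original backup" of the article).
BASELINE = {"boot": make_baseline("boot sector", CLEAN_BOOT),
            "com": make_baseline("PROGRAM.COM", CLEAN_COM)}

if __name__ == "__main__":
    for label, fresh, backup in (("boot", INFECTED_BOOT, CLEAN_BOOT),
                                 ("com", INFECTED_COM, CLEAN_COM)):
        r = compare_to_baseline(fresh, BASELINE[label], backup)
        print(r["name"], "changed" if r["hash_changed"] else "unchanged",
              "length delta", r["length_delta"], "at", r["changed_offsets"])
```

The digest alone is enough to answer the comparison method's question (has the object changed?); the byte ranges are what the article's "later analysis" then inspects to decide whether the change is a virus or accidental damage.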

Search method

This method scans for specific byte strings that each virus contains; if a particular byte string is found inside the examined object, the virus represented by that string is present. Virus scanning software that works by the search method is known abroad as a "scanner". Such software has two parts: a virus code base, containing specially selected code strings for many computer viruses, and a scanning program that uses the code base to scan. The number of viruses the scanner can identify depends entirely on which viruses are covered by its code base.

The choice of the virus code string is very important: the shortest virus bodies are only a little over 100 bytes, and even the long ones are only about 10 KB. After careful analysis of the program, the most representative feature must be chosen, one sufficient to distinguish the virus from other viruses and from its own variants. In general a code string consists of several consecutive bytes, but some scanning software uses variable-length strings containing one or more "fuzzy" bytes: when the scanner encounters such a string, it still identifies the virus as long as every byte other than the fuzzy ones matches exactly. In addition, the feature string must distinguish the virus from normal, non-virus programs, otherwise there will be false alarms.

Feature word recognition method

This is a method developed from the feature string scanning method; it runs faster and has a lower false-alarm rate. The feature word recognition method extracts only a few key bytes from the virus body and assembles them into a feature word. Because few bytes have to be processed and no full string matching is required, recognition is much faster, which matters when the program being examined is large. And because the feature word method pays more attention to the "program activity" of the virus, it reduces the chance of a false report. From the user's side, detection with the feature string scanning method and with the feature word recognition method works the same way: running the detection program is enough to find the known viruses. Both methods require the virus library to be extended continually: once a virus is captured, its features are extracted and added to the library, after which the scanning program can find that new virus.
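The following Python is an added example for the two preceding sections, not the article's code and not any real scanner's: it implements the search method with "fuzzy" bytes (the scanner tries every position in the object) and the feature word method (only a few bytes at a fixed position are tested), plus a small vetting function for the false-alarm caveat, which rejects a candidate string that also occurs in known-clean programs. Every signature name, byte string and sample image here is constructed for the example; none is a real virus signature.

```python
from typing import List, Optional, Sequence, Tuple

# A pattern is a list of byte values; None is a "fuzzy" byte that matches anything.
Pattern = List[Optional[int]]


def parse_signature(text: str) -> Pattern:
    """Parse hex text such as 'FA 33 C0 8E D0 BC ?? 7C'; '??' marks a fuzzy byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(data: bytes, pattern: Pattern, offset: Optional[int] = None) -> int:
    """Return the position where pattern matches, or -1.
    Search mode (offset None): every position in data is tried, as a scanner does.
    Feature word mode (offset given): only that one position is tested, so the cost
    is a handful of byte compares no matter how large the program is."""
    if offset is not None:
        positions: Sequence[int] = (offset,)
    else:
        positions = range(len(data) - len(pattern) + 1)
    for pos in positions:
        if pos < 0 or pos + len(pattern) > len(data):
            continue
        if all(p is None or data[pos + i] == p for i, p in enumerate(pattern)):
            return pos
    return -1


# Constructed virus code base: invented names and byte strings, not real signatures.
VIRUS_DB = [
    # search-mode entry: a boot-sector style prologue with one fuzzy byte
    {"name": "CONSTRUCTED-BOOT-A", "sig": parse_signature("FA 33 C0 8E D0 BC ?? 7C"), "offset": None},
    # feature-word entry: a jump plus two marker bytes expected at the very start of a .COM file
    {"name": "CONSTRUCTED-COM-B", "sig": parse_signature("E9 ?? ?? 56 49"), "offset": 0},
]


def scan(data: bytes, db=VIRUS_DB) -> List[Tuple[str, int]]:
    """Run every code-base entry against one object; report (virus name, position) hits."""
    hits = []
    for entry in db:
        pos = find_pattern(data, entry["sig"], entry["offset"])
        if pos >= 0:
            hits.append((entry["name"], pos))
    return hits


def vet_signature(pattern: Pattern, clean_samples: Sequence[bytes]) -> bool:
    """A candidate string is usable only if it matches none of the known-clean programs;
    otherwise it would raise false alarms on ordinary software."""
    return all(find_pattern(sample, pattern) < 0 for sample in clean_samples)


# Constructed sample images.
ZERO = b"\x00"
SAMPLE_BOOT = (b"\xeb\x3c\x90MSDOS5.0" + ZERO * (0x100 - 11)
               + bytes.fromhex("fa33c08ed0bc007c") + ZERO * (512 - 0x108 - 2) + b"\x55\xaa")
# A "variant" that differs only in the byte the signature marks as fuzzy.
SAMPLE_BOOT_VARIANT = SAMPLE_BOOT.replace(bytes.fromhex("bc007c"), bytes.fromhex("bc207c"))
INFECTED_COM = b"\xe9\x29\x01VI" + b"\xb4\x4c\xcd\x21" + b"\x90" * 40
CLEAN_COM = b"\xb4\x09\xba\x08\x01\xcd\x21\xb4\x4c\xcd\x21Hello$"
MISPLACED_COM = b"\x90" * 10 + b"\xe9\x29\x01VI"   # marker bytes present, but not at offset 0

if __name__ == "__main__":
    for name, img in (("boot", SAMPLE_BOOT), ("variant", SAMPLE_BOOT_VARIANT),
                      ("infected", INFECTED_COM), ("clean", CLEAN_COM), ("misplaced", MISPLACED_COM)):
        print(name, scan(img))
    # "CD 21" is INT 21h, which nearly every DOS program contains, so it must be rejected.
    print("INT 21h usable as signature:", vet_signature(parse_signature("CD 21"), [CLEAN_COM]))
```

The misplaced sample shows the trade-off the article describes: a search-mode scan would find the marker bytes at position 10, while the feature word entry, anchored at offset 0, ignores them, which is what makes the feature word method both faster and less prone to false reports.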

Analytical method

On the one hand, this method can determine whether the examined disk boot areas and programs contain a virus; on the other hand, it can identify the kind and type of virus, decide whether it is a new one, and reveal the approximate structure of the virus body, so that byte strings or feature words can be extracted and added to the virus code base for use by the scanning and recognition programs. At the same time, detailed analysis of the virus code helps in developing a corresponding anti-virus program.

Unlike the first three detection methods, the analysis method requires, besides the relevant knowledge, analysis tools such as Debug and Proview and a dedicated test computer. Even an experienced technician with sophisticated analysis software cannot guarantee a complete analysis of the virus code in a short time, and during the analysis the virus may keep infecting or even trigger its payload, destroying the data on floppy and hard disks entirely; so the analysis must be carried out on a dedicated test PC whose data can be lost without harm. Without these conditions, analysis work should not be undertaken lightly.

Many computer viruses use self-encryption and anti-tracing techniques, which makes analysing them tedious. In particular, some file-type viruses have bodies of more than 10 KB and reach very deep into the system, so a detailed analysis is very complex. Nevertheless, the analysis method is an indispensable technique in anti-virus work: no anti-virus system of excellent performance can be developed without detailed and careful analysis of the various viruses by specialists.

The analysis method has two forms, static and dynamic. Static analysis uses Debug or another disassembler to print the virus code as a disassembly listing and studies it to see which modules the virus consists of, which system calls it uses, which techniques it employs, how it infects a file (from which the procedure for removing the virus and repairing the file follows), which code can serve as a signature, how to defend against the virus, and so on. The more skilled the analyst, the faster the analysis and the deeper the understanding. Dynamic analysis uses a debugging tool such as Debug to trace the virus while it is resident in memory and observe exactly what it does, building on the static analysis to understand how the virus works. Dynamic analysis is unnecessary when the virus code is simple, but when the virus uses more advanced techniques, static and dynamic analysis must be combined to complete the analysis.

In summary, the method of comparing the examined object with the original backup needs no special software and can reveal abnormal conditions; it is a simple, basic virus detection method. The feature string scanning and feature word recognition methods are better suited to ordinary PC users, being convenient and quick. For a newly emerged virus, however, the analysis and comparison methods are required.

By taking technical and managerial measures, computer viruses can be completely prevented.
