All kinds of viruses have been put together today. Once you find that your computer is abnormal, it is regarded as a virus, and anti-virus software is everywhere, in a word, it seems that we cannot find the "culprit". As a result, the virus software has been used one after another. Maybe the RMB has been used one after another, or no trace of "culprit" has been found, in fact, this is not necessarily a virus.
Such examples are not uncommon, especially for some beginner computer users. Next, I will introduce how to determine whether a virus is detected in the following aspects based on my computer experience and enterprise network maintenance experience, hope to help identify "real virus!
Differences and connection between viruses and software and hardware faults
Computer faults are not only caused by viruses, but also caused by software and hardware faults, the network is mostly caused by permission settings. Only by fully understanding the differences and connections between the two can we make a correct judgment and discover the virus in time when it comes. Below I will briefly list some common symptoms of computer faults caused by viruses, software and hardware faults.
Possibility of symptom virus intrusion: Possibility of software and hardware faults
Frequent crashes: Viruses open many files or occupy a large amount of memory; instability (such as poor memory quality and poor hardware overclocking performance); large-capacity software occupies a large amount of memory and disk space; some testing software is used (with many bugs), hard disk space is not enough, and so on; when running software on the network, it is often crashed because the network speed is too slow and the runningProgramToo large, or your workstation hardware configuration is too low.
The system cannot be started.: The virus modifies the boot information of the hard disk or deletes some startup files. If the boot virus boot file is damaged, the hard disk is damaged, the parameter settings are incorrect, and the system file is deleted by mistake.
File cannot be opened: The virus modifies the file format, and the virus modifies the File Link location. File damage; hard disk damage; the link location of the file shortcut has changed; the software for editing the file has been deleted; if the file storage location on the server changes in the LAN, and the workstation does not promptly update the content of the server (the resource manager is opened for a long time ).
Insufficient memory frequently reported: The virus illegally occupies a large amount of memory, opens a large number of software, runs the software that requires memory resources, the system configuration is incorrect, and the memory is not enough (the current basic memory requirement is 128 MB).
Insufficient hard disk space: The virus copies a large number of virus files (this has happened in several cases. Sometimes, if a Win98 or winnt4.0 system is installed on a top 10 Gb hard drive, it means there is no space, when software is installed, the system prompts that the hard disk space is insufficient. The disk capacity in each partition is too small; a large number of large-capacity software is installed; all software is installed in one partition; the hard disk itself is small; if the system administrator sets the "Private disk" space limit for each user in the LAN, the system administrator can view the size of the entire network disk, in fact, the capacity of the "Private disk" has been used up.
A read/write signal is generated when a floppy disk or other device is not accessed.: Virus infection; a floppy disk has taken away files that have been opened on a floppy disk.
A large number of unknown files: Virus copy files, which may be temporary files generated during software installation, or software configuration information and Operation Records.
Black screen startup: Virus infection (the most important thing I remember is 4.26 in 98 years. I paid thousands of yuan for CIH. That day, when I first started my computer on Windows, the screen crashed, after the second boot, there will be no more); Display fault; Display Card fault; motherboard fault; overclocking; CPU damage, etc.
Data Loss: The virus has deleted the file; the hard disk sector is damaged; the original file is overwritten due to restoration; if the file is on the network, it may be deleted by another user by mistake.
The keyboard or mouse is locked for no reason: Virus, special attention should be paid to "Trojan"; damaged keyboard or mouse interface on the motherboard; running a keyboard or mouse lock program, the program is too large, the system was very busy for a long time and showed that pressing the keyboard or mouse did not work.
Slow system running speed: The virus occupies memory and CPU resources, and runs a large number of illegal operations in the background; low hardware configuration; too many or too large open programs; incorrect system configuration; if the program running on the network is mostly caused by the low configuration of your machine, it may also be because the network is busy, and many users open a program at the same time; another possibility is that your hard disk space is insufficient for temporary data exchange during program running.
The system automatically performs the operation.: The virus performs illegal operations in the background. The user sets the relevant program to run automatically in the registry or Startup Group. After some software is installed or upgraded, the system needs to be restarted automatically.
Through the above analysis and comparison, we know that most faults may be caused by human or software or hardware faults. Do not rush to assert when an exception is found, when the anti-virus solution cannot be solved, the fault characteristics should be carefully analyzed to eliminate the possibility of software, hardware and human resources.
Virus classification and features
To truly identify viruses and immediately scan and kill viruses, we also need to have a more detailed understanding of the virus, and the more detailed the better!
Viruses are compiled by a large number of scattered individuals or organizations, and there is no standard for measuring and dividing them. Therefore, virus classification can be roughly divided by multiple perspectives.
For example, viruses can be divided into the following categories by the infected objects:
A. Boot Virus
The target of these virus attacks is the Boot Sector of the disk. In this way, the system can obtain the execution priority at startup to control the entire system. This virus is infected with the boot sector, as a result, the loss is relatively large. Generally, the system cannot be started normally, but it is also easy to kill such viruses. Most anti-virus software can kill such viruses, such as kv300 and kill series.
B. File Virus
Early versions of these viruses generally infect executable files with extensions such as EXE and COM, so that the virus program is activated when you execute an executable file. Recently, some files with extensions such as DLL, OVl, and SYS are infected because these files are usually the configuration and link files of a program, therefore, when a program is executed, the virus is automatically loaded into the quilt. They are loaded by inserting a virusCodeInsert the entire section or distributed to the blank bytes of these files. For example, the CIH virus splits itself into 9 segments and embeds them into an executable file in the PE structure, after infection, the number of bytes in a file is usually not increased, which is the hidden side.
C. Network Viruses
This virus is the product of rapid network development in recent years. Infected objects are no longer limited to a single mode and a single executable file, but more comprehensive and hidden. Nowadays, some Internet viruses can infect almost all office files, such as Word, Excel, and email. The attack methods have also changed, from the original deletion, modification of files to the current file encryption, theft of user useful information (such as hacker programs), etc, the transmission path has also experienced a qualitative leap, instead of being limited to disks, but through a more concealed network, such as e-mails and e-advertisements.
D. Compound viruses
It is classified as a "Compound virus" because they both have some characteristics of the "Boot" and "file" viruses, which can infect the disk's Boot Sector files, this executable file can also be infected. If the virus is not completely cleared, the residual virus can be self-restored, and the boot sector file and executable file may be infected, therefore, it is extremely difficult to scan and kill such viruses. The anti-virus software used must have the function of killing both types of viruses at the same time.
The above is based on the virus infection object. If we divide the virus by the degree of damage, we can divide the virus into the following types::
A. benign virus
These viruses call them benign viruses because they do not attack your system, they just want to have fun, most of them are beginner virus enthusiasts who want to test their own virus program development level. They don't want to damage your system, just make some sound, or there are some prompts, except occupying a certain amount of hard disk space and CPU processing time, there is no other harm. This is also true for some Trojans and virus programs. They just want to steal some communication information from your computer, such as passwords and IP addresses, for use when necessary.
B. Malignant Virus
We treat viruses that only cause interference to software systems, steal information, modify system information, and do not cause hardware damage or data loss as "malignant viruses ", this type of virus can cause no loss except for the system being unavailable. After the system is damaged, you only need to reinstall a part of the system file to restore the system, of course, the system should be reinstalled after the virus is killed.
C. Extremely malignant Virus
These viruses are more damaged than the above B-type viruses. Generally, if your system is infected with these viruses, it will crash completely and cannot be started properly, you may not be able to obtain the useful data that you keep on your hard disk, but delete system files and applications.
D. Catastrophic viruses
From its name, we can know the extent of damage it will cause. This type of virus is generally used to damage the Boot Sector file of the disk, modify the File Allocation Table and the hard disk partition table, as a result, the system cannot be started at all. Sometimes, your hard disk may be formatted or locked, so that you cannot use the hard disk. If you are infected with this type of virus, your system will be difficult to recover, and the data retained in the hard disk will be difficult to obtain, resulting in huge losses, therefore, when should we make the worst plans for evolution, especially for enterprise users, we should make full and catastrophic backup. Fortunately, most large enterprises have realized the significance of backup, spending huge amounts of money on daily system and data backup. Although we all know that such disastrous consequences may not have been met for several years, we still need to relax ". I am in Nestle, and I pay great attention to this issue. For example, 4.26 of CIH attacks in can be classified as this, because it not only damages software, but also directly damages hardware such as hard disk and motherboard BIOS.
For example, the intrusion is divided into the following types:
A,Source codeEmbedded attack type
From its name, we know that this type of virus invades the source program of the advanced language. The virus inserts the virus code before the source program compilation, and is finally compiled into an executable file together with the source program, in this way, the generated file is a virus-infected file. Of course, there are very few such files, because these virus developers cannot easily obtain the source programs compiled by those software development companies. Moreover, this intrusion method is difficult and requires a very professional programming level.
B. Replacing attack type with code
This type of virus is mainly used to replace the whole or some modules of an intrusion program with its own virus code. This type of virus is also rare. It mainly attacks specific programs and is highly targeted, but it is not easy to be detected, and it is difficult to clear it.
C. System Modification type
These viruses mainly use their own programs to overwrite or modify some files in the system to call or replace some functions in the operating system. Because they directly infect the system and cause great harm, it is also the most common virus type, most of which are file-type viruses.
D. Shell Additional Model
This type of virus usually attaches the virus to the header or tail of a normal program, which is equivalent to adding a shell to the program. When the infected program is executed, the virus code is first executed, then the normal program is transferred to the memory. Currently, most file-type viruses belong to this category.
With some basic knowledge about viruses, we can now check whether your computer contains viruses. To learn about these, we can use the following methods to determine.
1. Scanning of anti-virus software
This is probably the first choice for most of our friends, and I am afraid it is the only choice. Now there are more and more types of viruses, and more concealed means, which brings new difficulties to virus detection and removal, it also brings challenges to anti-virus software developers. However, as the computer program development language becomes more technical and computer networks become more and more popular, virus development and dissemination become more and more easy, so there are more and more anti-virus software development companies. However, there are still some well-known anti-virus software systems, such as Kingsoft drug overlord, kv300, kill, PC-cillin, VRV, rising, and Norton. As for the use of these anti-virus software, you don't have to mention it here. I believe everyone has this level!
2. Observation
This method can be observed accurately only when you understand the symptoms of a virus attack and the common locations. For example, when hard disk boot often encounters failures, such as crashes, long system boot time, slow operation speed, hard disk access failure, special sound, or prompts, the first thing we need to consider is that the virus is acting as a monster, but we cannot go through the holes. I have not mentioned the symptoms of software and hardware faults! We can observe the following aspects for viruses:
A. Memory observation
This method is generally used for viruses found under DOS. We can use the "MEM/C/P" command under DOS to view the memory usage of each program, it is found that the memory occupied by viruses (usually not separately occupied, but attached to other programs), and some viruses also occupy relatively hidden memory, we can't find it with "MEM/C/P", but we can see that the total basic memory is less than 1 K or a few K.
B. Registry observation
This method is generally applicable to recent so-called hacking programs, such as Trojans. These viruses are automatically started or loaded by modifying the startup and loading configurations in the registry, it is generally implemented in the following aspects:
[Hkey_current_usersoftwaremicrosoftwindowscurrentversion
Wait. For details, refer to my other article.Article-- A thorough analysis of what may appear in the registry.
C. System Configuration File observation
This type of method is also applicable to hacker programs. This type of virus is typically hidden in the system. INI, wini. in the INI (Win9x/winme) and Startup Group. the INI file contains a "shell =" item, while in wini. INI files contain "load =" and "run =". These viruses generally load their own programs in these projects. Note that sometimes they modify an original program. Run the msconfig.exe program in Win9x/winmeto view the information one by one. For details, refer to my article "transparent Trojan watching.
D. Feature string observation
This method is mainly for some special viruses. These viruses will write the corresponding feature code During intrusion. For example, CIH will write the "CIH" character string in the compromised file. Of course, we cannot easily find the system file (for example, explorer.exe) you can use the hexadecimal code editor to edit the file. Of course, you 'd better back up the file before editing. After all, it is the main system file.
E. Hard Disk Space Observation
some viruses do not damage your system file, but only generate a hidden file. This file contains very little content, but occupies a large disk space, sometimes your hard disk cannot run a general program, but you cannot find it. In this case, we need to open the resource manager, then, set the viewed content property to a file that allows you to view all the properties (this method does not need to be discussed by me ?), I believe that this giant object will be visible at that time, because the virus generally sets it as a hidden attribute. In this case, I will see several examples during my computer network maintenance and personal computer maintenance. I have installed only a few common programs, why is there no display of several GB of hard disk space in drive C? the above method can quickly display the virus.