Knowledge about viruses

Source: Internet
Author: User

1. Frequent crashes. Virus cause: the virus opens many files or occupies a large amount of memory. Other causes: an unstable machine (poor-quality memory, hardware that does not tolerate overclocking); large software that takes a lot of memory and disk space; buggy test software; insufficient hard disk space; and, when software is run over the network, a slow network, an over-large program, or a workstation whose hardware configuration is too low.

2. The system cannot be started. Virus cause: the virus modifies the boot information of the hard disk or deletes some boot files. Other causes: a damaged boot file, a damaged hard disk, incorrect parameter settings, or a system file deleted by mistake.

3. A file cannot be opened. Virus cause: the virus modifies the file format or the file's link location. Other causes: the file is damaged; the hard disk is damaged; the target of the file's shortcut has changed; the software used to edit the file has been removed; or, on a LAN, the file's storage location on the server has changed and the workstation has not refreshed the server's contents (for example, Explorer has been left open for a long time).

4. Frequent reports of insufficient memory. Virus cause: the virus illegally occupies a large amount of memory. Other causes: too many programs open at once, programs that demand a lot of memory, an incorrect system configuration, or simply too little memory (128 MB is the current basic requirement).

5. The system reports that hard disk space is insufficient. Virus cause: the virus copies itself into a large number of files (I have seen this several times: Win98 or Windows NT 4.0 installed on a hard disk of 10 GB or more, and the system still says there is no space when software is installed). Other causes: the partition is too small; a lot of large software has been installed; all software has been installed in one partition; the hard disk itself is small; or, on a LAN where the administrator has set a "private disk" quota for each user, the user sees the size of the whole network disk while the quota of the "private disk" is in fact used up.

6. Read/write activity is shown when no disk or other device is being accessed. Virus cause: virus infection. Other cause: a floppy disk was removed while a file on it was still open.

7. A large number of unknown files appear. Virus cause: the virus copies files. Other causes: temporary files generated during software installation, or the configuration information and operation records of some software.

8. Black screen at startup. Virus cause: virus infection (the case I remember best is 26 April 1998: CIH cost me several thousand yuan. That day, Windows crashed to a black screen the first time it started, and after the second boot nothing came up at all). Other causes: a faulty monitor, a faulty display card, a faulty motherboard, overclocking, a damaged CPU, and so on.

9. Data loss. Virus cause: the virus deletes files. Other causes: damaged hard disk sectors; the original file was overwritten by a restore; or, if the file is on the network, another user may have deleted it by mistake.

10. The keyboard or mouse locks up for no apparent reason. Virus cause: a virus, and in particular a "Trojan". Other causes: a damaged keyboard or mouse; a damaged keyboard or mouse port on the motherboard; a keyboard or mouse lock program is running; or the running program is too large and the system has been busy for a long time, so keyboard and mouse input goes unanswered.

11. The system runs slowly. Virus cause: the virus occupies memory and CPU resources and performs a large number of illegal operations in the background. Other causes: low hardware configuration; too many programs open; an incorrect system configuration; for programs run over the network, usually a low configuration on your own machine, but possibly a busy network where many users open one program at the same time; or insufficient hard disk space for the temporary data the program exchanges while running.

12. The system performs operations on its own. Virus cause: the virus performs illegal operations in the background. Other causes: you have set programs to run automatically in the registry or the Startup group, or software that has just been installed or upgraded needs to restart the system automatically.

The comparison above shows that most of these faults can be caused by human error, software or hardware as well as by viruses. When an exception appears, do not rush to a conclusion; when anti-virus software does not resolve it, analyse the fault's characteristics carefully and rule out software, hardware and human causes.

Knowledge about viruses (2)

To identify viruses reliably and scan and remove them promptly, we need a more detailed understanding of them, and the more detailed the better.

Viruses are written by a large number of scattered individuals and groups, and there is no single standard for measuring or categorising them, so they can be classified from several different perspectives.

For example, by the objects they infect, viruses can be divided into the following categories:

A. Boot Virus

These viruses target the boot sector of the disk so that they gain control at startup, before the system does, and can then control the whole machine. Because the boot sector is infected, the damage is relatively large and the system usually cannot start normally, but such viruses are also easy to remove: most anti-virus software, such as the KV300 and KILL series, can clean them.

B. File Virus

Early viruses of this kind generally infected executable files with extensions such as EXE and COM, so that the virus was activated whenever the executable ran. More recently, files with extensions such as DLL, OVL and SYS are also infected: these are usually a program's configuration and link files, so the virus is loaded along with the program whenever it runs. They are loaded either by inserting the whole virus code as one section or by splitting it across the blank bytes of the file; for example, the CIH virus splits itself into nine segments and embeds them in an executable in the PE structure. After infection the file's size does not increase, which is what makes it hard to spot.

C. Network Viruses

These viruses are a product of the rapid growth of networks in recent years. The infected objects are no longer limited to a single mode or a single executable file; infection is more comprehensive and better hidden. Some Internet viruses can now infect almost all office files, such as Word documents, Excel spreadsheets and e-mail. The attack methods have also changed, from the original deletion and modification of files to encrypting files and stealing useful user information (as hacker programs do), and the transmission path has taken a qualitative leap: no longer confined to disks, it now spreads through the more concealed network, such as e-mails and e-advertisements.

D. Compound viruses

These are called "compound viruses" because they have characteristics of both the boot and file types: they can infect the boot sector of the disk and also infect executable files. If the virus is not completely cleaned out, the remainder can restore itself and re-infect the boot sector and executable files, which makes this type extremely difficult to remove. The anti-virus software used must be able to kill both types at the same time.

Knowledge about viruses (3)

If we divide viruses by the degree of damage they cause, there are the following types:

A. benign viruses:

These are called benign viruses because they do not attack your system; their authors just want to have fun, and most are beginner virus enthusiasts testing their own programming skills. They do not intend to damage your system: they only play a sound or show some prompt, and apart from occupying some hard disk space and CPU time they do no other harm. The same applies to some Trojans and virus programs that only want to steal communication information from your computer, such as passwords and IP addresses, for use when needed.

B. Malignant Virus

We treat as "malignant viruses" those that only interfere with the software system, steal information or modify system information, without damaging hardware or losing data. Such a virus causes no loss beyond the system being unavailable; after the damage you only need to reinstall part of the system files to restore it, and of course the system should be reinstalled only after the virus has been removed.

C. Extremely malignant Virus

These viruses are more destructive than the B type above. Generally, if your system is infected, it crashes completely and cannot start properly; the virus deletes system files and applications, and you may be unable to recover the useful data kept on your hard disk.

D. Catastrophic viruses

The name says how much damage this type causes. It is generally designed to damage the boot sector of the disk and to modify the file allocation table and the hard disk partition table, so that the system cannot start at all; sometimes the hard disk is formatted or locked so that it cannot be used. If you are infected with this type, the system is difficult to recover and the data on the hard disk is difficult to retrieve, causing huge losses. We should therefore plan for the worst, and enterprise users in particular should keep full backups against a catastrophe. Fortunately, most large enterprises have recognised the significance of backup and spend a great deal on daily system and data backups; everyone knows that such disastrous consequences may not occur for years, yet they do not relax this "just in case". I work at Nestle and pay great attention to this issue. The CIH attack of 26 April, for example, can be classified here, because it not only damaged software but also directly damaged hardware such as the hard disk and the motherboard BIOS.

Knowledge about viruses (4)

Classified by the way the virus intrudes, there are the following types:

A. Source Code embedding attack type

As the name says, this type of virus invades the source program of a high-level language. The virus inserts its code into the source before it is compiled, so it is compiled into the executable together with the program and the generated file is already infected. Such files are very rare, because virus writers cannot easily obtain the source programs of software development companies, and this intrusion method is difficult and demands a very professional programming level.

B. Replacing attack type with code

This type of virus replaces all or some modules of the program it invades with its own code. It is also rare; it mainly attacks specific programs and is highly targeted, but it is not easy to detect and is difficult to remove.

C. System Modification type

These viruses use their own code to overwrite or modify some files in the system, so as to call or replace some functions of the operating system. Because they infect the system directly, they cause great harm; they are also the most common type, and most of them are file viruses.

D. Shell Additional Model

This type of virus usually attaches itself to the header or tail of a normal program, which is equivalent to adding a shell to the program. When the infected program runs, the virus code executes first and then transfers control to the normal program in memory. Most file viruses today belong to this category.

With this basic knowledge of viruses, we can now check whether your computer contains one, using the following methods.

1. Scanning of anti-virus software

This is probably the first choice for most of us, and I am afraid it is the only choice for many. There are more and more kinds of viruses, and their means of concealment grow ever more sophisticated, which brings new difficulties to detection and removal and new challenges to anti-virus software developers. At the same time, as programming languages become more capable and computer networks more popular, viruses become easier to write and spread, so there are more and more anti-virus software companies. Some well-known anti-virus products are Kingsoft Duba, KV300, KILL, PC-cillin, VRV, Rising and Norton. I need not describe how to use them here; I believe everyone is at that level!

2. Observation

This method gives accurate results only if you know the symptoms of a virus attack and the places where viruses commonly hide. For example, when booting from the hard disk often fails, or you see crashes, a long system boot time, slow operation, hard disk access failures, unusual sounds or prompts, the first thing to consider is that a virus is at work, but do not jump to that conclusion: remember the software and hardware fault symptoms described above! We can look for viruses in the following places:

A. Memory observation

This method is generally used for viruses found under DOS. The DOS command "MEM /C /P" shows the memory used by each program, and a virus's memory usage can be found there (usually not as a separate entry but attached to another program). Some viruses occupy memory more covertly and cannot be found with "MEM /C /P", but the total basic memory is then seen to be 1 KB or a few KB less than it should be.

B. Registry observation

This method generally applies to the recent so-called hacker programs, such as Trojans. These programs start or load automatically by modifying the startup and loading configuration in the registry, generally under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

C. System Configuration File observation

This method also applies to hacker programs. These programs typically hide in system.ini, win.ini (Win9x/WinMe) and the Startup group. system.ini contains a "shell=" entry, and win.ini contains "load=" and "run=" entries; such programs usually load themselves from these entries, and sometimes they modify an entry that originally pointed at a legitimate program. Run msconfig.exe in Win9x/WinMe to inspect these items one by one.
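As an added example (not from the original article), the following Python check covers both the registry and the INI observation methods above: it parses system.ini/win.ini text for the shell=, load= and run= entries and flags anything other than the clean Win9x/Me defaults, and on Windows it enumerates the Run subkey beneath the registry path quoted above. The sample INI text is constructed for the demonstration, and the choice of the Run subkey is my assumption.

```python
import sys
from typing import Dict, List, Tuple

# Constructed samples of the system.ini [boot] and win.ini [windows] sections
# as a Win9x/Me machine might carry them; the run= line is made up to show
# what a flagged entry looks like.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n; comment\n[386Enh]\ndevice=*vmm32\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\TEMP\\upd.exe\n[fonts]\n"

# Clean Win9x/Me defaults: shell is Explorer.exe and load=/run= are empty.
EXPECTED = {("boot", "shell"): "explorer.exe", ("windows", "load"): "", ("windows", "run"): ""}
# Assumed autostart subkey beneath the CurrentVersion key named in the text.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def parse_autostart(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(section, key): value} for the shell=/load=/run= entries only."""
    section, found = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if (section, key.lower()) in EXPECTED:
                found[(section, key.lower())] = value
    return found


def check_ini(text: str) -> List[str]:
    """List entries that differ from the clean defaults, as 'section:key=value'."""
    return [f"{sec}:{key}={val}" for (sec, key), val in parse_autostart(text).items()
            if val.lower() != EXPECTED[(sec, key)]]


def list_run_key(hive_name: str = "HKCU") -> List[Tuple[str, str]]:
    """Enumerate the Run key of HKCU or HKLM (Windows only; returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    entries = []
    with winreg.OpenKey(hive, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)   # OSError once past the last value
            except OSError:
                return entries
            entries.append((name, str(data)))
            i += 1


if __name__ == "__main__":
    print(check_ini(SAMPLE_SYSTEM_INI), check_ini(SAMPLE_WIN_INI))
    for name, cmd in list_run_key():
        print(f"Run\\{name} = {cmd}")
```

Anything check_ini returns, or any Run value you do not recognise, is a candidate for the msconfig inspection the text describes, not proof of infection.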

D. Feature string observation

Open the suspect file in a hexadecimal editor and search for the virus's characteristic byte string. Back up the file before editing it, since it is usually a core system file.

E. Hard Disk Space Observation

Some viruses do not damage your system files but only generate a hidden file. The file has very little content of its own but occupies a large amount of disk space, so that sometimes your hard disk cannot run an ordinary program and you cannot find out why. In this case open Explorer and set its view options to show files of all attributes (I need not explain that step, do I?); the giant object should then be visible, because the virus generally gives it the hidden attribute. I have seen several cases like this during network and personal computer maintenance: only a few common programs are installed, so why are several GB of drive C unaccounted for? The method above quickly reveals the virus file.
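An added example (not part of the article): a Python scan that walks a directory tree and lists hidden files above a size threshold, largest first, so the space hog described above shows up without clicking through Explorer's view options. It treats both the Windows hidden attribute and a leading dot as hidden; the demo tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import List, Tuple

HIDDEN_ATTR = stat.FILE_ATTRIBUTE_HIDDEN  # defined on every platform since Python 3.5


def is_hidden(path: str) -> bool:
    """Hidden by the Windows attribute, or by a leading dot (the Unix convention)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & HIDDEN_ATTR) or os.path.basename(path).startswith(".")


def find_large_hidden(root: str, min_bytes: int) -> List[Tuple[str, int]]:
    """Return (relative path, size) for hidden files of at least min_bytes,
    largest first, so a single space-eating file stands out immediately."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable or already gone: skip it rather than abort the scan
            if size >= min_bytes and is_hidden(full):
                hits.append((os.path.relpath(full, root), size))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def make_demo_tree() -> str:
    """Constructed sample tree: a visible program file, a tiny dotfile and an
    8 MiB hidden file standing in for the invisible space hog in the text."""
    root = tempfile.mkdtemp(prefix="hidden-demo-")
    app_dir = os.path.join(root, "Program Files", "App")
    os.makedirs(app_dir)
    with open(os.path.join(app_dir, "app.exe"), "wb") as f:
        f.write(b"\0" * 4096)
    with open(os.path.join(root, ".config"), "wb") as f:
        f.write(b"\0" * 64)
    with open(os.path.join(root, "Program Files", ".cache.bin"), "wb") as f:
        f.truncate(8 * 1024 * 1024)  # sparse where supported; reported size is still 8 MiB
    return root


if __name__ == "__main__":
    for rel, size in find_large_hidden(make_demo_tree(), 1024 * 1024):
        print(f"{size:>12,d}  {rel}")
```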
