What happens when an infected program starts working. Computer viruses. What is a computer virus
A computer virus is a small program written specifically to infect other programs (i.e., to attach itself to them) and to perform unwanted actions of various kinds on the computer. An infected program is a program that carries a virus inside it. When such a program starts, the virus takes control first. Computer viruses find and infect other programs, and also perform all sorts of harmful actions (for example, they corrupt the file allocation table of the hard drive or the files themselves, clog up RAM, etc.).
For the sake of concealment, the virus does not always infect other programs or do damage right away; it may begin its work only when certain actions are performed on the computer. After performing the manipulations it needs, the virus transfers control to the program in which it resides, and that program continues to work as usual. Outwardly, then, the work of an infected program shows nothing unusual and looks just like that of an uninfected one.
Many types of viruses are designed so that, when an infected program is launched, the virus remains resident in the computer’s memory (until the operating system is restarted) and, whenever possible, infects the programs that are run or performs malicious actions on the computer.
All the actions of the virus are performed quickly and without any preliminary messages, so the user may not notice that anything unusual is happening on the computer. While only a small number of programs are infected, the presence of the virus can be almost invisible. But after a while something strange starts happening on the computer, for example:
- some programs start to work incorrectly or stop working altogether;
- foreign characters, messages, etc. appear on the screen;
- the computer slows down significantly;
- some files turn out to be corrupted, etc.
As a rule, by this time most of the programs you use are infected with the virus, and some disks and files are corrupted. In addition, infected programs may already have been transferred from your computer to other computers over the network or on external media.
Some computer viruses and their variants are even more insidious. They quietly infect a large number of programs at once, and then cause quite serious damage, for example by formatting the entire hard drive of the computer. And there are computer viruses that try to behave as unobtrusively as possible, but little by little corrupt the data stored on the computer’s hard drive.
From all of the above it follows that if you do not take measures to protect against viruses, the consequences of an infection can be very serious. For example, in 1989 the American student Morris wrote a virus that infected and disabled thousands of computers, including those belonging to the US Department of Defense. The court fined the author of the virus $270,000 and sentenced him to three months in prison. The punishment could have been more severe, but the court took into account that the virus only multiplied and did not have time to corrupt data.
A virus program is small in size and therefore hard to notice. Some authors create such programs out of mischief, others in order to harm someone or to gain access to information or computer resources. In any case, a virus, once created, can spread to all computers compatible with the one it was written for and cause very great destruction.
It should be noted that writing a virus is not such a difficult task, and it is quite within reach of a student studying programming. Therefore, more and more new computer viruses appear on the Internet every day.
Computer viruses
Computer virus - concept and classification.
A computer virus is a specially written, small program (i.e., a certain set of executable code) that can attach itself to other programs (“infect” them), create copies of itself and inject them into files, system areas of the computer, etc., and also perform various unwanted actions on the computer.
A program containing a virus is called “infected”. When such a program starts working, the virus first takes control. The virus finds and “infects” other programs, and also performs some harmful actions (for example, it corrupts files or the file allocation table on the disk, “clogs” RAM, etc.). To disguise a virus, actions to infect other programs and cause harm may not always be carried out, but, say, when certain conditions are met.
For example, the Anti-MIT virus destroys all information on the hard drive every year on December 1; the Tea Time virus prevents you from entering information from the keyboard from 15:10 to 15:13; and the famous One Half, which has been “walking” around our city throughout the past year, quietly encrypts data on your hard drive. In 1989, an American student managed to create a virus that disabled about 6,000 computers of the US Department of Defense. The epidemic of the famous Dir-II virus broke out in 1991. The virus used a truly original, fundamentally new technology and at first managed to spread widely because of the imperfection of traditional antivirus tools. Christopher Pyne succeeded in creating the Pathogen and Queeq viruses, as well as the Smeg virus. The last one was the most dangerous: it could be superimposed on the first two viruses, and because of this they changed their configuration after each run of the program, so it was impossible to destroy them. To spread the viruses, Pyne copied computer games and programs, infected them, and then sent them back onto the network. Users downloaded the infected programs onto their computers and infected their disks. The situation was aggravated by the fact that Pyne managed to introduce viruses into the program that fights them: by launching it, instead of destroying viruses, users received another one. As a result, the files of many companies were destroyed, causing losses amounting to millions of pounds.
The American programmer Morris became widely known. He is known as the creator of the virus, which in November 1988 infected about 7 thousand personal computers connected to the Internet.
The first studies of self-replicating artificial structures were carried out in the middle of this century. The term “computer virus” appeared later; its author is officially considered to be F. Cohen, an employee of Lehigh University (USA), who introduced it in 1984 at the seventh conference on information security.
Experts believe that today the number of existing viruses has exceeded 20 thousand, with 6 to 9 new ones appearing every day. There are currently about 260 “wild”, that is, actually circulating viruses.
One of the most authoritative “virologists” in the country, Evgeny Kaspersky, proposes to classify viruses conditionally according to the following criteria:
- by the habitat of the virus
- by the method of infecting the habitat
- by destructive capabilities
- by the peculiarities of the virus algorithm.
A more detailed classification within these groups can be presented roughly as follows:

Habitat:
- network: spread over a computer network
- file: injected into executable files
- boot: embedded in the boot sector of the disk (boot sector)

Method of infection:
- resident: stay in memory and are active until the computer is turned off
- non-resident: do not infect memory and are active only for a limited time

Destructive capabilities:
- harmless: practically do not affect operation; reduce free disk space as a result of their spread
- non-hazardous: reduce free memory and create sound, graphic and other effects
- dangerous: can lead to serious malfunctions
- very dangerous: may result in loss of programs or system data

Peculiarities of the virus algorithm:
- “satellite” viruses: do not change files; instead, for EXE files they create satellite files with the extension COM
- worm viruses: spread across the network, sending out copies of themselves after calculating network addresses
- “student” viruses: primitive, contain a large number of errors
- stealth viruses (invisible): intercept DOS calls to infected files or sectors and substitute uninfected areas in their place
- ghost viruses: have no single permanent piece of code and are difficult to detect; the main body of the virus is encrypted
- macro viruses: written not in machine code but in WordBasic; live in Word documents and copy themselves into Normal.dot
The main ways viruses enter a computer are removable disks (floppy and laser), as well as computer networks. A hard drive can become infected with viruses when loading a program from a floppy disk that contains a virus. Such an infection can also be accidental, for example, if the floppy disk was not removed from drive A and the computer was rebooted, and the floppy disk may not be a system one. It is much easier to infect a floppy disk. A virus can get onto it even if the floppy disk is simply inserted into the disk drive of an infected computer and, for example, its table of contents is read.
How the virus works.
Let's look at the operation of a very simple boot virus that infects floppy disks.
What happens when you turn on your computer? First, control is transferred to the bootstrap program (PNZ), which is stored in read-only memory (ROM), i.e. the PNZ in ROM.
This program tests the hardware and, if the tests are successful, tries to find a floppy disk in drive A:.
Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but that is not significant for us.
Among the sectors there are several service sectors used by the operating system for its own needs (these sectors cannot contain your data). Of the service sectors, we are currently interested in one, the so-called boot sector.
The boot sector stores information about the floppy disk: the number of surfaces, the number of tracks, the number of sectors, etc. But what interests us now is not this information, but the small bootstrap program (PNZ) stored there, which must load the operating system itself and transfer control to it.
So the normal bootstrap scheme is as follows:
PNZ (ROM) - PNZ (disk) - SYSTEM
Now let's look at the virus. Boot viruses consist of two parts, the so-called head and tail. The tail, generally speaking, may be empty.
Suppose you have a clean floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive (in our case, a floppy disk that is not write-protected and has not yet been infected), it begins to infect it. When infecting a floppy disk, the virus performs the following actions:
- allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and most traditional case the sectors occupied by the virus are marked as bad;
- copies its tail and the original (healthy) boot sector to the selected area of the disk;
- replaces the boot program in the (real) boot sector with its head;
- organizes the chain of control transfer according to the scheme.
Thus, in the chain PNZ (ROM) - PNZ (disk) - SYSTEM a new link appears:
PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM
We examined the functioning scheme of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks, but also the boot sectors of hard drives. Moreover, unlike floppy disks, the hard drive has two types of boot sectors containing boot programs that receive control. When the computer boots from the hard drive, the boot program in the MBR (Master Boot Record) takes control first. If your hard drive is divided into several partitions, then only one of them is marked as boot. The boot program in the MBR finds the boot partition of the hard drive and transfers control to the boot program of this partition. The code of the latter coincides with the code of the boot program contained on ordinary floppy disks, and the corresponding boot sectors differ only in the parameter tables. Thus, on the hard drive there are two objects of attack by boot viruses - the boot program in the MBR and the boot program in the boot sector of the boot disk.
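The scheme above tells a disk auditor what to look for on a floppy: the boot-code region of the boot sector changing while the geometry fields stay the same, and clusters newly marked as bad in the FAT. The following Python script is an added example, not code from the page or from any of the products it names. It builds a constructed FAT12 floppy boot sector and FAT, records a baseline hash of the boot code while the disk is known clean, and then reports the differences on a constructed tampered copy. The offsets follow the standard FAT12 boot-sector layout; the sample data, the function names and the choice of SHA-256 are my own.

```python
"""Boot-sector integrity check for a FAT12 floppy image (added example).

A disk auditor records a baseline of the boot sector while the disk is
known to be clean and re-checks it later. All data here is constructed;
the offsets follow the standard FAT12 boot-sector layout.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHH"   # classic DOS BIOS Parameter Block, 17 bytes at offset 11
BOOT_CODE_OFFSET = 0x3E      # boot code starts right after the FAT12 extended BPB
SIGNATURE_OFFSET = 0x1FE     # 0x55AA marks a valid boot sector
FAT12_BAD_CLUSTER = 0xFF7
SECTORS_PER_FAT = 9
DATA_CLUSTERS = 2847         # usable clusters on a 1.44 MB floppy (2880 - 33 system sectors)


def build_clean_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector with placeholder boot code."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x3C\x90"                     # JMP SHORT to the boot code; NOP
    s[3:11] = b"MSWIN4.1"                        # OEM name
    # bytes/sector, sectors/cluster, reserved sectors, FAT copies, root entries,
    # total sectors, media descriptor, sectors/FAT, sectors/track, heads
    s[11:28] = struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, SECTORS_PER_FAT, 18, 2)
    s[0x26] = 0x29                               # extended boot signature
    s[0x2B:0x36] = b"NO NAME    "                # volume label
    s[0x36:0x3E] = b"FAT12   "                   # file-system type string
    # placeholder bootstrap code: cli; hlt; jmp $-1 (constructed, does nothing useful)
    s[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + 4] = b"\xFA\xF4\xEB\xFD"
    s[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(s)


def build_clean_fat() -> bytearray:
    """Constructed empty FAT12 table: media byte in entry 0, end-of-chain in entry 1."""
    fat = bytearray(SECTORS_PER_FAT * SECTOR_SIZE)
    fat[0:3] = b"\xF0\xFF\xFF"
    return fat


def fat12_entry(fat: bytes, n: int) -> int:
    """Decode 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n * 3 // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair & 0x0FFF if n % 2 == 0 else pair >> 4


def set_fat12_entry(fat: bytearray, n: int, value: int) -> None:
    """Encode a 12-bit value into FAT entry n (used only to build sample data)."""
    off = n * 3 // 2
    if n % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4


def fat12_bad_clusters(fat: bytes) -> list:
    """Clusters the FAT marks as bad; a boot virus may hide its tail in such sectors."""
    return [n for n in range(2, DATA_CLUSTERS + 2) if fat12_entry(fat, n) == FAT12_BAD_CLUSTER]


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the region a boot virus replaces with its head."""
    return hashlib.sha256(sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET]).hexdigest()


def parse_bpb(sector: bytes) -> dict:
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fat_copies",
             "root_entries", "total_sectors", "media", "sectors_per_fat",
             "sectors_per_track", "heads")
    return dict(zip(names, struct.unpack(BPB_FORMAT, sector[11:28])))


def audit_boot_sector(sector: bytes, fat: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the disk matches its baseline."""
    findings = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] != SECTOR_SIZE or bpb["total_sectors"] == 0:
        findings.append("BPB geometry is implausible: %r" % bpb)
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from the recorded baseline")
    bad = fat12_bad_clusters(fat)
    if bad:   # a real auditor would compare against the bad-cluster list in its baseline
        findings.append("%d clusters marked bad: %s" % (len(bad), bad[:8]))
    return findings


def build_tampered_sample() -> tuple:
    """Constructed 'after' state: boot code region overwritten, three clusters marked bad.

    This only imitates the on-disk traces the text describes; it contains no virus code.
    """
    sector = bytearray(build_clean_boot_sector())
    sector[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + 16] = b"\x90" * 16   # different placeholder bytes
    fat = build_clean_fat()
    for n in (2800, 2801, 2802):
        set_fat12_entry(fat, n, FAT12_BAD_CLUSTER)
    return bytes(sector), fat


if __name__ == "__main__":
    clean, fat = build_clean_boot_sector(), build_clean_fat()
    baseline = boot_code_hash(clean)            # recorded while the disk is known clean
    print("clean disk:", audit_boot_sector(clean, fat, baseline) or "no findings")
    tampered_sector, tampered_fat = build_tampered_sample()
    for finding in audit_boot_sector(tampered_sector, tampered_fat, baseline):
        print("tampered disk:", finding)
```

Hashing only the boot-code region (offset 0x3E up to the signature) rather than the whole sector keeps the baseline stable across legitimate volume-label changes; the BPB fields are checked separately for plausibility. On a hard drive the same comparison applies twice, once to the MBR code and once to the boot sector of the active partition, as the text above notes.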
Signs of the virus.
When your computer is infected with a virus, it is important to detect it. To do this, you should know the main signs of viruses. These include the following:
- cessation of operation or incorrect operation of previously successfully functioning programs
- slow computer performance
- inability to load the operating system
- disappearance of files and directories or corruption of their contents
- changes in the date and time of file modification
- changes in file sizes
- an unexpected significant increase in the number of files on the disk
- a significant reduction in the size of free RAM
- display of unexpected messages or images on the screen
- unexpected sound signals
- frequent freezes and crashes of the computer
Protection methods. Antiviruses.
Whatever the virus, the user needs to know the basic methods of protecting against computer viruses.
To protect against viruses you can use:
- general information protection tools, which are also useful as insurance against physical damage to disks, malfunctioning programs or erroneous user actions;
- preventive measures to reduce the likelihood of contracting a virus;
- specialized programs for virus protection.
General information protection tools are useful for more than just virus protection. There are two main types of such tools:
- copying information: creating copies of files and of the system areas of disks;
- access control: preventing unauthorized use of information, in particular protecting programs and data against changes by viruses, malfunctioning programs and erroneous user actions.
To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:
- detector programs
- doctor programs, or phages
- auditor programs
- filter programs
- vaccine, or immunizer, programs
Doctor programs or phages, and vaccine programs, not only find files infected with viruses but also “treat” them, i.e. remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages search for viruses in RAM and destroy them, and only then proceed to “cleaning” files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous of them: Aidstest, Scan, Norton AntiVirus, Doctor Web.
Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.
Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically, or at the user’s request, compare the current state with the original one. Detected changes are displayed on the monitor screen. As a rule, the comparison of states is carried out immediately after loading the operating system. When comparing, the file length, cyclic control code (file checksum), date and time of modification, and other parameters are checked. Auditor programs have fairly developed algorithms, detect stealth viruses and can even distinguish changes in the version of the program being checked from changes made by the virus. Among the auditor programs is Adinf, which is widely used in Russia.
Filter programs, or “watchmen”, are small resident programs designed to detect suspicious actions, characteristic of viruses, during computer operation. Such actions may be:
- attempts to modify files with the COM or EXE extension
- changing file attributes
- direct writing to the disk at an absolute address
- writing to the boot sectors of the disk
Vaccines, or immunizers, are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that “treat” a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that its operation is not affected, but the virus perceives it as already infected and therefore does not take root. At present, vaccine programs have limited use.
Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.
In order to avoid exposing your computer to viruses and to ensure reliable storage of information on disks, you must follow these rules:
- equip your computer with modern antivirus programs, such as Aidstest and Doctor Web, and constantly update their versions
- before reading information recorded on other computers from floppy disks, always check these floppy disks for viruses by running your computer's anti-virus programs
- when transferring files in archived form to your computer, scan them immediately after unpacking them on your hard drive, limiting the scan area to the newly written files only
- periodically check your computer's hard drives for viruses by running anti-virus programs from a write-protected floppy disk to test files, memory and the system areas of disks, after loading the operating system from a write-protected system floppy disk
- always write-protect your floppy disks when working on other computers unless information will be written to them
- be sure to make backup copies on floppy disks of information that is valuable to you
- do not leave floppy disks in the slot of drive A when turning on or restarting the operating system, to prevent your computer from becoming infected with boot viruses
- use anti-virus programs for input control of all executable files received from computer networks
- to ensure greater security, combine Aidstest and Doctor Web with the daily use of the Adinf disk auditor
Antivirus program AntiViral Toolkit Pro.
The AVP antivirus program was developed by the leading Russian company Kaspersky Lab. The program has entered the global market and is quite actively sold in many countries.
When launched, AVP loads the anti-virus databases, tests RAM for the presence of resident viruses, and checks itself for virus infection. After a successful load, a message appears in the status bar: “Last update: <date>, <quantity> viruses”, where <date> is the date of the last update and <quantity> is the number of known viruses (data about viruses is stored in files with the extension .AVC).
The main program window contains four menu items:
- File
- Virus scan
- Service
- Region
and four tabs:
- Objects
- Actions
- Settings
- Statistics
The “Objects” tab specifies the list of objects to be scanned and the types of files that will be tested.
On the Objects tab you can select the following checkboxes:
- Memory: enable the system memory scanning procedure (including the High Memory Area)
- Sectors: include a check of the system sectors in the scanning procedure
- Files: include file checking in the scanning procedure (including files with the Hidden, System and ReadOnly attributes)
- Packed objects: enable the Unpack Engine, which unpacks files for testing
The “File type” group contains four switches:
- Programs by format: scan programs (.com, .exe, .vxd and .dll files and Microsoft Office formats). Thus, when scanning by format, all files that may contain virus code are checked.
- Programs by extension: scan all files with the extensions *.BAT, *.COM, *.EXE, *.OV*, *.SYS, *.BIN, *.PRG.
- All files: scan all files.
- By mask: scan using a mask specified by the user in the input line.
Tab "Actions" allows you to set actions in case infected or suspicious objects are detected during testing.
The tab contains four buttons and two checkboxes.
At your request, the program will either only inform you about detected viruses, treat the infected object after opening it, or treat it automatically. Suspicious objects can be copied either to a folder you specify or to the program’s working folder.
Tab "Settings" allows you to configure the program for different modes.
Warnings - Enables an additional checking mechanism.
Code analyzer - includes a mechanism capable of detecting as yet unknown viruses in the objects being examined.
Redundant scanning - enables a mechanism to completely scan the contents of a file. It is recommended to enable this mode when a virus is not detected, but strange phenomena are observed in the computer’s operation - slowdowns, frequent spontaneous reboots, etc. In other cases, using this mode is not recommended, as there is a possibility of false positives when scanning clean files.
The settings allow the user to show the name of the object being scanned in the “Object” column during scanning; in the “Result” window, an “ok” message will appear opposite the object name if the object is clean. You can also set a sound signal to sound when a virus is detected, which is very useful in practice, since the scanning process is quite long and monotonous. You can also monitor the scanning sequence (checkbox Report tracking) or write a report file, specifying the name of the resulting file (checkbox File report). By checking this checkbox, the user gains access to two auxiliary checkboxes:
- Add: the new report is appended strictly to the end of the old one
- Size limitation: limit the size of the report file at the user's request (by default, 500 kilobytes)
After the specified objects have been checked, the “Statistics” tab is activated automatically. This tab contains the results of the program's work. It is divided into two parts, containing information about the number of scanned objects, files and folders and the number of viruses, warnings, corrupted objects, etc. found.
The AVP signature database is one of the largest - the latest version of the program contains more than 25,000 viruses. It should be noted that working with the program does not cause difficulties even for an inexperienced user, and you can easily get a new version from the Internet.
Characteristics of computer viruses
The essence and manifestation of computer viruses
The widespread use of personal computers has, unfortunately, turned out to be associated with the emergence of self-replicating virus programs that interfere with the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer. Once a computer virus penetrates one computer, it can spread to other computers.

A computer virus is a specially written program that is capable of spontaneously attaching itself to other programs, creating copies of itself and introducing them into files, system areas of the computer and computer networks in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference with work on the computer.

The reasons for the appearance and spread of computer viruses lie, on the one hand, in the psychology of the human personality and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to use one’s abilities constructively) and, on the other hand, in the lack of hardware protection and counteraction from the operating system of a personal computer. Despite the laws adopted in many countries to combat computer crime and the development of special software tools to protect against viruses, the number of new software viruses is constantly growing. This requires the user of a personal computer to have knowledge about the nature of viruses, the ways of infection by viruses and protection against them.

The main routes for viruses to enter a computer are removable disks (floppy and laser), as well as computer networks. A hard drive can become infected with viruses when the computer is booted from a floppy disk that contains a virus. Such an infection can also be accidental, for example, if the floppy disk was not removed from drive A: and the computer was rebooted, while the floppy disk need not even be a system disk. It is much easier to infect a floppy disk.
A virus can get onto it even if the floppy disk is simply inserted into the disk drive of an infected computer and, for example, its table of contents is read. An infected disk is a disk in whose boot sector there is a virus program. After running a program containing a virus, it becomes possible to infect other files. Most often, the boot sector of the disk and executable files with the extensions .EXE, .COM, .SYS or .BAT are infected with a virus. It is extremely rare for text and graphic files to become infected. An infected program is a program that contains a virus program embedded in it.

When a computer is infected with a virus, it is very important to detect it in a timely manner. To do this, you should know the main signs of viruses. These include the following:
- cessation of operation or incorrect operation of previously successfully functioning programs;
- slow computer performance;
- inability to load the operating system;
- disappearance of files and directories or corruption of their contents;
- changing the date and time of file modification;
- resizing files;
- unexpected significant increase in the number of files on the disk;
- a significant reduction in the size of free RAM;
- displaying unexpected messages or images on the screen;
- giving unexpected sound signals;
- Frequent freezes and crashes in the computer.
- non-hazardous: do not interfere with the operation of the computer, but reduce the amount of free RAM and disk memory; the actions of such viruses are manifested in some graphic or sound effects;
- dangerous: viruses that can lead to various problems with your computer;
- very dangerous: viruses whose impact can lead to loss of programs, destruction of data, and erasure of information in the system areas of the disk.
VIRUS DETECTION AND PROTECTION PROGRAMS
Characteristics of antivirus programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of anti-virus programs (Fig. 11.11):

Fig. 11.11. Types of antivirus programs

Detector programs search RAM and files for a sequence of bytes (a virus signature) characteristic of a particular virus and, when it is found, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

Doctor programs or phages, and vaccine programs, not only find files infected with viruses but also “treat” them, i.e. remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages search for viruses in RAM and destroy them, and only then proceed to “cleaning” files. Among the phages there are polyphages, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous polyphages are the programs Aidstest, Scan, Norton AntiVirus and Doctor Web. Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular updates of their versions are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically, or at the user’s request, compare the current state with the original one. Detected changes are displayed on the video monitor screen. As a rule, the comparison of states is carried out immediately after loading the operating system. When comparing, the file length, cyclic control code (file checksum), date and time of modification, and other parameters are checked.
Auditor programs have fairly developed algorithms, detect stealth viruses and can even distinguish changes in the version of the program being checked from changes made by the virus. Among the auditor programs is the Adinf program from Dialog-Science, which is widely used in Russia.

Filter programs, or “watchmen”, are small resident programs designed to detect suspicious actions, characteristic of viruses, during computer operation. Such actions may be:
- attempts to correct files with COM and EXE extensions;
- changing file attributes;
- direct writing to disk at absolute address;
- writing to boot sectors of the disk.
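The four suspicious actions just listed (here and in the earlier “Filter programs” section) are the rules a resident watchman applies to every request it intercepts. A real filter hooks DOS interrupts, which Python cannot show portably, so the following added example (not code from the page or from any product it names) simulates one over a constructed event trace: each line is parsed, matched against the four rules, and a process that both rewrites executables and writes raw sectors, or touches the boot sector at all, is escalated. The trace format, process ids, paths and rule names are invented for the example.

```python
"""Behaviour filter ("watchman") simulated over an event trace (added example).

A real filter is a resident program hooking DOS interrupts; this version
replays a constructed trace of file and disk requests and applies the
four rules the page lists. The trace format is invented for the example.
"""
from collections import defaultdict

# Constructed sample trace: "<pid> <operation> <target> [key=value ...]"
SAMPLE_TRACE = """\
12 OPEN C:\\DOCS\\LETTER.TXT mode=r
12 WRITE C:\\DOCS\\LETTER.TXT bytes=2048
17 OPEN C:\\DOS\\COMMAND.COM mode=rw
17 SETATTR C:\\DOS\\COMMAND.COM attrs=-R
17 WRITE C:\\DOS\\COMMAND.COM bytes=1624
17 SETATTR C:\\DOS\\COMMAND.COM attrs=+R
17 RAWWRITE A: head=0 cyl=0 sector=1
17 RAWWRITE A: head=1 cyl=79 sector=17
23 WRITE C:\\GAMES\\SAVE.DAT bytes=512
"""

EXECUTABLE_EXTENSIONS = (".COM", ".EXE")


def parse_event(line: str) -> dict:
    """Split one trace line into pid, operation, target and key=value parameters."""
    pid, op, target, *rest = line.split()
    return {"pid": int(pid), "op": op, "target": target,
            "params": dict(kv.split("=", 1) for kv in rest)}


def classify(event: dict):
    """Return (rule, severity) for a suspicious request, or None for a harmless one."""
    op, target, p = event["op"], event["target"], event["params"]
    if op == "WRITE" and target.upper().endswith(EXECUTABLE_EXTENSIONS):
        return "modify-executable", "medium"
    if op == "SETATTR":
        return "attribute-change", "low"          # often a prelude to writing a read-only file
    if op == "RAWWRITE":
        if (p.get("head"), p.get("cyl"), p.get("sector")) == ("0", "0", "1"):
            return "boot-sector-write", "high"     # CHS 0/0/1 is the boot sector
        return "absolute-disk-write", "medium"     # bypasses the file system entirely
    return None


def run_filter(trace: str) -> tuple:
    """Alerts per event plus the ids of processes whose pattern looks like an infector."""
    alerts = []
    rules_by_pid = defaultdict(set)
    for line in trace.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event)
        if verdict is None:
            continue
        rule, severity = verdict
        alerts.append({"pid": event["pid"], "rule": rule, "severity": severity,
                       "target": event["target"]})
        rules_by_pid[event["pid"]].add(rule)
    # A single process that both rewrites executables and writes raw sectors, or
    # touches the boot sector at all, is escalated for the user to allow or deny.
    escalated = sorted(pid for pid, rules in rules_by_pid.items()
                       if "boot-sector-write" in rules
                       or {"modify-executable", "absolute-disk-write"} <= rules)
    return alerts, escalated


if __name__ == "__main__":
    alerts, escalated = run_filter(SAMPLE_TRACE)
    for a in alerts:
        print("pid %(pid)d %(severity)-6s %(rule)-20s %(target)s" % a)
    print("escalated processes:", escalated)
```

Per-event rules alone produce noise (installers and compilers legitimately write EXE files), which is why the per-process combination step matters: in the sample trace, process 12 and 23 generate nothing, while process 17 trips all four rules and is the only one escalated.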
- in full-screen interface mode using menus and dialog boxes;
- in command line control mode.
- information about boot sectors;
- information about failed clusters;
- length and checksums of files;
- date and time the files were created.
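The auditor approach described in the “Auditor programs” passages above, together with the list just given of what the auditor stores (file lengths and checksums, creation dates, boot sector information), amounts to baseline-and-compare. The script below is an added example, not the page's code and not Adinf's: it snapshots a temporary directory of constructed files, stores the baseline as JSON, and then reports added, removed, changed and merely re-dated files. The first tamper case appends bytes and restores the original modification time, and the second overwrites a file with the same number of bytes, which is why the comparison relies on the checksum rather than on the date or the length alone. File names, contents and the SHA-256 field are my own choices.

```python
"""Disk/file auditor: baseline-and-compare integrity check (added example).

Records length, CRC32 ("cyclic control code"), SHA-256 and modification
time for every file under a directory, stores the baseline as JSON, and
later reports what changed. All files here are constructed in a temp dir.
"""
import hashlib
import json
import os
import tempfile
import zlib


def fingerprint(path: str) -> dict:
    """The parameters an auditor records for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {
        "size": st.st_size,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),  # CRC32 alone is easy to collide deliberately
        "mtime": int(st.st_mtime),
    }


def snapshot(root: str) -> dict:
    """Fingerprint every file under root, keyed by relative path."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = fingerprint(full)
    return result


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path: added, removed, changed (content), or touched (date only)."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": [],
        "touched": [],
    }
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if (old["size"], old["crc32"], old["sha256"]) != (new["size"], new["crc32"], new["sha256"]):
            report["changed"].append(rel)      # content differs, whatever the timestamp says
        elif old["mtime"] != new["mtime"]:
            report["touched"].append(rel)      # same bytes, different date: worth a look, not an alarm
    return report


def _write(root: str, rel: str, data: bytes) -> str:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper, re-audit."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        prog = _write(root, "PROG.EXE", b"MZ" + b"\x00" * 100)
        cmd = _write(root, "DOS/COMMAND.COM", b"MZ" + b"\x01" * 64)
        auto = _write(root, "AUTOEXEC.BAT", b"@ECHO OFF\r\n")
        _write(root, "README.TXT", b"clean state\r\n")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_file)       # taken while the disk is known clean

        # 1. bytes appended to PROG.EXE, then the original date restored (a common disguise)
        original_mtime = os.stat(prog).st_mtime
        with open(prog, "ab") as fh:
            fh.write(b"\xCC" * 16)
        os.utime(prog, (original_mtime, original_mtime))
        # 2. same-length overwrite of COMMAND.COM: size unchanged, checksum differs
        with open(cmd, "wb") as fh:
            fh.write(b"MZ" + b"\x02" * 64)
        # 3. AUTOEXEC.BAT re-dated without changing its content
        os.utime(auto, (original_mtime + 3600, original_mtime + 3600))
        # 4. one file added, one removed
        _write(root, "NEW.COM", b"\xC3")
        os.remove(os.path.join(root, "README.TXT"))

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

The baseline is written to a separate location rather than into the audited tree, since a baseline stored on the same disk is itself a file a virus could rewrite; keeping it on a write-protected floppy, as the rules below recommend for the antivirus programs themselves, closes that gap.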
- equip your computer with up-to-date antivirus software, such as Aidstest or Doctor Web, and constantly update their versions;
- Before reading information recorded on other computers from floppy disks, always check these floppy disks for viruses by running anti-virus programs on your computer;
- when transferring files in archived form to your computer, check them immediately after unzipping them on your hard drive, limiting the scan area to only newly recorded files;
- periodically check your computer's hard drives for viruses by running anti-virus programs to test files, memory and system areas of disks from a write-protected floppy disk, after loading the operating system also from a write-protected system floppy disk;
- Always protect your floppy disks from writing when working on other computers if information will not be recorded on them;
- be sure to make backup copies on floppy disks of information that is valuable to you;
- do not leave floppy disks in the pocket of drive A: when turning on or rebooting the operating system to prevent the computer from becoming infected with boot viruses;
- use anti-virus programs for input control of all executable files received from computer networks;
- to ensure greater security, combine the use of Aidstest and Doctor Web with the everyday use of the ADinf disk auditor.