What happens when an infected program starts working. Computer viruses. What is a computer virus

A computer virus is a small program written specifically to infect other programs (i.e., to attach itself to them) and to perform various unwanted actions on the computer. An infected program is a program that carries a virus inside it. When such a program starts, the virus takes control first. Computer viruses find and infect other programs and may also perform all sorts of harmful actions (for example, corrupting the file table of the hard drive or the files themselves, or clogging up RAM).

For the sake of disguise, the virus does not always infect other programs or cause harm straight away; it may begin its work only when certain actions are performed on the computer. After performing the necessary manipulations, the virus transfers control to the program in which it resides, and that program continues to work as usual. Outwardly, therefore, the work of the infected program does not betray itself in any way, and the program looks uninfected.

Many types of viruses are designed so that, when an infected program is launched, the virus remains resident in the computer’s memory (until the operating system is restarted) and, whenever possible, infects programs that are launched or performs malicious actions on the computer.

All the actions of the virus are performed quickly and without any preliminary messages, so the user may not notice that anything unusual is happening on the computer. While only a small number of programs are infected, the presence of the virus can be almost invisible. After a while, however, strange things start to happen on the computer, for example:

  • some programs start to work incorrectly or stop working altogether;
  • foreign characters, messages, etc. appear on the screen;
  • the computer slows down significantly;
  • some files turn out to be corrupted, etc.

As a rule, by this time most of the programs you use are infected with the virus, and some disks and files are corrupted. In addition, infected programs may already have been transferred from your computer to other computers over the network or on removable media.

Some computer viruses and their variants are even more insidious. They quietly infect a large number of programs at once and then cause quite serious damage, for example formatting the entire hard drive. Other viruses try to behave as unobtrusively as possible while gradually, little by little, corrupting the data stored on the hard drive.

It follows from all of the above that if you take no measures to protect against viruses, the consequences of an infection will be very serious. For example, in 1989 the American student Morris wrote a virus that infected and disabled thousands of computers, including those belonging to the US Department of Defense. The court fined the author of the virus $270,000 and sentenced him to three months in prison. The punishment could have been more severe, but the court took into account that the virus only replicated and did not get as far as corrupting data.

A virus program is small and therefore inconspicuous. Some authors create such programs out of mischief, others in order to harm someone or to gain access to information or computer resources. In any case, once created, a virus can spread to every computer compatible with the one it was written for and cause very great destruction.

It should be noted that writing a virus is not such a difficult task and is quite within the reach of a student studying programming. Hence more and more new computer viruses appear on the Internet every day.



Computer viruses

Computer virus - concept and classification.


A computer virus is a specially written, small program (i.e., a certain set of executable code) that can attach itself to other programs (“infect” them), create copies of itself and inject them into files, system areas of the computer, etc., and also perform various unwanted actions on the computer.
A program containing a virus is called “infected”. When such a program starts, the virus takes control first. The virus finds and “infects” other programs and also performs some harmful actions (for example, it corrupts files or the file allocation table on the disk, or “clogs” RAM). For the sake of disguise, the infecting and harmful actions may not be carried out every time, but only, say, when certain conditions are met.

For example, the Anti-MIT virus destroys all information on the hard drive every year on December 1; the Tea Time virus prevents input from the keyboard from 15:10 to 15:13; and the famous One Half, which has been “walking” around our city throughout the past year, quietly encrypts the data on the hard drive. In 1989 an American student managed to create a virus that disabled about 6,000 computers of the US Department of Defense. The epidemic of the famous Dir-II virus broke out in 1991; the virus used a truly original, fundamentally new technique and at first spread widely because traditional antivirus tools were not equipped for it.

Christopher Pile created the Pathogen and Queeg viruses, as well as SMEG. The last was the most dangerous: it could be applied to the first two, so that after each run of an infected program they changed their form, which made them impossible to remove. To spread the viruses, Pile copied computer games and programs, infected them and then sent them back onto the network. Users downloaded the infected programs onto their computers and infected their disks. The situation was aggravated by the fact that Pile managed to introduce his viruses into a program that fights them: by launching it, instead of destroying viruses, users received another one. As a result, the files of many companies were destroyed, causing losses amounting to millions of pounds.

The American programmer Morris became widely known as the creator of the virus that in November 1988 infected about 7,000 personal computers connected to the Internet.

The first studies of self-replicating artificial structures were carried out in the middle of the 20th century. The term “computer virus” appeared later: its author is officially considered to be F. Cohen, an employee of Lehigh University (USA), who introduced it in 1984 at the seventh conference on information security.

Experts believe that the number of existing viruses now exceeds 20 thousand, with 6 to 9 new ones appearing every day. About 260 of them are currently “wild”, that is, actually in circulation.


One of the most authoritative “virologists” in the country, Evgeny Kaspersky, proposes a conditional classification of viruses according to the following criteria:

  1. according to the habitat of the virus

  2. according to the method of infection of the habitat

  3. according to destructive possibilities

  4. according to the characteristics of the virus algorithm.

A more detailed classification within these groups can be presented something like this:


Habitat:

  • network: spread over a computer network
  • file: injected into executable files
  • boot: embedded in the boot sector of the disk (Boot sector)

Method of infection:

  • resident: remain in memory and stay active until the computer is turned off
  • non-resident: do not infect memory; active only for a limited time

Destructive possibilities:

  • harmless: practically do not affect the computer’s work; reduce free disk space as a result of their spread
  • non-hazardous: reduce free memory; create sound, graphic and other effects
  • dangerous: can lead to serious malfunctions
  • very dangerous: may result in loss of programs or system data

Peculiarities of the virus algorithm:

  • “satellite” viruses: do not change files; for EXE files they create satellite files with the extension COM
  • worm viruses: spread across the network, sending out copies of themselves after computing network addresses
  • “student” viruses: primitive, contain a large number of errors
  • stealth viruses (invisible): intercept DOS calls to infected files or sectors and substitute uninfected areas in their place
  • ghost viruses: have no single permanent piece of code and are difficult to detect; the main body of the virus is encrypted
  • macroviruses: written not in machine code but in WordBasic; live in Word documents and rewrite themselves into Normal.dot

The main ways viruses enter a computer are removable disks (floppy and optical) and computer networks. A hard drive can become infected when a program is loaded from a floppy disk that contains a virus. Such an infection can also be accidental, for example if a floppy disk was left in drive A: and the computer was rebooted, even though the floppy is not a system disk. It is much easier to infect a floppy disk: a virus can get onto it even if the floppy is simply inserted into the drive of an infected computer and, for example, its directory is read.


How the virus works.

Let's look at the operation of a very simple boot virus that infects floppy disks.

What happens when you turn on the computer? First, control passes to the bootstrap program stored in read-only memory (ROM); below it is abbreviated PNZ (ROM).

This program tests the hardware and, if the tests succeed, tries to find a floppy disk in drive A:.

Every floppy disk is divided into so-called sectors and tracks. Sectors are grouped into clusters, but that is not important here.

Among the sectors there are several service sectors used by the operating system for its own needs (these sectors cannot contain your data). Among the service sectors, the one we are interested in now is the so-called boot sector.

The boot sector stores information about the floppy disk (the number of surfaces, tracks, sectors, etc.). What interests us now, however, is not this information but the small bootstrap program stored in the sector (PNZ (disk) in the scheme below), which must load the operating system itself and transfer control to it.

So the normal bootstrap scheme is as follows:

PNZ (ROM) - PNZ (disk) - SYSTEM

Now let's look at the virus. A boot virus has two parts, the so-called head and tail. The tail, generally speaking, may be empty.

Suppose you have a clean floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive (in our case, a floppy disk that is not write-protected and has not yet been infected), it begins to infect it. When infecting a floppy disk, the virus performs the following actions:


  1. allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest, traditional case the sectors occupied by the virus are marked as bad

  2. copies its tail and the original (healthy) boot sector to the allocated area of the disk

  3. replaces the boot program in the (real) boot sector with its head

  4. organizes the chain of control transfer according to the scheme.

Thus the head of the virus is now the first to receive control; the virus installs itself in memory and then transfers control to the original boot sector. In the chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

We have examined the functioning of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks but also those of hard drives. Moreover, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When the computer boots from the hard drive, the boot program in the MBR (Master Boot Record) takes control first. If the hard drive is divided into several partitions, only one of them is marked as bootable. The boot program in the MBR finds the boot partition and transfers control to the boot program of that partition. The code of the latter coincides with the code of the boot program on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, on a hard drive there are two objects of attack for boot viruses: the boot program in the MBR and the boot program in the boot sector of the boot partition.
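The objects of attack just described, the boot program and the parameter table that sits beside it in the same sector, can be checked the way an auditor program checks the system areas of a disk. The following Python is an added example, not code from the original text or from any product it names: it constructs a 512-byte FAT12 boot sector for a 1.44 MB floppy (every field value is a sample value), reads the BIOS Parameter Block that describes surfaces, tracks and sectors, and fingerprints only the jump instruction and the boot program. Those are the parts a boot virus has to replace to receive control first, while the parameter table is normally preserved so that the disk stays readable; a changed fingerprint therefore points at the boot program itself. The offsets follow the standard FAT12/16 layout; the boot code bytes are placeholders.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B             # BIOS Parameter Block: after the 3-byte jump and 8-byte OEM name
BPB_FORMAT = "<HBHBHHBHHHII"  # little-endian fields occupying 0x0B..0x23
BOOT_CODE_OFFSET = 0x3E       # boot program begins after the extended BPB (FAT12/16 layout)
SIGNATURE_OFFSET = 0x1FE      # every valid boot sector ends with 0x55 0xAA

# Constructed placeholder boot code (cli; xor ax,ax; mov ss,ax; mov sp,7C00h; sti; nops).
CLEAN_BOOT_CODE = b"\xFA\x31\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 16
# Constructed different bytes that stand in for a boot program that has been replaced.
OTHER_BOOT_CODE = b"\xFA\xEB\xFE" + b"\x90" * 22


def build_boot_sector(boot_code: bytes) -> bytes:
    """Construct a FAT12 boot sector for a 1.44 MB floppy; all values are sample values."""
    if len(boot_code) > SIGNATURE_OFFSET - BOOT_CODE_OFFSET:
        raise ValueError("boot code does not fit before the 0x55AA signature")
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"        # JMP SHORT 0x3E; NOP
    sector[3:11] = b"MSDOS5.0"           # OEM name
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (the boot sector itself)
                     2,      # number of FAT copies
                     224,    # root directory entries
                     2880,   # total sectors: 80 tracks x 2 surfaces x 18 sectors
                     0xF0,   # media descriptor of a 3.5" 1.44 MB floppy
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # number of surfaces (heads)
                     0,      # hidden sectors
                     0)      # 32-bit total sector count (unused for floppies)
    sector[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + len(boot_code)] = boot_code
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_boot_sector(sector: bytes) -> dict:
    """Read the disk description the text mentions (surfaces, tracks, sectors) and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    (bytes_per_sector, _per_cluster, _reserved, _fats, _root_entries, total_sectors,
     _media, sectors_per_fat, sectors_per_track, heads, _hidden, _total32) = \
        struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    per_track = sectors_per_track * heads
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "total_sectors": total_sectors,
        "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "tracks": total_sectors // per_track if per_track else 0,  # guard against a zeroed BPB
        "valid_signature": sector[SIGNATURE_OFFSET:] == b"\x55\xAA",
    }


def boot_code_fingerprint(sector: bytes) -> str:
    """Hash only the jump and the boot program.

    A boot virus places its head where the boot program was so that it receives control
    first, but keeps the parameter block so the disk stays readable; the parameter block
    is therefore left out, and a changed fingerprint points at the boot program itself.
    """
    digest = hashlib.sha256()
    digest.update(sector[0:3])
    digest.update(sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET])
    return digest.hexdigest()


def audit_boot_sector(sector: bytes, baseline_fingerprint: str) -> list:
    """Compare a sector with a fingerprint taken while the disk was known to be clean."""
    findings = []
    if not parse_boot_sector(sector)["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_fingerprint(sector) != baseline_fingerprint:
        findings.append("boot program differs from baseline")
    return findings


def demo() -> dict:
    """Baseline a clean sector, then audit a copy whose boot program was replaced."""
    clean = build_boot_sector(CLEAN_BOOT_CODE)
    baseline = boot_code_fingerprint(clean)
    replaced = build_boot_sector(OTHER_BOOT_CODE)   # same parameter block, different code
    return {
        "geometry": parse_boot_sector(clean),
        "clean_findings": audit_boot_sector(clean, baseline),
        "replaced_findings": audit_boot_sector(replaced, baseline),
    }


if __name__ == "__main__":
    result = demo()
    g = result["geometry"]
    print(f"{g['oem_name']}: {g['heads']} surfaces, {g['tracks']} tracks, {g['sectors_per_track']} sectors/track")
    print("replaced boot program:", result["replaced_findings"])
```

The same split applies to a hard drive: the MBR and the partition boot sector each carry a code region and a parameter region, and a baseline taken from a clean boot is the only reliable reference, since the parameter tables of an infected and a clean sector are identical.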

Signs of the virus.


When your computer is infected with a virus, it is important to detect it. To do this, you should know about the main signs of viruses. These include the following:

  1. cessation of operation or incorrect operation of previously successfully functioning programs

  2. slow computer

  3. inability to load the operating system

  4. disappearance of files and directories or corruption of their contents

  5. changing the date and time of file modification

  6. resizing files

  7. unexpected significant increase in the number of files on the disk

  8. significant reduction in the size of free RAM

  9. displaying unexpected messages or images on the screen

  10. giving unexpected sound signals

  11. frequent freezes and crashes of the computer

It should be noted that the above phenomena are not necessarily caused by the presence of a virus; they may be the result of other causes. Therefore it is always difficult to diagnose the condition of a computer correctly.

Protection methods. Antiviruses.

Whatever the virus, the user needs to know the basic methods of protecting against computer viruses.

To protect against viruses you can use:


  1. general information protection tools, which are also useful as insurance against physical damage to disks, malfunctioning programs or erroneous user actions;

  2. preventive measures to reduce the likelihood of contracting the virus;

  3. specialized programs for virus protection.

General information security tools are useful for more than just virus protection. There are two main types of these tools:


  1. copying information - creating copies of files and system areas of disks;

  2. access control prevents unauthorized use of information, in particular, protection against changes to programs and data by viruses, malfunctioning programs and erroneous user actions.

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:


  1. detector programs

  2. doctor programs or phages

  3. audit programs

  4. filter programs

  5. vaccine or immunizer programs

Detector programs search RAM and files for a signature characteristic of a particular virus and, if it is found, issue a corresponding message. The disadvantage of such antivirus programs is that they can find only viruses already known to their developers.

Doctor programs, or phages, and vaccine programs not only find files infected with viruses but also “treat” them, i.e. remove the body of the virus program from the file and return the file to its original state. At the beginning of their work, phages search for viruses in RAM and destroy them, and only then proceed to “cleaning” files. Among the phages are polyphages, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous of them are Aidstest, Scan, Norton AntiVirus and Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected, and then periodically, or at the user’s request, compare the current state with the original one. Detected changes are displayed on the monitor screen. As a rule, the comparison is carried out immediately after the operating system loads. When comparing, the file length, cyclic redundancy code (file checksum), date and time of modification, and other parameters are checked. Auditor programs have fairly sophisticated algorithms, detect stealth viruses and can even distinguish changes in a new version of the program being checked from changes made by a virus. Among the audit programs is the Adinf program, widely used in Russia.
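The detector and auditor programs described above can be contrasted in a few lines of Python. This is an added example, not code from the page or from any antivirus product it names; the signature database, the file contents and the directory layout are all constructed, and a SHA-256 digest stands in for the checksum. The detector looks for a known byte sequence in each file. The auditor records length, modification time and checksum of every executable while the system is clean, and on a later run classifies what changed: a file whose contents changed is reported as modified even if its timestamp was put back, a file whose contents are unchanged but whose timestamp moved is reported separately, and new or missing files are listed. The scenario changes a program in a way that matches no signature; the detector misses it and the auditor reports it, which is the reason the text calls auditors among the most reliable means of protection.

```python
import hashlib
import os
import tempfile

# Constructed signature database: a real detector holds thousands of such entries,
# each a byte sequence characteristic of one known virus. This entry is a placeholder.
SIGNATURES = {
    "Sample.Marker.A": b"\xDE\xAD\xBE\xEF\x53\x49\x47",
}

EXECUTABLE_EXTENSIONS = (".com", ".exe", ".sys", ".bat")


def scan_for_signatures(path: str, signatures: dict = SIGNATURES) -> list:
    """Detector program: names of every known signature that occurs in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pattern in signatures.items() if pattern in data]


def file_state(path: str) -> dict:
    """What an auditor remembers about one file: length, modification time and checksum.
    SHA-256 stands in for the cyclic redundancy code the text mentions."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest.hexdigest()}


def build_baseline(root: str) -> dict:
    """Auditor, first run: snapshot every executable under root while the system is known clean."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_state(full)
    return baseline


def audit(root: str, baseline: dict) -> dict:
    """Auditor, later runs: compare the current state with the baseline.

    A file is modified when its checksum or length changed, even if the timestamp was
    put back; a changed timestamp with identical contents is reported separately.
    """
    current = build_baseline(root)
    report = {"modified": [], "timestamp_only": [], "added": [], "removed": []}
    for rel, state in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif (state["sha256"], state["size"]) != (old["sha256"], old["size"]):
            report["modified"].append(rel)
        elif state["mtime_ns"] != old["mtime_ns"]:
            report["timestamp_only"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {key: sorted(names) for key, names in report.items()}


def demo() -> dict:
    """Constructed scenario: baseline a directory of sample 'programs', then change it."""
    with tempfile.TemporaryDirectory() as root:
        edit_com = os.path.join(root, "EDIT.COM")
        game_exe = os.path.join(root, "GAME.EXE")
        util_com = os.path.join(root, "UTIL.COM")
        with open(edit_com, "wb") as f:
            f.write(b"\xB4\x4C\xCD\x21" * 16)    # constructed program image
        with open(game_exe, "wb") as f:
            f.write(b"MZ" + b"\x90" * 62)        # constructed program image
        baseline = build_baseline(root)

        # 1. GAME.EXE grows by bytes that match no known signature (constructed change).
        with open(game_exe, "ab") as f:
            f.write(b"\x00CONSTRUCTED-CHANGE")
        # 2. EDIT.COM keeps its contents, but its timestamp is moved to 2001-01-01.
        ts_2001 = 978_307_200 * 10**9
        os.utime(edit_com, ns=(ts_2001, ts_2001))
        # 3. A new program appears that does carry the known marker.
        with open(util_com, "wb") as f:
            f.write(b"\xB8\x00\x4C" + SIGNATURES["Sample.Marker.A"])

        return {
            "detector_on_game": scan_for_signatures(game_exe),  # [] : unknown change, missed
            "detector_on_util": scan_for_signatures(util_com),  # ["Sample.Marker.A"]
            "audit": audit(root, baseline),
        }
```

The baseline must be taken while the system is known to be clean and kept where the programs under watch cannot change it (the text’s advice to run checks from a write-protected system floppy follows the same logic); an auditor whose baseline a virus can rewrite reports nothing.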

Filter programs or "watchman" are small resident programs designed to detect suspicious actions during computer operation, characteristic of viruses. Such actions may be:


  1. attempts to correct files with COM, EXE extensions

  2. changing file attributes

  3. direct writing to disk at absolute address

  4. writing to disk boot sectors

When any program tries to perform one of these actions, the “watchman” sends a message to the user and offers to prohibit or allow the action. Filter programs are very useful because they can detect a virus at the earliest stage of its existence, before it replicates. However, they do not “clean” files and disks; to destroy viruses you need other programs, such as phages. The disadvantages of watchman programs include their “intrusiveness” (for example, they constantly issue a warning about any attempt to copy an executable file) and possible conflicts with other software. An example of a filter program is the Vsafe program, which is part of the MS DOS utility package.
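The four suspicious actions listed above can be written as rules over a stream of intercepted operations, which is what a filter program does while resident. The following Python is an added example, not the code of Vsafe or of any other product the page mentions: it parses a constructed event log (process, operation, target, in a notation invented for this example), flags each of the four actions, and remembers the user’s “allow” decisions so that an expected action such as FORMAT writing a floppy’s first sector stops producing alerts. Running it once without and once with those decisions shows the “intrusiveness” the text warns about.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One intercepted operation, in a notation invented for this example."""
    process: str    # program that requested the operation
    operation: str  # write_file, set_attr or write_sector
    target: str     # file path, or DISK:SECTOR for direct disk access


EXECUTABLE_RE = re.compile(r"\.(com|exe)$", re.IGNORECASE)
BOOT_SECTORS = frozenset({"A:0", "C:0"})   # constructed: first sector of each disk

# Constructed event log: process, operation, target.
SAMPLE_LOG = """\
EDIT.COM write_file C:\\DOC\\LETTER.TXT
COMMAND.COM write_file C:\\GAMES\\TETRIS.EXE
TETRIS.EXE write_file C:\\DOS\\FORMAT.COM
TETRIS.EXE set_attr C:\\DOS\\FORMAT.COM
TETRIS.EXE write_sector C:0
FORMAT.COM write_sector A:0
"""

# Decisions the user has already taken at the watchman's prompt (constructed):
# copying a program with COMMAND.COM and FORMAT writing a floppy's sectors are expected.
TRUSTED_DECISIONS = frozenset({
    ("COMMAND.COM", "modify-executable"),
    ("FORMAT.COM", "absolute-disk-write"),
    ("FORMAT.COM", "boot-sector-write"),
})


def parse_log(text: str) -> list:
    """Turn the constructed log into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            process, operation, target = line.split(maxsplit=2)
            events.append(Event(process, operation, target))
    return events


def classify(event: Event) -> list:
    """Names of the suspicious-action rules an event trips (empty if none)."""
    hits = []
    if event.operation == "write_file" and EXECUTABLE_RE.search(event.target):
        hits.append("modify-executable")      # 1. attempt to modify a COM or EXE file
    if event.operation == "set_attr":
        hits.append("change-attributes")      # 2. change of file attributes
    if event.operation == "write_sector":
        hits.append("absolute-disk-write")    # 3. direct write at an absolute disk address
        if event.target in BOOT_SECTORS:
            hits.append("boot-sector-write")  # 4. write to a boot sector
    return hits


def watch(events, allowed=frozenset()) -> list:
    """Return (process, rule, target) alerts, skipping actions the user has already allowed."""
    return [(ev.process, rule, ev.target)
            for ev in events
            for rule in classify(ev)
            if (ev.process, rule) not in allowed]


def demo():
    """Alerts without any remembered decisions, then with the trusted ones applied."""
    events = parse_log(SAMPLE_LOG)
    return watch(events), watch(events, allowed=TRUSTED_DECISIONS)


if __name__ == "__main__":
    noisy, quiet = demo()
    print(f"{len(noisy)} alerts before the user's decisions, {len(quiet)} after:")
    for alert in quiet:
        print("  ", alert)
```

The allow list is keyed on the process name, which is all a DOS-era watchman had to go on; the trade-off the text describes is visible in the numbers, since every legitimate copy of an executable counts as an alert until the user answers the prompt.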

Vaccines, or immunizers, are resident programs that prevent file infection. They are used when there is no doctor program that “treats” a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in a way that does not affect its operation but makes the virus perceive it as already infected, so the virus does not take root. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.


In order to avoid exposing your computer to viruses and to ensure reliable storage of information on disks, you must follow the following rules:

  1. equip your computer with modern antivirus programs, such as Aidstest and Doctor Web, and constantly update their versions

  2. before reading information stored on other computers from floppy disks, always check these floppy disks for viruses by running your computer's antivirus programs

  3. when transferring archived files to your computer, scan them immediately after unpacking them on the hard drive, limiting the scan area to the newly written files

  4. periodically check the hard drives of your computer for viruses by running antivirus programs that test files, memory and system areas of disks from a write-protected floppy disk, after loading the operating system from a write-protected system floppy disk

  5. always write-protect your floppy disks when working on other computers unless information is to be written to them

  6. be sure to make backup copies on floppy disks of information that is valuable to you

  7. do not leave floppy disks in drive A: when turning on or restarting the computer, to prevent infection with boot viruses

  8. use antivirus programs for input control of all executable files received from computer networks

  9. for greater security, combine Aidstest and Doctor Web with daily use of the Adinf disk auditor.

Antivirus program AntiViral Toolkit Pro.

The AVP antivirus program was developed by the leading Russian company Kaspersky Lab. The program has entered the global market and is quite actively sold in many countries.
When launched, AVP loads its antivirus databases, checks RAM for resident viruses and checks itself for infection. After a successful start, the status bar shows the message "Last update: <date>, <quantity> viruses", where <date> is the date of the last database update and <quantity> is the number of known viruses (virus data is stored in files with the extension .AVC).

The main program window contains four menu items:

  1. file

  2. virus scan

  3. service

five tabs:

  1. area

  2. objects

  3. actions

  4. settings

  5. statistics

the "Start" button ("Stop" while a disk is being scanned) and the "Object - Result" viewing window. When the program loads, the "Area" tab opens automatically (Fig. 1). To start scanning, select on the "Area" tab the drives and/or folders you want to check and click the "Start" button (or the menu item "Start Virus Scan"). A disk or folder is selected for checking by double-clicking it with the left mouse button. To select disks quickly, check the appropriate boxes: "Local disks", "Network disks" and/or "Floppy disk drives". To add a folder to the scan, press the "Select folder" button; a standard Windows 95 dialog box appears in which you choose the name of the folder to add to the testing area. If you click the "Start" button without selecting an object to scan, AVP displays the message: The scanning area is not specified. Please mark the drives in the "Area" tab. To stop testing urgently, click the "Stop" button or select the menu item "Stop Virus Scan".

The "Objects" tab specifies the list of objects to be scanned and the types of files to be tested.

On the Objects tab, you can select the following checkboxes:


  1. Memory - include system memory (including the High Memory Area) in the scan

  2. Sectors - include system sectors in the scan

  3. Files - include files in the scan (including files with the Hidden, System and ReadOnly attributes)

  4. Packed objects - enable the Unpack Engine, which unpacks packed files for testing

  5. Archives - enable the Extract Engine, which allows viruses to be found inside archives.

"File Type" contains four switches:

Programs by format - scan programs recognised by their format (.com, .exe, .vxd, .dll files and Microsoft Office formats). Thus, when scanning by format, all files that may contain virus code are checked.

Programs by extension - scan all files with the extensions *.BAT, *.COM, *.EXE, *.OV*, *.SYS, *.BIN, *.PRG.

All files - scan all files.

By mask - scan using a mask specified by the user in the input line.


Tab "Actions" allows you to set actions in case infected or suspicious objects are detected during testing.

The tab contains four buttons and two checkboxes.

At your request, the program will either only inform you about detected viruses, treat the infected object after opening it, or treat it automatically. Suspicious objects can be copied either to a folder you specify or to the program’s working folder.


Tab "Settings" allows you to configure the program for different modes.

Warnings - Enables an additional checking mechanism.

Code analyzer - includes a mechanism capable of detecting as yet unknown viruses in the objects being examined.

Redundant scanning - enables a mechanism to completely scan the contents of a file. It is recommended to enable this mode when a virus is not detected, but strange phenomena are observed in the computer’s operation - slowdowns, frequent spontaneous reboots, etc. In other cases, using this mode is not recommended, as there is a possibility of false positives when scanning clean files.




The settings also let the user show the name of the object being scanned in the "Object" column during scanning; in the "Result" column an "ok" message appears next to the object's name if the object is clean. A sound signal can be set to play when a virus is detected, which is very useful in practice, since the scanning process is long and monotonous. You can also follow the scanning sequence ("Report tracking" checkbox) or write a report file, specifying the name of the resulting file ("File report" checkbox). Checking the latter gives access to two auxiliary checkboxes:

  1. Add- the new report will be added strictly to the end of the old one

  2. Size limitation- limit the size of the report file at the user's request (by default - 500 kilobytes)

After the specified objects have been checked, the "Statistics" tab is activated automatically.

This tab contains the results of the program's work. It is divided into two parts containing information about the number of scanned objects, files and folders and the number of viruses, warnings, corrupted objects, etc. found.

The AVP signature database is one of the largest - the latest version of the program contains more than 25,000 viruses. It should be noted that working with the program does not cause difficulties even for an inexperienced user, and you can easily get a new version from the Internet.

LIST OF REFERENCES USED


Akhmetov K. Course of a young fighter. Moscow, Computer press, 1997.
Kaspersky E. Computer viruses in MS-DOS. Moscow, Edel-Renaissance, 1992.
PC World. No. 4, 1998.

Characteristics of computer viruses

The essence and manifestation of computer viruses

The widespread use of personal computers has, unfortunately, been accompanied by the emergence of self-replicating virus programs that interfere with the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer. Once a computer virus has penetrated one computer, it can spread to others.

A computer virus is a specially written program that is capable of attaching itself to other programs on its own, creating copies of itself and introducing them into files, system areas of the computer and computer networks in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference with work on the computer.

The reasons for the appearance and spread of computer viruses lie, on the one hand, in the psychology of the human personality and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to use one’s abilities constructively) and, on the other hand, in the lack of hardware protection and countermeasures in the operating system of the personal computer. Despite the laws adopted in many countries to combat computer crime and the development of special software tools to protect against viruses, the number of new viruses grows constantly. This requires the user of a personal computer to understand the nature of viruses, the ways they infect a computer and the means of protection against them.

The main routes by which viruses enter a computer are removable disks (floppy and optical) and computer networks. A hard drive can become infected when the computer is booted from a floppy disk that contains a virus. Such an infection can also be accidental, for example if a floppy disk was left in drive A: when the computer was rebooted, even though it is not a system disk. It is much easier to infect a floppy disk: a virus can get onto it even if the floppy is simply inserted into the drive of an infected computer and, for example, its directory is read.

An infected disk is a disk whose boot sector contains a virus program. After running a program containing a virus, it becomes possible to infect other files. Most often the boot sector of the disk and executable files with the extensions EXE, COM, SYS or BAT are infected; it is extremely rare for text or graphic files to become infected. An infected program is a program that contains a virus program embedded in it.

When a computer is infected with a virus, it is very important to detect it in time. To do this, you should know the main signs of a virus. These include the following:
  • cessation of operation or incorrect operation of previously successfully functioning programs;
  • slow computer performance;
  • inability to load the operating system;
  • disappearance of files and directories or corruption of their contents;
  • changing the date and time of file modification;
  • resizing files;
  • unexpected significant increase in the number of files on the disk;
  • a significant reduction in the size of free RAM;
  • displaying unexpected messages or images on the screen;
  • giving unexpected sound signals;
  • frequent freezes and crashes of the computer.
It should be noted that the above phenomena are not necessarily caused by the presence of a virus; they may be the consequence of other causes. Therefore it is always difficult to diagnose the condition of a computer correctly.

Main types of viruses

There are currently more than 5,000 known software viruses. They can be classified according to the following criteria (Fig. 11.10):

Fig. 11.10. Classification of computer viruses: a - by habitat; b - by method of infection; c - by degree of impact; d - by features of the algorithms.

Depending on the habitat, viruses can be divided into network, file, boot and file-boot viruses. Network viruses spread over various computer networks. File viruses are embedded mainly in executable modules, i.e. in files with COM and EXE extensions. File viruses can be embedded in other types of files, but as a rule, once written into such files, they never gain control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the boot program of the system disk (Master Boot Record). File-boot viruses infect both files and the boot sectors of disks.

By method of infection, viruses are divided into resident and non-resident. When a resident virus infects a computer, it leaves its resident part in RAM, which then intercepts the operating system's accesses to infection targets (files, disk boot sectors, etc.) and injects itself into them. Resident viruses reside in memory and remain active until the computer is turned off or rebooted. Non-resident viruses do not infect the computer's memory and are active for a limited time.

By degree of impact, viruses can be divided into the following types:
  • non-hazardous, not interfering with the operation of the computer, but reducing the amount of free RAM and disk memory, the actions of such viruses are manifested in some graphic or sound effects;
  • dangerous viruses that can lead to various problems with your computer;
  • very dangerous the impact of which can lead to loss of programs, destruction of data, and erasure of information in system areas of the disk.
By features of the algorithm, viruses are difficult to classify because of their wide variety. The simplest viruses are parasitic: they change the contents of files and disk sectors and can be detected and destroyed quite easily. Replicator viruses, called worms, spread over computer networks, compute the addresses of network computers and write copies of themselves at those addresses. Invisible viruses, called stealth viruses, are very difficult to detect and neutralize, since they intercept the operating system's calls to infected files and disk sectors and substitute uninfected areas of the disk in their place. The most difficult to detect are mutant viruses, which contain encryption and decryption algorithms thanks to which two copies of the same virus do not share a single repeated string of bytes. There are also so-called quasi-viral or "Trojan" programs which, although not capable of self-propagation, are very dangerous because, masquerading as useful programs, they destroy the boot sector and file system of disks.

VIRUS DETECTION AND PROTECTION PROGRAMS

Characteristics of antivirus programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs (Fig. 11.11):

Fig. 11.11. Types of antivirus programs.

Detector programs search RAM and files for a sequence of bytes (the virus signature) characteristic of a particular virus and, when it is found, issue a corresponding message. The disadvantage of such antivirus programs is that they can find only viruses already known to their developers.

Doctor programs, or phages, and vaccine programs not only find files infected with viruses but also “treat” them, i.e. remove the body of the virus program from the file and return the file to its original state. At the beginning of their work, phages search for viruses in RAM and destroy them, and only then proceed to “cleaning” files. Among the phages are polyphages, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous polyphages are the programs Aidstest, Scan, Norton AntiVirus and Doctor Web. Since new viruses appear constantly, detector and doctor programs quickly become outdated, and regular updates of their versions are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected, and then periodically, or at the user’s request, compare the current state with the original one. Detected changes are displayed on the monitor screen. As a rule, the comparison is carried out immediately after the operating system loads. When comparing, the file length, cyclic redundancy code (file checksum), date and time of modification, and other parameters are checked. Auditor programs have fairly sophisticated algorithms, detect stealth viruses and can even distinguish changes in a new version of the program being checked from changes made by a virus. Among the audit programs is the Adinf program from Dialog-Science, which is widely used in Russia.

Filter programs, or "watchmen", are small resident programs designed to detect the suspicious actions characteristic of viruses during the computer's operation. Such actions may be:
  • attempts to correct files with COM and EXE extensions;
  • changing file attributes;
  • direct writing to disk at absolute address;
  • writing to boot sectors of the disk.
When any program tries to perform these actions, the "watchman" sends a message to the user and offers to prohibit or allow the action. Filter programs are very useful because they can detect a virus at the earliest stage of its existence, before replication. However, they do not "clean" files and disks; to destroy viruses you need other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file) and possible conflicts with other software. An example of a filter program is Vsafe, included in the utilities package of the MS DOS operating system.

Vaccines, or immunizers, are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that "treat" the virus in question. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that its operation is not affected, but the virus perceives it as already infected and therefore does not take root. Currently, vaccine programs have limited use.

Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.

Anti-virus kit of Dialog-Science JSC
Among the abundance of modern software tools for combating computer viruses, preference should be given to the anti-virus kit of Dialog-Science JSC, which includes four software products: the Aidstest and Doctor Web (Dr.Web for short) polyphages, the ADinf disk auditor and the ADinf Cure Module treatment unit. Let us take a brief look at how and when to use these antivirus programs.

Aidstest polyphage program
Aidstest is a program that can detect and destroy more than 1,300 computer viruses that are the most widespread in Russia. Versions of Aidstest are regularly updated and supplemented with information about new viruses.
To call Aidstest, enter the command:

AIDSTEST path [options]

where path is the drive name, the full name or specification of a file, or a mask for a group of files: * means all hard drive partitions, ** means all drives, including network and CD-ROM drives; options is any combination of the following keys:
  • /F - fix infected programs and erase corrupted ones;
  • /G - scan all files in a row (not only COM, EXE and SYS);
  • /S - slow operation, to search for corrupted viruses;
  • /X - erase all files with violations in the structure of the virus;
  • /Q - ask permission to delete corrupted files;
  • /B - do not offer to process the next floppy disk.

Example 11.27. Running Aidstest to check and "treat" disk B:. Detected infected programs will be fixed. All files on the disk are subject to scanning. If a file cannot be fixed, the program will ask for permission to delete it:

aidstest b: /f/g/q

Doctor Web polyphage program
This program is designed primarily to combat polymorphic viruses, which appeared relatively recently in the computer world. Using Dr.Web to scan disks and remove detected viruses is generally similar to using Aidstest. In this case there is practically no duplication of checks, since Aidstest and Dr.Web work on different sets of viruses. Dr.Web can effectively fight complex mutant viruses that are beyond the capabilities of Aidstest. Unlike Aidstest, Dr.Web is capable of detecting changes in its own program code, effectively identifying files infected with new, unknown viruses, penetrating encrypted and packed files, and also overcoming the "vaccine cover". This is achieved thanks to a fairly powerful heuristic analyzer. In heuristic analysis mode, Dr.Web examines files and system areas of disks, trying to detect new or unknown viruses by code sequences characteristic of viruses. If any are found, a warning is displayed indicating that the object may be infected with an unknown virus. Three levels of heuristic analysis are provided.
In heuristic analysis mode, false positives are possible, i.e. detection of files that are not actually infected. The "heuristics" level implies code analysis without false positives; the higher the heuristics level, the higher the percentage of errors, or false positives. The first two levels of the heuristic analyzer are recommended. The third level additionally checks files for a "suspicious" creation time. Some viruses, when infecting files, set an incorrect creation time as a sign that the file is infected: for example, the seconds may be 62, or the year of creation may be increased by 100 years. The Dr.Web antivirus may also include add-on files to the program's main virus database, expanding its capabilities. Work with Dr.Web is possible in two modes:
  • in full-screen interface mode using menus and dialog boxes;
  • in command line control mode.
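The third-level timestamp check described above, as an added example that is not Dr.Web's own code: it unpacks the 16-bit FAT date and time words stored in a DOS directory entry and flags the two anomalies the text names, a seconds field that decodes to 60 or 62 and a creation year lying in the future. The directory entries and function names are the example's own constructions.

```python
from collections import namedtuple

# Unpacked fields of the 16-bit FAT date and time words stored in a DOS directory entry
DosTimestamp = namedtuple("DosTimestamp", "year month day hour minute second")

def pack_dos_timestamp(year, month, day, hour, minute, second):
    """Pack a calendar time the way DOS stores it (seconds are kept as seconds/2)."""
    date_word = ((year - 1980) << 9) | (month << 5) | day
    time_word = (hour << 11) | (minute << 5) | (second // 2)
    return date_word, time_word

def decode_dos_timestamp(date_word, time_word):
    """Unpack the two words; an out-of-range field is decoded literally, not clamped."""
    return DosTimestamp(
        year=1980 + ((date_word >> 9) & 0x7F),
        month=(date_word >> 5) & 0x0F,
        day=date_word & 0x1F,
        hour=(time_word >> 11) & 0x1F,
        minute=(time_word >> 5) & 0x3F,
        second=(time_word & 0x1F) * 2,  # 5-bit field holds seconds/2: 31 decodes to 62
    )

def timestamp_warnings(ts, scan_year):
    """Reasons a level-3 style heuristic would flag this timestamp; empty if it looks normal."""
    reasons = []
    if ts.second >= 60:  # only 0..58 are reachable by a normal write
        reasons.append(f"seconds = {ts.second}")
    if ts.year > scan_year:
        reasons.append(f"creation year {ts.year} lies in the future")
    if not (1 <= ts.month <= 12 and 1 <= ts.day <= 31 and ts.hour <= 23 and ts.minute <= 59):
        reasons.append("date/time fields out of range")
    return reasons

def flag_suspicious_entries(entries, scan_year):
    """entries: (name, date_word, time_word) triples as read from a directory."""
    flagged = {}
    for name, date_word, time_word in entries:
        reasons = timestamp_warnings(decode_dos_timestamp(date_word, time_word), scan_year)
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed directory entries: one normal, one marked the way the text describes
SAMPLE_ENTRIES = [
    ("README.TXT", *pack_dos_timestamp(1992, 3, 15, 10, 30, 44)),
    ("GAME.EXE", *pack_dos_timestamp(1992 + 100, 3, 15, 10, 30, 62)),
]
```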
For one-time, irregular use the first mode is more convenient, but for regular use for the purpose of systematic input control of floppy disks it is better to use the second mode. When using the second mode, the corresponding Dr.Web start command must be included either in the user menu of the Norton Commander shell or in a special batch file. The command line to launch Dr.Web looks like this:

DrWeb [drive: [path]] [keys]

where drive: is a logical device of a hard disk or a physical floppy disk device, for example F: or A:, * means all logical devices on the hard disk, and path is the path or mask of the required files. The most important keys:
  • /AL - diagnostics of all files on the given device;
  • /CU[P] - "disinfection" of disks and files, removal of detected viruses; P - removal of viruses with user confirmation;
  • /DL - deletion of files for which correct treatment is impossible;
  • /HA[level] - heuristic analysis of files and search for unknown viruses in them, where level can take the values 0, 1, 2;
  • /RP[file name] - recording the work log to a file (by default the file REPORT.WEB);
  • /CL - launch the program in command line mode; when testing files and system areas, the full-screen interface is not used;
  • /QU - exit to DOS immediately after testing;
  • /? - display brief help on the screen.

If no key is specified on the Dr.Web command line, all information for the current launch is read from the DRWEB.INI configuration file, located in the same directory as DRWEB.EXE. The configuration file is created while working with Dr.Web using the command to save the parameters required for testing.

Example 11.28. Running the Dr.Web antivirus program to check and treat disk B:. Detected infected files will be "cured". All files on the disk are subject to scanning. If a file cannot be "cured", the program will ask permission to delete it. To search for viruses, heuristic analysis level 1 should be used.
The program should be executed only in command line mode, with exit to DOS after testing is completed:

DrWeb B: /AL /CUP /HA1 /QU /CL

Technology for working with Dr.Web in full-screen interface mode
To launch in full-screen interface mode, just enter the program name on the command line. Immediately after the program loads, testing of the computer's RAM begins, unless it was disabled by previous settings. The testing progress is displayed in the testing window. Once the memory test is completed, the program stops. You can continue running the program using the main menu located on the top line of the screen. To activate the menu, press the corresponding key. The main menu contains the following modes: Dr.Web, Test, Settings, Add-ons. When you select any mode, the corresponding submenu opens. The Dr.Web submenu allows you to temporarily exit to DOS, get brief information about the Dr.Web program and its author, or leave the program. The Test submenu allows you to perform the basic operations of testing and disinfecting files and disks, as well as view reports on the actions performed. The Settings submenu is used to set program parameters via dialog boxes, set search paths and masks, and save the parameters in the DRWEB.INI configuration file. The Add-ons mode is used to connect add-on files to the program's main virus database, expanding its capabilities.

ADinf anti-virus disk auditor
The ADinf auditor allows you to detect the appearance of any virus, including stealth viruses, mutant viruses and currently unknown viruses. ADinf remembers:
  • information about boot sectors;
  • information about failed clusters;
  • length and checksums of files;
  • date and time the files were created.
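An auditor of the kind described above, as an added example that is not ADinf's own code: it records length, CRC-32 checksum and modification time for every file under a directory, compares a later snapshot with the baseline, and reports the virus-like pattern of an executable whose contents changed while its date and time were preserved. The directory contents, file name and function names are the example's own constructions.

```python
import os
import tempfile
import zlib
from collections import namedtuple

# What the auditor remembers about each file: length, CRC-32 checksum, date/time
Record = namedtuple("Record", "size crc32 mtime_ns")
EXECUTABLE_EXTS = (".com", ".exe", ".sys")  # file infectors target executables

def snapshot(root):
    """Record length, CRC-32 checksum and modification time of every file under root."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                crc = zlib.crc32(f.read())
            table[os.path.relpath(path, root)] = Record(st.st_size, crc, st.st_mtime_ns)
    return table

def compare(baseline, current):
    """Return {path: verdict} for every file whose recorded characteristics differ."""
    findings = {}
    for path in baseline.keys() | current.keys():
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings[path] = "new file"
        elif new is None:
            findings[path] = "deleted"
        elif old != new:
            # Contents changed but date/time put back: the pattern a file infector leaves
            if old.mtime_ns == new.mtime_ns and path.lower().endswith(EXECUTABLE_EXTS):
                findings[path] = "virus-like change (contents altered, date/time preserved)"
            else:
                findings[path] = "modified"
    return findings

def demo():
    """Constructed scenario: an executable grows while its timestamp is restored."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "EDIT.COM")
        with open(target, "wb") as f:
            f.write(b"original program bytes")
        baseline = snapshot(root)
        st = os.stat(target)
        with open(target, "ab") as f:
            f.write(b"appended bytes")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the timestamp
        return compare(baseline, snapshot(root))
```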
Throughout the entire operation of the computer, ADinf monitors the preservation of these characteristics. In daily control mode, ADinf starts automatically every day when you turn on your computer for the first time. Virus-like changes are monitored especially closely, and an immediate warning is issued. In addition to monitoring file integrity, ADinf monitors the creation and deletion of subdirectories; the creation, deletion, movement and renaming of files; the appearance of new failed clusters; the safety of boot sectors; and much more. All possible places for a virus to enter the system are blocked. ADinf checks disks without using DOS, reading them sector by sector by directly accessing the BIOS. Thanks to this method of verification, ADinf detects camouflaged stealth viruses and provides high-speed disk scanning.

ADinf Cure Module treatment unit
ADinf Cure Module is a program that helps "cure" your computer of a new virus without waiting for the latest versions of Aidstest or Dr.Web, to which this virus will be known. ADinf Cure Module takes advantage of the fact that, despite the huge variety of viruses, there are very few different methods of injecting them into files. During normal operation, when the ADinf auditor is launched regularly, it reports to ADinf Cure Module which files have changed since the last launch. ADinf Cure Module analyzes these files and records in its tables the information that may be needed to recover a file if it is infected with a virus. If an infection has occurred, ADinf notices the changes and again calls ADinf Cure Module, which, by analyzing the infected file and comparing it with the recorded information, tries to restore the original state of the file.

Basic measures to protect against viruses
In order to avoid exposing your computer to viruses and to ensure reliable storage of information on disks, you must follow these rules:
  • equip your computer with up-to-date antivirus software, such as Aidstest or Doctor Web, and constantly update its versions;
  • before reading information recorded on other computers from floppy disks, always check these floppy disks for viruses by running anti-virus programs on your computer;
  • when transferring files in archived form to your computer, check them immediately after unpacking them on your hard drive, limiting the scan area to the newly recorded files only;
  • periodically check your computer's hard drives for viruses by running anti-virus programs to test files, memory and system areas of disks from a write-protected floppy disk, after loading the operating system also from a write-protected system floppy disk;
  • always write-protect your floppy disks when working on other computers if no information is to be recorded on them;
  • be sure to make backup copies on floppy disks of information that is valuable to you;
  • do not leave floppy disks in drive A: when turning on or rebooting the operating system, to prevent the computer from becoming infected with boot viruses;
  • use anti-virus programs for input control of all executable files received from computer networks;
  • for greater safety, the use of Aidstest and Doctor Web must be combined with everyday use of the ADinf disk auditor.