General characteristics and classification of computer viruses

A computer virus is malware capable of self-propagation and of performing destructive actions. Viruses usually enter a computer under the guise of something attractive or useful. They act purely in software: the virus attaches itself to a file and enters the computer together with that infected file. Some viruses remain in the computer's RAM after infection; they go on infecting other files and programs as these are loaded, until the environment the virus is running in is shut down. Such viruses are called memory resident. The other type of virus, once launched, searches for victims a single time, then exits and hands control back to the infected file. The effects of a virus can show themselves in different ways, from visual effects that interfere with work to complete loss of information.

Main sources of infection

There are several ways a virus can enter a computer. The first is a flash drive (or floppy disk) containing infected files. Another is a computer network, including e-mail and the Internet. The source can also be a hard disk that picked up a virus as a result of running infected programs. Finally, installing an infected operating system image will likewise bring malware onto the computer.

The spread of a virus can be divided into several stages. First the virus enters the computer. It is then activated and begins searching for objects to infect. This is followed by the preparation of copies of the virus and their insertion into programs on the computer.
A virus on the computer can be recognised by a number of signs. At an early stage of infection the amount of free RAM decreases, or booting and operation of the computer slow down. Unexplained changes in files, the inability to save files to the directories you need, unfamiliar system messages, and musical or visual effects also signal that a virus has entered the computer. In the active phase files disappear or can no longer be loaded, the operating system fails to boot and, in the worst case, the hard disk is formatted.


Virus classification

About 50 thousand computer viruses are known today. Depending on the characteristic properties of a virus, different methods can be used to detect and neutralise it, which raises the question of classifying malware. Specialists conventionally distinguish the following types of viruses.

Boot viruses

This type of virus infects the boot sectors of fixed and removable media. Often the virus does not fit entirely into the boot record: only its beginning is written there, and the body of the virus is stored elsewhere on the disk. After startup it remains resident in memory.
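The following is an added example, not part of the original text, showing how a practitioner checks a boot sector for the pattern just described: it parses a 512-byte MBR, hashes the boot-code area against a known-good baseline, and looks at the normally empty sectors between the MBR and the first partition, where a boot virus that does not fit into the boot record keeps the rest of its body (and usually a copy of the original sector). The disk image, the placeholder boot-code bytes and the partition layout are constructed for the demonstration; they are not real loader code.

```python
"""Boot-sector check: parse an MBR and look for signs of a boot-sector infector (constructed example)."""
import hashlib
import struct

SECTOR = 512

def make_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte partition
    entries (bootable flag, type, LBA start, sector count; CHS fields zeroed), 0xAA55."""
    table = b"".join(struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for boot, ptype, lba, count in entries)
    return code.ljust(446, b"\0")[:446] + table.ljust(64, b"\0") + b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot signature, a hash of the code area, and the
    non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == b"\x55\xAA",
            "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts}

def inspect_image(image: bytes, baseline_code_sha256: str) -> list:
    """Findings a boot-sector infector typically produces: altered boot code, and
    non-zero sectors in the normally unused gap between the MBR and the first
    partition, where the rest of the virus body is usually stashed."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0xAA55 boot signature")
    if mbr["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    first_lba = min((p["lba_start"] for p in mbr["partitions"]), default=1)
    used = [i for i in range(1, first_lba) if any(image[i * SECTOR:(i + 1) * SECTOR])]
    if used:
        findings.append(f"non-zero sectors before first partition: {used}")
    return findings

def demo() -> dict:
    clean_code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40     # placeholder bytes, not real loader code
    entries = [(0x80, 0x06, 4, 4)]                           # one bootable FAT16 partition at LBA 4
    clean_mbr = make_mbr(clean_code, entries)
    clean_image = clean_mbr + b"\0" * (SECTOR * 7)          # 8-sector toy disk, gap empty
    baseline = parse_mbr(clean_mbr)["code_sha256"]

    # Infection as the text describes it: only the virus head fits in the boot
    # record; the original sector is saved at LBA 2 and the body at LBA 3.
    virus_head = b"\xEB\x20" + b"VX-head".ljust(20, b"\0")
    infected_mbr = make_mbr(virus_head, entries)
    virus_body = b"VX-body".ljust(SECTOR, b"\0")
    infected_image = bytearray(clean_image)
    infected_image[0:SECTOR] = infected_mbr
    infected_image[2 * SECTOR:3 * SECTOR] = clean_mbr
    infected_image[3 * SECTOR:4 * SECTOR] = virus_body
    return {"clean": inspect_image(clean_image, baseline),
            "infected": inspect_image(bytes(infected_image), baseline)}
```

On a real disk the image comes from reading the first sectors of the device (with dd or a forensic imager), and the baseline hash is taken from the same machine while it is known to be clean. Non-zero sectors in the post-MBR gap are a lead rather than proof: GRUB 2 legitimately stores its core image there, so the contents must be compared against what the installed boot loader is expected to write.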

File viruses

These viruses infect files. The group is further divided into three, depending on the environment in which the viral code is executed:

File viruses proper are those that work directly with the resources of the operating system. Files with the .com and .exe extensions are affected.

Macro viruses are viruses written in a macro language and executed in the environment of an application. In the vast majority of cases this means macros in Microsoft Office documents.

Script viruses are viruses executed in the environment of a particular command shell: earlier, .bat files in the DOS command shell; now more often VBS and JS scripts run by Windows Script Host (WSH).

Invisible viruses

This type is also called a stealth virus. The main feature of a stealth virus is that, while permanently resident in memory, it intercepts calls to the infected file and strips its own code out on the fly, returning an apparently unmodified version of the file in response to the request. In this way stealth viruses mask their presence in the system. To detect them, antivirus tools need to read the disk directly, bypassing the operating system's file services.

There are several ways to prevent infection and its devastating consequences. For example, back up your information, and avoid running random and unknown programs. You can also install an antivirus on the computer. There is a wide choice here: from paid professional antivirus packages to.

A computer virus (or simply a virus) is understood as an autonomously functioning program that is able to insert itself into the bodies of other programs and then reproduce and spread across computer networks and individual computers. The predecessors of viruses are considered to be the so-called Trojan horses, whose bodies contain hidden command sequences (modules) that perform actions harmful to the user. The most widespread kind of Trojan horse is a well-known mass-market program (an editor, game, translator, etc.) with an embedded "logic bomb" that is triggered when a particular event occurs. Note that Trojans do not self-replicate.

The fundamental difference between a virus and a Trojan program is that the virus, once activated, exists independently (autonomously) and, as it runs, infects programs by implanting its own code in them. Programs infected with a virus are called virus carriers.

As a rule, a program is infected in such a way that the virus gets control before the program itself. To achieve this, the virus is either placed at the beginning of the program, or implanted into its body so that the first instruction of the infected program is an unconditional jump to the virus. The virus code ends with an unconditional jump to the instruction of the carrier that was its first instruction before infection. Having gained control, the virus selects the next file, infects it, possibly performs some other actions, and then hands control to the virus carrier.

"Primary" infection occurs when infected programs are transferred from the memory of one machine to the memory of another; magnetic media (floppy disks), optical disks and computer network channels can serve as the means of transfer. Viruses that use network facilities to propagate are usually called network viruses. The life cycle of a virus usually includes the following periods: introduction, incubation, replication (self-propagation) and manifestation. During incubation the virus is passive, which complicates finding and neutralising it. At the manifestation stage the virus performs its characteristic target functions, for example irreversibly corrupting information in the computer or on magnetic media.

Signs of a virus are:

    a reduction in available RAM;

    a change in the number of files;

    changes in file sizes;

    a sharp slowdown of the system;

    the drive activity light coming on although nothing is accessing the drive;

    system freezes.
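Most of the signs listed above (a changed number of files, changed file sizes, and, for stealthier infectors, files whose content changes without the size changing) can be checked rather than guessed at. The following added example, which is not part of the original text, keeps a baseline of size and SHA-256 for every file under a directory and reports exactly those categories of change. The files and the modifications made in demo() are constructed so that each category appears once.

```python
"""File integrity baseline: detect added, removed, resized and silently altered files (constructed example)."""
import hashlib
import tempfile
from pathlib import Path

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Record size and SHA-256 for every regular file under root, keyed by relative path."""
    snap = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            snap[str(path.relative_to(root))] = {"size": path.stat().st_size,
                                                 "sha256": _sha256(path)}
    return snap

def compare(old: dict, new: dict) -> dict:
    """Report the classic infection signs: new files, missing files, files that
    changed size, and files whose content changed while the size stayed the same
    (cavity infection, or a stealth virus hiding an appended body from the size call)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    resized, changed_same_size = [], []
    for name in sorted(set(old) & set(new)):
        if old[name]["sha256"] == new[name]["sha256"]:
            continue
        (resized if old[name]["size"] != new[name]["size"] else changed_same_size).append(name)
    return {"added": added, "removed": removed,
            "resized": resized, "changed_same_size": changed_same_size}

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "edit.com").write_bytes(b"host-code-A")
        (root / "game.exe").write_bytes(b"host-code-B")
        (root / "note.txt").write_bytes(b"hello")
        before = snapshot(d)
        (root / "edit.com").write_bytes(b"host-code-A" + b"VX-appended")   # appending infection
        (root / "game.exe").write_bytes(b"host-code-Z")                    # same size, content changed
        (root / "note.txt").unlink()                                       # file disappeared
        (root / "vx.com").write_bytes(b"dropped copy")                     # new file appeared
        return compare(before, snapshot(d))
```

Store the baseline (for instance with json.dump) on write-protected or offline media and run the comparison after booting from clean media: a resident stealth virus that intercepts file reads can feed the checker the original contents, so a baseline compared through an infected operating system proves little.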

The most essential characteristics of computer viruses allow the following classification.

By mode of operation:

    memory resident viruses, which after activation stay permanently in the computer's RAM and control access to its resources;

    transit (non-resident) viruses, which execute only at the moment the infected program is launched.

By the object of infection:

    file viruses, which infect files containing programs;

    boot viruses, which infect the programs stored in the system areas of disks.

By the degree and method of disguise:

    viruses that use no camouflage;

    stealth viruses, which try to be invisible;

    mutant viruses (MtE viruses), which contain encryption routines that make different copies of the virus differ from one another.

The most common types of viruses have the following main features.

A non-resident (transit) file virus is located entirely in the executable file, so it is activated only when the virus carrier is run; after completing its actions it returns control to the program itself. It chooses the next file to infect by searching the directory. A memory resident file virus differs from a non-resident one in its logical structure and general algorithm of operation.

A memory resident virus, when it infects a computer, leaves its resident part in RAM, which then intercepts OS calls to the objects of infection (files, boot sectors of disks, etc.) and injects itself into them. Resident viruses stay in memory and remain active until the computer is shut down or the OS is rebooted.

The most common way a PC is infected is by infecting programs when they are launched, and files when they are opened or read. Another option is to infect the boot sector of the magnetic media. Boot viruses can implement a very wide range of infection methods and target functions.

Stealth viruses exploit the weak protection of some operating systems and replace some of their components (disk drivers, interrupt handlers) so that the virus becomes invisible (transparent) to other programs.

Polymorphic viruses are viruses that are quite difficult to detect because they contain no constant section of code. In most cases two samples of the same polymorphic virus will have no byte sequence in common that could serve as a signature.
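As an added illustration (not code from the original text), the following toy polymorphic engine shows both the property described here and the mutation-engine idea from the classification above: the virus body is constant, but every generation re-encrypts it under a freshly chosen method and key behind a random junk prefix, so a signature for the body never matches and two generations share almost no byte sequence. It also shows the standard counter-measure, generic decryption: run the sample's own decryptor and scan the result. BODY, SIGNATURE and the three transform methods are constructed for the example, and the decryptor is a small data header that decode logic interprets, standing in for emulating real decryptor instructions.

```python
"""Toy polymorphic engine and the generic-decryption answer to it (constructed example)."""
import random

BODY = b"VIRUS-BODY: find next file; infect it; jump back to host"   # constant payload, constructed
SIGNATURE = b"VIRUS-BODY"                                            # what a naive scanner looks for

XOR, ADD, SUB = 0x01, 0x02, 0x03          # three interchangeable "decryptor" methods
INVERSE = {XOR: XOR, ADD: SUB, SUB: ADD}  # method that undoes each one

def transform(data: bytes, method: int, key: int) -> bytes:
    if method == XOR:
        return bytes(b ^ key for b in data)
    if method == ADD:
        return bytes((b + key) & 0xFF for b in data)
    if method == SUB:
        return bytes((b - key) & 0xFF for b in data)
    raise ValueError(method)

def mutate(rng: random.Random) -> tuple:
    """Emit one generation: header (junk_len, method, key, body_len), random junk,
    then the body encrypted under a fresh method/key. Returns (sample, (method, key))."""
    method, key = rng.choice([XOR, ADD, SUB]), rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
    header = bytes([len(junk), method, key, len(BODY)])
    return header + junk + transform(BODY, method, key), (method, key)

def naive_scan(sample: bytes) -> bool:
    """Plain signature match on the bytes as stored: defeated by the encryption."""
    return SIGNATURE in sample

def generic_decrypt_scan(sample: bytes) -> bool:
    """Run the sample's own decryptor (parse the header, apply the inverse
    transform), then look for the signature in the decrypted body."""
    if len(sample) < 4:
        return False
    junk_len, method, key, body_len = sample[:4]
    if method not in INVERSE:
        return False
    start = 4 + junk_len
    body = transform(sample[start:start + body_len], INVERSE[method], key)
    return SIGNATURE in body

def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte string present in both samples (dynamic programming)."""
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    s1, k1 = mutate(rng)
    s2, k2 = mutate(rng)
    while k2 == k1:                        # force two genuinely different generations
        s2, k2 = mutate(rng)
    return {"naive": (naive_scan(s1), naive_scan(s2)),
            "generic": (generic_decrypt_scan(s1), generic_decrypt_scan(s2)),
            "common_run": longest_common_run(s1, s2)}
```

Real engines vary the decryptor's instructions as well, which is why scanners emulate the code in a sandboxed CPU until the constant body appears in memory rather than parsing a fixed header; the principle that the invariant only exists after decryption is the same.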

Macro viruses spread under the control of application programs, which makes them independent of the operating system. The overwhelming majority of macro viruses run under Microsoft Word for Windows. The result of a macro virus's "work" can be the destruction of a document created by the application.

The basic principle of a network virus is the ability to transfer its own code to a remote server or workstation. "Full-fledged" network viruses can also execute their code on the remote computer or, at least, "push" the user into launching an infected file.

The best-known network viruses of the late 1980s are also called network worms. They include the Morris worm, the Christmas Tree worm and the WANK worm. To spread, they exploited flaws in the wide-area networks of the time: they transferred copies of themselves from server to server and launched them for execution. The Morris worm epidemic paralysed several wide-area networks in the United States.

The network viruses of the past spread over a computer network and, as a rule, did not modify files or disk sectors. They entered the computer's memory from the network, computed the network addresses of other computers and sent copies of themselves to those addresses. Such viruses sometimes created working files on system disks, but might not touch the computer's resources at all (apart from RAM).

After several outbreaks of network viruses, the errors in network protocols and software were fixed. As a result, for several years not a single case of network virus infection was recorded and not a single new network virus appeared.

It was only in early 1997 that the problem of network viruses arose again, with the appearance of viruses that exploited e-mail. Such a virus creates a new message containing an infected document file, selects three random addresses from the address list and sends the infected message to them. Because many users configure their mail client so that a received message is opened automatically, the virus "automatically" installs itself on the recipient's computer.

By destructive capability, viruses can be divided into the following groups:

    useful viruses, used in games to simulate non-standard situations;

    harmless (non-hazardous) viruses, which do not affect the computer's operation in any way (they can only reduce free disk space as a result of their spreading, and produce various graphic, sound and other effects);

    dangerous viruses, which can lead to serious malfunctions of the computer;

    very dangerous viruses, whose algorithms include procedures that can lead to the loss of programs, destroy data, or erase the information needed for the computer's operation that is recorded in the system areas of memory.

Table 2. Characteristics of computer viruses

Virus class: Not damaging the file structure

    Virus types: multiplying in RAM; annoying the operator

    Nature of the impact: simulated malfunction of the processor, memory, hard disk drive, floppy drive, printer, ports, display or keyboard; text and graphic messages on the terminal, speech synthesis, melodies and sound effects; switching the modes of the keyboard, display, printer or ports.

Virus class: Damaging the file structure

    Virus types: damaging user programs and data; destroying system information (including crypto-viruses)

    Nature of the impact: destruction of program source code and libraries, corruption of databases, text documents, graphics and spreadsheets; destruction of the logical structure of the disk, corruption of the media formatting structure, reformatting of media, damage to operating system files.

Virus class: Acting on the operator's equipment

    Virus types: disabling equipment; acting on the operator

    Nature of the impact: phosphor burn-in, damage to microcircuits, magnetic disks or the printer; impact on the operator's psyche, etc.

Modern computer viruses have a wide range of hostile effects, from harmless jokes to serious damage to hardware. The best-known example in this direction is the Win95.CIH virus, which overwrites the flash memory holding the BIOS (Basic Input/Output System), the code that governs the computer's start-up logic. At the same time, the damage is repairable (the chip has to be reflashed), and preventing the destructive function is simple: it is enough to prohibit BIOS updates (enable flash write protection) in the Setup program.

4.1 File viruses

File viruses are viruses that, when replicating, use the file system of one operating system or another. A file virus can be injected into the executable files of all popular operating systems: DOS, Windows, OS/2, Macintosh, UNIX, etc.

4.1.1 Nonmemory resident file virus

A non-resident file virus is located entirely in the executable file, so it is activated only when the virus carrier is run; after completing its actions it returns control to the program itself. It chooses the next file to infect by searching the directory.

4.1.2 File resident virus

A memory resident file virus differs from a non-resident one in that it infects not only executable files in external storage but also the computer's RAM.

A memory resident virus consists of a so-called installer and interrupt-handling routines. The installer gains control when the virus carrier is run and infects RAM by placing the control part of the virus there and replacing addresses in the interrupt vector table with the addresses of its own routines that handle those interrupts. In the so-called monitoring phase that follows this installation phase, whenever such an interrupt occurs the corresponding virus routine takes control.

Because their general scheme of operation is far more versatile than that of non-resident viruses, resident viruses can implement a variety of infection methods. The most common are infecting programs when they are launched, and files when they are opened or read.
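The installer/monitor structure described here, the interception of OS calls by a memory resident virus described earlier, and the stealth behaviour (stripping the virus from files as they are read, so that only direct disk access reveals it) can all be shown in one model. The following is an added example, not from the original text: a toy operating system whose services are reached through a vector table, a resident virus that hooks open, read and size, and the two checks a scanner uses against it. The file names, contents and PAYLOAD bytes are constructed.

```python
"""Toy model of a resident stealth virus hooking an OS service table (constructed example)."""
PAYLOAD = b"\x90VXVX\x90"      # constructed stand-in for the virus body appended to files

class ToyOS:
    """Minimal 'OS': files live in `disk`; programs reach services through
    `vectors`, the way DOS programs reach the OS through the interrupt vector table."""
    def __init__(self, files: dict):
        self.disk = dict(files)
        self.vectors = {"open": self._open, "read": self._read, "size": self._size}

    def _open(self, name): return name if name in self.disk else None
    def _read(self, name): return self.disk[name]
    def _size(self, name): return len(self.disk[name])

    def call(self, service: str, name: str):   # what programs (and a naive scanner) use
        return self.vectors[service](name)

    def raw_read(self, name: str) -> bytes:    # direct disk access, bypassing the vectors
        return self.disk[name]

class ResidentStealthVirus:
    def install(self, os_: ToyOS) -> None:
        """Installer phase: save the original handlers and point the vectors at ours."""
        self.os, self.orig = os_, dict(os_.vectors)
        os_.vectors.update({"open": self.hook_open, "read": self.hook_read,
                            "size": self.hook_size})

    def hook_open(self, name):
        """Monitoring phase: infect executables as they are opened."""
        data = self.os.disk.get(name)
        if data is not None and name.endswith(".com") and not data.endswith(PAYLOAD):
            self.os.disk[name] = data + PAYLOAD
        return self.orig["open"](name)

    def hook_read(self, name):
        """Stealth: strip the appended body from anything read through the OS."""
        data = self.orig["read"](name)
        return data[:-len(PAYLOAD)] if data.endswith(PAYLOAD) else data

    def hook_size(self, name):
        return len(self.hook_read(name))

def vector_check(os_: ToyOS, baseline: dict) -> list:
    """Detect hooks: service entries whose handler is not the known-good one."""
    return sorted(s for s, h in os_.vectors.items() if h != baseline[s])

def cross_view_scan(os_: ToyOS) -> list:
    """Detect stealth: compare the size the OS reports with the raw on-disk size."""
    return sorted(n for n in os_.disk if os_.call("size", n) != len(os_.raw_read(n)))

def demo() -> dict:
    os_ = ToyOS({"edit.com": b"host-code-A", "game.com": b"host-code-B", "notes.txt": b"text"})
    baseline = dict(os_.vectors)               # recorded while the system is clean
    ResidentStealthVirus().install(os_)
    os_.call("open", "edit.com")               # the user runs edit.com: infected on open
    os_.call("open", "notes.txt")              # not an executable: left alone
    return {"api_view": os_.call("read", "edit.com"),
            "raw_view": os_.raw_read("edit.com"),
            "hooked": vector_check(os_, baseline),
            "stealth_hits": cross_view_scan(os_),
            "api_only_scan": [n for n in os_.disk if os_.call("read", n).endswith(PAYLOAD)]}
```

vector_check corresponds to comparing the interrupt vector table (on modern systems, kernel service tables and API entry points) against known-good addresses; cross_view_scan corresponds to reading the disk below the file system and comparing with what the OS reports, which is why the text says stealth detection needs direct disk access. Note that a scanner relying only on the hooked API (api_only_scan) finds nothing.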

4.1.3 Overwriting viruses

An overwriting virus writes its own code in place of the code of the infected file, destroying its contents; the file stops working and cannot be restored. Such viruses give themselves away quickly, as the operating system and applications soon stop working.

4.1.4 Parasitic viruses

Parasitic viruses change the contents of files while leaving the files themselves fully or partially functional. They are subdivided into viruses that write themselves to the beginning, the end, or the middle of files.
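The mechanics of a parasitic virus, together with the entry-point redirection and the unconditional jump back described earlier ("the virus gets control before the program itself") and the non-resident virus's single directory search, are shown below in an added example that is not part of the original text. The executable format is a toy one (a list of instructions with an entry index), so the appending infection is visible without touching real binaries: the host code stays intact, the virus body is appended, the entry is moved to it, and the body ends with a jump to the old entry. A signature scan and the entry-point heuristic that real scanners apply to appending infectors are included; all names and contents are constructed.

```python
"""Toy model of a non-resident, appending parasitic file virus (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# A toy "executable": a list of instructions plus an entry index. Opcodes:
#   ("PRINT", text)  ("JMP", index)  ("HALT",)  ("INFECT",)  ("NOP", tag)
@dataclass
class Program:
    name: str
    code: list
    entry: int = 0

VIRUS_MARK = "VX"          # constant bytes a signature scanner can look for

def virus_body(return_to: int) -> list:
    """The virus: a marker, the infection routine, and the unconditional jump
    back to what was the carrier's first instruction before infection."""
    return [("NOP", VIRUS_MARK),
            ("PRINT", "virus runs first"),
            ("INFECT",),
            ("JMP", return_to)]

def is_infected(p: Program) -> bool:
    return ("NOP", VIRUS_MARK) in p.code

def infect(victim: Program) -> Program:
    """Appending infection: host code kept intact, virus body appended, entry
    moved to the body. The body's final JMP targets the old entry."""
    if not is_infected(victim):
        body = virus_body(return_to=victim.entry)
        victim.entry = len(victim.code)        # new entry = first appended instruction
        victim.code = victim.code + body
    return victim

def select_victim(directory: dict) -> Optional[Program]:
    """Non-resident virus: one pass over the directory for a clean file."""
    for p in directory.values():
        if not is_infected(p):
            return p
    return None

def run(p: Program, directory: dict, max_steps: int = 100) -> list:
    """Interpret the toy program; returns the trace of printed lines so the
    execution order (virus first, host afterwards) is visible."""
    trace, pc = [], p.entry
    for _ in range(max_steps):
        op = p.code[pc]
        if op[0] == "HALT":
            break
        if op[0] == "PRINT":
            trace.append(op[1])
        elif op[0] == "INFECT":
            v = select_victim(directory)
            if v is not None:
                infect(v)
                trace.append(f"infected {v.name}")
        elif op[0] == "JMP":
            pc = op[1]
            continue
        pc += 1                                 # PRINT, INFECT and NOP fall through
    return trace

def scan(directory: dict) -> list:
    """Signature scan: files containing the constant virus marker."""
    return sorted(n for n, p in directory.items() if is_infected(p))

def entry_point_heuristic(directory: dict) -> list:
    """Entry point sitting in the tail of the code rather than at its start is
    typical of an appending infector (the idea behind real 'EP in last section' heuristics)."""
    return sorted(n for n, p in directory.items() if p.entry > 0 and p.entry >= len(p.code) - 4)

def demo() -> dict:
    directory = {n: Program(n, [("PRINT", f"{n}: hello"), ("HALT",)])
                 for n in ("a.com", "b.com", "c.com")}
    infect(directory["a.com"])                  # "primary" infection from outside
    t1 = run(directory["a.com"], directory)     # infects b.com, then runs a.com normally
    t2 = run(directory["b.com"], directory)     # infects c.com
    t3 = run(directory["c.com"], directory)     # nothing clean left to infect
    return {"t1": t1, "t2": t2, "t3": t3,
            "scan": scan(directory), "heuristic": entry_point_heuristic(directory)}
```

The traces show why the user notices nothing: each carrier still does what it did before, only after the virus has found and infected the next file.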

4.1.5 Companion viruses

Companion viruses do not modify the infected files; instead they create a twin file for the infected file, and when the infected program is launched it is this twin, i.e. the virus, that gets control.
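Companion viruses work because of how the command processor resolves a bare program name. The following added example (not from the original text) reproduces the DOS rule, .COM before .EXE before .BAT in the current directory and then along the PATH, and provides two checks a practitioner can run over a file listing: same-name .COM/.EXE pairs in one directory, and same-name programs earlier on the search path that shadow the real one. The file listing and search path are constructed.

```python
"""Companion-virus mechanics: DOS search order and a check for shadowing files (constructed example)."""
from typing import Optional

DOS_ORDER = (".com", ".exe", ".bat")   # COMMAND.COM tries these in this order in each directory

def resolve(command: str, search_path: list, listing: set) -> Optional[str]:
    """Resolve a bare command name the way COMMAND.COM does: the current directory
    first, then each PATH entry, trying .COM before .EXE before .BAT."""
    for directory in search_path:
        for ext in DOS_ORDER:
            candidate = f"{directory}/{command}{ext}".lower()
            if candidate in listing:
                return candidate
    return None

def _split(path: str) -> tuple:
    directory, _, filename = path.rpartition("/")
    stem, _, ext = filename.rpartition(".")
    return directory, stem, "." + ext

def companion_pairs(listing: set) -> list:
    """Classic companion: a .COM beside a .EXE/.BAT of the same name, so the
    .COM wins the search order and runs first."""
    by_name = {}
    for path in listing:
        directory, stem, ext = _split(path)
        by_name.setdefault((directory, stem), set()).add(ext)
    return sorted((d, s) for (d, s), exts in by_name.items()
                  if ".com" in exts and exts & {".exe", ".bat"})

def path_shadows(search_path: list, listing: set) -> list:
    """PATH companion: the same name in an earlier search directory shadows the
    real program further down the PATH. Returns (shadowing file, [shadowed files])."""
    by_stem = {}
    for path in listing:
        directory, stem, _ = _split(path)
        if directory in search_path:
            by_stem.setdefault(stem, []).append((search_path.index(directory), path))
    hits = []
    for stem, entries in by_stem.items():
        entries.sort()
        if len({idx for idx, _ in entries}) > 1:
            hits.append((entries[0][1], [p for _, p in entries[1:]]))
    return sorted(hits)

def demo() -> dict:
    listing = {"c:/dos/edit.exe", "c:/dos/edit.com", "c:/dos/format.com",
               "c:/tools/zip.exe", "c:/temp/zip.com"}
    search_path = ["c:/temp", "c:/dos", "c:/tools"]     # current directory, then PATH
    return {"edit": resolve("edit", search_path, listing),
            "zip": resolve("zip", search_path, listing),
            "companions": companion_pairs(listing),
            "shadows": path_shadows(search_path, listing)}
```

The same search-order weakness survives on Windows, where cmd.exe consults the current directory and PATHEXT in a similar way, so the two checks remain a useful audit of a machine's PATH directories.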

4.1.6 File worms

File worms are a kind of companion virus, but they do not tie their presence to any executable file. When replicating they simply copy their code into some directories on the disk in the hope that the user will one day launch these copies.

4.1.7 Link viruses

Link viruses exploit particular features of file system organisation. Like companion viruses, they do not change the physical contents of files; however, when an infected file is launched they "force" the operating system to execute the virus code by modifying the relevant fields of the file system.

4.1.8 OBJ, LIB and viruses in source

These are viruses that infect compiler libraries, object modules and program source code. Viruses that infect OBJ and LIB files write their code into them in the format of an object module or library. The infected file is not executable and in that state cannot spread the virus further. The carrier of the "live" virus is the COM or EXE file obtained by linking the infected OBJ/LIB file with other object modules and libraries. Thus the virus spreads in two stages: at the first, OBJ/LIB files are infected; at the second (linking), a working virus is produced.

4.2 Macroviruses

Macro viruses are programs in macro languages built into some data-processing systems (word processors, spreadsheets, etc.). They infect the documents and spreadsheets of a number of office editors.

To reproduce, they use the capabilities of the macro language and with its help transfer themselves from one infected file to others. The most widespread are macro viruses for Microsoft Word, Excel and Office 97. Viruses of this type gain control when an infected file is opened and infect the files that are subsequently accessed from the corresponding office application (Word, Excel, etc.).
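Because a macro virus must both run automatically when the document is opened and copy itself into other documents or the global template, those two properties make a usable triage heuristic. The following added example, not part of the original text, scores VBA source on exactly that: auto-execute procedure names, identifiers needed to copy code between VBA projects, and identifiers typical of a payload. The identifier lists are a heuristic selection, the two VBA samples are constructed, and extracting VBA source from a real .doc/.docm file is a separate step (tools such as oletools' olevba do it).

```python
"""Heuristic triage of extracted VBA macro source (constructed example)."""
import re

# Procedure names Word/Excel run automatically when a document or workbook is opened or closed.
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "autonew", "autoexit",
             "document_open", "document_close", "document_new",
             "workbook_open", "workbook_activate", "auto_open", "auto_close"}
# Identifiers a macro needs to copy itself into other documents or the global template.
SELF_COPY = {"vbproject", "vbcomponents", "codemodule", "addfromstring",
             "organizercopy", "macrocopy", "normaltemplate"}
# Identifiers typical of a payload rather than of document editing.
PAYLOAD_CALLS = {"shell", "createobject", "kill", "environ", "filecopy", "sendkeys"}

PROC_RE = re.compile(r"^\s*(?:private\s+|public\s+)?(?:sub|function)\s+([a-z_]\w*)", re.I | re.M)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

def assess(vba_source: str) -> dict:
    """Classify one module's VBA source. VBA is case-insensitive, so everything
    is compared in lower case."""
    procs = [p.lower() for p in PROC_RE.findall(vba_source)]
    idents = {i.lower() for i in IDENT_RE.findall(vba_source)}
    auto = sorted(p for p in procs if p in AUTO_EXEC)
    self_copy = sorted(idents & SELF_COPY)
    payload = sorted(idents & PAYLOAD_CALLS)
    if auto and self_copy:
        verdict = "likely macro virus"
    elif auto and payload:
        verdict = "suspicious auto-executing macro"
    elif auto:
        verdict = "auto-executing macro, review"
    else:
        verdict = "no auto-execution"
    return {"auto_exec": auto, "self_copy": self_copy, "payload": payload, "verdict": verdict}

# Constructed sample: copies its own module into the global template on open.
INFECTED_VBA = """\
Sub AutoOpen()
    On Error Resume Next
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    dst.AddFromString src.Lines(1, src.CountOfLines)
End Sub
"""

# Constructed sample: an ordinary editing macro.
BENIGN_VBA = """\
Sub FormatTable()
    Selection.Tables(1).AutoFormat
End Sub
"""

def demo() -> dict:
    return {"infected": assess(INFECTED_VBA), "benign": assess(BENIGN_VBA)}
```

A macro that reaches into VBProject is itself a strong signal: Office blocks programmatic access to the VBA project by default, and a document that needs it almost never has a legitimate reason.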

A computer virus is a kind of computer program or malicious code whose hallmark is the ability to reproduce (self-replicate). In addition, viruses can perform other arbitrary actions without the user's knowledge, including actions that harm the user and/or the computer.

Spread. Viruses spread by copying their body and ensuring its subsequent execution: by embedding themselves in the executable code of other programs, replacing other programs, registering themselves for autorun, and so on. Channels: flash drives; e-mail; instant messaging systems; web pages; the Internet and local area networks (worms).

You should therefore take some precautions, in particular:

· Do not work under privileged accounts unless absolutely necessary.

· Do not run unfamiliar programs from questionable sources.

· Try to block the possibility of unauthorised changes to system files.

· Disable potentially dangerous system functionality (for example media autorun in MS Windows, the hiding of files and of their extensions, etc.).

· Do not visit suspicious sites; pay attention to the address in the browser's address bar.

· Use only trusted distributions.

· Regularly back up important data and keep a system image with all settings for quick redeployment.

· Regularly update frequently used programs, especially those that ensure system security.

Computer viruses are of the following types:

· File viruses, which infect .exe and .com files, sometimes only .com. The command shell is infected first, and through it all other programs. The most dangerous are memory resident viruses, which stay permanently in RAM. Infection occurs when the infected program is launched (at least once), that is, when the virus gains control and is activated. These viruses damage programs and data, and can sometimes destroy the contents of an entire hard drive.

· Boot viruses, which infect the boot sectors of hard drives and floppy disks. They are the most dangerous for a computer because, as a result of their destructive work, the computer stops booting, sometimes immediately after infection. Infection takes place when the computer is booted, or merely attempts to boot, with an infected floppy disk in the drive.

· Viruses that infect the drivers listed in config.sys and the DOS system files. This stops the computer from booting.

· DIR viruses, which alter the file system structure.

· Invisible, or stealth, viruses. They are very hard to find. The simplest masking technique: when a file is infected, the virus makes it appear that the file length has not changed.

· Self-modifying viruses. They change their structure and code at random and are very difficult to detect. They are also called polymorphic. Two copies of the same virus of this type may contain no identical byte sequences.

· Network viruses, which infect machines working on a network, including the Internet.

· Word, Excel, Access and PowerPoint viruses, which infect documents and macros of MS Office programs.

· Windows viruses, which operate in the Windows environment and corrupt data there.

18. Computer viruses. Characteristics.

1. Logic bomb. Secretly embedded in a computer program. It is meant to fire only once, when certain logical conditions are met. In this case the "bomb" is automatically removed once the given criminal action has been carried out.

2. Trojan horse. Consists in the covert introduction of a malicious computer program into someone else's software, which allows other functions not planned by the program's developer to be carried out secretly. These means of committing a crime are used to obtain confidential information covertly, for example a login or password for Internet access.

3. Trojan matryoshka. An automatic constructor for creating malicious computer programs according to an algorithm set by the criminal. It is disguised as an ordinary computer program. When it enters the software environment of the victim's computer, an algorithm is automatically triggered that creates modules from which the malicious program is subsequently assembled. Once these are created, the original software self-destructs; then the modules self-destruct. Such cycles can be repeated indefinitely, like nesting dolls one inside another.

4. Worm. A self-replicating and self-propagating virus created specifically to function in a computer network. Unlike an ordinary virus, which spreads as a separate data file, this malicious program stores its modules on several workstations in the network. When one or more modules are destroyed on the corresponding number of workstations, the worm automatically recreates them each time the disinfected computer reconnects to the network, like an earthworm cut into pieces.