All about computer viruses

INTRODUCTION


We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people had mastered many of the secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But in addition to matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of our century, special devices appeared - computers focused on storing and converting information, and a computer revolution took place.

Today, the mass use of personal computers, unfortunately, turned out to be associated with the emergence of self-reproducing virus programs that prevent the normal operation of a computer, destroy the file structure of disks and damage the information stored in a computer.

Despite the laws adopted in many countries to combat computer crime and the development of special anti-virus software, the number of new software viruses is constantly growing. This requires the user of a personal computer to understand the nature of viruses, how they infect a computer, and how to protect against them. This was the stimulus for choosing the theme of my work.

That's what I'm talking about in my essay. I show the main types of viruses, consider the schemes of their functioning, the reasons for their appearance and ways of penetrating the computer, and also suggest measures for protection and prevention.

The purpose of the work is to acquaint the user with the basics of computer virology and to teach how to detect viruses and fight them. The method of work is the analysis of printed publications on this topic. I faced a difficult task - to talk about what has been very little studied, and how it turned out - you be the judge.


1. COMPUTER VIRUSES, THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Personal computers are now in use in which the user has free access to all the resources of the machine. This is what opened the door to the danger that has come to be known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to give a "modern" definition of the virus have not been successful. To feel the complexity of the problem, try, for example, to define the concept of "editor". You will either come up with something very general, or you will start listing all known types of editors. Both can hardly be considered acceptable. Therefore, we will confine ourselves to considering some properties of computer viruses that allow us to speak of them as a certain specific class of programs.

First of all, a virus is a program. Such a simple statement alone can dispel many legends about the extraordinary capabilities of computer viruses. The virus can flip the image on your monitor, but it cannot flip the monitor itself. Legends about killer viruses “destroying operators by displaying a deadly color scheme on the 25th frame” should not be taken seriously either. Unfortunately, some authoritative publications from time to time publish "the latest news from the computer front", which, upon closer examination, turn out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This property is the only one inherent in all types of viruses. But viruses are not the only things capable of self-replication: any operating system and many other programs are capable of creating copies of themselves. Copies of the same virus not only do not have to match the original completely, but may not match it at all!

A virus cannot exist in "complete isolation": today one cannot imagine a virus that does not use other programs' code, file structure information, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.


1.2. Virus classification

Currently, more than 5,000 software viruses are known. They can be classified according to the following criteria:

- habitat

- method of infecting the habitat

- impact

- features of the algorithm


Depending on the habitat, viruses can be divided into network, file, boot, and file-boot viruses. Network viruses are distributed over various computer networks. File viruses are introduced mainly into executable modules, that is, into files with COM and EXE extensions. File viruses can be embedded in other types of files, but, as a rule, once written into such files they never receive control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of a disk (Boot sector) or in the sector containing the system disk's boot program (Master Boot Record). File-boot viruses infect both files and disk boot sectors.

According to the method of infection, viruses are divided into resident and non-resident. A resident virus, when infecting a computer, leaves its resident part in RAM, which then intercepts the operating system's accesses to infection targets (files, disk boot sectors, etc.) and intrudes into them. Resident viruses reside in memory and remain active until the computer is turned off or restarted. Non-resident viruses do not infect computer memory and are active only for a limited time.

According to the degree of impact, viruses can be divided into the following types:

- harmless, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses manifest themselves in some graphic or sound effects

- dangerous viruses, which can cause various problems in the operation of your computer

- very dangerous, whose impact can lead to the loss of programs, the destruction of data, and the erasure of information in the system areas of the disk.

2. MAIN VIRUS TYPES AND SCHEMES OF THEIR FUNCTIONING

Among the variety of viruses, the following main groups can be distinguished:

- boot

- file

- file-boot

Now in more detail about each of these groups.


2.1. Boot viruses

Consider the operation of a very simple boot virus that infects floppy disks. We deliberately bypass all the numerous subtleties that would inevitably be encountered in a rigorous analysis of the algorithm for its functioning.

What happens when you turn on your computer? First, control is transferred to the bootstrap program, which is stored in read-only memory (ROM); we will call it PNZ ROM.

This program tests the hardware and, if the tests pass, tries to find the floppy disk in drive A:

Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but this is not essential for us.

Among the sectors there are several service sectors used by the operating system for its own needs (your data cannot be placed in these sectors). Among the service sectors, we are interested in one - the so-called bootstrap sector (boot sector).

The boot sector stores information about the diskette - the number of surfaces, the number of tracks, the number of sectors, etc. But now we are interested not in this information but in the small bootstrap program (PNZ), which must load the operating system itself and transfer control to it.

So the normal bootstrap pattern is as follows:

Now consider the virus. In boot viruses, two parts are distinguished - the so-called head and tail. The tail, generally speaking, can be empty.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a diskette that is not write-protected and not yet infected, it proceeds to infect. When infecting a floppy disk, the virus performs the following actions:

- allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, but in the simplest and most traditional case the sectors occupied by the virus are marked as bad

- copies its tail and the original (healthy) boot sector to the allocated disk area

- replaces the bootstrap program in the (real) boot sector with its head

- organizes the chain of control transfer according to the scheme.

Thus, the head of the virus is now the first to take control, the virus is installed in memory and transfers control to the original boot sector. In a chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: never (accidentally) leave floppy disks in drive A.

We have examined the operation of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks but also the boot sectors of hard drives. In this case, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When a computer boots from a hard drive, the boot program in the MBR (Master Boot Record) takes control first. If your hard drive is divided into several partitions, only one of them is marked as bootable. The bootstrap program in the MBR finds the boot partition of the hard drive and transfers control to the bootloader of that partition. The code of the latter is the same as the code of the boot program found on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, boot viruses have two objects of attack on a hard drive: the bootstrap program in the MBR and the boot program in the boot sector of the boot partition.


2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let's consider the scheme of functioning of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus takes control, performs some actions, and transfers control to the "master" (although it is still unknown who is the master in such a situation).

What actions does the virus perform? It looks for a new object to infect - a file of a suitable type that has not yet been infected (if the virus is "decent"; otherwise there are those that infect immediately without checking anything). When infecting a file, the virus injects itself into its code in order to gain control when the file is run. In addition to its main function, reproduction, the virus may well do something intricate (say, ask a question, play a tune) - this depends on the imagination of the virus author. If a file virus is resident, it installs itself into memory and gains the ability to infect files and display its other abilities not only while the infected file is running. By infecting an executable file, a virus always modifies its code, and therefore infection of an executable file can always be detected. But by changing the file's code, the virus does not necessarily make other changes:

- it is not obliged to change the length of the file

- it may occupy unused sections of code

- it is not required to change the beginning of the file

Finally, viruses that "have something to do with files" but are not required to intrude into their code are often also counted among file viruses. Let us consider as an example the scheme of functioning of viruses of the well-known Dir-II family. It must be admitted that, having appeared in 1991, these viruses caused a real epidemic in Russia. Consider a model that clearly shows the basic idea of the virus. Information about files is stored in directories. Each directory entry includes the file name, creation date and time, some additional information, the number of the file's first cluster, and several spare bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When running an executable file, the system reads the number of the file's first cluster from the directory entry and then all the other clusters. Viruses of the Dir-II family perform the following "reorganization" of the file system: the virus itself is written to some free disk sectors, which it marks as bad. In addition, it stores the information about the first clusters of executable files in the spare bytes, and writes references to itself in place of this information.

Thus, when any file is launched, the virus receives control (the operating system launches it itself), resides in memory, and transfers control to the called file.


2.3. Boot-file viruses

We will not consider the boot-file virus model, because you would learn nothing new from it. But here is an opportunity to briefly discuss the recently extremely "popular" OneHalf boot-file virus, which infects the master boot sector (MBR) and executable files. Its main destructive action is the encryption of hard drive sectors. Each time it is launched, the virus encrypts another portion of sectors, and after encrypting half of the hard drive it happily announces this. The main problem in treating this virus is that it is not enough simply to remove the virus from the MBR and files; it is also necessary to decrypt the information it encrypted. The most "deadly" thing one can do is simply to write a new healthy MBR over the infected one. The main thing is not to panic. Weigh everything calmly and consult with experts.


2.4. Polymorphic viruses

Most of the questions are related to the term "polymorphic virus". This type of computer virus is by far the most dangerous. Let's explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two instances of the same virus may not match in one bit.

Such viruses not only encrypt their code using different encryption paths, but also contain the generation code of the encryptor and decryptor, which distinguishes them from ordinary encryption viruses, which can also encrypt sections of their code, but at the same time have a constant code of the encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption is that even if you have both an infected and an original file, you will still not be able to analyze the virus code using conventional disassembly. This code is encrypted and is a meaningless set of commands. Decryption is performed by the virus itself at run time. Several options are possible here: it can decrypt itself all at once, or it can perform such decryption "on the go", re-encrypting sections that have already executed. All this is done to make it difficult to analyze the virus code.


3. HISTORY OF COMPUTER VIROLOGY AND REASONS FOR THE APPEARANCE OF VIRUSES


The history of computer virology today seems to be a constant "race for the leader", and, despite the full power of modern anti-virus programs, it is viruses that are the leaders. Among the thousands of viruses, only a few dozen are original developments using truly fundamentally new ideas. All others are "variations on a theme". But each original development forces the creators of antiviruses to adapt to new conditions, to catch up with virus technology. The latter can be disputed. For example, in 1989, an American student managed to create a virus that disabled about 6,000 US Department of Defense computers. Or the epidemic of the famous Dir-II virus that broke out in 1991. The virus used a truly original, fundamentally new technology and at first managed to spread widely due to the imperfections of traditional anti-virus tools.

Or the outbreak of computer viruses in the UK: Christopher Pine managed to create the Pathogen and Queeq viruses, as well as the Smeg virus. It was the latter that was the most dangerous: it could be applied to the first two viruses, and because of this they changed their configuration after each run of the program, so they were impossible to destroy. To spread the viruses, Pine copied computer games and programs, infected them, and then sent them back to the network. Users downloaded the infected programs to their computers and infected their disks. The situation was aggravated by the fact that Pine managed to introduce the viruses into the program that fights them. By running it, users, instead of destroying viruses, received another one. As a result, the files of many companies were destroyed, and the losses amounted to millions of pounds.

American programmer Morris is widely known. He is known as the creator of the virus that in November 1988 infected about 7,000 personal computers connected to the Internet.

The reasons for the appearance and spread of computer viruses are hidden, on the one hand, in the psychology of the human personality and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to apply one's abilities constructively), and on the other hand, in the lack of hardware protection and countermeasures in the operating systems of personal computers.


4. WAYS OF PENETRATION OF VIRUSES INTO A COMPUTER AND MECHANISM OF DISTRIBUTION OF VIRUS PROGRAMS


The main ways for viruses to enter a computer are removable disks (floppy and laser), as well as computer networks. Hard disk infection with viruses can occur when a program is loaded from a floppy disk containing a virus. Such an infection can also be accidental, for example, if the floppy disk was not removed from drive A and the computer was restarted, while the floppy disk may not be a system one. It is much easier to infect a floppy disk. A virus can get on it even if the floppy disk is simply inserted into the disk drive of an infected computer and, for example, its table of contents is read.

The virus, as a rule, is introduced into a working program in such a way that when the program is launched, control is first transferred to the virus, and only after all its commands have been executed is control returned to the working program. Having gained control, the virus first of all writes itself into another working program and infects it. After a program containing a virus has been run, it becomes possible to infect other files. Most often, the boot sector of the disk and executable files with the EXE, COM, SYS, and BAT extensions are infected. Text files are infected extremely rarely.

After infecting a program, the virus may perform some kind of sabotage, not too serious so as not to attract attention. And finally, it does not forget to return control to the program from which it was launched. Each execution of an infected program transfers the virus to the next one. In this way, all the software becomes infected.

To illustrate the process of infecting a computer program with a virus, it makes sense to liken disk storage to an old-fashioned archive with folders on tape. The folders contain programs, and the sequence of operations for the introduction of a virus in this case will look like this. (See Appendix 1)


5. SIGNS OF VIRUSES

When a computer is infected with a virus, it is important to detect it. To do this, you should know about the main signs of the manifestation of viruses. These include the following:

- termination or incorrect operation of previously successfully functioning programs

- slow computer performance

- inability to boot the operating system

- disappearance of files and directories or distortion of their contents

- changes in the modification date and time of files

- changes in file sizes

- an unexpected large increase in the number of files on the disk

- a significant decrease in the amount of free RAM

- display of unexpected messages or images on the screen

- unforeseen sound signals

- frequent freezes and computer crashes

It should be noted that the above phenomena are not necessarily caused by the presence of the virus, but may be due to other causes. Therefore, it is always difficult to correctly diagnose the state of the computer.


6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus? Traditional approach

So, a certain virus writer creates a virus and launches it into "life". For some time it may roam freely, but sooner or later the easy life will end. Someone will suspect something is wrong. As a rule, viruses are detected by ordinary users who notice certain anomalies in the behavior of their computer. In most cases they are not able to cope with the infection on their own, but this is not required of them.

It is only necessary that the virus gets into the hands of specialists as soon as possible. Professionals will study it and find out "what it does", "how it does it", "when it does it", etc. In the process of such work, all the necessary information about the virus is collected; in particular, the virus signature is extracted - a sequence of bytes that identifies it quite unambiguously. To build a signature, the most important and characteristic parts of the virus code are usually taken. At the same time, the mechanisms of the virus's operation become clear: for example, in the case of a boot virus it is important to know where it hides its tail and where the original boot sector is located, and in the case of a file virus, how the file is infected. The information obtained allows us to determine:

- how to detect the virus: for this, methods of searching for the signature in the potential objects of a virus attack - files and/or boot sectors - are specified

- how to neutralize the virus: if possible, algorithms for removing the virus code from affected objects are developed


6.2. Virus detection and protection programs

To detect, remove, and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:

- detector programs

- doctor programs, or phages

- auditor programs

- filter programs

- vaccine programs, or immunizers

Detector programs search RAM and files for the signature characteristic of a particular virus and, if it is found, issue an appropriate message. The disadvantage of such anti-virus programs is that they can only find viruses known to the developers of the program.
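The signature search just described, as an added example that is not the code of any product named on this page. The virus names, the signatures and the scanned boot sectors and files are all constructed for the demonstration; "??" in a signature matches any single byte, and a one-byte variant of a known virus is included to show the limitation the text mentions.

```python
"""Signature-based detector of the kind described above (added example)."""
import re

# Constructed, hypothetical signatures. kind says where the signature is
# meaningful: in boot sectors or in files. A real product ships thousands.
SIGNATURES = {
    "Demo.Boot.A": ("boot", "fa 33 c0 8e d0 bc 00 7c ?? ?? 50"),
    "Demo.File.B": ("file", "e8 00 00 5d 81 ed ?? ?? 2e 8c 86"),
}


def compile_signature(hex_pattern):
    """Turn a spaced hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")  # any single byte (DOTALL below covers 0x0A)
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: (kind, compile_signature(pattern))
            for name, (kind, pattern) in SIGNATURES.items()}


def scan_object(obj_name, kind, data, sigs=COMPILED):
    """Return (object, virus, offset) for every signature hit in one object."""
    hits = []
    for virus, (sig_kind, pattern) in sigs.items():
        if sig_kind != kind:
            continue
        for match in pattern.finditer(data):
            hits.append((obj_name, virus, match.start()))
    return hits


def scan_all(objects):
    """objects maps a name to (kind, bytes); every object is scanned in turn."""
    hits = []
    for obj_name, (kind, data) in objects.items():
        hits.extend(scan_object(obj_name, kind, data))
    return hits


def build_samples():
    """Constructed boot sectors and files, including a variant the signature misses."""
    clean_boot = b"\xeb\x3c\x90" + b"\x00" * 509
    infected_boot = bytes.fromhex("fa 33 c0 8e d0 bc 00 7c 01 02 50") + b"\x00" * 501
    body = bytes.fromhex("e8 00 00 5d 81 ed 03 01 2e 8c 86")
    infected_com = b"\x90" * 40 + body + b"\x00" * 20
    # Same code with its last byte changed: an unknown variant, not in the signature base.
    variant_com = b"\x90" * 40 + body[:-1] + b"\x87" + b"\x00" * 20
    return {
        "A:\\boot": ("boot", infected_boot),
        "C:\\boot": ("boot", clean_boot),
        "GAME.COM": ("file", infected_com),
        "VARIANT.COM": ("file", variant_com),
        "CLEAN.EXE": ("file", b"MZ" + b"\x00" * 60),
    }


if __name__ == "__main__":
    for obj, virus, offset in scan_all(build_samples()):
        print(f"{obj}: {virus} at offset {offset}")
```

Only the two objects carrying a known signature are reported; VARIANT.COM, which differs by a single byte, passes unnoticed, which is exactly why detectors must be updated and combined with auditors.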

Doctor programs, or phages, and vaccine programs not only find virus-infected files but also "treat" them, i.e. remove the body of the virus program from the file, returning the file to its original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to the "treatment" of files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses. The most famous of them are Aidstest, Scan, Norton AntiVirus, and Doctor Web.

Given that new viruses are constantly appearing, detection programs and doctor programs quickly become outdated, and regular updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories, and system areas of the disk while the computer is not infected with a virus, and then periodically or at the user's request compare the current state with the original one. The detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, the cyclic redundancy check code (file checksum), the date and time of modification, and other parameters are checked. Auditor programs have fairly advanced algorithms, detect stealth viruses, and can even distinguish changes in a new version of the program being checked from changes made by a virus. Among auditor programs is the Adinf program, widely used in Russia.
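An auditor of the kind described above, as an added example that is not Adinf or any other product's code. It records a baseline of length, CRC32 checksum and modification time for every object under a directory and reports what changed; the sample boot sector image, program files and timestamps are constructed here, and the "changes" include a same-length overwrite with the original date restored, which only the checksum reveals.

```python
"""Integrity auditor modelled on the approach described above (added example)."""
import os
import shutil
import tempfile
import zlib

CHECKED_FIELDS = ("length", "crc32", "mtime")


def fingerprint(path):
    """Return the parameters the auditor compares for one object."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "length": st.st_size,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,  # the "cyclic control code"
        "mtime": int(st.st_mtime),
    }


def take_baseline(root):
    """Fingerprint every file under root (programs, data, saved system areas).

    Must be taken while the machine is known to be clean, and compared after
    booting from write-protected media, so a resident stealth virus cannot
    feed the auditor a faked picture of the disk.
    """
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def compare(baseline, current):
    """Report missing, new and changed objects; changed ones list the differing fields."""
    report = {}
    for name in sorted(baseline.keys() | current.keys()):
        if name not in current:
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "new"
        else:
            old, new = baseline[name], current[name]
            diff = [k for k in CHECKED_FIELDS if old[k] != new[k]]
            if diff:
                report[name] = "changed: " + ",".join(diff)
    return report


def demo():
    """Build a constructed disk image in a temp dir, take a baseline, then alter it."""
    root = tempfile.mkdtemp(prefix="auditor_demo_")

    def write(name, data, mtime=1_000_000_000):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))  # constructed, deterministic timestamp

    try:
        write("BOOT.SEC", b"\xEB\x3C\x90" + b"\x00" * 509)        # saved boot sector image
        write("PROG.COM", b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 27)  # 32-byte program
        write("CLEAN.EXE", b"MZ" + b"\x00" * 62)
        write("DATA.TXT", b"hello\r\n")
        baseline = take_baseline(root)

        # Constructed changes: PROG.COM is overwritten with the same length and its
        # original date/time restored, so only the checksum betrays it; the boot
        # sector image grows; a file disappears; an unknown executable appears.
        write("PROG.COM", b"\xE9\x10\x00" + b"\xCC" * 29)
        write("BOOT.SEC", b"\xEB\x3C\x90" + b"\x00" * 509 + b"\x55\xAA", mtime=1_000_000_100)
        os.remove(os.path.join(root, "DATA.TXT"))
        write("NEW.EXE", b"MZ" + b"\x00" * 16)
        return compare(baseline, take_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10} {status}")
```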

Filter programs, or "watchmen", are small resident programs designed to detect suspicious computer activity characteristic of viruses. Such actions may be:

- attempts to modify files with COM and EXE extensions

- changes to file attributes

- direct writes to the disk at an absolute address

- writes to disk boot sectors

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful, as they are able to detect a virus at the earliest stage of its existence before reproduction. However, they do not "heal" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "annoyance" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program, which is part of the MS DOS utility package.

Vaccines or immunizers are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not take root. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks, complete destruction of detected viruses on each computer helps to avoid the spread of a virus epidemic to other computers.


6.3. Basic measures to protect against viruses

In order not to expose your computer to viruses and ensure reliable storage of information on disks, you must follow the following rules:

- equip your computer with up-to-date anti-virus programs, such as Aidstest and Doctor Web, and constantly update their versions

- before reading information stored on other computers from floppy disks, always check these diskettes for viruses by running anti-virus programs on your computer

- when transferring archived files to your computer, check them immediately after unpacking them on your hard disk, limiting the check to the newly written files

- periodically scan your computer's hard drives for viruses by running anti-virus programs that test files, memory and the system areas of disks from a write-protected floppy disk, after loading the operating system from a write-protected system diskette

- always write-protect your floppy disks when working on other computers if no information will be written to them

- be sure to make archival copies on diskettes of information that is valuable to you

- do not leave floppy disks in drive A when turning on or rebooting the computer, to prevent infection of the computer by boot viruses

- use anti-virus programs for input control of all executable files received from computer networks

- to ensure greater security, the use of Aidstest and Doctor Web must be combined with the daily use of the Adinf disk auditor

CONCLUSION

So, we can cite many facts indicating that the threat to information resources is growing every day, alarming the responsible people in banks, enterprises, and companies around the world. This threat comes from computer viruses that distort or destroy vital, valuable information, which can lead not only to financial losses but also to human casualties.

Computer virus - a specially written program that can spontaneously attach to other programs, create copies of itself and embed them in files, computer system areas and computer networks in order to disrupt programs, damage files and directories, and create all kinds of interference in the computer.

Currently, more than 5,000 software viruses are known, the number of which is constantly growing. There are cases when tutorials were created to help in writing viruses.

The main types of viruses: boot, file, file-boot. The most dangerous type of viruses is polymorphic.

From the history of computer virology, it is clear that any original computer development forces the creators of antiviruses to adapt to new technologies, constantly improve antivirus programs.

The reasons for the appearance and spread of viruses are hidden on the one hand in human psychology, on the other hand, with the lack of protection in the operating system.

The main ways for viruses to penetrate are removable drives and computer networks. To prevent this from happening, take precautions. Also, several types of special programs called anti-virus programs have been developed to detect, remove and protect against computer viruses. If you still find a virus in your computer, then according to the traditional approach, it is better to call a professional so that he can figure it out further.

But some properties of viruses puzzle even experts. Until quite recently, it was hard to imagine that a virus could survive a cold reboot or spread through document files. Under such conditions, one cannot fail to attach importance to at least the basic anti-virus education of users. Despite the seriousness of the problem, no virus is capable of causing as much harm as a pale user with trembling hands!


So, the health of your computers, the safety of your data - in your hands!





E. KASPERSKY and D. ZENKIN

The outbreak of the computer virus "LoveLetter" ("Love Letters") that broke out in May of this year once again confirmed the danger posed by such a "computer fauna". Having penetrated hundreds of thousands of computers around the world, the virus destroyed a huge amount of important information, literally paralyzing the work of the largest commercial and government organizations.

This is what the "love letters" sent by e-mail by the "LoveLetter" virus look like. To start the virus, it is enough to click on the icon.

This picture is what the "Tentacle" virus shows when any GIF file is viewed on an infected computer. The inscription on the picture reads: "I am the Tentacle virus."

The "Marburg" virus shows those lovely crosses and... deletes files from disks.

Script virus "Monopoly" mocked the head of Microsoft Bill Gates. In addition to displaying a funny picture, the virus quietly sends secret information from the computer.

Unfortunately, the phenomenon of "computer virus" still causes more superstitious awe than the desire to soberly understand the situation and take security measures. What are these viruses? How dangerous are they? What methods of anti-virus protection exist today and how effective are they? Experts of the leading Russian manufacturer of anti-virus programs Kaspersky Lab discuss these and other topics.

WHAT IS A COMPUTER VIRUS?

This seemingly simple question has not yet been answered unambiguously. In the specialized literature, one can find hundreds of definitions of the concept of "computer virus", many of which differ almost diametrically. Russian "virology" usually adheres to the following definition: a computer virus is a program that infiltrates computers without the user's knowledge and performs various unauthorized actions there. This definition would be incomplete without one more property that is mandatory for a computer virus: its ability to "reproduce", that is, to create its duplicates and embed them in computer networks and/or files, computer system areas, and other executable objects. Moreover, the duplicates of the virus may not coincide with the original.

The ability of viruses to "reproduce" makes some people want to compare them with a "special form of life" and even endow these programs with some kind of "evil intelligence" that makes them perform vile tricks in order to achieve their goal. However, this is nothing more than fiction and a fantasy game. Such a perception of events is reminiscent of medieval ideas about evil spirits and witches, which no one saw, but everyone was afraid of. "Reproduction" of viruses is no different from, for example, copying files from one directory to another by a program. The only difference is that these actions are performed without the knowledge of the user, that is, no messages appear on the screen. In all other respects, a virus is the most common program that uses certain computer commands.

Computer viruses are one subspecies of a large class of programs called malicious code. Today the two terms are often used interchangeably, but strictly speaking this is not correct. Malicious code also includes the so-called "worms" and "Trojan horses". Their main difference from viruses lies in how, or whether, they copy themselves: neither embeds itself into existing files or system areas.

A worm spreads over computer networks (local or global) without infecting host files. Instead it automatically, without the user's knowledge, sends out copies of itself, for example by e-mail.

"Trojan" programs usually have no built-in distribution mechanism at all: they get onto a computer only "with the help" of their authors or of people who use them illegally. Recall the legend of the Trojan War. After many unsuccessful attempts to take Troy by storm, the Greeks resorted to a trick: they built a wooden horse and left it behind, pretending to retreat. The horse was hollow and hid a detachment of Greek soldiers. The Trojans themselves dragged it through the city gates. Trojan programs enter a computer the same way, under the guise of useful, amusing and often highly "lucrative" programs. For example, the user receives an e-mail inviting him to run the attached file, which supposedly contains, say, a million rubles. Once the file is launched, a program that performs various undesirable actions quietly settles on the computer. It can, for instance, spy on the owner of the infected machine (record which sites he visits, which passwords he uses to access the Internet, and so on) and send the collected data to its author.

Recently, so-called "mutants", that is, malicious programs that combine the features of several classes at once, have become more frequent. A typical example is the "Melissa" macro virus, which caused a major epidemic in March 1999: it spread over networks like a classic Internet worm. "LoveLetter" is also a cross between a network worm and a virus. In more complex cases a malicious program can combine the traits of all three types (for example, the "BABYLONIA" virus).

ORIGIN OF COMPUTER VIRUSES

Oddly enough, the idea of computer viruses arose long before personal computers. In 1959 the British scientist L. S. Penrose published an article in Scientific American on self-reproducing mechanical structures. It described the simplest model of two-dimensional structures capable of activation, reproduction, mutation and capture. Soon afterwards the American researcher F. G. Stahl implemented this model in machine code on an IBM 650.

In those days computers were huge, hard to operate and extremely expensive, so only large companies or government computing and research centres could own them. But in April 1977 the first "people's" personal computer, the Apple II, rolled off the assembly line. Its price, reliability, simplicity and ease of use predetermined its wide distribution. More than three million units of this series were sold (not counting its numerous clones, such as the Pravets 8M/S, Agat and others), an order of magnitude more than all other computers available at the time. Millions of people of various professions, social strata and mentalities thus gained access to computers. It is not surprising that the first prototypes of modern computer viruses appeared precisely then, because two of the most important conditions for their development had been met: an expanded "living space" and a means of distribution.

Conditions then became ever more favourable for viruses. The range of personal computers available to the average user grew; hard disks appeared alongside 5.25-inch floppies; local networks developed rapidly, as did data transfer over ordinary dial-up telephone lines. The first dial-up bulletin board systems (BBS) appeared, greatly simplifying the exchange of programs between users. Later, many of them grew into large online services (CompuServe, AOL and others). All this helped fulfil the third most important condition for the development and spread of viruses: individuals and groups engaged in writing them began to appear.

Who writes virus programs, and why? This question (with a request to supply the author's address and telephone number) worries above all those who have already suffered a virus attack and lost the results of many years of painstaking work. The popular portrait of the average "virus writer" looks like this: a man of 23, an employee of a bank or financial organisation responsible for information security or network administration. According to our data, however, he is somewhat younger (14 to 20 years old) and is a student, or has no occupation at all. What unites all virus writers is the desire to stand out and prove themselves, even in the manner of Herostratus. In everyday life such people often look like touching, quiet types who would not hurt a fly. All their vital energy, hatred of the world and selfishness find an outlet in creating small "computer scoundrels". They tremble with pleasure on learning that their "brainchild" has caused a real epidemic in the computer world. But that is already the province of psychiatrists.

The 1990s, the heyday of the global Internet, turned out to be the most fertile time for computer viruses. Hundreds of millions of people around the world perforce became "users", and computer literacy became almost as necessary as the ability to read and write. Whereas earlier computer viruses developed mainly extensively (their number grew, but not their quality), today, thanks to improved data transmission technologies, the opposite can be said. The "primitive ancestors" are giving way to ever more "intelligent" and "cunning" viruses, far better adapted to the new conditions. Virus programs are no longer limited to corrupting files and boot sectors or playing harmless tunes: some are capable of overwriting the flash BIOS on the motherboard. At the same time, their masking, encryption and distribution techniques sometimes surprise even the most experienced specialists.

WHAT ARE VIRUSES

To date about 55,000 computer viruses have been registered. Their number grows constantly, and completely new, previously unknown types keep appearing, so classifying viruses becomes harder every year. In general they can be grouped by three main features: habitat, operating system and the algorithms they use. By these three classifications the well-known "Chernobyl" virus, for example, is a resident, non-polymorphic Windows file virus. Let us explain in more detail what this means.

1. Habitat

Depending on the habitat, file, boot and macro viruses are distinguished.

At first the most common form of computer "infection" was the file virus, "living" in the files and folders of the operating system. These include, for example, overwriting viruses. Once on the computer, they write their own code over the code of the infected file, destroying its contents. Naturally, the file stops working and cannot be restored. Such viruses are rather primitive, however: as a rule they reveal themselves very quickly and cannot cause an epidemic.

Companion viruses behave more "cunningly". They do not change the file itself but create a twin for it in such a way that when the infected program is launched it is the twin, that is, the virus, that gets control. For example, companion viruses under DOS exploit the fact that, given a bare command name, this operating system looks for a file with the COM extension first and only then for one with the EXE extension. Such viruses create twins of EXE files with the same name but the COM extension. The virus writes itself into the COM file and does not change the EXE file at all. When the program is launched, DOS finds and executes the COM file first, that is, the virus, and only then does the virus launch the EXE file.

Sometimes companion viruses simply rename the infected file and write their own code to disk under the old name. For example, the file XCOPY.EXE is renamed XCOPY.EXD and the virus is written under the name XCOPY.EXE. When the file is launched, the virus code takes control and then launches the original XCOPY, stored under the name XCOPY.EXD. Viruses of this type have been found in many operating systems, not only in DOS but also in Windows and OS/2.

There are other ways to create duplicate files. For example, "path-companion" viruses exploit the DOS PATH variable, the list of directories in which DOS looks for an executable after the current directory. The virus copies its code under the name of the infected program but places it not in the same directory as the original, but in one that DOS searches earlier (the current directory, or a directory listed earlier in PATH). DOS then finds and launches the virus file first.
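The lookup order that companion and path-companion viruses rely on, and the check a practitioner would run for the twins they leave behind, as an added example (this is not code from the original article). The directory listings, the PATH value and the XCOPY twins are constructed; a real check would walk the actual file system.

```python
"""DOS-style executable lookup and a check for companion-virus twins.

Added example, not from the original article. The directory listings and the
PATH value below are constructed to illustrate the lookup order the text
describes; a real check would walk the actual file system.
"""

# Extensions DOS tries, in order, when given a bare command name.
DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")


def candidates(command, cwd, path_dirs, listing):
    """All files DOS would consider for `command`, in search order; the first one runs.

    `listing` maps a directory to the set of upper-case file names in it.
    The current directory is searched before the PATH entries, and within
    one directory the extension order above decides.
    """
    stem = command.upper()
    found = []
    for directory in (cwd, *path_dirs):
        names = listing.get(directory, set())
        for ext in DOS_EXT_ORDER:
            if stem + ext in names:
                found.append(directory + "\\" + stem + ext)
    return found


def resolve_dos(command, cwd, path_dirs, listing):
    """Return the path DOS would actually run for `command`, or None."""
    found = candidates(command, cwd, path_dirs, listing)
    return found[0] if found else None


def companion_pairs(listing):
    """List (directory, com_name, exe_name) for every .COM/.EXE pair sharing a stem.

    A .COM twin next to an .EXE is exactly what a classic companion virus
    leaves behind. The pair is a lead to inspect, not proof of infection:
    some legitimate packages ship both.
    """
    found = []
    for directory, names in listing.items():
        exe_stems = {n[:-4] for n in names if n.endswith(".EXE")}
        com_stems = {n[:-4] for n in names if n.endswith(".COM")}
        for stem in sorted(exe_stems & com_stems):
            found.append((directory, stem + ".COM", stem + ".EXE"))
    return found


# Constructed listings: the same machine before and after a companion virus.
PATH_DIRS = ["C:\\DOS"]
CLEAN = {
    "C:\\WORK": {"REPORT.TXT"},
    "C:\\DOS": {"XCOPY.EXE", "FORMAT.COM"},
}
INFECTED = {
    "C:\\WORK": {"REPORT.TXT", "XCOPY.COM"},              # path-companion planted in the current directory
    "C:\\DOS": {"XCOPY.EXE", "XCOPY.COM", "FORMAT.COM"},  # classic .COM twin beside the .EXE
}

if __name__ == "__main__":
    for label, fs in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, "xcopy runs:", resolve_dos("xcopy", "C:\\WORK", PATH_DIRS, fs))
        print(label, "all candidates:", candidates("xcopy", "C:\\WORK", PATH_DIRS, fs))
        print(label, "twins:", companion_pairs(fs))
```

On the infected listing `xcopy` typed in C:\WORK resolves to the planted C:\WORK\XCOPY.COM, and even from C:\DOS the .COM twin wins over XCOPY.EXE; listing every candidate rather than only the winner is what makes both kinds of companion visible.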

The operating principle of boot viruses is based on the operating system's startup sequence. These viruses infect the boot sector of a floppy or hard disk, a special area on the disk that holds the program which starts loading the operating system. If the contents of the boot sector are changed, the computer may not even start.

Macro viruses are a kind of computer virus written in the macro languages built into popular office applications such as Word, Excel, Access, PowerPoint, Project, CorelDRAW and others (see "Science and Life" No. 6, 2000). Macro languages are used to write small programs (macros) that make office applications more efficient. For example, you can create a macro in Word that automates filling out and sending faxes: the user enters data into the form fields and clicks a button, and the macro does the rest. The trouble is that, besides useful macros, malicious ones can also get onto the computer, able to create copies of themselves and perform actions without the user's knowledge, such as changing the contents of documents or deleting files and directories. These are macro viruses.

The richer a particular macro language, the more cunning, sophisticated and dangerous the macro viruses written in it can be. The most common macro language today is Visual Basic for Applications (VBA), and its capabilities grow with every new version. Thus, the more advanced office applications become, the more dangerous it will be to work in them. Macro viruses therefore pose a real threat to computer users today. By our forecasts, every year they will become more elusive and dangerous, and the speed of their spread will soon reach unprecedented levels.

2. Operating system used.

Each file or network virus infects files of one or more operating systems: DOS, Windows, OS/2, Linux, MacOS and so on. This is the basis of the second classification. For example, the "BOZA" virus, which works only on Windows and nowhere else, is a Windows virus; "BLISS" is a Linux virus, and so on.

3. Work algorithms.

Viruses can also be distinguished by the algorithms they use, that is, various software tricks that make them so dangerous and elusive.

First, all viruses can be divided into resident and non-resident. A resident virus is like a spy permanently working in a foreign country. Once loaded into the computer's RAM, it remains there until the computer is switched off or restarted, and it is from there that it performs all its destructive actions. Non-resident viruses do not stay in memory and can "reproduce" only while the infected program is running.

All macro viruses can also be classified as resident: they stay in memory for as long as the infected application is running.

Second, viruses can be visible or invisible. For the layman, the invisibility of a virus is perhaps its most mysterious property, but there is nothing demonic about it. "Invisibility" means that the virus, by software tricks, does not let the user or the anti-virus program notice the changes it made to the infected file. Permanently present in memory, the stealth virus intercepts the operating system's requests to read and write such files. Having intercepted a request, it substitutes the original, uncorrupted content for the infected file. The user thus always sees only "clean" programs, while the virus quietly does its "dirty deed". One of the first stealth file viruses was "Frodo", and the first stealth boot virus was "Brain".

To disguise themselves from anti-virus programs as much as possible, many viruses use self-encryption or polymorphism, that is, they encrypt and modify their own code. By changing their appearance (program code), they fully retain the ability to perform their malicious actions. Previously, anti-virus programs could detect viruses only "by sight", that is, by their unique program code, so the appearance of polymorphic viruses a few years ago caused a real revolution in computer virology. Now universal methods of dealing with such viruses exist.

METHODS TO FIGHT AGAINST COMPUTER VIRUSES

Remember the main rule in the fight against computer viruses: do not panic. Around the clock, thousands of highly qualified anti-virus specialists stand guard over computer security, and their professionalism many times exceeds the combined potential of all the computer hooligans. In Russia, two companies conduct anti-virus research: Kaspersky Lab (www.avp.ru) and SalD (www.drweb.ru).

To resist the attempts of viruses to get onto your computer, you must meet two simple conditions: follow the basic rules of "computer hygiene" and use anti-virus programs.

Since the anti-virus industry came into being, many ways of countering computer viruses have been devised, and the variety of protection systems on offer today is truly amazing. Let us try to work out the advantages and disadvantages of the various methods of protection and how effective they are against the various types of viruses.

To date, there are five main approaches to ensuring anti-virus security.

1. Antivirus scanners.

The pioneer of the anti-virus movement is the scanner, a program born almost simultaneously with computer viruses themselves. A scanner works by checking all files, boot sectors and memory for virus signatures, that is, for sequences of bytes unique to the program code of a given virus.

The main drawback of the scanner is its inability to keep up with modifications of a virus. For example, there are dozens of variants of "Melissa", and for almost every one of them the anti-virus companies had to release a separate database update.

This leads to the second problem: between the appearance of a new modification of a virus and the release of the corresponding update, the user remains practically unprotected. True, experts later devised and built into scanners an original algorithm for detecting unknown viruses, the heuristic analyser, which checks program code for signs that a virus may be present. However, this method has a high false-positive rate, is not reliable enough and, moreover, cannot remove the viruses it detects.

Finally, the third drawback of the scanner is that it checks files only when "asked" to, that is, when the user runs it. Meanwhile, users very often forget to check dubious files downloaded, for example, from the Internet, and so infect the computer with their own hands. The scanner can establish the fact of infection only after the virus has already appeared in the system.
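How a signature scan works, why a few changed bytes (a "variant") or a self-encrypted body (the polymorphism discussed under "Work algorithms") slips past it, and what the scanner has to do to get the body back before matching, as an added example that is not part of the original article. BODY, the "decoder stub" prefix and the samples are constructed inert byte strings that only stand in for a virus body; the masked and decrypting scans are simplified illustrations of techniques real scanners use, not any product's code.

```python
"""Signature scanning, why one changed byte or an encrypted body defeats it,
and how a scanner recovers the body before matching.

Added example, not from the original article. BODY, the "decoder stub"
prefix and the samples are constructed inert byte strings; they stand in
for a virus body only so the matching logic can be shown.
"""

# Constructed fixed virus body and the 8-byte signature a scanner would carry for it.
BODY = b"\xb8\x00\x4c\xcd\x21CONSTRUCTED-BODY"
SIGNATURE = BODY[:8]

# Constructed "decoder stub": the bytes a self-encrypting sample starts with,
# followed by the one-byte XOR key it uses to decode the body at run time.
STUB = b"\xeb\x02"


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def make_sample(key, host=b"MZHOST-PROGRAM"):
    """Host program with an appended self-encrypting copy: stub, key byte, XOR'd body."""
    return host + STUB + bytes([key]) + xor_bytes(BODY, key)


def scan_exact(data, signature=SIGNATURE):
    """Plain signature scan: the bytes must appear verbatim."""
    return signature in data


def scan_masked(data, pattern):
    """Signature with wildcards: `pattern` is a list of ints, None matching any byte.

    One entry covers variants that differ in the masked positions, at the
    price of more false positives the more positions are masked.
    """
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


def scan_decrypting(data, signature=SIGNATURE):
    """Find each stub, take the key byte after it, decode the rest and rescan.

    A very small stand-in for the emulation / generic-decryption step real
    scanners use against self-encrypting and polymorphic viruses.
    """
    pos = data.find(STUB)
    while pos >= 0:
        key_at = pos + len(STUB)
        if key_at < len(data):
            decoded = xor_bytes(data[key_at + 1:], data[key_at])
            if signature in decoded:
                return True
        pos = data.find(STUB, pos + 1)
    return False


# Masked signature: the five opcode bytes fixed, the three text bytes wildcarded.
MASKED_SIGNATURE = list(SIGNATURE[:5]) + [None] * 3


def demo():
    """Run all three scans over a plain sample, a three-byte variant and an encrypted copy."""
    plain = make_sample(0)                              # key 0: body stored in clear
    encrypted = make_sample(0x5A)                       # same body, XOR'd with 0x5A
    variant = plain.replace(b"\x21CON", b"\x21con")     # "variant": three body bytes changed
    return {
        "plain": (scan_exact(plain), scan_masked(plain, MASKED_SIGNATURE), scan_decrypting(plain)),
        "variant": (scan_exact(variant), scan_masked(variant, MASKED_SIGNATURE), scan_decrypting(variant)),
        "encrypted": (scan_exact(encrypted), scan_masked(encrypted, MASKED_SIGNATURE), scan_decrypting(encrypted)),
    }


if __name__ == "__main__":
    for name, (exact, masked, decrypting) in demo().items():
        print(f"{name:10s} exact={exact} masked={masked} decrypting={decrypting}")
```

The exact signature catches only the unmodified sample; the masked signature also catches the variant but would need a database entry per key to catch the encrypted copy, which is why the decrypting scan, despite being slower, is what makes one entry cover every key a self-encrypting virus can choose.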

2. Antivirus monitors.

At heart, anti-virus monitors are a type of scanner. Unlike scanners, however, they stay in the computer's memory permanently and check files, boot sectors and memory in the background, in real time. To turn on this protection, the user only needs to have the monitor loaded when the operating system boots; every executable file is then checked for viruses automatically.

3. Change auditors.

This type of anti-virus program works by taking "fingerprints" (checksums, such as CRC sums) of files and system sectors and storing them in a database. On each subsequent run the auditor compares the current "fingerprints" with the stored ones and reports any changes to the user.

Change auditors have their disadvantages too. First, they cannot catch a virus at the moment it appears in the system, only some time later, after it has already spread across the computer. Second, they cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or unpacked from an archive), because the auditor's database holds no information about those files. Some viruses exploit this by infecting only newly created files and thus staying invisible to auditors. Third, auditors have to be run regularly: the more often this is done, the tighter the control over virus activity.
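What an auditor's "fingerprint" check looks like, why the stealth viruses described under "Work algorithms" defeat it when it runs on the live system, and why files created after the baseline fall outside its judgement, as an added example that is not part of the original article. The "disk" is a dictionary of constructed file contents and VIRUS_BODY is an inert marker string standing in for an appended virus body; nothing here is real virus code.

```python
"""A change auditor (size + CRC32 fingerprints) and why a resident stealth virus fools it.

Added example, not from the original article. The "disk" is a dictionary of
constructed file contents, and VIRUS_BODY is an inert marker string standing
in for an appended virus body; nothing here is real virus code.
"""
import zlib

VIRUS_BODY = b"<constructed-virus-body>"  # appended to a host file on "infection"


def fingerprint(data):
    """Size plus CRC32, the kind of "fingerprint" an auditor stores."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF


def raw_read(disk, name):
    """What a clean-booted system (no virus in memory) reads from disk."""
    return disk[name]


def stealth_read(disk, name):
    """What a resident stealth virus hands back when something reads a file.

    Like "Frodo", it intercepts the read and serves the original bytes of an
    infected file, so the size and checksum look unchanged.
    """
    data = disk[name]
    if data.endswith(VIRUS_BODY):
        return data[: -len(VIRUS_BODY)]
    return data


def take_baseline(disk, read):
    """Fingerprint every file on the disk through the given read function."""
    return {name: fingerprint(read(disk, name)) for name in disk}


def audit(disk, baseline, read):
    """Compare current fingerprints with the baseline; report changed, new and missing files."""
    report = {"changed": [], "new": [], "missing": []}
    for name in sorted(disk):
        if name not in baseline:
            report["new"].append(name)  # no baseline: the auditor cannot judge it
        elif fingerprint(read(disk, name)) != baseline[name]:
            report["changed"].append(name)
    report["missing"] = sorted(set(baseline) - set(disk))
    return report


def infect(disk, name):
    """Append the marker body to a host file (an appending file virus, simplified)."""
    disk[name] = disk[name] + VIRUS_BODY


def scenario():
    """Baseline a clean disk, infect it, then audit with and without the stealth hook active."""
    disk = {
        "XCOPY.EXE": b"MZ" + b"\x90" * 64,          # constructed host programs
        "FORMAT.COM": b"\xb8\x00\x4c\xcd\x21",
        "README.TXT": b"plain text, never infected",
    }
    baseline = take_baseline(disk, raw_read)  # taken while the system is clean
    infect(disk, "XCOPY.EXE")
    disk["NEW.EXE"] = b"MZ" + VIRUS_BODY      # infected file created after the baseline
    return {
        "stealth_active": audit(disk, baseline, stealth_read),  # auditor run on the live, infected system
        "clean_boot": audit(disk, baseline, raw_read),          # auditor run from a clean boot disk
    }


if __name__ == "__main__":
    for run, report in scenario().items():
        print(run, report)
```

With the stealth hook active the auditor reports no changed files at all; only the run from a clean boot sees XCOPY.EXE, which is why auditors are run from a write-protected boot floppy. In both runs NEW.EXE is merely listed as new: nothing in the database says whether it is infected.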

4. Immunizers.

Immunizers come in two types: those that report an infection, and those that block infection by a particular virus.

The first type is usually written to the end of a file (the way a file virus does it) and checks the file for changes each time it is launched. Such immunizers have only one drawback, but it is fundamental: they are quite unable to detect stealth viruses that hide their presence in an infected file.

The second type protects the system from attack by a specific virus. The files are modified so that the virus takes them for already infected. For example, to prevent a COM file from being infected by the "Jerusalem" virus, it is enough to append the string MsDos to it. To protect against a resident virus, a program that imitates a copy of the virus is loaded into memory: when the virus starts, it finds it, concludes that the system is already infected and leaves it alone.

Of course, files cannot be immunized against all known viruses: each has its own way of recognising an already infected file. That is why immunizers never became widespread and are practically not used today.

5. Behavioral blockers.

None of the types of anti-virus listed above solves the main problem: protection against unknown viruses. Computer systems remain defenceless against them until the anti-virus manufacturers develop an antidote, which sometimes takes several weeks. In that time you can lose all your important information.

We will be able to answer the question "what to do with unknown viruses?" unequivocally only in the coming millennium, but some predictions can be made today. In our opinion, the most promising direction in anti-virus protection is the creation of so-called behavioural blockers. They are capable of resisting attacks by new viruses with an almost 100% guarantee.

What is a behavioural blocker? It is a program that stays in the computer's RAM permanently and "intercepts" various events in the system. If it detects "suspicious" actions (ones that a virus or other malicious program might perform), the blocker either forbids the action or asks the user for permission. In other words, the blocker does not look for virus code; it watches for the virus's actions and prevents them.

In theory, a blocker can prevent the spread of any virus, known or unknown (including ones written after the blocker). The problem is that "virus-like" actions can also be performed by the operating system itself and by useful programs. A behavioural blocker (we mean here the "classic" blocker used against file viruses) cannot tell on its own who is performing a suspicious action, a virus, the operating system or some ordinary program, and therefore has to ask the user for confirmation. The user who makes the final decision must thus have enough knowledge and experience to give the right answer, and there are few such people. That is why blockers have not yet become popular, although the idea of creating them appeared quite long ago. Their strengths often became their weaknesses: they seemed too intrusive, pestered the user with constant questions, and users simply deleted them. Unfortunately, this situation can only be remedied by artificial intelligence that works out for itself the reasons for a given suspicious action.

However, even today, behavioral blockers can be successfully used to combat macro viruses. In programs written in the VBA macro language, it is possible to distinguish harmful actions from useful ones with a very high degree of probability. At the end of 1999, Kaspersky Lab developed a unique anti-virus protection system for MS Office (versions 97 and 2000) based on new approaches to behavioral blocking principles - AVP Office Guard. Thanks to the analysis of the behavior of macroviruses, the most common sequences of their actions were determined. This made it possible to introduce a new highly intelligent system for filtering macro actions into the blocker program, which almost unmistakably identifies those that are a real danger. Thanks to this, the AVP Office Guard blocker, on the one hand, asks the user much fewer questions and is not as "intrusive" as its file counterparts, and on the other hand, it almost 100% protects the computer from macro viruses, both known and not yet written.

AVP Office Guard also intercepts and blocks the execution of multi-platform macro viruses, that is, viruses that can work in several applications at once. In addition, it controls how macros interact with external applications, including e-mail programs, which closes the route by which macro viruses spread by e-mail. It was by just that route, a script mailed to the victim that then mails itself to everyone in the victim's Outlook address book, that "LoveLetter" hit tens of thousands of computers around the world in May 2000.

The blocker's effectiveness would be nil if macro viruses could simply switch it off. (This is one of the shortcomings of the anti-virus protection built into the MS Office applications themselves.) AVP Office Guard has a new mechanism that resists attempts by macro viruses to disable it or remove it from the system: only the user can do that. Using AVP Office Guard thus spares you the perpetual headache of downloading and installing anti-virus database updates to keep up with new macro viruses. Once installed, it will reliably protect the computer from macro viruses until a new version of the VBA language appears with new functions that can be used to write viruses.

Although the behavioural blocker solves the problem of detecting macro viruses and preventing their spread, it is not designed to remove them. It must therefore be used together with an anti-virus scanner that can destroy the detected virus. The blocker lets you safely wait out the period between the detection of a new virus and the release of a database update for the scanner, without interrupting the operation of computer systems for fear of losing valuable data for good or seriously damaging the computer hardware.
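A behavioural blocker for macro actions that works the way the section describes, giving a verdict per action and using sequences of actions rather than single calls to tell a mass-mailing macro from the fax-form macro mentioned earlier, as an added example. This is not AVP Office Guard or any other product's code; the action names, the rules and both macro traces are constructed, and a real blocker would hook the application's macro interpreter and object model instead of replaying a list.

```python
"""A behaviour blocker for macro actions, modelled on the approach described in the text.

Added example, not Kaspersky Lab's AVP Office Guard or any other product.
The action names, the rules and both macro traces are constructed; a real
blocker would hook the application's macro interpreter and object model.
"""

# Where a macro that copies itself "takes root" so that every new document runs it.
GLOBAL_TEMPLATES = {"normal.dot", "normal.dotm", "personal.xls", "startup"}

# Actions no useful office macro needs (constructed vocabulary).
ALWAYS_BLOCK = {"disable_macro_security", "format_disk"}

# Actions that are dangerous but occasionally legitimate: ask the user.
ASK_USER = {"shell_exec", "write_registry", "delete_file"}


class MacroBlocker:
    """Tracks one macro session and gives a verdict per action: allow, ask or block."""

    def __init__(self):
        self.seen = set()   # actions already performed in this session
        self.trace = []     # (action, target, verdict) for an audit log

    def verdict(self, action, target=""):
        target = target.lower()
        if action in ALWAYS_BLOCK:
            v = "block"
        elif action == "import_module" and target in GLOBAL_TEMPLATES:
            v = "block"   # macro copies itself into a global template: self-replication
        elif action == "send_mail" and "read_address_book" in self.seen:
            v = "block"   # harvested addresses followed by sending: mass-mailer pattern
        elif action in ASK_USER:
            v = "ask"
        else:
            v = "allow"
        self.seen.add(action)
        self.trace.append((action, target, v))
        return v


def replay(events):
    """Run a whole action trace through a fresh blocker; return the list of verdicts."""
    blocker = MacroBlocker()
    return [blocker.verdict(action, target) for action, target in events]


def summarize(events):
    """Count verdicts for a trace: how often the user is bothered, how much is stopped."""
    verdicts = replay(events)
    return {v: verdicts.count(v) for v in ("allow", "ask", "block")}


# Constructed trace of a harmless fax-form macro like the one the text describes.
FAX_MACRO = [
    ("read_form_field", "Recipient"),
    ("read_form_field", "Fax number"),
    ("write_document", "fax.doc"),
    ("print_document", "fax.doc"),
    ("send_mail", "fax-gateway@example.test"),  # one message, no address-book harvest
]

# Constructed trace with the action sequence typical of a mass-mailing macro virus.
MAILER_MACRO = [
    ("open_document", "invoice.doc"),
    ("export_module", "self.bas"),
    ("import_module", "Normal.dot"),            # takes root in the global template
    ("read_address_book", "Outlook"),
    ("send_mail", "address 1 of 50"),
    ("send_mail", "address 2 of 50"),
    ("write_registry", "HKCU\\Software\\Example\\Level"),  # constructed key name
]

if __name__ == "__main__":
    for name, events in (("fax macro", FAX_MACRO), ("mailer macro", MAILER_MACRO)):
        print(name, summarize(events), replay(events))
```

The fax macro passes without a single question, while the mailer is stopped twice on its own actions (taking root in Normal.dot, sending after harvesting the address book) and asks only once; that difference in prompt count is what makes a sequence-aware macro blocker tolerable where the per-call file-virus blockers were not.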

RULES OF "COMPUTER HYGIENE"

  • Never open files sent by e-mail by people you do not know. Even if the sender is known to you, be careful: your friends and partners may not suspect that a virus has settled on their computer and is silently sending copies of itself to the addresses in their address book.
  • Always check all floppy disks, CDs and other removable media, as well as files received from the Internet and other public sources (BBS, electronic conferences and so on), with a virus scanner at its maximum scanning level.
  • Run a full anti-virus scan of your computer after getting it back from a repair service. Repairers use the same floppy disks to check every computer and can very easily carry an "infection" over from another machine.
  • Install "patches" from the manufacturers of the operating systems and programs you use promptly.
  • Be careful about letting other users work on your computer.
  • To keep your data safe, back it up regularly to separate media.

To work at the computer comfortably and safely you need at least a minimum of knowledge about protecting personal data. First of all you need to know what a computer virus is, and you need to remember that the best means of dealing with one is anti-virus software.

A computer virus can be defined as software that can copy itself, infiltrate system code and other programs, and damage the information stored on the computer's media; in rare cases (for example, by overwriting the motherboard's flash BIOS) it can also put the hardware out of action.

The main purpose of any virus is to do harm, steal information or spy on a computer, though other behaviour is seen as well. Self-replication is what lets a virus do the most damage. Because viruses can reproduce not only within one machine but also travel over networks, including global ones, outbreaks on the scale of an epidemic are possible.

Phases and states characteristic of computer viruses

  • Passive existence: the virus is stored on the hard disk but takes no action until the conditions set by its author are met.
  • Reproduction: the virus creates many copies of itself, placing them on the hard disk and sending them over the local network.
  • Active existence: the virus begins to carry out its purpose, whether destroying or copying data, filling disk space or consuming RAM.

How did computer viruses originate?

Officially, the history of computer viruses begins in 1981. Computer technology was in its infancy, and nobody yet knew what a computer virus was. Richard Skrenta wrote the first boot virus, Elk Cloner, for the Apple II. It was relatively harmless and displayed a short poem. Later, viruses for MS-DOS began to appear. In 1987 three virus epidemics were recorded at once, helped along by the arrival of relatively inexpensive IBM computers and the growth of computerisation around the globe.

The first outbreak was caused by the "Brain" malware, also known as the "Pakistani virus". It was written by the Alvi brothers, reportedly to punish users of pirated copies of their software. The brothers did not expect the virus to spread beyond Pakistan, but it did, and computers around the world were infected with Brain.

The second outbreak occurred at Lehigh University in the United States: several hundred floppy disks in the university computer centre's library were destroyed. The epidemic was of medium scale for those times; the virus affected only about 4,000 computers.

The third virus, "Jerusalem", appeared in several countries at once. On Friday the 13th it deleted every program that was run. Of the epidemics of 1987-1988 this was the largest.

1990 was the starting point of the active fight against viruses. By then many harmful programs had been written, but until the 1990s they were not a major problem.

In 1995 more complex viruses began to appear, and in the same year there was an incident in which disks carrying a beta version of Windows 95 turned out to be infected.

Today the expression "computer virus" is familiar to everyone, and the malware industry is growing and developing rapidly. New viruses appear daily: for computers, for telephones, and now for watches. To counter them, various companies produce protection systems, yet computers in every corner of the world still get infected.

Ebola computer virus

The "Ebola" computer virus is much discussed today. It is sent by e-mail, hiding behind the names of well-known companies. It infects the software installed on the computer and can very quickly delete everything installed on the machine; it also replicates, including over the local network. For this reason "Ebola" is considered one of the most dangerous specimens around today.

Malware classification

Computer viruses are classified by various criteria. By their behaviour they are conventionally divided into six categories: by habitat, by code structure, by the way they infect the computer, by integrity, by capabilities, and, in addition, a category of unclassified viruses.

By habitat, there are the following types of computer viruses:

  • Network: spread over local or global networks, infecting a huge number of computers around the world.
  • File: embed themselves in a file, infecting it; the danger begins when the infected file is executed.
  • Boot: embed themselves in the boot sector of the disk and start executing when the system boots.

According to the structural features of the code, viruses are divided into:

Viruses are divided into two groups according to the way they infect code:

  • Resident: malicious programs that install themselves in RAM and stay there.
  • Non-resident: viruses that do not stay in RAM.

According to integrity, they are divided into:

  • Distributed: programs split into several files, with a script that defines the order in which they run.
  • Monolithic: a single block of code executed as one straightforward algorithm.

According to their capabilities, viruses are divided into the following four categories:

  • Harmless: viruses whose only effect is to slow the computer down by multiplying and consuming free space on the hard disk.
  • Not dangerous: viruses that slow the computer down, occupy a significant amount of RAM and produce sound or graphic effects.
  • Dangerous: viruses that can cause serious system failures, from freezing the computer to destroying the operating system.
  • Very dangerous: viruses that can erase system information or put the computer's hardware out of action, for example by overwriting the motherboard's flash BIOS.

Various viruses that do not fall under the general classification:

  • Network worms: programs that work out the addresses of reachable computers on the network and copy themselves to them. Such classifications usually place them among the less harmful kinds, although the traffic they generate can bring a network to a halt.
  • Trojans: these programs take their name from the famous Trojan horse. They masquerade as useful programs and are mostly intended to steal confidential information, but more dangerous kinds also exist.

How to detect a virus on a computer?

Viruses can remain invisible while performing unwanted actions on the computer. In some cases the presence of a virus is almost impossible to notice; in others the user sees a number of signs of infection.

For those who do not know what a computer virus is, the following behaviour should raise suspicion:

  • The computer has started to run noticeably slower.
  • Files appear that the user did not create, particularly ones with a jumble of characters or an unknown extension instead of a sensible name.
  • A suspicious increase in the amount of RAM in use.
  • Spontaneous shutdowns and restarts, non-standard behaviour, screen flickering.
  • Programs fail to load or run.
  • Unexpected errors and crash messages.

All these signs indicate that the computer is most likely infected and must urgently be checked for files containing malicious code. There is only one way to check a computer for viruses: antivirus software.

Antivirus programs, or antiviruses, are software systems that hold extensive computer virus databases and perform a thorough check of the hard drive for known files or code. Antivirus software can disinfect a file, delete it, or isolate it in a designated area (quarantine).

Ways and methods of protection against malware

Protection against computer viruses rests on technical and organisational methods. Technical methods use tools that prevent virus threats: antiviruses, firewalls, anti-spam and, of course, timely updating of the operating system. Organisational methods describe the correct behaviour of the user at the computer from the point of view of information security.

Technical methods prevent viruses from entering a computer by means of software.

Antiviruses monitor the file system, relentlessly checking it for traces of malicious code. A firewall is designed to control the information arriving over network channels and to block unwanted packets.
A firewall lets you prohibit particular kinds of connection according to various criteria: ports, protocols, addresses and actions.

Anti-spam tools control the receipt of unwanted mail; when a suspicious message arrives in the mail client, they block execution of the attached files until the user explicitly chooses to run them. There is an opinion that anti-spam is the least effective way of fighting viruses, yet every day such tools block tens of millions of messages with embedded viruses.

Operating system updates are the process by which developers correct errors and shortcomings in the OS that are exploited by those who write viruses.

Organizational methods describe the rules for working with a personal computer, processing information, launching and using software, based on four basic principles:

  1. Run and open only those documents and files that come from trusted sources and whose safety you are firmly convinced of. In doing so, the user takes responsibility for running a given program.
  2. Check all information arriving from any external source, be it the Internet, an optical disc or a flash drive.
  3. Always keep the antivirus databases and the antivirus engine itself up to date, because antivirus developers are constantly improving their products in response to new viruses.
  4. Always accept the antivirus program's offer to check a flash drive or hard drive that has been connected to the computer.

With the advent of viruses, programs appeared that can find and neutralise them. New viruses appear in the world every day, and antivirus products are updated several times a day to keep up. So the fight against computer viruses goes on without pause.

Today the choice of antivirus programs is very wide. New offerings keep appearing on the market, and of the most diverse kinds: from full-fledged software suites to small utilities aimed at only one type of virus. Both free and paid security solutions are available.

Antiviruses store excerpts of the code of a huge number of objects dangerous to computer systems in their signature databases, and during a scan they compare the code of documents and executable files against that database. If a match is found, the antivirus notifies the user and offers one of the security options.

Computer viruses and antivirus programs are inseparable from each other. There is even an opinion that antivirus makers themselves develop dangerous objects for commercial gain.

Antivirus software utilities are divided into several types:

  • Detector programs: designed to search for objects infected with one of the currently known computer viruses. Usually detectors only find infected files, but in some cases they can also disinfect them.
  • Auditor programs: these remember the state of the file system and, after some time, check it again and verify the changes. If the data does not match, the program checks whether the suspicious file was edited by the user; if not, the user is shown a message about the possible infection of the object.
  • Healer programs: designed to disinfect programs and entire hard drives.
  • Filter programs: check the information arriving at the computer from outside and deny access to suspicious files, as a rule asking the user what to do. Filter programs are now built into all modern browsers so that a computer virus can be caught in time, which is a very effective solution given the current state of the Internet.
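The auditor approach above, as an added example that is not code from the article or from any antivirus product: it records a baseline of every file's size and SHA-256, re-scans later and reports what was added, removed or modified, and separately flags modified files that grew (the footprint of a virus body appended to a program). The file tree and the changes made to it are constructed for the example.

```python
"""File-system "auditor": baseline, re-scan, report the differences."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in 64 KiB blocks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Relative path -> {"size", "sha256"} for every regular file under root."""
    baseline: Dict[str, Dict[str, object]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(path), "sha256": file_digest(path)}
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, object]], path: str) -> None:
    """Persist the baseline; keep it somewhere the scanned system cannot rewrite it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, object]]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(old: Dict[str, Dict[str, object]],
            new: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Classify the differences between two baselines.

    "grown" lists modified files whose size increased: the classic footprint of
    a file virus that appends its body to a program."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["sha256"] != new[p]["sha256"])
    grown = [p for p in modified if new[p]["size"] > old[p]["size"]]
    return {"added": added, "removed": removed, "modified": modified, "grown": grown}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, simulate the kinds of change
    an auditor should flag, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("bin/app.exe", b"MZ" + b"\x00" * 100)
        write("bin/tool.exe", b"MZ" + b"\x01" * 50)
        write("docs/notes.txt", b"baseline notes")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes since the baseline was taken (all constructed):
        write("bin/app.exe", b"MZ" + b"\x00" * 100 + b"APPENDED-BODY")  # program grew
        write("docs/notes.txt", b"edited notes 1")  # same size, different content
        os.remove(os.path.join(root, "bin", "tool.exe"))  # file disappeared
        write("bin/dropped.exe", b"MZ" + b"\x02" * 10)  # new file nobody created

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report only says what changed; as the text notes, deciding whether a change was the user's own doing is a separate step the user has to confirm.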

The largest antivirus suites contain all of these utilities, combined into one large protective mechanism. Prominent representatives of antivirus software today are Kaspersky Antivirus, Eset NOD32, Dr.Web, Norton Anti-Virus, Avira Antivir and Avast.

These programs have all the basic features needed to be called security software systems. Some of them have extremely limited free versions, and some are available only for a fee.

Varieties of antivirus programs

Antiviruses are available for home computers, office networks, file servers and network gateways. Each of them can find and remove viruses, but the emphasis in each version is on its intended purpose. The fullest functionality, naturally, is found in home antivirus software, which has to cover every possible vulnerability.

What to do if you suspect a computer infection?

If a user suspects that the computer is infected with a virus, the first thing is not to panic, but to follow strictly this sequence of actions:

  • Close all programs and files you are currently working with.
  • Run an antivirus program (if none is installed, install one).
  • Find the full scan function and run it.
  • When the scan is complete, the antivirus will offer several options for dealing with the malicious objects it found: infected files are disinfected, malware is deleted, and anything that cannot be deleted is quarantined.
  • It is advisable to follow the antivirus software's recommendations strictly.
  • After cleaning is complete, run the scan again.

If the antivirus did not find a single threat during the scan, the computer's non-standard behaviour is caused by faults in the PC hardware or internal operating system errors, which also happens quite often, especially if the operating system is rarely updated.

Viruses are the most famous and widespread electronic threat. Almost every computer owner, one way or another, runs into this infection, but few people know what computer viruses are, how they infect a computer, how they multiply, how they differ from each other and, most importantly, how to deal with them.

In fact, most of the most popular questions about computer viruses can be answered simply by giving a strict definition of this type of threat. So, a computer virus is a separate type of software characterised by destructive functions (destroying data, blocking access to documents, damaging programs) and by the ability to reproduce.

A bit of history
Before proceeding to consider the various classifications of viruses, let's recall their history.
Self-replicating programs were first described by John von Neumann himself in 1951. The first model of such a program was described by the Penroses in an article for the journal Nature in 1957, after which a certain F. J. Stahl wrote, in the machine language of the IBM 650 computer, a biocybernetic model in which virtual creatures moved about, "eating" characters typed at the keyboard. After "eating" a certain number of characters, a creature multiplied, and some of its functions could "mutate". This program, however, was not a virus as such, since it could not infect anything and carried no destructive functions.
The first "real" viruses were programs for Apple computers that appeared in 1977 and could spread over a network. These viruses "reproduced" by hand: their authors posted them, disguised as useful programs, on BBSs (the forerunners of modern forums and chats), and after launch they destroyed user data. Moreover, some modifications of these proto-viruses revealed their true nature only after a certain time or under certain conditions.

The first virus to become widely known among users was written in 1981 by Richard Skrenta. The infection, dubbed ELK CLONER, lodged in the boot record of Apple II disks and displayed a message with a short poem. That same year Joe Dellinger, a student at Texas A&M University, created a virus for the Apple II operating system that interfered with the then-popular game CONGO. Within a few weeks the copies of this game on the university's computers stopped working, and the author of the "infection" decided to write the first "antivirus": a modification of the virus that replaced the code of its predecessor.
The term "computer virus" itself was first proposed in September 1984 by F. Cohen. His article, which described the results of his research into malware, was the second academic study of the new problem.
The first serious virus epidemics occurred in 1987, when cheap IBM PC computers became widespread. The Brain virus (the "Pakistani virus"), written by the brothers Amjad and Basit Alvi, was discovered in the summer of 1987, when an epidemic struck 18,000 computers in the United States. This virus, however, was a kind of "punishment" for users who used unlicensed copies of the brothers' own programs. Interestingly, it was the first virus to use stealth: when an attempt was made to read an infected sector, it handed the requesting program an uninfected original.

The first virus originally designed to infect entire networks appeared in 1988. This "worm", however, carried no destructive payload; it was created by a certain Robert Morris with the sole purpose of infecting the UNIX Berkeley 4.3 operating system on all computers connected to the ARPANET without revealing itself. Having reached its target, the virus began to multiply and send out copies of itself. In total, the Morris worm infected more than 6 thousand computers, some of which (because of the virus's active reproduction) were out of action for several days, until the source of the problems was found and the errors in the OS corrected. Two years later Morris was found guilty of causing property damage (the network being unusable for several days) and was sentenced to two years' probation, 400 hours of community service and a $10,000 fine.
A year after the Morris worm, in 1989, the first "Trojan horse" appeared. A virus called AIDS (HIV) blocked access to all information on the hard drive, displaying on the screen the message "Send a check for $189 to such-and-such address". Of course, with the author's exact address given, it was easy to track him down, and he was later convicted of extortion.
But 1990 can be considered the turning point in the history of viruses. It all began with the first polymorphic virus, Chameleon, which became a model for others because it hid from antivirus programs. Once virus writers started combining various methods of concealment in their creations, the problem of computer viruses took on a truly global scale.

Classification of computer viruses
No unified classification of computer viruses exists, but antivirus companies from different countries have developed a generally accepted system that divides viruses into groups differing in their habitat, methods of penetration and infection, malicious actions and features of operation.

Classification by habitat. With the first classification everything is simple. File viruses embed their body into executable files (that is, programs) with the extensions *.exe, *.dll, *.sys, *.bat and *.com. Such viruses "attach" themselves to the carrier, intercepting its basic control functions. As a result, when an infected program is launched, the virus code executes first and only then does the program itself start. In rare cases file viruses completely replace the program code with their own body, thereby performing destructive functions (see below).
Boot viruses hide more cunningly: they write their code into the disk boot sector or into the so-called Master Boot Record (the hard drive sector containing the code that calls the bootloader).
The next type, macro viruses, are embedded not in programs but in documents processed by programs that support macros (algorithms for automating routine user actions). Microsoft Word and Excel documents "suffer" from such viruses more often than others.
Strictly speaking, this classification is not exhaustive, since more and more viruses can hide their body in several environments at once (for example, in executable files and in the boot sector).

Classification by means of penetration and infection. As computers and software become more complex, viruses gain more and more ways of entering a computer. The simplest is the launch of an infected program by the user. As a rule, viruses launched this way arrive in e-mails or are distributed under the guise of various useful programs (including as links sent via ICQ). Moreover, the authors of such technically simple infections increasingly use social engineering, convincing the user by hook or by crook to launch the virus (for example, a virus can be disguised as a picture, from which even experienced users expect no dirty trick).
More advanced viruses use built-in operating system functions to launch themselves. The most popular of these is Windows autorun. By simply inserting a USB flash drive into a USB port, you can get infected without running any program from the media at all: everything is done for you by the autorun.inf file, which an active virus wrote to the flash drive on another computer.
Another type is web infection, which enters the computer from infected sites. Everything is simple here: the browser (Internet Explorer is an especially frequent offender) processes the code on the page (most often JavaScript), which does the "dirty deed", for example downloading a "traditional" software virus from the Web and launching it.
Finally, the most dangerous infection, which can do without any explicit or implicit help from the user, is the so-called "worm": a virus that penetrates the victim computer through so-called "holes" (vulnerabilities) in programs or the operating system. Most often such viruses use a "fan-out" method of penetration: each infected computer becomes a source of infection, sending new copies of the virus to all reachable computers.

As for the ways of infection, all viruses can be divided into two groups: resident (such an "infection" constantly "hangs" in the computer's memory and can not only perform destructive actions but actively resist its own removal) and non-resident (after performing a certain set of actions, such viruses unload themselves from memory and show no further activity).

Classification by malicious activity. Oddly enough, first place in this classification goes to harmless viruses. They are usually the "first swallows" on which virus writers test new technologies and penetration methods. Next come non-dangerous viruses, whose effect on the computer is limited to various effects (displaying messages, changing the wallpaper, sound effects, etc.). Third place is occupied by dangerous viruses, which can cause your computer to malfunction (for example, by blocking certain websites or preventing certain programs from opening). Finally, there are very dangerous viruses, capable of destroying data, damaging the file system, completely locking the computer, and so on.

Treatment
In fact, having summarised all the common classifications of viruses, we have answered the most common questions about them, except for the main one: how to deal with them.
As with any illness, the best treatment is prevention. Simply put, this means active antivirus protection (so-called "monitors"). Monitors reside permanently in the computer's memory, controlling all processes in RAM and all file accesses.
For a one-off check of a computer (for example, if infection is suspected and no monitor is running), scanner programs can be used; these check the operating system and user files on request.
Both types of antivirus program use several algorithms to detect "infection". The most common is the "signature" method (comparative method, database check). The antivirus simply uses a database containing samples of virus code, comparing fragments of the scanned programs and documents against these "references". The databases are compiled by the antivirus developers and are constantly updated. If a match is found, the antivirus can delete the infected file entirely, try to "cure" the file by removing the virus body, block access to the infected file, or send the file to "quarantine" (a special folder in which all actions of the virus are again blocked).
For all its effectiveness, the signature method has one significant drawback: if no suitable entry is found in the antivirus database (which is not uncommon with new "polymorphs"), the antivirus is useless.
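The signature method described in this section and in the earlier paragraph on signature databases, as an added example that is not code from the article or from any antivirus product: a scanner that looks for known byte fragments in files, reading them in chunks and carrying an overlap between chunks so a fragment split across a chunk boundary is not missed. The signature database and the sample files are constructed for the example.

```python
"""Signature-based file scanner with chunked reading and boundary overlap."""
import os
import tempfile
from typing import Dict, List

# Constructed signature database: detection name -> byte fragment, standing in
# for the code excerpts a real antivirus database holds for each known virus.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Stub.A": bytes.fromhex("deadbeefcafebabe"),
    "Demo.Text.B": b"THIS-IS-A-CONSTRUCTED-TEST-SIGNATURE",
}

CHUNK_SIZE = 64 * 1024  # read files in 64 KiB pieces rather than whole


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Names of every signature whose fragment occurs anywhere in `data`."""
    return [name for name, fragment in signatures.items() if fragment in data]


def scan_file(path: str, signatures: Dict[str, bytes] = SIGNATURES,
              chunk_size: int = CHUNK_SIZE) -> List[str]:
    """Scan one file chunk by chunk.

    The last (longest signature - 1) bytes of each window are carried over
    into the next one, so a fragment that straddles a chunk boundary is still
    seen in full instead of being silently missed."""
    overlap = max((len(f) for f in signatures.values()), default=1) - 1
    found = set()  # a set, because the overlap can make one hit appear twice
    carry = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            found.update(scan_bytes(window, signatures))
            carry = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_directory(root: str, signatures: Dict[str, bytes] = SIGNATURES,
                   chunk_size: int = CHUNK_SIZE) -> Dict[str, List[str]]:
    """Relative path -> detections, for every file under `root` that matched."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            hits = scan_file(path, signatures, chunk_size)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree and scan it with a deliberately tiny
    chunk size (16 bytes) so that the chunk-boundary case is exercised."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "clean.bin": b"A" * 100,
            # 8-byte fragment at offset 12, i.e. across the first 16-byte boundary
            "infected.exe": b"B" * 12 + bytes.fromhex("deadbeefcafebabe") + b"B" * 40,
            "doc.txt": b"hello " + b"THIS-IS-A-CONSTRUCTED-TEST-SIGNATURE" + b" world",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_directory(root, chunk_size=16)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

The drawback the text names is visible here too: a file that contains none of the stored fragments (a new or polymorphic variant) is reported as clean.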
A more efficient method is the "behavioural" one (proactive protection, behaviour blocker, Host Intrusion Prevention System, HIPS). It is based on analysing the behaviour of programs and comparing the data obtained against the "normal" behaviour patterns known to the antivirus. If "suspicious" actions are detected, the antivirus notifies the user.

In modern antiviruses the behavioural method is usually combined with "heuristics" based on "guessing" algorithms. For example, an antivirus may decide that a program which writes to the boot record of a disk, yet is not a disk utility known to it, is "suspicious" and can be removed. This method, while a good help in detecting new and unknown threats, cannot be considered absolutely reliable, and a high heuristic level produces the largest number of false positives. Heuristic methods also include emulation of the program being checked in a kind of "virtual machine" created by the antivirus. For example, the antivirus may begin executing a program infected with a polymorphic virus step by step, controlling its actions until it is convinced of its safety or until it "spots" the virus. Finally, "heuristics" allows the program's code to be inspected (after disassembling it in memory), analysing its probable actions or comparing code fragments with a database of known virus algorithms.
Finally, the most effective method (but also the most inconvenient from the user's point of view) is the "white list". Its essence is that the user compiles a list of "trusted" programs that may be run on the protected computer; all other programs are completely blocked by the antivirus. This method, however, is more often implemented not in antiviruses but in firewalls ("protective screens"), since strictly speaking it cannot guarantee the "cleanliness" of programs by itself (the user, without knowing it, may add an already infected program to the list).
As a rule, antivirus programs use various combinations of the methods described. The main problem for antivirus developers here is to achieve the optimal balance between threat detection efficiency and program performance. Some developers shift this concern onto the users, letting them choose the necessary algorithms themselves and adjust the level of "suspiciousness".

Conclusion
We have covered all the aspects of the "life" of computer viruses that are of interest to ordinary users. In conclusion, let us summarise briefly.
So, a virus is a program that performs destructive actions and is capable of reproduction. Viruses differ in how they spread, how they penetrate users' computers, in their working algorithms and in the type of destructive actions.
Viruses can live independently, as a separate file containing their "body", or be "attached" to the user's programs and documents. Most viruses "live" in executable files (*.exe, *.dll and others) or in documents that may contain macros. In theory, however, a virus can be embedded in any file processed by a vulnerable program: because of errors, such a program executes code taken from the most innocuous-looking file (say, a picture).
Computer viruses can reproduce by copying their own body or by transmitting their code over computer networks.
It is also worth remembering that the creation and distribution of computer viruses and malware is prosecuted by law in Russia (Chapter 28, Article 273 of the Criminal Code of the Russian Federation).

Almost every computer owner, even if not yet personally acquainted with viruses, has heard various tales and stories about them. Most of these, of course, are exaggerations spread by other novice users.

So what is a virus?

A virus is a self-propagating program. Many viruses do nothing destructive to your PC at all; some play small dirty tricks, such as displaying a picture on the screen, launching unnecessary services, opening adult web pages, and so on. But there are also those that can cripple your computer by formatting the drive or corrupting the motherboard's BIOS.

For starters, it's probably worth sorting out the most popular myths about viruses circulating the net.

1. Antivirus - protection against all viruses

Unfortunately, it is not. Even with a sophisticated antivirus with the latest database, you are not immune from a virus attack. Nevertheless, you will be more or less protected from known viruses; only new ones, unknown to the antivirus database, will pose a threat.

2. Viruses spread with any files

This is wrong. Viruses do not spread through music, video or pictures, for example. But it often happens that a virus disguises itself as one of these files, leading an inexperienced user to make a mistake and launch a malicious program.

3. If you are infected with a virus - your PC is under serious threat

This is not true either. Most viruses do nothing at all; it is enough for them simply to infect programs. In any case, though, you should take note: at the very least, check the entire computer with an antivirus that has the latest database. If one virus got in, why couldn't a second?

4. Do not use mail - a guarantee of security

I'm afraid it won't help. It happens that you receive letters from unknown addresses. It is best simply not to open them, deleting them and emptying the Trash right away. Usually the virus comes as an attachment to a letter; by running it, you infect your PC. Protecting yourself is easy enough: do not open letters from strangers ... It will also not hurt to set up anti-spam filters.

5. If you copied an infected file, you got infected

Generally, until you run the executable file, the virus, like any ordinary file, will simply sit on your disk and do nothing bad to you.

Types of computer viruses

The very first viruses (history)

This story began around the 1960s-70s in some US laboratories. On the computer, besides the usual programs, there were also ones that worked on their own, controlled by nobody. And all would have been fine if they had not loaded the computer heavily and wasted its resources.

Some ten years later, by the 1980s, there were already several hundred such programs. In 1984 the term "computer virus" itself appeared.

Such viruses usually did not hide their presence from the user. Most often they interfered with the user's work by showing various messages.

In 1985 the first dangerous (and, most importantly, rapidly spreading) computer virus, Brain, appeared. Though it was written with good intentions: to punish pirates who copied programs illegally. The virus worked only on illegal copies of the software.

The heirs of the Brain virus survived for roughly another decade, and then their population began to decline sharply. They did not act cunningly: they simply wrote their body into the program file, which therefore grew in size. Antiviruses quickly learned to check the size and find infected files.

Software viruses

After the viruses that attached themselves to the body of a program, new types began to appear, in the form of a separate program. But the main difficulty is: how do you force the user to run such a malicious program? It turns out to be very simple! It is enough to name it as a crack for some program and post it online. Many will simply download it and, despite all the warnings of the antivirus (if there is one), launch it anyway ...

In 1998-1999 the world shuddered at the most dangerous virus yet, Win95.CIH. It disabled the motherboard's BIOS. Thousands of computers around the world were put out of action.

Viruses also spread through e-mail attachments.

In 2003 the SoBig virus managed to infect hundreds of thousands of computers by attaching itself to the e-mails the user sent.

The main defences against such viruses: regular updating of the Windows OS and installing an antivirus. Also refuse to run any programs obtained from dubious sources.

Macroviruses

Many users probably do not even suspect that, besides executable exe or com files, ordinary Microsoft Word or Excel files can also carry a very real threat. How is this possible? It is simply that the VBA programming language was built into these editors at some point so that macros could be added to documents. So if you replace them with your own macro, it may well turn out to be a virus ...

Today almost all versions of office programs, before opening a document from an unfamiliar source, will definitely ask whether you really want to run the macros in this document; if you click "no", nothing will happen, even if the document carried a virus. The paradox is that most users themselves click "yes" ...

One of the most famous macro viruses is Melissa, which peaked in 1999. The virus infects documents and sends e-mails with infected content to your contacts via Outlook. In this way, tens of thousands of computers around the world were infected with it in a short time!

Script viruses

Macro viruses, as a specific type, belong to the group of script viruses. The point here is that Microsoft Office is not the only product to use scripts; other software packages contain them too, for example Media Player and Internet Explorer.

Most of these viruses spread through e-mail attachments. Often the attachments are disguised as some fashionable picture or piece of music. In any case, do not launch, and better still do not even open, attachments from unfamiliar addresses.

Users are often misled by the file extension ... After all, everyone has long known that pictures are safe, so why not open the picture that came in the mail ... By default, File Explorer does not show file extensions. So if you see the name of a picture, say "interesnoe.jpg", this does not mean that the file really has that extension.

To see extensions, enable the following option.

Let us take Windows 7 as an example. If you open any folder and click "Organize / Folder and search options", you get to the "View" tab. That is where the option we need is.

Uncheck "Hide extensions for known file types" and also enable "Show hidden files and folders".

Now, if you look at the picture you were sent, it may well turn out that "interesnoe.jpg" has suddenly become "interesnoe.jpg.vbs". That, in fact, is the whole trick. Many novice users have fallen into this trap more than once, and more will ...
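The double-extension trick just described, as an added example that is not code from the article: given attachment names, it works out what Explorer would display with extensions hidden and flags names whose real, final extension is one Windows would run, especially when it hides behind a picture or document extension. The extension lists, the simplified model of Explorer's hiding rule and the sample names are constructed for the example.

```python
"""Triage of attachment names for hidden executable extensions."""
import os
from typing import List, NamedTuple

# Extensions Windows treats as programs or scripts (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".msi"}
# Extensions a user expects to be harmless media or documents (constructed list).
BENIGN_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp3", ".avi", ".txt",
               ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


class Verdict(NamedTuple):
    filename: str     # the real name as stored on disk
    shown_as: str     # what Explorer shows with "Hide extensions for known file types" on
    executable: bool  # the final extension is one Windows will run
    disguised: bool   # an executable extension sitting behind a benign-looking one


def extensions(name: str) -> List[str]:
    """All dotted extensions of a name, lower-cased: 'a.jpg.vbs' -> ['.jpg', '.vbs']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def explorer_display_name(name: str) -> str:
    """Simplified model of Explorer's rule: a known (registered) final extension
    is hidden, so only the part before it is shown; unknown ones stay visible."""
    base, ext = os.path.splitext(name)
    return base if ext.lower() in EXECUTABLE_EXTS | BENIGN_EXTS else name


def check_attachment(name: str) -> Verdict:
    """Classify one attachment name."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    executable = last in EXECUTABLE_EXTS
    disguised = executable and len(exts) >= 2 and exts[-2] in BENIGN_EXTS
    return Verdict(name, explorer_display_name(name), executable, disguised)


def suspicious(names: List[str]) -> List[str]:
    """Names a mail filter or a user should not open without a closer look."""
    return [v.filename for v in map(check_attachment, names) if v.executable]


def demo() -> List[Verdict]:
    """Constructed sample of attachment names, including the one from the text."""
    constructed = ["interesnoe.jpg", "interesnoe.jpg.vbs", "report.pdf.exe",
                   "setup.EXE", "README"]
    return [check_attachment(n) for n in constructed]


if __name__ == "__main__":
    for v in demo():
        flag = "DISGUISED" if v.disguised else ("executable" if v.executable else "ok")
        print(f"{v.filename:22} shown as {v.shown_as:16} {flag}")
```

With extensions hidden, "interesnoe.jpg" and "interesnoe.jpg.vbs" both appear as a picture name; only the real extension tells them apart, which is why the text recommends turning the hiding off.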

The main protection against script viruses is timely updating of the OS and antivirus. Also, refuse to view suspicious e-mails, especially those containing unintelligible files ... Incidentally, it will not hurt to back up important data regularly. Then you will be 99.99% protected from any threat.

Trojans

This species, although classed as a virus, is not strictly one. Their way into your PC is in many ways similar to that of viruses, only their tasks are different. If the task of a virus is to infect as many computers as possible and to carry out some action (deleting files, opening windows, etc.), then a Trojan program, as a rule, has one goal: to copy your passwords from various services, or to find out certain information. It often happens that a Trojan can be controlled over the network, and on its owner's command it can instantly reboot your PC or, even worse, delete some files.

Another feature is also worth noting. Whereas viruses often infect other executable files, Trojans do not: a Trojan is a self-sufficient separate program that works on its own. It is often disguised as some kind of system process, so that a novice user would find it hard to catch.

In order not to fall victim to Trojans, firstly, do not download files such as "Internet hacks", program cracks and the like. Secondly, in addition to the antivirus you will also need a special program, for example The Cleaner, Trojan Remover, AntiViral Toolkit Pro, etc. Thirdly, it will not hurt to install a firewall (a program that controls other applications' access to the Internet) with manual settings, where you block all suspicious and unknown processes yourself. If the Trojan gets no access to the network, half the job is done: at least your passwords will not leak away ...

Summing up, I would like to say that all the measures and recommendations given will be useless if the user himself, out of curiosity, launches files, disables antivirus programs and so on. The paradox is that in 90% of cases a virus infection occurs through the fault of the PC owner. Well, in order not to fall victim to those 10%, it is enough to make backups from time to time. Then you can be almost 100% sure that everything will be OK!
