14. Purpose of antivirus programs and their classification. Classification, characteristics, examples. Combined antiviruses and optimizers

Classification of viruses

A computer virus is a small program designed to live inside and reproduce through other files by modifying them without authorization (infecting them), and usually to perform unwanted actions on the computer as well. Signs of infection include: the operating system no longer loads; some programs stop working or work incorrectly; extraneous characters and messages appear on the screen; the computer becomes noticeably slower; some files become corrupted or disappear; file sizes or modification dates and times change; the number of files on the disk grows, and so on.

The main sources of infection are email, the Internet, the local network and removable media (floppy disks and CD-ROMs). Do not run files received from a dubious source that have not first been checked with an antivirus program, and do not share folders and files on a networked computer without restricting access to them.

The main directions for preventing virus infection:

1. Periodic scanning for viruses with the latest versions of antivirus programs and up-to-date virus databases;

2. Checking all data that arrives from outside;

3. Backing up information and strict access control.

The targets of a virus attack are the operating system loader, the master boot record (MBR) of the disk, device drivers, programs and documents.

According to their "habitat", viruses are divided into file, system, boot, file-boot, macro and network viruses.

File viruses mainly infect executable files with the .com and .exe extensions; system viruses infect operating system modules, device drivers, file allocation tables and partition tables; boot viruses embed themselves in the boot sector. Multifunctional viruses, the file-boot viruses, damage both the boot sectors of disks and files.

The habitat of network viruses is computer networks. At present this is the most common type of virus, most often transmitted as attachments to email messages.

A separate group is the so-called macro viruses, which use the capabilities of the macro languages built into office suites and therefore infect documents rather than executable files.

According to the "degree of impact", viruses are divided into harmless, non-dangerous, dangerous and destructive.

The way a virus manifests itself and operates depends strongly on the "features of the algorithm" implemented in the virus program. For example, the so-called replicator viruses multiply very quickly and fill RAM with their copies; usually a copy does not fully match the original, which makes the virus harder to find and remove. Worm viruses act similarly: they live in computer networks and send copies of themselves to other computers on the network, so a computer that is cleaned while its neighbours are still infected is soon infected again.

Some viruses masquerade as useful programs but additionally perform destructive actions (for example, collecting confidential information such as passwords and user names), up to destroying the system. Such programs are called "Trojan horses". Strictly speaking, a Trojan horse does not replicate on its own, so it is a separate class of malicious program rather than a virus in the sense defined above.

Virus code can also be embedded in software systems. Usually it stays inactive until a certain event occurs, after which its functions are carried out. Such viruses are called logic bombs.

Stealth (invisible) viruses are very difficult to detect and neutralize, because they intercept the operating system's calls to infected files and disk sectors and return clean objects in place of their own bodies.

According to the method of infecting their habitat, viruses are divided into resident and non-resident. Resident viruses stay in RAM permanently, intercept OS calls to other objects and infect them. Non-resident viruses are active only for a limited time and do not infect memory.

The wide spread of computer viruses and virus attacks on the global Internet led to the emergence of antivirus programs as a separate direction in software development.

Classification of antivirus programs

Antivirus programs are designed to prevent infection and to eliminate the consequences of one. They can monitor access to the hard disk and warn the user about suspicious activity, and they can also scan email messages for viruses.

Based on the functions they perform, antivirus programs are divided into the following types: detectors; doctors; auditors; filters (watchmen); vaccines (immunizers).

Auditor programs record the initial state of programs, directories and system areas of the disk before the computer is infected and periodically compare it with the current state. If a discrepancy is found, the user is warned.

Filter programs are resident programs that detect suspicious actions during operation, for example attempts to modify executable files, change file attributes, write to the boot sector of a disk, and so on.

Detector programs are configured to detect infection by one or more known viruses. Most detector programs also perform the "doctor" function, i.e. they try to return infected files and disk areas to their original state; files that cannot be restored are usually made inoperable and deleted.

Doctor programs detect and disinfect infected objects by "biting off" the body of the virus. Programs of this type are divided into phages and polyphages (which detect and destroy a large number of different viruses).

Vaccine programs modify a file or disk in a way that does not affect their operation but makes the virus consider them already infected. Vaccination works only against known viruses.

The polyphage Doctor Web (developer: I. Danilov) searches for and removes viruses known to it from the computer's memory and disks. Its heuristic analyzer lets it detect new, previously unknown viruses and modifications of known ones. Dr.Web checks mail arriving over POP3 before the mail client processes it, and also checks outgoing mail sent over SMTP. The antivirus guard (monitor), which runs automatically, checks files "on the fly" when any program accesses them and notifies the user when infected or suspicious files are found. The program monitors virus activity by analysing the actions that programs perform; the analysis is built so as to keep false alarms to a minimum while still being able to stop the actions a malicious program may take. The antivirus scanner detects infected objects on all media and in the computer's RAM and neutralizes viruses.

AVP (AntiViral Toolkit Pro, developer: Kaspersky Lab) can scan and disinfect packed and archived files and network drives. Its scanning technology detects and removes viruses in archived and compressed files in more than 700 file formats; in ZIP archives Kaspersky Anti-Virus can also delete malicious code from an infected compressed file and disinfect it. The integrated Office Guard creates a protected environment for Microsoft Office applications; according to the vendor, this gives Kaspersky Anti-Virus Personal Pro full control over office documents and protects even against unknown macro viruses.

Norton AntiVirus automatically protects against viruses, malicious ActiveX controls and Java applets when using the Internet or working with floppy disks, CDs or the network, scans attachments in the most common email programs, and detects and disinfects viruses in compressed files. It lets clean files through but stops infected files before they can enter and harm the system. Norton AntiVirus 2003 automatically removes dangerous code, protects email attachments, and keeps protection current through automatic updates of the virus databases. Its heuristic technology can identify email worms such as Nimda and Badtrans and stop them before they spread further through outgoing mail.

The Professional version (Pro), in addition to everything in the standard edition, includes data recovery and system cleaning tools intended for IT professionals and small businesses. They allow users to protect and recover critical files and to maintain privacy by securely wiping (shredding) files that are no longer needed.

Panda Titanium Antivirus 2004 (developer: Panda Software) is a latest-generation antivirus with improved technology for detecting and removing viruses of any type; it protects against any program, document or email that could harm the computer. Thanks to its heuristic technology, Panda's software is particularly effective against new, unknown viruses; it automatically detects and removes viruses while email is received or sent, files are downloaded or the user browses the Internet, and it protects against dialers (programs that silently connect the modem to premium-rate numbers), hidden remote-control utilities, dangerous hidden files and other threats. The program also identifies and fixes errors in software installed on the computer and runs self-diagnostics so that the antivirus itself keeps working reliably.

Let us look at how Kaspersky Anti-Virus works when scanning a personal floppy disk and the My Documents folder for viruses.

1. Start Kaspersky Anti-Virus Scanner with the command Start → Programs → Kaspersky Anti-Virus → Kaspersky Anti-Virus Scanner.

2. To display the objects to scan in the Kaspersky Anti-Virus Scanner window, select the Objects category on the left, click the [Expert] button and check the boxes for drive A: and the My Documents folder (subfolders are expanded in the same way as in Explorer).

3. In the right part of the window, specify what the program should do when a virus is found. It is recommended to set the following:

· Treat, and if treatment is impossible, then delete the object.

· Scan the following file types: all files.

· Scan compound files: tick all the boxes here .

4. Start the scan with the command Scan → Start scan.

5. To follow the progress of scanning and disinfection, click the [Statistics] button.

Now let us check a personal floppy disk and the My Documents folder for viruses using Norton AntiVirus Professional Edition.

1. Start Norton AntiVirus Professional Edition with the command Start → Programs → Norton AntiVirus → Norton AntiVirus 2003 Professional Edition.

2. Set scan parameters.

3. Go to the Scan for Viruses tab to specify the objects to scan; to scan a floppy disk, click the button provided for it.

4. At the bottom of the window, in the Actions area, select the required action.

5. To check the My Documents folder, double-click the button and, in the window that opens, select the desired folder and press the button.

The results of the scan can be viewed on the Reports tab.

INTRODUCTION

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people had mastered many of the secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But besides matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of the twentieth century special devices appeared, computers, designed to store and transform information, and the computer revolution took place.

Unfortunately, the mass use of personal computers today has turned out to be accompanied by the appearance of self-replicating virus programs that interfere with the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer.

Despite the laws adopted in many countries against computer crime and the development of special antivirus software, the number of new viruses keeps growing. This requires the user of a personal computer to know about the nature of viruses, the ways they infect computers and how to protect against them. This is what prompted the choice of topic for my work.

This is exactly what I talk about in my essay. I present the main types of viruses, consider how they function, the reasons for their appearance and the ways they get into a computer, and also propose protection and prevention measures.

The purpose of the work is to acquaint the user with the basics of computer virology and to teach how to detect viruses and fight them. The method of work is the analysis of printed publications on the topic. I was faced with a difficult task, to write about something that has been studied very little, and how it turned out is for you to judge.

1. COMPUTER VIRUSES AND THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Today's personal computers give the user free access to all the resources of the machine. This is what opened the door to the danger that became known as the computer virus.

What is a computer virus? A formal definition of this concept has not yet been produced, and there are serious doubts that one can be given at all. Numerous attempts to provide a "modern" definition of the virus have failed. To get a sense of the difficulty, try, for example, to define the concept of "editor". You will either come up with something very general, or you will start listing all the known types of editors. Neither can be considered acceptable. We will therefore limit ourselves to some properties of computer viruses that allow us to speak of them as a particular class of programs.

First of all, a virus is a program. This simple statement alone dispels many legends about the extraordinary capabilities of computer viruses. A virus can flip the image on your monitor, but it cannot flip the monitor itself. Legends about killer viruses that "destroy operators by displaying a deadly colour scheme in the 25th frame" should likewise not be taken seriously. Unfortunately, some reputable publications from time to time print "the latest news from the computer front" which on closer inspection turns out to be the result of a rather vague understanding of the subject.

A virus is a program that can reproduce itself. This ability is the only property common to all types of viruses. But viruses are not alone in being able to self-replicate: any operating system and many other programs can create copies of themselves. Moreover, copies of a virus not only need not coincide completely with the original, they may not coincide with it at all!

A virus cannot exist in "complete isolation": today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure or even just the names of other programs. The reason is clear: the virus must somehow arrange for control to be transferred to it.

1.2. Classification of viruses

Currently more than 5,000 viruses are known; they can be classified by the following criteria:

· habitat

· method of infecting the habitat

· degree of impact

· features of the algorithm

Depending on their habitat, viruses can be divided into network, file, boot and file-boot viruses. Network viruses spread over various computer networks. File viruses embed themselves mainly in executable modules, i.e. in files with the COM and EXE extensions. File viruses can also be embedded in other types of files, but as a rule, once written into such files, they never receive control and therefore lose the ability to reproduce. Boot viruses embed themselves in the boot sector of a disk or in the sector containing the boot program of the system disk (the Master Boot Record). File-boot viruses infect both files and the boot sectors of disks.

Based on the method of infection, viruses are divided into resident and non-resident. When a resident virus infects a computer it leaves its resident part in RAM, which then intercepts the operating system's accesses to objects it can infect (files, disk boot sectors, etc.) and injects itself into them. Resident viruses stay in memory and remain active until the computer is switched off or rebooted. Non-resident viruses do not infect the computer's memory and are active only for a limited time.

Based on the degree of impact, viruses can be divided into the following types:

· non-dangerous, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; their actions show up as graphic or sound effects

· dangerous, which can cause various malfunctions of the computer

· very dangerous, whose actions can lead to loss of programs, destruction of data and erasure of information in the system areas of the disk.

2. MAIN TYPES OF VIRUSES AND THEIR FUNCTIONING SCHEME

Among the variety of viruses, the following main groups can be distinguished:

· boot

· file

· file-boot

Now let's take a closer look at each of these groups.

2.1. Boot viruses

Let us look at how a very simple boot virus that infects floppy disks works. We deliberately skip the many subtleties that a rigorous analysis of its algorithm would run into.

What happens when you switch the computer on? First of all, control passes to the bootstrap program stored in read-only memory (ROM), referred to below as PNZ ROM (PNZ is the Russian abbreviation for "initial loading program" used in the original).

This program tests the hardware and, if the tests pass, tries to find a floppy disk in drive A:.

Every floppy disk is divided into so-called sectors and tracks. Sectors are grouped into clusters, but that is not important here.

Some of the sectors are service sectors used by the operating system for its own needs (your data cannot be stored in them). Of the service sectors, the one of interest now is the so-called boot sector.

The boot sector stores information about the floppy disk: the number of surfaces, tracks, sectors, etc. But right now we are not interested in that information but in the small bootstrap program (PNZ) stored there, which must load the operating system itself and pass control to it.

So the normal bootstrap chain looks like this: PNZ (ROM) - PNZ (disk) - SYSTEM.

Now let us look at the virus. Boot viruses consist of two parts, the so-called head and tail. The tail may, generally speaking, be empty.

Suppose you have a clean floppy disk and an infected computer, meaning a computer with an active resident virus. As soon as this virus notices that a suitable victim has appeared in the drive (in our case a floppy disk that is not write-protected and not yet infected), it starts infecting it. When infecting a floppy disk, the virus performs the following actions:

1. Selects a certain area of the disk and marks it as unavailable to the operating system; this can be done in different ways, in the simplest and traditional case the sectors occupied by the virus are marked as bad.

2. Copies its tail and the original (healthy) boot sector to the selected area of the disk.

3. Replaces the boot program in the (real) boot sector with its head.

4. Arranges the chain of control transfer so that its head runs first.

Thus the head of the virus now receives control first; the virus installs itself in memory and passes control to the original boot sector. In the chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: never leave a floppy disk in drive A: (even by accident) when the computer boots.

We have examined how a simple boot virus living in the boot sectors of floppy disks works. As a rule, such viruses can infect not only the boot sectors of floppy disks but also those of hard disks. Moreover, unlike a floppy disk, a hard disk has two kinds of boot sectors containing boot programs that receive control. When the computer boots from the hard disk, the boot program in the MBR (Master Boot Record) takes control first. If the hard disk is divided into several partitions, only one of them is marked as bootable (active). The boot program in the MBR finds the active partition and transfers control to the boot program in that partition's boot sector. The code of the latter is the same as the boot program on an ordinary floppy disk; the corresponding boot sectors differ only in their parameter tables. Thus on a hard disk there are two objects for a boot virus to attack: the boot program in the MBR and the boot program in the boot sector of the active partition.
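The MBR layout this paragraph describes, as an added example that is not part of the original text: a small Python parser that splits a 512-byte MBR into its boot code and partition table, checks the 0x55AA signature, and finds the single active (bootable) partition to which the MBR code hands control. The sample sector is constructed inline (dummy boot code, two made-up partitions); the field offsets are the standard MBR layout, and the checks (exactly one active entry, valid status bytes, no overlapping partitions) are the ones a rescue or scanning tool applies before trusting the boot chain.

```python
"""Parser for a 512-byte MBR sector with the sanity checks a scanner or
rescue tool applies before trusting the boot chain.  Added example: the
sector bytes are constructed inline, not read from a real disk."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: the boot program a boot virus replaces
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ACTIVE_FLAG = 0x80            # status byte of the partition the MBR code boots


def parse_mbr(sector):
    """Split an MBR into its boot code and the four partition-table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        (status, _c1, _h1, _s1, ptype, _c2, _h2, _s2,
         lba_start, sectors) = struct.unpack_from("<BBBBBBBBII", sector, off)
        if status not in (0x00, ACTIVE_FLAG):
            raise ValueError("entry %d: invalid status byte 0x%02x" % (i, status))
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": bytes(sector[:BOOT_CODE_SIZE]), "partitions": parts}


def find_active(mbr):
    """Index of the partition the MBR code will boot.  Exactly one entry may
    carry the active flag; zero or several means a damaged table."""
    active = [p["index"] for p in mbr["partitions"] if p["status"] == ACTIVE_FLAG]
    if len(active) != 1:
        raise ValueError("expected one active partition, found %d" % len(active))
    return active[0]


def partitions_overlap(mbr):
    """True if two used entries share sectors, another sign of a corrupted table."""
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                  for p in mbr["partitions"] if p["type"] != 0)
    return any(a_end > b_start for (_, a_end), (b_start, _) in zip(used, used[1:]))


def sample_mbr(active_entries=(0,)):
    """Constructed MBR: dummy boot code, one FAT32 and one Linux partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"                              # typical jump prologue
    sector[3:BOOT_CODE_SIZE] = (b"BOOTCODE" * 60)[:BOOT_CODE_SIZE - 3]
    table = [(0x0B, 2048, 204800), (0x83, 206848, 819200)]     # type, LBA start, count
    for i, (ptype, lba, count) in enumerate(table):
        status = ACTIVE_FLAG if i in active_entries else 0x00
        struct.pack_into("<BBBBBBBBII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(sample_mbr())
    for p in mbr["partitions"]:
        if p["type"]:
            print(p)
    print("MBR boots partition", find_active(mbr))
```

A boot virus overwrites the 446 boot-code bytes and leaves the partition table alone, so `parse_mbr` will report a perfectly healthy table on an infected disk; an auditor therefore compares `boot_code` against a known-good copy rather than only validating the table.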

2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Consider the operation of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus gains control, performs some actions and passes control to its "host" (although it is not yet clear who is the host in such a situation).

What actions does the virus perform? It looks for a new object to infect: a file of a suitable type that has not yet been infected (if the virus is "decent"; there are some that infect straight away without checking anything). When infecting a file, the virus injects itself into its code so as to gain control when the file is executed. Besides its main function, reproduction, the virus may do something elaborate (say, display a message or play something); that depends on the imagination of its author. If the file virus is resident, it installs itself in memory and can infect files and exhibit its other abilities not only while the infected file is running. When infecting an executable file, a virus always changes its code, so infection of an executable file can always be detected. But apart from changing the file's code, the virus does not necessarily make other changes:

· it need not change the length of the file

· it may place itself in unused sections of the code

· it need not change the beginning of the file

Finally, file viruses often include viruses that "have some relation to files" but need not be embedded in their code. Consider as an example how viruses of the well-known Dir-II family work. It must be admitted that these viruses, which appeared in 1991, caused a real epidemic in Russia. Let us look at a model that shows the basic idea of the virus. Information about files is stored in directories. Each directory entry includes the file name, the date and time it was created, some additional information, the number of the file's first cluster and, finally, reserved bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When an executable file is run, the system reads the first cluster of the file from the directory entry and then all the other clusters. Viruses of the Dir-II family "reorganize" the file system as follows: the virus writes itself to some free sectors of the disk, which it marks as bad. In addition, it saves the first-cluster numbers of executable files in the reserved bytes and, in their place, writes references to itself.

Thus, whenever any file is launched, the virus gains control (the operating system itself launches it), installs itself resident in memory and passes control to the file that was called.

2.3. Boot file viruses

We will not consider a boot-file virus model, because it would teach nothing new. But this is a good opportunity to discuss briefly the recently very "popular" boot-file virus OneHalf, which infects the master boot record (MBR) and executable files. Its main destructive effect is the encryption of hard-disk sectors. Each time the virus starts it encrypts another portion of sectors, and after encrypting half of the hard disk it happily reports the fact. The main problem in treating this virus is that it is not enough to remove the virus from the MBR and files; the information it encrypted must also be decrypted. While the virus is resident it decrypts those sectors on the fly, so the system appears to work; the worst thing you can do is simply write a fresh, clean MBR, because then the virus is gone but the encrypted half of the disk stays encrypted and unreadable. The main thing is not to panic. Weigh everything calmly and consult specialists.

2.4. Polymorphic viruses

Most questions concern the term "polymorphic virus". This type of computer virus seems to be the most dangerous today. Let us explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not share a single byte.

Such viruses not only encrypt their code with varying keys, but also contain code that generates the encryptor and decryptor. This distinguishes them from ordinary encrypting viruses, which also encrypt sections of their code but have a constant encryptor and decryptor.

Polymorphic viruses are thus viruses with self-modifying decryptors. The purpose of this encryption: even if you have both the infected and the original file, you still cannot analyse the virus code by ordinary disassembly. The code is encrypted and looks like a meaningless sequence of instructions. Decryption is performed by the virus itself during execution. Several variants are possible: it may decrypt itself all at once, it may decrypt "on the fly", or it may re-encrypt sections that have already run. All this is done to make analysis of the virus code harder.
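A model of what this section describes, added here as an illustration and not taken from any real virus: the "body" is a harmless constant byte string, the decryptor is a toy two-byte bytecode invented for the example, and each "infection" gets random keys, a random number of encryption layers and random junk instructions, so no two samples share the body bytes. `static_signature_hits` shows that a detector matching bytes of the real body finds nothing, while `emulate` does what a scanner's emulator does: it steps through the decryptor and recovers the constant body, which can then be matched.

```python
"""Model of a polymorphic virus body and of the emulation an antivirus uses
to see through it.  Added example: the "virus" is a harmless byte string and
the decryptor is a toy bytecode; nothing here is executable machine code."""
import random

# Constant "virus body" in the model: a constructed, benign byte string.
PAYLOAD = b"CONSTRUCTED BENIGN BODY: THIS STANDS IN FOR THE VIRUS CODE"

# Toy decryptor bytecode (an assumption of this model, not a real instruction set):
#   0x01 k   decrypt the body with XOR k
#   0x02 k   decrypt the body with SUB k (mod 256)
#   0x90 j   junk instruction, ignored (j is a random operand)
#   0xFF     end of the decryptor stub; the encrypted body follows
OP_XOR, OP_SUB, OP_JUNK, OP_END = 0x01, 0x02, 0x90, 0xFF


def default_rng(seed=None):
    """Random source for sample generation (seedable for repeatable runs)."""
    return random.Random(seed)


def apply_op(op, key, data):
    """Execute one decryptor instruction over the body."""
    if op == OP_XOR:
        return bytes(b ^ key for b in data)
    if op == OP_SUB:
        return bytes((b - key) & 0xFF for b in data)
    raise ValueError("unknown op 0x%02x" % op)


def encrypt(body, ops):
    """Stored form of the body: the inverse of each decrypt op, in reverse order."""
    for op, key in reversed(ops):
        if op == OP_XOR:
            body = bytes(b ^ key for b in body)
        else:                                   # inverse of SUB is ADD
            body = bytes((b + key) & 0xFF for b in body)
    return body


def build_stub(ops, rng):
    """Emit the decryptor with 1..3 random junk instructions before each real op."""
    out = bytearray()
    for op, key in ops:
        for _ in range(rng.randint(1, 3)):
            out += bytes([OP_JUNK, rng.randrange(256)])
        out += bytes([op, key])
    out.append(OP_END)
    return bytes(out)


def build_sample(ops, rng):
    """One 'infection' with a chosen decrypt sequence: stub + encrypted body."""
    return build_stub(ops, rng) + encrypt(PAYLOAD, ops)


def generate_sample(rng):
    """A fresh 'infection': random op(s), random non-zero key(s), random junk."""
    ops = [(rng.choice([OP_XOR, OP_SUB]), rng.randrange(1, 256))
           for _ in range(rng.randint(1, 3))]
    return build_sample(ops, rng)


def emulate(sample):
    """What a scanner's emulator does: step the stub, then decrypt the body."""
    i, ops = 0, []
    while sample[i] != OP_END:
        op = sample[i]
        if op != OP_JUNK:
            ops.append((op, sample[i + 1]))
        i += 2                                  # every instruction is two bytes
    body = sample[i + 1:]
    for op, key in ops:
        body = apply_op(op, key, body)
    return body


def static_signature_hits(samples, signature):
    """Plain byte-string matching, as a detector program does."""
    return sum(1 for s in samples if signature in s)


if __name__ == "__main__":
    rng = default_rng()
    samples = [generate_sample(rng) for _ in range(10)]
    print("static signature hits:", static_signature_hits(samples, PAYLOAD[:16]))
    print("hits after emulation:",
          sum(emulate(s) == PAYLOAD for s in samples), "of", len(samples))
```

The point of the model is the last two lines: the scanner cannot be given a signature of the stored bytes, because they change with every copy, so it either matches the decryptor's structure heuristically or runs the stub in an emulator and signatures the decrypted body.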

3. HISTORY OF COMPUTER VIROLOGY AND REASONS FOR THE APPEARANCE OF VIRUSES

The history of computer virology today looks like a constant "race for the leader", and despite all the power of modern antivirus programs it is the viruses that lead. Among thousands of viruses only a few dozen are original developments that use truly new ideas; all the rest are "variations on a theme". But every original development forces the antivirus makers to adapt to new conditions and catch up with virus technology. The latter point can be argued. For example, in November 1988 an American graduate student, Robert Morris, released a worm that disabled about 6,000 computers connected to the Internet. Or take the epidemic of the well-known Dir-II virus that broke out in 1991: the virus used a truly original, fundamentally new technique and at first spread widely because traditional antivirus tools could not cope with it.

Or the surge of computer viruses in the UK: Christopher Pile created the Pathogen and Queeg viruses and the SMEG polymorphic engine. The last was the most dangerous: it could be attached to the first two, so that each copy of the program looked different after every run, which made them extremely hard to detect and remove. To spread the viruses, Pile copied computer games and programs, infected them and put them back on the network. Users downloaded the infected programs onto their computers and infected their disks. The situation was made worse by the fact that Pile managed to infect an antivirus program as well: instead of removing viruses, users who ran it received another one. As a result the files of many companies were destroyed, with losses running into millions of pounds.

The American programmer Morris became widely known as the author of the worm which, in November 1988, infected about 6,000 computers connected to the Internet.

The reasons for the appearance and spread of computer viruses lie, on the one hand, in the psychology of the human personality and its dark sides (envy, revenge, the vanity of unrecognized creators, the inability to use one's abilities constructively) and, on the other hand, in the lack of hardware protection and of countermeasures in the operating systems of personal computers.

4. WAYS OF VIRUSES ENTERING A COMPUTER AND THE MECHANISM OF VIRUS PROGRAM DISTRIBUTION

The main ways viruses get into a computer are removable disks (floppy disks and CDs) and computer networks. A hard disk can become infected when a program is loaded from a floppy disk that carries a virus. Such an infection can also be accidental: for example, if the floppy disk was left in drive A and the computer was rebooted, even though the floppy may not be a system disk. Infecting a floppy disk is much easier. A virus can get onto it even if the floppy is simply inserted into the drive of an infected computer and, for example, its directory is read.

The virus usually embeds itself in a working program in such a way that when the program starts, control passes first to the virus, and only after all of its instructions have completed does it return to the working program. Having gained control, the virus first of all copies itself into another working program and infects it. After a program containing the virus has been run, it becomes possible to infect other files. Most often the boot sector of the disk and executable files with the extensions EXE, COM, SYS and BAT are infected. Text files are infected extremely rarely.

After infecting a program, the virus may perform some kind of sabotage, not too serious, so as not to attract attention. And finally it does not forget to return control to the program from which it was launched. Every run of an infected program passes the virus on to the next one. In this way all the software ends up infected.

To illustrate how a computer program is infected by a virus, it helps to compare disk memory to an old-fashioned archive with folders on a tape. The folders contain programs, and the sequence of operations for introducing a virus then looks as follows. (See Appendix 1)

5. SIGNS OF VIRUSES

When a computer is infected with a virus, it is important to detect the infection. To do so, you should know the main signs of viruses. They include the following:

· programs that previously worked correctly stop working or work incorrectly

· slow operation of the computer

· inability to load the operating system

· disappearance of files and directories or corruption of their contents

· changes in the date and time of file modification

· changes in file sizes

· an unexpected, significant increase in the number of files on the disk

· a significant reduction in the amount of free RAM

· display of unexpected messages or images

· unexpected sound signals

· frequent freezes and crashes of the computer

It should be noted that these symptoms are not necessarily caused by a virus; they may have other causes. That is why correctly diagnosing the state of a computer is always difficult.

6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus ? Traditional approach

So, a certain virus writer creates a virus and releases it into "life". It may roam freely for a while, but sooner or later the easy life ends. Someone will suspect something is wrong. As a rule, viruses are discovered by ordinary users who notice anomalies in the behaviour of their computer. In most cases they cannot cope with the infection on their own, but that is not required of them.

What matters is that the virus reaches specialists as soon as possible. The professionals study it and find out "what it does", "how it does it", "when it does it", and so on. In the course of this work all the necessary information about the virus is collected; in particular, the virus signature is extracted, a sequence of bytes that identifies it with sufficient certainty. The signature is usually taken from the most important and characteristic sections of the virus code. At the same time the mechanism of the virus becomes clear: for a boot virus, where it hides its tail and where the original boot sector is; for a file virus, the method of infecting a file. The information obtained makes it possible to work out:

· how to detect the virus; for this, methods of searching for the signature in the potential objects of attack, files and/or boot sectors, are specified

· how to neutralize the virus; where possible, algorithms are developed for removing the virus code from affected objects

6.2. Virus detection and protection programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antiviruses. There are the following types of antivirus programs:

· detector programs

· doctor programs or phages

· audit programs

· filter programs

· vaccine or immunizer programs

Detector programs search RAM and files for a signature characteristic of a particular virus and, if it is found, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of the program.

Doctor programs, or phages, and vaccine programs not only find files infected with viruses but also "treat" them, i.e. remove the body of the virus program from the file, returning the file to its original state. At the beginning of their work, phages search for viruses in RAM and destroy them, and only then proceed to "cleaning" files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous of them: Aidstest, Scan, Norton AntiVirus, Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected, and then periodically, or at the user's request, compare the current state with the original one. Detected changes are displayed on the monitor screen. As a rule, the comparison is carried out immediately after the operating system loads. The comparison checks the file length, the cyclic redundancy code (file checksum), the date and time of modification, and other parameters. Auditor programs have fairly developed algorithms, detect stealth viruses and can even strip the changes made by the virus from the program being checked, restoring its original version. Among the audit programs is the Adinf program, widely used in Russia.

Filter programs, or "watchmen", are small resident programs designed to detect suspicious actions characteristic of viruses during computer operation. Such actions may be:

· attempts to modify files with the COM and EXE extensions

· changing file attributes

· direct writing to the disk at an absolute address

· writing to disk boot sectors

When any program tries to perform one of these actions, the "guard" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful because they are able to detect a virus at the earliest stage of its existence, before replication. However, they do not "clean" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program, which is part of the MS DOS utility package.

Vaccines, or immunizers, are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that "treat" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that its operation is not affected, but the virus perceives it as already infected and therefore does not take root. Currently, vaccine programs have limited use.

Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.

6.3. Basic measures to protect against viruses

In order to avoid exposing your computer to viruses and to ensure reliable storage of information on disks, you must follow the following rules:

· equip your computer with modern antivirus programs, such as Aidstest and Doctor Web, and constantly update their versions

· before reading information stored on other computers from floppy disks, always check these floppy disks for viruses by running anti-virus programs on your computer

· when transferring files in archived form to your computer, check them immediately after unpacking them on your hard drive, limiting the scan area to only the newly recorded files

· periodically check the computer's hard disks for viruses, running anti-virus programs to test files, memory and system areas of the disks from a write-protected floppy disk, after loading the operating system from a write-protected system floppy disk

· always write-protect your floppy disks when working on other computers, if no information will be written to them

· be sure to make backup copies on floppy disks of information that is valuable to you

· do not leave floppy disks in drive A when turning on or rebooting the computer, to prevent it from becoming infected with boot viruses

· use anti-virus programs for input control of all executable files received from computer networks

· to ensure greater security, Aidstest and Doctor Web must be combined with everyday use of the Adinf disk auditor

CONCLUSION

So, we can cite many facts indicating that the threat to information resources is increasing every day, causing decision-makers in banks, factories and companies around the world to panic. And this threat comes from computer viruses that distort or destroy vital, valuable information, which can lead not only to financial losses but also to human casualties.

A computer virus is a specially written program that is capable of spontaneously attaching itself to other programs, creating copies of itself and introducing them into files, system areas of the computer and computer networks in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference in the operation of the computer.

Currently, more than 5,000 software viruses are known, and their number is constantly growing. There are known cases where teaching aids were created that help in writing viruses.

The main types of viruses: boot, file, file-boot. The most dangerous type of viruses is polymorphic.

From the history of computer virology it is clear that any original computer development forces antivirus creators to adapt to new technologies and constantly improve antivirus programs.

The reasons for the appearance and spread of viruses are hidden, on the one hand, in human psychology, and on the other hand, due to the lack of protection measures in the operating system.

The main routes for viruses to penetrate are removable disks and computer networks. To prevent this from happening, follow protective measures. Also, several types of special programs called anti-virus programs have been developed to detect, remove and protect against computer viruses. If you do find a virus on your computer, then using the traditional approach it is better to call a professional to figure it out further.

But some properties of viruses puzzle even specialists. Just recently, it was hard to imagine that a virus could survive a cold boot or spread through document files. In such conditions, it is impossible not to attach importance to at least a basic anti-virus education of users. Despite the seriousness of the problem, no virus can cause as much harm as a pale-faced user with trembling hands!

So, the health of your computers, the safety of your data is in your hands!

The most popular and effective antivirus programs are antivirus scanners (detector programs) and CRC scanners (auditors). There are also antivirus blockers and immunizers.

Scanners. The operating principle of antivirus scanners is based on checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. To search for known viruses, so-called "masks" are used. The mask of a virus is some constant sequence of code specific to this particular virus. If the virus does not contain a constant mask, or the length of this mask is not sufficient, other methods are used. An example of such a method is an algorithmic language that describes all possible variants of code that may occur when a file is infected by a virus of this type. This approach is used by some antiviruses to detect polymorphic viruses.
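An added illustration of mask-based scanning, written for this page rather than taken from any antivirus product: the masks, sample files and byte values below are constructed and do not correspond to any real virus, and `None` in a mask is assumed to mean a wildcard byte that matches anything. It shows a fixed mask missing a variant that differs in one byte, a wildcard mask catching both, and a mask that is too short firing on a clean file.

```python
import re
from typing import Dict, List, Optional, Sequence

# A mask is a sequence of byte values; None is a wildcard byte (assumed
# convention for this example) that matches any byte at that position.
Mask = Sequence[Optional[int]]


def mask_to_regex(mask: Mask) -> "re.Pattern[bytes]":
    """Compile a mask into a bytes regex: fixed bytes are escaped, None -> any byte."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in mask]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: Dict[str, Mask]) -> List[str]:
    """Return the names of all signatures whose mask occurs anywhere in data."""
    return [name for name, mask in signatures.items()
            if mask_to_regex(mask).search(data) is not None]


# Constructed sample bytes (not real code): a "virus body" made of a fixed
# prefix, one variable byte (as a polymorphic decryptor key would be) and a
# fixed suffix, appended to a dummy executable image.
PREFIX = b"\x7e\x05\xb8"
SUFFIX = b"\x4c\xcd\x21\xc3\x00"


def build_infected(key: int) -> bytes:
    return b"MZ" + b"\x90" * 8 + PREFIX + bytes([key]) + SUFFIX + b"\x00" * 8


# A clean program that happens to contain the two bytes CD 21 as well.
CLEAN = b"MZ" + b"\x90" * 8 + b"legit program body \xcd\x21\x00"
INFECTED_A = build_infected(0x11)
INFECTED_B = build_infected(0xA7)

SIGNATURES: Dict[str, Mask] = {
    # Full body of variant A, no wildcards: misses variant B.
    "Demo.Fixed": list(PREFIX + bytes([0x11]) + SUFFIX),
    # Same body with the variable byte wildcarded: catches both variants.
    "Demo.Wildcard": list(PREFIX) + [None] + list(SUFFIX),
}
# A mask that is far too short to be specific: false positive on CLEAN.
TOO_SHORT: Dict[str, Mask] = {"Demo.Short": list(b"\xcd\x21")}


if __name__ == "__main__":
    for label, sample in (("A", INFECTED_A), ("B", INFECTED_B), ("clean", CLEAN)):
        print(label, scan(sample, SIGNATURES), scan(sample, TOO_SHORT))
```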

Many scanners also use "heuristic scanning" algorithms, i.e. they analyze the sequence of commands in the object being scanned, collect some statistics and make a decision for each scanned object. Since heuristic scanning is a largely probabilistic method of searching for viruses, many laws of probability theory apply to it. For example, the higher the percentage of detected viruses, the higher the number of false positives.

Scanners can also be divided into two categories – “universal” and “specialized”. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of viruses, for example macro viruses.

Scanners are also divided into “resident” (monitors), which scan on the fly, and “non-resident”, which scan the system only upon request. As a rule, “resident” scanners provide more reliable system protection, since they immediately respond to the appearance of a virus, while a “non-resident” scanner is able to identify the virus only during its next launch.

The advantages of scanners of all types include their versatility, the disadvantages are the size of the anti-virus databases that scanners have to store and update, and the relatively low speed of searching for viruses.

CRC scanners. The operating principle of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database together with some other information: file lengths, dates of last modification, etc. On subsequent launches, CRC scanners compare the data stored in the database with the actual calculated values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus.

CRC scanners that use anti-stealth algorithms respond to almost 100% of viruses immediately after changes appear on the computer. A characteristic drawback of these antiviruses is their inability to detect a virus from the moment it appears until it makes changes on the computer. CRC scanners cannot detect a virus in new files (in email, on floppy disks, in restored files, or when unpacking files from an archive) because their databases contain no information about these files.
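An added example of the auditor / CRC-scanner principle described above and in the section on auditor programs; it is example code written for this page, not Adinf or any other product. The "disk" is a constructed in-memory dictionary of path to (content, modification time), so it runs offline; it reports modified, deleted and new files, flags a content change that left length and mtime untouched (the concealment the text attributes to stealth viruses), and shows that a new file can only be listed, not judged.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    """One auditor database entry: file length, CRC32 checksum, modification time."""
    length: int
    crc: int
    mtime: int


# Constructed in-memory "disk": path -> (content, mtime). A real auditor walks
# the file system; this keeps the example deterministic.
Disk = Dict[str, Tuple[bytes, int]]


def take_snapshot(disk: Disk) -> Dict[str, Record]:
    """Build the auditor database for the current state of the disk."""
    return {path: Record(len(data), zlib.crc32(data) & 0xFFFFFFFF, mtime)
            for path, (data, mtime) in disk.items()}


def audit(db: Dict[str, Record], disk: Disk) -> Dict[str, List[str]]:
    """Compare the current disk state with the stored database and report."""
    report: Dict[str, List[str]] = {"modified": [], "stealth_suspect": [],
                                    "new": [], "deleted": []}
    current = take_snapshot(disk)
    for path, old in db.items():
        if path not in current:
            report["deleted"].append(path)
            continue
        now = current[path]
        if now.crc == old.crc and now.length == old.length:
            continue  # content unchanged
        # Content changed while length and mtime stayed the same: the kind of
        # concealment described for stealth viruses, so flag it separately.
        if now.length == old.length and now.mtime == old.mtime:
            report["stealth_suspect"].append(path)
        else:
            report["modified"].append(path)
    # Files absent from the database cannot be judged at all: this is the
    # limitation the text describes for new files (mail, floppies, archives).
    report["new"] = sorted(set(current) - set(db))
    return report


# Constructed baseline taken while the machine is known to be clean.
BASELINE_DISK: Disk = {
    "C:/DOS/COMMAND.COM": (b"MZ" + b"\x90" * 24 + b"shell", 1_000),
    "C:/GAMES/PLAY.EXE": (b"MZ" + b"\x90" * 24 + b"game", 1_001),
    "C:/DOC/NOTE.TXT": (b"plain text", 1_002),
}


def later_disk() -> Disk:
    """The same disk some time later, with constructed changes."""
    d = dict(BASELINE_DISK)
    data, _ = d["C:/DOS/COMMAND.COM"]
    d["C:/DOS/COMMAND.COM"] = (data + b"\xaa" * 16, 2_000)  # grew, mtime updated
    data, mtime = d["C:/GAMES/PLAY.EXE"]
    d["C:/GAMES/PLAY.EXE"] = (data[:2] + b"\xbb\xbb" + data[4:], mtime)  # same size, old mtime
    del d["C:/DOC/NOTE.TXT"]
    d["C:/DOWNLOAD/NEW.EXE"] = (b"MZ" + b"unknown", 2_001)  # not in the database
    return d


def demo() -> Dict[str, List[str]]:
    return audit(take_snapshot(BASELINE_DISK), later_disk())


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15s} {paths}")
```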

Blockers. Anti-virus blockers are resident programs that intercept "virus-dangerous" situations and notify the user about them. "Virus-dangerous" situations include calls to open executable files for writing, writing to the boot sector of the disk, etc., which are typical of viruses at the moment of their reproduction.

The advantages of blockers include their ability to detect and block a virus at the earliest stage of its reproduction, which, by the way, can be very useful in cases where a long-known virus is constantly activated.

Immunizers. Immunizers are divided into two types: immunizers that report infection, and immunizers that block infection by any type of virus.

People who constantly work at a computer often encounter problems when using it and begin to call programmers for help, although in most cases such incidents happen due to the inattention and lack of education of the user himself. After all, the main troubles come precisely when a computer is infected with a virus. The concept and classification of computer viruses is the basis, knowledge of which can prevent 50% of problems on the user’s computer.

Knowledge is power

Let's try to define what a computer virus is. As in real life, a virus is an organism capable of self-copying and uncontrolled reproduction. This is a program that is capable of developing independently, without the user’s knowledge, and performing its functions assigned to it by the programmer. This is not enough to catch a virus or prevent infection of your computer, but in the simplest cases it will help you at least sound the alarm and call a specialist. The classification of computer viruses will help the latter accurately select the tool necessary to save your computer. Therefore, we will try to understand it too.

General concept

Having compared a computer virus with a real microorganism a little earlier, we can draw a parallel with what a specific virus or worm infects. One of the fundamental ones is the classification of computer viruses by habitat, because, depending on the purpose, the location of the virus in the computer environment will also vary. Let's give a general standard diagram.

  1. File viruses. Perhaps the most common today are viruses that infect files on your computer. In most cases, they infiltrate executable files or program libraries to perform their tasks. These viruses are a script written in a scripting programming language (for example Java).
  2. Boot viruses. As the name suggests, they are launched when the operating system boots. They write their code to the Windows boot sector.
  3. Network viruses. A rather unpleasant thing that sends copies of itself over the network, mail or messaging systems like ICQ. Another unpleasant point is that such a virus can multiply until it fills all the space on the user’s computer, and in the worst case, it also begins to make room for itself by deleting user programs.
  4. Macro viruses. They only affect files from applications that support macros, such as Office.

It is worth noting that such a classification of viruses cannot be complete, since the development of this infection does not stand still, and there are viruses that can be classified into several subtypes.

Caution - danger!

Viruses can be viewed from completely different angles. If we talk about them according to the degree of impact on the system, then the classification of computer viruses will briefly look like this:


Specialists are working

The classification of computer viruses and anti-virus programs deserves special mention. Most specialists working in the field of computer security have their own classifications and ways of designating computer viruses. For example, the well-known Kaspersky Laboratory. After many years of work, they created perhaps the most detailed classification of computer viruses. Kaspersky identifies the following types of “pests”:

  1. Already known network viruses are worms that use email to spread.
  2. Packers. These are pests rather than viruses sent for a specific purpose. Their task is to archive files in such a way that unarchiving them is impossible. Often, when archiving, they also encode the information.
  3. Malicious utilities.
  4. Trojan programs. Their name comes from the myth of the Trojan horse. True to their prototype, such viruses disguise themselves as harmless programs to penetrate a computer. Their main functional purpose is to provide an attacker with access to control your computer. Some subcategories can also be distinguished here:

1) viruses for remote control of your computer;

2) viruses that download malware from the Internet;

3) programs that install other viruses on the computer without authorization.

How to get infected

Forewarned is forearmed. This is what folk wisdom says. By knowing where and how you can catch a computer virus, you can avoid the enormous problems associated with removing it. Preventing infection is much easier than curing a computer after a virus has entered it. There is also a classification of computer viruses according to the method of infection:

Virus protection

As has already become clear, there are a great variety of malware. No classification of viruses will help protect against them. There are so many computer scammers and spammers that it is impossible to deal with them all with your own hands. This is why there are a large number of antivirus programs that can help cope with this problem. Let's look at them from the point of view of ordinary users.

The most common anti-virus program is Kaspersky Anti-Virus. Offered to users in all possible stores, this program is able to reliably protect your computer from malware. However, advanced users are aware of the significant side effects of this reliability. Kaspersky not only overloads the system and raises an alarm at the slightest danger, but also prevents it from working adequately with user applications. Therefore, at the moment, this antivirus is used mainly in enterprises, since its purchase is easier to carry out through accounting, and security verification commissions are much more loyal to it. It is worth noting that, thanks to this laboratory, a basic classification of computer viruses was created. The message that a virus was found on the computer that their antivirus gives, unfortunately, does not always contain reliable information.

NOD32 can serve as a worthy replacement for Kaspersky. It protects reliably and robustly, and there are free versions designed specifically for ordinary users. It works like clockwork and without failures, but it provides absolute reliability only in the fully paid package. Therefore, the only drawback of this antivirus is the price, if you exclude downloading unsupported hacked versions.

Dr.Web can rightfully be considered the leader among antiviruses. Without chasing fame and earnings, it offers everyone a trial version with full functionality for download on its website. One of the main features of "Doctor" is the ability to completely suspend the operating system, which allows it to catch even the most "cunning pests". This program uses its own classification of viruses. The utility finds computer worms quickly and efficiently, and resident viruses are not able to "hide" in RAM.

You need to know the enemy by sight

So, the classification of computer viruses was discussed above. It would probably be easier for you to understand with examples, so we will give a few for clarity.

Trj.Reboot - forces your computer to reboot.

Relax - infects documents Microsoft Word, as well as global variables. It was especially popular and relevant on Windows 98. The result of the work is the display of an information message on the screen.

Marburg - attacks executable files with EXE extension, running them in different directories, as a result of which their size increases.

Flame is a computer worm discovered by Kaspersky Lab. Its peculiarity is that it consists of several dozen parts, each of which has its own functionality.

Think about safety

This article discussed the concept and classification of computer viruses. If you have carefully and thoughtfully read everything written, you probably already realized that absolute protection does not exist. Despite this, the choice of protective equipment falls on your shoulders. The last thing worth pointing out is just a couple of useful tips:

  1. Do not go to suspicious sites or follow links sent by strangers.
  2. Don't be fooled by advertisements and pop-ups on the Internet.
  3. If you download programs from the Internet, make sure the source is safe.
  4. If you are looking for any program, try to download it from popular resources, and not on the outskirts of the World Wide Web.
  5. Do not use storage media that may have been inserted into public computers (Internet cafes).

By following these simple tips, you can manage even without an antivirus. You will only need the classification of computer viruses for study or self-development.

Evgeny Kaspersky in 1992 used the following classification of antiviruses depending on their operating principle (determining functionality):

1. Scanners (an outdated version - “polyphages”) - determine the presence of a virus using a signature database that stores signatures (or their checksums) of viruses. Their effectiveness is determined by the relevance of the virus database and the presence of a heuristic analyzer (see: Heuristic scanning).

2. Auditors (a class close to IDS) - remember the state of the file system, which makes it possible to analyze changes in the future.

3. Watchmen (monitors) - monitor potentially dangerous operations, issuing the user a corresponding request to permit/prohibit the operation.

4. Vaccines - change the vaccinated file so that the virus against which the vaccination is being made already considers the file infected. In modern (2007) conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is not applicable.

Modern antiviruses combine all of the above functions.

Antiviruses can also be divided into:

1. Products for home users:

1) antiviruses proper;

2) combined products (for example, antispam, a firewall, anti-rootkit, etc. are added to the classic antivirus);

2. Corporate products:

1) server antiviruses;

2) antiviruses on workstations ("endpoint").

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Consumers should carefully review protection methods before connecting any small devices.

Protection methods such as hardware-based ones, possibly antiviruses on USB devices or on the SIM, are more suitable for mobile phone consumers. The technical assessment and review of how to install an antivirus program on a cellular mobile phone should be considered as a scanning process that may affect other legitimate applications on that phone.

Antivirus programs on SIM with antivirus built into a small memory area provide anti-malware/virus protection while protecting the phone user's PIN and information. Antiviruses on flash cards give the user the ability to exchange information and use these products with various hardware devices, as well as send this data to other devices using various communication channels.

Antiviruses, mobile devices and innovative solutions

In the future, it is possible that mobile phones will be infected with viruses. More and more developers in this area are offering antivirus programs to combat viruses and protect mobile phones. In mobile devices there are the following ways of fighting viruses.