Malware and viruses (macro viruses, stealth and polymorphic viruses). Antivirus protection. What script viruses can infect

Macro viruses are programs written in the languages (macro languages) built into some data processing systems (text editors, spreadsheets, etc.), and in scripting languages such as VBA (Visual Basic for Applications) and JS (JavaScript). To reproduce, such viruses use the capabilities of the macro language to transfer themselves from one infected file (document or spreadsheet) to others. Macro viruses for Microsoft Office are the most widespread. There are also macro viruses that infect Ami Pro documents and databases. For such viruses to exist in a given system (editor), the system must have a built-in macro language with the following capabilities:

1. linking a program in a macro language to a specific file;
2. copying macro programs from one file to another;
3. the ability for a macro program to gain control without user intervention (automatic or standard macros).

These conditions are satisfied by the Microsoft Word, Office and AmiPro editors, as well as by the Excel spreadsheet and the Microsoft Access database. These systems contain macro languages: Word - Word Basic; Excel and Access - VBA. In them:

1. macro programs are tied to a specific file (AmiPro) or are located inside a file (Word, Excel, Access);
2. the macro language allows copying files (AmiPro) or moving macro programs into system service files and editable files (Word, Excel);
3. when a file is worked with under certain conditions (opening, closing, etc.), the macro programs (if any) that are defined in a special way (AmiPro) or have standard names (Word, Excel) are called.

This feature of macro languages is intended for automatic data processing in large organizations or across global networks and makes it possible to organize so-called "automated document flow". On the other hand, the same macro-language capabilities allow a virus to transfer its code to other files and thus infect them. A virus gains control when an infected file is opened or closed, intercepts the standard file functions and then infects any file that is accessed. By analogy with MS-DOS, most macro viruses can be called resident: they are active not only at the moment a file is opened or closed, but for as long as the editor itself is running.

Word/Excel/Office viruses: general information

The physical location of the virus inside a file depends on the file format, which in the case of Microsoft products is extremely complex: each Word document and Excel spreadsheet is a sequence of data blocks (each with its own format), linked together by a large amount of service data. This format is called OLE2 (Object Linking and Embedding).

The structure of Word, Excel and Office (OLE2) files resembles a complicated disk file system: the "root directory" of a document or spreadsheet file points to the main subdirectories of the various data blocks, several FAT tables hold information about where the data blocks are located in the document, and so on. Moreover, the Office Binder system, which supports the Word and Excel standards, allows the creation of files that simultaneously contain one or more Word documents and one or more Excel spreadsheets. Word viruses can then infect the Word documents and Excel viruses the Excel spreadsheets, all within the same disk file. The same is true for Office.

Most known Word viruses are incompatible with national (including Russian) versions of Word, or the reverse: they are designed only for localized versions of Word and do not work under the English version. However, the virus in the document still remains active and can infect other computers that have the matching version of Word installed. Word viruses can infect computers of any class: infection is possible if the computer has a text editor installed that is fully compatible with Microsoft Word version 6 or 7 or higher (for example, MS Word for Macintosh).

The same is true for Excel and Office. It should also be noted that the complexity of the Word, Excel and especially Office file formats has a further consequence: document and spreadsheet files contain "extra" data blocks, i.e. data that is in no way related to the edited text or tables, or copies of other file data that accidentally ended up there. The reason for such data blocks is the cluster organization of data in OLE2 documents and spreadsheets: even if only one character of text is entered, one or even several data clusters are allocated for it. When a document or spreadsheet is saved, the clusters that are not filled with "useful" data retain "garbage", which ends up in the file along with the other data. The amount of "garbage" in files can be reduced by disabling the Word/Excel "Allow Fast Save" option; however, this only reduces the total amount of "garbage" and does not remove it completely. As a consequence, the size of a document changes while editing regardless of the actions performed on it: when new text is added the file may shrink, and when part of the text is deleted it may grow.

The same applies to macro viruses: when a file is infected, its size may decrease, increase or remain unchanged. It should also be noted that some versions of OLE2.DLL contain a small flaw, as a result of which, when working with Word, Excel and especially Office documents, random data from the disk, including confidential data (deleted files, directories, etc.), can end up in the garbage blocks. Virus commands can also end up in these blocks. As a result, after an infected document has been disinfected, the active virus code is removed from the file, but some of its commands may remain in the "garbage" blocks. Such traces of a virus are sometimes visible in a text editor and can even trigger some antivirus programs. However, these remnants of the virus are completely harmless: Word and Excel ignore them.

Word/Excel/Office viruses: principles of operation

When working with a document, Word version 6 or 7 or higher performs various actions: it opens the document, saves it, prints it, closes it, and so on. At the same time, Word looks for and executes the corresponding "built-in macros": when a file is saved with the File/Save command the FileSave macro is called, when saving with File/SaveAs - FileSaveAs, when printing documents - FilePrint, etc., provided of course that such macros are defined. There are also several "auto-macros" that are called automatically under various conditions. For example, when opening a document Word checks it for the presence of the AutoOpen macro; if such a macro is present, Word executes it. When closing a document Word executes the AutoClose macro; when Word starts, the AutoExec macro is called; when it shuts down - AutoExit; and when a new document is created - AutoNew.

Similar mechanisms (but with different names for the macros and functions) are used in Excel/Office, where the role of auto- and built-in macros is played by auto- and built-in functions, which may be present in any macro; one macro may contain several built-in and auto functions. Macros/functions bound to a key or to a point in time or a date are also executed automatically (i.e. without user intervention): Word/Excel calls the macro/function when a specific key (or key combination) is pressed or when a certain point in time is reached. In Office the event-interception capabilities are somewhat broader, but the principle is the same.

Macro viruses that infect Word, Excel or Office files usually use one of the three techniques listed above: the virus either contains an auto-macro (auto-function), or overrides one of the standard system macros (associated with some menu item), or the virus macro is called automatically when some key or key combination is pressed. There are also "semi-viruses" that use none of these techniques and reproduce only when the user runs them explicitly. Thus, if a document is infected, when it is opened Word calls the infected AutoOpen auto-macro (or AutoClose when the document is closed) and so runs the virus code, unless this is disabled by the DisableAutoMacros system variable. If the virus contains macros with standard names, they gain control when the corresponding menu item is invoked (File/Open, File/Close, File/SaveAs). If some key is overridden, the virus is activated only after that key is pressed.

Most macro viruses contain all their functionality as standard Word/Excel/Office macros. There are, however, viruses that use techniques to hide their code and store it in a form other than macros. Three such techniques are known, all of which use the ability of macros to create, edit and execute other macros. As a rule, such a virus has a small (sometimes polymorphic) loader macro, which calls the built-in macro editor, creates a new macro, fills it with the main virus code, executes it and then, as a rule, deletes it (to hide the traces of the virus). The main code of such viruses is present either in the virus macro itself as text strings (sometimes encrypted), or is stored in the document variables area or in the AutoText area.

Algorithm of Word macro viruses

Most well-known Word viruses, when run, transfer their code (macros) into the global macro area of the document ("global" macros). To do this they use the macro copy commands MacroCopy or Organizer.Copy, or use the macro editor: the virus invokes it, creates a new macro, inserts its code into it and saves it in the document. When Word exits, the global macros (including the virus macros) are automatically written to the global macro DOT file (usually NORMAL.DOT). Thus, the next time MS Word starts, the virus is activated at the moment WinWord loads the global macros, i.e. immediately. The virus then overrides (or already contains) one or more standard macros (for example, FileOpen, FileSave, FileSaveAs, FilePrint) and thus intercepts the file commands. When these commands are called, the virus infects the file being accessed. To do this, the virus converts the file to the Template format (which makes further changes to the file format, i.e. conversion to any non-Template format, impossible) and writes its macros into the file, including the Auto macro. Thus, if a virus intercepts the FileSaveAs macro, every DOC file saved through the intercepted macro becomes infected; if the FileOpen macro is intercepted, the virus is written into the file when it is read from disk.

The second method of introducing a virus into the system is used much less often: it is based on so-called "Add-in" files, i.e. files that are service additions to Word. In this case NORMAL.DOT is not changed, and Word, when started, loads the virus macros from the file (or files) defined as an "Add-in". This method almost completely replicates the infection of global macros, except that the virus macros are stored not in NORMAL.DOT but in some other file. It is also possible to introduce a virus into files located in the STARTUP directory, since Word automatically loads template files from this directory, but such viruses have not yet been encountered. The methods of introduction into the system discussed above are an analogue of resident DOS viruses. The analogue of non-resident viruses are macro viruses that do not transfer their code into the system macro area: to infect other document files, they either search for them using the built-in Word file functions or consult the list of recently edited files (Recently used file list). These viruses then open the document, infect it and close it.

Algorithm of Excel macro viruses

The reproduction methods of Excel viruses are generally similar to those of Word viruses. The differences lie in the macro copy commands (for example, Sheets.Copy) and the absence of NORMAL.DOT, whose function (in the viral sense) is performed by the files in Excel's STARTUP directory. It should be noted that there are two possible locations for macro virus code in Excel spreadsheets. The vast majority of these viruses write their code in VBA (Visual Basic for Applications) format, but there are viruses that store their code in the old Excel version 4.0 format. Such viruses are essentially no different from VBA viruses, apart from the format in which the virus code is stored in the spreadsheet. Although newer versions of Excel (starting with version 5) use more advanced technologies, the ability to run macros from older versions of Excel has been retained for compatibility. For this reason, all macros written in the Excel 4 format are fully functional in all subsequent versions, even though Microsoft does not recommend their use and does not ship the necessary documentation with Excel.

Virus operation algorithm for Access

Because Access is part of the Office Pro suite, viruses for Access are the same Visual Basic macros as the other viruses that infect Office applications. However, in this case, instead of auto-macros, the system has automatic scripts that are called by the system on various events (for example, Autoexec). These scripts can in turn call various macro programs. Thus, to infect an Access database, the virus needs to replace some auto-script and copy its macros into the infected database. Infecting scripts without additional macros is not possible, since the script language is quite primitive and lacks the functions needed for this.

It should be noted that in Access terminology scripts are called macros (macro) and macros are called modules (module); however, the unified terminology, scripts and macros, is used below. Disinfecting Access databases is a harder task than removing other macro viruses, since in the case of Access it is necessary to neutralize not only the virus macros but also the auto-scripts. Since a significant part of Access's work is entrusted to scripts and macros, incorrectly deleting or deactivating any element can make operations on the database impossible. The same is true for viruses: incorrect replacement of auto-scripts can lead to loss of the data stored in the database.

AmiPro viruses

When working with any document, the AmiPro editor creates two files: the document text itself (with the extension SAM) and an additional file containing the document macros and possibly other information (extension SMM). The format of both files is quite simple: they are regular text files in which both the editable text and the control commands are present as regular text strings. Any macro from the SMM file can be assigned to the document (the AssignMacroToFile command). Such a macro is analogous to AutoOpen and AutoClose in MS Word and is called by the AmiPro editor when a file is opened or closed. Apparently, AmiPro has no way to place macros in a "common" area, so AmiPro viruses can only infect the system when an infected file is opened, not when the system loads, as happens with MS Word after NORMAL.DOT has been infected. Like MS Word, AmiPro allows system macros (for example, SaveAs, Save) to be overridden with the ChangeMenuAction command. When the overridden functions (menu commands) are called, control passes to the infected macros, i.e. to the virus code.
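The Word, Excel and AmiPro sections above name the macros a virus must define (AutoOpen, FileSaveAs, ...) and the commands it needs to propagate (MacroCopy, Sheets.Copy, AssignMacroToFile, ChangeMenuAction). The following triage routine, an added example rather than a tool from this article, turns that into a defender's heuristic over exported macro source text; it assumes the source is already available as plain text (an exported VBA/WordBasic module or an AmiPro SMM file), does not parse OLE2 containers, and the three sample modules are constructed.

```python
"""Heuristic triage of macro source text for the activation and propagation
mechanisms described in the Word, Excel and AmiPro sections.

Added example, not the article's own tool. Works on macro source as plain
text; it does not open OLE2 documents. Sample modules are constructed."""
import re
from typing import Dict, List

# Names taken from the article, grouped by the technique they indicate.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autoexit", "autonew"}
STANDARD_MACROS = {"fileopen", "filesave", "filesaveas", "fileprint",  # Word
                   "saveas", "save"}                                     # AmiPro
COPY_COMMANDS = ["MacroCopy", "Organizer.Copy",       # Word
                 "Sheets.Copy",                       # Excel
                 "AssignMacroToFile"]                 # AmiPro
MENU_HOOK = "ChangeMenuAction"                        # AmiPro menu override

# 'Sub Foo' / 'Function Foo' in VBA/WordBasic, 'FUNCTION Foo' in AmiPro.
DEFINITION = re.compile(r"^\s*(?:public\s+|private\s+)?(?:sub|function)\s+(\w+)",
                        re.IGNORECASE | re.MULTILINE)


def triage(source: str) -> Dict[str, object]:
    """Classify one macro module by activation technique and propagation ability."""
    defined: List[str] = DEFINITION.findall(source)
    auto = [n for n in defined if n.lower() in AUTO_MACROS]
    overrides = [n for n in defined if n.lower() in STANDARD_MACROS]
    if re.search(r"\b" + MENU_HOOK + r"\b", source, re.IGNORECASE):
        overrides.append(MENU_HOOK)
    copies = [c for c in COPY_COMMANDS
              if re.search(re.escape(c) + r"\b", source, re.IGNORECASE)]
    # An auto-macro on its own is ordinary "automated document flow". What a
    # macro virus needs is a way to gain control automatically AND a way to
    # copy macros elsewhere, so only that combination is rated suspicious.
    if copies and (auto or overrides):
        verdict = "suspicious"
    elif copies:
        verdict = "review"
    else:
        verdict = "clean"
    return {"auto_macros": auto, "overridden": overrides,
            "propagation": copies, "verdict": verdict}


# Constructed samples (not real virus code).
BENIGN = """\
Sub AutoOpen()
    ' constructed: refreshes fields when the document opens
    ActiveDocument.Fields.Update
End Sub
"""
SUSPECT_WORD = """\
Sub AutoOpen()
    ' constructed: copies the macro into the global template on open
    MacroCopy "ThisDocument:AutoOpen", "Global:AutoOpen"
End Sub
Sub FileSaveAs()
    ' constructed: standard-name macro that would run on File/SaveAs
End Sub
"""
SUSPECT_AMIPRO = """\
FUNCTION Hook()
    ' constructed: AmiPro module that rebinds Save As and attaches a macro
    ChangeMenuAction("&File", "Save &As...", "Hook")
    AssignMacroToFile("doc.sam", "Hook", 1)
END FUNCTION
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("word", SUSPECT_WORD),
                       ("amipro", SUSPECT_AMIPRO)):
        print(label, triage(src))
```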

Stealth viruses

Representatives of this class use various means to disguise their presence in the system. This is usually achieved by intercepting a number of the system functions responsible for working with files. "Stealth" technologies make it impossible to detect the virus without special tools. The virus masks both the increase in the length of the affected object (file) and its own body inside it, "substituting" the "healthy" part of the file in its place.

When checking a computer, antivirus programs read data (files and system areas) from hard disks and floppy disks using the services of the operating system and the BIOS. Stealth viruses, or invisible viruses, leave special modules in the computer's RAM that intercept programs' accesses to the disk subsystem. If such a module detects that a user program is trying to read an infected file or system area of the disk, it replaces the data being read on the fly and thus remains undetected, deceiving the antivirus programs.

Stealth viruses can also hide as threads inside system and other processes, which makes them much harder to identify. Such stealth viruses cannot even be seen in the list of processes currently running in the system.

There is a simple way to disable the camouflage mechanism of stealth viruses. It is enough to boot the computer from an uninfected system floppy disk and scan the computer with an antivirus program without running any programs from the computer's own disk (they may be infected). In this case the virus cannot gain control and install in RAM the resident module that implements the stealth algorithm; the antivirus reads the information actually written on the disk and easily detects the "bacillus".

Most antivirus programs counter the attempts of stealth viruses to remain undetected, but in order not to give them a single chance, before scanning the computer with an antivirus the computer should be booted from a floppy disk on which the antivirus programs are stored. Many antiviruses are so successful at resisting stealth viruses that they detect them at the moment they try to disguise themselves. Such programs read the program files to be scanned from the disk using several different methods, for example through the operating system and through the BIOS: if discrepancies are found, it is concluded that a stealth virus is probably present in RAM.

Polymorphic viruses

Polymorphic viruses are those that cannot be detected (or are extremely difficult to detect) using so-called virus signatures: sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor commands, or by changing the executable virus code itself. There are also other, rather exotic, examples of polymorphism: the DOS virus "Bomber", for example, is not encrypted, but the sequence of commands that transfers control to the virus code is completely polymorphic.

Polymorphism of varying degrees of complexity is found in viruses of all types - from boot and file DOS viruses to Windows viruses and even macro viruses.

Most questions concern the term "polymorphic virus". This kind of computer virus seems to be the most dangerous today.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not match in a single bit.

Such viruses not only encrypt their code using different encryption paths, but also contain code that generates the encryptor and decryptor, which distinguishes them from ordinary encrypting viruses, which can also encrypt sections of their code but have a constant encryptor and decryptor code.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption is that, even with both an infected and the original file at hand, the code still cannot be analysed by ordinary disassembly: it is encrypted and is a meaningless set of commands. Decryption is performed by the virus itself during execution. Here several variants are possible: it can decrypt itself all at once, it can decrypt "on the fly", or it can re-encrypt sections that have already been used. All this is done to make analysis of the virus code harder.

Polymorphic decryptors

Polymorphic viruses use complex algorithms to generate the code of their decryptors: instructions (or their equivalents) are rearranged from infection to infection and diluted with commands that change nothing, such as NOP, STI, CLI, STC, CLC, DEC of an unused register, XCHG of unused registers, etc.

Full-fledged polymorphic viruses use even more complex algorithms, as a result of which the decryptor may contain the operations SUB, ADD, XOR, ROR, ROL and others in arbitrary number and order. Loading and changing keys and other encryption parameters is also performed by an arbitrary set of operations, in which almost all instructions of the Intel processor can be found (ADD, SUB, TEST, XOR, OR, SHR, SHL, ROR, MOV, XCHG, JNZ, PUSH, POP, ...) with all possible addressing modes. Polymorphic viruses have also appeared whose decryptor uses instructions up to the Intel 386, and in the summer of 1997 a 32-bit polymorphic virus that infects Windows 95 EXE files was discovered. There are now polymorphic viruses that can also use the various instructions of modern processors.

As a result, at the beginning of a file infected with such a virus there is a set of instructions that is meaningless at first glance, and some quite functional combinations are not accepted by commercial disassemblers (for example, the combination CS:CS: or CS:NOP). Among this "mess" of commands and data, MOV, XOR, LOOP and JMP occasionally slip through: the instructions that actually do the "work".

Levels of polymorphism

Polymorphic viruses are divided into levels depending on the complexity of the code found in their decryptors. This division was first proposed by Dr. Alan Solomon and some time later extended by Vesselin Bontchev.

Level 1: viruses that have a certain set of decryptors with constant code and choose one of them when infecting. Such viruses are "semi-polymorphic" and are also called "oligomorphic". Examples: "Cheeba", "Slovakia", "Whale".
Level 2: the virus decryptor contains one or more constant instructions, but the main part of it is non-constant.
Level 3: the decryptor contains unused instructions, "garbage" such as NOP, CLI, STI, etc.
Level 4: the decryptor uses interchangeable instructions and reorders (shuffles) instructions. The decryption algorithm does not change.
Level 5: all of the above techniques are used, the decryption algorithm is not constant, and re-encryption of the virus code and even partial encryption of the decryptor code itself are possible.
Level 6: permutating viruses. The main code of the virus itself changes: it is divided into blocks which are rearranged in random order on infection. The virus remains functional. Such viruses may be unencrypted.

The above division is not free of shortcomings, since it is made according to a single criterion: the ability to detect the virus by its decryptor code using the standard technique of virus masks:

Level 1: to detect the virus, it is enough to have several masks
Level 2: detection by mask using "wildcards"
Level 3: detection by mask after removing "garbage" instructions
Level 4: the mask contains several possible code variants, i.e. becomes algorithmic
Level 5: the virus cannot be detected using a mask
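The following is an added example (not from the article) of what "detection by mask" means at Levels 1 to 4: exact masks, wildcard masks, masks after garbage removal, and a set of alternative masks. The decryptor loop it matches is a constructed stand-in (mov si,offset / mov cx,length / mov al,key / xor [si],al / inc si / loop) whose key, length, padding and instruction order vary between "infections" while the algorithm stays constant; the instruction-length table covers only the opcodes used here and is a deliberate simplification of a real decoder.

```python
"""Virus-mask detection of a constant-algorithm decryptor at polymorphism
Levels 1-4, over constructed 16-bit x86 byte sequences.

Added example, not from the article. Only the key, length, offset, padding
and instruction order vary between the samples; the algorithm does not,
which is exactly what a mask can still catch. Level 5 (non-constant
algorithm) is where this approach fails."""
from typing import Dict, List, Optional

Mask = List[Optional[int]]          # None stands for a '??' wildcard byte

# One-byte padding instructions a Level-3 decryptor dilutes itself with.
GARBAGE = {0x90: "NOP", 0xFB: "STI", 0xFA: "CLI", 0xF9: "STC", 0xF8: "CLC"}


def insn_len(code: bytes, i: int) -> int:
    """Length of the 8086 instruction at code[i], for the few opcodes used
    here (a real scanner needs a full decoder). 0 = unknown opcode."""
    op = code[i]
    if op in GARBAGE or 0x40 <= op <= 0x4F:         # padding, INC/DEC r16
        return 1
    if 0xB0 <= op <= 0xB7 or op == 0xE2:           # MOV r8,imm8 ; LOOP rel8
        return 2
    if 0xB8 <= op <= 0xBF:                         # MOV r16,imm16
        return 3
    # XOR r/m8,r8 with mod=00 and a register-indirect operand such as [si]
    # (assumes rm != 110, which would carry a 16-bit displacement).
    if op == 0x30 and i + 1 < len(code) and (code[i + 1] >> 6) == 0:
        return 2
    return 0


def strip_garbage(code: bytes) -> bytes:
    """Level-3 normalisation: drop padding at instruction boundaries only.
    Filtering raw bytes instead would also eat operands such as a LOOP
    displacement of 0xFA, which happens to equal the CLI opcode."""
    out = bytearray()
    i = 0
    while i < len(code):
        n = insn_len(code, i)
        if n == 0:                       # undecodable: keep the rest as is
            out += code[i:]
            break
        if code[i] not in GARBAGE:
            out += code[i:i + n]
        i += n
    return bytes(out)


def parse_mask(text: str) -> Mask:
    """'BE ?? ?? B9' -> [0xBE, None, None, 0xB9]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_mask(code: bytes, mask: Mask) -> int:
    """Offset of the first match of the mask in code, or -1."""
    for start in range(len(code) - len(mask) + 1):
        if all(m is None or code[start + k] == m for k, m in enumerate(mask)):
            return start
    return -1


def scan(code: bytes, masks: Dict[str, str], remove_garbage: bool = False) -> Optional[str]:
    """Name of the first mask that matches (a Level-4 'algorithmic' mask is
    just a set of alternatives), or None."""
    data = strip_garbage(code) if remove_garbage else code
    for name, text in masks.items():
        if find_mask(data, parse_mask(text)) >= 0:
            return name
    return None


# Constructed "infections" of the same decryptor loop (not real virus code).
PLAIN = bytes.fromhex("BE1001 B93412 B05A 3004 46 E2FB")          # fixed values
KEYED = bytes.fromhex("BE2001 B90010 B0A7 3004 46 E2FB")          # Level 2: new key/len
GARBAGED = bytes.fromhex("BE1001 90FB B93412 F9 B05A 9090 3004 46 FA E2FA")  # Level 3
REORDERED = bytes.fromhex("B93412 BE1001 B05A 3004 46 E2FB")      # Level 4: swapped movs

MASKS = {
    "level1_exact": "BE 10 01 B9 34 12 B0 5A 30 04 46 E2 FB",
    "level2_wildcards": "BE ?? ?? B9 ?? ?? B0 ?? 30 04 46 E2 ??",
    "level4_reordered": "B9 ?? ?? BE ?? ?? B0 ?? 30 04 46 E2 ??",
}

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("keyed", KEYED),
                          ("garbaged", GARBAGED), ("reordered", REORDERED)):
        print(label, scan(sample, MASKS), scan(sample, MASKS, remove_garbage=True))
```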

The insufficiency of this division is demonstrated by a virus of the 3rd level of polymorphism called "Level3". This virus, one of the most complex polymorphic viruses, falls into Level 3 according to the division above, since it has a constant decryption algorithm preceded by a large number of "garbage" commands. However, in this virus the garbage generation algorithm has been brought to perfection: almost all instructions of the i8086 processor can be found in the decryptor code.

If the levels are defined from the point of view of antiviruses that use systems for automatically decrypting virus code (emulators), then the division will depend on the complexity of emulating the virus code. A virus can also be detected by other methods, for example decryption using elementary mathematical laws, etc.

Therefore, a more objective division seems to me to be one in which, in addition to the virus-mask criterion, other parameters also participate:

The degree of complexity of the polymorphic code (the percentage of all processor instructions that can be found in the decryptor code)
Use of anti-emulation techniques
Constancy of the decryptor algorithm
Constancy of the decryptor length

Changing Executable Code

Most often this method of polymorphism is used by macro viruses, which, when creating new copies of themselves, randomly change the names of their variables, insert empty lines or change their code in some other way. Thus the algorithm of the virus remains unchanged, but its code changes almost completely from infection to infection.

This method is used less often by complex boot viruses. Such viruses write only a fairly short procedure into the boot sector, which reads the main virus code from the disk and transfers control to it. The code of this procedure is chosen from several different variants (which can also be mixed with "empty" commands), the commands are rearranged, and so on.

This technique is even less common in file viruses, since they have to change their code completely, which requires quite complex algorithms. To date only two such viruses are known; one of them ("Ply") randomly moves its commands around its body and replaces them with JMP or CALL commands. The other ("TMC") uses a more complex method: on each infection the virus swaps blocks of its code and data, inserts "garbage", sets new offset values for data in its assembly instructions, changes constants, and so on. As a result, although the virus does not encrypt its code, it is a polymorphic virus: there is no constant set of commands in its code. Moreover, when creating new copies of itself, the virus changes its length.

Viruses by type of destructive action

By the type of destructive action, viruses can be divided into three groups:

Information viruses (first generation viruses)

The so-called first-generation viruses are all currently existing viruses whose actions are aimed at destroying, modifying or stealing information.

Hardware viruses (second generation viruses)

This type of virus can damage the computer hardware: for example, erase or corrupt the BIOS, or disrupt the logical structure of the hard disk in such a way that it can only be restored by low-level formatting (and not always). The only representative of this species is the most dangerous virus that has ever existed, the Win95.CIH "Chernobyl" virus. At one time this virus disabled millions of computers. It erased the program from the BIOS, thereby disabling the computer, and it also destroyed all the information on the hard drive so that it was almost impossible to restore.

Currently no hardware viruses have been detected "in the wild". But experts are already predicting the emergence of new viruses of this kind that will be able to infect the BIOS. To protect against such viruses, it is planned to install special jumpers on each motherboard that block writing to the BIOS.

Psychotropic viruses (third generation viruses)

These viruses are capable of killing a person by affecting him through the computer monitor or speakers. By reproducing certain sounds at a given frequency, or a certain flickering of different colours on the screen, psychotropic viruses can cause an epileptic seizure (in people prone to them), cardiac arrest or a cerebral haemorrhage.

Fortunately, no such viruses are known to actually exist today. Many experts question whether this type of virus can exist at all. But one thing is certain: psychotropic technologies for influencing a person through sound or images have long existed (not to be confused with the "25th frame"). It is very easy to cause an epileptic seizure in a person prone to them. Several years ago there was a buzz in some media about the appearance of a new virus called "666". After every 24 frames, this virus displays on the screen a special colour combination that can change the viewer's life. As a result, the person enters a hypnotic trance and the brain loses control over the functioning of the body, which can lead to a painful condition, a change in the heart's rhythm, blood pressure, etc. But colour combinations are not prohibited by law today. Therefore they can appear on screens quite legally, although the results of their influence can be catastrophic for all of us.

An example of such an impact is the "Pokemon" cartoon: after one of its episodes was shown in Japan, hundreds of children were hospitalised with severe headaches and cerebral haemorrhage. Some of them died. The cartoon contained frames with an intense generation of a certain palette of colours, typically red flashes on a black background in a certain sequence. After this incident the cartoon was BANNED from being shown in Japan.

Another example can be given. Everyone probably remembers what happened in Moscow after the broadcast of our national football team's match against the Japanese team (if I'm not mistaken). Yet all the big screen showed was a video of a man with a bat smashing a car. This is also a psychotropic effect: having seen the video, "people" began to destroy everything and everyone in their path.

Materials and data were taken from resources:
http://www.stopinfection.narod.ru
http://hackers100.narod.ru
http://broxer.narod.ru
http://www.viruslist.com
http://logic-bratsk.ru
http://www.offt.ru
http://www.almanet.info


Almost every computer owner, even one not yet familiar with viruses, has certainly heard various tales and stories about them, most of which are, of course, exaggerated by other novice users.

So what is a virus?

A virus is a self-replicating program. Many viruses do nothing destructive to your PC at all; some, for example, do a little mischief: display a picture on the screen, start unnecessary services, open adult web pages, etc. But there are also those that can make your computer fail, format the disk or corrupt the motherboard BIOS.

To begin with, it is probably worth examining the most popular myths about viruses circulating on the Internet.

1. Antivirus - protection against all viruses

Unfortunately, it is not. Even with a sophisticated antivirus with the latest database, you are not immune from a virus attack. However, you will be more or less protected from known viruses; only new ones, unknown to the antivirus database, will pose a threat.

2. Viruses spread with any files

This is wrong. For example, viruses do not spread with music, videos or pictures. But it often happens that a virus disguises itself as such a file, tricking an inexperienced user into making a mistake and launching a malicious program.

3. If you become infected with a virus, your PC is under serious threat

This is also not true. Most viruses do nothing at all; it is enough for them simply to infect programs. But in any case it is worth paying attention: at least check the entire computer with an antivirus with the latest database. If you got infected with one, why couldn't you get a second?!

4. Not using e-mail is a guarantee of safety

I'm afraid this won't help. It happens that you receive e-mails from unfamiliar addresses. It is best simply not to open them, deleting them and emptying the trash immediately. Usually the virus arrives in an e-mail as an attachment, and if you launch it, your PC will be infected. It is quite easy to protect yourself: do not open e-mails from strangers. It is also a good idea to set up anti-spam filters.

5. If you copied an infected file, you are infected

In general, until you run the executable file, the virus, like any ordinary file, will simply sit on your disk and do nothing bad to you.

Types of computer viruses

The very first viruses (history)

This story began around the 1960s and 70s in laboratories in the USA. Besides the usual programs, the computers there also ran programs that worked on their own, controlled by no one. And everything would have been fine had they not heavily loaded the computer and wasted its resources.

Some ten years later, by the 80s, there were already several hundred such programs. In 1984, the term “computer virus” itself appeared.

Such viruses usually did not hide their presence from the user in any way. Most often they interfered with his work by displaying messages.

In 1985, the first dangerous (and, most importantly, rapidly spreading) computer virus, Brain, appeared. It was, however, written with good intentions: to punish pirates who illegally copied programs. The virus only acted on illegal copies of software.

The heirs of the Brain virus lived on for about another ten years, and then their numbers began to decline sharply. They did not act cleverly: they simply wrote their body into a program file, thereby increasing its size. Antiviruses quickly learned to check file sizes and find infected files.

Software viruses

Following the viruses that attached themselves to the body of a program, new types began to appear, in the form of a separate program. But the main difficulty is how to force the user to run such a malicious program. It turns out to be very simple! It is enough to name it as a crack for some program and post it on the network. Many people will simply download it and, despite all the antivirus warnings (if there is one), launch it anyway...

In 1998-1999, the world was shaken by the most dangerous virus yet, Win95.CIH. It corrupted the motherboard BIOS. Thousands of computers around the world were put out of action.

Viruses also spread through e-mail attachments.

In 2003, the SoBig virus was able to infect hundreds of thousands of computers due to the fact that it itself was attached to letters sent by the user.

The main defence against such viruses: regularly update the Windows OS and install an antivirus. Also refuse to run any programs obtained from dubious sources.

Macro viruses

Many users probably do not even suspect that, in addition to executable exe or com files, ordinary Microsoft Word or Excel files can pose a very real threat. How is this possible? The VBA programming language was built into these editors at one time so that macros could be added to documents as an extension. If you replace them with your own macro, you may well end up with a virus...

Today, almost all versions of office programs, before opening a document from an unfamiliar source, will ask whether you really want to run the macros from this document; if you click “no”, nothing will happen even if the document contained a virus. The paradox is that most users click “yes” themselves...

One of the most famous macro viruses is Melissa, which peaked in 1999. The virus infected documents and sent an infected letter to your contacts via Outlook. Thus, in a short period of time, tens of thousands of computers around the world were infected!

Script viruses

Macro viruses, as a specific type, belong to the group of script viruses. The point is that not only Microsoft Office products use scripts; other software packages contain them too, for example Media Player and Internet Explorer.

Most of these viruses are spread through e-mail attachments. Often the attachments are disguised as some newfangled picture or piece of music. In any case, do not launch, or better yet do not even open, attachments from unfamiliar addresses.

Users are often misled by file extensions... It has long been known that pictures are safe, so why not open a picture that arrived in the mail? By default, Explorer does not show file extensions, and if you see a picture name like “interesnoe.jpg”, that does not mean the file actually has that extension.

To see extensions, enable the following option.

Windows 7 serves as the example. Open any folder and click “Organize / Folder and search options” to reach the “View” tab. There is our treasured check box.

Uncheck the option “Hide extensions for registered file types”, and also enable “Show hidden files and folders”.

Now, if you look at the picture that was sent to you, it may well turn out that “interesnoe.jpg” suddenly became “interesnoe.jpg.vbs”. That's the whole trick. Many novice users have fallen for this trap more than once, and will continue to fall for it...
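To make the trick concrete, here is an added example (not from the original article) that mimics how Explorer hides the final extension and flags attachment names whose displayed form looks like a harmless picture or document while the real extension runs code. The extension lists and sample names are constructed assumptions.

```python
# Added example (not from the original article): mimics Explorer's
# "hide extensions for registered file types" behaviour and flags attachment
# names that look like harmless media once the real extension is hidden.
# The extension lists are constructed assumptions, not exhaustive.
import os

# Types a user is trained to consider safe (constructed list).
BENIGN_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp3", ".avi",
                  ".txt", ".doc", ".pdf"}
# Types Windows runs as code on double-click (constructed, not exhaustive).
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
              ".js", ".jse", ".wsf", ".hta"}


def displayed_name(filename: str, hide_extensions: bool = True) -> str:
    """Return the name as Explorer shows it: with the option on, the final
    extension is dropped, so 'interesnoe.jpg.vbs' is shown as 'interesnoe.jpg'."""
    if not hide_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename: str) -> str:
    """'deceptive' when the real extension runs code but the shown name looks
    like media/document; 'executable' for an honest executable; 'ok' otherwise.
    Comparison is case-insensitive, as Windows treats extensions."""
    real_ext = os.path.splitext(filename)[1].lower()
    if real_ext not in EXECUTABLE:
        return "ok"
    apparent_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return "deceptive" if apparent_ext in BENIGN_LOOKING else "executable"


def triage(names):
    """Return the subset of attachment names a mail filter should hold back."""
    return [n for n in names if classify(n) != "ok"]


if __name__ == "__main__":
    # Constructed attachment names, including the trick from the text above.
    sample = ["interesnoe.jpg.vbs", "photo.jpg", "PHOTO.JPG.EXE", "setup.exe", "notes.txt"]
    for n in sample:
        print(f"{n:22s} shown as {displayed_name(n):16s} -> {classify(n)}")
```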

The main protection against script viruses is to update the OS and antivirus in good time. Also avoid viewing suspicious emails, especially those containing incomprehensible files... It also would not hurt to regularly back up important data. Then you will be 99.99% protected from any threat.

Trojans

Although this species is classed as a virus, strictly speaking it is not one. Trojans penetrate your PC in much the same way as viruses, but their tasks differ. If a virus's goal is to infect as many computers as possible and perform actions such as deleting files or opening windows, a Trojan program as a rule has one goal: to copy your passwords for various services and learn certain information. It often happens that a Trojan can be controlled over the network, and on its owner's orders it can instantly reboot your PC or, even worse, delete some files.

One more feature is worth noting. Whereas viruses often infect other executable files, Trojans do not: a Trojan is a self-sufficient separate program that works on its own. It often disguises itself as some kind of system process so that a novice user would find it hard to catch.

To avoid becoming a victim of Trojans, firstly, do not download files such as Internet hacking tools, cracks for programs, etc. Secondly, in addition to the antivirus you will need a special program, for example The Cleaner, Trojan Remover, AntiViral Toolkit Pro, etc. Thirdly, it would not be superfluous to install a firewall (a program that controls other applications' Internet access) configured manually, so that all suspicious and unknown processes are blocked by you. If the Trojan does not get access to the network, half the job is done: at least your passwords will not go anywhere...

To summarize, all the measures and recommendations described will be useless if the user himself, out of curiosity, launches files, disables anti-virus programs, etc. The paradox is that in 90% of cases infection occurs through the fault of the PC owner. In order not to fall into those 10%, it is enough to run a check now and then. Then you can be almost 100% sure that everything will be OK!

Types of computer viruses

There is not a person today who has not heard of computer viruses. What are they, and what types of computer viruses and malware exist? Let's try to figure that out in this article. Computer viruses can be divided into the following types:

Adware

Advertising programs are programs that, in addition to their main function, also display advertising banners and all kinds of pop-up windows. Such advertising can sometimes be quite difficult to hide or disable. Such programs rely on the behaviour of computer users and are problematic from the point of view of system security.

Backdoors

Hidden administration utilities allow bypassing security systems and taking control of the computer on which they are installed. A program running in stealth mode gives the hacker unlimited rights to control the system. With the help of such backdoor programs, it is possible to gain access to the user's personal and private data. Often such programs are used to infect the system with computer viruses and to covertly install malware without the user's knowledge.

Boot viruses

The master boot sector of your hard disk is often attacked by special boot viruses. Viruses of this type replace information necessary for the normal start of the system. One consequence of such a malicious program is the inability to boot the operating system...

Bot network

A bot network (botnet) is a full-fledged network on the Internet that is administered by an attacker and consists of many infected computers interacting with each other. Control over such a network is achieved using viruses or Trojans that penetrate the system. While operating, the malware does not manifest itself in any way, awaiting commands from the attacker. Such networks are used for sending spam or for organizing DDoS attacks against target servers. Interestingly, the users of infected computers may have no idea what is happening on the network.

Exploit

An exploit (literally a security hole) is a script or program that exploits specific holes and vulnerabilities in the OS or in some program. In this way programs penetrate the system, and with their help administrator access rights can be obtained.

Hoax (literally: joke, lie, deception)

For several years now, many Internet users have been receiving emails about viruses allegedly being distributed via e-mail. Such warnings are sent out en masse with a tearful request to forward them to all the contacts in your address book.

Traps

A honeypot is a network service whose task is to monitor the entire network and record attacks when an outbreak occurs. The average user is completely unaware that such a service exists. If a hacker explores and probes the network for gaps, he may take advantage of the services such a trap offers. This is recorded in the log files and also triggers an automatic alarm.

Macro viruses

Macro viruses are very small programs written in an application's macro language. Such programs are distributed only among documents created specifically for that application.

To activate such a malicious program, the application must be launched and an infected macro file executed. The difference from ordinary viruses is that the infection lives in application documents, not in application startup files.

Pharming

Pharming is the hidden manipulation of the browser's hosts file in order to direct the user to a fake website. Fraudsters maintain large servers storing a large database of fake Internet pages. By manipulating the hosts file using a Trojan or virus, it is quite possible to control the infected system. As a result, the infected system will only load fake sites, even if you enter the address correctly in the browser.

Phishing

Phishing literally means “fishing” for a user's personal information on the Internet. The attacker sends the potential victim an email stating that personal information must be sent for confirmation. Often this is the user's first and last name, passwords, or PIN codes for accessing online accounts. Using such stolen data, a hacker may well impersonate the victim and carry out any actions on his behalf.

Polymorphic viruses

Polymorphic viruses are viruses that use camouflage and transformation in their work. In the process they can change their own program code and are therefore very difficult to detect, because the signature changes over time.

Software viruses

A computer virus is a common program that can independently attach itself to other running programs, thus affecting their operation. Viruses independently distribute copies of themselves; this significantly distinguishes them from Trojan programs. Also, the difference between a virus and a worm is that in order to work, a virus needs a program to which it can attach its code.

Rootkit

A rootkit is a specific set of software that is covertly installed on the user's system and ensures that the cybercriminal's login and various processes are hidden, while copying the data.

Script viruses and worms

These types of computer viruses are quite simple to write and are spread mainly through e-mail. Script viruses use scripting languages in order to add themselves to newly created scripts or to spread through operating network functions. Infection often occurs via e-mail or as a result of file exchange between users. A worm is a program that reproduces itself without infecting other programs in the process. When worms reproduce, they cannot become part of other programs, which distinguishes them from common types of computer viruses.

Spyware

Spyware can send the user's personal data to third parties without his knowledge. At the same time, spyware analyzes the user's behaviour on the Internet and, based on the collected data, shows the user advertisements or pop-up windows that are sure to interest him.

Macro viruses.

The most widespread are macro viruses for the integrated office suite Microsoft Office (Word, Excel, PowerPoint and Access). Macro viruses are in fact macros in the built-in programming language Visual Basic for Applications (VBA) that are placed in a document.

When working with a document, the user performs various actions: opens the document, saves, prints, closes it, etc. Each time, the application looks for and executes the corresponding standard macro. Macro viruses contain macros with these standard names, are called in their place, and infect every document that is opened or saved. The harmful actions of macro viruses are implemented with built-in macro commands (inserting text, prohibiting the execution of application menu commands, etc.).

Macro viruses are limitedly resident, that is, they reside in RAM and infect documents while the application is open.

In August 1995, the epidemic of the first macro virus “Concept” began for word processor Microsoft Word. The Concept macro virus is still widespread, and about 100 of its modifications are currently known.

Preventive protection against macro viruses consists of preventing the virus from starting. When you open a document in a Microsoft Office application, you are notified of the presence of macros (potential viruses) in it and asked whether to block them. Choosing to block the macros reliably protects your computer from infection by macro viruses, but also disables the useful macros the document may contain.

A special type of virus is active elements (programs) written in JavaScript or VBScript that can be contained in web page files. Infection of the local computer occurs when they are transmitted over the World Wide Web from Internet servers to the browser on the local computer.

In November 1998, the first script virus VBScript.Rabbit appeared, infecting scripts on Web pages, and a year and a half later, in May 2000, a global epidemic of the script virus “LoveLetter” broke out. Now this type of virus firmly holds first place in the list of the most common and dangerous viruses.

Preventative protection against script viruses consists of preventing the browser from receiving active elements on the local computer.

KNOW

Computer viruses are malicious programs that can “multiply” and secretly inject copies of themselves into executable files, disk boot sectors and documents. Activation of a computer virus can cause the destruction of programs and data.



The consequences of viruses are varied. Based on the magnitude of their harmful effects, viruses can be divided into:

  • non-hazardous, the impact of which is limited by a decrease in free memory on the disk, graphic, sound and other external effects;
  • dangerous, which can lead to failures and freezes during computer operation;
  • very dangerous, the activation of which can lead to loss of programs and data (change or deletion of files and directories), formatting of the hard drive, etc.

Currently, several tens of thousands of viruses are known that infect computers running various operating systems. Based on the way they store and execute their code, viruses can be divided into boot, file, macro and script viruses.

Boot viruses infect the boot sector of a floppy or hard disk. The operating principle of boot viruses is based on algorithms for starting the operating system when the computer is turned on or rebooted.

File viruses are embedded in executable files in various ways and are usually activated when they are launched. After running an infected file, the virus resides in the computer’s RAM and remains active until the computer is turned off or the operating system is restarted.

Macro viruses are limitedly resident, that is, they reside in RAM and infect documents while the application is open. In addition, macro viruses infect document templates and are therefore activated when the infected application is launched.

Control questions

1. What types of computer viruses exist, how do they differ from each other, and what should be the prevention of infection?

2. Why can even a clean formatted floppy disk become a source of virus infection?

3. Using the Virus Encyclopedia, familiarize yourself with the classification of viruses and methods of anti-virus protection.

A virus is a program capable of creating copies of itself (not necessarily identical to the original) and introducing them into files, system areas of a computer, computer networks, as well as carrying out other destructive actions. At the same time, copies retain the ability to be further distributed. A computer virus is a type of malicious program.

A malicious program is a computer program or portable code designed to implement threats to information stored in a computer system, or for hidden misuse of computer resources, or other impacts that impede the normal functioning of the computer system. Malicious programs include computer viruses, Trojans, network worms, etc.

2. Virus life cycle.

Since a distinctive feature of viruses in the traditional sense is the ability to reproduce within one computer, viruses are divided into types in accordance with the methods of reproduction.

The reproduction process itself can be divided into several stages:

– Computer penetration

– Virus activation

– Search for objects to infect

– Preparation of virus copies

– Introduction of viral copies

The implementation features of each stage give rise to attributes, the set of which actually determines the class of the virus.

3. Macroviruses. Script viruses. Give examples.

Macro viruses are viruses written in macro language and executed in the environment of an application. In the vast majority of cases, we are talking about macros in Microsoft Office documents.

Examples. Some of the most destructive macro viruses belong to the Macro.Word97.Thus family. These viruses contain three procedures, Document_Open, Document_Close and Document_New, which replace the standard macros executed when a document is opened, closed or created, thereby infecting other documents. On December 13 the destructive function triggers: the virus deletes all files on the C: drive, including directories and subdirectories. The Macro.Word97.Thus.aa modification, in addition to these actions, selects a random file on the local disk each time an infected document is opened and encrypts the first 32 bytes of that file, gradually rendering the system inoperable.
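The standard-name mechanism described earlier (the application calling Document_Open and similar macros automatically) and the Thus example above share one detection angle: an auto-executing handler combined with file-deletion or mail-automation calls. Here is an added example, not from the original text, of a heuristic scanner over exported VBA source; the indicator list, the sample macros and their placeholder path are constructed assumptions.

```python
# Added example (not from the original text): a heuristic scanner for VBA source
# that flags the auto-executing entry points described above (Document_Open,
# Document_Close, Document_New, AutoOpen, ...) together with calls a macro virus
# needs to spread or do damage. Input is plain VBA text (e.g. an olevba export).
import re
from dataclasses import dataclass, field

# Procedure names Word/Excel run automatically on document events.
AUTO_EXEC = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
             "document_open", "document_close", "document_new",
             "workbook_open", "workbook_beforeclose", "auto_open", "auto_close"}

# Tokens worth a second look, with the reason (constructed heuristic list).
SUSPICIOUS = {
    "kill": "deletes files",
    "shell": "starts an external program",
    "createobject": "instantiates COM objects (Outlook, WScript.Shell, ...)",
    "outlook.application": "automates the mail client (mass mailing)",
    "vbproject": "reads/writes VBA code (copying macros into other documents)",
    "normaltemplate": "touches Normal.dot(m), the template every document loads",
}

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+|Friend\s+)?(?:Sub|Function)\s+(\w+)", re.I)


@dataclass
class VbaReport:
    entry_points: list = field(default_factory=list)  # auto-executing procedures
    indicators: list = field(default_factory=list)    # (line_no, token, reason)

    @property
    def risky(self) -> bool:
        # Auto-execution alone is common in legitimate templates; combined with
        # destructive or self-propagation calls it is the macro-virus pattern.
        return bool(self.entry_points) and bool(self.indicators)


def scan_vba(source: str) -> VbaReport:
    report = VbaReport()
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip().lower()
        if stripped.startswith("'") or stripped.startswith("rem "):
            continue  # VBA comment line
        m = PROC_RE.match(line)
        if m and m.group(1).lower() in AUTO_EXEC:
            report.entry_points.append(m.group(1))
        for token, reason in SUSPICIOUS.items():
            if re.search(r"(?<!\w)" + re.escape(token) + r"(?!\w)", stripped):
                report.indicators.append((line_no, token, reason))
    return report


# Constructed sample with the Thus-like shape: three event handlers, a date
# trigger and a file-deletion call on a placeholder path.
SAMPLE_THUS_LIKE = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' a real infector would copy itself into the template here
    If Month(Now) = 12 And Day(Now) = 13 Then Kill "<placeholder>"
End Sub
Private Sub Document_Close()
    Set mailer = CreateObject("Outlook.Application")
End Sub
Private Sub Document_New()
End Sub
"""

# Constructed benign macro: no auto-execution and no file or mail access.
SAMPLE_BENIGN = """\
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""
```

Running `scan_vba(SAMPLE_THUS_LIKE)` reports the three handlers plus the Kill and Outlook indicators and marks the source risky; the benign macro yields nothing.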

Script viruses are viruses executed in the environment of a specific command shell: previously, .bat files in the DOS command shell; now, more often, VBS and JS scripts under the Windows Scripting Host (WSH).

Examples. Virus.VBS.Sling is written in VBScript (Visual Basic Script). When launched, it looks for files with .VBS or .VBE extensions and infects them. When the 16th of June or July comes, the virus, when launched, deletes all files with the .VBS and .VBE extensions, including itself.

Virus.WinHLP.Pluma.a is a virus that infects Windows help files. When an infected help file is opened, a viral script is executed which, by a non-trivial method (essentially a vulnerability in script processing), launches a piece of code contained in the script for execution as a regular Windows executable. The running code searches the disk for help files and injects an autorun script into their System area.