Resident and non-resident viruses

Most users have run into the notion of a computer virus at least once. Fewer know that one basic classification of threats splits them into two large categories: non-resident and resident viruses. This article dwells on the second category, because its representatives are the most dangerous, and some of them survive even formatting of a disk or logical partition.

What are resident viruses?

So what does the user face? To explain the structure and working principles of such viruses in simplified form, it is worth first saying what a resident program is at all.


Resident programs are those that stay loaded and keep working in the background for the whole session; an ordinary real-time anti-virus monitor is an example. A threat that gets into the system the same way not only stays in the computer's memory permanently but also creates copies of itself. The copies then monitor the system and move around in it, which makes finding them considerably harder. Some threats can also change their own structure, so detection by the usual methods becomes almost impossible. How to get rid of viruses of this type is discussed later; first, the main varieties of resident threats.


DOS threats

In the beginning, when ordinary users had neither Windows nor UNIX-like systems and talked to the computer at the command line, the operating system was DOS, which stayed at the peak of popularity for a long time.

It was for these systems that the first non-resident and resident viruses were written; their action was at first aimed at disrupting the system or deleting user files and folders.

The working principle of such threats, which is still widely used, is that they intercept calls to files and then infect the object that was called; most threats known today still work this way. A virus installs itself in the system either by creating a resident module in the form of a driver listed in the CONFIG.SYS configuration file, or by using the DOS "Keep" function (Terminate and Stay Resident, INT 21h function 31h) and hooking interrupts such as INT 21h so that every file operation passes through it.

Worse still is when a resident virus of this type allocates memory for itself directly. First the virus "cuts off" a piece of free memory, marks the area as occupied, and then stores its own copy there. Saddest of all, copies have been found in video memory, in areas reserved for the clipboard, in the interrupt vector table, and in DOS work areas.

All this makes resident copies very tenacious. Unlike non-resident viruses, which work only while an infected program is running, a resident virus is loaded again each time an infected program or boot sector runs, so it reappears after a reboot. In addition, whenever an infected object is accessed the virus can create a further copy of itself in RAM. The result can be an immediate system hang. As should already be clear, disinfection of viruses of this type should be done with special scanners, preferably not ones installed on the infected system but portable ones, or ones that boot from optical disc or USB media. More on that later.

Boot threats

Boot viruses get into the system by a similar method, but they behave more cunningly. First the virus "eats" a piece of system memory: it reduces the amount of memory the BIOS reports (usually by 1 KB, sometimes by as much as 30 KB), copies its own code into the area it has just hidden, hooks the disk interrupt, and only then loads and passes control to the original boot sector. Because the copy sits above the memory the operating system believes exists, DOS never overwrites it, and the same sequence repeats on every restart from the infected disk.

Besides hooking interrupts, such viruses can write their own code into the boot sector or the Master Boot Record (MBR). Less often they intercept BIOS or DOS interrupts directly, and some load themselves only once, without checking whether a copy is already resident.

Viruses under Windows

With the arrival of Windows, virus development unfortunately reached a new level. Today Windows of any version is regarded as the most attacked system, despite the effort Microsoft's specialists have put into its security components.

Viruses written for Windows work on principles similar to the DOS threats, but there are many more ways to get into the computer. Of the most common, three main ways in which a virus can install its own code stand out:

  • registering itself as an application that is running at the moment;
  • allocating a memory block and writing its own copy into it;
  • running in the system as a VxD driver, or disguised as a Windows NT driver.

Infected files or areas of system memory can in principle be cleaned by the standard methods used in anti-virus scanners (detection by virus mask, comparison with signature databases, and so on). Unpretentious free programs, however, may fail to detect a virus, and sometimes produce false alarms. It is therefore better to use portable utilities such as Dr.Web CureIt! or the Kaspersky Lab tools; today there are plenty of utilities of this kind.

Macro viruses

This is another variety of threat. The name comes from "macro", an executable applet or add-in used in some editors. Not surprisingly, such a virus is launched when the program starts (Word, Excel, etc.), when an office document is opened or printed, when a menu item is invoked, and so on.

Such threats, in the form of auto-executing macros (Word's AutoOpen and its relatives), stay in memory for as long as the editor is running. Getting rid of viruses of this type is, on the whole, simple. Sometimes it is enough to disable add-ins or macros in the editor itself, or to use the anti-virus protection built into the applications, not to mention a normal quick scan with an anti-virus package.

Viruses based on stealth technology

Now let's look at masking viruses; they did not get their name from the invisible aircraft for nothing.

The essence of their operation is that they pass themselves off as a system component, so identifying them by conventional means is sometimes quite difficult. Macro viruses, boot threats and DOS viruses can all be built this way. The claim sometimes made that stealth viruses have not been developed for Windows is outdated: hiding files, processes and registry keys from the operating system's own enumeration calls (rootkit techniques) has long been used on Windows, which is one more reason to scan from a clean boot medium rather than from inside the infected system.

File varieties

In a general sense all viruses can be called file viruses, because in one way or another they affect the file system and the files in it, whether by infecting them with their own code, encrypting them, or making them inaccessible through damage or deletion.

The best-known examples are modern encrypting viruses (ransomware) and the infamous ILOVEYOU (a VBScript worm that overwrote files rather than encrypting them). With ransomware, disinfection without the decryption key is not merely difficult but often impossible, and even the leading anti-virus developers can do nothing: the files are encrypted with a strong symmetric cipher such as AES-256, and the file key is in turn protected with the attacker's asymmetric key (commonly RSA-2048). There is no "AES-1024"; AES keys are 128, 192 or 256 bits long, and even the shortest of them is beyond brute force. Trying every possible key would take far longer than any number of decades, so it is not a practical route at all.

Polymorphic threats

Finally, another kind of threat uses what is called polymorphism. What is that? The virus constantly changes its own code on the basis of a so-called floating key: the body is stored encrypted with a key that differs from copy to copy, and the small decryption routine is itself rewritten each time.

In other words, it cannot be detected by a mask, because, as we see, it changes not only its code structure but also the key needed to decode it. To fight such problems special polymorphic decoders (decryptors) are used, which run or emulate the decryption routine in order to recover the constant body. In practice they cope only with the simplest viruses; more complex algorithms are, alas, mostly beyond them. It is also worth noting that the code changes in such viruses produce copies whose length may differ from the original quite substantially.
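Added example, not part of the original article: a constructed model of the "floating key" problem and of what a polymorphic decoder does about it. The payload bytes, the `DEC` stub format (a marker, a key-length byte and the key) and the repeating-key XOR are all assumptions made for this illustration; a real polymorphic virus carries the key inside machine code that a scanner has to emulate rather than parse. The point it demonstrates is that a mask taken from the constant body never matches the stored copies, but matches every one of them once the decryptor has been run.

```python
import struct
from typing import List, Optional

# Constructed stand-in for a virus body: the same bytes in every copy.
# Not real malware; just a payload whose constant part a scanner would fingerprint.
PAYLOAD = b"VIRUS-BODY:copy-self;hook-int21h;infect-exe"
# The mask a scanner would take from the constant body.
BODY_MASK = b"hook-int21h;infect-exe"
# Marker for the hypothetical decryptor stub that precedes every encrypted body.
STUB_MAGIC = b"DEC"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the 'floating key' transformation. XOR is its own
    inverse, so the same function both encrypts a body and decrypts it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_generation(payload: bytes, key: bytes) -> bytes:
    """Produce one copy: stub + body encrypted under this copy's key.
    Stub layout (assumed for this example): b'DEC', one length byte, the key."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    stub = STUB_MAGIC + struct.pack("B", len(key)) + key
    return stub + xor_with_key(payload, key)


def emulate_decryptor(sample: bytes) -> Optional[bytes]:
    """What a scanner's polymorphic decoder does: interpret the decryptor stub
    (a real one would emulate x86 code) to recover the constant body."""
    if not sample.startswith(STUB_MAGIC) or len(sample) < len(STUB_MAGIC) + 1:
        return None
    key_len = sample[len(STUB_MAGIC)]
    key_off = len(STUB_MAGIC) + 1
    key = sample[key_off:key_off + key_len]
    if key_len == 0 or len(key) != key_len:
        return None
    return xor_with_key(sample[key_off + key_len:], key)


def mask_match_raw(sample: bytes) -> bool:
    """Plain mask search over the bytes as stored on disk."""
    return BODY_MASK in sample


def mask_match_after_decryption(sample: bytes) -> bool:
    """Mask search over the body recovered by the decoder."""
    body = emulate_decryptor(sample)
    return body is not None and BODY_MASK in body


def compare_detection(keys: List[bytes]) -> dict:
    """Generate one copy per key and count how each detection approach fares."""
    samples = [make_generation(PAYLOAD, k) for k in keys]
    return {
        "distinct_copies": len(set(samples)),
        "raw_mask_hits": sum(mask_match_raw(s) for s in samples),
        "decoded_mask_hits": sum(mask_match_after_decryption(s) for s in samples),
    }


if __name__ == "__main__":
    import os
    print(compare_detection([os.urandom(4) for _ in range(5)]))
```

Every copy is byte-for-byte different, the raw mask search scores zero, and the decode-then-match search scores a hit for each copy. The limitation the article mentions is visible here too: the decoder only works because it understands this particular stub format; a virus that generates a differently structured decryptor each time defeats a parser like this and forces the scanner into full emulation.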

How to deal with resident threats

Finally, the question of fighting resident viruses and protecting computer systems of any level of complexity. The simplest protection is installing a regular anti-virus package, and preferably not a free one but at least a trial version from developers such as Dr.Web, Kaspersky Anti-Virus or ESET NOD32, or a suite such as ESET Smart Security if the user is constantly on the Internet.

Even then nobody is insured against a threat getting into the computer. If that happens, start with portable scanners, or better a bootable rescue disk (most of the vendors named above provide one). Such a disk lets you load the scanner's own environment and scan before the main operating system starts, which matters because a resident virus that is already in memory can hide from, or reinfect files behind, a scan run from inside the infected system.

One more thing: software like SpyHunter is not recommended, because an inexperienced user will then have trouble getting rid of the package itself and its associated components. And of course do not rush to delete infected files or format the hard drive; leave disinfection to professional anti-virus products.

Conclusion

It remains to add that only the main aspects of resident viruses and of fighting them have been considered above. Looking at computer threats in the broad sense, such a huge number of new ones appear every day that developers of protection products barely keep up with new methods of dealing with them.


Methods of information security

According to experts, the task of providing information security should be solved systemically. This means that various means of protection (hardware, software, physical, organizational, and so on) should be applied simultaneously under centralized management. The components of the system must "know" of each other's existence, interact, and provide protection against both external and internal threats.

Modern anti-virus technologies can identify almost all known viral programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavioural (heuristic) technologies have been developed to detect newly created viral programs. Detected objects can be disinfected, isolated (placed in quarantine) or deleted. Virus protection can be installed on workstations, file and mail servers and firewalls running under practically any common operating system and on processors of various types.

Timely detection of infected files and disks, and complete removal of the detected viruses on each computer, prevents an epidemic from spreading to other computers.



The main weapon against viruses is anti-virus programs. They not only detect viruses, including ones that use various masking methods, but also remove them from the computer. The latter operation can be quite complicated and take some time.

There are several fundamental methods anti-virus programs use to find viruses. The most traditional is scanning.

Several types of anti-virus programs have been developed for detecting, removing and protecting against computer viruses:

1. Detector programs

2. Doctor (phage) programs

3. Auditor programs (integrity checkers)

4. Filters (monitors)

5. Vaccine programs (immunizers)

Detector programs

Detector programs search RAM and files for the signature of a specific virus and report when it is found. Their disadvantage is that they can find only viruses already known to the developers of the program.

Doctor programs

Doctor, or phage, programs not only find infected files but also "cure" them, that is, remove the virus body from the file and return the file to its original state. Phages first look for viruses in RAM and destroy them, and only then proceed to curing files; otherwise the resident copy would reinfect the files as they are cleaned. Among phages, polyphages are distinguished: doctor programs designed to find and destroy a large number of viruses.

Auditor programs (integrity checkers)

Auditor programs (integrity checkers) are among the most reliable means of protection against viruses.

An auditor records the state of the disk and later checks it against that record: whether a virus has got into files, whether anything foreign has appeared in the hard disk's boot sector, whether there have been unauthorized changes to the Windows registry. Moreover, an auditor need not go through the operating system's services to read the disk, so an active stealth virus cannot intercept the read and hide its changes.
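Added example, not code from the original article or from any named product: a minimal file-system auditor in Python. It takes a baseline of SHA-256 digests and sizes, then re-checks the tree and reports modified, added and removed files. The constructed scenario patches an executable in place, keeping its size and restoring its timestamp, which is exactly the change a size-or-date check misses and a digest catches. The directory layout and file contents are invented for the demonstration. Unlike the auditors the text describes, this version reads through the operating system's normal file calls, so it should be run from a clean boot medium, and the baseline must be stored off the machine being checked.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Record digest and size of every regular file under root (the clean state).
    Keys are POSIX-style paths relative to root."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    return baseline


def check_against_baseline(root: Path, baseline: Dict[str, dict]) -> dict:
    """Compare the current tree with the baseline. 'modified' notes whether the
    size changed, because a virus that patches a file in place keeps the size
    (and can restore the timestamp), and only the digest gives it away."""
    current = build_baseline(root)
    modified = {}
    for rel, entry in current.items():
        old = baseline.get(rel)
        if old is not None and old["sha256"] != entry["sha256"]:
            modified[rel] = {"size_changed": old["size"] != entry["size"]}
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def simulate_infection_and_check() -> dict:
    """Constructed scenario: take a baseline, then patch an executable in place
    (same size, original timestamp restored), drop a new file and delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        exe = root / "bin" / "app.exe"
        exe.write_bytes(b"MZ" + b"\x90" * 14 + b"original entry code" + b"\x00" * 32)
        (root / "old.sys").write_bytes(b"constructed driver image")
        (root / "config.sys").write_bytes(b"FILES=30\nBUFFERS=20\n")
        baseline = build_baseline(root)

        # "Infection": overwrite 4 bytes at the entry point with a jump, keep the
        # size, and put the original modification time back so a date check
        # sees nothing.
        st = exe.stat()
        data = bytearray(exe.read_bytes())
        data[16:20] = b"\xe9\x00\x01\x00"
        exe.write_bytes(bytes(data))
        os.utime(exe, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "new.com").write_bytes(b"constructed dropper")
        (root / "old.sys").unlink()

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(simulate_infection_and_check())
```

The check reports `bin/app.exe` as modified with `size_changed` false, `new.com` as added and `old.sys` as removed; `config.sys`, which was not touched, is not reported. A production auditor would also cover the boot sector and, on Windows, the registry keys the text mentions.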

Filter programs (monitors)

Filters (monitors), or "watchdogs", are small resident programs designed to detect suspicious actions characteristic of viruses while the computer is in use. Such actions include:

1. Attempts to modify files with the COM or EXE extension

2. Changes to file attributes

3. Writes to the boot sector of a disk
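Added example, not from the original article: the three rules above expressed as a small monitor in Python and run over a constructed stream of file-system events standing in for what a DOS-era watchdog would intercept. The event format, the process names and the allow-list of trusted installers are assumptions for this illustration; SYS and OVL are added to the executable extensions because DOS drivers and overlays were also common targets. The allow-list shows how a monitor avoids the false alarms the text warns about when a legitimate installer writes executables.

```python
from typing import Dict, Iterable, List

# Rule 1 in the text covers COM and EXE; SYS and OVL are an assumed addition.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".sys", ".ovl"}
# Processes allowed to do these things without a prompt (constructed allow-list).
TRUSTED_PROCESSES = {"install.exe", "backup.exe"}


def _extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def reasons_for(event: Dict) -> List[str]:
    """Apply the monitor's rules to one event. Event fields (assumed for this
    example): op, process, and the op-specific 'path', 'attrs' or 'sector'."""
    reasons = []
    op = event["op"]
    if op == "write" and _extension(event.get("path", "")) in EXECUTABLE_EXTENSIONS:
        reasons.append("write to executable file")
    if op == "set_attr":
        attrs = event.get("attrs", {})
        # Clearing read-only is the classic prelude to infecting a protected file.
        if attrs.get("read_only") is False:
            reasons.append("read-only attribute cleared")
        else:
            reasons.append("file attributes changed")
    if op == "raw_write" and event.get("sector") == 0:
        reasons.append("write to boot sector / MBR")
    return reasons


def monitor(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per suspicious event; events from trusted processes are
    still reported but flagged so a user interface can suppress the prompt."""
    alerts = []
    for index, event in enumerate(events):
        reasons = reasons_for(event)
        if reasons:
            alerts.append({
                "index": index,
                "process": event.get("process"),
                "reasons": reasons,
                "trusted": event.get("process") in TRUSTED_PROCESSES,
            })
    return alerts


# Constructed event stream: a benign read and write, then an infection pattern
# (clear read-only, overwrite FORMAT.COM, write the MBR), then an installer.
SAMPLE_EVENTS = [
    {"op": "read", "process": "command.com", "path": "C:\\DOS\\EDIT.COM"},
    {"op": "write", "process": "editor.exe", "path": "C:\\DOCS\\NOTES.TXT"},
    {"op": "set_attr", "process": "unknown.com", "path": "C:\\DOS\\FORMAT.COM",
     "attrs": {"read_only": False}},
    {"op": "write", "process": "unknown.com", "path": "C:\\DOS\\FORMAT.COM"},
    {"op": "raw_write", "process": "unknown.com", "drive": 0x80, "sector": 0},
    {"op": "write", "process": "install.exe", "path": "C:\\APP\\APP.EXE"},
]


def untrusted_alerts(events: Iterable[Dict] = SAMPLE_EVENTS) -> List[Dict]:
    """The alerts a user would actually be asked about."""
    return [a for a in monitor(events) if not a["trusted"]]


if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample stream, the monitor raises four alerts (events 2 to 5) and three of them come from the untrusted process. A monitor of this kind sees only actions, not intent, which is why the text describes it as a complement to scanners rather than a replacement.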

Vaccines (immunizers)

Vaccines, or immunizers, are resident programs that prevent infection of files. They are used when there is no doctor program that "treats" a given virus. Vaccination is possible only against known viruses: the vaccine modifies a program or disk in a way that does not affect its operation but makes the virus believe the object is already infected, so it does not attach itself. Vaccine programs are little used today.

Scanners

Anti-virus scanners check files, sectors and system memory, looking for both known and new (unknown to the scanner) viruses. Known viruses are searched for by so-called "masks". A virus mask is a constant byte sequence specific to that virus. If the virus contains no constant mask, or the mask is too short to be reliable, other methods are used.
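Added example, not code from the original article or from any scanner: a mask scanner in Python. Masks are written in the usual "hex bytes with `??` wildcards" notation, which lets one mask cover variants that differ only in an address or a length byte, and the parser refuses masks with fewer than six fixed bytes, because short masks match ordinary code and cause the false alarms the text warns about. The two masks and the two sample images are constructed for this illustration and are not masks of real viruses; the minimum of six fixed bytes is an assumed threshold.

```python
from pathlib import Path
from typing import Dict, List, Optional

Mask = List[Optional[int]]  # fixed byte value, or None for a wildcard position

# Constructed masks. E9 is a near JMP; 8C C8 8E D8 is mov ax,cs / mov ds,ax;
# B8 00 4C CD 21 is the DOS exit call. None of these identify a real virus.
MASK_DATABASE = {
    "Sample.A": "E9 ?? ?? 8C C8 8E D8 BA ?? ?? B4 09",
    "Sample.B": "B8 00 4C CD 21 90 90 C3",
}

MIN_FIXED_BYTES = 6  # assumed threshold; shorter masks hit ordinary code


def parse_mask(text: str, min_fixed: int = MIN_FIXED_BYTES) -> Mask:
    """Turn 'E9 ?? 8C' into [0xE9, None, 0x8C]; reject masks too short to be reliable."""
    mask: Mask = []
    for token in text.split():
        if token == "??":
            mask.append(None)
        elif len(token) == 2:
            mask.append(int(token, 16))
        else:
            raise ValueError(f"bad mask token {token!r}")
    fixed = sum(1 for b in mask if b is not None)
    if fixed < min_fixed:
        raise ValueError(f"mask has only {fixed} fixed bytes (minimum {min_fixed})")
    return mask


def mask_is_usable(text: str) -> bool:
    try:
        parse_mask(text)
        return True
    except ValueError:
        return False


def find_mask(data: bytes, mask: Mask) -> List[int]:
    """Every offset at which the mask matches. Wildcards match any byte."""
    if not mask:
        return []
    hits = []
    m = len(mask)
    first = mask[0]
    for i in range(len(data) - m + 1):
        if first is not None and data[i] != first:
            continue  # cheap pre-check before the full comparison
        if all(b is None or data[i + j] == b for j, b in enumerate(mask)):
            hits.append(i)
    return hits


def scan_bytes(data: bytes, database: Dict[str, str] = MASK_DATABASE) -> Dict[str, List[int]]:
    """Scan one object (file contents or a memory dump) against every mask."""
    results = {}
    for name, text in database.items():
        offsets = find_mask(data, parse_mask(text))
        if offsets:
            results[name] = offsets
    return results


def scan_file(path: Path) -> Dict[str, List[int]]:
    return scan_bytes(path.read_bytes())


# Constructed samples: a clean COM-style stub, and an image carrying Sample.A at offset 32.
CLEAN_SAMPLE = b"\xb4\x09\xba\x00\x01\xcd\x21\xb8\x00\x4c\xcd\x21" + b"Hello$" + b"\x00" * 32
INFECTED_SAMPLE = (
    b"MZ" + b"\x00" * 30
    + bytes.fromhex("E9 12 34 8C C8 8E D8 BA 4F 01 B4 09")  # matches Sample.A
    + b"\x00" * 40
)


if __name__ == "__main__":
    print("clean:", scan_bytes(CLEAN_SAMPLE))
    print("infected:", scan_bytes(INFECTED_SAMPLE))
```

Scanning the infected sample reports `Sample.A` at offset 32 and the clean sample reports nothing. The same `scan_bytes` call works on a memory dump, which is how a scanner checks the resident copies the earlier sections describe; what it cannot do is find a polymorphic body, whose constant bytes only exist after decryption.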

Methods of organizing computer security

Network monitoring

Network monitoring tools, which observe a network and find its "bottlenecks", fall into two main classes: strategic and tactical. Strategic tools control a wide range of parameters of the whole network and solve LAN configuration problems; tactical tools monitor and troubleshoot network devices and cabling.

Strategic tools include:

  • network management systems;
  • built-in diagnostic systems;
  • distributed monitoring systems;
  • diagnostic facilities of the operating systems running on large machines and servers.

The most complete control is provided by network management systems from firms such as DEC, Hewlett-Packard, IBM and AT&T. These systems are usually based on a separate computer and include control systems for workstations, the cabling system, connecting and other devices, a database of control parameters for networks of various standards, and a variety of technical documentation. One of the best network management products, giving the administrator access to every element of the network down to the workstation, is Intel's LANDesk Manager, which provides tools for application monitoring, hardware and software inventory and virus protection. It supplies real-time information on applications and servers and data on network users.

Built-in diagnostic systems have become a normal component of network devices such as bridges, repeaters and modems; examples are Hewlett-Packard's OpenView Bridge Manager and DEC's Remote Bridge Management Software. Unfortunately most of them are tied to one manufacturer's equipment and are almost incompatible with other firms' hardware.

Distributed monitoring systems are special devices installed on network segments to gather comprehensive traffic information and detect faults in the network. Usually connected to the administrator's workstation, they are used mainly in multi-segment networks.

Tactical tools include various testing devices (cable testers and scanners) and protocol analyzers for comprehensive analysis of network operation. Testing devices help the administrator find faults in cables and connectors; protocol analyzers provide information on the data exchanged on the network. This category also includes special software that delivers detailed real-time reports on the state of the network.


Boot viruses

Boot viruses infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard disk. They rely on the operating-system start-up procedure: when the computer is switched on or restarted, after the hardware tests, the BIOS boot program reads the first physical sector of the boot disk (A:, C: or CD-ROM, depending on the order set in BIOS Setup) into memory and transfers control to it. A virus that has written itself into that sector therefore runs before the operating system and before any anti-virus installed in it.
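Added example, not from the original article: a parser for the 512-byte MBR sector described above, together with the checks an auditor would run on it. The layout it decodes is the classic one (446 bytes of boot code, four 16-byte partition entries, the `55 AA` signature at offset 510). The two sector images are constructed here: the "clean" one carries invented boot code and one partition, the "infected" one carries the same partition table with different first-sector code, which is the change a boot virus makes. The known-good digest is assumed to come from a baseline taken while the machine was clean and kept off the machine.

```python
import hashlib
import struct
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code (what a boot virus replaces)
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
BOOT_SIGNATURE = 0xAA55       # bytes 55 AA at offset 510, read little-endian


def parse_mbr(sector: bytes) -> dict:
    """Decode the classic MBR layout: boot code, four partition entries, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({
            "status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
            "bootable": status == 0x80,
        })
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "valid_signature": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
    }


def boot_code_digest(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, known_good_digest: str) -> List[str]:
    """Findings an auditor would raise. The digest must come from a baseline taken
    while the machine was known clean and stored off the machine."""
    findings = []
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != known_good_digest:
        findings.append("boot code does not match known-good digest")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {n}: empty type but non-zero extent")
    return findings


def build_sample_mbr(boot_code: bytes, parts: List[Tuple[int, int, int, int]],
                     with_signature: bool = True) -> bytes:
    """Assemble a constructed MBR image. parts: (status, type, lba_start, sectors).
    CHS fields are filled with FF FF FF, as modern tools do for LBA-only entries."""
    if len(boot_code) > BOOT_CODE_SIZE or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    sector = bytearray(boot_code.ljust(BOOT_CODE_SIZE, b"\x00"))
    for status, ptype, lba_start, sectors in parts:
        sector += struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                              b"\xff\xff\xff", lba_start, sectors)
    sector += b"\x00" * 16 * (4 - len(parts))
    sector += b"\x55\xaa" if with_signature else b"\x00\x00"
    return bytes(sector)


# Constructed boot code: a short JMP over a 16-byte marker, then HLT in a loop.
CLEAN_BOOT_CODE = b"\xeb\x10" + b"CONSTRUCTED-MBR!" + b"\xf4\xeb\xfd"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x06, 63, 2_097_152)])
# "Infected": same partition table, different code in the first sector.
INFECTED_MBR = build_sample_mbr(b"\xe9\x00\x02" + b"VIRUS-LOADER",
                                [(0x80, 0x06, 63, 2_097_152)])


if __name__ == "__main__":
    good = boot_code_digest(CLEAN_MBR)
    print("clean:", check_mbr(CLEAN_MBR, good))
    print("infected:", check_mbr(INFECTED_MBR, good))
```

The clean image produces no findings; the infected one is flagged only on the boot-code digest, because a boot virus normally leaves the partition table intact so the disk still boots. On a real system the sector would be read with raw disk access from a clean boot medium, since a resident stealth virus hooked into the disk interrupt can return the original sector to anything that asks from inside the infected system.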

File viruses

This group includes viruses that, in reproducing, use the file system of some operating system in one way or another.

There are viruses that infect files containing program source code, libraries or object modules. A virus may also write itself into data files, but that happens either through a bug in the virus or as a manifestation of its aggressive properties.

File-boot viruses

Combined viruses that have the properties of both file and boot viruses are quite common.

The OneHalf file-boot virus was widespread; it infects the master boot record (MBR) and executable files. Its main destructive action is the encryption of hard-disk sectors: on every boot the virus encrypts the next portion of sectors, and having encrypted half the disk it cheerfully announces the fact. The main difficulty in treating this virus is that it is not enough simply to remove it from the MBR and from files: the information it has encrypted must also be decrypted. While the virus is resident it decrypts those sectors transparently as they are read, so removing it without decrypting the disk leaves the data unreadable.

OneHalf uses several disguise mechanisms: it is a stealth virus and uses polymorphic algorithms when spreading.

Network viruses

Network viruses are those that actively use the protocols and facilities of local and global networks. The main principle of a network virus is the ability to transfer its code to a remote server or workstation on its own. "Full-fledged" network viruses can also launch their code on the remote computer, or at least "nudge" the user into running the infected file.

Macro viruses

Macro viruses are written in the macro languages built into some data-processing systems (text editors, spreadsheets and so on). To reproduce, such viruses use the capabilities of the macro language and with its help transfer themselves from one infected file (document or spreadsheet) to others. Macro viruses are most widespread for Microsoft Word, Excel and Office in general; there are also macro viruses that infect Microsoft Access databases.

Resident viruses

The term "resident" (the DOS term is TSR, Terminate and Stay Resident) refers to the ability of a virus to leave copies of itself in system memory, intercept certain events (for example, access to files or disks) and call its infection routines for the objects it finds (files and sectors). A resident virus is thus active not only while the infected program runs but also after that program has finished. Resident copies of such viruses remain viable until the next reboot, even if all infected files are destroyed. Often it is impossible to get rid of such a virus by restoring all the files from distribution disks or backups, because the resident copy stays active and infects the newly created files again. The same holds for boot viruses: formatting the disk while a resident virus is in memory does not always cure it, since many resident viruses reinfect the disk after it has been formatted.

Non-resident viruses

Non-resident viruses, on the contrary, are active for a fairly short time, only while an infected program is being launched. To spread, they look for uninfected files on the disk and write themselves into them. Once the virus code passes control back to the host program, the virus's effect on the operating system drops to zero until the next launch of some infected program.

Thus non-resident viruses are dangerous only while an infected program is executing, when they show their destructive capabilities or create their copies. Files affected by such viruses are usually easier to detect and cure than files containing a resident virus.