Category: Computer/Network >> Anti-virus
Question description:
1. In what year was the first computer virus discovered?
2. In what year was there no computer virus?
3. In which year did computer viruses become more common?
Answer these 3 questions separately!
Analysis:
With the popularity of computers, almost every computer user has heard the term "computer virus". To most users, however, "computer viruses" seem mysterious and hard to grasp. The following is a brief introduction:
History of viruses
Since the first von Neumann computer, ENIAC, was born in 1946, computers have been applied in every field of human society. However, the "worm" incident that occurred in the United States in 1988 cast a shadow over the development of computer technology. The worm was written by Morris, a graduate student at Cornell University. Although it was not malicious, the "worm" spread wildly across the Internet at the time, causing thousands of connected computers to stop running, causing huge losses, and becoming the focus of public opinion for a while.
In China, the viruses that first attracted attention were "Black Friday", "Microvirus", etc., which appeared in the late 1980s. Because there were not many kinds of software at that time, software exchange between users was relatively frequent, and anti-virus software was not widely available, viruses spread widely. Later, Word macro viruses and the CIH virus under Windows 95 appeared, which deepened people's understanding of viruses.
The initial conception of virus theory can be traced back to science fiction. In the book "The Adolescence of P-1", published by the American writer Ryan in the 1970s, he conceived of a computer program that could replicate itself and spread through communications, and called it a computer virus.
Definition of virus
Why is a "computer virus" called a virus? First of all, unlike medical viruses, they do not exist in nature. Some people exploit the inherent weaknesses of computer software and hardware to write programs with special functions. Because these programs share the infectious and destructive characteristics of a biomedical "virus", the term was borrowed from the biomedical concept.
Broadly defined, any program that can cause computer malfunctions and destroy computer data is called a computer virus. By this definition, logic bombs and worms can also be called computer viruses. In China, experts and researchers have given different definitions of computer viruses, but for a long time there was no clear and generally accepted one.
On February 18, 1994, China officially promulgated and implemented the "Regulations on the Security Protection of Computer Information Systems of the People's Republic of China", Article 28 of which states: "A computer virus refers to a set of computer instructions or program code that is written into or inserted into a computer program, that destroys computer functions or data, affects the use of the computer, and can replicate itself." This definition is legal and authoritative. (This section is excerpted from the book "Computer Security Management and Practical Technology".)
The Generation of Viruses
So how exactly are viruses created? The process can be divided into: programming, propagation, latency, triggering, running, and carrying out the attack. The motives are essentially the following:
A joke or a prank. To show off their superb skills and cleverness, some people who love computers and are proficient in computer technology write these special programs based on their in-depth understanding of software and hardware. After spreading through a carrier, the programs are triggered under certain conditions: for example, displaying an animation, playing a piece of music, or asking some quiz questions. The purpose is nothing more than self-expression. Such viruses are generally benign and do not damage operation.
Revenge by individuals.
Everyone lives in a social environment, but there are always people who are dissatisfied with society or have received unfair treatment. If such a person happens to be a programming expert, he may write dangerous programs. There is an example from abroad: during his employment, a company employee wrote a piece of code and hid it in his company's system. Once it detected that his name had been deleted from the payroll report, the program would immediately trigger and destroy the entire system. Similar cases have also occurred in China.
Copyright protection. In the early days of computing, legal protection of software copyright was not as complete as it is today. Much commercial software was copied illegally, and some developers created special programs and bundled them with their products to protect their own interests. For example, the creators of the Pakistani virus were trying to track down users who illegally copied their products. Viruses used for this purpose are now rare.
Special purposes. To achieve a special purpose, an organization or individual disrupts or destroys the special systems of *** institutions and units, or acts for military purposes.
Virus characteristics
This special program has the following characteristics:
Infectiousness is the basic characteristic of viruses. In the biological world, viruses spread from one organism to another through infectious disease; under the right conditions they multiply and cause symptoms or even death in the infected organism. Similarly, computer viruses spread from infected computers to uninfected computers through various channels, causing the infected computers to malfunction or, in some cases, to become paralyzed. Unlike biological viruses, a computer virus is a piece of artificially written program code. Once this code enters a computer and is executed, it searches for other programs or storage media that meet its infection conditions; after determining the target, it inserts itself into the target to reproduce itself. Once a computer is infected, if the virus is not dealt with in time, it spreads rapidly on that machine and a large number of files (usually executable files) become infected. Each infected file becomes a new source of infection; if it exchanges data with other machines or contacts them through the network, the virus continues to infect.
Normal computer programs generally do not forcibly attach their own code to other programs. A virus, on the other hand, forcibly infects every uninfected program that meets its infection conditions with its own code. Computer viruses can infect other computers through every possible channel, such as floppy disks and computer networks. When a virus is found on a machine, the floppy disks that have been used on that computer are often infected as well, and other computers connected to it may also be infected. Whether a program is contagious is the most important criterion for deciding whether it is a computer virus.
Execution without authorization. Generally, a normal program is called by the user, after which the system allocates resources so that it can complete the task the user assigned; its purpose is visible and transparent to the user. A virus has all the characteristics of a normal program but hides inside one. When the user calls the normal program, the virus steals control of the system and runs before the normal program. The virus's actions and purpose are unknown to the user, and it runs without the user's permission.
Concealment. Viruses are generally short, compact programs written with considerable skill. They are usually attached to normal programs or hidden in obscure places on the disk, and some appear as hidden files; the purpose is to prevent users from discovering their existence. Without code analysis, it is not easy to distinguish a virus program from a normal program. Without protective measures, a virus can generally infect a large number of programs in a short time after gaining control of the system, and after infection the computer system usually still runs normally, so the user notices nothing abnormal. Consider: if a virus infected a computer and the machine immediately stopped working, the virus could not continue to spread. It is precisely because of their stealth that computer viruses can spread to millions of computers without users noticing.
Most virus code is designed to be very short precisely so that it stays hidden. A virus is generally only a few hundred bytes to 1 KB long, and a PC can read DOS files at hundreds of KB per second, so the virus can attach those few hundred bytes to a normal program in an instant, making it very hard to detect.
Latency. Most viruses do not attack immediately after infecting a system. They can hide in the system for a long time and activate their performance (destruction) module only when specific conditions are met; only in this way can they spread widely. For example, "PETER-2" asks three questions on February 27 every year, and if the answers are wrong, the hard drive is encrypted. The famous "Black Friday" strikes on Friday the 13th. The domestic "Shanghai No. 1" strikes on the 13th of March, June and September every year. The most unforgettable, of course, was the CIH that broke out on the 26th. These viruses hide well at normal times and reveal their true colors only on the day of attack.
Destructiveness. Any virus that invades a system affects the system and its applications to some degree. In mild cases it reduces the computer's efficiency and occupies system resources; in severe cases it can crash the system. On this basis, viruses are divided into benign and malignant viruses. Benign viruses may only display some pictures, play some music or show silly sentences, or perform no destructive action at all, but they still occupy system resources. There are many such viruses, such as GENP, pellets, W-BOOT, etc. Malignant viruses have specific purposes, such as destroying data, deleting files, encrypting disks or formatting disks, and some cause irreparable damage to data. This reflects the sinister intentions of their authors.
From the perspective of virus detection, viruses remain unpredictable. Different kinds of viruses have very different code, but some operations are characteristic (such as going resident in memory or changing interrupts). Some people take advantage of this weakness of viruses and create programs claiming to detect all viruses. Such programs can indeed detect some new viruses, but because software is now extremely varied, and some normal programs also use virus-like operations and even borrow techniques from viruses, detecting viruses this way inevitably causes many false positives. Moreover, virus-writing technology keeps improving, and viruses are always one step ahead of anti-virus software.
Classification of viruses
Since the birth of the first virus, opinions have differed on how many kinds of viruses exist in the world. Whatever the number, it keeps increasing. According to foreign statistics, computer viruses are increasing at a rate of 10 types per week; according to statistics from China's Ministry of Public Security, the number of computer viruses in China is increasing at a rate of 4 types per month. With so many kinds, classifying them makes them easier to understand.
According to the mode of infection, they are divided into: boot viruses, file viruses and hybrid viruses.
File-type viruses generally infect only executable files (COM, EXE) on the disk. When a user runs an infected executable, the virus runs first and then either stays resident in memory waiting for an opportunity to infect other files, or infects other files directly. Its characteristic is that it attaches to a normal program file and becomes a shell or component of that file. This is a fairly common mode of infection.
Hybrid viruses have the characteristics of both of the above, infecting both the boot area and files, which widens the infection route of such viruses (for example "TPVO-3783" (also called "SPY"), which was widespread in China in 1997).
According to the connection method, they are divided into: source code viruses, intrusion viruses, operating system viruses, and shell viruses.
Source code viruses are rare and difficult to write. Because they attack source programs written in a high-level language, they are inserted into the source program before compilation and compiled and linked together with it into an executable file. The executable file so generated is already infected at the moment it is produced.
Intrusion viruses use their own code to replace certain modules or stack areas of a normal program. Such a virus therefore attacks only certain specific programs and is highly targeted; it is generally hard to find and hard to remove.
Operating system viruses add parts of themselves to, or replace, certain functions of the operating system. Because they infect the operating system directly, this type of virus is also more harmful.
A shell virus attaches itself to the beginning or end of a normal program, which amounts to adding a shell around the normal program. Most file-type viruses fall into this category.
According to their destructiveness, they are divided into benign viruses and malignant viruses, as introduced above.
An emerging group: macro viruses. Macro viruses have appeared only in the past two years. If classified, they can be regarded as file-type viruses. They are mentioned here specially.
Virus naming
Each anti-virus product also names viruses differently, so different software sometimes reports different names for the same virus. For example, the "SPY" virus is named SPY by KILL and "TPVO-3783" by KV300. Viruses are named in the following ways:
By the place where the virus first appeared, e.g. "ZHENJIANG_JES", whose sample first came from a user in Zhenjiang. By a person's name or a characteristic string appearing in the virus, e.g. "ZHANGFANG-1535", "DISK KILLER", "Shanghai No. 1". By the virus's symptoms, e.g. "torch" and "worm". By the date of the virus's outbreak, e.g. "NOVEMBER 9TH", which breaks out on November 9. Some names contain the length of the virus code, e.g. the "PIXEL.xxx" series, "KO.xxx", etc.
Preliminary analysis of viruses
Although there are many kinds of computer viruses, analysis and comparison of virus code shows that their main structures are similar, each with its own features. Although the whole virus code is short, it contains three parts: the boot part, the infection part, and the performance part.
The function of the boot part is to load the virus body into the memory to prepare for the infection part (such as resident memory, modifying interrupts, modifying high-end memory, saving the original interrupt vector, etc.).
The function of the infection part is to copy the virus code to the infection target. Different types of viruses have different modes of infection and conditions of infection.
The performance part is the part that differs most among viruses, and the first two parts exist to serve it. Most viruses have certain conditions that trigger their manifestation, for example a clock or counter, or specific characters typed on the keyboard. This is also the most flexible part: it varies widely according to the author's purpose, or may be absent altogether.
Preliminary identification and prevention of viruses
If you want to know whether your computer is infected, the easiest way is to use recent anti-virus software to scan the disk thoroughly. But anti-virus software always lags behind viruses. How can new viruses be detected early? Users can make the following simple judgments: no matter how sophisticated a virus is, it always leaves some "clues" after it invades a system.
First, pay attention to memory. Most viruses need to reside in memory. DOS users can boot from the C drive and then use the "MEM" command to check whether total conventional memory is 640K (most boot viruses change this number when they go resident). If there is a virus, it may show 638K or 637K. On some machines 639K is normal (for example, some COMPAQ machines). Also watch for memory being consumed for no apparent reason.
Second, pay attention to the byte count of commonly used executable files (such as COMMAND.COM). Most viruses increase the length of a file after infecting it. When checking file sizes, first boot from a clean system disk.
For floppy disks, watch for bad blocks appearing for no reason (some viruses mark clusters as bad in order to hide part of themselves there). Other phenomena such as slower program execution (other than disk read speed), abnormal output ports, etc., may also be caused by viruses. The most accurate method is to check whether the interrupt vectors and boot sector have been changed for no reason; of course, this requires some understanding of the system and disk format.
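The file-length check described above (an infected executable grows because the virus appends itself) can be automated as an integrity baseline. The following Python script is an added example and is not part of the original answer: it records the size and SHA-256 of every COM/EXE file under a directory, then compares a later snapshot and flags files that grew, files whose contents changed at the same length, and new or missing executables. The helper names, the demo() scenario and the file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the text names as infection targets (constructed helper, not a real tool)
EXEC_SUFFIXES = {".com", ".exe"}


def snapshot(root):
    """Record size and SHA-256 of every COM/EXE file under root, keyed by relative path."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            data = path.read_bytes()
            baseline[str(path.relative_to(root))] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return baseline


def compare(baseline, current):
    """Report the 'clues' from the text: growth, silent content change, new or missing files."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "missing"))
        elif new["size"] > old["size"]:
            findings.append((name, f"grew by {new['size'] - old['size']} bytes"))
        elif new["sha256"] != old["sha256"]:
            findings.append((name, "contents changed, same length"))
    for name in current.keys() - baseline.keys():
        findings.append((name, "new executable not in baseline"))
    return sorted(findings)


def demo():
    """Constructed scenario: clean snapshot, then one file is appended to, one overwritten in place."""
    with tempfile.TemporaryDirectory() as root:
        cmd = Path(root, "COMMAND.COM")
        app = Path(root, "APP.EXE")
        Path(root, "README.TXT").write_bytes(b"not an executable, ignored by the scan")
        cmd.write_bytes(b"MZ" + b"\x00" * 100)  # constructed placeholder contents
        app.write_bytes(b"MZ" + b"\x01" * 200)
        before = snapshot(root)
        cmd.write_bytes(cmd.read_bytes() + b"\x90" * 37)  # simulates a shell-type append
        app.write_bytes(b"MZ" + b"\x02" * 200)             # same length, different bytes
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

A real deployment would store the baseline on write-protected media taken while booted from a clean system disk, as the text advises, since a baseline taken on an already infected machine records the infected sizes as normal.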