Comprehensive knowledge of computer virus prevention.
Computer virus
A computer virus is a set of computer instructions or program code written or inserted into a computer program that destroys computer functions or data, affects the use of the computer, and can replicate itself.
1. Characteristics of computer viruses
The main features of computer viruses are as follows.
(1) Concealment
The concealment of a computer virus makes it difficult for people to find it. For example, some viruses attack only when the 13th of a month falls on a Friday, and they do not attack on other days. It is generally impossible to know in advance that a computer or floppy disk is infected with a virus. A virus program is a program without a file name.
(2) Incubation period
It usually takes a period of time from computer virus infection to computer virus operation. When the specified environmental conditions for virus attack are met, the virus program begins to attack.
(3) Infectivity
One of the main characteristics of computer virus programs is that they can copy their own code into other programs (file viruses) or place it in designated locations, such as boot sectors (boot viruses).
(4) Deception
Every computer virus has the characteristics of a Trojan horse: it parasitizes other files by deception. Once the file is loaded, the virus attacks, destroys the software and hardware resources of the computer, and keeps the computer from working normally.
(5) Harmfulness
The harm of viruses is obvious, and there are almost no harmless viruses. Its harmfulness is not only reflected in destroying the system, deleting or modifying data, but also occupying system resources and interfering with the normal operation of the machine.
2. The classification of computer viruses
2.1 Classification by infection mode
Viruses can be divided into:
1). Boot sector computer virus
2). File computer virus
3). Composite computer virus
4). Macro virus
5). Trojan horse
6). Worm
1). Boot sector computer virus:
It hides on the disk, and the virus is already resident in memory before the system files are started. In this way, the virus can completely control the DOS interrupt functions and use them to spread and cause damage. Boot sector viruses designed to run on DOS or Windows 3.1 cannot spread on newer computer operating systems.
2). File computer virus
Also known as a parasitic virus, it usually infects executable files (.EXE), but some will infect other executable files, such as .DLL and .SCR. Every time an infected file is executed, the virus is activated (the virus copies itself into other executable files and then continues to execute the original program to avoid being noticed by users).
Typical example: CIH infects .EXE files and causes severe damage on the 26th of each month. On the 26th of every month, this virus tries to overwrite the system hard disk with random data so that the original data can no longer be read. In addition, this virus tries to destroy the data in the Flash BIOS.
3). Composite computer virus:
It has the dual characteristics of boot zone virus and file virus.
4). Macro virus:
A macro virus is aimed at specific application software (such as Microsoft Word and Excel) and can infect the macro instructions attached to that software. It spreads easily through e-mail attachments, floppy disks, file downloads and groupware.
The difference with other computer viruses is that macro viruses attack data files instead of program files.
5). Trojan or Trojan horse:
It appears to be a legitimate program, but when it is executed it carries out malicious and improper activities. A Trojan can be used as a hacking tool to steal users' password data or destroy programs or data on the hard disk.
The main difference between Trojans and computer viruses is that Trojans are not contagious. A Trojan cannot copy itself like a virus, and it will not "intentionally" infect other files. It relies mainly on disguise to lure users into downloading and executing it.
6). Worm:
It is generally believed that a worm is a kind of malignant virus that spreads through the Internet. It has some characteristics of a virus, such as spreading, concealment and destructiveness. At the same time, it has its own characteristics, such as not parasitizing files (some exist only in memory), causing denial of service on the network, and being combined with hacking techniques.
According to the users they target, worms can be divided into two categories. One is aimed at enterprise users and local area networks; this kind takes advantage of system vulnerabilities and attacks actively, which can paralyze the whole Internet. The other is aimed at individual users and spreads rapidly through the network (mainly in the form of e-mail and malicious web pages), represented by the love bug virus and the cover letter virus.
Worms target all computers on the network, and shared folders, e-mail, malicious web pages and the large number of servers with vulnerabilities all serve as routes for them to spread.
It is somewhat different from computer viruses. Computer viruses usually focus on infecting other programs, but worms focus on spreading through the network.
2.2 Classification by connection mode
Viruses are divided into four types according to the connection mode: source-code virus, embedded (intrusive) virus, shell virus and operating system virus.
(1) Source-code virus
This virus attacks programs written in high-level languages. The virus is inserted into the source program before the program is compiled, so that it becomes part of the legitimate compiled program.
(2) Embedded virus
This virus embeds itself into an existing program, connecting the main body of the virus to the object it attacks by insertion. This kind of computer virus is difficult to write, and it is difficult to eliminate once it has invaded the program body. If polymorphic virus technology, super virus technology and stealth virus technology are adopted at the same time, it poses severe challenges to current anti-virus technology.
(3) Shell virus
Shell viruses wrap themselves around the main program without modifying the original program. This kind of virus is the most common; it is easy to write and also easy to find, and it can generally be detected by checking the size of the file.
(4) Operating system virus
This virus uses its own code to join or replace parts of the operating system. It is very destructive and can paralyze the whole system. Point virus and cannabis virus are typical operating system viruses.
When the virus is running, it replaces a legitimate program module of the operating system with its own logic. How it damages the operating system depends on the characteristics of the virus itself, the position and role of the replaced module within the operating system, and the way the virus carries out the replacement.
2.3 Classification by activation time
According to the activation time of computer virus, it can be divided into timed and random. Timed viruses only attack at a certain time, and random viruses are generally not activated by the clock.
2.4 Classification by media
According to the media of computer virus transmission, it can be divided into stand-alone virus and network virus.
(1) Stand-alone virus
The carrier of a stand-alone virus is the disk. Typically the virus spreads from a floppy disk to the hard disk, infects the system, then infects other floppy disks, which in turn infect other systems.
(2) Network virus
The medium of a network virus is no longer a removable carrier but a network channel, which makes it more contagious and destructive.
2.5 Classification according to parasitic mode and route of infection
Computer viruses can be roughly divided into two types according to their parasitic mode: boot viruses and file viruses. According to the route of infection, they can be divided into memory-resident and non-memory-resident types, and the memory-resident type can be subdivided according to how it stays resident. Mixed viruses combine the characteristics of boot viruses and file viruses.
2.6 Classification by virus characteristics
Trojan - a virus with this prefix is a Trojan horse. In the name of this kind of virus, PSW or PWD generally means that the virus can steal passwords, for example Trojan.qqpass.a
Win32, PE, Win95, W32, W95 - system viruses, which can infect the *.exe and *.dll files of the Windows operating system.
Worm - a worm virus that spreads through the network or through system vulnerabilities. The more famous is the shock wave.
Script - script virus. Script viruses may also carry the prefixes VBS or JS (indicating which scripting language they are written in), such as Happy Hour.
Backdoor - backdoor virus, which is characterized by spreading through the network and opening the back door to the system, is the most famous one.
Dropper - dropper program virus, characterized by releasing one or several new viruses from its body into the system directory when it runs, indicating that it is snowing.
Joke - joke virus; it only frightens the user and is harmless.
Hacking tools.
Downloader - Trojan horse downloader: a small downloader, which is easy to hide, downloads a larger Trojan horse.
Adware - advertising virus, which monitors your every move while surfing the Internet and then feeds the information back to the company that uses it.
3. Computer virus program structure
3.1 Boot module
The main function of the virus boot module is to activate the static virus and make it a dynamic virus (load).
The loading of virus programs is divided into two steps: one is the system loading process; The second is the extra loading process of the virus. The loading points and targets selected by virus programs are mostly the inherent weaknesses of computers or the input nodes of software systems.
The loading of virus programs is constrained by the operating system. Under DOS, there are three ways to load virus programs: ① taking part in the system startup process; ② being loaded along with ordinary files; ③ running the virus program directly.
Under DOS, the process of virus loading mainly includes three steps:
(1) Open up memory space;
(2) Virus location and residence;
There are several ways to stay resident in memory:
① Reduce the allocatable space of the DOS system.
② Use the gaps between system modules and the gaps in DOS.
③ Use function calls to reside in memory.
④ Occupy system program space (also called the program overwrite method).
There are three ways for viruses to reside in memory in a general Windows environment: the first is to run the virus as an application in the Windows environment, with its own (hidden) window and message processing functions; the second is to request a block of system memory through DPMI and put the virus code in it; the third is to load the virus into memory and run it as a VxD (Win9x) or VDD (device driver under Win2000/NT).
(3) Restore system functions
3.2 Infection module
The infection module carries out the dynamic infection of viruses and is an essential module for all kinds of viruses. After the virus gains control of the system, it first runs the condition-judgment part of its infection routine to decide whether the infection condition is met. If it is, the virus infects the host program by putting the virus code into it; it then carries out other operations (such as executing the virus performance (destruction) module), and finally returns the system to its correct processing, which is one of the means viruses often use when infecting.
Infection mark, also known as virus signature, indicates the existence characteristics of the virus and is often an important infection condition of the virus. Infection mark is a unique and unchangeable number or string, which is stored in a specific position in the program in the form of ASCII code. The infection mark can exist at any point in the virus program, or it can be a combined code in the program. The infection mark is intentionally set by the virus maker, but it is not necessary to set the mark. The infection markers of different viruses have different positions and contents. When a virus program infects a host program, an infection mark should be written in the host program as a mark that the program has been infected.
Before the virus infects a healthy program, it searches the target object to see whether it already carries the infection mark. If so, the object has already been infected and will not be infected again; otherwise, the virus infects the program.
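Because an infection mark sits at a known position as a fixed ASCII string, a scanner can look for the same mark to flag infected files. The following C program is an added example, not code from the original page: it checks a file image against a small table of marks, either at a fixed offset or anywhere in the file. The marker names, strings and offsets are constructed for the example and do not belong to any real virus.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ANYWHERE (-1L)  /* mark has no fixed position: search the whole file */

struct marker {
    const char *family;  /* label reported on a hit */
    long        offset;  /* byte offset of the mark, or ANYWHERE */
    const char *bytes;   /* the ASCII mark itself */
};

/* Constructed table: names, strings and offsets are invented for this example. */
static const struct marker MARKERS[] = {
    { "Example.A", 0x1C,     "XMPL-A" },
    { "Example.B", ANYWHERE, "demo#mark#B" },
};
#define N_MARKERS (sizeof MARKERS / sizeof MARKERS[0])

/* Returns 1 if marker m is present in buf[0..len), else 0. */
static int marker_present(const unsigned char *buf, size_t len,
                          const struct marker *m)
{
    size_t mlen = strlen(m->bytes);
    if (mlen == 0 || mlen > len)
        return 0;
    if (m->offset != ANYWHERE) {
        size_t off = (size_t)m->offset;
        if (off > len - mlen)          /* mark would run past end of file */
            return 0;
        return memcmp(buf + off, m->bytes, mlen) == 0;
    }
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, m->bytes, mlen) == 0)
            return 1;
    return 0;
}

/* Returns the index in MARKERS of the first mark found, or -1 if none.
 * A result of -1 does not prove the file is clean: as the text notes,
 * a virus does not have to set a mark at all. */
int scan_buffer(const unsigned char *buf, size_t len)
{
    if (!buf)
        return -1;
    for (size_t i = 0; i < N_MARKERS; i++)
        if (marker_present(buf, len, &MARKERS[i]))
            return (int)i;
    return -1;
}

/* Builds a constructed sample file image: cap filler bytes, with an
 * optional mark copied in at offset `at`. */
size_t make_sample(unsigned char *out, size_t cap, const char *mark, size_t at)
{
    memset(out, '.', cap);
    if (mark && at + strlen(mark) <= cap)
        memcpy(out + at, mark, strlen(mark));
    return cap;
}

int main(void)
{
    unsigned char file[64];
    int hit;

    make_sample(file, sizeof file, "XMPL-A", 0x1C);
    hit = scan_buffer(file, sizeof file);
    printf("sample 1: %s\n", hit >= 0 ? MARKERS[hit].family : "no mark found");

    make_sample(file, sizeof file, "XMPL-A", 0x10);  /* right bytes, wrong place */
    hit = scan_buffer(file, sizeof file);
    printf("sample 2: %s\n", hit >= 0 ? MARKERS[hit].family : "no mark found");
    return 0;
}
```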
Target and mode of virus infection
As far as various computer viruses are concerned, there are two kinds of parasitic targets:
One is the (main) boot sector of the disk (by relocating data or directly accessing sectors, this method can also store the virus in the file allocation table, the file directory area and the data storage area of the disk; it is often done through interrupt INT 13H);
The other is executable files (for example .EXE, .COM, .BAT, .SYS, .OVL, .DLL and .VXD files).
More recently, some data files (mainly those of the Microsoft Office suite: Word documents, spreadsheets, databases, presentation documents, etc.) are also frequently infected. These files can actually be regarded as a special kind of executable file (macros).
File viruses often use interrupt INT 21H to infect executable files. Virus infection usually adopts the substitution method, the linking method or the independent existence method.
Virus infection mechanism
The mechanism by which viruses infect differs between carriers. Infection of a network or system is achieved through the communication or data-sharing mechanisms between networks or systems. Infection between storage media (floppy disk, hard disk, tape, etc.) or between files generally uses memory as an intermediate medium: viruses first enter memory from infected media or files, and then invade uninfected media or files from memory.
When viruses invade uninfected media from memory, they often modify the entry address in the operating system's interrupt vector for disk reads and writes or for program loading (such as INT 13H or INT 21H) so that the interrupt vector points to the virus infection module. The virus in memory thus monitors every operation of the operating system, so that once the system performs a disk read-write operation or a system function call, the virus infection module is activated. When the infection conditions are met, the infection module infects the disk being read or written or the program being loaded, stores the virus on the disk according to the virus's disk storage structure, and then transfers control to the original interrupt service routine to perform the original operation. And passive infection.
3.3 Performance (Destruction) Module
The performance (destruction) module mainly completes the performance or destruction function of the virus.
Its attack part should have two characteristics: the program should be hidden and latent, and the virus attack is conditional and diverse.
The destruction and expression module of computer virus is generally divided into two parts: one is to judge the triggering conditions of the destruction module; One is to destroy the implementation part of the function.
Like the virus infection module, the destruction module may run when the virus program is loaded for the first time, or it may just introduce the boot module into the memory when it is loaded for the first time, and then run after being triggered by some interrupt mechanism. The destruction mechanism and infection mechanism are basically the same in design principle.
4.4 Basic system knowledge: disk operating system (DOS)
The basic program modules of the DOS system consist of the following parts (taking MS-DOS as an example):
(1) Boot record. It is located in sector 1 of the system disk. When the computer starts, it is automatically read into memory first, and it is then responsible for loading the other DOS programs into memory.
(2) ROM BIOS. It provides the programs that manage the computer's input/output devices; it is stored in ROM on the motherboard and is the lowest-level interface between computer hardware and software.
(3) I/O management module IO.SYS. Its function is to initialize the operating system and provide the interface between the DOS system and the ROM BIOS.
(4) Core module MSDOS.SYS. It mainly provides functions such as device management, memory management, and disk file and directory management. These functions are available through the system function call INT 21H, which is the high-level software interface between user programs and computer hardware.
(5) Command processing COMMAND.COM module. This is the last module that DOS calls into memory. Its task is to receive and interpret commands input by users, and it can execute all internal and external commands and batch commands of DOS. It mainly consists of three parts: resident part, initialization part and temporary resident part.
The startup process of DOS mainly includes the following steps:
(1) When the system is reset or powered on, the instruction pointer automatically starts executing from memory address 0FFFF:0000H, which contains an unconditional jump instruction that transfers control to the ROM on the system board. The system self-check and initialization programs in the ROM BIOS are executed, and the interrupt vector table before INT 1FH is established. If the self-check is normal, the system boot record stored in sector 1 of the system disk is read into memory address 0000:7000H, and control is handed to the first instruction of the boot program.
(2) The boot record checks whether the two system files IO.SYS and MSDOS.SYS are stored on the startup disk at the specified location. If they are, it reads them into memory at address 0060:0000H; otherwise the startup disk is considered invalid and startup fails.
(3) After IO.SYS and MSDOS.SYS are loaded into memory, the task of the boot record is complete and control is given to IO.SYS, which completes the initialization of the system, locates MSDOS.SYS and loads COMMAND.COM.
The main process is:
① Establish a new disk base table, and modify the INT 1EH vector address to point to it.
② Initialize the asynchronous communication port (RS-232) and the printer port.
③ Modify the 01H, 03H, 04H and 1BH interrupt entries.
④ Call INT 11H and INT 12H to determine the hardware configuration and RAM capacity of the system.
⑤ Move the system initialization program to the high end of memory, and move the MSDOS.SYS program down to occupy its position.
⑥ Give control to MSDOS.SYS. MSDOS.SYS is the core part of DOS. After receiving control, it also carries out a series of initialization tasks, including: initializing the internal tables and workspace of DOS, initializing the DOS interrupt vectors 20H~2EH, establishing the disk input/output parameter table, and setting up the disk buffers and file control blocks. After completing these tasks, execution continues with the system initialization program of IO.SYS.
⑦ The initialization program checks for the system configuration file CONFIG.SYS. If it exists, the program processes it and establishes the running environment of DOS according to the configuration commands: setting the size of the disk buffers, the number of file handles that can be open at the same time, loading installable device drivers, etc.
⑧ Load the command processor COMMAND.COM into memory and hand control over to it. At this point, the task of IO.SYS is complete.
(4) After receiving control, the command processor resets the entry addresses of interrupt vectors 22H, 23H, 24H and 27H, and then checks whether the AUTOEXEC.BAT file exists on the system disk. If the file does not exist, the date and time are displayed for the user to enter, and then a DOS prompt is displayed. If the file exists, it is loaded into the temporary resident area, interpreted and executed by the batch processor, and a DOS prompt is displayed after execution. At this point, the whole startup process of DOS is over, and the system is ready to accept commands.
The memory allocation after DOS startup is shown in Figure 2.6, which only shows the memory allocation of DOS when running in basic memory (640 KB). Generally speaking, in the normal working mode (real mode) of the computer, the memory space that DOS can manage is 1 MB. This 1 MB space can be divided into two parts: the RAM area and the ROM area. RAM is divided into the system program area, the data area and the user program area. Because different versions of DOS have system files of different lengths, the memory occupied by the resident system programs also differs, so the segment address of the user program area is not a fixed value.
The memory from absolute address 0040:0000H to 0040:00FFH stores some important data. These data are loaded by the ROM BIOS program during the boot process and record the system configuration and the system parameters of the storage units. They are necessary for the ROM BIOS routines to operate devices. The two bytes at addresses 40:13 ~ 40:14 store the total memory capacity (including the capacity of memory expansion boards) in units of 1 KB; for example, 640 KB of RAM is 280H. Some virus programs load themselves into the high end of memory and modify the value at 40:13 ~ 40:14 so that they stay resident in memory. The 4 bytes at addresses 40:6C ~ 40:6F are the clock data area. The first two bytes (40:6C ~ 40:6D) are a number between 0 and 65535; the 8253 timer triggers INT 8H every 55 ms, which adds 1 to this value. The last two bytes (40:6E ~ 40:6F) are the hours. When the count value reaches 65,535 (exactly 1 hour), the hours are increased by 1. Viruses often read this clock data to detect whether the time is ripe for activation.
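The memory-size word at 40:13 is also a place where a defender can check for a resident boot virus: a value lower than the installed base memory means something has reserved the top of RAM. The following C program is an added example, not code from the original page: it parses a 256-byte dump of the area 0040:0000H to 0040:00FFH, reports the memory size and the clock counters described above, and flags missing memory. The dumps are constructed for the example, and the tolerance parameter is an assumption of this example, since some BIOSes legitimately reserve 1 KB at the top of base memory for their own data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BDA_SIZE     0x100  /* 0040:0000H .. 0040:00FFH */
#define BDA_MEM_KB   0x13   /* 40:13-40:14, memory size in units of 1 KB */
#define BDA_TICK_LO  0x6C   /* 40:6C-40:6D, +1 on every INT 8H (every 55 ms) */
#define BDA_TICK_HI  0x6E   /* 40:6E-40:6F, +1 each time the low word wraps */

struct bda_report {
    unsigned      mem_kb;      /* value stored at 40:13 */
    unsigned      missing_kb;  /* expected_kb - mem_kb, or 0 */
    unsigned      tick_lo;     /* value stored at 40:6C */
    unsigned      tick_hi;     /* value stored at 40:6E */
    unsigned long elapsed_s;   /* time represented by the tick counter */
    int           suspicious;  /* 1 if more memory is missing than tolerated */
};

/* Reads a little-endian 16-bit word. */
static unsigned rd16(const uint8_t *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Parses a dump of the 256-byte data area. expected_kb is the installed
 * base memory (640 for the machine in the text); tolerance_kb is how much
 * reserved memory the caller accepts as normal (an assumption of this
 * example, not a value from the page). Returns 0 on success, -1 on bad input. */
int bda_inspect(const uint8_t *bda, size_t len, unsigned expected_kb,
                unsigned tolerance_kb, struct bda_report *r)
{
    uint64_t ticks;

    if (!bda || !r || len < BDA_SIZE)
        return -1;
    memset(r, 0, sizeof *r);
    r->mem_kb  = rd16(bda + BDA_MEM_KB);
    r->tick_lo = rd16(bda + BDA_TICK_LO);
    r->tick_hi = rd16(bda + BDA_TICK_HI);

    /* One tick every 55 ms, as stated in the text. */
    ticks = ((uint64_t)r->tick_hi << 16) | r->tick_lo;
    r->elapsed_s = (unsigned long)(ticks * 55 / 1000);

    if (r->mem_kb < expected_kb)
        r->missing_kb = expected_kb - r->mem_kb;
    r->suspicious = r->missing_kb > tolerance_kb;
    return 0;
}

/* Builds a constructed 256-byte dump with the given field values. */
void make_sample_bda(uint8_t *out, unsigned mem_kb, unsigned lo, unsigned hi)
{
    memset(out, 0, BDA_SIZE);
    out[BDA_MEM_KB]      = (uint8_t)(mem_kb & 0xFF);
    out[BDA_MEM_KB + 1]  = (uint8_t)(mem_kb >> 8);
    out[BDA_TICK_LO]     = (uint8_t)(lo & 0xFF);
    out[BDA_TICK_LO + 1] = (uint8_t)(lo >> 8);
    out[BDA_TICK_HI]     = (uint8_t)(hi & 0xFF);
    out[BDA_TICK_HI + 1] = (uint8_t)(hi >> 8);
}

int main(void)
{
    uint8_t dump[BDA_SIZE];
    struct bda_report r;
    unsigned samples[] = { 0x280, 0x27E };  /* 640 KB, then 2 KB missing */

    for (size_t i = 0; i < 2; i++) {
        make_sample_bda(dump, samples[i], 0x1234, 3);
        if (bda_inspect(dump, sizeof dump, 640, 1, &r) != 0)
            return 1;
        printf("40:13 = %03XH (%u KB), missing %u KB, clock %lu s -> %s\n",
               r.mem_kb, r.mem_kb, r.missing_kb, r.elapsed_s,
               r.suspicious ? "SUSPICIOUS" : "ok");
    }
    return 0;
}
```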
Have you got these knowledge points about preventing computer viruses?
We often use computers in our daily study and life, and most of us have experienced the trouble of a virus on a computer. In laboratories with computers, teachers advise students not to bring USB flash drives to copy things, for fear that viruses on the computers will affect everyone's daily classes. For everyone's information security and safe Internet access, today I will explain the relevant knowledge of computer viruses. If it helps you, don't forget to like it at the end of the article!
Knowledge points, circle them
Maybe we have heard someone say, "The computer has a virus, so hurry to find anti-virus software!" Computers are neither animals nor people. How can it have a virus?
A computer virus is a short, special program written by people and stored in computers. This program is usually in a "quiet" state and does not attack immediately. Under certain conditions, it attacks and destroys computer systems. For example, the spheroid virus is a computer virus. When it breaks out, many bouncing balls appear, and then you are prompted "Your computer has turned to stone!" Then the data in the computer is slowly destroyed, leaving the computer unable to start. In addition, worms can spread automatically and quickly through the network mail system, causing large-scale network congestion or worldwide Internet paralysis in a short time. Some viruses can also control your computer at will and obtain important files through the network. Computer viruses can spread between computers like biological viruses, which is extremely harmful. Computer viruses can spread through floppy disks and the Internet, making computers "sick".
Prevention and protection
1. How do you protect a computer from viruses?
Install antivirus software and a network firewall, and update the virus database in time.
Do not install unknown software at will.
Don't visit websites of doubtful security.
Scan files for viruses promptly after downloading them from the network.
Close unneeded ports and keep the computer's use within a reasonable range.
Disable the running of ActiveX in the IE security settings. Many websites use it to invade your computer.
If possible, try to use a browser that is not based on the IE kernel, such as Opera.
Do not use modified versions of software. If you must use one, scan it for viruses and Trojan horses before using it to ensure safety.
2. What about ransomware?
Procedure for Win7, Win8 and Win10:
Open Control Panel - System and Security - Windows Firewall, and then click "Turn Windows Firewall on or off" on the left.
Select "Turn on Windows Firewall", and then click OK.
Click Advanced Settings.
Click Inbound Rules and create a new rule.
Select Port, then Next.
Under Specific local ports, enter 445, then Next.
Select Block the connection, then Next.
For Profile, select all, then Next.
For Name, enter anything you like, then Finish.
3. What about other viruses?
(1) The computer can still run.
1. If the computer can still run normally after infection, do not log in to any account and do not change any password. Use antivirus software to remove the virus in time.
2. After the antivirus scan is finished, you must restart the computer, because most viruses are completely removed only after a restart. After restarting, change the passwords of the accounts that were used while the computer was infected.
(2) The computer can't run normally.
1. If the computer can't run normally after infection, for example programs can't be opened, the keyboard and mouse are locked, or the computer crashes, unplug the network cable in time; if you use a wireless router, switch the router off directly.
2. Then, while the computer restarts, keep pressing F8 to enter Safe Mode with Networking, connect to the network normally, download antivirus software, and disinfect your computer.
3. Or reinstall the system directly, but all the disks must be formatted.
Computer virus knowledge
Replicability: Computer viruses can replicate like biological viruses.
Destructive: After the computer is infected, normal programs may not run, and files on the computer may be deleted or damaged to varying degrees.
Infectious: The infectivity of a computer virus refers to its spreading copies or variants of itself to other uninfected objects by modifying other programs.
Latency: The latency of a computer virus refers to its ability to attach to other media; the invading virus does not attack until the conditions are ripe.
Concealment: Computer viruses have strong concealment, and a few of them can be detected by antivirus software. The concealment makes computer viruses appear and disappear from time to time, which makes them very difficult to deal with.
Triggerability: people who write computer viruses usually set some trigger conditions for virus programs, such as a certain time or date of the system clock, and the system running some programs.
Common computer viruses
01 Trojan horse/botnet
Some of them are also called remote control software. If the Trojan horse can be connected, it can be said that the controller has obtained all the operation control rights of the remote computer, and there is basically no big difference between operating the remote computer and operating his own computer.
02 Worm virus
Worms use system vulnerabilities to spread through the network and e-mail. Worms are self-contained programs (or groups of programs). Unlike ordinary viruses, worms do not need to attach themselves to a host program. For example, "Panda Burning Incense" and its variants are worms.
03 Script virus
Script virus is usually malicious code written in script language code, which is generally advertising in nature. It will modify the browser home page, modify the registry and other information, and bring inconvenience to users when using computers.
04 Macro virus
Macro viruses infect the Office series of software developed by Microsoft. Office programs such as Word and Excel support running commands and can operate on documents, so they are also exploited by malicious macro viruses in Office documents.
05 File virus
File viruses usually exist in executable files (files with the extension .exe or .com). When the infected file runs, the virus begins to damage the computer.
06 Blackmail virus
Blackmail virus is a new type of computer virus, which uses various encryption algorithms to encrypt files. Infected people generally can't decrypt it, and they can only decrypt it if they get the decrypted private key. This virus has a bad nature and is extremely harmful. Once infected, it will bring immeasurable losses to users.
The ransomware mainly spreads through vulnerabilities, emails, Trojans and web pages. It can also spread through mobile devices.
Transmission path and clearing method
Computer viruses mainly spread through mobile storage devices, computer networks and e-mail.
Cleaning methods: use antivirus software, manually clean, format storage devices, and reinstall the system.