Opinion_makeR 12.03.20 02:19 pm

Modern types of computer viruses.

Today we can observe the general informatization of our society. Where not long ago work was done the old-fashioned way (piles of papers, invoices, calculators), today we see more and more computers. The number of computers grows, they are joined into local networks and, over time, usually connected to the global Internet (or at least to some of its services, such as e-mail). However, the people presented with the fait accompli that they must now do their work with the help of computers often have no experience with computers at all. And if they somehow learn to do their immediate job (remembering which buttons to press and in what order), they have not the slightest idea of the dangers lurking there.
Hence all our troubles: thousands of users who are forced to sit at a keyboard are never properly taught how to use it. What, for example, could a female accountant of pre-retirement age, who all her life used the oldest computer, the abacus, know about viruses or security vulnerabilities in Internet Explorer?
Over long years of work in the field of antivirus security, the experts of the Ukrainian Antivirus Center (www.unasoft.com.ua) have derived a rule: if an organization uses computers (not even necessarily connected to a local network), actively uses the Internet (or even just e-mail) and does not use anti-virus tools (or does not update its anti-virus products), then with 99% confidence we can say: you have a virus. It may not show itself for some time, but it is a bomb, and sooner or later this bomb will explode.
In the last 2 years the greatest source of computer viruses has actually been the Internet. At least 95% of all malware reaches users through it.
By definition, viruses are programs that are able to create copies of themselves, which in turn retain the ability to reproduce (reproduction is the main feature of a virus). But this is the definition of a virus in the narrow sense of the word. In the broad sense we call viruses the actual viruses as well as Internet worms, network worms, Trojans and covert administration utilities.

Viruses
Viruses in the narrow sense of the word were previously the most widespread type of malware. The most common ones today: Win95.CIH, Win32.Funlove, Win32.Elkern. But now they have lost their popularity. This is connected primarily with the fact that these viruses are transferred from computer to computer through executable files. Today users rarely copy programs from each other; they are more likely to exchange compact discs or links in the same global network. Naturally this class of malware is not dead, and from time to time we hear about computers infected with the same Chernobyl (WinCIH) or something else painfully familiar.
In addition, there is a huge legacy of tens of thousands of viruses written for the MS DOS operating system. Most of these viruses cannot exist in modern versions of Windows, yet the threat remains that someone accidentally or deliberately activates such a virus, causing irreparable harm.

Internet worms
The most common type of viruses in the last two years are Internet worms. They represent the main threat for all Internet users. Almost all Internet worms are e-mail worms; only a small fraction are non-mail worms that use software vulnerabilities (usually in server software). Examples of non-mail Internet worms: IIS-Worm.CodeRed, IIS-Worm.CodeBlue, Worm.SQL.Helkern.
Mail worms can be divided into subclasses in different ways, but for end users they fall into two main classes:
Worms that run themselves (without the user's knowledge);
Worms that are activated only if the user saves the file attached to the letter and starts it.
The first type are worms that exploit vulnerabilities (bugs) in mail clients. Most of these bugs are in MS Outlook, or rather not even in it but in the Internet Explorer browser. The point is that MS Outlook creates e-mails as HTML pages and, to display these pages, uses the functions of Internet Explorer.
The vulnerability most commonly used by worms is the IFRAME bug. Using the appropriate code, the virus is able, when the e-mail is viewed, to automatically save the file attached to the e-mail to disk and run it. The most annoying thing is that the vulnerability was discovered more than two years ago, and Microsoft then released patches for all versions of Internet Explorer that correct this bug. Nevertheless, worms that use this vulnerability are still the most common (I-Worm.Klez, I-Worm.Avron, I-Worm.Frethem, I-Worm.Aliz).
Mail worms of the second type are designed so that the user, for whatever reason, runs the program attached to the letter himself. To push the user into running the infected file, worm authors apply a variety of psychological tricks. The most common technique is to pass the file off as some important document, a picture or a useful program (I-Worm.LovGate generates replies to letters found in the mail database; I-Worm.Ganda is disguised as information about the fighting in Iraq). Worms almost always use double extensions. In this case the attached file has a name like Doc1.doc.pif or pict.jpg.com. This trick relies on the fact that e-mail clients do not display the full file name (if it is too long), so the user does not see the second extension, which is the real one. That is, the user thinks the file is a document or a picture, while it is actually an executable file with an extension such as EXE, COM, PIF, SCR, BAT, CMD, etc. If such a file is opened, the body of the worm is activated.
In addition to the basic function of reproduction, worms almost always carry a payload. Indeed, why write a worm and release it into the wild without first planting a bomb in it? The embedded functions are extremely diverse. For example, mail worms are very often designed to install a Trojan or a covert administration tool on your computer and to send the address of the computer to the worm's creator. Not rarely they simply destroy information or simply make it impossible to continue working on the computer. Thus the worm I-Worm.Magistr performs the same actions as the infamous WinCIH: it wipes the contents of the FLASH BIOS and overwrites the information on the hard disk with garbage data.
In any case, regardless of the presence or absence of a malicious function, mail worms are harmful simply because they exist. This is because when spreading they load the communication channels, often so heavily that they completely paralyze the work of a person or an organization.
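The double-extension trick described above can be caught on the mail gateway before the user ever sees the attachment name. The following is an added example (not code from the article or from the Ukrainian Antivirus Center) that flags names such as Doc1.doc.pif; it also goes one step beyond the article by catching whitespace padding, which relies on the same name-truncation behaviour. The sample attachment names are constructed.

```python
import re
from typing import List

# Extensions the article names as executable on Windows: a file whose final
# extension is one of these runs as a program whatever the rest of the name says.
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd"}


def attachment_verdict(filename: str) -> List[str]:
    """Return the reasons an attachment name looks like a disguised executable.

    An empty list means the name gives no cause for suspicion. Checks the
    double-extension trick from the article (Doc1.doc.pif, pict.jpg.com) and,
    as a generalisation beyond it, whitespace padding ("invoice.pdf        .scr")
    that relies on the mail client truncating long names.
    """
    name = re.split(r"[\\/]", filename)[-1]        # drop any path component
    collapsed = re.sub(r"\s+", "", name).lower()   # the name as Windows resolves it
    parts = collapsed.split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    reasons.append(f"executable extension .{real_ext}")
    if len(parts) >= 3 and parts[-2]:
        reasons.append(f"double extension hides it behind .{parts[-2]}")
    if re.search(r"\s{2,}", name):
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons


def triage(attachment_names: List[str]) -> dict:
    """Map each attachment name to its verdict; names with [] are fine to pass."""
    return {name: attachment_verdict(name) for name in attachment_names}


if __name__ == "__main__":
    # Constructed sample names: the two from the article plus some harmless ones.
    sample = ["Doc1.doc.pif", "pict.jpg.com", "report.doc", "setup.exe",
              "invoice.pdf        .scr", "notes.txt"]
    for name, verdict in triage(sample).items():
        print(f"{name!r:32} {'BLOCK' if verdict else 'ok':5} {'; '.join(verdict)}")
```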

Macro viruses
The second most common in the wild are macro viruses. These viruses are macros stored in the files of external software (Microsoft Office, AutoCAD, CorelDRAW, etc.) and executed by the internal interpreters of these programs when a document is opened. They owe their wide distribution to the immense capabilities of the Visual Basic interpreter language integrated into Microsoft Office.
A favorite habitat of these viruses are offices with a high volume of documents. In these organizations the people working at computers (secretaries, accountants, computer operators) have no time to deal with such things as computer viruses. Documents are freely transferred from computer to computer without any control (especially where there is a local network).
Unfortunately, people tend not to take macro viruses seriously, and in vain. A macro written in VBA and embedded in a Word or Excel document actually has all the same capabilities as a normal application. It may format your hard drive or simply delete information, steal some files or passwords and send them by e-mail. In fact, viruses of this class are capable of paralyzing a whole office, and not just one.
The danger of macro viruses is that the virus is spread entirely in source text. If a person who is more or less able to write in Visual Basic gets hold of a virus, he will easily be able to modify it, attach his own functions and make it invisible to antiviruses. Do not forget that virus authors have the same antivirus programs, and they modify viruses until they cease to be detected by them. This is how new modifications of known viruses are born, but for such a virus to be detected by an antivirus it first has to reach the anti-virus lab, and only then will detection and neutralization of the new modification be added. Thus the specialists of the Ukrainian Antivirus Center have more than 100 modifications of the virus Macro.Word97.Thus, more than 200 modifications of Macro.Word97.Marker and more than 50 modifications of Macro.Word97.Ethan (here we are talking about versions that differ significantly from each other, which requires adding extra modules for the detection and treatment of these modifications).

Trojan horses and covert administration utilities
The next most common are Trojan and Backdoor programs. The difference between these two types is that a Trojan performs active actions (destroying data, collecting data and sending it over the Internet, performing some action at a certain time), while Backdoor programs open remote access to your computer and await the attacker's instructions. For simplicity we will call both of these classes Trojans.
The main difference between Trojans and all the creations of the human mind described above is that Trojans do not reproduce themselves. They are installed once on your computer for a long time (usually either until the moment of detection or until the operating system is reinstalled for whatever reason) to perform their functions. A Trojan horse is unable to move on its own from one computer in a local network to another.
So why are Trojans so widespread? The reason is that they are the most useful and the most invisible. Often they are companions of network or mail worms. Thus the mail worm I-Worm.LovGate, on reaching a computer, installs a backdoor module that provides access to the computer via TCP/IP and sends the worm's developer a letter stating the user name, computer name and network address of the infected computer.

All Trojans can be divided into three main classes according to the actions they perform:
Logic (time) bombs: programs that remove/modify information by various methods at a specified time or on some condition.
Spyware: collects information (names, passwords, keystrokes), stores it in a certain way and, not rarely, sends the collected data by e-mail or another method.
BackDoor programs proper: remotely control a computer or receive commands from the attacker (over LAN/WAN, by e-mail, in files, or from other applications such as worms or viruses).
All three types of programs are equally dangerous. Each of them is able either to destroy data or to steal valuable information (at the very least the names and passwords for access to various resources).
It is worth noting that many Trojans are constantly being updated, and new modifications keep appearing. Given that a Trojan cannot reach you by chance, the attacker carefully chooses which Trojan to install on your machine, and it is very likely that he will go to the Internet and download something fresh. It is therefore necessary to regularly update the antivirus product's database.
In conclusion, I would like to say: the development of viruses and antiviruses is an ongoing war of technologies. Viruses regularly implement original ideas that require an adequate response from anti-virus developers. Therefore the average user is advised to follow the news on the websites of antivirus companies and listen to the advice of information security experts on updating software (not only antivirus) or performing specific actions to improve the security of your PC.
47 Comments
Hischnica Kissa... 12.03.20

a modest little essay...

But what about polymorphic viruses?

Ukrop [Bull1] 12.03.20

And I have 12 versions of Trojans on my computer, please =)

Mark 8 12.03.20

Damn - I venturino. I had to do it. Nothing worked = I open the desktop - and there is advertising, I can't clean it and can't do anything. It installed itself. I did a Windows recovery from the drive = it seems to have disappeared. I have Kaspersky. Same thing. I'd first like to hit someone myself.

Lizemer 12.03.20

Guys, tell me which antivirus is less heavy to install.. I have Kasperych... I hate it, it blocks... too many pop-ups.. and it did not defend against Trojans... tell me what=))??

MASYAA 12.03.20

I met the Penetrator virus

Aleksey168416 12.03.20

The strongest computer virus is Flame. More information can be found on the website http://www.pcs-service.ru/silnejshij-kompyuternyj-virus/

Diver7 12.03.20

When I bought a computer 2 years ago I was talked into taking Kaspersky anti-virus as well, and in short it was a hardship with it: it blocks programs, and some Internet retards; in the end I gave it to a friend, he immediately caught the porn virus, fucking; now Windows 7 is on it, she downloaded a normal anti-virus from Microsoft with a continuously updated virus database, for free. Sometimes things slip through, but they get removed when scanning.

VITYA_KOLYADENKO 12.03.20

About Microsoft I don't know. I have AVG - a so-so antivirus, but it can at least understand the fact of rootkits.

RikoChiko 12.03.20

VITYA_KOLYADENKO
Same crap. The virus infected all the .exe files, while Kaspersky wrote that everything was clean. Kaspersky just cured the system.

VITYA_KOLYADENKO 12.03.20

A good Symantec antivirus.

The virus has infected everything .exe files
If it had infected the antivirus's files, you could hang yourself. But a normal antivirus is not supposed to allow that.

VITYA_KOLYADENKO 12.03.20

About an example of the actions of a virus.
Who knows whether any prog like AVZ, which mostly shows on .exe files, can detect rubbish such as, say, a PE DLL file? An example of the actions of such crap:
vcmgcd32.dll decrypts an ID from its body (using a decoding algorithm that XORs the code with the offset value 66h) and places it in memory. Thus, if the specified identifier is already present in memory, this indicates that the system is infected, and the dropper component of the virus does not reinstall the main component into the system. If the identifier is absent from memory, the dropper code performs the already known procedure of installing and running the file vcmgcd32.dll.
Actually my AVG sees the thing only in rare cases, because the file has the following properties:
When infecting a file, the virus appends its encrypted body to the end. For this, vcmgcd32.dll reads the complete virus code from the body of the last of the running infected files; the location of this file is reported to the vcmgcd32.dll component by the dropper component in a variable and kept in memory. The virus then reads the last 20480 bytes of the already infected program and copies them into the reserved space of the file currently being infected, and then adjusts its header: it changes the entry point (the place in the file's code header from which the program's start address is read and execution begins), replacing the original start address (which it remembers beforehand) with a reference to the start address of the dropper code, which is a few hundred bytes from the beginning of the virus body in the infected file. Then vcmgcd32.dll records the original (source) start address of the program in the first few hundred bytes of the virus body in the infected program (in the bytes located before the code of the dropper component). After that vcmgcd32.dll encrypts with a polymorphic-crypt algorithm all 20480 bytes of the virus body in the infected file (except for a 1.5-2 KB section of code of the dropper component; for it the virus uses a polymorphic-crypt method). Only after all these manipulations does vcmgcd32.dll complete editing the already infected file, re-save it with all the changes and assign it the original attributes and the date and time of modification from before infection. As a result, outwardly the infected file differs from the original only by an increase in size of 20480 bytes.

A more advanced version additionally does the following:
If the OS version is Windows 2K/XP or above, the virus decrypts and extracts from its body another component, which it writes as
%windir%\System32\drivers\%name%.sys,
where %name% is a name consisting of a combination of lowercase Latin letters. Examples of such names: ggpnhn.sys, knknln.sys, qrnti.sys etc. This combination of characters and their number in the name of the .SYS file is generated depending on the name of the computer; as a result, on a specific machine the name will always be the same.
It is a rootkit used by the virus to hide its addresses in the external network and its spurious traffic from protective firewalls and filters. When creating this file it is assigned the archive attribute, and the creation time and date correspond to the real time the file was written to disk. The virus checks for the presence and integrity of this component 2 times per second.
Because the virus does not register itself in the system's autorun, it can gain control after a system restart only if one of the infected files is executed.

[HKEY_LOCAL_MACHINE\SYSTEM\%\%\ SafeBoot\]
[HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Ext\Stats\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Explorer\Browser Helper Objects\]
[HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run\]

From these keys it deletes all subkeys with all their values (in the given branches, parts of some paths are replaced by the character % for safety reasons). As a result, the system will never be able to boot in Safe mode; on subsequent starts of the system none of the user's autorun components will be loaded, drivers, security programs etc. will not load, all programs and add-ons integrated into the Web browser will be disabled; and some other things.

Actually, finding files %windir%\System32\drivers\%name%.sys (also in %windir%\System32\ and, for example, D&S\Chef\LocalSettings\Temp and their counterparts in other versions of Windows) with a fresh creation date is, in that case, a sign that clearly shows there is a problem.
PS. The registry paths contain spaces because GHG cuts long words.
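The comment above describes an appending infector: 20480 bytes are added to the end of the file and the PE entry point is redirected into that tail. A defender can look for exactly that header symptom without any signature. The following is an added example (not code from the commenter or from any antivirus product): it walks the PE headers, maps the entry point RVA to a file offset and flags files whose entry point lands in the last 20480 bytes; build_sample_pe constructs a minimal synthetic PE in both clean and "infected" layouts so the check can be run offline.

```python
import struct

# Size the comment reports the virus appends to each infected file.
VIRUS_BODY_LEN = 20480


def _u16(data: bytes, off: int) -> int:
    return struct.unpack_from("<H", data, off)[0]


def _u32(data: bytes, off: int) -> int:
    return struct.unpack_from("<I", data, off)[0]


def entry_point_file_offset(data: bytes) -> int:
    """Walk the PE headers and return the file offset the entry point maps to."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                      # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = _u16(data, pe + 6)          # COFF header: NumberOfSections
    opt_size = _u16(data, pe + 20)             # COFF header: SizeOfOptionalHeader
    ep_rva = _u32(data, pe + 24 + 16)          # optional header: AddressOfEntryPoint
    table = pe + 24 + opt_size                 # first 40-byte section header
    for i in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, table + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (ep_rva - vaddr)
    raise ValueError("entry point lies outside every section")


def entry_point_in_appended_tail(data: bytes, tail_len: int = VIRUS_BODY_LEN) -> bool:
    """True when the entry point lands inside the last tail_len bytes of the file,
    i.e. where an appended virus body would sit. A file no larger than tail_len
    cannot carry such a body, so it is never flagged."""
    if len(data) <= tail_len:
        return False
    return entry_point_file_offset(data) >= len(data) - tail_len


def build_sample_pe(infected: bool) -> bytes:
    """Constructed minimal 32-bit PE: one .text section at file offset 0x200.
    With infected=True the layout from the comment is imitated: 20480 bytes are
    appended, the section is grown to cover them, and the entry point is moved a
    few hundred bytes into the appended body."""
    pe_off, text_raw, text_size = 0x40, 0x200, 0x8000
    tail = VIRUS_BODY_LEN if infected else 0
    ep_rva = 0x1000 + (text_size + 0x100 if infected else 0x10)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, text_size + tail, 0, 0, ep_rva)
    opt += b"\0" * (224 - len(opt))
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", text_size + tail, 0x1000, text_size + tail, text_raw,
        0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + section
    header += b"\0" * (text_raw - len(header))
    return header + b"\xC3" * text_size + b"\x90" * tail   # RETs, then filler body


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)),
                          ("infected", build_sample_pe(True))):
        print(f"{label:9} size={len(sample):6} "
              f"entry@{entry_point_file_offset(sample):#x} "
              f"entry_in_tail={entry_point_in_appended_tail(sample)}")
```

On real files the check is a triage heuristic, not a verdict: packers and some linkers also place the entry point near the end of the image, so a hit means "inspect", and the size increase of exactly 20480 bytes against a known-good copy is the confirming sign the comment gives.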

Rorian 12.03.20

And I write them... they only get caught...

VITYA_KOLYADENKO 12.03.20

Rorian
You need to be able not only to write, but also to distribute.

VITYA_KOLYADENKO 12.03.20

I recently found out about one virus.

Before attacking the computer, the dropper of the malware checks the system. On the basis of the serial number of the system partition a CLSID is generated, and its presence in the system registry is checked: if in the branch
•HKLM\Software\Classes\CLSID
there is no corresponding section, the infection continues.

On Windows Vista and Windows 7 the Trojan attempts to elevate its own rights, i.e. it continually restarts itself with a request for elevation of privileges. However, this process can be terminated in Task Manager.

The dropper carries 32-bit and 64-bit drivers capable of loading the main functionality of this malware. Depending on the bitness of the user's OS, the appropriate driver remains on the disk, which can be written either at the beginning of the disk (before the first active partition), if there is enough space, or at the end. However, if the boot partition is not the first, the Trojan's driver may overwrite random data of any partition before the boot one, since the recording position is selected randomly within the free sectors.

Only after this is the VBR (Volume Boot Record) infected. Another prerequisite for infection: the partition's file system must be NTFS. Analyzing the boot record, the Trojan finds a convenient place for itself and overwrites the existing code. The original code is packed with the aplib library and appended behind the virus. The number of the starting sector of the driver placed earlier on the disk and its size are stitched into the body of the infected VBR.

Note that the BOOT sector considered here is the first sector of the VBR, which for NTFS, for example, occupies 16 sectors. Thus, the classic check of only the boot sector cannot detect the malicious object because it is further inside the VBR.

After infecting the system, Trojan.Mayachok.2 flushes to the disk a small application designed to automatically restart the system. Another bootkit, Trojan.Hashish, behaves similarly. Finishing its work, the Trojan tries to remove its traces and itself.

Having received control, the virus loader operates according to the classic MBR/BOOT virus scheme. It bites off a small piece of system memory, moves itself there and intercepts int 13h to inspect the content of sectors read from the disk. Then it completely loads the driver from the disk and unpacks the original VBR code to its original place. Control returns to the bootloader.

Next comes a series of removals/installations of interceptions in the loadable modules, such as ntldr, bootmgr, osloader.exe, winload.exe etc., depending on the operating system loader. It should be noted that in addition to the usual interceptions (splicing) at key points, the hardware debug registers (dr0-dr7) and code tracing (single-stepping) are used. This gives the Trojan versatility and is also a natural way to bypass the integrity protection of some boot modules. In the end, the viral driver is loaded into kernel-mode memory and ready to go.

The viral driver is called twice because of the close cooperation between the infected VBR and the driver. Since the viral VBR code is only 2078 bytes, the authors decided to move part of the functionality into the body of the driver. When first called, it adds itself to the lists of LOADER_PARAMETER_BLOCK in:
•LoadOrderList, as a copy of the first module in the list (which is the OS kernel);
•BootDriverList, as a boot driver, allegedly registered in \Registry\Machine\System\CurrentControlSet\Services\null.
Thus, the malicious program imitates its loading as a normal boot driver.

The second time the driver is called by the operating system, which is sure that it loaded it. These manipulations lead to some side effects.

For example, the system gets the Null driver, but on closer examination it turns out that it was created by the kernel (ntoskrnl.exe).

At the same time, among the loaded modules there is another kernel, with DllBase and SizeOfImage parameters belonging to the malicious driver.

You can check the system for the presence or absence of the infection using the simple command echo hello >nul, which on an uninfected system succeeds, and on an infected one issues an error message.

The task of the driver is to inject its code into running processes.

Code injection is the usual registration of notifications via the functions PsCreateProcessNotifyRoutine and PsCreateProcessNotifyRoutine with a subsequent call of an asynchronous function through the APC mechanism. During the study it became clear that the 64-bit driver carries two libraries on board. In this case the payload is only one of them, and the second, apparently, is for the future.

Lexx77 12.03.20

echo hello >nul doesn't want to run on my system, it writes that it cannot find echo. What should I do?

VITYA_KOLYADENKO 12.03.20

Lexx77
It probably needs to be typed in the command prompt. For me any nonsense gives no reaction, so I don't know what the catch is.

VITYA_KOLYADENKO 12.03.20

In the registry there is a parameter equal to Root\LEGACY_NULL\0000 in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Null\Enum. It remains to be seen whether it should be there in a proper Windows.

The_apathy 12.03.20

VITYA_KOLYADENKO
On Windows Vista and Windows 7 the Trojan attempts to elevate its own rights, i.e. it continually restarts itself with a request for elevation of privileges. However, this process can be terminated in Task Manager.
I had it recently. But no antivirus and no Task Manager saved me. The system was reinstalled.

VITYA_KOLYADENKO 12.03.20

Dovakin997
And you didn't try any boot-disk antivirus method? Which antivirus, and what was it trying to do?

The_apathy 12.03.20

VITYA_KOLYADENKO
The antivirus was AVG. I just deleted it endlessly, and it constantly reappeared and asked to run as administrator.