Macro viruses are viruses written in the macro languages built into some data-processing applications (word processors, spreadsheets and so on), or in scripting languages such as VBA (Visual Basic for Applications) and JScript/JavaScript. To reproduce, such a virus uses the facilities of the macro language to carry itself from one infected file (a document or a worksheet) into others. Macro viruses are most widespread for Microsoft Office; there are also macro viruses that infect AmiPro documents and Access databases. For viruses to exist in a given system (editor), its built-in macro language must provide:

1. a way to bind a macro-language program to a specific file;
2. a way to copy macro programs from one file to another;
3. a way for a macro program to gain control without user intervention (automatic or standard macros).

Microsoft Word, Office and AmiPro, the Excel spreadsheet and the Microsoft Access database all satisfy these conditions. Their macro languages are WordBasic (Word 6/7) and VBA (Excel, Access and later versions of Word). In these systems:

1. macro programs are tied to a specific file (AmiPro) or stored inside the file itself (Word, Excel, Access);
2. the macro language can copy files (AmiPro) or move macro programs into system service files and editable files (Word, Excel);
3. under certain conditions when working with a file (opening, closing and so on), the application calls macro programs, if present, that are designated in a special way (AmiPro) or carry standard names (Word, Excel).

These macro-language features were intended for automated data processing in large organizations and global networks, the so-called "automated document flow". On the other hand, the same capabilities let a virus carry its code into other files and thereby infect them. A virus gains control when an infected file is opened or closed, intercepts the standard file commands and then infects any file that is subsequently accessed in any way. By analogy with MS-DOS viruses, most macro viruses are resident: they stay active not only at the moment the file is opened or closed, but for as long as the editor itself is running.

Word / Excel / Office Viruses: General Information

The physical location of the virus inside a file depends on the file format, which in the case of Microsoft products is extremely complicated: every Word document and Excel workbook is a sequence of data blocks (each with its own format) combined with a large amount of service data. This container format is called OLE2 (Object Linking and Embedding), also known as the compound file format.

The structure of Word, Excel and Office files (OLE2) resembles a disk file system: the "root directory" of the document or workbook points to the main subdirectories of the various data blocks, several FAT tables record where the data blocks are located inside the file, and so on. Moreover, Office Binder, which supports both the Word and the Excel formats, can create files that hold one or more Word documents together with one or more Excel workbooks at the same time. Word viruses can then hit the Word documents and Excel viruses the Excel workbooks, all inside one disk file. The same applies to Office. Most known Word viruses are incompatible with national (including Russian) versions of Word, or the reverse: they are written for a localized version and do not work under the English one. Even so, a virus in such a document stays active and can infect other computers that have the matching version of Word installed. Word viruses can infect computers of any class, provided a text editor fully compatible with Microsoft Word version 6 or 7 or higher (for example MS Word for Macintosh) is installed on it.
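
The directory walk described above is easy to see in code. The following is an added example, not code from the original page: a minimal OLE2 (Compound File Binary) reader in Python that parses the 512-byte header, loads the FAT sectors listed in the header's DIFAT, follows the directory stream's sector chain and lists every storage and stream, then flags the document as macro-capable when it finds the "Macros" or "_VBA_PROJECT_CUR" storage under which Word and Excel keep their VBA project. build_sample_doc constructs a three-sector container in memory so the code runs offline; the layout values it writes (sector shift 9, one FAT sector at sector 0, directory at sector 1) are my own choices for the sample, and the parser reads only the directory, so the mini FAT is not needed.

```python
import struct

# OLE2 / Compound File Binary constants: the container format behind .doc and .xls
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}
# Storage names under which Word 97+ ("Macros") and Excel 97+ ("_VBA_PROJECT_CUR") keep VBA
MACRO_STORAGES = {"Macros", "_VBA_PROJECT_CUR"}


def parse_directory(data):
    """Follow the directory stream's FAT chain and return (name, type, start_sector, size) tuples."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2/CFB container")
    sector_shift, = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)      # the header lists the first 109 FAT sectors
    fat = []
    for sid in difat[:n_fat]:                            # sector n starts at (n + 1) * sector_size
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sid + 1) * sector_size))
    entries, sid, seen = [], first_dir, set()
    while sid != ENDOFCHAIN:
        if sid in seen or sid >= len(fat):               # cycle or dangling chain: refuse malformed input
            raise ValueError("corrupt directory chain")
        seen.add(sid)
        base = (sid + 1) * sector_size
        for i in range(sector_size // 128):              # directory entries are 128 bytes each
            e = data[base + i * 128:base + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", e, 64)
            if etype not in ENTRY_TYPES:
                continue                                 # unused slot
            name = e[:max(name_len - 2, 0)].decode("utf-16-le")  # length includes the UTF-16 NUL
            start, size = struct.unpack_from("<IQ", e, 116)
            entries.append((name, ENTRY_TYPES[etype], start, size))
        sid = fat[sid]
    return entries


def has_vba_macros(data):
    """True when the container holds a VBA project storage, i.e. the document can carry macros."""
    return any(t == "storage" and n in MACRO_STORAGES for n, t, _, _ in parse_directory(data))


def _dir_entry(name, etype, child=NOSTREAM, right=NOSTREAM, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), etype, 1,
                       NOSTREAM, right, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_sample_doc(with_macros=True):
    """Constructed sample: header + one FAT sector (sector 0) + one directory sector (sector 1)."""
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_dir_entry("Root Entry", 5, child=1),
               _dir_entry("WordDocument", 2, right=2 if with_macros else NOSTREAM)]
    if with_macros:
        entries.append(_dir_entry("Macros", 1))
    directory = b"".join(entries).ljust(512, b"\x00")
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", CFB_MAGIC, b"\x00" * 16, 0x3E, 3, 0xFFFE,
                         9, 6, b"\x00" * 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))   # DIFAT: the FAT is in sector 0
    return header + fat + directory


if __name__ == "__main__":
    doc = build_sample_doc()
    for name, kind, start, size in parse_directory(doc):
        print("%-8s %-20s start=0x%X size=%d" % (kind, name, start, size))
    print("macro-capable:", has_vba_macros(doc))
```

The storage-name check is the same first-pass heuristic that olefile-based tools use; it says the file can carry a VBA project, not that the project is malicious, so it belongs in front of a macro analysis step rather than replacing one.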

The same holds for Excel and Office. The complexity of the Word, Excel and especially Office formats has another consequence: document and workbook files contain "unneeded" data blocks, that is, data unrelated to the edited text or tables, which either end up there at random or are copies of other data in the file. The cause is the cluster-based organization of OLE2 documents and workbooks: even if only a single character is entered, one or more data clusters are allocated. When the document is saved, the parts of those clusters not filled with "useful" data retain "garbage", which is written to the file along with the real data. The amount of garbage can be reduced by turning off the Word/Excel "Allow fast saves" option, but that only reduces it and does not remove it completely. As a result, a document's size changes when it is edited regardless of the action performed: adding text may shrink the file, and deleting part of the text may enlarge it.

The same goes for macro viruses: when a file is infected, its size may shrink, grow or stay the same. Note also that some versions of OLE2.DLL contain minor defects, as a result of which, when working with Word, Excel and especially Office documents, random data from the disk, including confidential data (deleted files, directories and so on), can end up in the "garbage" blocks. Virus commands can end up there too. Consequently, after an infected document is disinfected, the active virus code is removed from the file, but some of its commands may remain in the garbage blocks. Such traces are sometimes visible in a text editor and may even trigger some antivirus programs. These leftovers are harmless, however: Word and Excel pay no attention to them.

Word / Excel / Office Viruses: Work Principles

When working with a document, Word versions 6 and 7 and later perform various actions: opening, saving, printing, closing and so on. For each of them Word looks for and runs the corresponding "built-in" (command) macro, if one is defined: File / Save calls the FileSave macro, File / Save As calls FileSaveAs, printing calls FilePrint, and so on. There are also several "auto-macros" that Word runs automatically under different conditions. For example, when a document is opened Word checks for an AutoOpen macro and runs it if present. When a document is closed Word runs AutoClose; AutoExec runs when Word starts, AutoExit when it shuts down, and AutoNew when a new document is created.

Similar mechanisms (with different macro and function names) are used in Excel and Office, where the role of auto-macros and built-in macros is played by auto-functions and built-in functions that may be present in any macro; one macro can contain several built-in and auto functions. Macros and functions bound to a key or to a time or date are also run automatically (without user participation): Word and Excel call such a macro or function when a specific key (or key combination) is pressed or when the set time arrives. In Office the event-interception facilities are somewhat broader, but the principle is the same.

Macro viruses that infect Word, Excel or Office files normally use one of the three methods above: the virus contains an auto-macro (auto-function), or it overrides one of the standard system macros (bound to a menu item), or its macro is bound to a key or key combination and is invoked automatically when that key is pressed. There are also "semi-viruses" that use none of these techniques and propagate only when the user runs them deliberately. Thus, when an infected Word document is opened, the infected AutoOpen macro (or AutoClose when it is closed) runs and starts the virus code, unless this is prohibited by the DisableAutoMacros setting. If the virus contains macros with standard names, they receive control when the corresponding menu item is used (File / Open, File / Close, File / Save As). If a key is overridden, the virus is activated only when that key is pressed.

Most macro viruses keep all their functionality in the form of ordinary Word/Excel/Office macros. There are, however, viruses that use tricks to hide their code and store it in a form other than macros. Three such tricks are known, and all rely on the ability to create, edit and execute other macros. Typically such a virus has a small (sometimes polymorphic) macro that invokes the built-in macro editor, creates a new macro, fills it with the main virus code, executes it and then, as a rule, deletes it to hide traces of the virus's presence. The main code of such viruses is present either in the virus macro itself as text strings (sometimes encrypted), or stored in document variables or in the AutoText area.

How Word macro viruses work

Most known Word viruses begin by transferring their code (macros) into the global document macro area ("global" macros). To do this they use the MacroCopy or Organizer.Copy macro-copying commands, or the macro editor: the virus invokes it, creates a new macro, inserts its code into it and saves it in the document. When Word exits, the global macros (including the virus's) are written automatically to the global macro template, normally Normal.dot. The next time Word starts, the virus is activated at the moment WinWord loads the global macros, that is, immediately. The virus then redefines (or already contains) one or more standard macros (for example FileOpen, FileSave, FileSaveAs, FilePrint) and thereby intercepts the file commands. Whenever such a command is invoked, the virus infects the file being accessed. To do this it converts the file to Template format (after which the file format can no longer be changed, that is, it cannot be converted to any non-template format) and writes its macros into the file, including the auto-macros. So if the virus intercepts FileSaveAs, every DOC file saved through the intercepted macro is infected; if FileOpen is intercepted, the virus is written into the file when it is read from disk.
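
As an added example (not code from the original page), the following Python triage routine applies the mechanics described in the two sections above to decompressed VBA source: it lists procedures whose names Word or Excel run automatically (AutoOpen, Document_Open and so on), procedures that shadow the built-in File commands (FileOpen, FileSaveAs, ...), and the primitives used to move code into Normal.dot or other files (MacroCopy, Organizer.Copy, NormalTemplate.VBProject with CodeModule.AddFromString, SaveAs in template format). The two VBA modules embedded as sample input are constructed for this example and are not real virus code; the keyword lists are my own selection, and the routine assumes the VBA source has already been extracted and decompressed from the document, a step this page does not cover.

```python
import re

# Procedure names Word and Excel run without user action (auto-macros and document/workbook events)
AUTO_EXEC = {"AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
             "Document_Open", "Document_Close", "Document_New",
             "Workbook_Open", "Workbook_BeforeClose", "Auto_Open", "Auto_Close"}
# Built-in command macros a virus overrides to intercept File menu actions
COMMAND_HOOKS = {"FileOpen", "FileSave", "FileSaveAs", "FilePrint", "FileClose", "ToolsMacro"}
# Objects and calls used to move macro code into Normal.dot or into other documents (my selection)
REPLICATION = ["MacroCopy", "Organizer.Copy", "NormalTemplate", "VBProject", "CodeModule",
               "AddFromString", "InsertLines", "SaveAs", "wdFormatTemplate"]

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.M | re.I)


def triage_vba(source):
    """Keyword triage of decompressed VBA source (the same first pass olevba-style tools make)."""
    procs = {p.lower(): p for p in PROC_RE.findall(source)}   # VBA names are case-insensitive
    auto = sorted(procs[n.lower()] for n in AUTO_EXEC if n.lower() in procs)
    hooks = sorted(procs[n.lower()] for n in COMMAND_HOOKS if n.lower() in procs)
    repl = sorted(k for k in REPLICATION if re.search(r"\b" + re.escape(k) + r"\b", source, re.I))
    # an auto-start or a menu hook gives the code control; replication primitives let it spread
    return {"auto_exec": auto, "command_hooks": hooks, "replication": repl,
            "score": 3 * len(auto) + 2 * len(hooks) + len(repl),
            "suspicious": bool(auto or hooks) and bool(repl)}


# Constructed sample modules (not real virus code): one infected-looking, one benign.
SAMPLE_INFECTED = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' copy this module into the global template so it runs at every Word start
    Dim src As Object
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    NormalTemplate.VBProject.VBComponents("NewMacros").CodeModule.AddFromString src.Lines(1, src.CountOfLines)
End Sub

Sub FileSaveAs()
    ' shadow File > Save As: force template format so the file can carry the macros
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatTemplate
End Sub
"""

SAMPLE_BENIGN = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(label, triage_vba(src))
```

Keyword hits are a triage signal, not a verdict: legitimate document automation uses the same objects, which is why the routine reports the three categories separately and only calls a module suspicious when an auto-start or hook is combined with a replication primitive.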

The second way for a virus to install itself is used much less often. It relies on so-called "add-in" files, service extensions to Word. In this case Normal.dot is not changed; instead, at startup Word loads the virus macros from the file (or files) registered as an add-in. This method is almost identical to infecting the global macros, except that the virus macros are stored not in Normal.dot but in some other file. A virus could also install itself into files in the Startup directory, from which Word automatically loads templates, but no such viruses have been seen so far. The methods above are an analogue of resident DOS viruses. The analogue of non-resident viruses are macro viruses that do not carry their code into the system macro area: to infect other document files they either search for them using Word's built-in file functions or consult the Recently Used File List. Such a virus then opens a document, infects it and closes it.

How Excel macro viruses work

The ways Excel viruses reproduce are generally similar to those of Word viruses. The differences are in the macro-copying commands (for example Sheets.Copy) and in the absence of Normal.dot; its role (in the viral sense) is played by the files in the Excel StartUp directory. Note that macro viruses can reside in Excel workbooks in two forms. The overwhelming majority write their code in VBA (Visual Basic for Applications) format, but there are viruses that store their code in the old Excel 4.0 macro format. Such viruses do not differ in essence from VBA viruses, except in where and how the virus code is laid out inside the workbook. Although newer versions of Excel (from version 5 on) use more advanced technology, the ability to run macros of older Excel versions was kept for compatibility. For this reason all macros written in the Excel 4 format remain fully functional in all later versions, even though Microsoft does not recommend using them and does not ship the corresponding documentation with Excel.

How Access viruses work

Since Access is part of the Office Pro package, viruses for Access are the same Visual Basic macros as the other viruses that infect Office applications. However, instead of auto-macros the system has automatic scripts that are called on various events (for example AutoExec). These scripts can in turn invoke various macro programs. So to infect an Access database, the virus has to replace one of the auto-scripts and copy its macros into the infected database. Infecting scripts alone, without additional macros, is not possible, because the script language is quite primitive and lacks the functions needed for this.

Note that in Access terminology the scripts are called macros (Macro) and the macros are called modules (Module); here the unified terms "scripts" and "macros" are used. Disinfecting an Access database is a more complex task than removing other macro viruses, because in Access not only the viral macros but also the auto-scripts must be neutralized. And since much of Access's operation is delegated to scripts and macros, wrongly removing or deactivating any element can make the database unusable. The same applies to the viruses themselves: an incorrect replacement of the auto-scripts can lead to loss of the data stored in the database.

AmiPro viruses

For every document, the AmiPro editor creates two files: the document text itself (with the extension .SAM) and an additional file containing the document's macros and possibly other information (extension .SMM). The format of both files is quite simple: they are ordinary text files in which both the edited text and the control commands are present as plain text strings. A macro from the .SMM file can be associated with the document (the AssignMacroToFile command). Such a macro is the analogue of AutoOpen and AutoClose in MS Word and is called by the AmiPro editor when a file is opened or closed. Apparently AmiPro has no way to place macros in a "global" area, so AmiPro viruses can infect the system only when an infected file is opened, not at system start as happens with MS Word after Normal.dot has been infected. Like MS Word, AmiPro allows system macros (for example SaveAs, Save) to be overridden with the ChangeMenuAction command. When the overridden functions (menu commands) are invoked, control passes to the infected macros, that is, to the virus code.

Stealth Viruses

Representatives of this class use various means to mask their presence in the system. This is usually achieved by intercepting a number of system functions responsible for working with files. Stealth technology makes it impossible to detect the virus without special tools. The virus masks both the increase in length of the infected object (file) and its own body inside it, "substituting" the "healthy" part of the file in place of the infected one.

When checking a computer, antivirus programs read data (files and system areas) from hard disks and diskettes using the operating system and BIOS services. Stealth viruses, or invisible viruses, once launched, leave special modules in the computer's RAM that intercept calls to the disk subsystem. If such a module detects that a user program is trying to read an infected file or an infected system area of the disk, it replaces the data being read on the fly and thus remains unnoticed, deceiving the antivirus.

Stealth viruses can also hide as threads inside system and other processes, which also makes them hard to identify. Such stealth viruses do not even appear in the list of processes currently running in the system.

There is a simple way to disable the stealth masking mechanism. It suffices to boot the computer from a clean, write-protected system diskette and check the computer with an antivirus program without running any programs from the computer's hard disk (they may be infected). In this case the virus cannot gain control and install the resident module implementing the stealth algorithm in RAM; the antivirus reads what is really recorded on the disk and easily detects the "bug".

Most antivirus programs counter the attempts of stealth viruses to stay unnoticed, but to leave them no chance at all, the computer should be booted from a write-protected diskette carrying the antivirus programs before the check. Many antivirus programs resist stealth viruses so successfully that they detect them precisely when they try to disguise themselves. Such programs read the files being checked in several different ways, for example through the operating system and directly through the BIOS; if discrepancies are found, the conclusion is that a stealth virus is probably resident in RAM.

Polymorphic viruses

Polymorphic viruses are those that cannot (or can only with great difficulty) be detected with so-called virus signatures, sections of constant code characteristic of a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor instructions, or by changing the executable virus code itself. There are other, fairly exotic, examples of polymorphism: the DOS virus "Bomber", for example, is not encrypted, but the sequence of instructions that transfers control to the virus code is fully polymorphic.

Polymorphism of varying degrees of complexity is found in all types of viruses, from boot and file DOS viruses to Windows viruses and even macro viruses.

Most questions are associated with the term "polymorphic virus". This type of computer virus seems to be the most dangerous to date.

Polymorphic viruses modify their code in the infected programs in such a way that two instances of the same virus may not coincide in a single byte.

Such viruses not only encrypt their code with various encryption schemes but also contain the code that generates the encryptor and decryptor, which distinguishes them from ordinary encrypted viruses: those may also encrypt parts of their code, but their encryptor and decryptor code is constant.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of the encryption is that even with both the infected and the original file in hand, you still cannot analyze the virus code by ordinary disassembly: the code is encrypted and appears as a meaningless set of instructions. Decryption is done by the virus itself at run time, and there are options: it may decrypt itself all at once, or "as it goes", and may re-encrypt sections again. All this is done to make analysis of the virus code harder.

Polymorphic decryptors

Polymorphic viruses use complex algorithms to generate the code of their decryptors: instructions (or their equivalents) are swapped around from infection to infection and interleaved with instructions that change nothing, such as NOP, STI, CLI, STC, CLC, DEC of an unused register, XCHG of unused registers, and so on.

Fully polymorphic viruses use even more complex algorithms, as a result of which SUB, ADD, XOR, ROR, ROL and other instructions can appear in the decryptor in arbitrary numbers. Loading and modifying the keys and other encryption parameters is also done with an arbitrary set of operations in which almost any instruction of the Intel processor (ADD, SUB, TEST, XOR, OR, SHR, SHL, ROR, MOV, XCHG, JNZ, PUSH, POP, ...) may occur with every possible addressing mode. Polymorphic viruses also appeared whose decryptors use instructions up to and including the Intel 386, and in the summer of 1997 a 32-bit polymorphic virus infecting Windows 95 EXE files was detected. Today there are polymorphic viruses that can also use various instructions of modern processors.

As a result, at the start of a file infected with such a virus there is a set of meaningless instructions, and some combinations, though perfectly executable, are not handled by well-known disassemblers (for example the sequences CS: CS: or CS: NOP). And amid this "porridge" of instructions and data, the MOV, XOR, LOOP and JMP instructions that actually do the work occasionally slip by.

Polymorphism levels

Polymorphic viruses are divided into levels according to the complexity of the code found in their decryptors. This division was first proposed by Dr. Alan Solomon and later extended by Vesselin Bontchev.

Level 1: viruses that have a set of decryptors with constant code and, on infection, pick one of them. Such viruses are "semi-polymorphic" and are also called "oligomorphic". Examples: "Cheeba", "Slovakia", "Whale".
Level 2: the decryptor contains one or more constant instructions, but its main part is variable.
Level 3: the decryptor contains unused instructions, "junk" such as NOP, CLI, STI and so on.
Level 4: the decryptor uses interchangeable instructions and changes their order (shuffling); the decryption algorithm itself does not change.
Level 5: all the above methods are used, the decryption algorithm is variable, the virus code may be re-encrypted, and even part of the decryptor's own code may be encrypted.
Level 6: permutating viruses. The main virus code itself is changed: it is split into blocks that are rearranged in arbitrary order on infection. The virus remains functional. Such viruses may be unencrypted.

The division above is not free of shortcomings, since it is based on a single criterion: whether the virus can be detected from its decryptor code using the standard technique of virus masks:

Level 1: a few masks suffice to detect the virus
Level 2: detection by a mask with "wildcards"
Level 3: detection by a mask after the "junk" instructions have been removed
Level 4: the mask contains several variants of the possible code, that is, it becomes algorithmic
Level 5: the virus cannot be detected by a mask

The inadequacy of this division is demonstrated by a level-3 polymorphic virus called, fittingly, "Level3". This virus, one of the most complex polymorphic viruses, falls into level 3 under the scheme above, because it has a constant decryption algorithm preceded by a large number of "junk" instructions. But its junk-generation algorithm has been brought to perfection: almost every instruction of the i8086 processor can appear in the decryptor code.

If the division into levels is made from the viewpoint of antivirus programs that use automatic decryption of the virus code (emulators), then it depends on the complexity of emulating the virus code. A virus can also be detected by other techniques, for example by decrypting it using elementary mathematical laws, and so on.

A more objective division therefore seems to be one in which, besides the virus-mask criterion, other parameters are also involved:

the complexity of the polymorphic code (the percentage of all processor instructions that can appear in the decryptor code)
the use of anti-emulator tricks
whether the decryptor algorithm is constant
whether the decryptor length is constant
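
To make the level scheme and the mask-versus-emulation distinction concrete, here is an added Python example (not code from the original page). It generates variants of a small encrypted body behind a real 16-bit x86 decryptor stub (mov reg,addr / mov cx,n / xor byte [reg],key / inc reg / loop): a constant stub, a register-swapped stub, a junk-interleaved stub and a random-key stub. It then shows a plain mask, a wildcard mask, junk stripping, and finally recovery of the body by reading the key out of the decryptor, which is the "decrypt by elementary law" shortcut the text mentions in place of a full emulator. The body bytes, the junk opcode set, the body address 0x0120 and the level numbering (1, 2, 3, 5) are assumptions made for the example.

```python
import random

# Real 16-bit x86 encodings of a minimal XOR decryptor loop (DOS .COM style):
#   mov reg, BODY_ADDR ; mov cx, n ; L: xor byte [reg], key ; inc reg ; loop L
# Three interchangeable index registers give the "register choice" of level 2.
REG_FORMS = {"si": (0xBE, 0x34, 0x46), "di": (0xBF, 0x35, 0x47), "bx": (0xBB, 0x37, 0x43)}
JUNK = (0x90, 0xFB, 0xFA, 0xF9, 0xF8)     # nop, sti, cli, stc, clc: nothing the loop depends on
BODY_ADDR = 0x0120                        # constructed: where the body sits in the infected image
WILDCARD = None                           # mask element that matches any byte


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def generate_variant(body, rng, level):
    """Decryptor + encrypted body. level 1: constant stub; 2: random register;
    3: junk interleaved as well; 5: random key as well (the text's levels, simplified)."""
    reg = "si" if level < 2 else rng.choice(sorted(REG_FORMS))
    key = 0x5A if level < 5 else rng.choice([k for k in range(1, 256) if k not in JUNK])
    mov_r, xor_modrm, inc_r = REG_FORMS[reg]

    def junk():
        return bytes(rng.choice(JUNK) for _ in range(rng.randint(1, 3))) if level >= 3 else b""

    pre = (junk() + bytes([mov_r]) + BODY_ADDR.to_bytes(2, "little")
           + junk() + bytes([0xB9]) + len(body).to_bytes(2, "little") + junk())
    loop_body = bytes([0x80, xor_modrm, key]) + junk() + bytes([inc_r]) + junk()
    loop = loop_body + bytes([0xE2, (-(len(loop_body) + 2)) & 0xFF])   # loop rel8 back to the xor
    return pre + loop + xor_bytes(body, key)


def find_mask(data, mask):
    """First offset where mask matches: int = exact byte, set = any of, None = wildcard; -1 if none."""
    for pos in range(len(data) - len(mask) + 1):
        if all(m is WILDCARD or (b in m if isinstance(m, set) else b == m)
               for b, m in zip(data[pos:pos + len(mask)], mask)):
            return pos
    return -1


def strip_junk(data):
    """Naive junk removal. Real scanners disassemble instead: an immediate or displacement that
    happens to equal 0xFA (cli) is eaten here, which the wildcards in the masks below tolerate."""
    return bytes(b for b in data if b not in JUNK)


# Level-1 mask: the constant si/0x5A stub (immediates wildcarded). Level-2 mask: register sets.
CONST_MASK = [0xBE, WILDCARD, WILDCARD, 0xB9, WILDCARD, WILDCARD, 0x80, 0x34, 0x5A, 0x46, 0xE2, WILDCARD]
REG_MASK = [{0xBE, 0xBF, 0xBB}, WILDCARD, WILDCARD, 0xB9, WILDCARD, WILDCARD,
            0x80, {0x34, 0x35, 0x37}, WILDCARD, {0x46, 0x47, 0x43}, 0xE2, WILDCARD]


def recover_body(sample):
    """A random key defeats every mask on the body, so read key and length out of the decryptor and
    undo the XOR ("decrypting by the virus's own elementary law"); an engine would emulate the stub."""
    stripped = strip_junk(sample)
    pos = find_mask(stripped, REG_MASK)
    if pos < 0:
        return None
    n = int.from_bytes(stripped[pos + 4:pos + 6], "little")
    key = stripped[pos + 8]
    return xor_bytes(sample[-n:], key)     # the encrypted body is the tail of the sample


SAMPLE_BODY = bytes([0xB4, 0x09, 0xBA, 0x00, 0x01, 0xCD, 0x21, 0xC3]) + b"constructed-virus-body"
BODY_SIG = list(SAMPLE_BODY[:8])          # the "real" signature: the first plaintext bytes


def demo_samples(seed=7):
    rng = random.Random(seed)
    return {lvl: generate_variant(SAMPLE_BODY, rng, lvl) for lvl in (1, 2, 3, 5)}


if __name__ == "__main__":
    for lvl, s in demo_samples().items():
        print("level %d: const=%d wildcard=%d stripped=%d sig=%d recovered=%s" % (
            lvl, find_mask(s, CONST_MASK), find_mask(s, REG_MASK),
            find_mask(strip_junk(s), REG_MASK), find_mask(s, BODY_SIG), recover_body(s) == SAMPLE_BODY))
```

The recovery step works here only because the stub's layout is known once the junk is gone; a level-5 decryptor with a variable algorithm gives nothing to parse, which is why production engines fall back to emulating the stub until the body is decrypted in memory and scanning that.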

Changing the executed code

This method of polymorphism is used most often by macro viruses, which, when creating new copies of themselves, randomly rename their variables, insert empty lines or change their code in some other way. The virus algorithm thus stays the same, but the virus code changes almost completely from infection to infection.

Less often this method is used by complex boot viruses. Such viruses write into the boot sector only a fairly short routine that reads the main virus code from the disk and transfers control to it. The code of this routine is chosen from several variants (which may also be interleaved with "empty" instructions), its instructions are reordered, and so on.

Even more rarely is this technique found in file viruses, because they would have to change their entire code, which requires quite complex algorithms. To date only two such viruses are known. One of them ("Ply") randomly moves its instructions around its body and replaces them with JMP or CALL instructions. The other ("TMC") uses a more complicated method: on each infection the virus swaps blocks of its code and data, inserts "junk", sets new offset values for data in its assembler instructions, changes constants and so on. As a result, although the virus does not encrypt its code, it is a polymorphic virus: there is no constant sequence of instructions in its code. Moreover, the virus changes its length when creating new copies.

Viruses by destructive effect

By their destructive effect, viruses can be divided into three groups:

Information viruses (first-generation viruses)

The so-called first-generation viruses are all currently existing viruses whose actions are aimed at destroying, modifying or stealing information.

Hardware viruses (second-generation viruses)

This type of virus is able to damage the computer's hardware: for example, erase or corrupt the BIOS, or disrupt the logical structure of the hard disk in such a way that it can be restored only by low-level formatting (and not always). The only representative of this kind, and the most dangerous virus ever, is Win95.CIH ("Chernobyl"). In its time this virus reportedly disabled millions of computers: it overwrote the BIOS program, leaving the computer unable to boot, and at the same time destroyed the information on the hard disk so that recovery was practically impossible.

At present no hardware viruses are found "in the wild". Experts nevertheless predict the appearance of new viruses of this kind that can affect the BIOS. As protection against them, motherboards are expected to carry special jumpers that block writes to the BIOS.

Psychotropic viruses (third-generation viruses)

Such viruses would be able to harm or even kill a person by acting through the monitor or the speakers. By reproducing certain sounds at a given frequency or a certain flicker of colours on the screen, a psychotropic virus could induce an epileptic seizure (in people prone to them), a cardiac arrest or a cerebral haemorrhage.

Fortunately, no such viruses are known to actually exist today, and many experts question whether this type of virus is possible at all. One thing, however, is certain: psychotropic techniques for influencing a person through sound or images have long existed (not to be confused with the "25th frame"). Inducing a seizure in a person prone to them is very simple. A few years ago some media made a fuss about a new virus called "666". This virus supposedly put a special colour combination on the screen after every 24 frames, capable of altering the viewer's vital functions: the person falls into a hypnotic trance, the brain loses control over the body, which can lead to a morbid state, changes in heart rhythm, blood pressure and the like. Such colour combinations are not prohibited by law today, so they could well appear on screens, even though the results might be disastrous for us all.

An example of such an effect is the "Pokémon" cartoon: after one of its episodes was shown in Japan, hundreds of children were taken to hospital with severe headaches and seizures. The episode contained frames with intense flashes in a certain palette, typically red flashes on a black background in a specific sequence. After this incident the episode was banned from being shown in Japan.

Another example: everyone surely remembers what happened in Moscow after the broadcast of our football team's match against Japan (if I am not mistaken). On the big screen nothing more was shown than a clip of a man with a bat smashing a car. That too is a psychotropic effect: having seen the clip, "the people" began to destroy everything in their path.

Materials and data were taken from the following resources:
http://www.stopinfection.narod.ru
http://hackers100.narod.ru
http://broxer.narod.ru
http://www.viruslist.com
http://logic-bratsk.ru
http://www.offt.ru
http://www.almanet.info


Before writing this article I met one of the founders of the domestic antivirus industry, Evgeny Kaspersky, who gave me some figures on the state of the Russian and global antivirus markets. I also talked with a representative of the well-known antivirus company DialogNauka, its key-account manager Maxim Skida. From these conversations I learned a curious fact: it turns out that the antivirus industry is about to celebrate its first decade.

Of course, antivirus programs appeared more than ten years ago. At first, however, they were distributed as a free antidote, with no proper service support, since the projects were non-commercial. The industry of creating and supplying antivirus programs took shape around 1992, not earlier, and so will soon mark its tenth anniversary. Ten years for the birth and development of a whole industry with a turnover of hundreds of millions of dollars is a very short time. In that period an entirely new market emerged, a definite range of products was formed, and so many new terms appeared that they would fill an encyclopedia. It should be noted that an inexperienced user sometimes even finds it hard to tell a scientific term from a commercial name. Of course, to use antivirus programs one does not need to know all the details of virus structure and behaviour, but a general idea of the main groups of viruses that exist today, the principles behind the algorithms of malicious programs, and how the world and Russian antivirus markets are divided will be useful to the wide circle of readers this article is addressed to.

Ten years of development of the antivirus market in Russia

As noted, the antivirus market is on the eve of its tenth anniversary. It was in 1992 that the closed joint-stock company DialogNauka was founded, which began the active promotion of Lozinsky's famous AidsTest program on the domestic market; from then on AidsTest was distributed commercially. At about the same time Evgeny Kaspersky organized a small commercial department within KAMI, which initially employed three people. Also in 1992 the McAfee VirusScan program was rapidly conquering the American market. In Russia the market developed rather slowly, and by 1994 (Fig. 1) the picture looked as follows: DialogNauka held the dominant position (about 80%), Kaspersky Anti-Virus had less than 5% of the market, and everyone else shared the remaining 15%. In 1995 Evgeny Kaspersky ported his antivirus to 32-bit Intel Windows platforms, Novell NetWare and OS/2, after which the product began to gain ground in the market.

A variety of dual-purpose programs are behavioral blocks that analyze the behavior of other programs and are blocked by suspicious actions.

From the classic antivirus with the anti-virus core, "recognizing" and attending from viruses, which were analyzed in the laboratory and to which the treatment algorithm was registered, behavioral blocks are not able to treat from viruses, because they do not know anything about them. This property of blocks is useful in that they can work with any viruses, including those with unknown. This is today particularly relevant, since the distributors of viruses and antiviruses use the same data channels, that is, the Internet. At the same time, the virus always has some odds (delay time), since the antivirus company always needs time to get the virus itself, analyze it and write the appropriate therapeutic modules. Programs from a dual-purpose group just allow you to block the spread of the virus until the company writes the therapeutic module.

Algorithm "checksum"

The algorithm of the checksum assumes that the actions of the virus change the checksum. However, synchronous changes in two different segments may lead to the fact that check sum will remain unchanged when changing the file. The main task of constructing the algorithm is to make changes in the file guaranteed to change the checksum.

Methods for determining polymorphic viruses

In fig. 6 shows the operation of a program infected with the virus (A), and a program infected with an encrypted virus (b). In the first case, the diagram of the virus works as follows: the program is running, at some point the virus code begins and then the program is performed again. In the case of an encrypted program, everything is more complicated.

The program is running, then the decoder is included, which decrypts the virus, then executes the virus and again follows the execution of the coder of the main program. The virus code in each case is encrypted differently. If in the case of an uninfootted virus, the reference comparison allows you to "find out" the virus along a certain constant signature, then in the encrypted form, the signature is not visible. At the same time, it is almost impossible to search for an decoder, because it is very small and detect such a compact element is useless, because the number of false positives increases dramatically.

Before I began writing this article, I met with one of the founders of the domestic anti-virus industry, Evgeny Kaspersky, who gave me some figures on the state of the Russian and global anti-virus markets. I also talked with a representative of the well-known anti-virus company DialogNauka, project manager Maxim Skida. From these conversations I learned a curious fact: it turns out that the anti-virus industry is about to celebrate its first decade.

Of course, anti-virus programs appeared more than ten years ago. At first, however, they were distributed as a free antidote, and there was no proper support service, since the projects were non-commercial. The industry of creating and selling anti-virus programs took shape in about 1992, not earlier, and so it will soon mark its tenth anniversary. Ten years for the birth and growth of an entire industry with a turnover of hundreds of millions of dollars is a very short term. In that time a completely new market emerged, a definite range of products was formed, and so many new terms appeared that they would fill an entire encyclopedia. It should be noted that an inexperienced user sometimes finds it difficult to distinguish a scientific term from a commercial name. Of course, to use anti-virus programs one need not know every detail of the structure and behaviour of viruses; still, a general idea of which major groups of viruses exist today, which principles underlie the algorithms of malicious programs, and how the world and Russian anti-virus markets are divided will be useful to the wide range of readers to whom this article is addressed.

Ten years of development of the antivirus market in Russia

As already noted, the anti-virus market is on the eve of its tenth anniversary. It was in 1992 that the AOZT "DialogNauka" was created, which began actively promoting Lozinsky's well-known program Aidstest on the domestic market; from that time Aidstest was distributed on a commercial basis. At about the same time, Evgeny Kaspersky organised a small commercial department within KAMI, in which three people initially worked. Also in 1992, the McAfee VirusScan program was rapidly conquering the American market. In Russia the market developed rather slowly, and as late as 1994 (Fig. 1) the picture looked roughly as follows: DialogNauka held the dominant position (about 80%), Kaspersky Anti-Virus accounted for less than 5% of the market, and everything else made up the remaining 15%. In 1995 Evgeny Kaspersky ported his anti-virus to 32-bit Intel platforms (Windows, Novell NetWare and OS/2), and as a result the product began to move actively on the market.

One variety of dual-purpose programs is behaviour blockers, which analyse the behaviour of other programs and block suspicious actions.

Unlike a classic anti-virus, whose engine "recognises" and cures viruses that have been analysed in the laboratory and for which a disinfection algorithm has been written, behaviour blockers cannot cure viruses, because they know nothing about them. The useful property of blockers is that they work against any virus, including unknown ones. This is especially relevant today, since the distributors of viruses and of anti-viruses use the same data channel, namely the Internet. A virus therefore always has a head start (a delay time), because the anti-virus company needs time to obtain the virus itself, analyse it and write the corresponding disinfection module. Programs of the dual-purpose group allow the spread of a virus to be blocked until the company has written that module.
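To make the difference between a signature engine and a behaviour blocker concrete, here is an added example (not code from the article or from any anti-virus product): a toy blocker that watches a stream of file-write events and stops any process that starts rewriting executable files, without knowing anything about the program doing it. The event stream, process names, the threshold of three executables and the `BehaviorBlocker` class are all constructed for this illustration.

```python
from collections import defaultdict

# File types whose modification by an ordinary program is suspicious.
EXEC_EXTS = (".exe", ".com", ".dll", ".vbs")

# Constructed event stream (process, action, target); not real telemetry.
# "setup.exe" behaves like an installer, "invoice.exe" like a file infector.
EVENTS = [
    ("notepad.exe", "write", r"C:\Users\ann\notes.txt"),
    ("setup.exe",   "write", r"C:\Program Files\App\app.exe"),
    ("setup.exe",   "write", r"C:\Program Files\App\helper.dll"),
    ("invoice.exe", "write", r"C:\Windows\calc.exe"),
    ("invoice.exe", "write", r"C:\Windows\notepad.exe"),
    ("invoice.exe", "write", r"C:\Windows\write.exe"),
    ("invoice.exe", "write", r"C:\Windows\mspaint.exe"),
]


class BehaviorBlocker:
    """Blocks a process once it has written to `max_exec_writes` distinct executables.

    There is no signature database: the decision rests only on what the process does,
    which is why the same rule catches a virus nobody has analysed yet. The flip side is
    that a legitimate installer doing the same thing would be blocked as well.
    """

    def __init__(self, max_exec_writes: int = 3):
        self.max_exec_writes = max_exec_writes
        self.exec_writes = defaultdict(set)   # process -> set of executables it wrote to
        self.blocked = set()

    def observe(self, process: str, action: str, target: str) -> str:
        """Return 'allow' or 'block' for one event and update per-process state."""
        if process in self.blocked:
            return "block"                     # once blocked, every further action is denied
        if action == "write" and target.lower().endswith(EXEC_EXTS):
            self.exec_writes[process].add(target.lower())
            if len(self.exec_writes[process]) >= self.max_exec_writes:
                self.blocked.add(process)
                return "block"
        return "allow"


def run(events, max_exec_writes: int = 3):
    """Feed events through a fresh blocker; return (process, target, decision) triples."""
    blocker = BehaviorBlocker(max_exec_writes)
    return [(proc, target, blocker.observe(proc, action, target))
            for proc, action, target in events]


if __name__ == "__main__":
    for proc, target, decision in run(EVENTS):
        print(f"{decision:5}  {proc:12}  {target}")
```

Note that the installer is allowed through only because it stays under the threshold; in practice behaviour blockers ask the user or consult a whitelist for exactly this case, which is the price paid for catching unknown viruses.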

Algorithm "checksum"

The checksum algorithm assumes that the actions of a virus change the checksum. However, compensating changes in two different segments can leave the checksum unchanged even though the file has changed. The main task in constructing the algorithm is to guarantee that any change to the file changes the checksum.
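The following added example (not from the article) shows the weakness described above on a constructed file: a naive additive checksum is fooled by raising one byte and lowering another by the same amount, while a cryptographic hash (SHA-256 here) detects the change. The sample file contents, the byte positions and the `verify` baseline format are assumptions made for the illustration.

```python
import hashlib

# Constructed stand-in for an executable file (not a real program): a header and padding.
ORIGINAL_FILE = b"MZ\x90\x00" + b"A" * 60 + b"END"


def additive_checksum(data: bytes) -> int:
    """Naive checksum: the sum of all bytes, truncated to 16 bits."""
    return sum(data) & 0xFFFF


def sha256_digest(data: bytes) -> str:
    """Cryptographic hash: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def compensating_change(data: bytes, pos_a: int, pos_b: int, delta: int) -> bytes:
    """Raise one byte by delta and lower another by delta so the byte sum is unchanged.

    The positions must not wrap around 0..255; the sample file guarantees that
    because its padding bytes are 0x41.
    """
    buf = bytearray(data)
    buf[pos_a] = (buf[pos_a] + delta) & 0xFF
    buf[pos_b] = (buf[pos_b] - delta) & 0xFF
    return bytes(buf)


# Two-byte "infection" that leaves the additive checksum exactly as it was.
TAMPERED_FILE = compensating_change(ORIGINAL_FILE, pos_a=10, pos_b=20, delta=5)

# Baseline an integrity checker would record while the file was known to be clean.
BASELINE = {
    "additive": additive_checksum(ORIGINAL_FILE),
    "sha256": sha256_digest(ORIGINAL_FILE),
}


def verify(baseline: dict, data: bytes) -> dict:
    """Compare a file against the recorded baseline with both methods."""
    return {
        "additive_ok": additive_checksum(data) == baseline["additive"],
        "sha256_ok": sha256_digest(data) == baseline["sha256"],
    }


if __name__ == "__main__":
    print("tampered file differs from original:", TAMPERED_FILE != ORIGINAL_FILE)
    print("verification of tampered file:", verify(BASELINE, TAMPERED_FILE))
```

The additive check reports the tampered file as clean; the hash does not. The same reasoning applies to other linear checks such as CRC32, which is why integrity monitors record a cryptographic digest rather than a checksum.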

Methods for determining polymorphic viruses

Fig. 6 shows the operation of a program infected with an ordinary virus (a) and of a program infected with an encrypted virus (b). In the first case the scheme is as follows: the program runs, at some point the virus code starts, and then the program continues to execute. In the case of an encrypted virus everything is more complicated.

The program runs, then the decoder starts, which decrypts the virus; the virus then executes, and after that execution of the main program's code continues. The virus code is encrypted differently in each case. Whereas with an unencrypted virus a comparison against a reference lets the virus be "recognised" by a certain constant signature, in the encrypted form the signature is not visible. At the same time it is almost pointless to search for the decoder, because it is very small, and detecting such a compact element is useless because the number of false positives increases dramatically.
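As an added example (not from the article, and not any product's engine), the following code reproduces both situations in Fig. 6 on constructed data: a plain signature scan finds the body in case (a) and fails in case (b), where the body is stored XOR-encrypted with a per-copy key. It then shows one classic answer scanners use for such simple encryption, often called "X-raying": the XOR of each pair of adjacent bytes is unchanged by a single-byte XOR key, so a signature expressed as those differences matches the encrypted body under any key. The host program, body, decoder stub and signature bytes are all constructed stand-ins, not real malware.

```python
# Constructed stand-ins; none of this is executable machine code.
HOST = b"\x90" * 32 + b"HOST-PROGRAM-CODE" + b"\x00" * 16
BODY = b"VIRUS-BODY:" + bytes(range(0x20, 0x60))
DECODER_STUB = b"\xB9\x00\x00\x80\x34"       # pretend "tiny decryption loop"
SIGNATURE = BODY[4:20]                       # 16 bytes an analyst picked from the plain body


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest encryption a decoder stub can undo."""
    return bytes(b ^ key for b in data)


def build_plain_sample() -> bytes:
    """Case (a): host program followed by the unencrypted body."""
    return HOST + BODY


def build_encrypted_sample(key: int) -> bytes:
    """Case (b): host, decoder stub, the key, and the body encrypted with that key.

    Every copy can use a different key, so the body bytes differ from copy to copy.
    """
    return HOST + DECODER_STUB + bytes([key]) + xor_bytes(BODY, key)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Reference comparison: look for the constant byte string."""
    return signature in sample


def differential(data: bytes) -> bytes:
    """XOR of adjacent bytes; invariant under XOR with any single-byte key."""
    return bytes(data[i] ^ data[i + 1] for i in range(len(data) - 1))


def xray_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Key-independent match: compare differentials instead of raw bytes."""
    return differential(signature) in differential(sample)


if __name__ == "__main__":
    for label, sample in [("plain", build_plain_sample()),
                          ("xor 0x5A", build_encrypted_sample(0x5A)),
                          ("xor 0xC3", build_encrypted_sample(0xC3))]:
        print(f"{label:9} signature={signature_scan(sample)!s:5} xray={xray_scan(sample)}")
```

The differential signature is one byte shorter than the original and therefore slightly more prone to false positives, and it only defeats single-byte XOR; real polymorphic engines vary the decoder and key schedule, which is why modern scanners emulate the decoder to let the virus decrypt itself before matching.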

In fact, macro viruses are not an independent "species" but just one variety of a large family of malicious programs: script viruses. They are singled out only because macro viruses marked the beginning of this family, and because viruses "sharpened" for Microsoft Office programs gained the widest distribution of the whole clan. It should also be noted that script viruses are a subgroup of file viruses. These viruses are written in various scripting languages (VBS, JS, BAT, PHP, etc.).

The common feature of script viruses is their binding to one of the "built-in" programming languages. Each such virus is tied to a specific "hole" in the protection of one of the Windows programs; it is not an independent program but a set of instructions that force a generally harmless "engine" program to perform destructive actions.

As with Word documents, the use of embedded programs (scripts, Java applets, etc.) on web pages is no crime; most of them work quite peacefully, making a page more attractive or more convenient. Chat, guest book, voting system, counter: all these conveniences our pages owe to embedded "scripts". As for Java applets, their presence on a page is also justified; they allow, for example, a convenient and functional menu to be displayed that unfolds under the mouse cursor...

Conveniences are conveniences, but do not forget that all these applets and scripts are real, full-fledged programs. And many of them are launched and run not somewhere on an unknown server, but directly on your computer! By embedding a virus in them, page creators can gain access to the contents of your hard disk. The consequences are already known, from simple theft of a password to formatting of the hard disk.

Of course, you will run into "killer scripts" a hundred times less often than ordinary viruses. Incidentally, there is little hope for ordinary anti-viruses in this case; however, a malicious program that opens together with a page has to overcome the protection of the browser itself, whose creators are well aware of such things.

Let us return for a minute to the settings of Internet Explorer, namely the menu Tools / Internet Options / Security. Internet Explorer offers several security levels. In addition to the standard level of protection (the Internet zone), we can tighten it (the Restricted sites zone) or relax our vigilance (the Trusted sites zone). By pressing the Custom Level button, we can adjust the browser's protection manually.

However, most script viruses spread via e-mail (such viruses are more often called "Internet worms"). Perhaps the brightest representatives of this family are the LoveLetter and Anna Kournikova viruses, whose attacks came in the 2001-2002 season. Both viruses used the same technique, relying not only on the weak protection of the operating system but also on the naivety of users.

Remember that the carriers of viruses are in most cases e-mail messages containing attached files. Remember also that a virus can penetrate a computer either through programs (executable files with the .exe or .com extension) or through Microsoft Office documents. Remember, too, that pictures and sound files seem to pose no threat at all. And so, having unexpectedly found in our mailbox a letter with what appears (judging by the file name and extension) to be a picture attached, we immediately launch it... and discover that a malicious "script" was hiding behind the picture. It is good if we discover this immediately, and not after the virus has managed to destroy all our data.

The trick of the virus creators is simple: the file that looked like a picture to us had a double extension! For example, AnnaKournikova.jpg.vbs.

It is the second extension that is the true file type, while the first is merely part of the name. And since the VBS extension is well known to Windows, it hides it from the user's eyes without a second thought, leaving only the name AnnaKournikova.jpg on the screen.

Windows does this with all registered file types: the extension is dropped, and the file type is supposed to be indicated by the icon. To which, alas, we rarely pay attention.

The trap is good, but it is easy to avoid: the "double extension" trick does not work if we switch on the display of file types in advance. This can be done via Folder Options in the Windows Control Panel: open this item, then the View tab, and clear the checkbox Hide extensions for registered file types.

Remember: only a few types of files are safe as an "attachment" to a letter. Relatively safe are TXT, JPG, GIF, TIF, BMP, MP3 and WMA files.

The list of unconditionally dangerous file types, on the other hand, is as follows:

In fact, the list of potential "viruses" includes more than a dozen file types, but these are the most common.
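The double-extension trick is easy to check for mechanically, which is what mail gateways do. The following added example (not from the article) classifies attachment names the way a filter would: it takes the last extension as the true type, flags a dangerous type hiding behind a "safe" one, and shows what Explorer would display with extensions hidden. The safe list is the article's (TXT, JPG, GIF, TIF, BMP, MP3, WMA); the dangerous list uses the extensions the article names (exe, com, vbs, js, bat, php) plus scr and pif, which are my addition, as are the sample file names and the `classify_attachment` function itself.

```python
SAFE_EXTS = {"txt", "jpg", "gif", "tif", "bmp", "mp3", "wma"}            # from the article
DANGEROUS_EXTS = {"exe", "com", "vbs", "js", "bat", "php", "scr", "pif"}  # scr, pif added here
REGISTERED_EXTS = SAFE_EXTS | DANGEROUS_EXTS   # types whose extension Explorer hides by default

# Constructed attachment names for the demonstration (not real samples).
SAMPLE_ATTACHMENTS = [
    "holiday.JPG",
    "AnnaKournikova.jpg.vbs",
    "report.txt            .exe",   # padding spaces push the real extension out of view
    "backup.tar.gz",
    "README",
]


def classify_attachment(filename: str) -> dict:
    """Describe one attachment name: true type, verdict, and what a user would see."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]     # drop any directory part
    parts = name.split(".")
    exts = [p.strip().lower() for p in parts[1:]]             # strip() defeats padding
    true_ext = exts[-1] if exts else ""

    if true_ext in DANGEROUS_EXTS:
        verdict = "dangerous"
    elif true_ext in SAFE_EXTS:
        verdict = "probably_safe"
    else:
        verdict = "unknown"

    # Explorer hides the last extension only for registered types, which is exactly
    # what makes "picture.jpg.vbs" look like "picture.jpg".
    displayed = name.rsplit(".", 1)[0] if true_ext in REGISTERED_EXTS else name
    disguised = len(exts) >= 2 and true_ext in DANGEROUS_EXTS and exts[-2] in SAFE_EXTS

    return {
        "name": name,
        "true_extension": true_ext,
        "verdict": verdict,
        "displayed_name": displayed,
        "disguised": disguised,
    }


def dangerous_attachments(names) -> list:
    """Return the names a mail filter would quarantine."""
    return [n for n in names if classify_attachment(n)["verdict"] == "dangerous"]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        info = classify_attachment(n)
        print(f"{info['verdict']:13} disguised={info['disguised']!s:5} "
              f"shown as {info['displayed_name']!r:32} true type .{info['true_extension']}")
```

The filter judges by the last extension only, so the padded "report.txt .exe" case and the Kournikova case are both caught; an unknown type such as .gz is neither trusted nor blocked, which is the right default for an allow-list.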

I recently happened to work with the now-fashionable script for attracting subscribers through a viral effect.

The idea of the script is simple to the point of genius: you bring in subscribers and get a tasty bonus in return. But I decided to modify the script a little to achieve an even greater effect.

The article provides the code and, of course, a demonstration of the innovations.

I liked that the script works with any newsletter service, without being tied to SmartResponder, for which it was originally sharpened.

I used Oleg Goryacho's service JustClick. It is now developing rapidly and is completely free if you do not make sales through it. It does not let you obtain a subscriber ID, so we used the e-mail address instead of it in the affiliate link.

Hence the first innovation.

Add a short link

Secondly, not everyone wants to expose their e-mail address. Thirdly, a short link is more convenient. And finally, fourthly, because the postal address is used as the identifier, some social networks handle the link incorrectly.

For example, Twitter does not understand what the at sign (@) is doing in a page address, and the link breaks.

Therefore the simplest and most convenient solution is to use the API of one of the link-shortening services and generate short links automatically. This is easy to do with tinyurl.com, which lets you obtain a shortened link with an ordinary GET request.

So, we insert the following function into the code.

function getTinyUrl($url)
{
    // TinyURL's API returns the shortened link as plain text in response to a GET request.
    // The long URL is percent-encoded so that '?', '&' or '@' inside it cannot break the query string.
    $tinyUrl = file_get_contents("http://tinyurl.com/api-create.php?url=" . urlencode($url));
    return $tinyUrl;
}

It remains only to call the function ($tinyUrl = getTinyUrl($link)) and substitute the new link in the right places.

Increase efficiency due to partners

I wanted not only to launch the virus but also to increase its effect, so I decided to combine viral and affiliate traffic. With my modifications, Free Subscribers has learned to work with partners.

Previously it made no sense for partners to bring you new subscribers, since they receive a commission only from sales, and the database grows in any case. On the contrary, spreading the virus was not even profitable for partners, since it takes away their bread.

Now it is profitable for a partner to distribute the virus. After all, if the virus is launched through an affiliate link, then all subsequent links will also be affiliate links.

That is, you can send a mailing to your own base (or buy advertising) and give a referral link to the page with the offer. All subsequent users will become your referrals, since the script will distribute your affiliate link.

In short, using the virus you can gain a huge number of referrals, and you will receive your commission on their subsequent purchases. Affiliate cookies usually live for at least a year.

How is it done? Very simply. I will show it using the example of the service I worked with. E-AutoPay is probably the cheapest way to organise sales and an affiliate program.

In the .htaccess file at the root of your site, add the partner identifier to a GET parameter:

RewriteEngine On
# "id" is your own E-AutoPay account identifier; the partner name is the first path segment
RewriteRule ^([^/]+)$ http://$1.id.e-autopay.com?partner=$1 [R,L]
RewriteRule ^([^/]+)/([^/]+)$ http://$2.$1.id.e-autopay.com?partner=$1 [R,L]

The id part is your own account identifier and will differ for you; the ?partner=$1 part is what I added to the usual rule.

Then, in the cookie_set.php file, we set the partner cookie if the partner parameter was passed:

if (isset($_GET['partner']) && !empty($_GET['partner']))
{
    // The value comes straight from the request and is later used as a subdomain label,
    // so accept only the characters a host name label may contain.
    if (preg_match('/^[A-Za-z0-9-]+$/', $_GET['partner'])) {
        setcookie("partner", $_GET['partner'], time() + 9999999);
    }
}

And in index.php of the Free Subscribers script, add a condition when generating the links:

if (isset($_COOKIE["partner"]) && !empty($_COOKIE["partner"]))
{
    // The visitor came through an affiliate link: route the link through the partner's
    // path, which the .htaccess rule above redirects to E-AutoPay with ?partner=...
    // $id is the subscriber's e-mail address here, so it is percent-encoded.
    $link = "http://" . $_SERVER["HTTP_HOST"] . "/" . rawurlencode($_COOKIE["partner"]) . "?id=" . urlencode($id);
}
else
{
    // No partner: use the script's own subscription link (link_subscribe is a constant of the Free Subscribers script).
    $link = link_subscribe . "?id=" . urlencode($id);
}

Do not forget to insert the new link in all the places where it is needed. And do not forget about the letter-sending form: there you need to add a hidden field with the partner identifier, and in the handler also insert the link-generation code.

Example

How could there be no example? Of course there is one. After all, I do not pull my articles out of thin air but take them from practice. The script as improved by me was used to launch a campaign