All leading antivirus companies have their own pages dedicated to hoaxes. And information can be found on the website. Virus Encyclopedia(http://www.viruslist.com/), Symantec ( http://www.symantec.com/avcenter/index.html) and McAfee ( http://vil.mcafee.com/hoax.asp).

And, of course, do not forget about Google - that's why it is a search engine to know everything!

Almost no conversation about computer viruses is complete without the term "Trojan" or "Trojan". How is this application different from a virus, what is its purpose and why is it dangerous? This category includes programs that perform unauthorized actions without the knowledge of the user. By the nature of its action, a Trojan resembles a virus: it can steal personal information (first of all, password files and mail databases), intercept data entered from the keyboard, and, more rarely, destroy important information or disrupt the computer's performance. A Trojan can be used to use the resources of the computer on which it is running for unseemly or criminal purposes: sending viruses and spam, conducting DDOS attacks (Distributed Denial of Service - distributed attacks aimed at disrupting network services).

Viruses can do this too. The difference is that the Trojan often looks like a completely normal program that performs useful functions. However, it also has a "second life", which the user does not know about, since some of the application's functions are hidden. A Trojan program differs from a virus in that it cannot propagate itself: it cannot copy itself to other computers, it does not destroy or change anything on the user's computer (except for the functions that are needed to run it). A Trojan can sneak up on an unsuspecting user under the guise of an Internet accelerator, a disk space cleaner, a video codec, a Winamp plug-in, or an executable file that has a double extension.

Note

Although, unlike a virus, a Trojan is not capable of self-replication, this does not make it any less dangerous.

In the latter case, you may receive a letter asking you to see the photo and the attached file like superfoto.bmp.exe(alternatively, after the BMP there may be a large number of spaces so that the user does not suspect anything). As a result, the recipient installs the malware himself. Hence the name of such applications: remember how the Achaeans captured Troy. The city was well fortified, the Achaeans could not take it for a long time and deceived the defenders. For the inhabitants of Troy, the horse was a symbol of peace, and the Achaeans, allegedly for reconciliation, built a wooden statue of a horse, inside which they planted their best warriors. Unsuspecting Trojans dragged the gift into the city, and at night the Achaeans got out of the statue, neutralized the guards and opened the gates, letting in the main forces.

The Trojan can be propagated by the user himself by copying it to his friends and colleagues. A variant is possible when the program enters the user's computer as a worm, and then works as a Trojan, providing the creator with the ability to remotely control the infected computer. Most often, such programs are still referred to as worms.

Once launched, the Trojan resides in the computer's memory and monitors programmed actions: it steals passwords for accessing the Internet, accesses websites, scaling up someone's counters (for which the user pays with extra traffic), calls paid, often expensive, telephone numbers, monitors actions and habits of the owner of the computer and reads his e-mail.

Modern Trojans, as a rule, no longer carry everything. They purposefully collect specific information. For example, "bank" spies steal credit card numbers and other banking data. With the growing popularity of online games, there has been an interest in stealing game items or characters, sometimes worth several thousand dollars, so theft of accounts for fraudsters is no less attractive than theft of banking attributes.

Separate mention should be made of Trojan-Downloader and Trojan-Dropper, which are used to install Trojans, adware, or pornographic (pornware) programs on computers. In addition, Trojans are often used to create Trojan proxy servers or even entire zombie networks to send spam or viruses.

How to determine that a Trojan has settled in the system? First, you must admit, it's strange when just installed plugin to Winamp is not found in the list. Secondly, during the installation of the Trojan, a message may be displayed, moreover, as if the installation was successfully completed (like Internet Explorer already patched), and vice versa, indicating that the utility is not installed because the system library is incompatible with the program version or the archive is damaged. You may also receive recommendations for correcting the error. After much torment, the user is unlikely to get the expected result, most likely, he will give up all attempts and will be confident that this is a useful program that simply did not start for unknown reasons. The Trojan, meanwhile, will register itself in autorun. For example, in Windows, you need to be attentive to the following registry branches:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunservicesOnce

It is possible to place a Trojan shortcut in a folder (this is very rare, since the presence of malware in this folder is easy to detect) or write to files autoexec.bat, win.ini, system.ini. Often, developers take steps to prevent the Trojan from being seen in the window. Task Manager displayed by pressing a keyboard shortcut Ctrl+Alt+Delete. The most sophisticated Trojans are able to update themselves via the Internet, hide from antiviruses and decrypt password files. There are several ways to control a Trojan, from connecting directly to a computer to checking a specific network resource to which the host sends e-mail, ICQ, and IRC commands.

A Trojan often consists of two parts: a client side installed on the host and a server side running on the victim's machine. Such programs are also called backdoor (secret passage). By running the client program, the attacker checks whether the server is on the network: if a response is received, then the remote computer can be controlled as if it were his own.

Given the inability of Trojans to spread on their own, a simple and effective rule to avoid infection is to download files only from trusted sources. Despite the fact that, unlike virus epidemics, no one has yet heard of Trojan epidemics, and it is unlikely that they will, given the inability of these programs to reproduce on their own, they are no less (and perhaps even more) dangerous than viruses. Indeed, such programs are often created for personal use, and therefore today's antiviruses cannot know about all of them. This means that a user can work on an infected machine for a long time without being aware of it. To find a Trojan application, you need special utilities and monitoring the computer's network activity using standard operating system tools and an installed firewall, which will be discussed in more detail in Chapter 4.

If the Trojans mentioned above can be detected with the help of system utilities, then representatives of this class can be detected only with the help of special utilities.

rootkits are a more advanced version of Trojan horses. Some antivirus companies do not separate rootkits and Trojans, placing them in the same category of malware. However, the Trojan hides on the computer, usually disguised as a known program (for example, Spymaster impersonates the MSN Messenger application), and rootkits use more advanced methods to disguise themselves, penetrating deep into the system.

Initially, the word "rootkit" denoted a set of tools that allows an attacker to return to a hacked system in such a way that the system administrator could not see him, and the system could not register. For a long time, rootkits were the privilege of Unix systems, but, as you know, good ideas do not just disappear, and at the end of the 20th century, rootkits designed for Microsoft Windows began to appear massively. They started talking about rootkits only when Sony was caught using them in their products. Today, experts predict a boom in this technology, and in the next two or three years, a massive increase in the number of rootkits is expected - up to 700% per year. The saddest thing is that they will be used not only by attackers: rootkits will be massively used in commercial products primarily to protect against piracy. For example, it was recently announced that Microsoft has created a rootkit that cannot be detected. It is possible that this invention will be found in new versions of Windows.

It doesn't make it any easier for the average user. Rootkit technology could potentially be used to create a new generation of spyware and worms that would be nearly impossible to detect once they had penetrated a computer.

Almost all modern versions of rootkits can hide files, folders and registry settings from the user, hide running programs, system services, drivers and network connections. The operation of rootkits is based on the modification of data and program code in the operating system memory. Depending on the area of ​​memory that rootkits work with, they can be divided into the following types:

Systems operating at the kernel level (Kernel Level, or KLT);

Systems operating at the user level (User Level).

The first known rootkit for the Windows system, NT Rootkit, was written in 1999 by security expert Greg Hoglund as a kernel-level driver. It hid all files and processes that contained the combination _root, intercepted information typed on the keyboard, and used other masking methods.

The most famous rootkit today is Hacker Defender. This program runs in user mode and is masked by intercepting some APIs. Hacker Defender can process network traffic before it is passed to the application, which means that any program running on the network can be used to interact with the attacker. A rootkit can hide files and processes, entries in the registry and open ports and may incorrectly show the amount of free disk space. It registers itself in autoload, leaving a back door for itself, and listens on all ports that are open and allowed by the firewall for a 256-bit key that will indicate which port to use for management. Hacker Defender intercepts the functions of starting new processes, which allows it to infect all programs launched by the user. It is polymorphic: the Morphine utility is usually used to encrypt rootkit executable files.

Note

All modern versions of rootkits can hide files, folders and registry settings from the user, hide programs, system services, drivers and network connections.

One of the most dangerous rootkits is FU, implemented partly as an application and partly as a driver. It does not engage in interceptions, but manipulates the objects of the system kernel, so it is very difficult to find such a pest.

Just because you've found a rootkit doesn't mean you can get rid of it. To protect against destruction by the user or antivirus, rootkits use several technologies that are already found in other types of malware. For example, two processes are launched that control each other. If one of them stops working, the second restores it. There is also a similar method using streams: remote file, registry setting, or killed process is restored after a while.

A popular way to block access to a file: the file is opened in exclusive access mode or blocked using a special function; it is impossible to delete such a file by standard methods. If you try to use a delayed deletion (during the next boot), for example, using a program like MoveOnBoot, then most likely the record of this operation will be deleted after a while or the file will be renamed.

An interesting method of protection is used by the Feebs worm. To fight against antiviruses, anti-rootkits and other utilities that try to destroy it, it exposes a decoy - a disguised process that is not visible on the tab Processes in the window Task Manager. Any application that attempts to access this process is killed. The program can be installed as an additional module to Internet browser Explorer that changes its functionality. Standard autorun type controls msconfig do not see these parameters, and the use of additional utilities to study the system requires a certain skill from the user, so the only really reliable way to destroy such a program is to format HDD and reinstall the operating system.

Unfortunately, today's specialized programs designed to detect rootkits and traditional antiviruses do not provide a 100% security guarantee. With the source code of these programs, you can create any modifications of rootkits or include part of the code in any spyware. The main skill of rootkits is not to firmly gain a foothold in the system, but to penetrate it, so the main rule for you should be maximum protection and caution.

If, after all that has been said in the previous chapters, you still have not lost the desire to work with a computer, you will be interested to know how various malicious programs can get into the system. This information may save you from the simplest mistakes and allow you to soberly assess the situation.

There are three reasons for the penetration of viruses:

Errors in software development;

Errors in the settings;

Impact on the user (social engineering).

It is impossible to describe all the options: technology does not stand still and attackers are constantly coming up with new methods. Let's dwell on the main points. If in the last two cases something depends on the actions of the user, then in the first case it can affect the course of events only partially. Software bugs can often frustrate a user's efforts to protect a system from malicious applications.

Some viruses and attacks reach their target without user intervention. Despite efforts, the intensity of remote attacks is not decreasing, and it is becoming increasingly difficult to repel them. How does it work? After all, in order for a program, even if it is malicious, to do something, it must be launched by someone or something. The analysis shows that the vast majority of attacks use buffer overflow errors, and this problem is paramount.

This vulnerability was first exploited in 1988 as a basis for attacks by the Morris worm. Since then, the number of such attacks has increased every year. Currently, it can be argued that buffer overflow vulnerabilities are dominant in remote attacks, where an ordinary user of the Network takes partial or complete control over the attacked. Approximately half of malware exploits this type of vulnerability.

In the article "Wikipedia" ( http://en.wikipedia.org) defines the vulnerability as follows: "A buffer overflow is a phenomenon that occurs when a computer program writes data beyond the bounds of a buffer allocated in memory."

Eric S. Raymond's The New Hacker's Dictionary states that "buffer overflows are what inevitably happen when you try to put more into a buffer than it can handle."

Imagine the following situation. The password change function can accept a password of up to 256 characters. Most often, no one uses passwords longer than 8–10 characters, so the developers did not provide for checking the data entry string. If you try to enter more than 256 characters, if there was a function return address behind the data, it will be overwritten and, at best, the program will terminate with an error. A hacker who has discovered such a vulnerable area is left to substitute the correct address as the return address, which will transfer control to any point in the program of his choice. As a result, any arbitrary code that the hacker placed in the specified memory area can be executed with the privileges that the current program is running with.

Such errors in software are found almost daily, but not always and not immediately eliminated. For example, you can view statistics on specialized sites. According to Secunia ( http://secuna.com) in Microsoft Windows XP Professional, 30 out of 201 vulnerabilities discovered from 2003 to early 2008, although having the status of highly critical (extremely dangerous), which allow remote code execution (that is, actually gaining access to the system), have not been fixed, this list already no. On average, three to four vulnerabilities are discovered per month.

In Internet Explorer 7, 7 out of 21 vulnerabilities found have not been fixed, and some of them have a highly critical status. On average, one or two vulnerabilities are discovered per month. Given all the vulnerabilities in which you can remotely execute code on the system, we can conclude that it is generally dangerous to access the Internet with this browser. Internet Explorer allows code execution while processing HTML Help ActiveX, HTA, SWF, ZIP, BMP and JPEG files, FTP archives, Cookies, IFRAME tag and pop-up windows, i.e. to enter the Trojan system, it is enough to visit the site and view/save pictures or ZIP archive.

Attention!

Found vulnerabilities are not always eliminated immediately, often they have been present for years.

In operating system windows code Many other applications also use Internet Explorer (Outlook Express, Windows Media Player etc.), which increases the likelihood of injury. For example, there is a JPEG exploit that uses a bug in the system library that occurs when processing JPEG image files. This error allows you to infect your computer through any program - Outlook Express or any other email client that displays JPEG images.

Attention should also be paid to the possibility of address bar Internet Explorer address that does not match the address of the downloaded site (this type of attack is called URL spoofing), and displaying pop-up windows that the user thinks belong to the page viewed in the browser, as well as modifying the title of the window or information in the status bar.

According to various sources, it is Internet Explorer that is the most popular web browser today, as it is integrated into Windows. So this program will attract the attention of attackers who want to realize their plans, because the probability that a user will come to a specially created resource with Internet Explorer remains the highest.

Let's see what we can say about the most famous of free browsers – Mozilla Firefox 2. 19 vulnerabilities were found in it, four of which have not been fixed. The most dangerous of them has the status less critical (below critical). Using these vulnerabilities, it is impossible to take full control of the computer, an attacker can only reveal some system information, so it should be recognized that the position of this browser is better than Internet Explorer.

Thus, the optimal solution would be to use alternative applications. Instead of Internet Explorer for surfing, you can use, for example, Mozilla Firefox, instead of Outlook Express - The Bat! etc. These programs have a better security situation.

You should also periodically install updates and use new versions of programs that fix old bugs (possible new bugs are another matter). True, the size of updates sometimes reaches several tens of megabytes, and in addition to Internet Explorer and Windows, other products need to be updated, therefore, traffic can be expensive for the budget. In this case, you should limit yourself to at least updates that eliminate critical errors.

Surely you are wondering: really, for so many years, no one has tried to deal with buffer overflows? Of course they tried. After all, the development of attacking programs over several decades has outgrown pure enthusiasm and has taken on a commercial basis, which indicates a growing danger.

Utilities such as, for example, Stack-Guard are aimed at combating this vulnerability. It was originally developed for Unix systems, but its counterpart is currently used by Microsoft Visual Studio.NET and IBM's ProPolice. Microsoft products, Windows XP SP2 and Server 2003 SP1 use DEP (Data Execution Protection), which makes the data section and stack non-executable, which should prevent this type of attack.

Some Intel and AMD processors have a special bit: in Intel - XD (eXecute Disable - prohibition of execution), in AMD - NX (No eXecute - no execution), which allows hardware implementation of DEP support.

If the computer does not support non-executable pages at the hardware level, Software-enforced DEP (forced software DEP) is used. DEP software protection is built in at compile time and therefore only works for DEP-enabled system libraries and applications.

There are also disadvantages to these tools. When using DEP technology, the issue of compatibility arose. Some applications require an executable stack (and there are many such: emulators, compilers, protection mechanisms, etc.), so protection is enabled by default only for system processes. Appearance new technology spurred on the hackers, and almost at the same time, methods were presented to bypass the protection. Attacking has become more difficult, but still possible.

The other mechanisms described allow protection from only one type of buffer overflow, and there are several types of them, so this cannot be considered a full-fledged protection.

I would like to reassure you a little: the presence of an error does not always allow the attack to be carried out in full: the buffer may be small for code injection (it is impossible to use null bytes), addresses system functions different versions may not match, and the person trying to exploit the vulnerability must have really deep knowledge.

Unfortunately, most users often create problems themselves. For example, the browser is often allowed running javascript, ActiveX, and other controls that make it easy to install spyware. Some email clients are able to process and display HTML content that allows you to perform any action. Due to incorrect settings of the mail program or existing errors in it, when viewing the contents of received letters, attachment files may automatically open. Sometimes the following technique is used: an executable file is attached to the message, and in the MIME header, which indicates the type transferred file, in field content-type indicates that this is a drawing. The mail client, when trying to download a picture, launches an executable file.

Note

MIME - Multipurpose Internet Mail Extension - Internet postal standard: encoding in one message textual and non-textual information (graphics, archives, etc.) for transmission by e-mail.

The danger lies not only in the sent EXE files. There is a little-known possibility of executing scripts in HLP- and CHM files, and these scripts allow you to run executable files, so you should beware of any unsolicited e-mails.

If you prefer to use Internet Explorer for surfing, set the security level to high. To do this, execute the menu command Tools > Internet Options, in the window that appears, go to the tab Safety, Select a category Internet, at the bottom of the window, click the button Another, in the opened window Security Options select from the list per level paragraph High and press the button OK.

Users often work on the Internet with administrator rights, respectively, an attacker who gains access to a computer through, for example, an attack on Internet Explorer, will receive the same rights, therefore, to work on the Internet, you should create a separate account, endowing it with minimal rights.

The Lovesan worm exploited a vulnerability in the Microsoft RPC (Remote Procedure Call) service. And although this vulnerability has been fixed, if you do not need the DCOM (Distributed Component Object Model) service, it is better to disable it, and along with other unnecessary services. To check the list of running services, execute the menu command Start > Run and in the window Program launch enter cmd. In the window that appears command line enter the command net start. On fig. 1.1 shows an example of a list of running services.

Rice. 1.1. Listing running services

To edit the list of automatically starting services, run the command Start > Control Panel, select a category Performance and maintenance, then Administration, then click on the label Services. Double-clicking on the selected service will display information about its assignment and allow you to change the startup status. If you are in doubt about the need for services, you can gradually disable them, observing the reaction of the system.

There are a sufficient number of guides on the Internet that describe in detail the purpose of Windows system services. One of them can be found at http://www.oszone.net/display.php?id=2357. It is desirable to disable the Null Session, which allows you to connect to a Windows NT-based system without entering a username and password. With the null session enabled, an anonymous user can get a lot of information about the system configuration that can be used in further actions (the list of resources provided for public access, the list of users, workgroups, etc.). The open port 139 belongs to the category of serious vulnerabilities. To disable a null session, you must execute the menu command Start > Run and type in line Open command regedit. In the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for Windows 2000/XP/2003, you need to set the parameter restrictanonymous meaning 2 (a type - REG_DWORD), for Windows NT3.5/NT4.0 – value 1 . For Windows 2000/XP/2003 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver must be set for the parameter RestrictNullSessionAccess meaning 1 (parameter type - REG_DWORD), and for Windows NT3.5/NT4.0 this can be done in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. If there are no such parameters, they must be created.

After making changes, you need to restart your computer.

You should also disable hidden resources C$, D$, ADMIN$. For this it is easier to use specialized utilities. For example, the LanSafety program allows you to do this with one click (Fig. 1.2).

Rice. 1.2. The working window of the LanSafety program

It is recommended to use file NTFS system, which will allow you to restrict access to the resources of your computer and complicate the process of local hacking of the SAM database.

Early versions of Microsoft Word and Microsoft Excel, along with opening a document, automatically launched scripts written in Visual language Basic for Application, which led to the infection of the computer with macro viruses. Latest Versions these applications ask the user for confirmation of running scripts.

These are not all the measures that need to be taken to improve the security level of working on a computer. Be sure to install an antivirus, enable a firewall and use other programs, which will be discussed in the following chapters.

It is widely believed among information security professionals that computer protection is a constant struggle with the stupidity of users and the intelligence of hackers. It follows that the most vulnerable link in the defense is a person. There are also system vulnerabilities that become the source of mass epidemics (suffice it to recall the Lovsan aka W32. Blaster worm, which exploited a vulnerability in RPC DCOM). Here, unfortunately, the user is powerless, and you can deal with this either by constantly installing all kinds of patches, or by changing the operating system to a safer one, and sometimes nothing will save you from the consequences of the user's actions.

Attention!

Often the user becomes the source of his own problems: be careful when working with letters from unknown senders, use an antivirus and a firewall.

Virus developers use the same techniques as marketers, and there will always be at least one person in a hundred who, despite warnings, considers an email received from an unknown person to be safe and opens it, relying on antivirus protection. To achieve their goal, virus writers (as well as other scammers, including those in the real world) use human weaknesses:

Insufficient preparation;

Desire to stand out;

Craving to instantly get rich or get something for nothing;

Pity and mercy;

Desire to see "interesting" pictures;

Interest in a product that is needed by a certain part of the population or which cannot be obtained;

Interest in getting rich quick methods using financial pyramids, super ideas for successful business or a win-win casino game;

Trust in patches allegedly sent to the user by a caring Microsoft employee.

Recently, false reports have begun to appear from an employee of an antivirus company about a virus allegedly found in a message sent by a user, or about the beginning of a new epidemic. To protect the user, the "well-wisher" attaches a file to the letter, with which this virus can be removed. After running this file, the Trojan will be installed on the computer. In order not to arouse the user's suspicion, the letter often refers to a completely different person. At the same time, the subject of the message may say that “a cool site was found that sells cheap goods”; photographs “from a student party” with a request “not to show to anyone” can be attached to the letter itself; the letter may contain a link to a “much needed program”, etc. This is done to convince the recipient that the letter came to him by accident, but the information may be interesting to him.

Perhaps the only way to spread viruses through ICQ is by transferring files, so you need to be very careful with offers to download a file from an outsider.

The operating system is not always able to correctly display information about the file being launched. By default, Microsoft Windows does not show registered name extensions. As a result, the file name photo.jpg.exe will be shown as photo.jpg. To mask the real expansion, a double expansion is used like xxx.jpg.exe(in this case it may help that some mail servers refuse to skip executable files), or a large number of spaces are added, causing the file name to be incompletely displayed.

Advice

Turn on the display of file extensions by running the command Service > Folder Options and clearing the Hide extension for known file types check box on the View tab.

Icons are a separate issue. Most users still think that it is the icon that determines which program they run. When they click on the calculator icon, they expect the calculator to launch, not some W32.Bagle-A. This is used by attackers: they send a file with a double extension like creditcard.doc.exe and an icon commonly used for Microsoft Word documents. The second extension is most often hidden, and the user has no doubt that it was a text document that came by mail.

In the near future, computer literacy is unlikely to reach a level where it will be possible to forget about the human factor, so the only advice that can be given is to be vigilant and attentive, be critical of various proposals and do not open suspicious letters.

3. Who writes viruses and why?

4. History of computer viruses - from antiquity to the present day

4.1. A bit of archeology

4.2. The beginning of the way

4.5. Beyond DOS

4.6. macro virus epidemic

4.7. Chronology of events

5.Classification of computer viruses

6. Prospects: what will happen tomorrow and the day after tomorrow

6.1. What will be tomorrow?

6.2. What will happen the day after tomorrow?

Introduction

Computer viruses. What is it and how to deal with it? Dozens of books and hundreds of articles have been written on this topic, hundreds (or thousands) of specialists in dozens (maybe hundreds) of companies are professionally engaged in the fight against computer viruses. It would seem that this topic is not so complex and relevant as to be the object of such close attention. However, it is not. Computer viruses have been and remain one of the most common causes of information loss. There are cases when viruses blocked the work of organizations and enterprises. Moreover, a few years ago, a case was recorded when a computer virus caused the death of a person - in one of the hospitals in the Netherlands, a patient received a lethal dose of morphine because the computer was infected with a virus and gave incorrect information.

Despite the enormous efforts of competing anti-virus firms, the losses caused by computer viruses do not fall and reach astronomical values ​​of hundreds of millions of dollars annually. These estimates are clearly underestimated, since only a fraction of such incidents become known.

It should be borne in mind that anti-virus programs and hardware do not provide a full guarantee of protection against viruses. Things are about the same bad on the other side of the human-computer tandem. Both users and professional programmers often do not even have the skills of "self-defense", and their ideas about the virus are sometimes so superficial that it would be better if they (representations) did not exist.

Things are a little better in the West, where there is more literature (as many as three monthly magazines devoted to viruses and protection against them are published), and fewer viruses (since "leftist" Chinese CDs do not particularly enter the market), and antivirus companies behave more actively (by holding, for example, special conferences and seminars for specialists and users).

With us, unfortunately, this is not entirely true. And one of the least "developed" items is the literature on the problems of combating viruses. To date, the printed anti-virus products available on store shelves are either outdated, or written by non-professionals, or authors like Khizhnyak, which is much worse.

A rather unpleasant moment is also the anticipatory work of the Russian computer "underground": in just two years, more than a dozen electronic issues of the magazine of virus writers "Infected Voice" were released, several BBS stations and WWW pages appeared, focused on the spread of viruses and related information.

All this served as an impetus to bring together all the material that I had accumulated over eight years of professional work with computer viruses, their analysis and the development of methods for detection and treatment.

As soon as I swallow something, as soon as

something interesting is happening. Let's see what

will be this time!

Lewis Carroll. "Alice in Wonderland"

1. Phenomenon of computer viruses

The 20th century is undoubtedly one of the turning points in the life of mankind. As one of the science fiction writers said, "humanity rushed forward like a spurred horse," and, having defined ourselves as a technocratic civilization, our grandfathers, fathers and we ourselves threw all our strength into the development of technology in its various guises - from medical devices to spacecraft, from agricultural combines to nuclear power plants, from transport to communication systems - the list is endless, since it is extremely difficult to name an area of ​​human activity that has not been affected by the development of technology. // What was the reason for such a large-scale and rapid development - the military confrontation of political systems, the evolutionary "wiseness" of a person or his pathological laziness (invent the wheel so as not to carry a mammoth on his shoulders) - is still unclear. Let us leave this riddle for the historians of subsequent centuries.

Mankind is captured by technology and is unlikely to give up the amenities provided by it (few people want to change a modern car for horse-drawn traction). Already very many have completely forgotten ordinary mail with its envelopes and postmen - instead of it came e-mail with its stunning delivery speed (up to several minutes, regardless of distance) and very high reliability. Can't imagine existence modern society without a computer capable of repeatedly increasing labor productivity and delivering any conceivable information (something like the principle “go there, I don’t know where, find that, I don’t know what”). We are no longer surprised by a mobile phone on the street - I myself got used to it in just one day.

The 20th century is also one of the most controversial, bringing many paradoxes to the history of mankind, the main of which, it seems to me, is the relationship of man to nature. Having ceased to live in friendship with nature, having conquered it and proving to himself that he could easily destroy it, man suddenly realized that he himself would perish - and the roles in the drama "Man-Nature" were reversed. Formerly man protected himself from nature, but now he more and more protects nature from himself. Another phenomenon of the 20th century is the relation of man to religion. Having become a technocrat, a person has not stopped believing in God (or his analogues). Moreover, other religions emerged and became stronger.

The main technical phenomena of the 20th century, in my opinion, include the appearance of man in space, the utilization of the atomic energy of matter, the tremendous progress in communication and information transmission systems, and, of course, the stunning development of micro and macro computers. And as soon as the mention of the phenomenon of computers appears, another phenomenon of the end of our century immediately appears - the phenomenon of computer viruses.

It may seem ridiculous or frivolous to many that the fact of the emergence of computer viruses is put on a par with the exploration of space, the atomic nucleus and the development of electronics. It is possible that I am wrong in my reasoning, but let me explain myself.

Firstly, computer viruses- this is a serious and quite noticeable problem, the occurrence of which no one expected. Even the all-seeing futurologists of the past do not say anything about this (as far as I know). In their numerous works, almost all the technical achievements of the present are predicted with varying accuracy (recall, for example, Wells with his idea of ​​flying from a cannon to the Moon and Martians armed with a kind of laser). If we talk about computers, then this topic is utterly polished - however, there is not a single prophecy dedicated to computer viruses. The theme of the virus in the works of writers appeared after the first real virus hit its first computer.

Secondly, computer viruses are the first completely successful attempt to create life. The attempt is successful, but it cannot be said that it is useful - modern computer "microorganisms" most of all resemble insect pests that bring only problems and troubles.

But still - life, because computer viruses have all the attributes of life - the ability to reproduce, adaptability to the environment, movement, etc. (of course, only within computers - just as all of the above is true for biological viruses within the cells of the body). Moreover, there are "bisexual" viruses (see RMNS virus), and an example of "multicellularity" can be, for example, macro viruses consisting of several independent macros.

And thirdly, the topic of viruses stands somewhat apart from all other tasks solved using a computer (let's forget about such specific tasks as breaking copy protection and cryptography). Almost all problems solved with the help of computer technology are a continuation of the purposeful struggle of man with the nature around him. Nature puts a long non-linear differential equation in three-dimensional space for a person - a person stuffs a computer with processors, memory, hangs it with dusty wires, smokes a lot and eventually solves this equation (or is in a state of confidence that he has decided). Nature gives a person a piece of wire with well-defined characteristics - a person comes up with algorithms for transmitting as much information as possible through this wire, torments it with modulations, compresses bytes into bits and patiently waits for superconductivity at room temperature. Nature (represented by IBM) gives a person another limitation in the form of another version of the IBM PC - and a person does not sleep at night, again smokes a lot, optimizing the codes of the next database in order to fit it into the resources of RAM and disk memory provided to him. Etc.

But the fight against computer viruses is the struggle of a person with the human mind (in a sense, it is also a manifestation of natural forces, although there is more than one opinion on this). This fight is a fight of minds, because the tasks facing virologists are set by the same people. They come up with a new virus - and we deal with it. Then they come up with a virus that is very hard to figure out - but we deal with it. And now, somewhere, a guy who is no more stupid than me is probably sitting at a computer, suffering from another monster, which I will have to figure out for a whole week, and then debug the antivirus algorithm for another week. By the way, why not the evolution of living organisms?

So, the emergence of computer viruses is one of the most interesting moments in the history of technological progress of the 20th century, and the time has come to end with near-philosophical reasoning and move on to specific issues. And the question of defining the term "computer virus" will come first.

So what is a computer virus?

There is a floppy disk on the mountain

She has a broken bottle

Through the hole in the envelope

Her viruses gnaw

(folklore)

2. What is a computer virus

There are several explanations of what a computer virus is. The simplest explanation is a household explanation for a housewife who has never seen a computer in her life, but knows that it exists and that Viruses are found in it. This explanation is fairly easy, which is not the case with the second explanation, which is intended for the software engineer. It is not yet possible for me to give an exact definition of a computer virus and draw a clear line between programs on the basis of the "virus - non-virus" principle.

2.1. Explanation for the housewife

The explanation will be given on the example of a clerk who works exclusively with papers. The idea of ​​such an explanation belongs to D.N. Lozinsky, one of the most famous "doctors".

Imagine a neat clerk who comes to work in his office and every day finds on his desk a stack of sheets of paper with a list of tasks that he must complete during the working day. The clerk takes the top sheet, reads the instructions of his superiors, follows them punctually, throws the "used" sheet into the trash can and moves on to the next sheet. Let us suppose that an intruder sneaks into an office and places a piece of paper on a pile of papers, on which is written the following:

"Rewrite this sheet twice and put the copies in the pile of neighbors' tasks"

What will the clerk do? Rewrite the sheet twice, put it on the neighbors' table, destroy the original and proceed to the execution of the second sheet from the stack, i.e. continue to do their real job. What will the neighbors, being the same neat clerks, do when they find a new task? The same as the first: they will rewrite it twice and distribute it to other clerks. In total, four copies of the original document are already roaming in the office, which will continue to be copied and distributed to other tables.

A computer virus works in much the same way, only the programs are the stacks of instructions, and the computer is the clerk. Just like a clerk, the computer accurately executes all program commands (task sheets), starting with the first one. If the first command sounds like "copy me into two other programs," then the computer will do just that - and the virus command gets into two other programs. As the computer proceeds to execute other "infected" programs, the virus will spread further and further throughout the computer in the same way.

In the above example about a clerk and his office, the leaf virus does not check whether the next task folder is infected or not. In this case, by the end of the working day, the office will be littered with such copies, and the clerks will only rewrite the same text and distribute it to their neighbors - after all, the first clerk will make two copies, the next victims of the virus will already be four, then 8, 16, 32 , 64, etc., i.e. the number of copies will be doubled each time.

If a clerk spends 30 seconds rewriting one sheet and another 30 seconds distributing copies, then in an hour more than 1,000,000,000,000,000,000 copies of the virus will "roam" around the office! Most likely, of course, there will not be enough paper, and the spread of the virus will be stopped for such a banal reason.

Ironically (although it was not at all funny to the participants in this incident), just such a case occurred in 1988 in America - several global information transmission networks turned out to be overflowing with copies of a network virus (Morris virus) that sent itself from computer to computer. Therefore, the "correct" viruses do this:

"Rewrite this sheet twice and put copies in the neighbors' task pile if they do not already have this sheet."

Problem solved - there is no "overpopulation", but each pile contains a copy of the virus, while the clerks still have time to cope with normal work.

"But what about data destruction?" - the well erudite housewife will ask. Everything is very simple - just add something like this to the sheet:

"1. Rewrite this sheet twice and put copies in the neighbors' task pile if they do not already have this sheet.

2. Look at the calendar - if today is Friday, falling on the 13th, throw all the documents in the trash"

This is approximately what the well-known "Jerusalem" virus (another name is "Time") does.

By the way, using the example of a clerk it is very clear why in most cases it is impossible to determine exactly where the virus came from in the computer. All clerks have the same (up to handwriting) COPIES, but the original with the attacker's handwriting has long been in the trash!

Here is a simple explanation of how the virus works. Plus, I would like to add two axioms to it, which, oddly enough, are not obvious to everyone:

Firstly, viruses do not appear by themselves - they are created by very evil and bad hacker programmers and then sent out over the data network or thrown on the computers of friends. A virus cannot appear on your computer by itself - either it was slipped on floppy disks or even on a CD, or you accidentally downloaded it from a computer data network, or the virus lived in your computer from the very beginning, or (what is the worst) programmer-hacker lives in your house.

Secondly, computer viruses infect only the computer and nothing else, so there is no need to be afraid - they are not transmitted through the keyboard and mouse.

2.2. An attempt to give a "normal" definition

The first studies of self-propagating artificial structures were carried out in the middle of this century. In the works of von Neumann, Wiener and other authors, a definition is given and a mathematical analysis of finite automata, including self-reproducing ones, is carried out. The term "computer virus" appeared later - it is officially believed that it was first used by an employee of the Lehigh University (USA) F. Cohen in 1984 at the 7th conference on information security held in the USA. Since then, a lot of time has passed, the severity of the problem of viruses has increased many times, but a strict definition of what a computer virus is has not been given, despite the fact that attempts to give such a definition have been made repeatedly.

The main difficulty that arises when trying to give a strict definition of a virus is that almost all the distinguishing features of a virus (introduction into other objects, secrecy, potential danger, etc.) are either inherent in other programs that are in no way viruses, or there are viruses. , which do not contain the above distinctive features (with the exception of the possibility of distribution).

For example, if stealth is taken as the distinguishing characteristic of a virus, then it is easy to give an example of a virus that does not hide its spread. Such a virus, before infecting any file, displays a message stating that there is a virus in the computer and this virus is ready to infect the next file, then displays the name of this file and asks the user for permission to inject the virus into the file.

If the ability to destroy programs and data on disks is given as a distinguishing feature of a virus, then as a counterexample to this distinguishing feature, dozens of completely harmless viruses can be cited, which, apart from their distribution, do not differ in anything else.

The main feature of computer viruses - the possibility of their spontaneous introduction into various objects of the operating system - is inherent in many programs that are not viruses. For example, the most common operating system MS-DOS has everything necessary to spontaneously install itself on non-DOS disks. To do this, it is enough to write the AUTOEXEC.BAT file on a bootable floppy disk containing DOS with the following content:

Modified in this way, DOS itself will become a real virus in terms of almost any existing definition of a computer virus.

Thus, the first of the reasons that do not allow a precise definition of a virus is the impossibility of unambiguously distinguishing distinctive features that would correspond only to viruses.

The second difficulty that arises in formulating the definition of a computer virus is that this definition must be tied to the specific operating system in which this virus is distributed. For example, theoretically, there may be operating systems in which the presence of a virus is simply impossible. An example of this would be a system where it is forbidden to create and modify areas of executable code, i.e. it is forbidden to modify objects that are either already running or can be run by the system under any conditions.

Therefore, it seems possible to formulate only required condition in order for some sequence of executable code to be a virus.

MANDATORY (NECESSARY) PROPERTY OF A COMPUTER VIRUS is the ability to create its own duplicates (not necessarily identical to the original) and inject them into computer networks and/or files, computer system areas, and other executable objects. At the same time, duplicates retain the ability to further distribution.

It should be noted that this condition is not sufficient (ie, final), since, following the above example, the MS-DOS operating system satisfies this property, but most likely is not a virus.

That is why there is still no exact definition of the virus, and it is unlikely that one will appear in the foreseeable future. Therefore, there is no precisely defined law by which "good" files can be distinguished from "viruses". Moreover, sometimes even for a particular file it is quite difficult to determine whether it is a virus or not.

Here are two examples: the KOH virus and the ALREADY.COM program.

Example 1. Is there a... virus? utility? with the name KOH. This program encrypts/decrypts disks only at the user's request. It is made in the form of a boot floppy disk - the boot-sector contains bootstrap loader KOH, and somewhere in other sectors lies the main KOH code. When booting from a floppy disk, KOH asks the user a question like: "Can I install myself on the hard drive?" (if he is already on the hard drive, he asks the same thing about the floppy disk). If yes, KOH moves itself from disk to disk.

As a result, KOH transfers (copies) itself from a floppy to a hard drive, and from a hard drive to floppy disks, but only with the permission of the computer owner.

Then KOH displays text about its hot-keys ("hot" keys), by which it encrypts / decrypts disks - it asks for a password, reads sectors, encrypts them and makes them inaccessible if you do not know the password. By the way, he has an uninstall key, by which he removes himself from the disk (having decrypted, of course, everything that was encrypted).

In total, KOH is a kind of utility for protecting information from unauthorized access. However, one feature has been added to it: this utility can copy itself from disk to disk (with the permission of the user). Is it a virus?.. Yes or no? Probably not...

And everything would be fine, and no one would call this utility named KOH a virus, but only the bootstrap loader of this KOH almost 100% coincides with the rather "popular" virus "Havoc" ("StealthBoot") ... "and everything - and a cover for the holiday. Virus! And the official name is - "StealthBoot.KOH".

Example 2. There is a certain program ALREADY.COM that copies itself to different subdirectories on the disk depending on the system date. Virus? Of course, yes - a typical worm virus that spreads itself across disks (including network ones). Yes Yes!

"You played - but did not guess a single letter!" This is not a virus, as it turned out, but a component from some software. However, if this file is pulled out of this software, then it behaves like a typical virus.

In total, two live examples were given:

1. non-virus - virus

2. virus is not a virus

An attentive reader who is not averse to arguing may object:

Stop. The name "viruses" in relation to programs came from biology precisely on the basis of self-reproduction. KOH meets this condition, therefore it is a virus (or a complex that includes a viral component) ...

In this case, DOS is a virus (or a complex containing a virus component) because it has a SYS and a COPY command. And if there is an AUTOEXEC.BAT file on the disk, given a few paragraphs above, then even user intervention is not required for reproduction. Plus, if we take the possibility of self-replication as a necessary and sufficient sign of a virus, then any program that has an installer is a virus. Total: the argument does not pass.

What if by a virus we mean not just "self-replicating code", but "self-replicating code that does not perform useful actions or even does harm, without involving / informing the user"...

The KOH virus is a program that encrypts disks with a password entered by the user. _All_ his actions KOH comments on the screen and asks the user's permission. Plus, it has an uninstaller - it decrypts disks and removes its code from them. However, it's still a virus!

If, in the case of ALREADY.COM, subjective criteria are involved (useful / not useful, included in the kit / independent, etc.), then perhaps this should not be called a virus / worm. But is it worth it to involve these very subjective criteria?

What are the objective criteria for a virus? Self-reproduction, secrecy and destructive properties? But after all, for each objective criterion, two counterexamples can be given - a) an example of a virus that does not fit the criterion, and b) an example of a non-virus that fits the criterion:

Self-reproduction:

1. Intended viruses that cannot replicate due to a large number of errors, or replicate only under very limited conditions.

2. MS-DOS and variations on SYS+COPY.

Stealth:

1. Viruses "KOH", "VirDem", "Macro.Word.Polite" and some others inform the user about their presence and reproduction.

2. Approximately how many (up to a dozen) drivers sit under standard Windows95? Secretly sits, by the way.

Destructive properties:

1. Harmless viruses, such as "Yankee", which perfectly live in DOS, Windows 3.x, Win95, NT and do not spoil anything anywhere.

2. Older versions of Norton Disk Doctor"a on a disk with long file names. Running NDD in this case turns Disk Doctor"a into Disk Destroyer"a.

Therefore, the topic of a "normal" definition of a computer virus remains open. There are only a few exact milestones: for example, the COMMAND.COM file is not a virus, but the infamous program with the text "Dis is one half" is a 100% virus ("OneHalf"). Anything in between may or may not be a virus.

Don't get excited, Shura, you haven't done time for the last case yet.

from Zhvanetsky

3. Who writes viruses and why?

I myself have not been involved in writing viruses, I rarely intersect with their authors, and, therefore, my thoughts on this matter can only be purely theoretical.

So who writes viruses? In my opinion, most of them are created by students and schoolchildren who have just learned assembly language, want to try their hand, but cannot find a more worthy application for them. It is gratifying that a significant part of such viruses is often not distributed by their authors, and the viruses "die" after a while along with the diskettes on which they are stored. Such viruses are most likely written only for self-affirmation.

The second group is also made up of young people (more often students) who have not yet fully mastered the art of programming, but have already decided to devote themselves to writing and distributing viruses. The only reason pushing such people to write viruses is an inferiority complex, which manifests itself in computer hooliganism.

From the pen of such "craftsmen" often come either numerous modifications of "classical" viruses, or extremely primitive viruses with a large number of errors (I call such viruses "student" ones). The life of such virus writers has become much easier after the release of virus constructors, with which you can create new viruses even with minimal knowledge of the operating system and assembler, or even having no idea about it at all. Their life has become even easier after the advent of macro viruses, because instead of the complex Assembly language, it is enough to learn a fairly simple BASIC to write macro viruses.

Having grown older and more experienced, but never matured, many of these virus writers fall into the third, most dangerous group that creates and releases "professional" viruses into the world. These very carefully designed and polished programs are created by professional, often very talented programmers. Such viruses often use quite original algorithms, undocumented and little-known ways to penetrate system data areas. "Professional" viruses are often made using stealth technology and (or) are polymorphic viruses that infect not only files, but also boot sectors of disks, and sometimes Windows and OS / 2 executable files.

Quite a significant part of my collection is occupied by "families" - groups of several (sometimes more than a dozen) viruses. Representatives of each of these groups can be distinguished by one distinctive feature, which is called "handwriting": several different viruses contain the same algorithms and programming techniques. Often all or almost all members of a family belong to the same author, and sometimes it's quite funny to follow the "development of the pen" of such an artist - from almost "student" attempts to create at least something that looks like a virus, to a fully functional implementation of a "professional" virus.

In my opinion, the reason forcing such people to direct their abilities to such meaningless work is still the same - an inferiority complex, sometimes combined with an unbalanced psyche. It is indicative that such virus writing is often combined with other addictions. So, in the spring of 1997, one of the world's most famous authors of viruses named Talon (Australia) died at the age of 21 from a lethal dose of heroin.

The fourth group of virus authors - "researchers" - stands out somewhat separately. This group consists of quite smart programmers who are inventing fundamentally new methods of infecting, hiding, counteracting antiviruses, etc. They also come up with ways to introduce them into new operating systems, virus constructors and polymorphic generators. These programmers write viruses not for the sake of viruses themselves, but rather for the sake of "exploring" the potentials of the "computer fauna".

Often the authors of such viruses do not put their creations into practice, but they actively promote their ideas through numerous electronic publications dedicated to the creation of viruses. At the same time, the danger from such "research" viruses does not fall - having fallen into the hands of "professionals" from the third group, new ideas are very quickly implemented in new viruses.

My attitude towards the authors of viruses is threefold. Firstly, everyone who writes viruses or contributes to their distribution is the "breadwinner" of the anti-virus industry, the annual turnover of which I estimate at least two hundred million dollars or even more (and do not forget that the losses from viruses amount to several hundred million dollars annually and many times more than the cost of anti-virus programs). If the total number of viruses is likely to reach 20,000 by the end of 1997, then it is easy to calculate that the anti-virus firms earn at least $10,000 annually from each virus. Of course, the authors of viruses should not rely on material rewards: as practice shows, their work was and remains free. In addition, today the supply (new viruses) quite satisfies the demand (the ability of antivirus firms to process new viruses).

Secondly, I feel sorry for the authors of viruses, especially "professionals". Indeed, in order to write such a virus, it is necessary: ​​a) to spend quite a lot of effort and time, and much more than it takes to understand the virus, enter it into the database or even write a special antivirus; and b) not to have another, more attractive, occupation. Consequently, virus writers - "professionals" are quite hardworking and at the same time toil from idleness - the situation, it seems to me, is very sad.

Heavy and unsightly

The life of a simple programmer

(folklore)

There is no limit to our integral.

(Folk wisdom)

4. History of computer viruses - from antiquity to the present day

4.1. A bit of archeology

There are a lot of opinions about the date of birth of the first computer virus. The only thing I know for sure is that Babbage's machine didn't have it, but the Univac 1108 and IBM-360/370 already had it ("Pervading Animal" and "Christmas tree"). Thus, the first virus appeared somewhere at the very beginning of the 70s or even at the end of the 60s, although no one has yet called it a "virus". On this conversation about extinct fossils, I propose to consider it completed.

4.2. The beginning of the way

Let's talk about recent history: "Brain", "Vienna", "Cascade" and beyond. Those who started working on the IBM-PC already in the mid-80s have not yet forgotten the epidemic of these viruses in 1987-89. Letters rained down on the screens, and crowds of users rushed to the display repair specialists (now the opposite is true: the hard drive has died of old age, and they blame it on a virus unknown to advanced science). Then the computer played the foreign anthem "Yankee Doodle", but no one rushed to fix the speakers - they quickly figured out that it was a virus, and not just one, but a dozen.

So viruses began to infect files. The "Brain" virus and the ball of the "Ping-pong" virus jumping across the screen marked the victory of the virus over the Boot sector as well. All this did not please the users of the IBM-PC, and antidotes appeared. The first antivirus I came across was the domestic ANTI-KOT: it was the legendary Oleg Kotik who released the first versions of his program, which destroyed as many as 4 (four) viruses (the American SCAN appeared in our country a little later). By the way, to everyone who has still kept a copy of this antivirus, I suggest that you immediately delete it (may Oleg Kotik forgive me!) As a harmful program and nothing but a waste of extra nerves and unnecessary phone calls that does not bring. Unfortunately, ANTI-KOT detects the "Time" ("Jerusalem") virus by the "MsDos" combination at the end of the file, and some other antiviruses carefully attach these same letters to all files with the COM or EXE extension.

It should be noted that the stories of the conquest of Russia and the West by viruses differ from each other. The first virus to spread rapidly in the West was the "Brain" boot virus, and only then did the "Vienna" and "Cascade" file viruses appear. In Russia, on the contrary, file viruses first appeared, and boot viruses appeared a year later.

Time passed, viruses multiplied. All of them were somewhat similar to each other, climbed into memory, clung to files and sectors, periodically killed files, floppy disks and hard drives. One of the first "revelations" was the "Frodo.4096" virus - the first file stealth virus known to me. This virus intercepted INT 21h and, when accessing infected files via DOS, changed the information in such a way that the file appeared before the user in an uninfected form. But it was only a virus add-on over MS-DOS. Less than a year later, electronic cockroaches crawled into the DOS kernel (the invisible virus "Beast.512"). The idea of ​​invisibility continued to bear fruit further: in the summer of 1991, the "Dir_II" virus swept through computers like a bubonic plague. "Yes-a-a!" said everyone who dug into it.

But it was quite simple to deal with the invisibles: I cleaned the RAM - and be calm, look for the bastard and treat him to health. More trouble brought self-encrypting viruses, which are sometimes found in the next arrivals in the collection. Indeed, to identify and remove them, it was necessary to write special subroutines and debug them. But no one paid attention to this then, until ... Until a new generation of viruses appeared, those that are called polymorphic viruses. These viruses take a different approach to invisibility: they encrypt (in most cases) and use commands in the decryptor that may not be repeated when infecting different files.

4.3. Polymorphism - mutation of viruses

The first polymorphic virus appeared in the early 90s - "Chameleon", but the problem of polymorphic viruses became really serious only a year later - in April 1991, when almost the entire world was covered by the epidemic of the polymorphic virus "Tequila" ( As far as I know, this epidemic practically did not affect Russia, and the first Russian epidemic caused by the polymorphic virus occurred three years later - the year 1994, it was the "Phantom1" virus).

The popularity of the idea of ​​self-encrypting polymorphic viruses resulted in the emergence of polymorphic code generators - in early 1992, the famous "Dedicated" virus appeared, based on the first known MtE polymorphic generator and opening a series of MtE viruses, and after a fairly short time, the polymorphic generator itself appeared . It is an object module (OBJ-file), and now in order to get a polymorphic mutant from the most ordinary unencrypted virus, it is enough to link their object modules - the OBJ-file of the polymorphic-generator and the OBJ-file of the virus. Now the author of the virus, if he wants to create a real polymorphic virus, will not have to pore over the codes of his own code/decoder. If desired, he can connect a polymorphic generator to his virus and call it from the codes of the virus.

Fortunately, the first MtE virus did not get into the "wildlife" and did not cause an epidemic, and the developers of anti-virus programs, accordingly, had some time to prepare to repel a new scourge.

Just a year later, the production of polymorphic viruses has already become a "craft", and in 1993 their "collapse" occurred. In the viruses entering the collection, the share of self-encrypting polymorphic viruses is becoming more and more. It seems that one of the main directions in the difficult task of creating viruses is the development and debugging of the polymorphic mechanism, and the competition among virus authors is not about which of them writes the coolest virus, but whose polymorphic mechanism turns out to be the coolest.

That's far from full list those that can be called 100% polymorphic (late 1993):

Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions).

To detect these viruses, one has to use special methods, which include emulation of virus code execution, mathematical algorithms for recovering code and data sections in a virus, etc. A dozen new viruses can be attributed to non-100% polymorphics (i.e., which encrypt themselves, but there are always constant bytes in the virus decryptor):

Basilisk, Daemaen, Invisible (two versions), Mirea (several versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.

However, they also require decryption of the code for their detection and recovery of affected objects, since the length of the permanent code in the decryptor of these viruses is too small.

In parallel with polymorphic viruses, polymorphic generators are being developed. Several new ones appear, using more complex methods of generating polymorphic code, they are distributed to BBS stations in the form of archives containing object modules, documentation and examples of use. At the end of 1993, seven polymorphic code generators were already known. This:

MTE 0.90 (Mutation Engine), four different versions of TPE (Trident Polymorphic Engine), NED (Nuke Encryption Device), DAME (Dark Angel's Multiple Encryptor)

Since then, new polymorphic generators have appeared several times a year, and it hardly makes sense to give a complete list of them.

4.4. Factory automation and virus constructors

Laziness is the driving force of progress. This folk wisdom needs no comment. But it was not until mid-1992 that progress in the form of industrial automation reached viruses. On July 5, 1992, the first virus code constructor for IBM-PC compatible computers, the VCL (Virus Creation Laboratory) package version 1.00, was announced for release.

This constructor allows you to generate source and well-commented virus texts (files containing assembler text), object modules, and directly infected files. The VCL is provided with a standard window interface. Using the menu system, you can select the type of virus, the objects to be affected (COM and / or EXE), the presence or absence of self-encryption, debugger resistance, internal text lines, connect up to ten effects that accompany the operation of the virus, etc. Viruses can use the standard way of infecting files at their end, or write themselves instead of files, destroying their original contents, or be satellite viruses (the international term is companion viruses).

And everything immediately became much simpler: if you wanted to harm your neighbor - sit down at the VCL and, in 10-15 minutes, having hacked 30-40 different viruses, run them on the enemy computer (s). Each computer - a separate virus!

Further more. On July 27, the first version of the PS-MPC constructor (Phalcon/Skism Mass-Produced Code Generator) appeared. This constructor does not contain a window interface and generates virus source texts from a configuration file. This file contains a description of the virus: the type of affected files (COM or EXE); residency (PS-MPC also creates resident viruses, which the VCL constructor does not allow); how to install a resident copy of the virus; the ability to use self-encryption; the possibility of defeating COMMAND.COM and a lot of other useful information.

Based on PS-MPC, the G2 constructor (Phalcon / Skism "s G2 0.70 beta) was created, which supports PS-MPC standard configuration files, but uses large quantity coding options for the same functions.

The G2 version I have is marked the first of January 1993. Apparently, the authors of G2 spent New Year's Eve at computers. It would be better if they drank champagne instead, although one does not interfere with the other.

So how did the virus constructors affect the electronic fauna? In the collection of viruses that is stored in my "warehouse", the number of "engineered" viruses is as follows:

based on VCL and G2 - several hundred each;

based on PS-MPC - more than a thousand.

This is how another trend in the development of computer viruses manifested itself: "designed" viruses begin to occupy an increasing part of the collections, and frankly lazy people begin to join the ranks of their authors, who reduce the creative and respected profession of virus writing to a very ordinary craft.

4.5. Beyond DOS

The year 1992 brought more than polymorphic viruses and constructor viruses. At the end of this year, the first virus for Windows appeared, thus opening a new page in the history of virus writing. A small size (less than 1K), completely harmless and non-resident virus, quite competently infected executable files of the new Windows format (NewEXE) and, with its appearance, broke a window into the Windows world for viruses.

Some time later, viruses for OS/2 appeared, and in January 1996, the first virus for Windows95 appeared. To date, not a week goes by without the appearance of new viruses infecting non-DOS systems, and, apparently, the problem of non-DOS viruses will soon come to the fore, blocking the problem of DOS viruses. Most likely, this will be equivalent to the gradual death of DOS and the spread of new operating systems and programs for them. As soon as all existing DOS applications are replaced by their counterparts for Windows, Win95 and OS/2, the DOS virus problem will come to naught and leave behind only a theoretical interest for the computer community.

In the same 1993, the first attempt to write a virus that works in protected mode appeared. Intel processor 386. It was a "PMBS" boot virus, named after a line of text inside its code. When booted from an infected disk, the virus switched to protected mode, installed itself as a system supervisor, and then loaded DOS in V86 virtual window mode. Fortunately, this virus turned out to be "not a tenant" - its second generation completely refused to multiply due to several errors in the virus code. In addition, it "hung" the system if any of the programs tried to go beyond V86, for example, to determine the presence of extended memory.

This unsuccessful attempt to write a supervisor virus remained the only known one until the spring of 1997, when a Moscow craftsman released the "PM.Wanderer" virus - a completely "successful" implementation of a virus that works in protected mode.

It is not yet clear whether supervisory viruses will become a real problem for users and developers of antivirus programs in the future. Most likely not, since such viruses should "fall asleep" during the operation of new operating systems (Windows, Win95 / NT, OS / 2), which allows them (viruses) to be easily detected and removed. However, a full-fledged stealth virus supervisor can bring a lot of trouble to users of "pure" DOS, because it is not possible to detect such a stealth virus under DOS.

4.6. macro virus epidemic

Year 1995, August. All progressive mankind, Microsoft and Bill Gates personally celebrate the release of the new Windows95 operating system. Against the backdrop of a noisy celebration, the message about the appearance of a virus that uses fundamentally new methods of infection, a virus that infects Microsoft Word documents, went almost unnoticed.

To be honest, this was not the first virus to infect Word documents. Up to this point, anti-virus firms already had the first prototype of a virus that rewrote itself from document to document. However, no one paid serious attention to this not entirely successful experiment. As a result, almost all antivirus firms turned out to be unprepared for the subsequent development of events - the macro-virus epidemic - and began to hastily take half-measures. For example, several companies almost simultaneously released anti-virus documents that acted on approximately the same principles as a virus, but destroyed it instead of reproducing.

By the way, I had to hurriedly correct the anti-virus literature - after all, it had previously answered the question "Is it possible to infect a computer when reading a file?" answered "Definitely - no!" and gave lengthy proofs of it.

And the virus, which by that time had received the name "Concept", continued its victorious movement around the planet. Appearing most likely in some of the divisions of Microsoft, "Concept" in the blink of an eye took over thousands (if not millions) of computers. This is not surprising, because the transfer of texts in MS Word format has become de facto one of the standards, and in order to become infected with a virus, you just need to open an infected document, and all other documents edited in an infected Word "e also become infected. In As a result, having received an infected file via the Internet and read it, the user, without knowing it himself, turned out to be a "carrier of infection", and all his correspondence (if, of course, it was conducted using MS Word) also turned out to be infected! Word, multiplied by the speed of the Internet, has become one of the most serious problems in the history of viruses.

Less than a year later, in the summer of 1996, the "Laroux" ("Laru") virus appeared, infecting MS Excel spreadsheets. As in the case of the "Concept" virus, the new macro virus was discovered "in nature" almost simultaneously in different companies. By the way, in 1997 this virus caused an epidemic in Moscow.

In the same 1996, the first constructors of macro viruses appeared, and in early 1997, the first polymorphic macro viruses for MS-Word and the first viruses for MS Office97 appeared. Plus, the number of various macro-viruses was constantly growing, reaching several hundred by the summer of 1997.

Opening a new leaf in August 1995, based on all the experience gained by virus writing over almost a decade of continuous work and improvement, macro viruses are perhaps the biggest problem of modern virology.

4.7. Chronology of events

It's time to move on to a more detailed description of events. Let's start from the very beginning.

late 1960s - early 1970s

On the mainframes of this time, programs appeared periodically, which were called "rabbit" (the rabbit). These programs cloned themselves, occupied system resources and thus reduced system performance. Most likely, the "rabbits" were not transmitted from system to system and were purely local phenomena - errors or pranks of system programmers who serviced the computer. The first incident that can be safely called an epidemic of a "computer virus" occurred on a Univax 1108 system. The virus, called "Pervading Animal", appended itself to executable files - doing almost the same thing that thousands of modern computer viruses do.

first half of 1970s

The "The Creeper" virus was created for the Tenex operating system, which used global computer networks to spread. The virus was able to independently enter the network via modem and transmit its copy to the remote system. To combat this virus, "The Reeper" was created - the first known anti-virus program.

Early 1980s

Computers are becoming more and more popular. More and more programs appear, the authors of which are not software companies, but individuals, and these programs have the ability to freely circulate on various public access servers - BBS. The result of this is the emergence of a large number of various "Trojan horses" - programs that, when launched, cause some harm to the system.

Epidemic of boot virus "Elk Cloner" on Apple II computers. The virus was written to the boot sectors of the floppy disks that were accessed. He showed himself very versatile - turned the screen, made the text on the screen blink and displayed a variety of messages.

Pandemic of the first IBM-PC virus "Brain". The virus that infects a 360Kb floppy disk quickly spread all over the world. The reason for this "success" was most likely the unpreparedness of the computer society to meet such a phenomenon as a computer virus.

The virus was written in Pakistan by brothers Basit and Amjad Farooq Alvi who left in the virus text message, containing their names, address, and telephone number. As the authors of the virus claimed, they were the owners of a company selling software products and decided to find out the level of piracy in their country. Unfortunately, their experiment went beyond the borders of Pakistan.

Interestingly, the "Brain" virus was also the first stealth virus - when trying to read an infected sector, it "substituted" its uninfected original.

Also in 1986, a programmer named Ralf Burger discovered that a program could make copies of itself by adding its own code to DOS executable files. His first virus, called "VirDem", demonstrated this capability. This virus was announced in December 1986 at the computer "underground" forum - hackers who specialized at that time in hacking VAX/VMS systems (Chaos Computer Club in Hamburg).

The emergence of the "Vienna" virus. A copy of this virus falls into the hands of the same Ralph Burger, who disassembles the virus and places the result in his book "Computer Viruses: A High Tech Desease" Burger's book popularized the idea of ​​writing viruses, explained how it happened, and thus served as an impetus for the writing of hundreds or even thousands of computer viruses, partly using the ideas from this book.

In the same year, several more viruses for the IBM-PC appeared independently of each other. These are the famous "Lehigh" in the past, which infects only COMMAND.COM, "Suriv-1" (another name is "April1st"), which infects COM files, "Suriv-2", which infects (for the first time) EXE files, and "Suriv -3", which infects both COM and EXE files. There are also several boot viruses ("Yale" in the US, "Stoned" in New Zealand and "PingPong" in Italy) and the first self-encrypting file virus "Cascade".

Non-IBM computers were not left out either: several viruses were found for the Apple Macintosh, Commodore Amiga and Atari ST.

In December 1987, the first known epidemic of the Christmas Tree network virus, written in the REXX language and propagating itself in the VM/CMS operating environment, occurred. On December 9, the virus was launched into the Bitnet network at a West German university, penetrated through a gateway into the European Academic Research Network (EARN) and then into the IBM VNet. Four days later (December 13) the virus paralyzed the network - it was clogged with copies of it (see the example about the clerk a few pages above). When launched, the virus displayed an image of a New Year (or rather, Christmas) tree on the screen and sent copies of itself to all network users whose addresses were present in the corresponding system files NAMES and NETLOG.

On Friday, May 13, 1988, several firms and universities from several countries of the world at once "got acquainted" with the "Jerusalem" virus - on this day the virus destroyed files when they were launched. This is perhaps one of the first MS-DOS viruses that caused a real pandemic - reports of infected computers came from Europe, America and the Middle East. By the way, the virus got its name from the place of one of the incidents - the university in Jerusalem.

Together with several other viruses ("Cascade", "Stoned", "Vienna"), the "Jerusalem" virus spread to thousands of computers without being noticed - antivirus programs were not yet as widespread at that time as they are today, and many users and even professionals did not yet believe in the existence of computer viruses. Indicative is the fact that in the same year, computer guru and legendary man Peter Norton spoke out against the existence of viruses. He declared them a non-existent myth and compared them to fairy tales about crocodiles living in the sewers of New York. This incident, however, did not prevent Symantec from starting its own anti-virus project - Norton Anti-Virus.

Knowingly false reports about computer viruses began to appear, containing no real information, but causing panic in orderly ranks. computer users. One of the first such "evil jokes" (the modern term is "virus hoax") belongs to a certain Mike RoChenle (a pseudonym similar to "Microchannel"), who sent out a large number of messages on the BBS station about an allegedly existing virus that is transmitted from modem to modem and uses 2400 baud for this. Ironically, many users abandoned the standard of those days of 2400 and reduced the speed of their modems to 1200 baud. Similar "hoaxes" appear even now. The most famous today are GoodTimes and Aol4Free.

November 1988: Morris network virus (also known as Internet Worm) outbreak. The virus infected more than 6,000 computer systems in the US (including the NASA Research Institute) and practically paralyzed their work. Due to an error in the virus code, it, like the "Christmas Tree" worm, sent copies of itself to other computers on the network indefinitely and, thus, completely took over its resources. The total losses from the Morris virus were estimated at $96 million.

The virus used for its reproduction errors in the operating room Unix system for VAX and Sun Microsystems. In addition to bugs in Unix, the virus used several other original ideas, such as guessing user passwords. You can read more about this virus and the related incident in a rather detailed and interesting article by Igor Moiseev in ComputerPress magazine, 1991, N8,9.

December 1988: Worm season continues, this time on DECNet. The HI.COM worm would display a Christmas tree on the screen and notify users to "stop computing and have a good time at home!!!"

New antivirus programs are emerging, for example, Dr.Solomon's Anti-Virus Toolkit, which is one of the most powerful antiviruses today.

New viruses appear - "Datacrime", "FuManchu" and entire families - "Vacsina" and "Yankee". The first had an extremely dangerous manifestation - from October 13 to December 31, he formatted the hard drive. This virus broke free and caused a general hysteria in the funds mass media in the Netherlands and the UK.

September 1989: Another anti-virus program, IBM Anti-Virus, enters the market.

October 1989: Another "WANK Worm" worm outbreak is detected on DECNet.

December 1989: "Aids" Trojan horse incident. 20,000 copies were sent out on floppy disks labeled "AIDS Information Diskette Version 2.0". After 90 downloads of the system, the Trojan encrypted the names of all files on the disk, made them invisible (the "hidden" attribute) and left only one readable file on the disk - an invoice for $189, which should have been sent to PO Box 7, Panama. The author of the "Trojan" was caught and sentenced to prison.

It should be noted that 1989 was the beginning of a general epidemic of computer viruses in Russia - all the same "Cascade", "Jerusalem" and "Vienna" viruses flooded the computers of Russian users. Fortunately, Russian programmers quickly figured out the principles of their work and almost immediately several domestic antidotes-antiviruses appeared.

My first encounter with a virus (it was the "Cascade" virus) happened in October 1989 - the virus was found on my work computer. This was the impetus for my professional reorientation to the creation of antivirus programs. By the way, I cured that first virus with Oleg Kotik's popular anti-virus program ANTI-KOT at that time. A month later, the second incident (the "Vacsina" virus) was closed with the first version of my anti-virus -V (which was renamed AVP - AntiViral Toolkit Pro a few years later). By the end of 1989, about a dozen viruses were already grazing in Russia (listed in the order of their appearance): two versions of "Cascade", several viruses "Vacsina" and "Yankee", "Jerusalem", "Vienna", "Eddie", "PingPong ".

This year has brought some pretty notable events. The first of these is the appearance of the first polymorphic viruses "Chameleon" (other names are "V2P1", "V2P2" and "V2P6"). Up to this point, anti-virus programs used so-called "masks" - pieces of virus code - to scan for viruses. After the appearance of "Chameleon" viruses, anti-virus software developers were forced to look for other methods of detecting them.

The second event was the appearance of the Bulgarian "virus factory": a huge number of new viruses were of Bulgarian origin. These were entire families of viruses "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), new modifications of the Eddie virus, etc. Some Dark Avenger was especially active, releasing a year several new viruses that used fundamentally new algorithms for infecting and hiding themselves in the system. In Bulgaria, the first BBS appeared for the first time, focused on the exchange of viruses and information for virus writers.

In July 1990 there was an incident with the computer magazine PC Today (Great Britain). It contained a floppy disk infected with the "DiskKiller" virus. Over 50,000 copies of the magazine have been sold.

In the second half of 1990, two stealth monsters appeared - "Frodo" and "Whale". Both viruses used extremely complex stealth algorithms, and the nine-kilobyte "Whale" also used several levels of encryption and anti-debugging techniques.

The first domestic viruses known to me also appeared: "Peterburg", "Voronezh" and Rostov "LoveChild".

The population of computer viruses is constantly growing, already reaching several hundred. Anti-virus activity is also growing: two software monsters (Symantec and Central Point) are releasing their own anti-virus programs - Norton Anti-Virus and Central Point Anti-Virus. Lesser-known antiviruses from Xtree and Fifth Generation follow.

In April, a real epidemic of the file-boot polymorphic virus "Tequila" broke out, and in September a similar "story" occurred with the "Amoeba" virus. These events practically did not affect Russia.

Summer 1991: "Dir_II" virus epidemic, which used fundamentally new ways of infecting files (link-virus).

In general, the year 1991 was quite calm - a kind of calm before the storm that broke out in 1992.

Viruses for non-IBM-PC and non-MS-DOS are almost forgotten: "holes" in global networks close, the bugs are fixed, and network worms are no longer able to spread. File, boot and file-boot viruses for the most common operating system (MS-DOS) on the most popular computer (IBM-PC) are beginning to become more and more important. The number of viruses is growing exponentially, various incidents with viruses occur almost daily. Various anti-virus programs are being developed, dozens of books and several regular magazines devoted to viruses are being published. Against this backdrop, several key points stand out:

Early 1992: the first polymorphic generator MtE, on the basis of which, after a while, several polymorphic viruses appear at once. MtE was also the prototype of several subsequent polymorphic generators.

March 1992: "Michelangelo" ("March6") virus epidemic and associated hysteria. This is probably the first known case when antivirus companies fanned the hype around a virus, not in order to protect users from any danger, but in order to draw attention to their product, i.e. for commercial purposes. So one American anti-virus company said that on March 6th information on more than five million computers will be destroyed. As a result of the hype that followed, the profits of various anti-virus firms increased several times, and only about 10,000 machines were actually affected by the virus.

July 1992: the appearance of the first VCL and PS-MPC virus constructors, which increased the already considerable flow of new viruses and, like MtE in its field, pushed virus writers to create other, more powerful constructors.

Late 1992: The first virus for Windows that infects the executable files of this operating system opened a new page in virus writing.

Virus writers set to work seriously: in addition to hundreds of ordinary viruses that do not fundamentally differ from their counterparts, in addition to a number of new polymorphic generators and constructors, in addition to new electronic publications There are more and more viruses that use extremely unusual methods of infecting files, penetrating the system, and so on. The main examples are:

"PMBS" running in protected mode on an Intel 80386 processor.

"Strange" (or "Hmm") - a solo performance on the topic "stealth virus", but performed at the level of hardware interrupts INT 0Dh and INT 76h.

"Shadowgard" and "Carbuncle", which greatly expanded the range of companion virus algorithms;

"Emmie", "Metallica", "Bomber", "Uruguay" and "Cruncher" - the use of fundamentally new methods of "hiding" their code in infected files.

In the spring of 1993, Microsoft released its own antivirus, MSAV, based on Central Point's CPAV.

The problem of viruses on CDs is becoming increasingly important. Quickly becoming popular, these disks proved to be one of the main ways for viruses to spread. Several incidents have been recorded when a virus got onto the master disk while preparing a batch of CDs. As a result, rather large runs (tens of thousands) of infected disks were released to the computer market. Naturally, there is no need to talk about their treatment - they will simply have to be destroyed.

At the beginning of the year, two extremely complex polymorphic viruses appeared in the UK - "SMEG.Pathogen" and "SMEG.Queeg" (until now not all anti-virus programs are able to achieve 100% results in their detection). The virus author placed infected files on BBS stations, which caused a real epidemic and panic in the media.

Another wave of panic was caused by the message about the supposedly existing "GoodTimes" virus, which spreads itself over the Internet and infects the computer upon receipt of e-mail. No such virus actually existed, but after a while a regular DOS virus with the text "Good Times" appeared, this virus was called "GT-Spoof".

Are activated law enforcement: In the summer of 1994, the author of SMEG was "discovered" and arrested. Around the same time, a whole group of virus writers calling themselves ARCV (Assotiation for Really Cruel Viruses) was arrested in the same UK. Some time later, another virus author was arrested in Norway.

Several new rather unusual viruses appear:

January 1994: "Shifter" is the first virus to infect object modules (OBJ files). "Phantom1" - the epidemic of the first polymorphic virus in Moscow.

April 1994: "SrcVir" is a family of viruses that infect program source code (C and Pascal).

June 1994: "OneHalf" - the beginning of a general epidemic of the virus, which is still the most popular virus in Russia.

September 1994: "3APA3A" is an outbreak of a file-boot virus that uses a highly unusual way to inject into MS-DOS. Not a single antivirus turned out to be ready to meet this type of monster.

In 1994 (spring), one of the anti-virus leaders of that time, Central Point, ceased to exist. It was purchased by Symantec, which had already swallowed up several small anti-virus companies - Peter Norton Computing, Certus International and Fifth Generation Systems.

Nothing really noticeable in the area of ​​DOS viruses, although there are some rather complex monster viruses like "NightFall", "Nostradamus", "Nutcracker" and such funny viruses as the "bisexual" virus "RMNS" and the BAT virus "Winstart ". "ByWay" and "DieHard2" viruses have become widespread - messages about infected computers have been received from almost all over the world.

February 1995: There was an incident with Microsoft: a "Form" virus was found on a disk containing a demo version of Windows95. Microsoft sent copies of this disk to beta testers, one of whom was not too lazy to check the disk for viruses.

Spring 1995: an alliance of two anti-virus companies is announced - ESaSS (ThunderBYTE anti-virus) and Norman Data Defense (Norman Virus Control). These companies, producing fairly strong antiviruses, joined forces and started developing a unified antivirus system.

August 1995: one of the turning points in the history of viruses and antiviruses: the first virus for Microsoft Word ("Concept") is discovered "live". Literally in a month, the virus "circled" the entire globe, flooded the computers of MS-Word users and firmly took first place in statistical studies conducted by various computer publications.

January 1996: two rather notable events - the first virus for Windows95 ("Win95.Boza") appeared and the epidemic of the extremely complex polymorphic virus "Zhengxi" in St. Petersburg.

March 1996: First virus outbreak for Windows 3.x. His name is "Win.Tentacle". This virus infected a computer network in a hospital and several other institutions in France. The interesting thing about this event was that it was the FIRST Windows virus to break free. Until that time (as far as I know) all Windows viruses lived only in the collections and electronic journals of virus writers, and only boot, DOS and Macro viruses were found in "live form".

June 1996: "OS2.AEP" is the first virus for OS/2 that correctly infects OS/2 EXE files. Prior to this, OS/2 had only encountered viruses that were written instead of a file, destroying it or acting in the "companion" method.

July 1996: "Laroux" - the first virus for Microsoft Excel, moreover, caught in a "live form" (almost simultaneously in two oil companies in Alaska and South Africa). Like MS-Word-viruses, the principle of operation of "Laroux" is based on the presence in the files of the so-called macros - programs in the Basic language. Such programs can be included in Excel spreadsheets in the same way as in MS-Word documents. As it turned out, the Basic language built into Excel also allows you to create viruses. The same virus in April 1997 caused an epidemic in computer companies in Moscow.

December 1996: "Win95.Punch" is the first "resident" virus for Win95. It is loaded into the system as a VxD driver, intercepts access to files and infects them.

In general, the year 1996 can be considered the beginning of a large-scale attack of the computer underground on the Windows32 operating system (Windows95 and Windows NT) and applications. Microsoft Office. During this and the following year, several dozen viruses for Windows95/NT and several hundred macro viruses appeared. In many of them, virus writers used completely new infection techniques and methods, added stealth and polymorphic mechanisms, and so on. Thus, computer viruses entered a new round of their development - to the level of 32-bit operating systems. Over the course of two years, viruses for Windows32 repeated approximately all the same stages that DOS viruses had gone through exactly 10 years earlier, but at a completely new technological level.

February 1997: "Linux.Bliss" is the first virus for Linux (a kind of Unix). So viruses have occupied another "biological" niche.

February-April 1997: Macro-viruses also got into Office97. The first of them turned out to be just macro-viruses for Word 6/7 "converted" into the new format, but almost immediately there appeared viruses oriented only to Office97 documents.

March 1997: "ShareFun" is a macro virus that infects MS Word 6/7. For its reproduction, it uses not only the standard features of MS Word, but also sends its copies by e-mail MS-Mail.

April 1997: "Homer" is the first network worm to replicate using the File Transfer Protocol (ftp).

June 1997: The first self-encrypting virus for Windows95 appears. A virus of Russian origin was sent to several BBSs in Moscow, causing an epidemic.

November 1997: "Esperanto" virus. An attempt to create (fortunately, unsuccessful) a multi-platform virus that works not only under DOS and Windows, but is also able to infect Mac OS (Mac) files.

December 1997: A new form of the virus, mIRC worms, is introduced. It turned out that the most popular Windows IRC (Internet Relay Chat) utility, known as mIRC, contained a "hole" that allowed virus scripts to transmit themselves over IRC channels. In the next version of IRC, the hole was closed, and mIRC worms sank into oblivion.

The main anti-virus event in 1997 was, of course, the separation of the anti-virus division of KAMI into an independent company, Kaspersky Lab, which has established itself today as a recognized technical leader in the anti-virus industry. Since 1994, the company's flagship product, the AntiViral Toolkit Pro (AVP), has consistently shown high results in numerous tests conducted by various test labs around the world. The division into an independent company made it possible at first for a small group of developers to become the first important anti-virus company in the domestic market and quite a prominent figure in the global market. In a short time, versions for almost all popular platforms were developed and released, new anti-virus solutions were proposed, and a network of international distribution and technical support was created.

In October 1997, an agreement was signed to license AVP technologies by the Finnish company DataFellows for use in their new development FSAV (F-Secure Anti-Virus). Prior to this, DataFellows was known as the manufacturer of F-PROT antivirus.

The year 1997 is also notable for several scandals that erupted between major antivirus manufacturers in the US and Europe. At the beginning of the year, McAfee announced that its specialists had discovered a "bug" in the programs of one of its main competitors - Dr.Solomon's antivirus. A statement from McAfee said that if Dr.Solomon antivirus detects several viruses during a scan various types, then its further work occurs in enhanced mode. That is, if under normal conditions on uninfected computers, Dr.Solomon's antivirus works in normal mode, then when testing virus collections, it switches to enhanced mode (according to McAfee's terminology "cheat mode" - "cheat mode"), which allows detecting viruses invisible to Dr. .Solomon when scanning normally. As a result, when testing on uninfected disks, Dr.Solomon's antivirus shows good speed results, and when testing virus collections, it shows good detection results.

Some time later, Dr.Solomon struck back at McAfee's misguided advertising campaign. Specifically, claims were made against the text "The Number One Choice Worldwide. No Wonder The Doctor" s Left Town ". At the same time, McAfee was in legal battle with another antivirus company Trend Micro over patent infringement for scanning data transmitted over the Internet and e-mail Symantec was also involved in the same conflict with Trend Micro, and Symantec then sued McAfee for using Symantec codes in McAfee products. Well, etc.

The year ended with another notable event associated with the McAfee name: McAfee Associates and Network General announced that they had merged into a single company, Network Assotiates, and positioned their efforts not only in the field of anti-virus protection, but also in the development universal systems computer security, encryption and network administration. From now on, McAfee's virus and antivirus history should be read as NAI.

The virus attack on MS Windows, MS Office and network applications continues unabated. Viruses are emerging that use ever more complex methods of infecting computers and new methods of penetrating computer networks. In addition to viruses, numerous Trojans that steal Internet access passwords and several hidden administration utilities also enter the arena. Incidents with infected CDs have been recorded: several computer magazines distributed disks with programs infected with Windows-viruses "CIH" and "Marburg" on their cover.

Beginning of the year: An epidemic of a whole family of "Win32.HLLP.DeTroie" viruses, not only infecting Windows32 executable files, but also capable of transmitting information about the infected computer to their "owner". Due to the use of specific libraries found only in French Windows versions, the epidemic affected only French-speaking countries.

February 1998: Another type of virus is discovered that infects Excel spreadsheets - "Excel4.Paix" (or "Formula.Paix"). This type of macro-virus, for its introduction into Excel spreadsheets, does not use the macro area common for viruses, but formulas, which, as it turned out, can also contain self-replicating code.

February-March 1998: "Win95.HPS" and "Win95.Marburg" are the first polymorphic Windows32 viruses, which were also discovered "in live form". The developers of anti-virus programs had to hastily adapt to the new conditions the methods for detecting polymorphic viruses, which had previously been designed only for DOS viruses.

March 1998: "AccessiV" - the first virus for Microsoft Access. It didn't cause the hype, as was the case with the "Word.Concept" and "Excel.Laroux" viruses, because everyone is already used to the fact that MS Office applications fall one after another.

March 1998: The "Cross" macro virus is the first virus to infect two different MS Office applications: Access and Word. Following it, several more macro viruses appeared, transferring their code from one Office application to another.

May 1998: "RedTeam" virus. It infects Windows EXE files, sends infected files using Eudora e-mail.

June: "Win95.CIH" virus epidemic, which became first mass, then global, and then general - reports of infection of computer networks and home personal computers numbered in the hundreds, if not thousands. The beginning of the epidemic was registered in Taiwan, where an unknown hacker sent infected files to local Internet conferences. From there, the virus made its way to the United States, where, due to an oversight, several popular Web servers were infected at once - they distributed game programs infected with the virus. Most likely, it was these infected files on game servers that caused the general epidemic of the virus, which did not weaken throughout the year. According to the "popularity" ratings, the virus "pushed" such viral superstars as "Word.CAP" and "Excel.Laroux". You should also pay attention to the dangerous manifestation of the virus: depending on the current date, the virus erased the Flash BIOS, which in some cases could lead to the need to replace the motherboard.

August 1998: the appearance of the sensational "BackOrifice" ("Backdoor.BO") - a utility for hidden (hacker) administration of remote computers and networks. Following "BackOrifice", several other similar programs appeared: "NetBus", "Phase" and others.

Also in August, the first virus appeared that infects Java executable modules - "Java.StangeBrew". This virus did not pose any danger to Internet users, since it is impossible to use the functions necessary for reproduction on a remote computer. However, he illustrated the fact that applications that are actively used when browsing Web servers can also be attacked by viruses.

There have also been significant shifts in the antivirus world. In May 1998, Symantec and IBM announced that they were joining forces on the anti-virus front: the joint product is distributed by Symantec under the same Norton Anti-Virus brand, and IBM Anti-Virus (IBMAV) ceases to exist. The main competitors immediately reacted to this: Dr.Solomon and NAI (formerly McAfee) immediately issued press releases with offers to give former IBMAV users a discount with their own antiviruses.

Less than a month later, Dr.Solomon himself ceased to exist. It was bought by NAI (McAfee) for $640 million in a stock swap. This event caused a shock in the antivirus world: the conflict between the two largest players in the antivirus business ended in a buy/sell, as a result of which one of the most visible and technologically strong manufacturers of antivirus software disappeared from the market.

Everything in the world should happen slowly and

wrong, so that a person cannot become proud,

to make a person sad and confused.

(Venedict Erofeev. "Moscow - Petushki")

5.Classification of computer viruses

Viruses can be divided into classes according to the following main features:

" habitat;

"operating system (OC);

"features of the algorithm of work;

destructive possibilities.

By HABITAT, viruses can be divided into:

" file;

" boot;

"network.

File viruses either infiltrate executable files in various ways (the most common type of viruses), or create twin files (companion viruses), or use the peculiarities of the file system organization (link viruses).

Boot viruses write themselves either to the disk boot sector (boot sector), or to the sector containing the hard drive bootloader (Master Boot Record), or change the pointer to the active boot sector.

Macro viruses infect document files and spreadsheets of several popular editors.

Network viruses use the protocols or commands of computer networks and e-mail to spread.

There are a large number of combinations - for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex algorithm of work, often use original methods of penetrating the system, use stealth and polymorphic technologies. Another example of such a combination is a network macro virus that not only infects edited documents, but also sends copies of itself by e-mail.

The infected OPERATING SYSTEM (or rather, the OS whose objects are susceptible to infection) is the second level of division of viruses into classes. Each file or network virus infects files of one or more OS - DOS, Windows, Win95/NT, OS/2, etc. Macro viruses infect Word, Excel, Office97 files. Boot viruses are also focused on specific formats for the location of system data in the boot sectors of disks.

Among the FEATURES of the WORKING ALGORITHM of viruses, the following points stand out:

" residency;

"use of stealth algorithms;

" self-encryption and polymorphism;

using unconventional methods.

When a virus infects a computer, a RESIDENT virus leaves its resident part in RAM, which then intercepts the operating system's calls to infected objects and injects itself into them. Resident viruses reside in memory and are active until the computer is turned off or the operating system is restarted. Non-resident viruses do not infect computer memory and remain active for a limited time. Some viruses leave small resident programs in RAM that do not spread the virus. Such viruses are considered non-resident.

Macro-viruses can be considered resident, since they are constantly present in the computer's memory for the entire time the infected editor is running. In this case, the role of the operating system is assumed by the editor, and the concept of "rebooting the operating system" is interpreted as exiting the editor.

In multitasking operating systems, the "lifetime" of a resident DOS virus can also be limited to the moment the infected DOS window is closed, and the activity of boot viruses in some operating systems is limited to the moment the OC disk drivers are installed.

The use of STEALTH algorithms allows viruses to completely or partially hide themselves in the system. The most common stealth algorithm is to intercept OC read/write requests for infected objects. At the same time, stealth viruses either temporarily cure them, or “substitute” uninfected pieces of information in their place. In the case of macro viruses, the most popular method is to disable calls to the macro view menu. One of the first file-based stealth viruses was "Frodo", the first boot stealth virus was "Brain".

SELF-ENCRYPTING and POLYMORPHICITY are used by almost all types of viruses in order to complicate the virus detection procedure as much as possible. Polymorphic viruses (polymorphic) are rather hard-to-detect viruses that do not have signatures, i.e. not containing a single constant piece of code. In most cases, two samples of the same polymorphic virus will not have a single match. This is achieved by encrypting the main body of the virus and modifying the decryptor program.

Various NON-STANDARD TECHNIQUES are often used in viruses to hide themselves as deeply as possible in the OC kernel (as the "3APA3A" virus does), to protect its resident copy from detection ("TPVO", "Trout2" viruses), to make it difficult to treat the virus (for example, by placing your copy in Flash-BIOS), etc.

According to their DESTRUCTIVE CAPABILITIES, viruses can be divided into:

"harmless, i.e. not affecting the operation of the computer in any way (except for reducing free disk space as a result of its distribution);

" benign, the effect of which is limited to a decrease in free disk space and graphic, sound, etc. effects;

" Dangerous viruses that can cause serious computer malfunctions;

"very dangerous, whose operation algorithm is deliberately based on procedures that can lead to the loss of programs, destroy data, erase the information necessary for the operation of the computer recorded in system memory areas, and even, as one of the unverified computer legends says, contribute to the rapid wear of moving parts of mechanisms - to enter into resonance and destroy the heads of some types of hard drives.

But even if no branches that damage the system are found in the virus algorithm, this virus cannot be called harmless with full confidence, since its penetration into a computer can cause unpredictable and sometimes catastrophic consequences. After all, a virus, like any program, has errors, as a result of which both files and disk sectors can be corrupted (for example, the seemingly harmless "DenZuk" virus works quite correctly with 360K floppy disks, but can destroy information on larger floppy disks). volume). Until now, there are viruses that define "COM or EXE" not by the internal file format, but by its extension. Naturally, if the format and extension of the name do not match, the file becomes inoperable after infection. It is also possible to "jam" a resident virus and the system when using new versions of DOS, when working in Windows or with other powerful software systems. Etc.

6. Prospects: what will happen tomorrow and the day after tomorrow

6.1. What will be tomorrow?

What to expect from the computer underground in the coming years? Most likely the main problems will remain: 1) polymorphic DOS viruses, to which will be added polymorphism problems in macro viruses and viruses for Windows and OS/2; 2) macro-viruses that will find more and more methods of infection and hiding their code in the system; 3) network viruses that use the protocols and commands of computer networks for their distribution.

Item 3) is still only at a very early stage - viruses are making their first timid attempts to independently distribute their code via MS Mail and using ftp, but still ahead.

It is possible that other problems will appear that will bring a lot of trouble to users and a sufficient amount of after-hours work for anti-virus software developers. However, I look to the future with optimism: all the problems that have ever arisen in the history of the development of viruses have been solved quite successfully. Most likely, future problems, which are still only ideas in the inflamed minds of virus writers, will be solved just as successfully.

6.2. What will happen the day after tomorrow?

What will happen the day after tomorrow and how long will viruses exist in general? In order to answer this question, it is necessary to determine where and under what conditions viruses are found.

The main nutrient medium for the mass spread of a virus in a computer, in my opinion, must contain the following necessary components:

operating system (OS) insecurity;

"the presence of a diverse and fairly complete documentation on OC and hardware";

"the widespread use of this OS and this hardware."

It should be noted that the concept of an operating system is quite extensible. For example, for macro viruses, the operating system is word editors and Excel, since it is editors, not Windows, that provide macro viruses (ie BASIC programs) with the necessary resources and functions.

If the operating system contains elements of information protection, as is done in almost all operating systems, it will be extremely difficult for a virus to hit its targets, since this will require (at least) cracking the system of passwords and privileges. As a result, the work required to write a virus will only be done by high-level professionals (the Morris virus for VAX is an example of this). And for professionals, in my opinion, the level of decency is still much higher than among consumers of their products, and, consequently, the number of created and launched in great life viruses will be further reduced.

Mass production of viruses also requires a sufficient amount of information about their environment. What percentage of the number of system programmers working on mini-computers in UNIX operating systems, VMS, etc. knows the process control system in RAM, full formats executable files and boot records on disk? (i.e. the information needed to create a virus). And therefore, what percentage of their number is able to grow a real full-fledged beast? Another example is the Novell NetWare operating system, which is quite popular but extremely poorly documented. As a result, I am not yet aware of a single virus that has affected Novell NetWare executable files, despite numerous promises from virus writers to release such a virus in the near future.

Well, about the wide distribution of the OS as necessary condition for a viral invasion, I’m tired of talking: for 1000 programmers, only 100 are able to write a virus, for this hundred there is one who will bring this idea to completion. Now we multiply the resulting proportion by the number of thousands of programmers - and we get the result: on the one hand, 15,000 or even 20,000 fully IBM-compatible viruses, on the other, several hundred viruses for Apple-Macintosh. The same mismatch of proportions is also observed in the comparison of the total number of viruses for Windows (several dozen) and for OS/2 (several pieces).

Several operating systems (including editors) produced by Microsoft (DOS, Windows, Win95 / NT and Word, Excel, Office97) satisfy the above three conditions for the "flourishing" of computer viruses, which provides fertile ground for the existence of a wide variety of file and macro viruses. . The standards for partitioning hard disks also satisfy the above conditions. The result is a variety of boot viruses that infect the system at the time of its boot.

In order to estimate the duration of the invasion of computer viruses in any OC, it is necessary to estimate the time of coexistence of the above necessary conditions.

It is pretty clear that IBM and Apple are not going to give up the mass market to their competitors for the foreseeable future (to the delight of Apple and IBM programmers), even if these firms have to join forces to do this. It is also not possible to truncate the flow of information on the most common systems, as this will affect the number of applications for them, and, consequently, their "marketability". There is only one thing left - OS protection. However, the security of the OS requires the execution of certain rules (passwords, etc.), which leads to a number of inconveniences. Therefore, it seems unlikely to me that such operating systems will become popular among ordinary users - secretaries, accountants, on home computers, etc., etc., or the protection functions will be disabled by the user when the OS is installed.

Based on the foregoing, we can draw the only conclusion: viruses have successfully infiltrated everyday computer life and are not going to leave it in the foreseeable future.

Computer viruses - myth and reality?

I often hear questions from computer users - “My computer is broken. Burned out , etc. They told me it was a virus. It's true? ” Such a question usually makes me smile and the short answer is “it’s over, it’s not true.”
Strange as it may seem, but the majority of computer users believe that computer viruses can do anything, even steal a computer from an apartment, is it a joke, of course?

Therefore, various myths are created, and usually spread by various imaginary "computer masters" who only yesterday learned how to drive a mouse.

And their standard response to any breakdown is “Yes, it’s probably a virus that burned yours” or “I can’t do it, apparently some kind of virus is in the way.” In general, if he does not know what is broken and how to fix it, then his standard phrase is “It's a virus”. Well, then word of mouth works from a person, information is transmitted to a person about terrifying viruses that burn hundreds of computers in a couple of seconds.

Yes, of course, Hollywood tried again here with its films in which computer viruses blow up the computers of innocent users, in general, do not believe everything that is shown in the movies.

The main myths about computer viruses and some humor

This is not true, a computer virus cannot cause any physical damage to your components. Of course, it is theoretically possible to make changes, for example, to video cards. But in 99% of cases, the user himself is guilty, who tried to overclock the video card or flash it, and not the mythical virus.

Personally, I have never met with cases of breakdown (burning) of components due to viruses.

2. A computer virus interferes.

Also complete nonsense. Since viruses only work in the operating system environment, that is, when running windows. Yes, and after formatting the hard drive when installing Windows, all data, including viruses, is completely erased.

3. Viruses do their dirty work even when the computer is turned off.

No, viruses cannot work when the computer is turned off, because a virus is also a program.

4. The computer was infected with viruses and it does not turn on.

Because of viruses, Windows may not start, but it cannot be that the computer does not turn on at all because of them.

5. Yes! Viruses blow up computers, eat holes in video cards and other components, multiply in the warm environment of a processor radiator and build their own statehood.

Of course, this point is a joke, viruses are incapable of this. I just can't write this article without humor and a smile. Remembering the statements and questions of some users that are listed in this paragraph.

What can viruses do?

Yes, viruses are very dangerous and annoying. But what I described above they cannot do. The most nasty are those viruses that delete information from your disk, infecting various files. That is, they do not delete them, but the antiviruses that detected them in this file.
In general, viruses are mostly capable of doing little dirty tricks. Although there are more serious brothers, they still cannot burn the computer.

The main thing to remember is that a virus is the same program that copies (replicates) on its own and aims to harm other programs. But since this is a program, it cannot go beyond the functions of programs.

I would be glad if in the comments you express people's comical beliefs about what viruses can do.

Viruses. Myths and reality

Virus classification

The following classification, we hope, will help you navigate the diversity and characteristics of viruses. It is based on the original classification of viruses by Kaspersky Lab.

By habitat, viruses can be divided into:

- file viruses that inject into executable files (COM, EXE, SYS, BAT, DLL);

- bootable, which are embedded in the boot sector of the disk (Boot-sector) or in the sector containing the hard drive system loader (Master Boot Record);

- macro viruses that are introduced into systems that use so-called macros during operation (for example, Microsoft Word or Microsoft Excel).

There are also combinations. For example, viruses that infect both files and boot sectors. As a rule, they have a rather complex algorithm of work, often use original methods of penetrating the system, and they are more difficult to detect.

Classification of viruses according to the methods of infection.

- Resident viruses - when infecting a computer, they leave their resident part in RAM, which then intercepts the operating system's access to infected objects and infiltrates them. Resident viruses reside in memory and remain active until the computer is turned off or restarted.

– Non-resident viruses do not infect computer memory and are active only for a limited time.

According to their destructive capabilities, viruses can be divided into:

- harmless, that is, not affecting the operation of the computer in any way (except for reducing free disk space as a result of its distribution);

– non-hazardous, the impact of which is limited by the reduction of free disk space and graphic, sound and other effects;

- dangerous - viruses that can lead to serious malfunctions;

- very dangerous - capable of leading to loss of programs, destruction of data, information necessary for the operation of the computer, information recorded in system memory areas, etc.

The classification of viruses according to the features of the algorithm is as follows.

– “Companion” viruses – the algorithm of their work is that they create satellite files for EXE files that have the same name, but with the COM extension. When running such a file, MS-DOS will first detect and execute the COM file, that is, the virus, which will then run the EXE file.

- Viruses - "worms" (worm) - a variant of the "companion" viruses. Worms do not associate their copies with any files. They create copies of themselves on disks and in folders on disks without modifying other files in any way and without using the som-exe technique described above.

– “Student” viruses are extremely primitive, often non-resident and containing a large number of errors.

- "Stealth" viruses (stealth viruses) are very advanced programs that intercept MS-DOS calls to affected files or disk sectors and "substitute" uninfected pieces of information instead. In addition, when accessing files, such viruses use rather original algorithms that allow them to bypass resident anti-virus monitors.

– “Polymorphic” viruses (self-encrypting, or “ghost” viruses, polymorphic) are quite difficult to detect viruses that do not contain a single permanent code section. In most cases, two samples of the same "polymorphic" virus will not have a single match. This is achieved by encrypting the main body of the virus and modifying the decryptor program.

– Macro viruses – viruses of this family use the capabilities of macro languages ​​(such as Word Basic) built into data processing systems (text editors, spreadsheets, etc.). Currently, macro viruses that infect Microsoft Word text editor documents and Microsoft Excel spreadsheets are widespread.

– Network viruses (network "worms") - viruses that spread in a computer network and, like "companion" viruses, do not change files or sectors on disks. They penetrate into the memory of a computer from a computer network, calculate the network addresses of other computers and send copies of themselves to these addresses. Such viruses sometimes create working files on system disks, but may not access computer resources at all (with the exception of RAM).

Ways of infection

The most popular infection methods are as follows.

– Through the Internet, in the so-called “voluntary” way: when a user downloads something from the Web. Very often, a real WIN95 can sit under a harmless browser accelerator. CIH (WIN95. CIH, or "Chernobyl", flashes the computer's BIOS).

- Through the Internet by "push" method: due to the illiterate settings of the browser, you are offered (at best) to download JavaScript, ActiveX, etc. as a signed element. The result of such a download may be open ports (a port is a communication channel between two or more computers) for further attack, data deletion or file theft. The fact is that web pages include not only text, graphics, music and animation (that is, data), but also active content, which includes Java applets and ActiveX controls. So, these objects are program code running on the user's computer. What prevents a malicious user from writing such code that would format the disk? Of course, Internet Explorer security settings. Therefore, in the security settings of the Internet browser, it is necessary to disable the download of unsigned ActiveX controls and the use of ActiveX controls that are not marked as safe, or even better, set the security level to high.

A virus from the Internet can penetrate your computer on its own - all you need to do is to be connected to the Internet. The well-known MSBlast, as well as a number of others, is distributed through this mechanism. Here is one example of a breach propagation algorithm: using a breach in the DCOM RPC service, the worm checks port 135 of machines hanging on the network. If the test results are favorable, port 4444 is opened to wait for further commands. Next, port 69 UDP is opened, after which the worm downloads the media file to the computer. Therefore, it is necessary that new updates are downloaded to the operating system, otherwise worms may be the last code that it processes.

– The most common way of infection is the spread of viruses through e-mail. Despite numerous warnings and precautions, it is progressing. Therefore, be careful and never open the attached files that came with a message from a stranger.

- Through a floppy disk or CD - also a fairly common way of infection. Statistically, users check floppy disks more often than disks, to say the least: CDs are usually not checked at all. However, it is pirated discs (no one will deny that we have the majority of them) that play a significant role in the spread of viruses. Why, when the Chernobyl virus swept over Europe and Asia, it turned out that about a million cars were infected, and only 10,000 in the USA? Because it was distributed through illegal software copied onto CDs. Therefore, make it a rule to check removable drives anti-virus program and regularly update anti-virus databases.

Sometimes a virus can be disguised as a joke program that mimics a virus, although both Kaspersky 5.0 and Panda Platinum define it as a real virus. The ingenuity of the creator of the virus in this case knows no bounds: the name of such a "joke" can be: Not virus! Joke! Ensure objectivity antivirus check is possible only by disassembling such a program. Sometimes viruses can even be in the antivirus program code.

Viruses, which have become widespread in the computer environment, have excited the whole world. Hacking networks, robbing banks and stealing intellectual property - all this has long been no longer a myth, but a harsh reality. The annual losses caused by the consequences of viral activity amount to billions of dollars.

The vast majority of viruses are programs that are essentially harmless, limiting the field of their activity to text, sound and video effects. Written by amateurs, most of them contain errors in the code, which does not allow them to fully cause harm. In addition to such common troubles as, for example, formatting a system disk, viruses can damage the hardware component, burn out the monitor's phosphor, and even affect health (the sensational 777 virus). You have probably already heard that viruses mainly infect EXE and COM files. That was the case until recently. To date, you will not surprise anyone with infected documents created in Office. More recently, cases of viruses spreading through JPEG files have been reported.

However, even if the computer runs smoothly and does not show any signs of virus activity, this does not mean at all that the system is not infected. Some system folders may contain a Trojan horse that sends its owner passwords from your e-mail or, even worse, from payment system webmoney.

In some cases, most users do not even suspect that they are the objects of control.

Software can be different: useful and not very useful. In the latter case, we are talking about the notorious computer viruses. Computer virus - malware, which can reproduce copies of itself and independently penetrate (embed copies of itself) into the code of other programs, databases, boot sectors of a hard disk, etc. Moreover, this type of software is not limited to “penetration”. The ultimate goal of most computer viruses is to cause some harm to the recipient. The harmfulness of computer viruses comes down to deleting files, capturing part of the computer's disk space, blocking the work of its users, hacking personal data, etc.

Oh, but not all computer viruses so hostile. Some of them simply display harmless messages of humorous, advertising or political content on the monitor screen. There is no harm to the computer in this case. What can not be said about the user, whose nervous system is subjected to a certain test. A test that not all of us can handle. Torn off mice, mutilated keyboards and broken monitors in commercials are a vivid confirmation of this.

As you probably already guessed, our today's conversation will go about the history of computer viruses.

Why "virus"?

I'll start my excursion into history with the origin of the name "computer virus". Why "virus" and not, say, "illness" or "injury"? The answer is simple - it's all about the striking similarity of the distribution mechanism of biological and computer viruses. Just as a biological virus takes over a cell of an organism, reproduces itself in it, and then occupies a new cell, so does a computer virus. Having penetrated into one or another program, having created a certain number of copies of itself, malicious software begins to take over other areas of the computer, and then moves to the next device. Agree, the analogy is more than obvious. Actually, that's why the "virus". True, not biological, but computer.

It is not known for certain who and when was the first to use this phrase. Therefore, without claiming to be the ultimate truth, I will voice the name of the person who is most often mentioned in this context. This (pictured on the right) is an astrophysicist and, in combination, a science fiction writer from the USA. Many believe that it is in his story "The Scarred Man"(1970) the word "virus" was first used in relation to a computer program.

No theory - no viruses!

As is often the case, words and deeds diverge noticeably in time. In our case, this can be confirmed by the fact that the substantiation of the theoretical foundations for the creation and functioning of self-reproducing computer programs(viruses) took place decades before the phrase itself.

As early as 1949 at the University of Illinois, an American mathematician of Hungarian origin John von Neumann taught a course of lectures on the topic "Theory and organization of complex automatic devices." Subsequently, the famous scientist summarized his lecture materials and published in 1951 a scientific work with a similar title "Theory of self-reproducing automatic devices." In his work, John von Neumann described in detail the mechanism for creating a computer program that, in the process of functioning, could reproduce itself.

Von Neumann's scientific research served as the main impetus for the practical creation of computer viruses in the future, and the scientist himself is rightfully considered the father of the theoretician of computer virology.

Developing the theory of the American, the German researcher Veith Rizak in 1972 publishes the article "Self-reproducing automatic devices with minimal exchange of information. In it, the scientist describes the mechanism of operation of a full-fledged virus written in Assembly language for the SIEMENS 4004/35 computer system.

Another important scientific work in this area is the diploma of a graduate of the University of Dortmund Jürgen Kraus. In 1980, in his final work"Self-reproducing programs" the young researcher opened the questions of the theory, described the self-reproducing programs for the SIEMENS computer that already existed at that time and was the first to focus on the fact that computer programs are similar to biological viruses.

The observant reader may notice that the scientific research mentioned above concerned the development of exclusively "peaceful" computer programs capable of reproducing themselves. Theorists did not even think about the harmfulness of their "patients". It was done for them by other people who recognized in time the huge potential of this kind of programs for “damaging” computers and other equipment. But that was later, but for now let's move on from theory to practice.

The first swallows

They have what John von Neumann spoke and wrote about, a group of employees of an American company Bell Laboratories created an original game for the IBM 7090 computers in 1961 Darwin. During this game, a certain number of assembler programs ("organisms") were loaded into the computer's memory. The organisms belonging to one player were supposed to absorb the organisms of another player, taking up more and more of the playing space in the process. The victory was celebrated by the player whose organisms captured the entire game memory.

Those of you, dear readers, who want to get acquainted in detail with the chronology of the occurrence of known computer viruses on the planet, I can recommend in English. There you will find numerous interesting facts about "proto-viruses" (say Jerusalem/1987 or Morris worm/1988) and update your knowledge about fresh malware (eg Game Over/2013 Trojan horse). Of course, if with English you are on you.

Virus to virus - discord!

Over the years that have passed since the appearance of the first computer virus, the main types (types) of malicious software have been formed. I will briefly dwell on each of them.

Classification of computer viruses:

• network worm- a type of "hostile" software that is able to independently spread using local or global computer networks. The first representative is the already mentioned Morris worm.


• Trojan horse, trojan- a type of computer virus distributed (loaded into a PC) directly by a person. Unlike a worm, a Trojan cannot spontaneously take over a particular computer. The first Trojan horse was the AIDS computer virus in 1989.


• Polymorphic computer virus- malware that has an increased level of protection against detection. In other words, it is a computer virus created using a special programming technique that allows it to remain undetected for a longer time. The first polymorphic virus was Chameleon (1990).


• stealth virus- a computer virus that can partially or completely hide its presence at the place of download and activation. In fact, this is an invisible virus, the key difference of which from a polymorphic virus is the method of masking. The mechanism for concealing the presence of a stealth virus is to intercept calls to the operating system by anti-virus software. Frodo (1990) is considered to be the progenitor of this group of computer viruses.

If something is being done, then someone needs it

What are the goals of the creators of computer viruses? Yes, very different. For the most part, according to Western analysts, we are talking about the destruction of the computer equipment of competitors/enemies or the theft of funds that belong to persons attacked by the virus.

At the same time, there are other, sometimes quite amusing, reasons for the development of computer viruses. Some figures spread political information through the virus. Others, full of concern for others, use it to point out the vulnerability of certain software. There are even people who, watching the consequences of a virus attack, get perverted human pleasure. Have fun, in a word.

It is also impossible to discount the role of developers in the creation and distribution of computer viruses. One might ask: how is that? But like this! Every year, losses from virus attacks in the world are estimated at billions of US dollars. The capitalization of the international market for paid anti-virus software is also estimated in billions. You can come to a simple thought: this is an inexhaustible gold mine. First, the virus is created (albeit with the help of intermediaries), and then it is effectively treated by the customer. For money.

There is nothing new in this. Especially if you remember what not indifferent activists reproach transnational pharmaceutical companies. Then in my conjectures you can find a healthy grain. And not even one.

In short, the whole history of the emergence of computer viruses. Be careful and may happiness, health and three bags of money be with you.