
Resident viruses: what they are and how to remove them

Most users have run into the idea of a computer virus. Fewer know that the classic taxonomy divides viruses into two large classes, non-resident and resident. This article concentrates on the second class, because its members are the most dangerous and the hardest to get rid of: some of them survive even a format of the disk or a logical partition, because they live in the boot sector or master boot record rather than among the files.

What are resident viruses?

So what does the user actually face? To explain in simple terms how such viruses are built and how they operate, we first need to say what a resident program is.

A resident program (in DOS terms, a terminate-and-stay-resident or TSR program) is one that stays loaded in memory after it appears to have finished and keeps working in the background without showing any activity of its own; an ordinary real-time antivirus monitor is a legitimate example. A resident virus does the same, but it also plants its own copies in memory. Those copies keep watching the system and spread to every object the system touches, which makes them hard to locate. Some change their own structure from copy to copy, so that detection by the usual methods becomes practically impossible. How to remove viruses of this type is covered later; first, the main types of resident threat.

DOS Threats

Before Windows, when the user talked to the computer at the command line, the operating system on personal computers was DOS, which stayed at the peak of popularity for a long time.

It was for DOS that non-resident and resident viruses were first written, and their payloads were initially aimed at breaking the system or deleting the user's files and directories.

The mechanism, which incidentally is still widely used, is interception of file access: the virus hooks the DOS services interrupt (INT 21h), and when a file is opened, executed or otherwise accessed, it infects that object. Most of the resident file viruses known today work this way. The virus stays in memory either as a resident module in the form of a device driver listed in the CONFIG.SYS configuration file, or through the DOS terminate-and-stay-resident call (the KEEP function, INT 21h with AH=31h), which ends the host program but leaves the virus body and its interrupt hooks in memory.

Things are worse when a resident virus of this type allocates system memory itself. It carves a piece out of free memory, marks that area as occupied (so that DOS will not give it to anyone else), and keeps its copy there. Worst of all, there are viruses whose copies sit in video memory, in memory reserved for the clipboard, in the interrupt vector table and in the DOS work areas.

All this makes the copies extremely tenacious. A non-resident virus runs only while its infected host program is running; a resident virus stays active until the machine is reset, and because it has already infected files or the boot sector, it is reinstalled the next time one of them is loaded, so it is back after every reboot. A virus that makes a fresh copy in RAM on every access to an infected object fills memory with duplicates, and the computer hangs. As one would expect, treatment should be done with dedicated scanners, preferably not the installed one but a portable tool or one that boots from an optical disc or a USB stick, so that the scan runs while the virus is not resident. More on this later.

Boot Threats

Boot viruses get into memory in a similar way, but, as they say, delicately. When the BIOS loads the infected boot sector, the virus first "eats" a piece of system memory (usually 1 KB, though the figure can reach 30 KB) by lowering the conventional memory size that the BIOS reports, copies its code into the area that is now hidden from the system, and then loads and runs the original boot sector, which it saved elsewhere when it infected the disk. Some go one step further and, once installed, restore the memory size to its original value: nothing then looks wrong in the memory count, although the copy now sits in memory that the system believes is free, which is risky for the virus but hides it from the simplest check.

Besides hooking interrupts, such viruses write their own code into the boot sector of a diskette or into the master boot record (MBR) of a hard disk. Viruses that do not hook the BIOS disk interrupt (INT 13h) or the DOS interrupts are rarer; they are loaded once per boot and do not even check whether a copy of themselves is already resident.
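The signs described in the two sections above, memory hidden from DOS, interrupt vectors redirected into it, and a rewritten boot sector, are all things an offline check can look for. The following is an added example, not code from the original article: it builds a constructed 512-byte MBR in memory, parses the partition table, compares the bootstrap area against a hash saved while the disk was clean, and applies the two classic heuristics for a resident boot virus, namely the conventional-memory count at 0040:0013h having dropped below 640 KB and an interrupt vector pointing into the memory that is no longer reported. The sample sectors, hashes and vector values are constructed; on a real machine the inputs would come from a raw read of sector 0 and from the BIOS data area.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # the last two bytes of a valid boot sector
PARTITION_TABLE_OFFSET = 446
NORMAL_CONVENTIONAL_KB = 640           # what the BIOS data area (0040:0013h) reports on a healthy PC


def build_sample_mbr(code: bytes, partitions) -> bytes:
    """Constructed test data: a 512-byte MBR with the given bootstrap code and
    up to four (status, type, lba_start, sector_count) partition entries."""
    if len(code) > PARTITION_TABLE_OFFSET:
        raise ValueError("bootstrap code must fit in the first 446 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        entry = struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
        off = PARTITION_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its bootstrap code (hashed), partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:                               # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def mbr_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """Compare only the bootstrap area with a hash taken while the disk was clean.
    A boot virus replaces the code but keeps the partition table so that the
    machine still boots; hashing the code alone also keeps the check valid after
    legitimate repartitioning."""
    return parse_mbr(sector)["code_sha256"] != baseline_sha256


def stolen_conventional_kb(reported_kb: int) -> int:
    """How much conventional memory has disappeared from the BIOS count.
    A boot virus lowers the word at 0040:0013h (1 KB is typical, up to about
    30 KB) so that DOS never allocates the top of memory where the virus lives."""
    return max(0, NORMAL_CONVENTIONAL_KB - reported_kb)


def vector_in_hidden_memory(segment: int, offset: int, reported_kb: int) -> bool:
    """True if a real-mode interrupt vector (e.g. INT 13h) points into the memory
    the BIOS no longer reports: the classic sign of a resident boot virus.
    A clean INT 13h vector points into the BIOS ROM (segment F000h)."""
    linear = (segment << 4) + offset
    return reported_kb * 1024 <= linear < NORMAL_CONVENTIONAL_KB * 1024


# Constructed samples: the "clean" loader is just a plausible-looking byte string,
# the "infected" one is different code with the same partition table.
PARTITIONS = [(0x80, 0x06, 63, 2_097_152)]                     # one bootable FAT16 partition
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 8
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, PARTITIONS)
CLEAN_HASH = parse_mbr(CLEAN_MBR)["code_sha256"]
INFECTED_MBR = build_sample_mbr(b"\xEA\x00\x7C\xC0\x9F" + b"\xCC" * 20, PARTITIONS)

if __name__ == "__main__":
    print("clean MBR changed?   ", mbr_code_changed(CLEAN_MBR, CLEAN_HASH))              # False
    print("infected MBR changed?", mbr_code_changed(INFECTED_MBR, CLEAN_HASH))           # True
    print("partitions:", parse_mbr(INFECTED_MBR)["partitions"])                          # table untouched
    print("KB stolen when BIOS reports 639 KB:", stolen_conventional_kb(639))           # 1
    print("INT 13h -> 9FC0:0000 hidden?", vector_in_hidden_memory(0x9FC0, 0x0000, 639))  # True
    print("INT 13h -> F000:EC59 hidden?", vector_in_hidden_memory(0xF000, 0xEC59, 639))  # False
```

The baseline hash is the important part: a scanner cannot know what a particular machine's legitimate loader looks like, but it can know that it has changed since the last clean boot. The memory-count heuristic is the same one old users applied by hand when CHKDSK or MEM reported 639 KB instead of 640 KB.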

Viruses under Windows

With the advent of Windows, virus writing unfortunately reached a new level. Windows, in every version, is considered the most vulnerable and most heavily targeted system, despite all the effort Microsoft has put into its security components.

Viruses written for Windows work on principles similar to the DOS threats, but they have many more ways of getting onto the computer. Of the most common, three main techniques let a virus place its code in the system:

  • registering itself as a currently running application;
  • allocating a block of memory and writing its own copy into it;
  • running as a VxD virtual device driver on Windows 9x, or posing as a kernel-mode driver on Windows NT.

Infected files and areas of system memory can, in principle, be cleaned by the standard methods used in antivirus scanners (detection by virus mask, comparison against signature databases and so on). Unsophisticated free programs, however, may fail to detect the virus and sometimes raise false alarms. It is therefore common to use portable utilities such as Doctor Web's Dr.Web CureIt! or the stand-alone tools from Kaspersky Lab; today there are plenty of utilities of this kind.

Macro viruses

This is another kind of threat. The name comes from "macro": a small program, written in the application's scripting language and stored inside a document or template, that some editors use to automate tasks. Not surprisingly, a macro virus is launched when the application (Word, Excel and so on) starts, when an office document is opened or printed, when a menu item is chosen and so on, because the application itself runs macros with reserved names at those events.

Such threats, planted in the form of global (system) macros, stay in memory for as long as the editor is running. Still, if we ask how to get rid of viruses of this type, the answer is comparatively simple. In some cases it is enough to disable add-ins or the execution of macros in the editor itself, together with antivirus protection that checks macros, not to mention an ordinary quick scan of the system by an antivirus package.
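As an added example (not from the original article), a triage script for the macro case: it tells a macro-enabled OOXML package from a plain one by looking for the VBA project part and the content type that declares it, and, given the macro source as a tool such as olevba dumps it, lists the procedures that run automatically on the events named above and the objects a macro needs in order to copy itself into the global template. The document packages and the VBA text are constructed test data, and the name lists are a heuristic, not a complete catalogue.

```python
import io
import re
import zipfile

# Procedure names that Word and Excel run automatically on the events the text lists
AUTO_EXEC_NAMES = {
    "autoexec", "autoopen", "autoclose", "autonew", "autoexit",      # Word auto macros
    "document_open", "document_close", "document_new",               # Word VBA events
    "auto_open", "auto_close", "workbook_open", "workbook_close",     # Excel
    "workbook_activate", "workbook_beforeclose",
}
# Objects a macro needs in order to write itself into the global template (Normal.dot)
SELF_COPY_INDICATORS = ("NormalTemplate", "VBProject", "VBComponents", "CodeModule")

PROC_RE = re.compile(r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)


def build_office_zip(content_types_xml: str, parts: dict) -> bytes:
    """Constructed test data: a minimal OOXML package (docx and docm are ZIP files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types_xml)
        z.writestr("word/document.xml", "<w:document/>")
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def inspect_office_zip(data: bytes) -> dict:
    """Does the package carry a VBA project, and does it admit to being macro-enabled?"""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    declared = "macroEnabled" in content_types or "vbaProject" in content_types
    return {"has_vba_project": has_vba, "declares_macro_enabled": declared,
            "vba_without_declaration": has_vba and not declared}


def find_auto_macros(vba_source: str) -> list:
    """Names of procedures that run without the user choosing anything."""
    return [m.group(1) for m in PROC_RE.finditer(vba_source)
            if m.group(1).lower() in AUTO_EXEC_NAMES]


def self_copy_indicators(vba_source: str) -> list:
    low = vba_source.lower()
    return [kw for kw in SELF_COPY_INDICATORS if kw.lower() in low]


def triage_macro(vba_source: str) -> str:
    auto = find_auto_macros(vba_source)
    copies = self_copy_indicators(vba_source)
    if auto and copies:
        return "likely macro virus: auto-run procedure that touches the global template"
    if auto:
        return "auto-run macro present: review before enabling"
    return "no auto-run macros"


# Constructed packages: a plain .docx, a declared .docm, and a .docx that carries a
# VBA part without declaring it (the OLE header bytes stand in for a real project).
DOCX_CT = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
           '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
           '</Types>')
DOCM_CT = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
           '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
           '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           '</Types>')
FAKE_VBA_BIN = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 24
PLAIN_DOCX = build_office_zip(DOCX_CT, {})
MACRO_DOCM = build_office_zip(DOCM_CT, {"word/vbaProject.bin": FAKE_VBA_BIN})
SNEAKY_DOCX = build_office_zip(DOCX_CT, {"word/vbaProject.bin": FAKE_VBA_BIN})

# Constructed VBA text: the procedure names matter, the bodies do nothing.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Set vb = NormalTemplate.VBProject
End Sub
Sub AutoClose()
End Sub
Sub FormatReport()
End Sub
"""

if __name__ == "__main__":
    for label, pkg in (("plain", PLAIN_DOCX), ("docm", MACRO_DOCM), ("sneaky", SNEAKY_DOCX)):
        print(label, inspect_office_zip(pkg))
    print(find_auto_macros(SAMPLE_VBA), self_copy_indicators(SAMPLE_VBA))
    print(triage_macro(SAMPLE_VBA))
```

The auto-run names are the reason the article's trigger list looks the way it does: Word and Excel call these procedures on start, open, close and print without any user action, so a reviewer reads them first. Legacy binary .doc files keep their macros in OLE streams rather than a ZIP part, so for those the extraction step (not shown) has to come from a tool like olevba.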

Viruses based on stealth technology

Now the masking viruses, deliberately named after the stealth aircraft that radar cannot see.

Their whole point is to pass for an ordinary part of the system: while the virus is resident, anything that reads an infected object is shown the original, clean picture, so identifying them by the usual methods can be a complicated matter. Stealth techniques are found among macro viruses, boot viruses and DOS viruses alike. For Windows, stealth viruses are said not to have been developed yet, although many experts say that this is only a matter of time.

File viruses

Broadly speaking, all viruses can be called file viruses, because in one way or another they act on the file system and on files: infecting them with their own code, encrypting them, or making them unavailable by corrupting or deleting them.

The simplest examples are today's crypto-viruses (ransomware) and the notorious ILOVEYOU worm. Without the decryption key, cleaning up after ransomware is not merely difficult but often impossible. Even the leading antivirus vendors throw up their hands, because the files are encrypted with a strong cipher (typically AES with a 256-bit key, the file key itself being protected by an asymmetric key that only the attacker holds), and trying every possible key would take far longer than a dozen years.

Polymorphic Threats

Finally, the type of threat that uses polymorphism. What does it consist of? The virus constantly changes its own code, and it does so on the basis of a so-called floating key: the body is stored encrypted, and every new copy is encrypted with a different key and preceded by a different decryption routine.

In other words, the threat cannot be defined by a mask, because not only its code structure changes but also the key needed to decrypt it. Such cases are handled by special polymorphic decoders (decryptors), which let the virus's own decryption routine run under emulation until the constant body appears. In practice, though, they cope only with the simplest viruses; the more complex algorithms mostly defeat them. Separately, the change of code is accompanied by copies of reduced length, which may differ from the original quite significantly.
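To make the floating key concrete, here is an added example, not the article's own material and not real virus code: a toy generator that produces generations of a constant body, each encrypted under a fresh key with a different decryptor layout and junk bytes, and the two detection approaches side by side, a static byte signature and a "polymorphic decoder" that follows the stub's own logic to recover the key and compares the decrypted body. The body, the stub layouts and the seeds are all constructed.

```python
import hashlib
import random

# Constructed, benign stand-in for the constant virus body.  Any fixed bytes will do.
BODY = b"INVARIANT BODY: every generation decrypts back to exactly these bytes\n"
BODY_SHA256 = hashlib.sha256(BODY).hexdigest()


def keystream(key: int, n: int) -> bytes:
    """'Floating' key: position i is XORed with key+i, so identical plaintext shows
    no repeating byte pattern and a one-byte key change alters every output byte."""
    return bytes((key + i) & 0xFF for i in range(n))


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def make_variant(body: bytes, rng: random.Random) -> bytes:
    """One 'generation': a fresh key, random junk, one of two decryptor layouts,
    then the body encrypted under that key.  The layouts are a toy format, not
    machine code; a real engine permutes instructions in the same spirit."""
    key = rng.randrange(256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 17)))
    length = len(body).to_bytes(2, "little")
    if rng.randrange(2) == 0:
        stub = bytes([0, key, len(junk)]) + junk              # layout 0: key before the junk
    else:
        stub = bytes([1, len(junk)]) + junk + bytes([key])    # layout 1: key after the junk
    return stub + length + xor(body, keystream(key, len(body)))


def emulate_decrypt(sample: bytes) -> bytes:
    """What a polymorphic decoder does: follow the stub's own logic to find the
    key, run the decryption, and hand back the constant body for matching."""
    layout = sample[0]
    if layout == 0:
        key, junk_len = sample[1], sample[2]
    elif layout == 1:
        junk_len = sample[1]
        key = sample[2 + junk_len]
    else:
        raise ValueError("unknown decryptor layout %d" % layout)
    pos = 3 + junk_len
    n = int.from_bytes(sample[pos:pos + 2], "little")
    return xor(sample[pos + 2:pos + 2 + n], keystream(key, n))


def matches_static_signature(sample: bytes, signature: bytes) -> bool:
    """Classic mask scan: look for a fixed byte string in the raw sample."""
    return signature in sample


def matches_after_emulation(sample: bytes, body_sha256: str) -> bool:
    """The same idea applied to the decrypted body instead of the raw bytes."""
    try:
        return hashlib.sha256(emulate_decrypt(sample)).hexdigest() == body_sha256
    except (ValueError, IndexError):
        return False


VARIANTS = [make_variant(BODY, random.Random(2018 + i)) for i in range(6)]


def static_hits(signature: bytes) -> int:
    return sum(matches_static_signature(v, signature) for v in VARIANTS)


def emulation_hits() -> int:
    return sum(matches_after_emulation(v, BODY_SHA256) for v in VARIANTS)


if __name__ == "__main__":
    print("distinct variants:", len(set(VARIANTS)), "of", len(VARIANTS))
    print("static signature on the body hits:", static_hits(BODY[:16]), "of", len(VARIANTS))   # 0
    print("static signature on variant 0's stub hits:", static_hits(VARIANTS[0][:6]))
    print("hits after emulation:", emulation_hits(), "of", len(VARIANTS))                      # 6
```

The asymmetry the article describes is visible here: a signature taken from either the body or any one stub matches almost nothing, while the decoder recovers the same body from every generation. The decoder only works because the toy stub is trivial to follow; once a real engine hides the key behind branches, self-modifying code and anti-emulation tricks, the emulator gives up long before the body appears, which is why the text says such decoders handle only the simplest viruses.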

How to deal with resident threats

Finally, dealing with resident viruses and protecting computer systems of any complexity. The simplest protection is to install a full antivirus package, and not a free one but at least a trial version from a vendor such as Doctor Web, Kaspersky Lab or ESET (NOD32, or a suite like Smart Security if the user works on the Internet constantly).

Even so, nobody is immune from a threat getting onto the computer. If it happens, use portable scanners first, and better still a Rescue Disk utility: it boots its own environment and scans before the main operating system starts, while the virus is not yet resident (remember that viruses can keep their copies in the system and even in RAM).

One more thing: software such as SpyHunter is not recommended, since an inexperienced user will later have trouble removing the package itself and its accompanying components. And of course, do not rush to delete infected files or format the hard drive. Better leave the treatment to professional antivirus products.

Conclusion

Only the main aspects of resident viruses and the methods of combating them have been covered above. Looking at computer threats globally, so many new ones appear every day that the developers of security tools barely have time to devise new methods against them.


Copyright © 2018 en.atomiyme.com. Theme powered by WordPress.