LESSON 6 MALWARE part II

Source: Internet | Editor: 程序博客网 | Time: 2024/05/28 16:21

6.1.2.1 Boot Sector Viruses
The boot sector virus was the first type of virus created. It hides itself in the executable
code at the beginning of bootable disks. This meant that in order to infect a machine, you
needed to boot from an infected floppy disk. A long time ago (15 years or so), booting
from floppy was a relatively regular occurrence, meaning that such viruses were actually
quite well spread by the time that people figured out what was happening. This virus (and
all other types) should leave a signature which subsequent infection attempts detect, so
as not to repeatedly infect the same target. It is this signature that allows other software
(such as anti-virus software) to detect the infection.

 

6.1.2.1 Boot Viruses

The boot virus was the first kind of virus. It hides in the executable code of a boot disk. In other words, to infect a machine you had to boot from an infected floppy disk. Around 15 years ago, picking up a virus by booting from a floppy was a very common occurrence, which means that in those days such viruses spread wildly before people realised what was going on. The virus carries a marker; machines that have not been infected try their best to recognise these markers so as to avoid infection. Other anti-virus software likewise detects the virus by recognising this marker.

 

6.1.2.2 The Executable File Virus
The Executable File virus attaches itself to files, such as .exe or .com files. Some viruses
would specifically look for programs which were a part of the operating system, and thus
were most likely to be run each time the computer was turned on, increasing their
chances of successful propagation. There were a few ways of adding a virus to an
executable file, some of which worked better than others. The simplest way (and the least
subtle) was to overwrite the first part of the executable file with the virus code. This meant
that the virus executed, but that the program would subsequently crash, leaving it quite
obvious that there was an infection – especially if the file was an important system file.

 

6.1.2.2 Executable File Viruses

The executable file virus lives on files such as .exe or .com files. Some viruses deliberately seek out programs that are part of the operating system to attach to, because those are likely to run every time the computer starts, improving the chances of reproduction. There are several ways of planting a virus in an executable file, and some of them work very well. The simplest is to overwrite the beginning of the executable with the virus code. This means the virus runs, but the program then errors out, so the infection is very easy to notice, especially when the file is an important system file.

 

6.1.2.3 The Terminate and Stay Resident (TSR) Virus
TSR is a term from DOS where an application would load itself into memory, and then
remain there in the background, allowing the computer to run as normal in the
foreground. The more complex of these viruses would intercept system calls that would
expose them and return false results – others would attach themselves to the 'dir'
command, and then infect every application in the directory that was listed – a few even
stopped (or deleted) anti-virus software installed onto the systems.

 

6.1.2.3 Terminate and Stay Resident Viruses

TSR is a term from the DOS system: DOS lets an application load itself into memory and then stay in the background while the computer keeps running normally in the foreground. The more complex of these viruses intercept the system calls that would give away their whereabouts and return false results; others attach themselves to the 'dir' command and then infect every application listed in that directory; some viruses even delete the anti-virus software installed on the system.

 

6.1.2.4 The Polymorphic Virus
Early viruses were easy enough to detect. They had a certain signature to identify them,
either within themselves as a method to prevent re-infection, or simply that they had a
specific structure which it was possible to detect. Then along came the polymorphic virus.
Poly, meaning multiple, and morphic, meaning shape. These viruses change themselves
each time they replicate, rearranging their code, changing encryption and generally
making themselves look totally different. This created a huge problem, as suddenly only
much smaller portions of the code remained the same from one copy to the next – some of
the "better" viruses were reduced to a detection signature of a few bytes. The problem was
increased with the release of a number of polymorphic kits into the virus writing community,
which allowed any virus to be recreated as a polymorph.

 

6.1.2.4 Polymorphic Viruses

Early viruses were easy to detect. Their markers were easy to find, and were therefore sometimes used to prevent re-infection. They might also have a particular structure that was easy to recognise. Then, as things developed, the polymorphic virus appeared. Poly means many; morphic means shape. These viruses change themselves every time they replicate, reorganising their code and re-encrypting it so that they take on a different appearance. This put a major obstacle in the way of anti-virus technology, because less and less of the marker stayed the same; for some of the more infectious viruses the detection signature shrank to only a few bytes. The problem became thornier when polymorphic virus code was published in certain communities, because the published code could give any kind of virus polymorphic capability.
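The signature problem described in the polymorphic virus section above, as an added example that is not part of the original lesson: a minimal byte-signature scanner run over constructed copies of a sample whose body is re-encoded with a different single-byte XOR key each time, showing that only the small constant part remains usable as a signature and that such a short signature also hits an unrelated benign buffer. The stub, body and benign buffer are made-up bytes, not real code.

```python
"""Added example: why polymorphism shrinks a usable detection signature.

A signature scanner looks for a fixed byte pattern. When a sample re-encodes
its body with a new key on every copy, only the small constant part (here a
made-up stub) survives as a signature, and a short signature is more likely
to match unrelated files. All bytes below are constructed for the demo.
"""
from __future__ import annotations

# Constructed, non-functional placeholders standing in for a constant stub and
# the variable (re-encoded) body of a sample. Not real code and not malware.
STUB = b"\x90\x90STUB\x90"
PLAIN_BODY = b"constructed sample body that gets re-encoded on each copy"


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; stands in for the 'changing encryption' the text mentions."""
    return bytes(b ^ key for b in data)


def build_sample(key: int) -> bytes:
    """One 'copy' of the sample: constant stub followed by the body encoded with key."""
    return STUB + xor_encode(PLAIN_BODY, key)


def scan(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def compare_signatures() -> dict[str, list[str]]:
    """Run a full-body and a stub-only signature over several copies and a benign file."""
    # Signature extracted from the first copy seen (key 0x5A): 16 bytes of encoded body.
    full_sig = build_sample(0x5A)[len(STUB):len(STUB) + 16]
    signatures = {"full_body": full_sig, "stub_only": STUB}

    # Constructed benign buffer that happens to contain the short stub bytes.
    benign = b"harmless document header " + STUB + b" more harmless text"

    results = {}
    for key in (0x5A, 0x5B, 0x13):
        results[f"copy_key_{key:02x}"] = scan(build_sample(key), signatures)
    results["benign_file"] = scan(benign, signatures)
    return results


if __name__ == "__main__":
    for name, hits in compare_signatures().items():
        print(f"{name:14s} -> {hits or 'no match'}")
```

The full-body signature only catches the copy it was taken from, while the stub-only signature catches every copy but also flags the benign buffer, which is the trade-off the lesson describes when signatures shrink to a few bytes.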

 

6.1.2.5 The Macro Virus
The Macro Virus makes use of the built-in ability of a number of programs to execute
code. Programs such as Word and Excel have limited, but very powerful, versions of the
Visual Basic programming language. This allows for the automation of repetitive tasks, and
the automatic configuration of specific settings. These macro languages are misused to
attach viral code to documents which will automatically copy itself on to other
documents, and propagate. Although Microsoft has turned off the feature by default now
on new installations, it used to be that Outlook would automatically execute certain code
attached to e-mails as soon as they were read. This meant that viruses were propagating
very quickly by sending themselves to all of the e-mail addresses that were stored on the
infected machine.

 

6.1.2.5 Macro Viruses

The macro virus uses the built-in ability of certain programs to execute code. Programs such as Word and Excel carry a limited version of the Visual Basic programming language. This lets repetitive tasks be automated and certain settings be configured automatically. These macro languages are misused to copy virus code into documents; an infected document automatically copies itself to other documents and reproduces. Although Microsoft has now disabled this feature, a product of a mistake, in new installations, in the past once Outlook received an e-mail carrying a virus and the mail was read, Outlook would automatically run the virus program. This meant an infected machine would automatically send mail to every e-mail address stored on it, causing the virus to spread wildly.
