
Which files do macro viruses infect, and how do they spread

Macro viruses are potentially unwanted programs that are written in macro languages embedded in text or graphic data processing systems. The most common versions of viruses are for Microsoft Word, Excel and Office 97. Since creating a macro virus is easy, they are quite common. You should be very careful when downloading questionable documents from the Internet. Many users underestimate the capabilities of these programs, making a huge mistake.

How does a macro virus infect a computer

Thanks to their simple method of reproduction, macro viruses can infect a large number of files in a very short time. Using the capabilities of macro languages, when an infected document is opened or closed they easily penetrate every program that is accessed in one way or another. That is, if you open an image in a graphics editor, the macro virus will spread through files of that type. Some viruses of this type remain active as long as the graphics or text editor is open, or even until the computer is turned off.

Macro viruses act on the following principle: while working with a Microsoft Word document, Word reads and executes the various commands given in the macro language. First of all, the malware tries to penetrate the main document template, through which all files of this format are opened. At the same time, the macro virus copies its code into the global macros (the macros that provide access to key parameters). When you exit the program, these are automatically saved to the .dot template file (used to create new documents). The virus then inserts itself into the file's standard macros in order to intercept commands sent to other files, thereby infecting them too.

Infection with a macro virus occurs in one of four cases:

  1. If there is an auto macro in the virus (it is executed automatically when the program is started or shut down).
  2. The virus contains the main system macro (usually associated with menu items).
  3. The virus is activated automatically when you press a certain key or combination.
  4. The reproduction of the virus occurs only when it is directly launched.

Macro viruses can damage all files that are linked to a program in a macro language.

What harm do macro viruses do?

Macro viruses should never be underestimated: they are fully fledged viruses and can do no less harm to a personal computer. Macro viruses are quite capable of deleting, editing or copying files containing personal information and sending them to another person by e-mail. More powerful ones can format the hard drive outright and take control of your computer. So the opinion that macro viruses are dangerous only to text editors is mistaken, because Word and Excel interact with a huge number of other programs while they work.

How to recognize an infected file

It is usually quite easy to identify files affected by a macro virus, because they do not work like other programs of the same format.

The presence of macro viruses can be determined by the following signs:

  1. the Word document cannot be saved to another format (using the "Save as..." command);
  2. the document cannot be moved to another folder or drive;
  3. changes to the document cannot be saved (using the "Save" command);
  4. frequent system error messages about the program's operation, with the corresponding error code;
  5. unusual document behavior;
  6. many macro viruses can be detected visually, because their creators often like to fill in the program name, subject, category, author name and comments on the Summary tab (opened from the context menu).

How to remove a virus-infected file from a computer

First of all, if you find a suspicious document or file, scan it with an antivirus. Almost always, antiviruses, when a threat is detected, will try to cure the file or completely block access to it. In more severe cases, when the entire computer is already infected, use an emergency installation disk containing an antivirus with an updated database. It will scan the hard drive and neutralize the malware it finds. In the event that the antivirus is powerless, and there is no emergency disk at hand, use the "manual" treatment method:

  1. On the "View" tab, uncheck the "Hide extension for all registered file types" checkbox;
  2. find the infected file and change its extension from .doc to .rtf;
  3. delete the Normal.dot template;
  4. change the file extension back and restore the original settings.

As a result of these actions, we removed the virus from the infected document, but this does not mean that it could not remain in the computer system, therefore, at the first opportunity, scan all objects on your PC with an antivirus.

How to protect yourself from macro viruses

Treating a computer for macro viruses can be quite difficult, so it's best to prevent infection. To do this, make sure that your antivirus is updated regularly. Before copying files from other media or from the Internet, carefully check them for malware. If you have a weak antivirus or none at all, save documents in .rtf format, so the virus cannot penetrate them.

Macro viruses are an infection that poisons the life of any user. Even if you are three times a system programmer, they still have a good chance of beating you. Many simply underestimate this category of viruses, and in vain: they are not as harmless as they seem. In terms of survivability they can be compared with rats and cockroaches: they adapt to everything and very rarely die. It's time to deal with the macro infection once and for all.

Macro virus architecture

To begin with, a clear definition: a macro virus is a virus that can reproduce and store itself (without user intervention) using a macro language. It follows from the definition that macro viruses can live not only in Word documents, but in ANY office document that implements macro language functions such as copying macros and saving them. Here is an almost complete list of applications susceptible to the threat of macro infection: Word (any version), Excel, AmiPro (a text editor), MS Visio, PowerPoint, MS Access and 1C. As you can see, the number of such programs is quite large, yet on the Internet you can often find articles that define macro viruses as "viruses that infect document files in the WinWord format". Some idiots wrote that!

Now let's talk about the structure of a macro virus for Word (as the most relevant case). So: there is such a thing as standard macros. These include AutoOpen, AutoClose, AutoExec, AutoExit and AutoNew. The prefix Auto- means the action is performed automatically, without user intervention (although this depends on the security level set; more on that later). That is, by putting the infection into a macro with one of these names, you "bring it to life". Each standard action also has its own standard macro: printing calls FilePrint, saving calls FileSave, and saving in a different format or under a different name calls FileSaveAs. These macros can be infected too.

The ultimate goal of any macro pest is normal.dot (that is where all template settings are stored). Then every opened file will be infected and your texts will go to hell.
Word provides several security levels: high, medium and low. It also contains a built-in protection mechanism against macro infection, which, according to the developers' intention, should act on macro viruses like silver on evil spirits. Maybe it would even work, if not for one "but". It is because of that "but" that I will not go into the differences between the security levels and Word's internal settings. The point is that ALL internal security parameters can easily be CHANGED through the registry. Fortunately, macro languages allow this to be done. I will not spell out a specific path (where to look for what), so as not to tempt your playful hands. Those who are especially gifted can contact me by e-mail and I will let you know, but "only for the purpose of getting acquainted with this software vulnerability, in order to eliminate it" 🙂

To summarize, the structure of a macro virus is as follows:

1. We redefine any standard or automatic useful macro so that it disables protection and adjusts the security level.
2. We add the infection there.
3. We make sure that this macro is actually invoked, so that the infection multiplies and is written into Normal.dot.

Everything is quite simple, which is exactly why there are so many different variations of macro creatures.

I'll kill with my bare hands!

There are several folk ways to destroy macros in already infected Word documents. Here they are almost all:

1. Create your own macro with this code:

   Sub Main
       DisableAutoMacros    ' WordBasic: prevents Auto* macros from running
   End Sub

Save this miracle under the name AutoExec and you become invulnerable to auto macros.

2. Adjust the protection levels, so that Word asks for permission before executing macros.

3. Do not use the doc format. After all, everything can be placed in RTF: the same fonts, design, tables, graphics... And RTF does not contain macros by definition. Everything would be perfect, but there is a minus: when saving information in rtf format, all pictures are automatically converted to bmp format. This graphic format weighs so much that you wouldn't wish it on your enemy. As a result, even after archiving, the increase in the size of the resulting file may mean that it simply does not fit on a floppy disk (depending, of course, on the number of pictures). Still, if there are no graphics, rtf is ideal.

Heavy artillery

It's time to muster up the courage and kill the macro creatures once and for all. The task is not so difficult: you need an uninfected computer and the latest distribution of Kaspersky Anti-Virus. A few years ago, Kaspersky Lab developed a module called Office Guard. That is what we will talk about.

Typically, Office Guard is not included in pirated distributions, but with some skill you can find it. What is this thing? Here's what the creators have to say about it:
"Office Guard is a fundamentally new technology for protecting against macro viruses and macro Trojans. Designed for advanced users, Office Guard implements a revolutionary approach to anti-virus security based on the principles of a behavioral blocker. Unlike the "classic" anti-virus protection schemes in use, built on conventional contextual search, Office Guard solves the problem comprehensively, excluding the very possibility of macro viruses functioning on a protected computer. Office Guard distinguishes macro viruses not by external signs (the presence of a particular sequence of characters), but by their behavior, which is determined by the capabilities of the VBA (Visual Basic for Applications) programming language."

The coolest feature is that it doesn't need to be updated! However, its use is fraught with many pitfalls:

1. It should be installed on a non-infected machine.
2. If you had Word installed, then you installed Office Guard, and then installed Excel, then only Word will be protected. Draw your own conclusions.
3. Office Guard catches viruses, but DOES NOT CURE.

To solve the last problem, you just need a virus scanner. Thus AVP scanner + Office Guard provide complete protection against macro viruses. If you want to disinfect documents, you will have to download an AVP update from time to time.

However, let's be fair: you can't pull the whole blanket towards Kaspersky Lab, otherwise there will be talk like: "And how much were you paid to promote the product?"

Any updated antivirus gives good, almost 100%, protection against macro pests. It's just that each of them uses different technologies for this. For example, DrWeb uses signature search and a heuristic analyzer, which we discussed with its creators:

Your antivirus kit does not include a separate module for fighting macro viruses. Why? Do you think that a resident monitor guarantees security against macro viruses?

Tools for detecting and fighting macro viruses are an integral part of the DrWeb core. And since the kernel is used by both the scanner and the monitor, all macro viruses are detected and treated equally well in both cases.

The WUA includes a separate module against macro viruses in MS Office. The developers claim that this module is based on a behavioral blocker that analyzes the actions of the patient program. As a result, this product is 100% free from macro viruses until a new version of VBA is released, i.e. the macro virus is not searched for by signatures. The advantage of such an approach is that, having installed such a module once, you do not need to update it. Now the questions: does DrWeb search for macro viruses by signatures?

DrWeb searches for macro viruses both by signatures and using its built-in, original, powerful heuristic analyzer. The macro search and analysis engine is implemented at several levels: the binary code of macros is scanned, as well as their compiled and source code. This allows it to detect known viruses, their modifications, and also unknown macro viruses. Thus it becomes possible not to depend not only on the version of the installed MS Office package (the ability to intercept running macros appeared only in Office 2000 and is absent in previous versions), but on the very presence of MS Office on the computer where the files are scanned, for example on a corporate Internet gateway.

In addition, with the help of the heuristic analyzer, DrWeb is able to detect unknown Trojans, backdoors, Internet worms, IRC, batch (bat) and script (vbs/vbe) viruses.

Your personal opinion: can a WUA module provide 100% safety against macro infection?

The current situation is that, in order to fight viruses effectively, any modern anti-virus product must be updated in a timely manner. Unfortunately, creating an "absolute" antivirus is impossible.

The questions were answered by
Sergei Yurievich Popov
Andrey Vladimirovich Basharimov

Developers of anti-virus programs of the Dr.WEB family.

Macro viruses are programs in languages (macro languages) built into some data processing systems (text editors, spreadsheets, etc.). For their reproduction, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (document or table) to others.

For the existence of viruses in a particular system (editor), it is necessary to have a macro language built into the system with the following capabilities:

1. binding a program in a macro language to a specific file;

2. copying macro programs from one file to another;

3. the ability for a macro program to gain control without user intervention (automatic or standard macros).

Network computer viruses.

Network viruses include viruses that actively use the protocols and capabilities of local and global networks for their spread. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. At the same time, network viruses also have the ability to run their own code on a remote computer or push the user to run an infected file.

There are a large number of combinations - for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex algorithm of work, often use original methods of penetrating the system, use stealth and polymorphic technologies. Another example of such a combination is a network macro virus that not only infects edited documents, but also sends copies of itself by e-mail.

The operating system to be infected (more precisely, the OS whose objects are susceptible to infection) is the second level of dividing viruses into classes. Each file or network virus infects files of one or more operating systems.

Macro viruses infect Word, Excel, Office files. Boot viruses are also focused on specific formats for the location of system data in the boot sectors of disks.

Features of the operating algorithm of computer viruses:

1. Residence.

2. Use of stealth algorithms.

3. Self-encryption and polymorphism.

4. Use of non-standard techniques.

The term residency refers to the ability of viruses to leave their copies in system memory, intercept certain events (for example, access to files or disks) and, in doing so, call procedures for infecting the detected objects (files and sectors). Thus, resident viruses are active not only while the infected program is running, but also after the program has finished its work. Resident copies of such viruses remain viable until the next reboot, even if all infected files on the disk are destroyed. It is often impossible to get rid of such viruses by restoring all copies of files from distribution disks or backups: the resident copy of the virus remains active and infects the newly created files. The same is true for boot viruses: formatting a drive while a resident virus is in memory does not always cure the drive, as many resident viruses re-infect the drive after it has been formatted.

Non-resident viruses, on the other hand, are active for a rather short time, only when the infected program is launched. To spread, they look for uninfected files on the disk and write themselves into them. After the virus code transfers control to the host program, the virus's effect on the operation of the operating system drops to zero until the next launch of any infected program.

Stealth viruses in one way or another hide the fact of their presence in the system.

Polymorphic viruses are those whose detection is impossible (or extremely difficult) using so-called virus masks, i.e. sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor commands, or by changing the executable virus code itself.

Various non-standard tricks are often used in viruses to hide themselves as deeply as possible in the OS kernel.

By their destructive capabilities, viruses can be divided into:

1. Harmless, which do not affect the operation of the computer in any way (except for the reduction of free disk space as a result of their spread).

2. Non-hazardous, whose influence is limited to a decrease in free disk space and graphic, sound and other effects.

In particular, let us consider those representatives of this numerous family that infect Word documents.

The characteristic signs of presence are:

1) impossibility of saving the infected Word document to another format (Save as… command);

2) impossibility of writing the document to another directory or another disk with the Save as… command;

3) inability to save the changes made to the document (Save command);

4) inaccessibility of the Security level tab (menu Service - Macro - Security…);

5) since many viruses are written with errors (or do not work correctly in different versions of Microsoft Office), corresponding messages with an error code may appear;

6) other "strangeness" in the behavior of Word documents;

7) the virus can often be detected visually. The fact is that most virus writers are distinguished by vanity: in the Word file properties (the Properties window, opened by right-clicking and choosing Properties), on the Summary tab, they fill in the input fields (Name, Subject, Author, Category, Keywords and

Macro viruses are programs in languages (macro languages) built into some data processing systems (text editors, spreadsheets, etc.), as well as in scripting languages such as VBA (Visual Basic for Applications) and JS (JavaScript). For their reproduction, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (document or table) to others. Macro viruses for Microsoft Office are the most widespread. There are also macro viruses that infect Ami Pro documents and databases. For a virus to exist in a particular system (editor), the system must have a built-in macro language with the following capabilities:

1. binding a program in a macro language to a specific file;
2. copying macro programs from one file to another;
3. the ability for a macro program to gain control without user intervention (automatic or standard macros).

These conditions are met by the Microsoft Word, Office and AmiPro editors, as well as the Excel spreadsheet and the Microsoft Access database. These systems contain macro languages: Word - Word Basic; Excel, Access - VBA. In these systems:

1. Macro programs are tied to a specific file (AmiPro) or are inside a file (Word, Excel, Access);
2. macro language allows you to copy files (AmiPro) or move macro programs to system service files and editable files (Word, Excel);
3. when working with a file under certain conditions (opening, closing, etc.), macro programs (if any) are called, which are defined in a special way (AmiPro) or have standard names (Word, Excel).

This feature of macro languages is designed for automatic data processing in large organizations or global networks and allows you to organize the so-called "automated workflow". On the other hand, the capabilities of the macro languages of such systems allow the virus to transfer its code to other files, and thus infect them. Viruses take control when opening or closing an infected file, intercept standard file functions, and then infect files that are accessed in some way. By analogy with MS-DOS, we can say that most macro viruses are resident: they are active not only at the time of opening/closing a file, but as long as the editor itself is active.

Word/Excel/Office viruses: general information

The physical location of the virus inside the file depends on its format, which in the case of Microsoft products is extremely complex: each Word document file or Excel spreadsheet is a sequence of data blocks (each of which has its own format), interconnected using a large amount of service data. This format is called OLE2 - Object Linking and Embedding.

The structure of Word, Excel, and Office (OLE2) files resembles a sophisticated disk file system: the "root directory" of a document file or table points to the main subdirectories of various data blocks, several FAT tables contain information about the location of data blocks in a document, and so on. Moreover, the Office Binder system, which supports the Word and Excel standards, allows you to create files that simultaneously contain one or more Word documents and one or more Excel spreadsheets. At the same time, Word viruses can infect Word documents, and Excel viruses can infect Excel spreadsheets, and all this is possible within a single disk file. The same is true for Office. Most known viruses for Word are incompatible with national (including Russian) versions of Word, or vice versa - they are designed only for localized versions of Word and do not work under the English version. However, the virus in the document is still active and can infect other computers with the corresponding version of Word installed on them. Viruses for Word can infect computers of any class. Infection is possible if a text editor is installed on this computer that is fully compatible with Microsoft Word version 6 or 7 or higher (for example, MS Word for Macintosh).

The same is true for Excel and Office. It should also be noted that the complexity of Word document formats, Excel spreadsheets and especially Office has the following peculiarity: there are "extra" data blocks in document files and tables, i.e. data that is not related to the edited text or tables in any way, or are copies of other data in the file that happened to be there. The reason for the occurrence of such data blocks is the cluster organization of data in OLE2 documents and tables - even if only one character of text is entered, then one or even several data clusters are allocated for it. When saving documents and tables in clusters that are not filled with "useful" data, "garbage" remains, which gets into the file along with other data. The amount of "garbage" in files can be reduced by deselecting the Word/Excel "Allow Fast Save" option, but this only reduces the total amount of "garbage", but does not remove it completely. The consequence of this is the fact that when editing a document, its size changes regardless of the actions performed with it - when adding new text, the file size may decrease, and when deleting part of the text, it may increase.

It is the same with macro viruses: when a file is infected, its size may decrease, increase, or remain unchanged. It should also be noted that some versions of OLE2.DLL contain a small flaw, as a result of which, when working with Word, Excel, and especially Office documents, random data from the disk, including confidential data (deleted files, directories, etc.), can end up in these "garbage" blocks. Virus commands can also get into these blocks. As a result, after disinfection of infected documents, the active code of the virus is removed from the file, but some of its commands may remain in the "garbage" blocks. Such traces of the presence of a virus are sometimes visible in text editors and may even cause some antivirus programs to react. However, these remnants of the virus are completely harmless: Word and Excel pay no attention to them.

Word/Excel/Office viruses: how they work

When working with a Word document (versions 6 and 7 or higher), the user performs various actions: opens the document, saves it, prints it, closes it, etc. At the same time, Word searches for and executes the corresponding "built-in macros": when saving a file with the File / Save command the FileSave macro is called, when saving with the File / SaveAs command it is FileSaveAs, when printing documents FilePrint, and so on, provided of course that such macros are defined. There are also several "auto macros" that are called automatically under various conditions. For example, when you open a document, Word checks it for the presence of the AutoOpen macro. If such a macro is present, Word executes it. When the document is closed, Word executes the AutoClose macro; when Word starts, the AutoExec macro is called; when it closes, AutoExit; and when a new document is created, AutoNew.

Similar mechanisms (but with different names for the macros and functions) are used in Excel/Office, where the role of auto- and built-in macros is played by auto- and built-in functions, which may be present in any macro; one macro can contain several built-in and auto functions. Macros/functions associated with a key, time or date are also executed automatically (i.e. without user intervention): Word/Excel calls the macro/function when a specific key (or key combination) is pressed, or when a certain point in time is reached. In Office the possibilities for intercepting events are somewhat expanded, but the principle is the same.

Macro viruses that infect Word, Excel or Office files usually use one of the three methods listed above: either an auto-macro (auto-function) is present in the virus, or one of the standard system macros (associated with some menu item) is redefined, or the virus macro is called automatically when some key or key combination is pressed. There are also semi-viruses that do not use any of these tricks and multiply only when the user launches them directly. Thus, if a document is infected, when it is opened Word calls the infected AutoOpen macro (or AutoClose when the document is closed) and thus runs the virus code, unless this is prohibited by the DisableAutoMacros system variable. If the virus contains macros with standard names, they take control when the corresponding menu item is called (File/Open, File/Close, File/SaveAs). If some keyboard symbol is redefined, the virus is activated only after the corresponding key is pressed.

Most macro viruses contain all their functions as standard Word/Excel/Office macros. There are, however, viruses that use tricks to hide their code and store their code as non-macros. Three such techniques are known, all of them use the ability of macros to create, edit and execute other macros. As a rule, such viruses have a small (sometimes polymorphic) virus loader macro that calls the built-in macro editor, creates a new macro, fills it with the main virus code, executes and then, as a rule, destroys it (to hide traces of the presence of the virus). The main code of such viruses is present either in the virus macro itself in the form of text strings (sometimes encrypted), or is stored in the document variables area or in the Auto-text area.

Algorithm of work of Word macro-viruses

Most of the well-known Word viruses, when launched, transfer their code (macros) to the global macros area of the document ("general" macros); for this they use the macro copy commands MacroCopy and Organizer.Copy, or use the macro editor: the virus calls it, creates a new macro, inserts its code into it and saves it in the document. When you exit Word, the global macros (including the virus macros) are automatically written to the global macros DOT file (typically NORMAL.DOT). Thus, the next time MS Word is started, the virus is activated at the moment WinWord loads the global macros, i.e. immediately. The virus then redefines (or already contains) one or more standard macros (for example, FileOpen, FileSave, FileSaveAs, FilePrint) and thus intercepts file manipulation commands. When these commands are called, the virus infects the file being accessed. To do this, the virus converts the file to Template format (which makes it impossible to change the file format further, i.e. to convert it to any non-Template format) and writes its macros to the file, including the auto macro. Thus, if a virus intercepts the FileSaveAs macro, every DOC file saved through the intercepted macro is infected. If the FileOpen macro is intercepted, the virus writes itself to the file when it is read from disk.
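Word 97 and later keep the source of each VBA module in an MS-OVBA compressed stream inside the OLE2 document. The following Python is an added example, not code from this article or from any product it mentions: it decompresses such a stream and applies a signature check of the kind the DrWeb passage describes, flagging the auto macros, intercepted built-in macros, copy commands and NORMAL.DOT references named above. It assumes the module stream (for example Macros/VBA/ThisDocument) has already been extracted from the document; the sample streams are constructed inline and contain macro names only.

```python
import re

# Names the article discusses: auto macros, intercepted built-in macros,
# macro copy commands and the global template.
AUTO_MACROS = ("AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew")
BUILTIN_MACROS = ("FileOpen", "FileSave", "FileSaveAs", "FilePrint", "FileClose")
COPY_COMMANDS = ("MacroCopy", "Organizer.Copy", "Sheets.Copy")
TEMPLATE_REFS = ("NORMAL.DOT", "DisableAutoMacros")

def decompress_ovba(data: bytes) -> bytes:
    """Decompress an MS-OVBA container, the format in which Word 97+ stores
    the source of each VBA module stream. Raises ValueError if malformed."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk header signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)
        if not compressed:                 # raw chunk: copy bytes as they are
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]              # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # literal token: a single byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                produced = len(out) - chunk_start
                if produced == 0:
                    raise ValueError("copy token before any literal")
                # Offset/length split point grows with the bytes decompressed so far
                bit_count = max(4, (produced - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy token points outside the chunk")
                for _ in range(length):    # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)

def compress_literals(plain: bytes) -> bytes:
    """Build a valid container from literal tokens only; used to construct the
    sample streams below (Office's own compressor also emits copy tokens)."""
    out = bytearray([0x01])
    for start in range(0, len(plain), 2048):
        chunk, body = plain[start:start + 2048], bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)              # flag byte: eight literal tokens
            body += chunk[i:i + 8]
        header = (len(body) + 2 - 3) | 0x3000 | 0x8000
        out += header.to_bytes(2, "little") + body
    return bytes(out)

def scan_module(stream: bytes) -> dict:
    """Decompress one module stream and report which indicator names occur."""
    source = decompress_ovba(stream).decode("latin-1")

    def present(names):
        return [n for n in names
                if re.search(r"\b" + re.escape(n) + r"\b", source, re.IGNORECASE)]

    return {"auto_macros": present(AUTO_MACROS),
            "builtin_macros": present(BUILTIN_MACROS),
            "copy_commands": present(COPY_COMMANDS),
            "template_refs": present(TEMPLATE_REFS)}

def verdict(report: dict) -> str:
    """Entry point plus replication indicator -> 'suspicious'; entry point alone
    -> 'review' (many legitimate AutoOpen macros exist); otherwise 'clean'."""
    entry = report["auto_macros"] or report["builtin_macros"]
    replication = report["copy_commands"] or report["template_refs"]
    if entry and replication:
        return "suspicious"
    return "review" if entry else "clean"

# Constructed fixtures: macro names only, not working macro code.
SUSPICIOUS_MODULE = compress_literals(
    b"Sub AutoOpen()\n    ' fixture: mentions MacroCopy and NORMAL.DOT\nEnd Sub\n"
    b"Sub FileSaveAs()\nEnd Sub\n")
BENIGN_MODULE = compress_literals(b'Sub AutoOpen()\n    MsgBox "Welcome"\nEnd Sub\n')
CLEAN_MODULE = compress_literals(b"Function Total(a, b)\n    Total = a + b\nEnd Function\n")

if __name__ == "__main__":
    for stream in (SUSPICIOUS_MODULE, BENIGN_MODULE, CLEAN_MODULE):
        print(verdict(scan_module(stream)), scan_module(stream))
```

Note that the check is purely textual: as the article points out for "garbage" blocks and comment strings, a name in a comment triggers it just as a call would, so it is a triage signal, not a disinfection tool.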

The second method of introducing a virus into the system is used much less often: it is based on the so-called "Add-in" files, i.e. files that are service additions to Word. In this case, NORMAL.DOT is not changed, and Word loads the virus macros on startup from the file (or files) specified as "Add-in". This method almost completely repeats the infection of global macros, except that the virus macros are stored not in NORMAL.DOT but in some other file. It is also possible to inject a virus into files located in the STARTUP directory (Word automatically loads template files from this directory), but such viruses have not yet been encountered. The above methods of introduction into the system are an analogue of resident DOS viruses. The analogue of non-resident viruses are macro viruses that do not transfer their code to the area of system macros: to infect other document files, they either look for them using the file functions built into Word, or refer to the list of recently edited files (Recently used file list). Then such viruses open the document, infect it and close it.

Algorithm of work of Excel macro-viruses

The propagation methods of Excel viruses are generally similar to those of Word viruses. The differences are in macro copy commands (for example, Sheets.Copy) and in the absence of NORMAL.DOT - its function (in the viral sense) is performed by files in the Excel STARTUP directory. It should be noted that there are two possible options for the location of the macro virus code in Excel spreadsheets. The vast majority of these viruses write their code in the VBA (Visual Basic for Applications) format, but there are viruses that store their code in the old Excel version 4.0 format. Such viruses are essentially no different from VBA viruses, except for differences in the format of the location of virus codes in Excel spreadsheets. Although newer versions of Excel (since version 5) use more advanced technologies, the ability to run macros from older versions of Excel has been retained to maintain compatibility. For this reason, all macros written in the Excel 4 format are fully functional in all subsequent versions, despite the fact that Microsoft does not recommend their use and does not include the necessary documentation with Excel.

How Access viruses work

Because Access is part of the Office Pro package, Access viruses are Visual Basic macros just like the viruses that infect the other Office applications. In Access, however, the place of auto-macros is taken by automatic scripts that the system calls on various events (for example, AutoExec). These scripts in turn can call macro programs. So to infect an Access database the virus must replace one of the auto-scripts and copy its macros into the database. Infecting scripts without additional macros is not possible, because the scripting language is quite primitive and lacks the functions needed for this.

Note that in Access terminology the scripts are called macros and the macros are called modules; the unified terminology of scripts and macros is used here regardless. Cleaning Access databases is harder than removing other macro viruses, because in Access both the virus macros and the auto-scripts must be neutralised. And since a significant part of the work of Access is carried by scripts and macros, deleting or deactivating the wrong element can make the database unusable. The same applies to the viruses themselves: an incorrect substitution of auto-scripts can lead to loss of the data stored in the database.
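The Word, Excel and Access passages above all describe the same two ingredients: a macro that runs automatically, and code that copies itself into the global macro area (NORMAL.DOT, startup templates, add-ins, the Excel STARTUP workbook, the Access AutoExec macro) or overrides a built-in command. The following static triage script is an added example, not code from the original page or from any product it mentions. It scans macro source text for those indicators; the indicator lists and the three sample macros are constructed for the example (the object and macro names themselves are real Word/Excel/Access names, and `=EXEC(`/`=CALL(` are Excel 4.0 macro functions), and the verdict logic is a heuristic, not a definition of maliciousness.

```python
"""Static triage of macro source for auto-execution hooks, writes into the
global macro area, built-in command overrides and document hunting.
Indicator lists and sample macros are constructed for this example."""
import re
from typing import Dict, List

# Each category maps to regular expressions over VBA/WordBasic/XLM source text.
INDICATORS: Dict[str, List[str]] = {
    # macros run automatically when a document/workbook/database is opened or closed
    "auto_exec": [r"\bAutoOpen\b", r"\bAutoClose\b", r"\bAutoNew\b", r"\bAutoExit\b",
                  r"\bAutoExec\b",                  # Word startup macro and Access AutoExec
                  r"\bDocument_Open\b", r"\bDocument_Close\b",
                  r"\bAuto_Open\b", r"\bAuto_Close\b",
                  r"\bWorkbook_Open\b", r"\bWorkbook_BeforeClose\b"],
    # writes into the global macro area or copies code between projects
    "replication": [r"\bNormalTemplate\b", r"\bVBProject\b", r"\bVBComponents\b",
                    r"\bCodeModule\b", r"\bAddFromString\b", r"\bInsertLines\b",
                    r"\bMacroCopy\b", r"\bOrganizerCopy\b",  # WordBasic-era copy commands
                    r"\bStartupPath\b", r"\bAddIns\.Add\b",
                    r"\bSheets\(.*?\)\.Copy\b", r"PERSONAL\.XLS", r"\bXLSTART\b",
                    r"=EXEC\(", r"=CALL\("],                # Excel 4.0 (XLM) macro functions
    # a macro named after a built-in command replaces that command
    "command_override": [r"\bFileSave\b", r"\bFileSaveAs\b", r"\bFileOpen\b",
                         r"\bToolsMacro\b", r"\bFileTemplates\b"],
    # non-resident strategy: locate other documents to infect
    "target_discovery": [r"\bRecentFiles\b", r"\bDir\s*\(", r"\bFileSearch\b"],
}


def triage_macro_source(src: str) -> Dict[str, List[str]]:
    """Return the indicator text found in `src`, grouped by category.
    VBA is case-insensitive, so the match is too; the original spelling is kept."""
    hits: Dict[str, List[str]] = {}
    for category, patterns in INDICATORS.items():
        found = {m.group(0) for p in patterns for m in re.finditer(p, src, re.IGNORECASE)}
        if found:
            hits[category] = sorted(found)
    return hits


def risk_level(hits: Dict[str, List[str]]) -> str:
    """Heuristic verdict: an auto-execution hook combined with global-area writes
    or a command override is the pattern of a self-replicating macro."""
    if "auto_exec" in hits and ("replication" in hits or "command_override" in hits):
        return "likely self-replicating macro"
    if "auto_exec" in hits or "replication" in hits:
        return "review: auto-execution or project access"
    return "no indicators"


# Constructed samples; stubs carrying only the tell-tale calls, not working viruses.
SAMPLE_WORD_INFECTOR = '''
Sub AutoOpen()
    ' on open: copy this module into the global template (NORMAL.DOT)
    Set target = NormalTemplate.VBProject.VBComponents.Add(1).CodeModule
    target.AddFromString "<module text goes here>"
End Sub

Sub FileSaveAs()
    ' replaces the built-in command so every document saved through it can be infected
    Dialogs(wdDialogFileSaveAs).Show
End Sub
'''

SAMPLE_EXCEL_INFECTOR = '''
Sub Auto_Open()
    ' copy the macro sheet into the workbook loaded from the startup directory
    ThisWorkbook.Sheets(1).Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
    p = Application.StartupPath
End Sub
'''

SAMPLE_BENIGN = '''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
'''

if __name__ == "__main__":
    for name, src in [("word", SAMPLE_WORD_INFECTOR), ("excel", SAMPLE_EXCEL_INFECTOR),
                      ("benign", SAMPLE_BENIGN)]:
        hits = triage_macro_source(src)
        print(name, risk_level(hits), hits)
```

In practice the source text comes from the VBA project streams extracted from the document (for example with a tool such as oletools' olevba); the point of the example is the combination check rather than any single indicator, since `AutoOpen` on its own is common in legitimate templates.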

AmiPro viruses

When working with a document, the AmiPro editor creates two files: the text of the document itself (with the .SAM extension) and an additional file containing the document macros and possibly other information (the .SMM extension). Both files have a simple format: they are plain text files in which the editable text and the control commands alike appear as ordinary text lines. Any macro from the SMM file can be associated with a document (the AssignMacroToFile command). Such a macro is the analogue of AutoOpen and AutoClose in MS Word and is called by the AmiPro editor when the file is opened or closed. AmiPro apparently has no way to put macros in a "global" area, so AmiPro viruses can only infect the system when an infected file is opened, not when the editor starts, as happens with MS Word once NORMAL.DOT is infected. Like MS Word, AmiPro allows system macros (e.g. SaveAs, Save) to be overridden with the ChangeMenuAction command. When an overridden function (menu command) is invoked, the infected macros, i.e. the virus code, take control.

Stealth viruses

Representatives of this class use various means to hide their presence in the system, usually by intercepting a number of system functions responsible for working with files. "Stealth" techniques make it impossible to detect the virus without special tools. The virus hides both the increase in length of the infected object (file) and its own body inside it, substituting the "healthy" part of the file for itself on the fly.

During a scan, anti-virus programs read data (files and system areas) from hard disks and floppies through the operating system and the BIOS. Stealth viruses, or invisible viruses, once running leave special modules in the computer's RAM that intercept programs' accesses to the disk subsystem. If such a module notices that a program is trying to read an infected file or an infected system area of the disk, it replaces the data being read on the fly and thus stays unnoticed, deceiving the anti-virus program.

Stealth viruses can also hide as threads inside system and other processes, which makes them much harder to detect: such a virus does not appear at all in the list of running processes.

There is a simple way to disable the stealth masking mechanism: boot the computer from a clean system diskette and scan it with an anti-virus program without running any programs from the computer's hard disk (they may be infected). The virus then never gets control and cannot install the resident module that implements the stealth algorithm, so the anti-virus reads what is actually written on the disk and detects the infection without difficulty.

Most anti-virus programs counter the attempts of stealth viruses to go unnoticed, but to leave them no chance at all the computer should be booted, before the scan, from a floppy disk that also carries the anti-virus programs. Many anti-viruses resist stealth viruses so effectively that they detect them by the very attempt to disguise themselves: they read the program files under inspection from disk in several different ways, for example through the operating system and directly through the BIOS, and if the results differ they conclude that a stealth virus is probably resident in RAM.
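The two countermeasures above (boot from clean media so the hook is never installed, or read each file through two channels and compare) can be modelled directly. The following is an added example, not code from the original page: a dictionary stands in for the disk, a function that strips the appended body from reads stands in for the resident interrupt hook, and the virus body, file names and contents are all constructed. The cross-view check compares length and a SHA-256 digest of every file as seen through the "OS" channel and the "BIOS" channel; any disagreement is exactly the symptom the text describes.

```python
"""Model of a resident stealth infector and the cross-view check: read every
file through two channels and flag any disagreement. The 'disk', the virus
body and the hook are constructed for this example."""
import hashlib
from typing import Callable, Dict, List

VIRUS_BODY = b"<constructed-virus-body>"   # appended to every infected file
Disk = Dict[str, bytes]
Reader = Callable[[str], bytes]


def infect(disk: Disk, name: str) -> None:
    """Append the virus body to a file (the raw, on-disk truth)."""
    if not disk[name].endswith(VIRUS_BODY):
        disk[name] += VIRUS_BODY


def raw_read(disk: Disk) -> Reader:
    """The 'BIOS' channel: returns what is really on the disk."""
    return lambda name: disk[name]


def hooked_read(disk: Disk) -> Reader:
    """The 'OS' channel once the stealth virus is resident: reads of infected
    files get the original bytes back, hiding both the length change and the body."""
    def read(name: str) -> bytes:
        data = disk[name]
        return data[:-len(VIRUS_BODY)] if data.endswith(VIRUS_BODY) else data
    return read


def signature_scan(read: Reader, names: List[str]) -> List[str]:
    """Naive scanner: looks for the virus body in whatever the read channel returns."""
    return [n for n in names if VIRUS_BODY in read(n)]


def cross_view_scan(os_read: Reader, bios_read: Reader, names: List[str]) -> List[str]:
    """Stealth detection: compare length and digest of each file as seen through
    the OS against the same file read directly from disk."""
    suspicious = []
    for n in names:
        a, b = os_read(n), bios_read(n)
        if len(a) != len(b) or hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            suspicious.append(n)
    return suspicious


def demo() -> Dict[str, List[str]]:
    """Constructed disk with one infected file, scanned three ways."""
    disk: Disk = {"COMMAND.COM": b"MZ" + bytes(64), "GAME.EXE": b"MZ" + bytes(128)}
    infect(disk, "GAME.EXE")
    names = sorted(disk)
    return {
        "os_view_scan": signature_scan(hooked_read(disk), names),   # virus resident: finds nothing
        "clean_boot_scan": signature_scan(raw_read(disk), names),   # booted from clean media
        "cross_view": cross_view_scan(hooked_read(disk), raw_read(disk), names),
    }


if __name__ == "__main__":
    for method, result in demo().items():
        print(f"{method:16s} -> {result}")
```

The same comparison is what modern rootkit detectors do when they diff a directory listing taken through the file-system API against one reconstructed from raw volume sectors; the channel that the intruder did not hook tells the truth.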

Polymorphic viruses

Polymorphic viruses are those that cannot be detected (or only with great difficulty) by so-called virus signatures: sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a variable key and a random set of decryptor instructions, or by changing the executable virus code itself. There are also more exotic examples of polymorphism: the "Bomber" DOS virus, for example, is not encrypted, but the sequence of commands that transfers control to the virus code is fully polymorphic.

Polymorphism of varying degrees of complexity is found in viruses of all types - from boot and file DOS viruses to Windows viruses and even macro viruses.

The term "polymorphic virus" raises the most questions. Viruses of this type are the hardest of all to detect.

Polymorphic viruses modify their code in infected programs in such a way that two instances of the same virus may not match in a single bit.

Such viruses not only encrypt their code with varying encryption schemes but also contain code that generates the encryptor and decryptor. This distinguishes them from ordinary encrypted viruses, which may also encrypt parts of their code but have a constant encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of the encryption is that even with an infected file and the original in hand, the virus code cannot be analysed by ordinary disassembly: the code is encrypted and reads as a meaningless set of instructions. Decryption is performed by the virus itself at run time, with several variants possible: it may decrypt itself all at once, decrypt "on the go" as it runs, or re-encrypt sections it has already finished with. All of this is done to make analysis of the virus code harder.

Polymorphic decryptors

Polymorphic viruses use complex algorithms to generate the code of their decryptors: instructions (or their equivalents) are swapped from infection to infection and diluted with commands that change nothing, such as NOP, STI, CLI, STC, CLC, DEC of an unused register, XCHG of unused registers, etc.

Full-fledged polymorphic viruses use even more complex algorithms, so that the decryptor may contain SUB, ADD, XOR, ROR, ROL and other operations in arbitrary number and order. Loading and changing the keys and other encryption parameters is also done by an arbitrary set of operations, in which almost all Intel processor instructions may occur (ADD, SUB, TEST, XOR, OR, SHR, SHL, ROR, MOV, XCHG, JNZ, PUSH, POP, ...) with all possible addressing modes. Polymorphic viruses have also appeared whose decryptor uses instructions up to the Intel 386, and in the summer of 1997 a 32-bit polymorphic virus infecting Windows 95 EXE files was discovered. There are now polymorphic viruses that also use the various instructions of modern processors.

As a result, the beginning of a file infected with such a virus holds a set of seemingly meaningless instructions, and some combinations that are perfectly valid are not accepted by commercial disassemblers (for example, the combination CS:CS: or CS:NOP). Among this "porridge" of commands and data, the instructions that actually do the work (MOV, XOR, LOOP, JMP) slip through only occasionally.

Levels of polymorphism

Polymorphic viruses are divided into levels according to the complexity of the code found in their decryptors. This division was first proposed by Dr. Alan Solomon and later extended by Vesselin Bontchev.

Level 1: viruses that have a fixed set of decryptors with constant code and select one of them at infection time. Such viruses are "semi-polymorphic" and are also called oligomorphic. Examples: "Cheeba", "Slovakia", "Whale".
Level 2: the virus decryptor contains one or more constant instructions, but the main part of it is variable.
Level 3: the decryptor contains unused instructions, "garbage" such as NOP, CLI, STI, etc.
Level 4: the decryptor uses interchangeable instructions and reorders (shuffles) instructions. The decryption algorithm does not change.
Level 5: all of the above tricks are used, the decryption algorithm is variable, the virus code may be re-encrypted and even part of the decryptor code itself may be encrypted.
Level 6: permutating viruses. The main code of the virus itself changes: it is divided into blocks that are rearranged in an arbitrary order at each infection, while the virus remains functional. Such viruses may be unencrypted.

The above division is not free of shortcomings, since it is made according to a single criterion: whether the virus can be detected from its decryptor code with the standard virus-mask technique:

Level 1: a few masks are enough to detect the virus
Level 2: mask detection using "wildcards"
Level 3: mask detection after removing the garbage instructions
Level 4: the mask contains several possible code variants, i.e. it becomes algorithmic
Level 5: the virus cannot be detected by a mask

The inadequacy of this division was demonstrated by a level-3 polymorphic virus called "Level3". This virus, one of the most complex polymorphic viruses, falls into level 3 of the above division because it has a constant decryption algorithm preceded by a large number of "garbage" commands. In this virus, however, the garbage generation algorithm has been brought to perfection: almost every i8086 instruction can be found in the decryptor code.

If the division into levels is made from the point of view of anti-viruses that use automatic decryption of the virus code (emulators), the levels depend instead on how hard the virus code is to emulate. A virus can also be detected by other methods, for example decryption using elementary mathematical laws, and so on.
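The decryptor description, the level list and the emulator remark above can be made concrete with a toy model. The following is an added example, not code from the original page: it defines a constructed two-byte instruction set (XOR, ADD, SUB, ROL, a NOP that serves as garbage, and an END marker), builds three "generations" of the same constant body behind different decryptors, and then runs the four detection techniques the text names against them: a plain signature on the raw bytes, a byte mask with wildcards for the variable operands (level 2), garbage removal before masking (level 3), and emulation of the decryptor to recover the constant body. The instruction set, samples and signature are all constructed for the example; nothing here is real virus code.

```python
"""Toy model of polymorphic decryptors versus signature, wildcard mask,
garbage stripping and emulation. Instruction set, samples and the
signature are constructed for this example."""
from typing import List, Optional, Tuple

# (opcode, operand) pairs; END terminates the decryptor, the encrypted body follows
XOR, ADD, SUB, ROL, NOP, END = 0x01, 0x02, 0x03, 0x04, 0x90, 0xFF
GARBAGE = {NOP}                          # instructions that leave the data unchanged
SIGNATURE = b"CONST-BODY-SIG"            # fixed bytes inside the decrypted body
Ops = List[Tuple[int, int]]


def _rol(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _apply(op: int, k: int, b: int) -> int:
    """Execute one decryptor instruction on one byte."""
    if op == XOR:
        return b ^ k
    if op == ADD:
        return (b + k) & 0xFF
    if op == SUB:
        return (b - k) & 0xFF
    if op == ROL:
        return _rol(b, k)
    return b                             # NOP: no effect on data


def _inverse(op: int, k: int, b: int) -> int:
    """The encryption step that undoes one decryptor instruction."""
    if op == ROL:
        return _rol(b, 8 - (k % 8))
    return _apply({ADD: SUB, SUB: ADD}.get(op, op), k, b)


def build_sample(ops: Ops, body: bytes) -> bytes:
    """Constructed helper: decryptor followed by the body encrypted so that
    running the decryptor instructions in order restores `body`."""
    enc = bytearray()
    for b in body:
        for op, k in reversed(ops):
            b = _inverse(op, k, b)
        enc.append(b)
    header = b"".join(bytes([op, k]) for op, k in ops) + bytes([END, 0])
    return header + bytes(enc)


def parse_decryptor(sample: bytes) -> Tuple[Ops, bytes]:
    ops: Ops = []
    i = 0
    while i + 1 < len(sample):
        op, k = sample[i], sample[i + 1]
        i += 2
        if op == END:
            return ops, sample[i:]
        ops.append((op, k))
    raise ValueError("decryptor has no END marker")


def emulate(sample: bytes) -> bytes:
    """Run the decryptor over the encrypted body, as an AV emulator would."""
    ops, enc = parse_decryptor(sample)
    out = bytearray()
    for b in enc:
        for op, k in ops:
            b = _apply(op, k, b)
        out.append(b)
    return bytes(out)


def raw_signature_scan(sample: bytes) -> bool:
    return SIGNATURE in sample


def mask_scan(sample: bytes, mask: List[Optional[int]]) -> bool:
    """Byte mask where None is a wildcard for a variable operand."""
    n = len(mask)
    return any(all(m is None or sample[i + j] == m for j, m in enumerate(mask))
               for i in range(len(sample) - n + 1))


def strip_garbage(sample: bytes) -> bytes:
    ops, enc = parse_decryptor(sample)
    kept = [(op, k) for op, k in ops if op not in GARBAGE]
    return b"".join(bytes([op, k]) for op, k in kept) + bytes([END, 0]) + enc


def emulated_scan(sample: bytes) -> bool:
    return SIGNATURE in emulate(sample)


# Constructed samples: the same body behind three generations of decryptor.
BODY = b"[[" + SIGNATURE + b"]]"
VARIANT_A = build_sample([(XOR, 0x5A), (ADD, 0x10)], BODY)                       # level 2: same ops, new keys
VARIANT_B = build_sample([(NOP, 0), (XOR, 0xC7), (NOP, 0), (ADD, 0x33)], BODY)   # level 3: garbage inserted
VARIANT_C = build_sample([(SUB, 0x21), (ROL, 3), (XOR, 0x0F)], BODY)             # level 5: algorithm changed
LEVEL2_MASK: List[Optional[int]] = [XOR, None, ADD, None, END]                   # "XOR ?? ADD ?? END"
```

Running the scans shows the progression the level list describes: the raw signature misses every variant; the wildcard mask catches A but not B until its NOPs are stripped; C defeats the mask entirely because the decryption algorithm itself changed; only emulation, which simply executes the decryptor and then looks at the result, catches all three. That is also why a real emulator has to worry about anti-emulation tricks and about viruses that decrypt "on the go" or re-encrypt finished sections, since the constant body may never exist in memory all at once.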

A more objective division therefore seems to me one in which other parameters take part alongside the virus-mask criterion:

the complexity of the polymorphic code (the percentage of all processor instructions that can occur in the decryptor code)
the use of anti-emulator tricks
whether the decryptor algorithm is constant
whether the decryptor length is constant

Changing the executable code

This method of polymorphism is most often used by macro viruses which, when creating new copies of themselves, randomly rename their variables, insert empty lines, or alter their code in some other way. The algorithm of the virus stays the same, but the virus code changes almost completely from one infection to the next.

Less commonly, the method is used by complex boot viruses. Such viruses write into the boot sector only a fairly short procedure that reads the main virus code from the disk and transfers control to it. The code of this procedure is chosen from several different variants (which can also be diluted with "empty" commands), its instructions are rearranged, and so on.

The technique is rarer still for file viruses, because they have to change their entire code, which requires rather complex algorithms. To date only two such viruses are known. One of them ("Ply") randomly moves its instructions around its body and replaces them with JMP or CALL instructions. The other ("TMC") uses a more complicated method: at each infection the virus swaps blocks of its code and data, inserts "garbage", sets new data offsets in its assembler instructions, changes constants, and so on. As a result, although the virus does not encrypt its code, it is polymorphic: there is no constant set of instructions in its code. Moreover, the virus changes its length when creating new copies of itself.

Viruses by type of destructive actions

By the type of destructive action, viruses can be divided into three groups:

Information viruses (viruses of the first generation)

The so-called first-generation viruses are all currently existing viruses whose actions are aimed at destroying, modifying or stealing information.

Hardware viruses (viruses of the second generation)

This type of virus can damage the computer hardware: for example, erase or corrupt the BIOS, or break the logical structure of the hard disk so badly that it can only be restored by low-level formatting (and not always even then). The only representative of this type, and the most dangerous virus of all that ever existed, is Win95.CIH, "Chernobyl". In its time this virus disabled millions of computers. It erased the BIOS program, rendering the computer unbootable, and it also overwrote the beginning of the hard disk (the partition table and file system structures), so that the data was almost impossible to recover.

No hardware viruses are currently known "in the wild", but experts still predict the emergence of new viruses of this kind that infect the BIOS. To protect against them, it is planned to fit every motherboard with a special jumper that blocks writing to the BIOS.

Psychotropic viruses (third generation viruses)

These viruses are said to be able to harm or even kill a person by acting on them through the monitor or the computer's speakers: by reproducing certain sounds at a given frequency, or certain flicker patterns of colours on the screen, psychotropic viruses could trigger an epileptic seizure (in people prone to them), cardiac arrest or a cerebral haemorrhage.

Fortunately, no such virus is known to actually exist to date, and many experts doubt that this type of virus can exist at all. One thing is certain, though: techniques for influencing a person through sound or images have long existed (not to be confused with the "25th frame"), and it is easy to provoke a seizure in a person prone to epilepsy. A few years ago some media made a fuss about a new virus called "666". After every 24 frames this virus supposedly displays on the screen a special colour combination that can change the viewer's life: the person falls into a hypnotic trance and the brain loses control over the body, which can lead to illness, changes in heart rhythm, blood pressure and so on. Such colour combinations are not prohibited by law today, so they can appear on the screen quite legally, even though the results of their impact could be disastrous for all of us.

An example of such an effect is the "Pokemon" cartoon: after one episode was shown in Japan, hundreds of children ended up in hospital with severe headaches and seizures. The episode contained frames with a bright sequence of a particular colour palette, typically red flashes on a black background in a certain pattern. After the incident the episode was never broadcast again in Japan.

One more example can be given. Everyone probably remembers what happened in Moscow after the broadcast of the match between the Russian team and the Japanese team (if I am not mistaken). All that was shown on the big screen was a video of a man smashing a car with a bat. This too is a psychotropic effect: having seen the video, "people" began to destroy everything and everyone in their path.

Materials and data were taken from the resources:
http://www.stopinfection.narod.ru
http://hackers100.narod.ru
http://broxer.narod.ru
http://www.viruslist.com
http://logic-bratsk.ru
http://www.offt.ru
http://www.almanet.info
