Briefly describe the similarities and differences between viruses and trojans, and the representative incidents of each.
Trojan horses, like viruses, worms and backdoor programs, are subcategories of malicious programs.
Differences:
A computer virus has the following characteristics: infectivity, concealment, latency, triggerability, derivation (it spawns variants) and destructiveness.
Viruses are the earliest kind of malicious computer program.
So we compare the virus with the other types of malicious programs to understand the differences.
First, the Trojan horse you asked about:
Trojan horses are not contagious. A trojan does not turn normal files into trojans, whereas a virus can infect normal files and turn them into carriers or media for its transmission.
Trojan horses neither hide nor lurk. The trojan program is visible to us; it does not conceal itself and does not launch regular attacks through other mechanisms such as system interrupts, as viruses do. A trojan is simply disguised as the normal program you want to use, and it may even have all the functions of that normal program. While you use those normal functions, the trojan carries out its attack at the same time.
Trojan horses are not destructive. A pure trojan aims at stealing user data and obtaining user information; it does not destroy the user's system.
From the above points, you can clearly see the difference between Trojan horse and virus.
Worms do not infect files, hide, or destroy computers. They cause instability or even system crashes by congesting the network or maliciously consuming user resources.
A backdoor program is itself a normal program; because of some malicious design or negligence, these normal programs are left with loopholes that can be used to damage computers, and so they become backdoor programs. The Storm video player backdoor incident that made headlines some time ago was a backdoor induced by commercial interests, and in the end it was exploited by hackers and caused great damage.
Although there are differences, these differences are only theoretical definitions. Trojan authors do not refrain from writing trojans that destroy computers just because, by definition, trojans are not destructive. In fact, such trojans already exist; they are really a hybrid of trojan and virus. Similarly, there are hybrids of worms and viruses, and there are backdoors, trojans and viruses that chain together into an automatic-download attack program and work in concert. So these differences can only be understood in principle, and the boundaries between them are gradually blurring.
As for the representative events:
The traditional classification of computer viruses is based on the type of infection. The following is a brief introduction to each type:
Boot sector type
Michelangelo virus: lurks for a year and is very hard to deal with (I don't understand this)
File type
(1) Non-resident type: Data Crime II (Data Blackie): low-level formats the hard disk, highly destructive to data
(2) Resident type: Friday 13 (Black Friday): "Bright" gives details.
Multipartite type
Flip: the screen flips upside down at 4 pm sharp.
Stealth type
Frodo virus: "poisons" the file allocation table
Polymorphic (thousand-faced) type
PE_Marburg: set off a global "war game"
File macro type
Taiwan No. 1 file macro virus: a big test of mathematical ability
Trojan horse virus and computer worm type
"ExploreZip Adventure Bug": has the ability to "regenerate after startup" and cause "immediate chain destruction".
Computer virus
Nimda: went through the back door, hijacked mail and paralyzed the Internet.
Understand computer viruses and hackers
2.1 Boot sector virus:
A boot sector virus hides in the first sector of a floppy or hard disk. Because of the architecture of DOS, the virus is loaded into memory before the operating system every time the machine is turned on. This lets the virus take complete control of the various DOS interrupts, giving it stronger infection and destruction capability.
@ Example:
Michelangelo virus: lurking for a year, "hard" is a must.
Date of onset: March 6.
Discovery date: 1991.3
Origin: Sweden (also said to be Taiwan).
Symptoms: Michelangelo is a typical boot sector virus. It specializes in invading the partition table and boot sector of the hard disk and the boot sector of floppy disks, and it stays resident in system memory, waiting for an opportunity to infect the floppy disks you use. In fact, there is only one way to catch Michelangelo: an improper boot. If the floppy in the drive happens to be infected with Michelangelo, the virus seizes the chance to enter your computer's hard disk whether or not the boot succeeds. Usually the computer then appears quite normal. If the user sees a black screen when turning on the computer on March 6, the hard disk's data has said goodbye.
Historical significance: before file macro viruses rose to prominence, it held the throne of most destructive virus king for several years running.
2.2 File virus:
File viruses are usually parasitic in executable files (such as *.COM and *.EXE). When such a file is executed, the virus program runs. File viruses are divided into non-resident and resident types according to their mode of infection:
(1) Non-memory-resident virus:
Non-resident viruses are parasitic in *.COM or *.EXE files. When such a program is executed, the virus tries to infect one or more other files.
@ Example:
Data Crime II (Data Blackie): low-level formats the hard disk, highly destructive to data
Date of onset: October 12 to December 31.
Date of discovery: 1989.3
Origin: Netherlands
Symptoms: Every year between October 12 and December 31, except on Mondays, Data Crime II displays "* DATACRIME II VIRUS *" on the screen.
Then, after low-level formatting cylinder 0 of the hard disk (heads 0 to 8), you hear a beep and the machine crashes; the data can never be recovered.
Historical significance: although called a killer, it is now almost extinct.
(2) Memory-resident virus:
Resident viruses hide in memory and hook various low-level functions (such as interrupts). For that reason, resident viruses usually do more damage to disks. Once a resident virus is in memory, every executable file that is run gets infected, and the effect is very noticeable. The only way to get it out of memory is a cold start (shut the machine down completely and then turn it back on).
@ Example:
Friday 13 (Black Friday): "Bright" gives details.
Date of onset: every Friday the 13th.
Date of discovery: 1987
Origin: South Africa
Symptom: When Friday the 13th arrives, the Black Friday virus deletes any infected file you try to execute. The virus infects quite quickly, and the only symptom of infection is that the disk drive light stays on. Registered variants of the Friday 13 virus include Edge, Friday 13-540c, Friday 13-978, Friday 13-B, Friday 13-C and Friday. Their behaviour is almost the same; the Friday 13-C variant, when it infects a file, displays a line of polite words on the screen: "We hope we didn't infect you".
Historical significance: added more dark elements to the legend of Friday the 13th.
2.3 Multipartite virus:
A multipartite virus has the characteristics of both the boot sector virus and the file virus. It can infect *.COM and *.EXE files and also the boot sector of the disk. Because of this, the virus is highly contagious, and once it is triggered the damage is considerable!
@ Example:
Flip: the screen flips upside down at 4 pm sharp.
Date of onset: 2nd of each month.
Date of discovery: 1990.7
Origin: Switzerland (also said to be West Germany)
Symptoms: On the 2nd of every month, if you boot from an infected floppy or hard disk, the screen is flipped horizontally between 16:00 and 16:59.
Historical significance: the first virus with a special-effects payload.
2.4 Stealth virus:
A stealth virus is also called an interrupt interceptor. As the name implies, it takes control of the DOS interrupt vectors, "pseudo-restores" every infected file on access, and hands a "seemingly identical" file back to DOS.
@ Example:
Frodo: "poisons" the file allocation table
Nickname: 4096
Discovery date: 1990.1
Date of onset: September 22 to December 31.
Origin: Israel
Symptoms: The 4096 virus likes to infect .COM, .EXE and .OVL files. As its name implies, the length of an infected file grows by 4,096 bytes. It infects data files and executable files (including .COM and .EXE) as well as overlay files such as .OVL. When an infected file is executed, it is noticeably slower because the FAT (file allocation table) has been corrupted. In addition, between September 22 and December 31 it causes the system to crash.
Historical significance: Even if you check an infected file with the DIR command, its length and date appear unchanged. It is truly the originator of the camouflage show.
2.5 Thousand-faced virus (polymorphic/mutant virus):
The terrible thing about this virus is that every time it reproduces, it spreads to the next location with a different virus code. Each infected file contains a different virus pattern, which is undoubtedly a severe test for antivirus software that scans for fixed virus patterns! Some advanced viruses have thousands of faces, and it is almost impossible to find two copies with the same virus code.
@ Example:
PE_Marburg: set off a global "war game"
Date of onset: not fixed (3 months after infection)
Date of discovery: 1998.8
Origin: England
Symptoms: If the time at which an application infected with the Marburg virus is executed exactly matches the time of the initial infection (for example, the poisoning time is1September 51am, and if the application software is1February 65438 165438 am), the Marburg virus is triggered.
Historical significance: a popular computer CD game was singled out and poisoned. In August 1998 the hugely popular MGM/EA "War Game" spread the virus rapidly because one of its files had accidentally been infected with Marburg.
Three months after infection with PE_Marburg, a cluster of "X" symbols appears scattered randomly across the desktop.
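The file virus section above says an infected executable grows (by 4,096 bytes in Frodo's case), the stealth section says a virus can hide that growth from DIR, and the polymorphic section says fixed-pattern scanners miss variants whose code differs. The following Python is an added example written for this page, not code from the original answer or from any antivirus product: it keeps a baseline of size and SHA-256 for each file (read from a clean boot, so the stealth interception is not in play) and compares that with a fixed-pattern scan. The file contents, the `DEMO_SIGNATURE` pattern and the `simulate_appending_infection` helper are all constructed, inert placeholders.

```python
import hashlib

# Constructed sample "files" (name -> bytes). Inert placeholders, not real
# executables and not real virus code.
CLEAN_FILES = {
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" + b"E" * 200,
    "GAME.EXE": b"MZ" + b"G" * 500,
    "README.TXT": b"plain text, not executable",
}

# Assumed fixed pattern standing in for what a signature scanner looks for.
DEMO_SIGNATURE = b"DEMO-PARASITE-MARKER"
# The 4,096-byte growth the page attributes to the Frodo/4096 virus.
APPENDED_GROWTH = 4096


def baseline(files):
    """Record size and SHA-256 of every file: the trusted reference snapshot."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def integrity_check(base, files):
    """Compare current files with the baseline; report size or content changes.

    Size is checked first because a 4,096-byte growth is the cheapest tell;
    the hash catches modifications that keep the size unchanged.
    """
    findings = []
    for name, data in files.items():
        if name not in base:
            findings.append((name, "new file"))
            continue
        size, digest = base[name]
        if len(data) != size:
            findings.append((name, f"size changed by {len(data) - size:+d} bytes"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "content changed, size unchanged"))
    return findings


def signature_scan(files, signature=DEMO_SIGNATURE):
    """Fixed-pattern scan: flags only files containing the exact known pattern."""
    return sorted(name for name, data in files.items() if signature in data)


def simulate_appending_infection(files, victims, marker=DEMO_SIGNATURE):
    """Build an 'after' snapshot by appending a 4,096-byte inert block to victims.

    Passing a different marker models a polymorphic variant whose appended
    code no longer contains the pattern the scanner knows.
    """
    padding = marker + b"\x90" * (APPENDED_GROWTH - len(marker))
    after = dict(files)
    for name in victims:
        after[name] = files[name] + padding
    return after


if __name__ == "__main__":
    base = baseline(CLEAN_FILES)
    # GAME.EXE carries the known pattern; EDIT.COM carries a mutated one.
    after = simulate_appending_infection(CLEAN_FILES, ["GAME.EXE"])
    after = simulate_appending_infection(after, ["EDIT.COM"], marker=b"OTHER-PATTERN-XYZ")
    print("signature scan flags:", signature_scan(after))
    for name, why in integrity_check(base, after):
        print(f"integrity check: {name}: {why}")
```

The signature scan reports only GAME.EXE, because EDIT.COM's appended block carries a different pattern, while the integrity check reports both files as 4,096 bytes larger than the baseline and leaves README.TXT alone. That is the defender's lesson of the polymorphic section: a baseline of what files should look like does not depend on recognising the virus code.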
2.6 Macro virus:
Macro viruses exploit the macro capability provided by the application itself, so any software with macro support, such as Word, Excel or AmiPro, may host macro viruses.
@ Example:
Taiwan No. 1 file macro virus: a big test of mathematical ability
Date of onset: the 13th of every month.
Date of discovery: 1996.2
Origin: Taiwan.
Symptom: It poses a multiplication problem that is hard to work out and demands the correct answer. Each wrong answer automatically opens 20 files and is followed by the next question, until system resources are exhausted.
Historical significance: 1. The first file macro virus from Taiwan. 2. In March 1997 it knocked Michelangelo (1996 Heizai) off the throne of virus king and took its place. 3. It is listed in the "in the wild" virus database of ICSA (International Computer Security Association); any virus that is hard to tame and vicious gets onto this blacklist.
2.7 Trojan horse virus and computer worm
There is a certain degree of interdependence between trojans and computer worms, and more and more viruses combine the destructive power of these two types at once, doubling their destructive power.
The disguise of the Trojan horse program
The trojan virus is a new breed that has emerged in recent years. To help readers understand the true face of this kind of virus, let's first look at the short story of the "Trojan horse massacre":
It is said that the romantic Prince of Troy, unable to restrain himself after meeting a beautiful married woman, the Greek queen, carried her off to Troy, which triggered the ten-year Trojan War. But after nine years of fighting, why was the final year decided by a wooden horse? Seeing that Troy could not be taken after so long, the Greeks built a huge wooden horse and planned to "take the city with a horse"! Inside it the Greeks carefully hid a band of fearless warriors, and then feigned a retreat after defeat as bait to lure the enemy. Sure enough, the Trojans, giddy at the good news of the enemy's retreat, never suspected a plot; that night they dragged the horse into the city and planned a joyous celebration feast. Unbeknownst to them, just as everyone was drinking and celebrating, the elite warriors inside the horse had quietly opened the gates and attacked from the inside out. In an instant a beautiful city became a heap of rubble and scorched earth and disappeared from history.
Later, programs that disguise themselves as some kind of application to entice users to download or execute them, and then destroy the user's computer data, cause the user inconvenience or steal important information, came to be called "Trojan horse" programs or "Trojan horse" viruses.
Trojan horse programs do not infect other files the way traditional computer viruses do. A trojan usually enters the user's computer by some special route and then waits for an opportunity to carry out its malicious behaviour, such as formatting disks, deleting files or stealing passwords.
Computer worms crawl across the network.
Computer worms may not have been familiar to everyone in the past, but in recent years we hear about them often. As the name implies, a worm is malicious program code that crawls through the computer network, from one computer to the next, over the local area network or by e-mail. The most famous computer worm case is "ILOVEYOU" (the love worm). "MELISSA", for example, is a combination of "computer virus" and "computer worm": this vicious program not only infects Word's Normal.dot (a computer virus characteristic) but also spreads widely through Outlook e-mail (a computer worm characteristic).
In fact, single-type malicious programs are becoming rarer and rarer in the real world. Many malicious programs not only have the characteristics of traditional viruses but also combine "Trojan horse programs" and "computer worms", resulting in greater impact. A well-known case is "ExploreZip". ExploreZip overwrites important files on remote computers on the local area network (a trojan characteristic) and installs itself on remote computers through the local area network (a computer worm characteristic).
@ Example:
"ExploreZip Adventure Bug": has the ability to "regenerate after startup" and cause "immediate chain destruction".
Date of onset: not fixed
Date of discovery: 1999.6.14
Origin: Israel
Symptoms: This trojan virus spreads through the e-mail system. Unlike the Melissa virus, it is destructive as well as self-spreading. After a computer is infected, whenever another user sends e-mail to the infected user, the infected computer, without the user's knowledge, uses Microsoft's MAPI functions to automatically send the virus "zipped_files.exe" as an attachment back to whoever sent the message. The mail the other party receives reads as follows: Hi