Resident viruses: what they are and how to get rid of them. Computer viruses

Most users have come across the concept of computer viruses at least once in their life. What fewer people know is that the classification of threats essentially consists of two large categories: non-resident and resident viruses. Let us dwell on the second class, since its representatives are the most dangerous and sometimes cannot be removed even by formatting a disk or logical partition.

What are resident viruses?

So what is the user dealing with? To explain in simplified form the structure and principles of operation of such viruses, it is worth first explaining what a resident program is in general.


This type of program is understood to include applications that run constantly in a monitoring mode without explicitly displaying their actions (standard anti-virus scanners, for example). As for the threats that penetrate computer systems, they not only remain permanently in the computer's memory but also create duplicates of themselves. Thus copies of the virus constantly monitor the system and move around in it, which makes them difficult to find. Some threats can also change their own structure, so that detecting them by generally accepted methods becomes almost impossible. A little later we will consider how to get rid of viruses of this type; for now, let us dwell on the main varieties of resident threats.

DOS threats

Initially, before there was any mention of Windows or UNIX-like systems and the user interacted with the computer at the command-line level, the DOS "OS" appeared, which remained at the peak of popularity for quite a long time.


And it was for such systems that non-resident and resident viruses first began to be created; their actions were initially aimed at disrupting the system's operation or deleting user files and folders.

The principle of operation of such threats, which, by the way, is widely used to this day, is that they intercept file access and then infect the object being called. Indeed, most of the threats known today work in precisely this way. Such viruses infiltrate the system either by creating a resident module in the form of a driver that is specified in the Config.sys system configuration file, or by using the special KEEP function to track interrupts.

The situation is worse when resident viruses of this type allocate areas of system memory for themselves. What happens is that the virus first "cuts off" a piece of free memory, then marks this area as occupied, and then saves its own copy in it. Saddest of all, there are cases when copies have been found in video memory, in areas reserved for the clipboard, in interrupt vector tables, and in DOS work areas.

All this makes copies of such threats so tenacious that, in contrast to non-resident viruses, which work only while some program or the operating system itself is running, they are able to reactivate even after a reboot. In addition, when an infected object is accessed, the virus is able to create its own copy even in RAM. As a result, the computer freezes instantly. As is already clear, the treatment of viruses of this type should be carried out with special scanners, preferably not installed ones but portable ones, or those that can boot from optical disks or USB drives. But more on that later.

Boot threats

Boot viruses enter the system by a similar method. They simply behave, as they say, more subtly: first "eating" a piece of system memory (usually 1 KB, though sometimes this figure can reach a maximum of 30 KB), then registering their own code there in the form of a copy, and then starting to demand a reboot. This has negative consequences, since after the restart the virus restores the reduced memory to its original size, and its copy ends up outside system memory.


In addition to tracing interrupts, such viruses can write their own code into the boot sector (the MBR). BIOS and DOS hooks are used less often, and the viruses themselves are loaded once, without checking for an existing copy of themselves.

Windows viruses

With the advent of Windows-based systems, virus development, unfortunately, reached a new level. Today it is Windows of any version that is considered the most vulnerable system, despite the efforts made by Microsoft specialists in developing security modules.


Viruses designed for Windows operate on principles similar to DOS threats, but there are many more ways for them to get into a computer. Of the most common, three main ones are distinguished, by which the virus can register its own code in the system:

  • registering the virus as the currently running application;
  • allocating a memory block and recording its own copy in it;
  • working in the system under the guise of a VxD driver, or disguising itself as a Windows NT driver.

In principle, infected files or areas of system memory can be cured using the standard methods employed by anti-virus scanners (detection by virus mask, comparison with signature databases, and so on). However, if simple free programs are used, they may fail to detect the virus, and sometimes even give a false positive. It is therefore better to use portable utilities like those from Doctor Web (in particular, Dr.Web CureIt!) or Kaspersky Lab products. That said, quite a few utilities of this type can be found today.

Macro viruses

Here we have another kind of threat. The name comes from the word "macro", that is, an executable applet or add-on used in some editors. It is not surprising that the virus launches when the program starts (Word, Excel, etc.), when an office document is opened or printed, when menu items are called up, and so on.


Such threats, in the form of system macros, are kept in memory for the whole time the editor is running. But in general, if we consider the question of how to get rid of viruses of this type, the solution is quite simple. In some cases even simply disabling add-ons or the running of macros in the editor helps, as does activating the antivirus protection for applets, not to mention the usual quick scan of the system with an antivirus package.

Viruses based on stealth technology

Now let us look at camouflaged viruses, which did not get their name from the invisible aircraft for nothing.


The essence of their functioning lies precisely in the fact that they impersonate a system component, and identifying them in the usual way is sometimes quite difficult. Among such threats one can find macro viruses, boot threats, and DOS viruses. It is believed that stealth viruses have not yet been developed for Windows, although many experts claim that this is just a matter of time.

File varieties

In general, all viruses can be called file viruses, since in one way or another they affect the file system and files, either by infecting them with their own code, by encrypting them, or by making them inaccessible through corruption or deletion.


The simplest examples are modern ransomware viruses, as well as the infamous I Love You. With these, without the special decryption keys, treating the virus is not only difficult but often impossible altogether. Even leading anti-virus developers shrug, because, unlike modern AES256 encryption systems, AES1024 technology is used here. You understand that, judging by the number of possible keys, decryption could take more than a dozen years.

Polymorphic threats

Finally, there is another kind of threat in which the phenomenon of polymorphism is applied. What does it consist of? The fact is that such viruses constantly change their own code, and this is done on the basis of a so-called floating key.

In other words, it is impossible to identify the threat by a mask, because, as we see, not only its code-level structure changes but also the key for decryption. To combat such problems, special polymorphic decryptors are used. True, as practice shows, they are able to decrypt only the simplest viruses; more complex algorithms, alas, are in most cases beyond their reach. It is worth mentioning separately that a change in the code of such viruses is accompanied by the creation of copies of reduced length, which can differ quite significantly from the original.
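The "detection by virus mask" mentioned in the Windows section and the reason a floating key defeats it, as an added defender-side illustration that is not part of the original article: a tiny scanner that matches hex masks with "??" wildcards, run over constructed byte buffers (the mask, the family name and all sample bytes are made up for the example, not real signatures).

```python
"""Wildcard 'virus mask' scanner: shows that a mask with ?? wildcards still
matches copies whose variable bytes differ, while a body re-encoded under a
different key shares no fixed bytes with the mask and is missed.
All patterns below are constructed for illustration (hypothetical family)."""
import re

# A mask is written like a hex dump; "??" marks a byte that varies between copies.
MASKS = {
    "Demo.Family.A": "B8 ?? ?? CD 21 C3",   # constructed, not a real signature
}

def compile_mask(mask: str) -> re.Pattern:
    """Turn 'B8 ?? ?? CD 21 C3' into a bytes regex; '??' matches any single byte."""
    parts = []
    for tok in mask.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, masks=MASKS) -> list[str]:
    """Return the names of every mask that matches somewhere in buf."""
    return [name for name, m in masks.items() if compile_mask(m).search(buf)]

def xor_body(body: bytes, key: int) -> bytes:
    """Model of a 'floating key': the same body under another key is a
    different byte sequence, so fixed mask bytes no longer line up."""
    return bytes(b ^ key for b in body)

# Constructed samples: fixed bytes identical, wildcard positions differ.
STABLE_BODY = bytes.fromhex("B8 00 4C CD 21 C3")
VARIANT     = bytes.fromhex("B8 1A 2B CD 21 C3")
CLEAN       = b"\x90" * 6 + b"\xC3"

def demo() -> dict[str, list[str]]:
    """Scan each sample and report which masks fired."""
    return {
        "stable":    scan(b"\x90\x90" + STABLE_BODY),
        "variant":   scan(b"\x90\x90" + VARIANT),
        "poly_0x5A": scan(xor_body(STABLE_BODY, 0x5A)),  # re-keyed body: mask misses
        "clean":     scan(CLEAN),
    }

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:10s} -> {hits or 'no match'}")
```

Real scanners pair such masks with a decryptor-stub signature or emulation, which is what the "polymorphic decryptors" in the text refer to.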

How to deal with resident threats

Finally, we turn to the question of combating resident viruses and protecting computer systems of any complexity. The easiest way to protect yourself is to install a standard anti-virus package, but it is better not to use free programs and instead use at least shareware (trial) versions from developers like Doctor Web, Kaspersky Anti-Virus, ESET NOD32, or programs like Smart Security if the user works constantly with the Internet.


However, even in this case no one is guaranteed that a threat will not penetrate the computer. If this has happened, portable scanners should be used first, but it is better to use Rescue Disk utilities. With their help you can load the program's interface and scan before the main operating system starts (viruses can create and store their own copies in the system and even in RAM).

And one more thing: it is not recommended to use software like SpyHunter, since afterwards it will be problematic for an inexperienced user to get rid of the package itself and its associated components. And, of course, do not immediately delete infected files or try to format the hard drive. It is better to leave the treatment to professional antivirus products.

Conclusion

It remains to add that the above covers only the main aspects relating to resident viruses and the methods of combating them. After all, if you look at computer threats in a global sense, so to speak, such a huge number of them appear every day that the developers of security tools simply do not have time to come up with new methods to combat such misfortunes.

Source: https://habr.com/ru/post/C3195/
