tailieunhanh - the giant black book of computer viruses part 4

You will learn how virus writers exploit bugs in programs such as Outlook Express to get their code executed without your consent. You will learn this program is very similar to a Windows program,

The Giant Black Book of Computer Viruses, pp. 194-195 (Multi-Partite Viruses)

The MP as a Boot Sector Virus

MP is a multi-sector boot sector virus similar to the BBS. When loaded from a boot sector, it goes resident by reducing the amount of memory allocated to DOS by manipulating the memory size at 0:413H. When the boot sector is executed, MP tries to infect the hard disk, replacing the original master boot sector with its own and placing the body of its code in Track 0, Head 0, Sectors 2 through VIR_SIZE+1. The original master boot sector is then put in Sector VIR_SIZE+2. When Military Police goes resident, it hooks Interrupt 13H and infects floppy disks as they are accessed. On floppies, it places its code in a free area on the diskette and marks the clusters it occupies as bad.

So far, MP is similar to BBS. Where it departs from BBS is that it will, if it can, turn itself into an ordinary TSR program, and it will also infect EXE files while it's in memory.

The MP Turns TSR

A boot sector virus which goes resident by adjusting the memory size at 0:413H may work perfectly well, but going resident in that manner is easily detected, and an alert user should be able to pick up on it. For example, running the CHKDSK program when such a virus is resident will reveal that not all of the expected memory is there. On a normal system with 640K memory, CHKDSK will report memory something like this:

    655,360 total bytes memory
    485,648 bytes free

If the "total bytes memory" suddenly decreases, a virus is a likely cause. There is no reason, however, that a boot sector virus has to stay in this memory area indefinitely. If it can survive a DOS boot-up, then it can integrate itself into DOS and disappear into the woodwork, so to speak.
The MP virus does exactly this. It grabs a time stamp from the system clock at 0:46CH and then waits DELAYCNT seconds (set to 30 here). As soon as Interrupt 13H is called after this delay, the virus installs an Interrupt 21H hook. One purpose of this Interrupt 21H hook is to .
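
The memory-size symptom described above can be checked directly instead of through CHKDSK. The following is an added example, not code from the book: it takes a snapshot of the first 0x500 bytes of real-mode memory, reads the word at 0:413H, and also tests whether the Interrupt 13H vector points into memory withheld from DOS. The function names, the 4K shortfall and the vector values in the samples are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BDA_MEM_KB 0x413      /* 0:413H: base memory size in KB, 16-bit word */
#define IVT_INT13  (0x13 * 4) /* 0:4CH: INT 13H vector, offset then segment */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }

/* "total bytes memory" as CHKDSK would show it for this snapshot. */
uint32_t total_bytes(const uint8_t *low) { return (uint32_t)rd16(low + BDA_MEM_KB) * 1024u; }

/* KB missing versus the installed base memory. A BIOS that reserves an
   extended BIOS data area also lowers this word, so a shortfall alone is
   only a lead, not proof. */
int missing_kb(const uint8_t *low, unsigned installed_kb) {
    return (int)installed_kb - (int)rd16(low + BDA_MEM_KB);
}

/* 1 if the INT 13H handler sits in the gap between the memory top reported
   to DOS and the installed top: disk I/O routed through hidden memory. */
int int13_in_hidden_gap(const uint8_t *low, unsigned installed_kb) {
    uint32_t handler = ((uint32_t)rd16(low + IVT_INT13 + 2) << 4) + rd16(low + IVT_INT13);
    return handler >= total_bytes(low) && handler < installed_kb * 1024u;
}

/* Constructed samples: 0 = clean (640K, vector in BIOS ROM),
   1 = 4K withheld and INT 13H pointing into the withheld area. */
const uint8_t *sample_snapshot(int hooked) {
    static uint8_t low[2][0x500];
    hooked = !!hooked;
    memset(low[hooked], 0, sizeof low[hooked]);
    wr16(low[hooked] + BDA_MEM_KB, hooked ? 636 : 640);
    wr16(low[hooked] + IVT_INT13, hooked ? 0x0120 : 0xEC59);
    wr16(low[hooked] + IVT_INT13 + 2, hooked ? 0x9F00 : 0xF000);
    return low[hooked];
}

int main(void) {
    for (int i = 0; i < 2; i++) {
        const uint8_t *s = sample_snapshot(i);
        printf("total=%lu missing=%dK int13_in_gap=%d\n",
               (unsigned long)total_bytes(s), missing_kb(s, 640), int13_in_hidden_gap(s, 640));
    }
    return 0;
}
```

Both checks rely on the virus still occupying the memory it withheld; once a virus has moved into an ordinary TSR block, as the text describes for MP, neither symptom remains.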
