What are the special computer viruses in history?
The earliest computer virus

On November 3, 1983, American computer experts first put forward the concept of the computer virus and verified it.

In 1987, computer viruses were mainly boot viruses, represented by the "Small Ball" and "Stone" viruses. At that time, computers had little hardware and simple functions, and generally had to be started from a floppy disk before they could be used. Boot viruses work by exploiting the floppy-disk startup process: they modify the boot sector of the system, gain control first when the computer starts, reduce the system memory, modify the disk read-write interrupt, and reduce system efficiency. In 1989, boot viruses became able to infect hard disks; the typical example is "Stone 2".

DOS executable stage (1989). Executable file viruses appeared. They use the mechanism by which DOS loads and executes files, and are represented by the "Jerusalem" and "Sunday" viruses. The virus code gains control when the system executes the file, modifies the DOS interrupt, infects when system calls are made, and attaches itself to the executable file, thus increasing the file length. In 1990, these developed into composite viruses, which can infect both COM and EXE files.

Companion and batch stage (1992). Companion viruses appeared, which work by exploiting the priority order in which DOS loads files. The representative virus is "Golden Cicada". When it infects an EXE file, it generates a companion with the same name as the EXE but with the extension COM. When it infects a COM file, it changes the original COM file into an EXE file with the same name, and then produces a companion with the same name and the extension COM. In this way, when DOS loads the file, the virus gains control. This kind of virus does not change the content, date or attributes of the original file, so removing it only requires deleting the companion. In non-DOS operating systems, some companion viruses work by using the description language of the operating system. The typical example is the "Pirate Flag" virus: when executed, it asks for the user name and password, then returns an error message and deletes itself. Batch viruses are viruses that work under DOS and are similar to the "Pirate Flag" virus.

Ghost and polymorphic stage (1994). With the development of assembly language, the same function can be implemented in different ways, and combining these ways lets seemingly random code produce the same result. Ghost viruses take advantage of this, so each infection produces different code. For example, the "semi-" virus generates a piece of data with hundreds of millions of possible decoding algorithms. The virus body is hidden in the data before decoding, and the data must be decoded to find this kind of virus, which makes detection harder. Polymorphic viruses are comprehensive viruses that can infect both the boot area and the program area. Most have decoding algorithms, and a single virus often needs more than two subroutines to be removed.

Generator and variant machine stage (1995). In assembly language, some data operations can be placed in different general-purpose registers and still compute the same result, and empty operations and irrelevant instructions can be inserted at random without affecting the result. In this way, a generator can produce a decoding algorithm. When what the generator produces is a virus, the result is a complex "virus generator"; the variant machine only increases the complexity of decoding. The typical representative of this stage is the "virus maker" VCL, which can make thousands of different viruses in an instant. Traditional signature matching cannot be used to find them, so it is necessary to analyze the instructions at a macro level and search for the virus after decoding.

Network and worm stage (1995). With the popularity of networks, viruses began to spread through them, which was only an improvement on previous generations of viruses. In non-DOS operating systems, the "worm" is the typical representative. It occupies no resources except memory, does not modify disk files, uses network functions to search for network addresses and propagates itself to the next address, and sometimes exists in network servers and startup files.

Windows stage (1996). With the increasing popularity of Windows and Windows 95, viruses that work under Windows began to develop. They modify NE and PE files; the typical representative is DS.3873. Such viruses have complicated mechanisms: they work in protected mode through API call interfaces, and their removal is also complicated.

Macro virus stage (1996). As the functions of Word on Windows were enhanced, viruses could also be written in Word's macro language. Such viruses use a language similar to Basic, are easy to write, and infect files such as Word documents. Viruses with the same working mechanism in Excel and AmiPro also belong to this category. Because the Word document format is not public, these viruses are difficult to detect.

Internet stage (1997). With the development of the Internet, various viruses began to spread through it, and more and more data packets and emails carried viruses. If such an email is accidentally opened, the machine may be infected.

Java and mail bomb stage (1997). With the popularity of Java on the World Wide Web, viruses that use the Java language to spread and obtain information began to appear; the typical representative is the JavaSnake virus. There are also viruses that use mail servers to spread and cause damage, such as mail bomb viruses, which seriously affect the efficiency of the Internet.
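
The companion stage described above leaves a simple on-disk trace: a COM file sitting beside a same-named EXE, which DOS loads first. The following check is an added example, not part of the original page; it assumes the DOS load order COM, EXE, BAT, and its function names and sample file names are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Order in which DOS tries extensions for a bare command name.
DOS_LOAD_ORDER = [".com", ".exe", ".bat"]

def find_shadowed_programs(root):
    """Return sorted (directory, file_that_runs, file_it_shadows) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)          # stem -> {ext: real filename}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in DOS_LOAD_ORDER:
                by_stem[stem.lower()][ext.lower()] = name
        for exts in by_stem.values():
            present = [e for e in DOS_LOAD_ORDER if e in exts]
            for loser in present[1:]:
                findings.append((dirpath, exts[present[0]], exts[loser]))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: empty files standing in for DOS programs."""
    os.makedirs(os.path.join(root, "SUB"))
    for rel in ["EDIT.EXE", "EDIT.COM",      # companion pair: COM shadows EXE
                "TOOL.EXE",                  # no same-named sibling
                "RUN.BAT", "run.exe",        # names compared case-insensitively
                "SUB/TOOL.COM"]:             # other directory: not a pair
        open(os.path.join(root, rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, runs, shadowed in find_shadowed_programs(tmp):
            where = os.path.relpath(directory, tmp)
            print(f"{where}: {runs} is loaded instead of {shadowed}")
```

A hit is a lead for review rather than proof of infection; the page's point that the original file's content, date and attributes are unchanged is why the check looks at names instead of file contents.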

Ten most harmful viruses

1. CIH (1998) infects executable files in Win95/98. This kind of virus spreads in the Windows environment and is particularly real-time and concealed. This variant can rewrite the BIOS. It caused losses of about $20 million to $80 million worldwide.

2. Melissa (1999) is a macro virus that spreads very fast. It is spread as an email attachment. The Melissa virus does not destroy files or other resources, but it may stop enterprise or other mail server programs from operating, because it sends out a large number of emails and creates a huge flow of email traffic. It broke out on March 26, 1999, infecting 15%-20% of commercial computers and resulting in a loss of $30 million to $60 million.

3. "Love You" (2000) is spread by email just like Melissa, but it is much more destructive than Melissa. It can delete some local pictures and text, resulting in a loss of about 10 to 15 million dollars.

4. Code Red (2001) is a worm that spreads through port 80 of the server, in essence by using a buffer overflow attack. Port 80 is the channel for information exchange between the Web server and the browser. Unlike other viruses, Code Red does not write virus information to the hard disk of the attacked server, but only resides in the memory of the attacked server. It caused a loss of about $2.8 million worldwide.

5. SQL Slammer (2003) is a DDoS malicious program. It infects servers through a brand-new infection route, using a distributed denial-of-service attack. It takes advantage of a weakness in SQL Server, attacks port 1434 and infects SQL Server in memory, and then spreads a large number of denial-of-service attacks and infections through the infected SQL Server, resulting in failure or downtime of the SQL Server and congestion of the internal network. Like Code Red, it exists only in the memory of the attacked server. It caused about 500,000 servers in the world to crash and the whole network in Korea to be paralyzed for 12 hours.

6. Blaster (2003). The Shock Wave virus spreads by using the RPC vulnerability published by Microsoft on July 21 of that year. As long as a computer runs the RPC service and has no security patch, the virus will infect the system, with the following symptoms: system resources are heavily occupied, the RPC service termination dialog box sometimes pops up, and the system restarts repeatedly; mail cannot be sent or received, files cannot be copied normally, webpages cannot be browsed normally, copy and paste operations are seriously affected, and the DNS and IIS services are illegally denied. This is a familiar virus that has had a wide influence in China recently. It caused a loss of about $2 million to 10 million, but in fact thousands of computers were affected.

7. Sobig.F (2003) is the fifth variant of the Sobig worm. It has a very strong ability to infect, so it causes huge volumes of mail transmission, which leads to the collapse of mail servers all over the world, and because of its characteristics it can also leak local data, which is extremely dangerous. It caused a loss of about $5 million to 10 million, and more than 10 million computers were infected.

8. Bagle (2004), also known as Beagle, is a worm spread by email. It accesses websites remotely, spreads through the email system, and establishes a back door in the Windows system. So far, this worm is probably the most serious and widespread worm, and its influence is still rising. At present, it has caused tens of millions of dollars in losses, and the losses are continuing.

9. MyDoom (2004) is a combination of virus and spam, which can spread rapidly in enterprise email systems, resulting in a sharp increase in the number of emails and thus blocking the network. Viruses and spam each caused users enough trouble last year, but now the combination of the two is fiercer, and most users do not know about it, which lets this virus spread faster than any earlier virus. According to data from the research company MessageLabs, at the peak of the MyDoom outbreak, one in every 10 emails was infected by this virus, while one in every 17 emails was infected by the Sobig virus, which was rampant in the previous year. At the worst of its outbreak, global network speed dropped sharply.

10. Shockwave (Sasser, 2004). The Shockwave virus automatically searches the network for computers with system vulnerabilities and directly guides these computers to download and execute the virus files, so no human intervention is needed in the whole spread and attack process. As long as a user's computer is unpatched and connected to the Internet, it may be infected. This kind of attack is very similar to the Shock Wave of that year: it crashes system files and causes the computer to restart repeatedly. At present, it has caused tens of millions of dollars in losses.