Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
1997-10-10
2004-10-05
Lee, Thomas (Department: 2787)
C714S025000, C714S028000, C714S039000
active
06802028
FIELD OF THE INVENTION
The present invention relates to the detection and removal of undesirable programs from computer systems.
TECHNICAL BACKGROUND OF THE INVENTION
Many computer users have encountered computer viruses, sometimes with painful results. Computer viruses can cause unrecoverable errors, delete files, create intermittent problems and otherwise cause individuals and businesses much frustration and other damage. As used herein, “computer virus” or “virus” means a computer program that is unauthorized and undesired, and which operates or propagates surreptitiously.
Some viruses can make copies of themselves. Some viruses can modify their own code, making them harder to identify and remove. A distinction is sometimes made between self-replicating viruses and another threat to system security, known as a “Trojan Horse.” However, for purposes of this discussion a Trojan Horse program is considered to be a virus because it operates surreptitiously. A Trojan Horse is a program that has been designed or modified to perform some hostile act but is disguised as a familiar or non-threatening program. All viruses are capable of wasting time or otherwise adversely affecting the operation of an infected subject computer system. Certain viruses, known as “stealth viruses”, hide behind a facade. That is, they manipulate an infected system to hide their presence by redirecting commands, relocating system structures, overwriting signatures, or other means.
An Overview of Computer Components and the Boot Process
Many computer viruses exploit the underlying mechanisms of the computer operating system. A better understanding of the ways viruses operate and propagate can be gained by considering the basic steps performed in starting a computer.
Computers include hardware, such as a keyboard, screen, memory, and disk drives. They also include system software, such as boot software, operating system software, and file system software. Boot software includes non-volatile programs used to load the initial program or operating system. Operating system software includes a wide variety of routines for tasks such as launching programs, managing memory, displaying windows, and enforcing security. File system software includes routines for organizing and accessing data on a disk or other persistent storage medium.
An interface is often provided between the hardware and the system software to enable programmers or users to program their machines with less detailed knowledge of a particular hardware device. In many personal computers, for example, a BIOS (Basic Input/Output System) disk module permits a programmer to operate a floppy disk drive (or a hard disk drive) without a thorough knowledge of the specific brand of drive hardware being used. Thus, a number of drives designed and manufactured by different companies can be used in the system. This not only lowers the cost of the system, but permits a user to choose from a number of drives with equal facility. The BIOS is typically stored in memory chips, such as read-only memory chips (“ROM”).
The process of starting a computer is called “bootstrapping”, often shortened to “booting”, because a small piece of computer code is read and then used to load a larger program, which in turn loads additional programs. In a figurative way, the computer pulls itself up by its own bootstraps.
To start a computer, a small boot program stored in ROM is first executed. The ROM boot program contains at least three critical pieces of information, namely, the location on disk of a Master Boot Record (“MBR”), the starting address at which the MBR should be copied into memory, and instructions for making a copy of the MBR contents in memory and passing control of the processor to that copy. The MBR contains a disk boot program that will load the operating system code and eventually pass control to the command interpreter or other user interface. In theory, the ROM boot program and the disk boot program could be consolidated and stored in ROM, but this requires more expensive hardware and makes the computer less flexible. Indeed, the entire system software could be stored in ROM (at considerable expense) but any updates to the system software would require swapping in different ROM chips.
As used here, “boot sector” refers generally to the Master Boot Record or another location in persistent storage which contains at least part of the information used to boot the computer. Architectures other than IBM-PC-compatible architectures may use other names for the MBR, the BIOS, and other computer system components discussed here; the role played by a component is more important than the component's name. A boot sector is typically stored on a persistent medium, such as a hard disk or a floppy disk, at a fixed location such as the first, last, or middle sector of an entire disk or a disk partition. The boot sector may contain boot code, or it may refer to another location which contains boot code.
In some cases, a distinction is made between the MBR and other sectors that contain information used during the boot process. As used herein, the term “virus targets” refers to the MBR, to various boot sectors, and to other parts of a computer system which may be targeted by a virus. In general, virus targets contain low-level system information such as boot information, but some viruses target word processor macros or other information that is closer to the user/application level.
An Overview of Virus Methods
Viruses generally move from computer to computer using an infected portable storage medium, such as a floppy disk or a removable hard drive, but they may also enter a system when code is downloaded over the Internet or another network. Viruses try to penetrate computers during the boot process, at or below the system software level, because that gives the viruses greater access to disks and other system resources and because anti-virus measures may not yet be running if the boot process has not finished.
Viruses try to penetrate the boot process in various ways. Stealth virus invasions modify operating system file access procedures by intercepting the procedure call and passing back incorrect information when the correct information would reveal the virus' presence. For instance, a virus can install itself in the Master Boot Record and then modify attempts to read the MBR so it appears that no virus is present. A virus may also create a facade MBR at a location other than the fixed location of the MBR, and fill the facade with the contents of the original MBR. Any anti-virus checks on the MBR to determine its integrity through checksums or data values will be intercepted and performed on the facade instead of the actual modified MBR, so the invasion will go undetected.
A similar trick may be performed on other boot sectors or even on sectors that contain macros created by a user. That is, one or more of the virus target sectors are modified and copies of the original sectors are stored elsewhere. Legitimate calls to read or write a sector are intercepted, and passed to the facade sector to avoid detection of the unauthorized modifications.
Because working portions of the BIOS or references to the BIOS are often stored in modifiable random access memory (“RAM”), another virus method alters the copy of BIOS or BIOS reference in RAM. A virus may also intercept parameters which specify BIOS activities and pass back false information.
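The facade trick described above, as an added toy model in C that is not part of the patent: a constructed 16-sector disk, an OS-level read path on which MBR reads have been redirected to the facade copy, and an independent direct read path that the redirection does not cover. A checksum check that goes only through the redirected path still passes after the real MBR is altered, while comparing the two paths exposes the redirection. The sector layout, the hook flag and all function names are assumptions for this illustration, not the patent's own method.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512
#define MBR_LBA     0
#define FACADE_LBA  7   /* constructed: where this toy parks the facade copy */
/* Constructed toy disk of 16 sectors; not a real device. */
static uint8_t  disk[16][SECTOR_SIZE];
static uint32_t baseline;     /* checksum of the clean MBR, recorded while clean */
static int      hook_active;  /* models the intercept on the OS read path */

static uint32_t checksum(const uint8_t *b) {
    uint32_t s = 0;
    for (int i = 0; i < SECTOR_SIZE; i++) s = s * 31u + b[i];
    return s;
}
/* Read path most software uses; with the hook active, MBR reads land on the facade. */
static void read_via_os(uint32_t lba, uint8_t *out) {
    if (hook_active && lba == MBR_LBA) lba = FACADE_LBA;
    memcpy(out, disk[lba], SECTOR_SIZE);
}
/* Independent read path the hook does not cover (e.g. direct controller I/O). */
static void read_direct(uint32_t lba, uint8_t *out) { memcpy(out, disk[lba], SECTOR_SIZE); }
/* Build a clean MBR from a constructed byte pattern and record its baseline checksum. */
uint32_t setup_clean_disk(void) {
    memset(disk, 0, sizeof disk);
    for (int i = 0; i < SECTOR_SIZE; i++) disk[MBR_LBA][i] = (uint8_t)(i * 7);
    disk[MBR_LBA][510] = 0x55; disk[MBR_LBA][511] = 0xAA;  /* boot signature */
    hook_active = 0; return baseline = checksum(disk[MBR_LBA]);
}
/* Model the facade trick from the text: original copied aside, real MBR altered, reads redirected. */
int apply_facade_scenario(void) {
    memcpy(disk[FACADE_LBA], disk[MBR_LBA], SECTOR_SIZE);
    memset(disk[MBR_LBA], 0x90, 64);   /* stand-in for the unauthorized modification */
    hook_active = 1;
    return 1;
}
/* Checksum check through the OS path only: still passes once the facade is in place. */
int naive_mbr_check(void) {
    uint8_t buf[SECTOR_SIZE]; read_via_os(MBR_LBA, buf);
    return checksum(buf) == baseline;
}
/* Cross-path check: the two paths disagree only when reads are being redirected. */
int read_paths_diverge(void) {
    uint8_t a[SECTOR_SIZE], b[SECTOR_SIZE];
    read_via_os(MBR_LBA, a);
    read_direct(MBR_LBA, b);
    return memcmp(a, b, SECTOR_SIZE) != 0;
}
```

Calling setup_clean_disk, then apply_facade_scenario, and running both checks after each step shows the naive check reporting a clean MBR in both states while the cross-path check flips from 0 to 1.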
An Overview of Virus Detection and Removal
Many methods have been developed to discover and remove viruses. Three of the most common methods currently employed to protect against viruses are known as “scanner”, “self-test”, and “vaccination” methods.
Scanner methods check for known viruses by looking for identifying sections of virus code in system files, in boot sectors, and in memory. Although scanning works well on some known viruses, it is less effective or even useless on viruses that modify their own code because the scanner will not find the modified code fragments. Scanning also becomes less effective as time passes and the pool of
Raymond Robert S.
Ruff Eric J.
Cao Chun
PowerQuest Corporation
Thorpe North & Western LLP
Patent title: Computer virus detection and removal