Analysis of virus program source code examples-CIH virus[1]-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

Analysis of virus program source code examples-CIH virus[1]

黄舟

Jan 17, 2017 am 11:12 AM

CIH virus mainly infects executable programs of Windows 95/98/Me. When it attacks, it destroys the system program in the computer's Flash BIOS chip, causing damage to the motherboard and destroying data in the hard disk. When a virus attacks, the hard drive spins continuously, and the virus program writes junk data to the hard drive in units of 2048 sectors, starting from the main boot area of the hard drive until all the hard drive data is destroyed. All data on the hard disk (including the partition table) is destroyed and must be repartitioned to possibly save the hard disk. At the same time, motherboards from some brands, such as Gigabyte and MSI, will destroy the system program in the Flash BIOS, causing the system to become unresponsive after booting.
The CIH virus was introduced into the country from Taiwan in August 1998. There are five versions in total. Various versions have developed over time and been continuously improved. The development process is as follows:

(1 ) CIH virus version 1.0

The initial version 1.0 was only 656 bytes, and the prototype was relatively simple. There was not much improvement in structure from ordinary viruses. Its biggest feature is that it can infect Microsoft Windows PE executable files, the length of program files infected by them increases, and the CIH virus version 1.0 is not yet destructive.

　 (2) CIH virus version 1.1

When the CIH virus developed to version 1.1, the length of the virus was 796 bytes. This version of the CIH virus has the ability to determine Windows Once it is determined that the user is running Windows NT, the functions of the NT software will not take effect and will hide themselves to avoid generating error messages. At the same time, more optimized code is used to reduce its length.

Another improvement point of version 1.1 CIH virus is that it can take advantage of the "gaps" in the Windows PE class executable file, split itself into several parts as needed, and insert them into the PE class executable file respectively. The advantage of this is that it will not increase the file length when infecting most Windows PE files.

　 (3) CIH virus version 1.2

When the CIH virus developed to version 1.2, in addition to correcting some of the defects of version 1.1, it also added the ability to damage users The hard disk and the code of the user's machine BIOS program. This improvement makes it enter the ranks of malignant viruses. The CIH virus body length of version 1.2 is 1003 bytes.

　(4) CIH virus version 1.3

The biggest flaw of the CIH virus version 1.2 is that when it infects a ZIP self-extracting package file, it will cause the ZIP compressed package to The following error warning message appears during self-extraction:
　

　
　　WinZip Self-Extractor header corrupt.
　　Possible cause: disk or file transfer error.

Version 1.3 of the CIH virus appears to be in a hurry. Its improvement points are aimed at the above defects. Its improvement method is: Once it is determined that the opened file is WinZip Self-extracting programs of this type will not be infected. At the same time, this version of the CIH virus has modified the virus attack time from April 26 to June 26. The CIH virus version 1.3 is 1010 bytes long.

　 (4) CIH virus version 1.4

Version 1.4 CIH virus has improved the defects in previous versions and does not infect ZIP self-extracting package files. It also modifies The attack date was changed from June 26 to the 26th of each month, increasing the frequency of virus attacks. The copyright information in the virus was also modified (the copyright information was changed to: "CIH v1.4 TATUNG", the relevant information in the previous version was "CIH v1.x TTIT"), the length of the CIH virus version 1.4 is 1019 bytes.

As mentioned before, the CIH virus has created several firsts in the history of viruses and is very destructive. The outbreak of the virus has caused immeasurable losses to the world. So, how is code with such great "destructive" power written? Below, we take version 1.4 of the CIH virus as an example to analyze part of its core code.

The above is the content of virus program source code example analysis-CIH virus [1]. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PM

Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-

cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AM

The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.

Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PM

Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>

12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PM

Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom

Discover File Downloads in Laravel with Storage::downloadMar 06, 2025 am 02:22 AM

The Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:

Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PM

Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo

PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PM

PHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot

How to Register and Use Laravel Service ProvidersMar 07, 2025 am 01:18 AM

Laravel's service container and service providers are fundamental to its architecture. This article explores service containers, details service provider creation, registration, and demonstrates practical usage with examples. We'll begin with an ove

See all articles