CN1801033A - Computer virus checking and killing method based on data stream - Google Patents


Info

Publication number: CN1801033A
Authority: CN (China)
Prior art keywords: virus, killing, file, data stream, checking
Legal status: Granted (currently Active)
Application number: CN 200510101378
Other languages: Chinese (zh)
Other versions: CN100422900C (en)
Inventors: 戴光剑, 赵闽, 王陈, 姚辉, 蔡山枫
Current assignees: Beijing Kingsoft Internet Security Software Co Ltd; Conew Network Technology Beijing Co Ltd; Zhuhai Juntian Electronic Technology Co Ltd; Beijing Cheetah Mobile Technology Co Ltd; Beijing Cheetah Network Technology Co Ltd; Zhuhai Baoqu Technology Co Ltd
Original assignee: Zhuhai Kingsoft Software Co Ltd
Events: application filed by Zhuhai Kingsoft Software Co Ltd; priority to CNB2005101013781A (CN100422900C); publication of CN1801033A; application granted; publication of CN100422900C.


Abstract

The invention discloses a method for checking and killing (detecting and removing) computer viruses in the field of computer applications. The data-stream-based method matches virus feature data against the data stream to be checked, generated from a memory module or from a file, and comprises a memory checking and killing method and a file checking and killing method. It identifies new variants of known viruses, and some new viruses, without updating the virus database or with fewer updates: it analyses known viruses and extracts their shared binary code as the virus feature, uses that feature to find new variants or new viruses in memory modules or files, automatically extracts a file feature from the detected file (for a memory module, the file the module corresponds to) to generate a new file virus feature, and updates the virus database automatically. The checking and killing task is completed by scanning for the new variant of the known virus, or the new virus, and all of its other copies.

Description

A computer virus checking and killing method based on data streams
Technical field
The present invention relates to the field of computer applications, and in particular to a method for checking and killing computer viruses.
Background technology
In recent years computers have come into wide use in every field, but the computer viruses that followed threaten their practical application. The latency, infectiousness and destructiveness of computer viruses make virus prevention even more complicated. Current computer viruses usually have an automatic update function: virus authors habitually add packers ("shells"), recompile, or modify the virus within a small range in order to release mutations rapidly, and recombine shared virus modules to make new viruses, so that antivirus software cannot kill the virus after it has changed. Present checking and killing methods generally locate the virus signature by entry point plus offset; once a virus has changed in one of the ways above, its signature is entirely different and it can no longer be killed. The checking and killing methods of the present stage can only kill such viruses by updating their features in time.
Summary of the invention
The present invention overcomes the shortcomings of the prior art and provides a way to identify variants of known viruses, or some new viruses, without updating the virus database or with fewer updates.
The technical problem above is solved by the following technical solution:
A computer virus checking and killing method based on data streams matches features from a virus feature library against the data stream to be checked (generated from a memory module or from a file) in order to kill viruses; it comprises a memory checking and killing method and a file checking and killing method, and the virus feature is the binary code of the virus.
The memory checking and killing method comprises the following steps:
A. Extract common virus features from existing viruses and make them into a feature library;
B. Traverse all process modules in memory, treat each process module as a data stream, and filter it through the feature library;
C. Judge whether the process module is a virus file;
D. For a module that is a virus, automatically extract features from the file it corresponds to;
E. Traverse the disk and kill all copies of the virus.
The file checking and killing method comprises the following steps:
A. Extract virus features from existing viruses and make them into a feature library;
B. Traverse the files to be checked, preprocess each file to generate a data stream, and filter it through the feature library;
C. Judge whether the file is a virus file;
D. Kill the files that are viruses.
Compared with the prior art, the invention identifies new variants of known viruses, or some new viruses, without updating the virus database or with fewer updates. It analyses known viruses and extracts their shared binary code as the virus feature, uses it to find memory modules or files that are new variants or new viruses, then automatically extracts features from that file (for a memory module, the file the module corresponds to) to generate a new file virus feature, and updates the virus database automatically. It kills the new variant or new virus of the known virus together with all its copies, completing the check-and-kill.
Description of drawings
Fig. 1 is a flow chart of the memory checking and killing method of the present invention;
Fig. 2 is a flow chart of the file checking and killing method of the present invention.
Embodiment
The present invention is described in detail below with reference to the drawings.
A computer virus checking and killing method based on data streams matches features from the virus feature library against the data stream to be checked (generated from a memory module or from a file) in order to kill viruses; it comprises a memory checking and killing method and a file checking and killing method, and the virus feature database can be updated automatically.
Referring to Fig. 1, the memory checking and killing method comprises the following steps:
A. Extract the common features of viruses from existing viruses;
B. Build the library: collect all the features into the virus feature library;
C. Traverse all process modules in memory, treating each process module as a block of data stream;
D. Judge whether there is a data stream not yet filtered; if so, continue matching the data stream against the feature library, otherwise the check-and-kill is finished and the program exits;
E. If a process module matches the feature library, regard the module's space as virus space and the file corresponding to the module as a virus file, and go to step F; otherwise judge that the module is not a virus and go to step D;
F. The scanning module automatically extracts a file feature from this virus file as a virus feature; the file feature is data taken from the binary code of the file;
G. Traverse the full disk to kill all copies of the virus;
H. After the virus has been killed, go to step D.
Referring to Fig. 2, the file checking and killing method comprises the following steps:
A. Extract the common features of viruses from existing viruses;
B. Build the library: collect all the features into the virus feature library;
C. Traverse the files to be checked;
D. Preprocess each file to generate a data stream;
E. Judge whether there is a data stream not yet filtered; if so, continue matching the data stream against the feature library, otherwise the check-and-kill is finished and the program exits;
F. If a data stream matches the feature library, regard the file as a virus file and go to step G; otherwise judge that it is not a virus and go to step E;
G. Kill the file, then go to step E.
A process module here means the data space occupied by a single program once it has been loaded into memory; it usually corresponds to exactly one file. A virus copy means the copies of the virus file, and the file corresponding to the process module, that have not been executed.
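Both procedures above, the memory one (match a module image, lift a file feature from it, sweep the disk for copies) and the file one (preprocess, match, kill), worked through as an added Python example. This is not the patent's or Kingsoft's code; the family feature bytes, the "PACK1" shell format, the 12-byte file-feature rule and every file and module image are constructed stand-ins.

```python
# Data-stream signature scanner modelled on the patent's two procedures. Added
# example, not the patent's or Kingsoft's code; every feature byte string, module
# image and file below is constructed and contains no real virus code.
import hashlib
from typing import Optional

# Steps A-B of both procedures: family-level common features of known samples,
# collected into the feature library (constructed stand-ins for shared code).
FEATURE_LIBRARY = {
    "FamilyX.mail_engine": b"\x55\x8b\xec\x83\xec\x10MAIL FROM:<",
    "FamilyX.exploit_stub": b"\xe8\x00\x00\x00\x00\x5b\x81\xeb",
}
FILE_FEATURE_LEN = 12  # bytes of binary code lifted as the per-file feature

def match_stream(stream: bytes, library: dict) -> Optional[str]:
    """Filter one data stream through the library; return the hit name or None."""
    for name, pattern in library.items():
        if pattern in stream:
            return name
    return None

def preprocess_file(raw: bytes) -> bytes:
    """Step D of the file procedure: file -> data stream. The only 'shell' known
    here is constructed: b'PACK1' + 1-byte key + body XORed with that key."""
    if raw.startswith(b"PACK1") and len(raw) > 6:
        key = raw[5]
        return bytes(b ^ key for b in raw[6:])
    return raw

def extract_file_feature(stream: bytes, family: str, library: dict) -> str:
    """Step F of the memory procedure: lift a file-specific binary feature from
    the detected image and add it to the library. Constructed rule: the bytes
    right after the family pattern, which vary from build to build."""
    pattern = library[family]
    start = stream.index(pattern) + len(pattern)
    feature = stream[start:start + FILE_FEATURE_LEN]
    name = f"{family}.auto_{hashlib.sha256(feature).hexdigest()[:8]}"
    library[name] = feature
    return name

def memory_scan(modules: dict, disk: dict, library: dict) -> dict:
    """Memory procedure, steps C-H. modules: name -> (backing path, image);
    disk: path -> raw bytes, mutated in place. Returns {killed path: feature}."""
    removed = {}
    for _name, (path, image) in modules.items():
        hit = match_stream(image, library)
        if hit is None:
            continue                  # step E: not a virus, next stream
        new_feature = extract_file_feature(image, hit, library)
        removed[path] = new_feature   # the module's backing file is a virus file
        for fpath in list(disk):      # step G: sweep the whole disk for copies
            if library[new_feature] in preprocess_file(disk[fpath]):
                removed[fpath] = new_feature
                del disk[fpath]
    return removed

def file_scan(disk: dict, library: dict) -> dict:
    """File procedure, steps C-G: preprocess, match, kill on hit."""
    removed = {}
    for fpath in list(disk):
        hit = match_stream(preprocess_file(disk[fpath]), library)
        if hit is not None:
            removed[fpath] = hit
            del disk[fpath]
    return removed

def demo() -> dict:
    """Constructed scenario: a running variant, a packed un-executed copy, a
    clean file, then a second variant that shares only the exploit stub."""
    library = dict(FEATURE_LIBRARY)
    variant = b"MZ\x90\x00" + library["FamilyX.mail_engine"] + b"BUILD-0042-A" + bytes(8)
    packed_copy = b"PACK1" + b"\x5a" + bytes(b ^ 0x5a for b in variant)
    disk = {"C:/svc/host.exe": variant, "D:/backup/host_copy.exe": packed_copy,
            "C:/apps/clean.exe": b"MZ\x90\x00clean program\x00"}
    mem_removed = memory_scan({"host.exe": ("C:/svc/host.exe", variant)}, disk, library)
    disk["C:/dl/new_variant.exe"] = b"MZ" + library["FamilyX.exploit_stub"] + b"xyz"
    file_removed = file_scan(disk, library)
    return {"memory": mem_removed, "file": file_removed,
            "library_size": len(library), "disk_left": sorted(disk)}
```

The packed copy is found only because the file feature lifted from the running image is matched against the preprocessed (unshelled) stream, which is the point of pairing step F with the disk sweep in step G.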
The checking and killing method of the present invention is introduced below through cases:
Mytob and Mydoom are different viruses with similar behaviour; Mytob is a variant of Mydoom, and both use the same virus code, such as the mail-sending engine and the vulnerability exploitation code. But because the other functions are combined differently and the compilation differs, the two do not coincide in their binary features, so the existing virus features of existing antivirus software fail: with Mydoom known, Mytob still cannot be found. With the checking and killing method provided by the invention, the common virus code of this family (the mail-sending engine, the exploitation code) is first extracted as the common feature, and these features are collected into the virus feature library for use by the scanning module. When the scanning module scans, it matches each data stream (generated from a memory module or from a file) against the virus feature library; if a data stream matches, the file (for a memory module, the file the module corresponds to) is regarded as a virus file. For memory checking and killing, the scanning module automatically extracts a file feature from this virus file and traverses the full disk to kill the copies of Mytob that have not been executed, finally completing the check-and-kill. Likewise Troj.QQmsgBook: this virus has an automatic update function, and its author uses the internet to let the virus update every day, mostly by repacking, multi-layer packing and mutation, at a speed close to that of the antivirus software's virus database updates. Its purpose is to change its own binary features so that the existing virus features of the antivirus software fail. By finding the common feature of this family with the method of the invention, the repacked, multi-layer-packed and mutated versions of the virus can also be killed.
The present invention analyses known viruses and extracts their shared binary code as the virus feature, uses it to find memory modules or files that are new variants or new viruses, then automatically extracts features from that file (for a memory module, the file the module corresponds to) to generate a new file virus feature, and updates the virus database automatically. It kills the new variant or new virus of the known virus together with all its copies, completing the check-and-kill.
The steps above only explain the invention and do not limit its technical solution. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall fall within the scope of the claims of the invention.

Claims (8)

1. A computer virus checking and killing method based on data streams, in which features from a virus feature library are matched against the data stream to be checked in order to kill viruses, comprising a memory checking and killing method and a file checking and killing method, characterized in that the virus feature is the binary code of the virus.
2. The computer virus checking and killing method according to claim 1, characterized in that the data stream is generated from a memory module or from a file.
3. The computer virus checking and killing method according to claim 1, characterized in that the memory checking and killing method comprises the following steps:
A. extracting common virus features from existing viruses;
B. building the library: collecting all the features into the virus feature library;
C. traversing all process modules in memory, treating each process module as a block of data stream;
D. judging whether there is a data stream not yet filtered; if so, continuing to match the data stream against the feature library, otherwise finishing the check-and-kill and exiting the program;
E. if a process module matches the feature library, regarding the module's space as virus space and the file corresponding to the module as a virus file, and going to step F; otherwise judging that the module is not a virus and going to step D;
F. extracting a file feature from the virus file;
G. traversing the full disk to kill the copies of the virus;
H. after the virus has been killed, going to step D.
4. The computer virus checking and killing method according to claim 3, characterized in that the process module corresponds to only one file.
5. The computer virus checking and killing method according to claim 3 or 4, characterized in that in step F the file feature is extracted automatically by the scanning module.
6. The computer virus checking and killing method according to claim 3 or 4, characterized in that the virus copies are all copies of the virus file, executed and not executed.
7. The computer virus checking and killing method according to claim 3 or 4, characterized in that the file feature is a binary code feature of the file.
8. The computer virus checking and killing method according to claim 1, characterized in that the file checking and killing method comprises the following steps:
A. extracting virus features from existing viruses;
B. building the library: collecting all the features into the virus feature library;
C. traversing the files to be checked;
D. preprocessing each file to generate a data stream;
E. judging whether there is a data stream not yet filtered; if so, continuing to match the data stream against the feature library, otherwise finishing the check-and-kill and exiting the program;
F. if a data stream matches the feature library, regarding the file as a virus file and going to step G; otherwise judging that it is not a virus and going to step E;
G. killing the file, then going to step E.

Priority Application

Application CNB2005101013781A, priority date 2005-11-17, filing date 2005-11-17: Computer virus checking and killing method based on data stream (Active; granted as CN100422900C).

Publications (2)

Publication Number   Publication Date
CN1801033A           2006-07-12
CN100422900C         2008-10-01
