Virus spread in the local area network

xiaoxiao, 2021-03-06

I. Principles and phenomena of local area network virus

In general, a computer network consists of a network server and network node stations (workstations with disks, diskless workstations, and remote workstations). A computer virus usually first enters a workstation with a disk through one of various channels, then enters the network and begins to spread across it. Specifically, it propagates in the following ways.

(1) The virus is copied directly from a workstation to the server, or spreads within the network by mail.

(2) The virus first infects a workstation, becomes resident in the workstation's memory, and is then transmitted to the server.

(3) The virus first infects a workstation, becomes resident in the workstation, and is transmitted directly to the server when the virus runs.

(4) If a remote workstation is invaded by a virus, the virus can also enter the network server through data exchange.

Once the virus enters the file server, it can quickly be transmitted to every computer on the network. A diskless workstation has no disk of its own (its disk is a network disk), so when it runs an infected program on the network disk, the virus is passed on to that program or, through the image path, to other files on the server. The diskless workstation is therefore also a place where the virus propagates.

As the propagation methods above show, in a network environment viruses have some new features in addition to the properties common to all computer viruses, such as the ability to propagate, executability, and destructiveness.

(1) Fast infection. In a single-machine environment, a virus can only be carried from one computer to another, whereas on a network it can spread quickly through the network's communication mechanisms. According to measurements, under normal working conditions a single infected workstation is enough for hundreds of computers on the network to be infected within dozens of minutes.

(2) Wide spread. Because a virus spreads very quickly on a network, its range is very large: it can not only quickly infect all the computers on the LAN, but also spread a thousand miles away in an instant through remote workstations.

(3) Complex and varied forms of propagation. Computer viruses generally spread along the path "workstation" to "server" to "workstation", but virus technology has since become considerably more complex.

(4) Difficult to remove completely. On a single machine, a computer virus can be dealt with by deleting the infected files, and measures such as low-level formatting of the hard drive can remove it completely. On a network, as long as one workstation has not been cleaned, the whole network can be reinfected, and even a workstation that has just been disinfected can be infected again by another infected workstation on the network. Therefore, disinfecting workstations alone does not remove the danger the virus poses to the network.

(5) Highly destructive. Network viruses directly affect the operation of the network: they reduce its speed and affect work efficiency, and they can crash the network and destroy server information, so that many years of work is destroyed at once.

(6) Triggerable. The conditions that trigger a network virus are varied: they can be the internal clock, the system date, a user name, a network communication event, and so on. A virus program can be triggered as its designer intended and launch an attack on a workstation.

(7) Latent. Once a network has been infected, the latent risk remains large even after the virus has been removed. According to statistics, after a virus is cleared from a network, 85% of networks are infected again within 30 days.

For example, the Nimda virus searches the local network for file shares, whether on a file server or on a client machine. Once it finds one, it installs a hidden file named riched20.dll in every directory that contains "DOC" and "EML" files. When a user opens a "DOC" or "EML" document with Word or Outlook, these applications execute the riched20.dll file and the machine becomes infected. The virus can also infect files that are started on a remote server. With e-mail carrying the Nimda virus, there is no need to open the attachment: merely reading or previewing the infected message is enough, and the virus goes on to send infected messages to the addresses in your address book.

II. Prevention methods for local area network viruses

Take the "Nimda" virus as an example. An individual user infected with the virus can remove it with stand-alone anti-virus software. In an enterprise, however, once one machine is infected with "Nimda", the virus automatically copies itself, sends itself out, and cross-infects other users on the local area network.
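
The Nimda behaviour described above, a riched20.dll planted in every shared directory that holds "DOC" and "EML" files, gives administrators a concrete pattern to look for when checking file shares. The following Python script is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration, and it assumes the share is mounted as a local path.

```python
import os
import tempfile

DROPPED_NAME = "riched20.dll"      # file name given in the text
DOC_EXTS = (".doc", ".eml")        # document types named in the text
FILE_ATTRIBUTE_HIDDEN = 0x2        # Windows hidden bit; absent on other systems

def find_suspect_dirs(root):
    """Return sorted [(directory, hidden, doc_count)] for directories under
    root that hold riched20.dll next to at least one .doc/.eml file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if DROPPED_NAME not in by_lower:
            continue
        docs = [f for f in files if f.lower().endswith(DOC_EXTS)]
        if not docs:
            continue  # a DLL without documents does not match the pattern
        st = os.stat(os.path.join(dirpath, by_lower[DROPPED_NAME]))
        attrs = getattr(st, "st_file_attributes", 0)  # only set on Windows
        hits.append((dirpath, bool(attrs & FILE_ATTRIBUTE_HIDDEN), len(docs)))
    return sorted(hits)

def build_sample_share(base):
    """Constructed sample tree standing in for a mounted file share."""
    layout = {
        "finance": ["budget.DOC", "Riched20.dll"],      # matches the pattern
        "mail/archive": ["note.eml", "riched20.dll"],   # matches the pattern
        "tools": ["riched20.dll", "setup.exe"],         # DLL but no documents
        "reports": ["q1.doc"],                          # documents but no DLL
    }
    for rel, names in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed placeholder\n")
    return base

def demo():
    """Scan the constructed tree; return (relative dir, document count)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_share(tmp)
        return [(os.path.relpath(d, root).replace(os.sep, "/"), n)
                for d, _hidden, n in find_suspect_dirs(root)]

if __name__ == "__main__":
    for rel, n in demo():
        print(f"suspect: {rel} ({n} document file(s) beside {DROPPED_NAME})")
```

A hit is only a lead for follow-up: the file name is matched case-insensitively, and the hidden flag is reported where the operating system exposes it.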

When reprinting, please cite the original address: https://www.9cbs.com/read-44294.html
