Generic disinfection of programs infected with a computer virus
First Claim
1. For a program initially having a non-infected state that subsequently attains an infected state as a result of infection with a computer virus, a method for restoring the computer program from the infected state to the non-infected state, comprising:
(a) storing, in a computer memory, electrical signals representing a plurality of parameters of the program in the non-infected state, the parameters comprising:
i. the length, in bytes, of the program in the non-infected state;
ii. a checksum of the program in the non-infected state;
iii. information pertaining to bytes in the program in the non-infected state, near the beginning of the program in the non-infected state, designated BeginInfo;
iv. information pertaining to bytes in the program in the non-infected state near the end of the program, designated EndInfo;
(b) scanning the program in the infected state for a first sequence of bytes characterized by BeginInfo, and for a second sequence of bytes characterized by EndInfo;
(c) generating one or more trial program reconstructions, based upon byte sequences found in the program in the infected state;
(d) computing a checksum of each trial program reconstruction;
(e) comparing the checksum of each trial program reconstruction with the checksum of the program in the non-infected state;
(f) using the trial program reconstruction possessing a checksum equal to the checksum of the program in the non-infected state, if it exists, restoring the program from the infected state to the non-infected state.
2 Assignments
0 Petitions
Abstract
A method for restoring a computer program infected with a computer virus to its non-viral condition. The method uses certain information about an uninfected host program recorded prior to infection without relying upon pre-existing knowledge of the computer virus. The method includes: recording a checksum of the uninfected original program, the length of the program, and information pertaining to bytes located near the beginning and end of the original program; and, subsequent to any modification of the original program that is deemed suspicious, generating one or more trial reconstructions based on the recorded information and information contained in the modified file; comparing a checksum of each generated trial reconstruction with the checksum of the original program stored in the database; and outputting a trial reconstruction as the original uninfected program if its checksum matches that of the original program.
119 Citations
34 Claims
1. (Independent claim; its text is set out under First Claim above.) Dependent claims: 2 to 31.
32. For a program capable of having a non-infected state, and an infected state in which the program is infected with a computer virus, a method, when the program is suspected of being in the infected state, for determining when the program has attained the infected state, comprising:
(a) storing, in a memory, electrical signals representing a plurality of parameters of the program in the non-infected state, the parameters comprising:
i. the length of the program in bytes;
ii. a checksum of the program;
iii. information pertaining to bytes in the program near the beginning of the program, designated BeginInfo;
iv. information pertaining to bytes in the program near the end of the program, designated EndInfo;
(b) scanning the program suspected of being in the infected state for a first sequence of bytes characterized by BeginInfo and EndInfo;
(c) generating one or more trial program reconstructions of the program in the non-infected state, based upon byte sequences found in the program in the infected state;
(d) computing a checksum of each trial program reconstruction;
(e) comparing the checksum of each trial program reconstruction with the checksum of the program in the non-infected state;
(f) if any trial program reconstruction possessing a checksum equal to the checksum of the program in the non-infected state can be found, outputting an indication that the computer program is in the infected state.
Dependent claims: 33, 34.
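The following Python is an added worked example of the steps recited in claim 1 (restoration) and claim 32 (detection); it is not code from the patent or from any implementation of it. The record sizes (16 bytes of BeginInfo/EndInfo), the use of SHA-256 in place of the patent's unspecified "checksum", the three candidate positions tried for the middle of the program in step (c), and the sample "clean" program and the three constructed infections are all assumptions made here for illustration, not real malware.

```python
"""Constructed illustration of the claimed generic-disinfection method.
Sizes, the hash function, the candidate-generation heuristic and the sample
programs below are assumptions of this example, not the patent's."""
import hashlib
from dataclasses import dataclass
from typing import Iterator, List, Optional

N = 16  # bytes kept as BeginInfo and EndInfo (assumed size)


@dataclass(frozen=True)
class CleanRecord:
    """The parameters of claim 1(a): length, checksum, BeginInfo, EndInfo."""
    length: int
    digest: bytes
    begin_info: bytes
    end_info: bytes


def checksum(data: bytes) -> bytes:
    # SHA-256 stands in for the patent's "checksum": with a weak checksum a
    # virus could craft a still-infected reconstruction that passes step (e).
    return hashlib.sha256(data).digest()


def record(program: bytes, n: int = N) -> CleanRecord:
    """Step (a): capture the parameters while the program is known clean."""
    if len(program) < 2 * n:
        raise ValueError("program too short for non-overlapping BeginInfo/EndInfo")
    return CleanRecord(len(program), checksum(program), program[:n], program[-n:])


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset at which needle occurs."""
    hits, i = [], haystack.find(needle)
    while i != -1:
        hits.append(i)
        i = haystack.find(needle, i + 1)
    return hits


def trial_reconstructions(rec: CleanRecord, suspect: bytes) -> Iterator[bytes]:
    """Steps (b)-(c): locate BeginInfo/EndInfo in the suspect file and build
    candidate originals of the recorded length around them."""
    n = len(rec.begin_info)
    mid_len = rec.length - 2 * n
    seen = set()
    for b in find_all(suspect, rec.begin_info):
        for e in find_all(suspect, rec.end_info):
            # Assumed heuristic: where the original middle bytes might now sit.
            #   b + n       -> middle still follows the head (prepending virus)
            #   e - mid_len -> middle still precedes the tail
            #   n           -> middle still at its original offset (appending
            #                  virus that overwrote the head and saved it elsewhere)
            for m in (b + n, e - mid_len, n):
                if m < 0 or m + mid_len > len(suspect):
                    continue
                cand = rec.begin_info + suspect[m:m + mid_len] + rec.end_info
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def disinfect(rec: CleanRecord, suspect: bytes) -> Optional[bytes]:
    """Steps (d)-(f): return the reconstruction whose checksum matches, if any."""
    for cand in trial_reconstructions(rec, suspect):
        if checksum(cand) == rec.digest:
            return cand
    return None


def is_infected(rec: CleanRecord, suspect: bytes) -> bool:
    """Claim 32: report 'infected' when the file differs from the record but the
    original can still be rebuilt from its bytes (the kind of infection this
    method can undo). A changed file that cannot be rebuilt is not reported."""
    return checksum(suspect) != rec.digest and disinfect(rec, suspect) is not None


# --- constructed sample program and infections (not real malware) ----------
CLEAN = b"MZ" + bytes((i * 37) % 256 for i in range(300))  # 302-byte stand-in
REC = record(CLEAN)

# Prepender: virus body placed in front of the untouched host.
PREPENDER = b"\x90" * 40 + b"<prepending virus body>" + CLEAN
# Appender: first N bytes replaced by a stub, copy of them kept in the body
# (so the virus can restore them at run time), body appended after the host.
APPENDER = b"\xe9" + b"\x00" * (N - 1) + CLEAN[N:] + b"<appender>" + CLEAN[:N] + b"<tail>"
# Overwriter: 19 bytes in the middle destroyed; same length, nothing to recover.
OVERWRITER = CLEAN[:100] + b"<overwriting virus>" + CLEAN[119:]

if __name__ == "__main__":
    for name, f in (("prepender", PREPENDER), ("appender", APPENDER), ("overwriter", OVERWRITER)):
        print(name, "restored:", disinfect(REC, f) == CLEAN, "flagged:", is_infected(REC, f))
```

Two caveats follow directly from the claim logic rather than from this code. First, step (f) of claim 32 reports infection whenever a matching reconstruction exists, so a benign change that merely appends bytes to an otherwise intact program is indistinguishable from an appending virus; the abstract's "modification ... deemed suspicious" trigger therefore has to come from a separate integrity check, not from this step. Second, the shorter BeginInfo and EndInfo are, the more offsets step (b) will match and the more candidates step (c) must hash, so the record size trades scan cost against the chance that a virus stores the saved head bytes in a form the scan cannot find at all (for example split across two locations), in which case the method correctly returns no reconstruction and falls back to whatever the caller does with an unrecoverable file.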
Specification