Generic disinfection of programs infected with a computer virus

US 5,613,002 A
Filed: 11/21/1994
Issued: 03/18/1997
Est. Priority Date: 11/21/1994
Status: Expired due to Fees

First Claim

Patent Images

1. For a program initially having a non-infected state that subsequently attains an infected state as a result of infection with a computer virus, a method for restoring the computer program from the infected state to the non-infected state, comprising:

(a) storing, in a computer memory, electrical signals representing a plurality of parameters of the program in the non-infected state, the parameters comprising;

i. the length, in bytes, of the program in the non-infected state;

ii. a checksum of the program in the non-infected state;

iii. information pertaining to bytes in the program in the non-infected state, near the beginning of the program in the non-infected state, designated BeginInfo;

iv. information pertaining to bytes in the program in the non-infected state near the end of the program, designated EndInfo;

(b) scanning the program in the infected state for a first sequence of bytes characterized by BeginInfo, and for a second sequence of bytes characterized by EndInfo;

(c) generating one or more trial program reconstructions, based upon byte sequences found in the program in the infected state;

(d) computing a checksum of each trial program reconstruction;

(e) comparing the checksum of the each trial program reconstruction with the checksum of the program in the non-infected state;

(f) using the trial program reconstruction possessing a checksum equal to the checksum of the program in the non-infected state, if it exists, restoring the program from the infected state to the non-infected state.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for restoring a computer program infected with a computer virus to its non-viral condition. The method uses certain information about an uninfected host program recorded prior to infection without relying upon pre-existing knowledge of the computer virus. The method includes: recording a checksum of the uninfected original program, the length of the program, and information pertaining to bytes located near the beginning and end of the original program; and, subsequent to any modification of the original program that is deemed suspicious, generating one or more trial reconstructions based on the recorded information and information contained in the modified file; comparing a checksum of each generated trial reconstruction with the checksum of the original program stored in the database; and outputting a trial reconstruction as the original uninfected program if its checksum matches that of the original program.

119 Citations

34 Claims

1. For a program initially having a non-infected state that subsequently attains an infected state as a result of infection with a computer virus, a method for restoring the computer program from the infected state to the non-infected state, comprising:
- (a) storing, in a computer memory, electrical signals representing a plurality of parameters of the program in the non-infected state, the parameters comprising;
  
  i. the length, in bytes, of the program in the non-infected state;
  
  ii. a checksum of the program in the non-infected state;
  
  iii. information pertaining to bytes in the program in the non-infected state, near the beginning of the program in the non-infected state, designated BeginInfo;
  
  iv. information pertaining to bytes in the program in the non-infected state near the end of the program, designated EndInfo;
  
  (b) scanning the program in the infected state for a first sequence of bytes characterized by BeginInfo, and for a second sequence of bytes characterized by EndInfo;
  
  (c) generating one or more trial program reconstructions, based upon byte sequences found in the program in the infected state;
  
  (d) computing a checksum of each trial program reconstruction;
  
  (e) comparing the checksum of the each trial program reconstruction with the checksum of the program in the non-infected state;
  
  (f) using the trial program reconstruction possessing a checksum equal to the checksum of the program in the non-infected state, if it exists, restoring the program from the infected state to the non-infected state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The method of claim 1, wherein the checksum of the program in the non-infected state is a cyclical redundancy check.
  - 3. The method of claim 1, wherein BeginInfo includes an initial number HeaderLength of bytes of the program in the non-infected state, where HeaderLength is a chosen non-negative constant.
  - 4. The method of claim 3, wherein BeginInfo further includes:
    - (a) BeginTag, wherein BeginTag represents the result of applying a function BeginTagFunction to a contiguous region comprising a number BeginTagLength bytes following the initial number HeaderLength of bytes of the program in the non-infected state, where BeginTagLength is a chosen constant;
      
      (b) an offset of BeginTag from the beginning of the program in the non-infected state.
  - 5. The method of claim 4, wherein the contiguous region of bytes is the first contiguous region of BeginTagLength bytes that follows the initial number HeaderLength of bytes of the program in the non-infected state in which not all of the bytes have the same value.
  - 6. The method of claim 5, wherein the information BeginInfo includes BeginRepeated-Byte, the value of the first byte within the first contiguous region of BeginTagLength bytes in which not all of the bytes have the same value.
  - 7. The method of claim 4, wherein the function BeginTagFunction of the contiguous region of bytes is the identity.
  - 8. The method of claim 4, wherein the function BeginTagFunction of the contiguous region of bytes consists of a checksum of the contiguous region of bytes.
  - 9. The method of claim 8, wherein the checksum is a cyclical redundancy check.
  - 10. The method of claim 3, wherein:
    - (a) BeginInfo further includes;
      
      (i) BeginTag, wherein BeginTag represents the result of applying a function BeginTagFunction to a contiguous region comprising a number BeginTagLength bytes following the initial number HeaderLength of bytes of the program in the non-infected state, where BeginTagLength is a chosen constant;
      
      (ii) an offset of BeginTag from the beginning of the program in the non-infected state;
      
      (b) EndInfo includes;
      
      (i) EndTag, where EndTag represents the result of applying a function EndTagFunction to a contiguous region comprising a number EndTagLength of bytes near the end of the program, wherein EndTagLength is a chosen constant;
      
      (ii) an offset of EndTag from the end of the program in the non-infected state.
  - 11. The method of claim 10, further comprising:
    - (a) computing an offset of BeginTag from the program in the infected state, comprising the steps of;
      
      (i) computing a function BeginTagFunction of each contiguous region comprising a number BeginTagLength of bytes in the program in the infected state;
      
      (ii) comparing the function BeginTagFunction with BeginTag;
      
      (iii) recording in a list BeginOffList an offset of any contiguous region from the beginning of the program in the infected state for which the function BeginTagFunction equals BeginTag;
      
      (b) Computing an offset of EndTag from the end of the program in the infected state, comprising the steps of;
      
      (i) computing a function EndTagFunction of each contiguous region of EndTagLength bytes in the program in the infected state;
      
      (ii) comparing the function EndTagFunction with EndTag;
      
      (iii) recording in a list EndOffList an offset EndOffset of any contiguous region from the end of the program in the infected state for which the function EndTagFunction equals EndTag.
  - 12. The method of claim 11, in which BeginTagFunction is a checksum computed via linear modular-arithmetic, in which the checksums of successive byte sequences in the program in the infected state are computed from previous checksums.
  - 13. The method of claim 12, in which the checksum is a cyclical redundancy check, and the checksums of successive byte sequences in the program in the infected state are computed from previous checksums as follows:
    - space="preserve" listing-type="equation">CRC(Bβ
      
      )=Rem[Shift[CRC[α
      
      B]]]⊕
      
      CRC[β
      
      ]⊕
      
      CRC[α
      
      0.sup.TagLength ]
      where B represents a sequence of bytes, α and
      
      β
      
      are single bytes, and 0^TagLength represents a sequence of zeros.
  - 14. The method of claim 11, in which EndTagFunctionB is a checksum computed via linear modular-arithmetic, in which the checksums of successive byte sequences in the program in the infected state are computed from checksums computed for preceding byte sequences, i.e., from previous checksums.
  - 15. The method of claim 14, in which the checksum is a cyclical redundancy check, and the checksums of successive byte sequences in the program in the infected state are computed from previous checksums as follows:
    - space="preserve" listing-type="equation">CRC(Bβ
      
      )=Rem[Shift[CRC[α
      
      B]]]⊕
      
      CRC[β
      
      ]⊕
      
      CRC[α
      
      0.sup.TagLength ]
      where B represents a sequence of bytes, α and
      
      β
      
      are single bytes, and 0^TagLength represents a sequence of zeros.
  - 16. The method of claim 11, in which the step of generating one or more trial reconstructions comprises, for each possible pair of BeginOffset (from BeginOffList) and EndOffset (taken from EndOffList)(a) appending to the bytes of a header contained in a portion of BeginInfo designating a header for the program in the non-infected state a byte sequence BeginSection of length BeginSectionLength starting at offset BeginOffset in the program in the infected state, followed by a byte sequence EndSection of length EndSectionLength ending at offset EndOffset in the program in the infected state;
    - (b) generating a first trial reconstruction with BeginSectionLength of maximal length, and EndSectionLength being of such length that the total length of the trial reconstruction equals the difference in length between the program in the infected and non-infected states;
      
      (c) generating successive trial reconstructions such that the last byte of the previous trial reconstructions'"'"' BeginSection is removed, and the previous trial reconstruction EndSection is extended backwards to pick up another byte in the program in the infected state.
  - 17. The method as recited in claim 11, wherein the step of generating one or more trial reconstructions comprises, for each possible pair of BeginOffset (from BeginOffList) and EndOffset (from EndOffList) satisfying the condition that they are separated by the same distance as in the program in the non-infected state:
    - (a) generating a first trial reconstruction comprising all of the bytes of the program in the infected state from BeginOffset to EndOffset, inclusive, except that the first portion is overwritten by a header contained in a portion of BeginInfo designating a header for the program in the non-infected state;
      
      (b) generating a series of trial reconstructions, each of which replaces the value of particular bytes in the first trial reconstruction with an estimate of the value of the particular bytes in the program in the non-infected state.
  - 18. The method as recited in claim 17, wherein the location of bytes to be replaced in the trial reconstruction is determined in part by searching for regions of repeated bytes or groups of bytes, and the estimate of the value of the bytes in the program in the non-infected state is made by extending a pattern representing the regions of repeated bytes or groups of bytes.
  - 19. The method as recited in claim 18, wherein an end of a region of bytes to be replaced is a byte immediately preceding a region of repeated bytes.
  - 20. The method as recited in claim 19, wherein, for each successive trial reconstruction, a beginning of the region of bytes to be replaced is extended towards the beginning of the program in the infected state.
  - 21. The method as recited in claim 18, wherein a beginning of the region of bytes to be replaced is a byte immediately following a region of repeated bytes.
  - 22. The method as recited in claim 21, wherein, for each successive trial reconstruction, the end of the region of replaced bytes is shifted towards the beginning of the program in the infected state.
  - 23. The method of claim 1, wherein EndInfo includes:
    - (a) EndTag, where EndTag is the result of applying a function EndTagFunction to a contiguous region comprising a number EndTagLength of bytes near the end of the program, and where EndTagLength is a chosen constant;
      
      (b) an offset of EndTag from the end of the program in the non-infected state.
  - 24. The method of claim 23, wherein the contiguous region of bytes near the end of the program in the non-infected state is the last EndTagLength bytes of the program in the non-infected state.
  - 25. The method of claim 23, wherein the contiguous region of bytes near the end of the program in the non-infected state is that which is closest first contiguous region comprising a number BeginTagLength of bytes in which all of the bytes have the same value.
  - 26. The method of claim 25, wherein the information EndInfo includes EndRepeatedByte, the value of the last byte in the contiguous region of EndTagLength bytes closest to the end of the program in which not all of the bytes have the same value.
  - 27. The method of claim 23, wherein the function EndTagFunction of the contiguous region of bytes is the identity.
  - 28. The method of claim 23, wherein the function EndTagFunction of the contiguous region of bytes consists of a checksum of the contiguous region of bytes.
  - 29. The method of claim 28, wherein the checksum is a cyclical redundancy check.
  - 30. The method of claim 1, in which the checksum of each successive trial reconstruction is computed from that of a preceding reconstruction.
  - 31. The method of claim 30, in which the checksum is a cyclical redundancy check, and the checksum of each successive trial reconstruction is computed from that of the preceding reconstruction as follows:
    - space="preserve" listing-type="equation">CRC[Aβ
      
      B]=CRC[Aα
      
      B]⊕
      
      Rem[Mult[ω
      
      (n), (α
      
      ⊕
      
      β
      
      )]]
      where Aα
      
      is a beginning section of a first trial reconstruction, B is an end section of the first trial reconstruction, A is a beginning section of a second trial reconstruction, β
      
      B is an end section of the second trial reconstruction, n is the number of bytes in B, ω
      
      (n)=CRC[10ⁿ ], and α and
      
      β
      
      are single bytes.

32. For a program capable of having a non-infected state, and an infected state in which the program is infected with a computer virus, a method, when the program is suspected of being in the infected state, for determining when the program has attained the infected state, comprising:
- (a) storing, in a memory, electrical signals representing a plurality of parameters of the program in the non-infected state, the parameters comprising;
  
  i. the length of the program in bytes;
  
  ii. a checksum of the program;
  
  iii. information pertaining to bytes in the program near the beginning of the program, designated BeginInfo;
  
  iv. information pertaining to bytes in the program near the end of the program, designated EndInfo;
  
  (b) scanning the program suspected of being in the infected state for a first sequence of bytes characterized by BeginInfo and EndInfo;
  
  (c) generating one or more trial program reconstructions of the program in the non-infected state, based upon byte sequences found in the program in the infected state;
  
  (d) computing a checksum of each trial program reconstruction;
  
  (e) comparing the checksum of the each trial program reconstruction with the checksum of the program in the non-infected state;
  
  (f) if any trial program reconstruction possessing a checksum equal to the checksum of the program in the non-infected state can be found, outputting an indication that the computer program is in the infected state.
- View Dependent Claims (33, 34)
- - 33. The method as recited in claim 32, wherein the output indication is provided in a form suitable for alerting a user of a computer system.
  - 34. The method as recited in claim 32, wherein the output indication is provided in a form suitable to be used by an automatic procedure, such as anti-virus software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo Singapore Pte Limited (Lenovo Group Ltd.)
Original Assignee
International Business Machines Corporation
Inventors
Kephart, Jeffrey O., Sorkin, Gregory B.
Primary Examiner(s)
Tarcza, Thomas H.
Assistant Examiner(s)
SAYADIAN, HRAYR

Application Number

US08/342,520
Time in Patent Office

848 Days
Field of Search

380/2, 380/4, 380/30, 380/49, 380/9, 380/44, 380/46, 380/25, 395/183.15, 395/575, 395/600, 395/700, 395/186, 395/187.01, 395/188.01, 395/183.14, 395/183.12, 364/285.4, 364/286.4
US Class Current

726/24
CPC Class Codes

G06F 21/565 by checking file integrity

G06F 21/568 eliminating virus, restorin...

Generic disinfection of programs infected with a computer virus

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Generic disinfection of programs infected with a computer virus

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links