Emulation repair system
Abstract
An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), the overlay module (262), and the virus itself (224), as necessary, to restore over-written host bytes (228) from the infected host file (220) to their proper locations in the infected host file (220). Repairs made to the image (220") of the host file (220) in the virtual machine (216) are reflected to a back-up file (220') in the computer system (202).
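The foundation/overlay split and the choice between a generic and a virus-specific routine can be sketched as follows. This is an added example, not code from the patent: the file layout, marker, XOR key and all names are constructed for illustration, and the emulation and decryption phase is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# --- foundation module: generic routines any overlay may call ---
def find_body(image: bytearray, marker: bytes) -> int:
    pos = image.rfind(marker)
    if pos < 0:
        raise ValueError("marker not found; leaving file untouched")
    return pos

def saved_bytes(image: bytearray, body: int, d: "Definition") -> bytes:
    # (a) locate the relocated host bytes, refusing to read past the file end
    start = body + d.saved_offset
    if start + d.saved_len > len(image):
        raise ValueError("saved host bytes lie outside the file")
    return bytes(image[start:start + d.saved_len])

def generic_repair(image: bytearray, d: "Definition") -> None:
    body = find_body(image, d.marker)
    image[:d.saved_len] = saved_bytes(image, body, d)  # (b) restore host bytes
    del image[body:]                                   # (c) remove appended code

# --- overlay module: routine for one constructed variant ---
def xor_variant_repair(image: bytearray, d: "Definition") -> None:
    body = find_body(image, d.marker)                  # reuses foundation routines
    image[:d.saved_len] = bytes(b ^ 0x5A for b in saved_bytes(image, body, d))
    del image[body:]

@dataclass
class Definition:                                      # hypothetical definition record
    marker: bytes
    saved_offset: int
    saved_len: int
    specific: Optional[Callable[[bytearray, "Definition"], None]] = None

def repair(infected: bytes, d: Definition) -> bytes:
    image = bytearray(infected)                # work on a copy; the input is never modified
    (d.specific or generic_repair)(image, d)   # select specific routine, else generic
    return bytes(image)

# Constructed, inert samples: 3 overwritten leading bytes, saved copy after the marker
HOST = b"host program bytes: 0123456789"
MARK = b"#BODY#"
PLAIN = b"@@@" + HOST[3:] + MARK + HOST[:3] + b"....."
XORED = b"@@@" + HOST[3:] + MARK + bytes(b ^ 0x5A for b in HOST[:3]) + b"....."
PLAIN_DEF = Definition(MARK, len(MARK), 3)
XOR_DEF = Definition(MARK, len(MARK), 3, specific=xor_variant_repair)
```

Applying the generic routine to the XOR variant yields a file that is the right length but has the wrong leading bytes, which is why the selection step matters.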
22 Claims
1. A system for forming a clean host file from a host file infected with a computer virus, the system comprising:
a repair module including a foundation module including generic repair routines and an overlay module including a virus-specific repair routine, the repair module for repairing the virus infected host file;
a control program for loading a copy of the virus infected host file and the repair module into a virtual machine and passing control of the virtual machine to the overlay module;
wherein, according to instructions in the overlay module, the repair module (a) locates host bytes in the copy of the virus infected host file, (b) restores the host bytes to proper locations within the copy of the file, and (c) removes code of the computer virus from the copy of the file to form the clean host file; and
wherein the repair module is adapted to select between the virus-specific repair routine and the generic repair routines for repairing files infected by the computer virus.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method for repairing a computer file infected with a virus using a virtual machine, a foundation module including generic repair routines, and an overlay module including a virus specific repair routine, the method comprising:
providing the virtual machine with decryption information on the infecting virus;
when the infecting virus is encrypted, emulating the infected computer file until the infecting virus decrypts itself;
loading the foundation and overlay modules into the virtual machine;
passing control of the virtual machine to the overlay module;
implementing repair routines from the overlay module, foundation module and the virus according to instructions in the overlay module, to repair the virus-infected computer file; and
selecting between generic repair routines in the foundation module and virus-specific repair routines in both the overlay module and the virus.
Dependent claims: 12
13. A computer readable storage medium on which is stored data for repairing a virus-infected computer file using a virtual machine, a foundation module including generic repair routines, and an overlay module including a virus specific repair routine, the data being suitable for implementation by a processor to perform the steps of:
providing the virtual machine with decryption information on the infecting virus;
when the infecting virus is encrypted, emulating the infected computer file until the infecting virus decrypts itself;
loading the foundation and overlay modules into the virtual machine;
passing control of the virtual machine to the overlay module;
implementing repair routines from the overlay module, foundation module and the virus according to instructions in the overlay module, to repair the virus-infected computer file; and
selecting between generic repair routines in the foundation module and virus-specific repair routines in both the overlay module and the virus.
14. A method for repairing a host file infected by a computer virus, the method using a virtual environment, a foundation module including generic repair routines, and an overlay module including virus specific repair routines, the method comprising:
emulating the host file in the virtual environment to allow a decryption loop of the virus to decrypt a body of the virus;
loading the foundation and overlay modules into the virtual environment;
passing control of the virtual environment to the overlay module;
identifying the virus with the overlay module;
selecting a particular repair routine with the overlay module from a group of repair routines comprising the virus-specific repair routines in the overlay module and the generic repair routines in the foundation module;
locating at least one host byte that was relocated during infection of the host file; and
restoring the host byte to an original location in a virtual copy of the host file.
Dependent claims: 15, 16, 17, 18, 19, 20, 21
22. A computer readable storage medium on which is stored data for repairing a host file infected by a computer virus, the data using a virtual environment, a foundation module including generic repair routines, and an overlay module including virus specific repair routines, the data being suitable for implementation by a processor for performing the steps of:
emulating the host file in the virtual environment to allow a decryption loop of the virus to decrypt a body of the virus;
loading the foundation and overlay modules into the virtual environment;
passing control of the virtual environment to the overlay module;
identifying the virus with the overlay module;
selecting a particular repair routine with the overlay module from a group of repair routines comprising the virus-specific repair routines in the foundation module and the generic repair routines in the foundation module;
locating at least one host byte that was relocated during infection of the host file; and
restoring the host byte to an original location in a virtual copy of the host file.
Specification