Emulation repair system

US 6,067,410 A
Filed: 02/09/1996
Issued: 05/23/2000
Est. Priority Date: 02/09/1996
Status: Expired due to Term

First Claim

Patent Images

1. A system for forming a clean host file from a host file infected with a computer virus, the system comprising:

a repair module including a foundation module including generic repair routines and an overlay module including a virus-specific repair routine, the repair module for repairing the virus infected host file;

a control program for loading a copy of the virus infected host file and the repair module into a virtual machine and passing control of the virtual machine to the overlay module;

wherein, according to instructions in the overlay module, the repair module (a) locates host bytes in the copy of the virus infected host file, (b) restores the host bytes to proper locations within the copy of the file, and (c) removes code of the computer virus from the copy of the file to form the clean host file; and

wherein the repair module is adapted to select between the virus-specific repair routine and the generic repair routines for repairing files infected by the computer virus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), the overlay module (262), and the virus itself (224), as necessary, to restore over-written host bytes (228) from the infected host file (220) to their proper locations in the infected host file (220). Repairs made to the image (220") of the host file (220) in the virtual machine (216) are reflected to a back-up file (220'"'"') in the computer system (202).

154 Citations

22 Claims

1. A system for forming a clean host file from a host file infected with a computer virus, the system comprising:
- a repair module including a foundation module including generic repair routines and an overlay module including a virus-specific repair routine, the repair module for repairing the virus infected host file;
  
  a control program for loading a copy of the virus infected host file and the repair module into a virtual machine and passing control of the virtual machine to the overlay module;
  
  wherein, according to instructions in the overlay module, the repair module (a) locates host bytes in the copy of the virus infected host file, (b) restores the host bytes to proper locations within the copy of the file, and (c) removes code of the computer virus from the copy of the file to form the clean host file; and
  
  wherein the repair module is adapted to select between the virus-specific repair routine and the generic repair routines for repairing files infected by the computer virus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein, before the repair module locates the host bytes, instructions from the copy of the file are emulated until a static virus body is decrypted.
  - 3. The system of claim 1, wherein the repair module comprises instructions for locating a virus repair routine in the copy of the file and modifying the virus repair routine, and the virtual machine includes a local vector interrupt table which includes an interrupt for returning control of the virtual machine to the repair module after the virus repair routine has been emulated.
  - 4. The system of claim 1, wherein the virtual machine includes a local vector interrupt table which includes a write-through routine for reflecting changes to the copy of the file from inside the virtual machine to a back-up file outside the virtual machine.
  - 5. The system of claim 1, wherein the virtual machine includes a local vector interrupt table that provides interrupts which the repair module may implement in order to access and use generic repair routines from the foundation module, each generic repair routine being applicable to repair more than one virus.
  - 6. The system of claim 5, wherein the generic repair routines of the foundation module include a checksum routine for verifying identification of the virus.
  - 7. The system of claim 5, wherein the generic repair routines are adapted to be updatable.
  - 8. The system of claim 5, wherein the generic repair routines of the foundation module include a routine accessible via a local interrupt for copying bytes at a first location inside the virtual machine to a second location outside the virtual machine.
  - 9. The system of claim 1, further comprising a virus definition file, each entry in the virus definition file comprising a decryption-emulation-cap for specifying a maximum number of instructions to emulate when decrypting the virus.
  - 10. The system of claim 1, further comprising a virus definition file, each entry in the virus definition file comprising a repair-emulation-cap for specifying a maximum number of instructions to emulate when repairing the virus.

11. A method for repairing a computer file infected with a virus using a virtual machine, a foundation module including generic repair routines, and an overlay module including a virus specific repair routine, the method comprising:
- providing the virtual machine with decryption information on the infecting virus;
  
  when the infecting virus is encrypted, emulating the infected computer file until the infecting virus decrypts itself;
  
  loading the foundation and overlay modules into the virtual machine;
  
  passing control of the virtual machine to the overlay module;
  
  implementing repair routines from the overlay module, foundation module and the virus according to instructions in the overlay module, to repair the virus-infected computer file; and
  
  selecting between generic repair routines in the foundation module and virus-specific repair routines in both the overlay module and the virus.
- View Dependent Claims (12)
- - 12. The method of claim 11, wherein the implementing comprises:
    - locating the virus repair routine in the virus;
      
      modifying the virus repair routine to return control to the overlay module when the virus repair routine has run; and
      
      passing control of the virtual processor to the virus repair routine.

13. A computer readable storage medium on which is stored data for repairing a virus-infected computer file using a virtual machine, a foundation module including generic repair routines, and an overlay module including a virus specific repair routine, the data being suitable for implementation by a processor to perform the steps of:
- providing the virtual machine with decryption information on the infecting virus;
  
  when the infecting virus is encrypted, emulating the infected computer file until the infecting virus decrypts itself;
  
  loading the foundation and overlay modules into the virtual machine;
  
  passing control of the virtual machine to the overlay module;
  
  implementing repair routines from the overlay module, foundation module and the virus according to instructions in the overlay module, to repair the virus-infected computer file; and
  
  selecting between generic repair routines in the foundation module and virus-specific repair routines in both the overlay module and the virus.

14. A method for repairing a host file infected by a computer virus, the method using a virtual environment, a foundation module including generic repair routines, and an overlay module including virus specific repair routines, the method comprising:
- emulating the host file in the virtual environment to allow a decryption loop of the virus to decrypt a body of the virus;
  
  loading the foundation and overlay modules into the virtual environment;
  
  passing control of the virtual environment to the overlay module;
  
  identifying the virus with the overlay module;
  
  selecting a particular repair routine with the overlay module from a group of repair routines comprising the virus-specific repair routines in the overlay module and the generic repair routines in the foundation module;
  
  locating at least one host byte that was relocated during infection of the host file; and
  
  restoring the host byte to an original location in a virtual copy of the host file.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein emulating the virus continues until a virus signature is detected.
  - 16. The method of claim 14, further comprising:
    - confirming identification of the virus after identifying the virus.
  - 17. The method of claim 14, wherein a repair routine located in the virus is utilized for locating and restoring the host byte.
  - 18. The method of claim 17, wherein an interrupt instruction of the virtual environment is used to transfer control away from the repair routine located in the virus.
  - 19. The method of claim 14, wherein the virus-specific repair routines include a repair routine from the virus itself.
  - 20. The method of claim 14, further comprising:
    - creating a real copy of the host file outside the virtual environment.
  - 21. The method of claim 20, wherein an interrupt instruction in the virtual environment allows the real copy of the host file to be modified.

22. A computer readable storage medium on which is stored data for repairing a host file infected by a computer virus, the data using a virtual environment, a foundation module including generic repair routines, and an overlay module including virus specific repair routines, the data being suitable for implementation by a processor for performing the steps of:
- emulating the host file in the virtual environment to allow a decryption loop of the virus to decrypt a body of the virus;
  
  loading the foundation and overlay modules into the virtual environment;
  
  passing control of the virtual environment to the overlay module;
  
  identifying the virus with the overlay module;
  
  selecting a particular repair routine with the overlay module from a group of repair routines comprising the virus-specific repair routines in the foundation module and the generic repair routines in the foundation module;
  
  locating at least one host byte that was relocated during infection of the host file; and
  
  restoring the host byte to an original location in a virtual copy of the host file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey
Primary Examiner(s)
Teska, Kevin J.
Assistant Examiner(s)
DO, THUAN V

Application Number

US08/605,285
Time in Patent Office

1,565 Days
Field of Search

364/580, 364/550, 364/578, 380/4, 395/186, 395/187.01, 395/500, 395/527
US Class Current

703/28
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

Emulation repair system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

154 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Emulation repair system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links