Abstract

Information pertaining to the verification of the identity of, and reversal of, a transformation of computer data is derived automatically based on a set of samples. The most important class of transformations is computer viruses. The process extracts this information for a large, fairly general class of viruses. Samples consisting of host programs infected with the virus and sample pairs consisting of an infected host and the corresponding original, uninfected host are obtained. A description of how the virus attaches to the host program, including locations within uninfected host of components of both the original host and the virus is generated. Viral code is matched across samples to obtain a description of "invariant" regions of the virus. Host bytes embedded within the virus are located. A description of the original host locations permits ant-virus software on a user's machine to restore the bulk of a program that has been infected. Characterization of the correspondence between invariable portions of the virus and destroyed parts of the host enables anti-virus software to complete the repair.

Other References

• Chess, David, "Virus Verification and Removal--Tools and Techniques", Virus Bulletin, dtd Nov. 1991, pp. 1-