
Research on Win32 PE File Virus Detection Methods

Posted on: 2013-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: W P Fan
GTID: 2248330374986371
Subject: Information and Communication Engineering

Abstract/Summary:
Today, with the growing popularity of the Internet, computer and network technology bring great convenience to people's daily life and work, but they also bring a variety of security risks and threats. Computer viruses are the most serious of these threats. Windows is the most widely used PC operating system, and the PE file is the most used file format on Windows. Computer viruses that infect PE files are the most influential file viruses on the platform.

To deal with PE viruses, a number of anti-virus technologies have been developed, such as signature detection, heuristic detection, virtual machine technology, and active defense. Virus signature detection is the most widely used technology and the most effective way to detect PE file viruses. But it cannot detect unknown viruses effectively, and it needs frequent updates to its virus database. In addition, the work of extracting virus signatures cannot be completed automatically. Therefore, the rate of signature extraction lags far behind the development of PE viruses.

The dissertation studies PE file viruses against this background. First, we introduce background knowledge on computer viruses, including the definition of a virus, the principles and mechanisms by which viruses spread, and their trigger and damage mechanisms. Second, the dissertation analyzes the same aspects of PE file viruses in more depth, and then sums up the advantages and disadvantages of current detection methods, for example signature detection and virtual machine detection. To solve the problem of detecting unknown PE file viruses that cannot be detected by existing mainstream tools, the dissertation designs a system based on process behavior and file signature. It consists of a process behavior analysis subsystem, which is based on the dynamic behavior of a PE file virus while it infects PE files, and a file signature analysis subsystem, which is based on abnormal characteristics of PE files that have been infected. Finally, we test the system with a set of viruses that includes unknown viruses. The results of these tests show that the system can detect known and unknown PE file viruses effectively.
Keywords/Search Tags: PE file virus, dynamic behavior, self-replicating, static analysis