1. Technical Field
The present invention relates to the detection of computer viruses and, more particularly, to the detection of computer viruses stored in container formats.
2. Description of the Related Art
Computers are commonly used to perform various tasks and/or engage in certain pastimes. Many of these tasks and pastimes involve the use of the Internet and/or the transmission and receipt of electronic mail messages. There are various complications associated with the use of computers and, in particular, the Internet. Malicious computer programs can be created to covertly infiltrate a user's computer in order to cause damage or perform actions beyond the user's control. These programs are commonly known as viruses, worms, Trojan horses, etc. (collectively “computer virus” hereinafter).
A computer virus is a program that can severely damage a user's computer by, for example, erasing all the data from a mass storage device such as a magnetic or optical drive. A computer virus can also take limited, or full, control of a computer and perform functions that are not approved by, or unknown to, the user. For example, a computer virus can send electronic mail messages (e.g., email) to the addresses stored in the user's email program. Computer viruses can be transferred in various ways, but are commonly transferred through electronic mail messages and/or executable program files. Under certain conditions, the executable program files can be attached to electronic mail messages. Additional examples of various modes of transferring computer viruses include program files, data files, and web pages that have been infected.
To prevent a virus from harming a user's computer, various steps may be taken to detect and, where possible, remove the computer virus. This task has proven to be increasingly difficult as computer viruses become more sophisticated and harder to detect. In certain situations, it is possible to detect, but not remove, the virus.
Various techniques have been created to detect computer viruses in electronic mail messages. Such techniques may involve, for example, scanning (i.e., examining) the contents of an electronic mail message using a virus detection program to identify potential computer viruses. Conventional virus detection programs have used a signature-based detection method to identify computer viruses contained in electronic mail messages.
FIG. 6A is a block diagram conceptually illustrating the configuration of an electronic mail message 500. The electronic mail message 500 includes an envelope (or header) 510 that stores, for example, address information such as origination and destination. The envelope 510 may also contain optional information such as a subject line, priority, etc. The electronic mail message 500 could also include a message portion 512 that contains a letter, note, memo, or other type of information being transferred from a sender to a recipient. Certain electronic mail messages 500 can further include an attachment section 514 that contains one or more files 516 (i.e., attachments). The files 516 can be in the form of executable programs, data, pictures, etc. On certain occasions, however, a computer virus can attach itself to an electronic mail message 500.
FIG. 6B illustrates an exemplary attachment file 516 that has been infected with a computer virus 520. The computer virus 520 is an executable program that can perform certain malicious acts on the user's computer. The attachment file 516 is viewed as a textual representation 518 of the binary data that is executed by the computer. In order to detect the computer virus, a virus scanner would attempt to identify certain phrases (or signatures) within the textual representation. For example, the signature of the computer virus shown in FIG. 6B is SFQFAFADFWEFWE. Accordingly, the textual representation 518 of the binary data includes the virus signature 520. Upon scanning the attachment file 516, the virus scanner would identify the virus signature 520 and alert the user that a computer virus has been detected.
Recently, computer viruses have become more advanced and, consequently, more difficult to detect. For example, certain computer viruses are distributed inside files in a container, or archive, format (e.g., .CAB, ZIP, etc.). Container and archive files often hold their payload in the form of compressed data. In such a case, the electronic mail message contains a file attachment in the container format. When a user opens the electronic mail message to read its content, the computer transparently opens the container file without the user's knowledge. The virus is then free to infect and/or damage the user's computer.
Computer viruses stored in container files are often difficult to identify because the data compression routine can mask the virus signature: the signature is present in the expanded data but generally does not appear verbatim in the compressed data. In order to detect such a computer virus, a virus detection program must examine the contents of the archive to determine whether the expanded (i.e., uncompressed) textual representation contains the virus signature. This can pose certain problems for identifying a computer virus before it has an opportunity to infect a user's computer.
More recently, container files are being created with encryption keys that prevent access to the constituent files stored therein. In such situations, the encryption key is also necessary to decrypt (or unlock) the container file. The electronic mail message can sometimes include a password in the message section that can be used by the user to unlock the container file. Once the container file is unlocked and opened, the computer virus infects the user's computer before being detected.
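The three situations described above (a signature visible in the raw attachment, a signature masked by compression inside a ZIP container, and an encrypted container whose members cannot be expanded) as an added example; this code is not part of the patent text. The signature is the one quoted for FIG. 6B, the payload and archives are constructed in the block, and the encrypted archive is modelled by setting the ZIP encryption flag bit in the headers rather than by real encryption.

```python
import io
import zipfile

# Signature quoted for FIG. 6B in the text; a real scanner holds many.
SIGNATURES = [b"SFQFAFADFWEFWE"]


def scan_bytes(data: bytes) -> list:
    """Plain signature scan over the raw (textual/binary) representation."""
    return [s.decode() for s in SIGNATURES if s in data]


def is_zip(data: bytes) -> bool:
    return data[:4] == b"PK\x03\x04"  # local file header magic


def scan_attachment(name: str, data: bytes) -> dict:
    """Verdict for one attachment: 'infected', 'clean', or 'unscannable'
    (a container with encrypted members that cannot be expanded)."""
    if not is_zip(data):
        hits = scan_bytes(data)
        return {"file": name, "verdict": "infected" if hits else "clean",
                "hits": hits, "encrypted": []}
    hits, encrypted = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member encrypted
                encrypted.append(info.filename)
                continue
            # Expand the member first; the signature is masked in deflated bytes.
            hits.extend(f"{info.filename}:{h}" for h in scan_bytes(zf.read(info)))
    verdict = "infected" if hits else ("unscannable" if encrypted else "clean")
    return {"file": name, "verdict": verdict, "hits": hits, "encrypted": encrypted}


# Constructed sample: a fake executable body carrying the FIG. 6B signature.
PAYLOAD = b"MZ...program bytes..." + SIGNATURES[0] + b"...more program bytes..."


def build_zip(member: str, payload: bytes, encrypted_flag: bool = False) -> bytes:
    """Builds a one-member DEFLATE archive. With encrypted_flag, bit 0 of the
    flags field is set in the local and central headers, which is how a
    password-protected member presents itself to a scanner (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted_flag:
        raw[6] |= 1                         # local file header: flags at offset 6
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 1  # central directory: flags at +8
    return bytes(raw)
```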
Based on the foregoing, it would be beneficial to provide a virus detection program that is capable of addressing at least some of the problems associated with detecting computer viruses. It would also be beneficial to provide an ability to detect viruses that are stored in encrypted container files.