This invention relates to a virus extermination method, an information processing apparatus and a computer-readable recording medium with a virus extermination program recorded thereon, suitable for use in exterminating a virus when a computer is infected with a computer virus, particularly a computer virus of the type which infects and is resident in a system (system infection type) or of the memory infection type.
A computer virus of the system infection type causes a destructive program (virus) to be resident in a system area (boot area or IPL (Initial Program Loading) area) of a computer and effects destruction and infection to another system area. Computer viruses of the system infection type account for approximately 70 to 80% of the computer viruses which have been discovered or whose appearance has been confirmed to date.
In almost all cases, computer viruses of the system infection type described above are memory resident. A virus of the memory resident type does not directly cause infection from an infected medium to another medium. Instead, it first becomes resident in the main memory (hereinafter referred to simply as memory) of a computer started using an infected medium, monitors commands of a BIOS (Basic I/O System) or a DOS (Disk Operating System) from within the memory in which it is resident and, at the point in time when another file is accessed, infects the accessed file.
Further, in recent computers, including notebook type personal computers, the modules which make up an OS or application software have a large capacity. A resume function is therefore used so that, even if the power supply is disconnected, information in the memory is maintained without being erased, allowing operation to continue immediately when the power supply is connected again and thereby reducing the time required for the startup of the computer.
Also, a personal computer (so-called green PC) has been developed which, much like the resume function mentioned above, operates with an auxiliary power supply such as a battery or with a minimum power supply while the personal computer is not in use.
If a computer, a green PC or a like apparatus having the resume function mentioned above is infected with computer viruses of the memory resident type described above, then it sometimes occurs that, even if the power supply is disconnected with the intention of eliminating the viruses, the stored contents of the memory remain as they are and some of the viruses remain resident in the memory. Although the viruses are expected to have been exterminated, they actually have not been.
Further, as described above, almost all viruses of the system infection type and the memory resident type infect the medium that is the destination of an access at the point in time when a storage apparatus is accessed.
Therefore, when a computer is rendered operative by executing a program stored in a storage apparatus such as a hard disk in an environment wherein the system area of the storage apparatus is infected with a virus, if another auxiliary storage apparatus (floppy disk drive or the like) is accessed during execution of the program, then the access acts as a trigger for infection of the medium (for example, a floppy disk) of the auxiliary storage apparatus that is the destination of the access.
More particularly, if a virus is present in the memory, the virus handles an interruption or the like using a file access of a BIOS as a trigger so that the system area of an auxiliary storage apparatus as a medium of the destination of the access is infected by the virus.
In other words, in order to access a medium such as an auxiliary storage apparatus, execution of a program in the system area must be involved, and if the system area is infected with a virus, then also the system area of a medium of the destination of the access becomes infected with the virus.
In order to exterminate such a virus as described above, various virus check programs have been developed for different types of viruses. However, although ordinary virus check programs can detect that the memory is infected with a virus, they cannot exterminate the virus, but merely notify whether or not a virus has been detected after a search of the system area. Accordingly, in order to exterminate a virus resident in the memory, there is no countermeasure other than to clear the memory.
Furthermore, even if an extermination program is executed when a virus is resident in the memory, since the virus re-infects a file through a BIOS when the file is accessed, infection still occurs even after the extermination.
In particular, if a program for checking a virus is read in from, for example, a floppy disk and is operated, then a virus which is resident in a disk apparatus or the like can be removed. However, since a virus remains in the memory, the virus re-infects a file (program data for checking a virus stored on the floppy disk) through a BIOS when the file is accessed.
In short, even if a program is operated in order to exterminate a virus in a disk, after extermination of the virus in the disk, the disk is infected again by the virus which remains in the memory without being exterminated.
In other words, it sometimes occurs that, when a virus check program is to be read out from a floppy disk in order to detect a virus of the system infection type, an erroneous operation is performed so that the computer is started up from the boot of an infected medium.
In this instance, a system is started from the floppy disk whose boot area is infected with a virus. Therefore, if the virus check program is started, then the virus infects the memory and is thereafter resident in the memory.
Therefore, in order to exterminate a virus which infects the system area in a storage apparatus such as a hard disk in a personal computer or the like of the pre-install type wherein, for example, software for starting a computer is built in the hard disk in advance, the memory must first be cleared, the computer must then be started up from an external medium in which a system program (boot or IPL) and an operating system (OS) which are not infected with a virus are stored, and only after that can a virus extermination program be executed.
In particular, if a personal computer or the like which is of the pre-install type or has a resume function is infected with a computer virus of the system infection type, the computer virus of the system infection type is exterminated, for example, by a procedure which includes the following steps 1 to 4.
(1) All power supplies are disconnected, and an auxiliary power supply and so forth for realizing a resume function are also physically removed, to cut the electric energy supplied to the memory and remove a virus from the memory.
(2) The computer is started up with an operating system (for example, a DOS) which is stored on a floppy disk or the like and constructed at least from the minimum program necessary for the startup.
(3) A virus extermination program is executed in the operating environment of the started up operating system to remove a virus which is resident in a storage apparatus or the like whose data are not erased even if the power supply to it is cut, thereby restoring the original environment wherein the computer is not infected with a virus.
As an alternative, necessary data stored on the storage apparatus are saved or copied one by one onto an external storage apparatus such as a floppy disk, and then physical formatting (an operation to delete all stored contents of a hard disk) is performed to place the disk into a state wherein the disk allows operation of an operating system which is not infected with a virus.
Thereafter, an operating system which is not infected with a virus is installed again as system startup software from the outside, and the necessary data which have been saved or copied onto the floppy disk or the like as described above are copied back to restore the original environment wherein the computer is not infected with a virus.
(4) It is confirmed again whether extermination of a virus has been performed successfully, and the extermination operation is ended when the success of extermination is confirmed.
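The reasoning behind this procedure can be followed in a toy state model, given here as an added example that is not part of the original text. It tracks only whether the memory and the system area of each medium are infected; all class, method and parameter names are hypothetical, and the model assumes every media access by an infected memory infects the accessed medium.

```python
# Added illustration: toy state model of the re-infection cycle (hypothetical names).
from dataclasses import dataclass

@dataclass
class Medium:
    name: str
    boot_infected: bool = False   # state of the system (boot/IPL) area

@dataclass
class Machine:
    hard_disk: Medium
    memory_infected: bool = True  # virus already resident
    resume_power: bool = True     # auxiliary supply keeps memory contents

    def power_off(self, remove_aux_power: bool) -> None:
        # Memory is only cleared when nothing keeps it powered (step 1).
        if remove_aux_power or not self.resume_power:
            self.memory_infected = False

    def boot_from(self, medium: Medium) -> None:
        # Starting from an infected system area makes the virus resident.
        self.memory_infected = self.memory_infected or medium.boot_infected

    def access(self, medium: Medium) -> None:
        # A resident virus uses the access as its trigger to infect the target.
        if self.memory_infected:
            medium.boot_infected = True

    def run_extermination(self, tool: Medium) -> None:
        self.access(tool)                     # the tool is read from its medium
        self.hard_disk.boot_infected = False  # system area is cleaned
        self.access(self.hard_disk)           # any later disk access

def attempt(power_cycle, remove_aux_power=False, tool_boot_infected=False):
    """Return (memory, hard disk, tool medium) infection state after a cleanup."""
    pc = Machine(Medium("hard disk", boot_infected=True))
    tool = Medium("tool floppy", boot_infected=tool_boot_infected)
    if power_cycle:
        pc.power_off(remove_aux_power)
        pc.boot_from(tool)
    pc.run_extermination(tool)
    return pc.memory_infected, pc.hard_disk.boot_infected, tool.boot_infected

if __name__ == "__main__":
    print("tool run on live system :", attempt(False))
    print("power off, resume active:", attempt(True))
    print("steps 1-3 followed      :", attempt(True, remove_aux_power=True))
    print("booted infected floppy  :", attempt(True, True, tool_boot_infected=True))
```

Only the run that removes the auxiliary power and boots from a clean medium ends with all three states clean; every other path leaves the memory, the hard disk and the tool medium infected.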
However, where such a virus extermination procedure as described above is used to perform virus extermination, there is a problem in that a user may possibly operate in error or may be subject to a heavy operation burden because the user must personally perform the operations for virus extermination in accordance with the procedure.
Particularly in a personal computer or the like of the pre-install type, a medium such as a floppy disk or a CD-ROM on which a system which is not infected with a virus is stored, a driver for the medium and so forth must be prepared separately. However, some models of personal computers or the like of the type mentioned do not include such a medium in the product package, and the burden of newly purchasing an OS which is not infected with a virus is imposed on users of those models.
Further, the number of types of viruses has also been increasing in recent years, and the number of patterns for extermination increases every time the number of types of viruses increases. As the number of types of viruses increases, the virus extermination programs developed for them also become heavier programs which require larger storage capacities, and consequently, a sufficient area to build in a system and such software for virus extermination as just described cannot be assured on a floppy disk.
Furthermore, some viruses cannot be exterminated by any existing virus check program, and if infection with a virus of the type just mentioned occurs, then physical formatting of a storage apparatus such as a disk apparatus is required. Therefore, the user must usually create backup copies of data stored in the storage apparatus and so forth. In this manner, much time is required for operations to guard against virus infection.