Difference between revisions of "Viruses and malware"
Revision as of 15:58, 26 March 2009
A lot of problems are assumed to be virus problems but actually are hardware, software, or user issues.
Symptoms of infection
Not all complaints mean that a computer is infected. Keep reading.
- Pop-up ads: Particularly watch out for popups from an unfamiliar program warning you that your computer is infected with viruses; the popup is fake and malicious.
- Error messages mentioning filenames that look fake or suspicious.
- Bluescreening, freezing, slowness, or crashes can be the result of hardware problems just as easily as viruses. Do some Hardware Diagnostics to determine whether your computer has a hardware problem.
- Mouse moves on its own: someone very likely has remote control of the computer. Disconnect it from the network before doing anything else; then either do a very thorough clean, or just wipe the system.
- Computer is slow: When is it slow? Slowness can result from too many autostarted programs, old hardware, or even Windows updates. If a virus infection is causing slowness, it is severe enough that you will see other clear symptoms of an infection as well.
- "The instruction at <address> referenced memory at <address>. The memory could not be read/written": this is more likely a bug in a specific program (see Known Image Issues) or a RAM or hard disk fault than malware. Run memory diagnostics or swap out the memory module(s).
Using Autoruns to detect malware
- Get autoruns from http://live.sysinternals.com/autoruns.exe
- Run it and accept license agreement.
- Hit escape to cancel initial scan
- Under "View", select "Hide Microsoft Entries", and also turn on "Verify Code Signatures". With signature verification on, an entry is hidden only if its file carries a valid Microsoft Authenticode signature, which malware cannot forge; without it, Autoruns hides entries by the publisher string in the file's version info, which malware can set to anything it likes. This cuts the list down to a manageable size.
- Refresh (F5) to rescan
- Look near the bottom, in the Winlogon section (including Winlogon Notify entries) and in LSA Providers. See something oddly named? Does it list a company? Where does the file live? What does Google say when you search for the filename?
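The Autoruns steps above as a script, added here as an example and not code from the original page or from Sysinternals. It walks the Run/RunOnce keys, the Winlogon program values (plus the XP-era Winlogon Notify subkeys) and the LSA package lists, resolves each entry to a file on disk, checks the file's Authenticode signature, and prints everything that is not validly Microsoft-signed: the scripted form of "Hide Microsoft Entries" with "Verify Code Signatures" on. Assumptions: PowerShell 2.0 or later, an elevated console, and the registry locations listed in the script, which are the common ones rather than the full set Autoruns covers. One caveat: on Windows versions before 10, many Microsoft system files are signed only through catalog files, which Get-AuthenticodeSignature does not consult there, so a system32 file showing as UNSIGNED means "confirm in Autoruns", not "malware".

```powershell
# Added example (not code from the original page): the Autoruns walk-through
# above, scripted for the Logon, Winlogon and LSA locations. Assumptions:
# PowerShell 2.0 or later, and the registry keys listed here, which are the
# common ones rather than the full set Autoruns covers.

function Resolve-ImagePath {
    # Turn a registry value ('"C:\Foo\foo.exe" -tray', 'userinit.exe,', or a bare
    # LSA package name like 'msv1_0') into the path of the file on disk.
    param([string]$Value)
    $v = $Value.Trim()
    if ($v -match '^"([^"]+)"') { $v = $Matches[1] } else { $v = ($v -split '[,\s]')[0] }
    $v = [Environment]::ExpandEnvironmentVariables($v)
    if (-not [IO.Path]::IsPathRooted($v)) {
        foreach ($c in "$env:SystemRoot\System32\$v", "$env:SystemRoot\System32\$v.dll") {
            if (Test-Path $c) { return $c }
        }
    }
    return $v
}

function Get-ImageTrust {
    # 'Microsoft' for a valid Microsoft Authenticode signature, otherwise a reason.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED ($($sig.Status))" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "third party: $($sig.SignerCertificate.Subject)"
    }
    return 'Microsoft'
}

function New-Finding([string]$Location, [string]$Value) {
    $path = Resolve-ImagePath $Value
    New-Object PSObject -Property @{ Location = $Location; Image = $path; Trust = (Get-ImageTrust $path) }
}

$findings = @()

# Logon: every value under Run/RunOnce is a command line (PS* are provider properties).
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value } |
            ForEach-Object { $findings += New-Finding "$key\$($_.Name)" $_.Value }
    }
}

# Winlogon: only the values that name a program; text/prompt settings are skipped.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Userinit', 'Shell', 'Taskman', 'UIHost', 'GinaDLL', 'VMApplet') {
    $v = (Get-ItemProperty $wl).$name
    if ($v) { $findings += New-Finding "$wl\$name" $v }
}
# Winlogon Notify DLLs (Windows XP/2003; the key is absent on Vista and later).
Get-ChildItem "$wl\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DLLName
    if ($dll) { $findings += New-Finding "$($_.PSChildName) (Winlogon\Notify)" $dll }
}

# LSA Providers: REG_MULTI_SZ lists of packages that lsass.exe loads at boot.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'Authentication Packages', 'Notification Packages', 'Security Packages') {
    foreach ($pkg in @((Get-ItemProperty $lsa).$name)) {
        if ($pkg) { $findings += New-Finding "$lsa\$name" $pkg }
    }
}

# Hide the Microsoft-signed entries; what is left is the list to research.
$findings | Where-Object { $_.Trust -ne 'Microsoft' } |
    Sort-Object Trust | Format-Table Location, Image, Trust -AutoSize -Wrap
```

Legitimate third-party software (Intel drivers, Yahoo Messenger) will appear in the output too; that is expected, since the point is to shrink the list to what needs a human look. FILE MISSING entries are worth attention as well: a Winlogon or LSA entry pointing at a file that is no longer there is often the leftover of a partial clean-up.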
Dealing with malware (malicious software) and viruses is no easy task. Please read carefully to understand a little about how viruses work.
Viruses can change their filenames to avoid detection
A programmer can design a virus (let's call the virus "trojan2k7") to do various things: infect computers, corrupt files, record the user's keystrokes, display ads, et cetera. The virus lives in an .exe or .dll file whose name can change over time. On one computer the file might be called abc567.exe, and on another it might be called mra128.exe. The virus merely needs to add a registry entry (a value under the Run key, or a Winlogon or LSA entry) that tells Windows to start the program at logon; the program's name can be anything at all as long as the registry entry points at it.
While we count on Symantec to find a lot of viruses, Symantec and the other virus scanners share a MAJOR weakness: they recognize known malware by signatures of the file's contents, not by what it does. A new variant, or the same malware repacked or re-encrypted so that its bytes differ, is invisible to the scanner until the vendor's database is updated to look for it. (Changing the filename, by contrast, does not fool the scanner at all; it fools you, the person trying to recognize the file.) So even if your security software is up to date, you are never fully protected, and scanning an infected machine will always miss some malware. If you're really bent on cleaning a machine without reinstalling the OS, you'll need to put on your sleuth hat and do the work yourself.
The programs you use in the cleaning steps below basically give you a list of lots of programs on your computer. Your job is to go through the list and decide whether each item is valid or dangerous, spot the malware, and remove it. Some of the programs are obviously harmless (Yahoo Messenger, Intel drivers); others are unfamiliar but important (ctfmon.exe? ImScInst.exe?). Most of the ones you don't immediately recognize as safe, you'll search for by name on Google. If the name is associated with a valid program and there are millions of results, the exe is probably valid. If the name is associated with suspicious activity and there are fewer results, it's likely malware and should be removed. Check the location as well as the name: a legitimate name in the wrong folder (a second svchost.exe outside system32) is a classic trick, and a Google hit for the real file tells you nothing about the copy in the wrong place. After going through this process a couple of times, you get a sense of what programs are familiar and what might be dangerous.
An unorthodox parallel: The Mothership
Ever notice that even when you delete an infectious EXE file, it reappears the next day? Read Petar's trippy metaphor to get a sense of how viruses reproduce.
- The WinLogon and LSA sections can be thought of as the MOTHERSHIP (ever seen the movie Independence Day?).
- So until you kill the mothership, it will keep sending nasty malware to the system.
- In the movie Independence Day, the nations of Earth sent nukes, conventional bombs, helicopters, fighters, etc. at the malicious attackers, but none of the methods proved useful, as the MOTHERSHIP was protecting the attackers. Similarly, the malicious executables in the WinLogon and LSA sections protect the malware. You can try nuking them (with antivirus programs, Spybot, Ad-Aware, Malwarebytes, and any other automated programs), but just trying to nuke rarely works.
- In the aforementioned movie, two individuals infiltrated the mothership and thus disabled the defenses. Similarly, you will need to infiltrate the WinLogon and LSA sections to disable the malware there. The easiest way to do this is to boot into Bart, or connect the infected hard disk through a USB adapter. Then look for the executables you saw in the Winlogon and LSA sections (typically in windows\system32).
- A more advanced way to infiltrate the WinLogon and LSA sections is to boot in safe mode, use autoruns, write down the name and location of the BAD files in the WinLogon and LSA sections. Then use http://live.sysinternals.com/procexp.exe to kill the smss.exe process, then the winlogon.exe process, then the lsass.exe process. After these are killed, open a command line window and use the del command to delete the files that you found were bad. You will need to hold down the power button to shut down the computer. After you've deleted the BAD files in the WinLogon and LSA sections, you can use Symantec, AdAware, Spybot, Malware Bytes, and whatnot to do a full system scan and NUKE any leftover malware.
Manually clean viruses and malware
- Remember that we do not do malware cleanup for customers.
- The "supported" way of cleaning out malware is backing up files and reinstalling the OS (reimaging if possible).
Nevertheless, if you NEED to remove malware from a machine without reinstalling Windows, this page explains how. I think you'll see why we've stopped supporting malware cleanup. Please be familiar with the "Understanding Viruses" section above.
This is guaranteed to not remove all viruses from a system. But these steps get most viruses, and if a user is unwilling to reimage a computer, you can direct them to take these steps to get some measure of safety.
- Back up all documents & personal files.
- Install SAV, Spybot, and MalwareBytes, and update all three while the machine is still online. Plain Safe Mode has no networking, so definitions cannot be fetched once you are there (and you do not want the infected machine online any longer than necessary).
- Reboot in Safe Mode (press F8 on boot).
- Open SAV and do a full scan. SAV can miss some infections and focuses more on viruses than on spyware but it's a great place to start.
- Run Spybot and do a full scan.
- Run MalwareBytes and do a complete scan.
Uninstall unsafe programs
Some programs are particularly linked to viruses and should be removed to avoid reinfection.
- Uninstall AIM. Some viruses change the away messages; people click the malicious links in away messages and get reinfected.
- Uninstall all P2P filesharing programs, including but not limited to Kazaa and LimeWire, and IRC clients such as mIRC that are used for file transfers (DCC/XDCC). People use P2P applications and get reinfected.
Use HijackThis to find suspicious programs
HijackThis is an awesome program that lists every single program that starts up when your computer starts. It's not a pretty program, it's actually pretty plain, and it just puts the programs in a long list showing just their name, what they are, and where they are located.
- Download and install HijackThis from Trend Micro.
- Restart in SAFE MODE (press F8 on boot), then open HijackThis.
- In HijackThis, run a scan and save a logfile for future reference.
- Go through and check each HijackThis entry. If it's an Internet Explorer item, ensure that the associated website or file is valid. If you are unsure about a strange filename, check it on Google. Look through the Google search results for information saying that the file is valid and what it is for. If you don't find any such explanation, the file is suspicious. Check it for deletion.
- Once you've gone through the list, try to find the location of each suspicious file in Windows Explorer and change the file extension to .BAD or something other than .exe or .dll; that way the program is permanently paralyzed. Windows will refuse to rename a file that is currently loaded, which is why this is done in Safe Mode; if the rename still fails there, the file is loaded even in Safe Mode and you will need to get at it from outside the running OS (see the Mothership section). Be aware that some programs also keep backups or copies elsewhere; if the program reappears when you do a second scan, it may be because another copy of the program (or a "mother" program) helped it respawn.
- Then delete the checked (suspicious) entries in HijackThis for good measure; HijackThis makes a backup of all entries deleted, so you can always get it back later.
- (Optional) Locate the logfile you saved from earlier and submit it to one of the HijackThis online forums, such as hijackthis.de. This will give a second opinion on what items are suspicious and what are safe.
- Once you've gone through all items in the list, RESTART the computer again into safe mode. Then run HijackThis again and go through to make sure that the items you deleted did not reappear on the list. If they did reappear, you've probably missed an important file somewhere on the list.
Manually check system folders
In Windows Explorer, check C:\WINDOWS and C:\WINDOWS\system32 for suspicious files:
- In Details view, sort files by date modified. Look around the month that the problems started appearing. Generally the dangerous files are the ones Windows will execute: .exe and .dll, but also .sys (drivers), .scr, .cpl and .ocx. Remember that the modified date is easy for malware to set back to an old value, so an old date is not proof that a file is clean; the created date is a useful second opinion.
- Show the Comments and Company Info columns. Malware often has no details entered in here (although they could easily do so).
- Scan filenames for gibberish or "unprofessional" names. Much malware can be spotted by an obvious filename.
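The Explorer sweep above as a script, added as an example and not code from the original page. It lists the .exe and .dll files in the Windows and system32 folders modified within a window, shows the CompanyName and FileDescription from each file's version resource alongside its Authenticode status, and flags files with empty company info, an invalid or missing signature, a random-looking name, or a core process name living outside the system folders. Assumptions: PowerShell 2.0 or later; $Since is a placeholder cut-off to set to the month the trouble began; the name heuristics are mine and only narrow the list for a manual look. On Windows versions before 10, catalog-signed Microsoft files report NotSigned here, so treat that flag as "verify", not as a verdict.

```powershell
# Added example (not code from the original page): the Explorer sweep of the
# Windows and system32 folders as a script. Assumptions: PowerShell 2.0 or
# later; $Since is a placeholder cut-off to set to the month the trouble began;
# the name heuristics are mine and only narrow the list for a manual look.

$Since   = (Get-Date).AddDays(-30)                       # assumed window
$folders = "$env:SystemRoot", "$env:SystemRoot\System32"
# Names of core processes that only belong in the system folders.
$coreNames   = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'smss.exe', 'services.exe'
$coreFolders = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"

function Test-SuspiciousName([IO.FileInfo]$File) {
    # Returns a reason string for names that merit a look, or $null.
    $base = $File.BaseName
    if ($base -match '^[a-z]{1,3}\d{3,}$')  { return 'random-looking name' }   # abc567, mra128
    if ($base -match '^[^aeiouy]{8,}$')     { return 'no vowels' }             # consonant soup
    if ($coreNames -contains $File.Name -and $coreFolders -notcontains $File.DirectoryName) {
        return 'core process name outside the system folder'
    }
    return $null
}

$report = foreach ($folder in $folders) {
    Get-ChildItem "$folder\*" -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $vi    = $_.VersionInfo
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $flags = @()
            if (-not $vi.CompanyName)    { $flags += 'no company info' }
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            $why = Test-SuspiciousName $_
            if ($why)                    { $flags += $why }
            New-Object PSObject -Property @{
                Modified = $_.LastWriteTime; Created = $_.CreationTime; File = $_.FullName
                Company  = $vi.CompanyName; Description = $vi.FileDescription
                Flags    = ($flags -join '; ')
            }
        }
}

$report | Sort-Object Modified -Descending |
    Format-Table Modified, Created, File, Company, Flags -AutoSize -Wrap
```

Both timestamps are shown because the modified date is trivially forged while the created date is less often touched; a file "modified" years ago but created last week is worth a second look. Malware can just as easily fill in a plausible CompanyName, so an empty Flags column is not a clean bill of health; the flags only decide what you look at first.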
Check what programs are running
You need to restart into normal Windows, not Safe Mode, to do these steps effectively.
- Download and run TCPView from Sysinternals. TCPView lists every open TCP and UDP endpoint together with the process that owns it, updating as connections come and go. Leave it running for a while: malware that only phones home briefly shows up only while its connection is open.
- Check through the list of processes listed in TCPView. As with HijackThis, google the filename of any unfamiliar or suspicious processes; if it looks like malware, search the computer to locate and delete or disable the file (by renaming the extension to .BAD).
- Download and run Process Explorer from Sysinternals. As before, go through the list checking for suspicious or unknown programs; remove any dangerous ones you find.
- Check for rootkits: run Sysinternals RootkitRevealer and leave the machine idle while it scans. It reports discrepancies between what the Windows API shows and what is actually on disk and in the registry. Expect a few benign discrepancies (files that changed during the scan); what you are looking for is hidden files or registry keys, especially with odd names, under the system folders.
- DO A FINAL SCAN with HijackThis now. This is important because malware may have reproduced in the meantime.
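The TCPView and Process Explorer steps above as a script, added as an example and not code from the original page or from Sysinternals. It parses `netstat -ano` (available on XP and later, which is why it is used rather than a newer cmdlet) to map each TCP and UDP endpoint to its owning process, then looks up that process's image path, company and Authenticode status so that unfamiliar network users can be researched. Assumptions: PowerShell 2.0 or later and an elevated console, run in normal mode (plain Safe Mode has no networking and nothing to show). The System process (PID 4) and protected processes expose no path and appear with "n/a"; on Windows versions before 10, catalog-signed Microsoft files report NotSigned, which is a reason to confirm in Process Explorer, not a verdict.

```powershell
# Added example (not code from the original page): the TCPView/Process Explorer
# step as a script, built on `netstat -ano` (XP and later) rather than a newer
# cmdlet so it runs on the systems this page is about. Assumptions: PowerShell
# 2.0 or later and an elevated console, so Get-Process can read image paths.

function Get-NetworkProcesses {
    # One object per TCP/UDP endpoint, joined to the owning process on disk.
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = -split $_.Trim()          # Proto, Local, Remote, [State], PID
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = [int]$f[4] }
        else                 { $state = '';    $owner = [int]$f[3] }
        if ($owner -eq 0) { return }   # TIME_WAIT leftovers belong to no process
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $path = $null; $company = ''
        if ($proc) { try { $path = $proc.Path; $company = $proc.Company } catch { } }
        $sigStatus = 'n/a'             # System (PID 4) and protected processes expose no path
        if ($path) { $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status }
        $procName = '(exited)'
        if ($proc) { $procName = $proc.ProcessName }
        New-Object PSObject -Property @{
            PID = $owner; Process = $procName; State = $state
            Local = $f[1]; Remote = $f[2]
            Path = $path; Company = $company; Signature = $sigStatus
        }
    }
}

# As with "Hide Microsoft Entries": drop what is validly signed, research the rest.
Get-NetworkProcesses | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object PID | Format-Table PID, Process, State, Local, Remote, Path, Signature -AutoSize -Wrap
```

Run it a few times over several minutes, as with TCPView, because a process that connects out briefly is only visible while its connection exists. An ESTABLISHED connection from an unsigned file in a user profile or temp folder is the pattern to chase first; a LISTENING port owned by such a file is a backdoor until proven otherwise.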
Notes on specific viruses
Rogue antivirus ("scareware"): "Antivirus XP 2009"
This program goes by multiple names, such as Antivirus XP 2008 and System Protect 2009. Symptoms:
- The user did not voluntarily install it.
- It pops up at random times looking like an authoritative virus scanner, rapidly detecting many serious threats and listing them for you. (The threats are made up names; they point to nonexistent files.)
- It tells you your computer is seriously infected (which it is by this point) and offers to clean the threats for you if you upgrade to the full version of the program.
Multiple people have been tricked into purchasing the full version of this program, which provides no real protection, actually installs more viruses on your system, and may possibly inject pop-up ads and keyloggers as well. This malware is very difficult to remove (MalwareBytes may be able to uninstall it) and it may be better just to reimage a system that has this infection on it.
- Much better write up: http://vil.nai.com/vil/content/v_148955.htm
- Spreads through USB/firewire/flash drives.