rajat22
In the zone
Treating Infected Systems
While surfing, I read this wonderful article at www.windowsecurity.com/ by Amit Zinman and
thought it to be extremely useful to Digit readers.
About Amit Zinman
Currently working as Project Manager and Systems Consultant, heading and consulting on Exchange
and NT/Windows 2000 based migrations and deployments for large companies such as Checkpoint,
Comverse, Smarteam, Nice, Aladdin and leading Israeli banks. Also involved in writing scripts and
custom solutions for clients based on ADSI, CDO and Visual Basic, teaching Windows 2000 and
Exchange 2000 in MCSE colleges, and lecturing at Microsoft User Groups.
Most of us Windows users are by now painfully aware of what a computer infection looks like.
Infections now take all shapes and forms, and different words indicate how you got one, the level
of risk it poses, and how it can spread further. Some infections will produce annoyances such as
Internet Explorer home page hijacking and some will trash your files. The software infecting your
computer is now often given the broad term "malware".
Network administrators today face the fact that their firewall will not protect them from
Trojans. Even patching all your machines might not protect a computer where a user decided to
download a malicious program. Nowadays, through group policy you can control more of the
computing environment but when you have diverse operating systems and laptops that go to people's
houses you might not have as much control as you would like to.
My article will provide you with several tools that can help you take care of such infections
should you come across an infected machine, and provide an alternative to the "format your hard
drive" method, which works very well but might sometimes not be the best or even a viable option.
It can come in really handy if, for example, your CEO can spare you her computer for only an hour
or so before she flies off again, to fix those annoying IE pop-ups she is getting all the time.
Network Activity
One of the easiest ways to find out which file infected your computer is by identifying which
process tries to access the Internet most. Close all file sharing and other network applications
first, so that their legitimate traffic does not hide the culprit.
A handy freeware utility for doing this is TCPView from Sysinternals, available here:
www.sysinternals.com/ntw2k/source/tcpview.shtml
Running it shows a typical virus that you could find on any unpatched Windows XP or 2000 machine
moments after connecting to the Internet.
You can also terminate a process by right-clicking it and choosing "End Process" instead of using
the Windows Task Manager.
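As an added illustration (not part of the original article), the same "which process talks to the Internet most" check can be done from a command prompt by counting external connections per PID in the output of netstat -ano. The sample output below is constructed, and the PIDs and addresses in it are made up.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output, not taken from the article; the
# PIDs and addresses are made up. PID 1764 is the stand-in for the infected
# process that keeps opening outbound connections.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1204
  TCP    192.168.1.10:1031      198.51.100.7:80        ESTABLISHED     1764
  TCP    192.168.1.10:1032      198.51.100.7:80        ESTABLISHED     1764
  TCP    192.168.1.10:1033      203.0.113.9:6667       ESTABLISHED     1764
  TCP    192.168.1.10:1034      198.51.100.20:443      ESTABLISHED     988
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  UDP    0.0.0.0:445            *:*                                    4
"""

# One connection row: protocol, local endpoint, foreign endpoint, optional
# state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each connection row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            yield proto, local, remote, state or "", int(pid)

def is_external(remote):
    """True when the foreign endpoint is a real remote host, not loopback or a wildcard."""
    host = remote.rsplit(":", 1)[0]
    return host not in ("0.0.0.0", "*", "[::]", "[::1]") and not host.startswith("127.")

def external_connections_by_pid(text):
    """Count external connections per PID, busiest first: the top entry is the
    process to inspect and, in TCPView or Task Manager, to end."""
    counts = Counter()
    for _proto, _local, remote, _state, pid in parse_netstat(text):
        if is_external(remote):
            counts[pid] += 1
    return counts.most_common()
```

Run the script against the real output (netstat -ano > conns.txt) after closing file sharing and browsers, as the article advises, so the busiest PID is the suspect rather than a legitimate program.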
You can use the System Configuration Utility to stop the virus from running. Note the button
that lets you launch the System Restore process. If you have a valid checkpoint which you know
to be from before the infection, you should use it to restore the registry and other important
files.
Finally, you can delete the file itself from the hard drive.
Note that some viruses use the system restore mechanism of Windows XP to re-infect the machine if
you delete their executable. To disable system restore in Windows XP you need to access Control
Panel -> System -> System Restore.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
As you can see, this will delete the restore points, so only do this if you do not want to use
System Restore to return your system to the state it was in prior to the infection.
Internet Explorer Hijacking
With Windows versions before XP SP2 and 2003 SP1 it was pretty easy to click something and get
all kinds of Internet Explorer "add-ons" and other hidden utilities which change the default IE
search and home page, and hijack it again when you attempt to change it back. Resetting this
using IE's Internet Options might not help.
If you install Windows XP SP2 you can manage IE add-ons using the new Add-On Manager. For more
information about this follow this link:
www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx
If you have a previous version you can use ToolbarCop, a freeware utility available here:
windowsxp.mvps.org/toolbarcop.htm
Like MSConfig, it can delete processes that run when the operating system loads, but it can also
disable IE add-ons.
Anatomy of an Infection
To prepare this article I installed Windows XP with SP1 and no patches. I surfed a few porn sites
(though, strictly speaking, I'm against porn), answered a few dialog boxes, and presto, as the
following screenshots show, I had my IE hijacked and my computer infected with all kinds of pests.
TCPView showed a lot of network activity as well:
So I ran ToolbarCop and found more than 12 components to delete.
Most of these are Trojans. The difference between Trojans and viruses in this case is that, since
I specifically surfed to certain web sites and said "yes" on the download dialog boxes, the blame
is on me, unlike the previous example where the virus used my unpatched Windows version to
propagate itself.
But, to be frank, at this point, trying to delete all these Trojans with ToolbarCop, or trying to
hunt for them through the registry, becomes an impossibility. They work together, staying resident
in memory, so once you delete one you can count to five and back it is.
So to fight them you need a good anti-virus which knows how to handle Trojans as well.
As some of you might know there are some online anti-viruses available on the web. Here is a list
of a few of them:
housecall.trendmicro.com/housecall/start_corp.asp
www.pandasoftware.com/activescan/com/activescan_principal.htm
Today, almost every major anti-virus provider has one. These online anti-viruses work only with
Microsoft's Internet Explorer by downloading an ActiveX control to your computer, which is
essentially a program like any other which uses IE as its interface.
However, when it comes to Trojans, my experience shows that these online anti-viruses cannot clean
them. The next screenshot shows such a failure. The cause is probably a limitation of ActiveX
technology.
There are also free anti-viruses and Trojan busters available for download on the web. I
recommend starting by installing a good anti-virus. My personal favorite is AntiVir Guard from
H+BEDV Datentechnik, a German company. It is most suitable for treating a system which is already
infected because it is about 5MB in size and downloads with the latest signatures. Other anti-viruses
rely on connecting to the web right after installation. Some viruses and Trojans recognize this
and prevent this update from happening. AntiVir Guard is also pretty good at handling Trojans
and is updated daily.
You can download the freeware version of AntiVir Guard here:
www.avup.de/personal/en/avwinsfx.exe
To make sure AntiVir deleted all harmful components from your computer you should run its main
program and choose Options -> Configuration. The screenshots in the article show my recommended
configuration.
You might have to run the program's scan a few times and perform a few restarts before the system
is clean.
You can find other free antivirus programs on the Nonags web site:
www.nonags.com/nonags/antivirus.html
Sometimes you need to use a combination of anti-viruses to really disinfect a system. To
complement your antivirus you can install the freeware Lavasoft Ad-aware SE, which specifically
scans for Trojans, adware, backdoors and dialers. If you don't recognize all these terms, don't
worry. They are all basically words for a piece of harmful software that needs to be erased from
your computer.
www.lavasoftusa.com/support/download/
Another free Trojan remover is Spybot downloadable through this link:
www.safer-networking.org/en/mirrors/index.html
As with the anti-virus, you might have to run these utilities a few times and do a couple of
reboots.
If you're having problems connecting to websites, your hosts file might have been altered. This
file tells your machine where to find websites, and its entries take precedence over your ISP's
or internal DNS server, so a hijacker can use it to block or redirect sites.
On Windows NT/2000/XP/2003 machines this file is located in the <Windows installation
directory>\system32\drivers\etc directory.
To fix it, simply delete all of its contents and leave it with the following default:
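An added example, not from the original article: a small Python audit of a hosts file that parses it the way Windows does (one address followed by one or more names, with # comments) and flags every mapping other than the loopback-to-localhost default, since anything else is the kind of entry a hijacker adds. The sample file content is constructed and the hostnames in it are illustrative.

```python
import ipaddress

# Constructed sample hosts file, not taken from the article. The first entry is
# the normal default; the other two imitate what a hijacker adds (hostnames are
# illustrative).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.antivirus-vendor.test   # makes the update site unreachable
198.51.100.23   www.online-bank.test           # sends the site elsewhere
"""

# The minimal content the article says to leave behind after clearing the file.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

def parse_hosts(text):
    """Return (address, hostname) pairs; blank lines and '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries

def suspicious_entries(text):
    """Flag every mapping except loopback -> localhost.

    Two patterns matter: a real site pointed at loopback (so updates or
    downloads silently fail) and a site pointed at some other address.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue
        reason = ("points to loopback (site made unreachable)" if addr.is_loopback
                  else "redirected to a non-local address")
        flagged.append((ip, name, reason))
    return flagged
```

If the audit flags anything, overwrite the file with DEFAULT_HOSTS (the article's "delete everything and leave the default" step) and re-test connectivity.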
Installing the latest service pack and updating through windowsupdate.microsoft.com might
help prevent re-infections during the removal process.
If you find that Windows Update has been disabled by one of the Trojans or viruses, you can
download Windows XP SP2 here:
www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en
Another tool that can help you during an infection, and can definitely be used as a preventive
tool, is IE-SPYAD, which adds websites known to distribute malware to your registry and blocks
them at the IE level. Download it here:
netfiles.uiuc.edu/ehowes/www/resource.htm
Network wide infections
Fixing a single computer might take a lot of time, depending on the level and the type of
infection. Treating a lot of computers on a network can be quite costly seeing that the free
tools do not scan an entire network.
You could implement a network-wide deployment of a professional tool such as WebRoot Spysweeper
Enterprise and deploy the latest service packs and patches using Microsoft Windows Update Server.
However, such a method might prove quite taxing on your hardware. I believe that an anti-virus
should also filter out Trojans, dialers, backdoors, adware, and all other risks. A few good
professional packages out there do this quite nicely and are worth the money for the upgrade. You
should check whether your anti-virus package can deal with more than just viruses.
My favorite strategy for protecting a network is stopping malware at the perimeter level and
implementing a complementary OS and antivirus update mechanism at the client level.
If you're implementing a brand new network you might consider solutions from Fortinet. They have
a hardware-based firewall which can handle all types of malware and Internet attacks, and also
implement a combined VPN/antivirus client at the workstation level. This keeps things nice and
easy for the network and security administrators. This type of solution eliminates the need to
worry about whether your antivirus is fighting your anti-Trojan package or your VPN solution,
whether all of them are updated properly, and how much memory they are taking from your computers.
Conclusion
Removing malware from a computer is much trickier than protecting it properly, which should
preferably be done at the network level if possible.
With the right combination of tools you can find and repair a single virus or Trojan. For
treating a computer infected with a combination of different Trojans, backdoors and viruses you
need to use a combination of anti-malware utilities, some of which are free for use on home
computers, but you've got to have patience. Windows infections have lots of variations, and sometimes
even a solid anti-virus program will not be able to deal with a heavily infected computer by itself,
without some help and a lot of restarting.