Virus Hunting
I recently spent several hours ridding a computer of a virus which had managed to avoid virus scanners. The experience was interesting and quite exhilarating. I am sharing my learnings with the hope that you might find it worth your while and might have some of your own to share. If you find it useful, let me know :-).
The Infected
It was a Windows computer (of course ;-)), the Windows 98 kind and it belonged to someone who had a lot of confidential data - financial and otherwise - on his computer. I suspect he accessed a site which ran some malicious code which downloaded the virus and installed it. AVG was the installed virus scanner, and believe me although its a good piece of software and manages to prevent most viruses, it failed in this case. His machine began freezing up and he could no longer access Yahoo! or Google or other sites.The Hunt
Hosts
check the hosts file, you say? and you would be right.It had several entries covering all the popular search engines, mail sites, and other popular web-sites. Interestingly, this virus made a backup of the original hosts file and called hosts.sam in the same directory [talk about being nice]. Well, that explained why he was complaining about not being able to connect to Yahoo!.
Trying to overwrite, modify or do anything to the hosts file resulted in it being rewritten almost instantly. Until then, I had no idea how frustrating it can be to not have access to any of the web's search engines. Does anyone know how to make Windows not use the hosts file?
Ok, so obviously there is a malicious program resident in memory that is monitoring changes to this file. So the next step is to prevent this program from executing.
Cleaning up the registry
Perhaps the most common mechanism to hijack a Windows machine is to install the virus in one of the Run registry keys. So the next step was to remove everything unrecognizable from the following keys -
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Relapse
Back to the story :-). There was a suspicious entry for Explorer.exe and when that was removed, the hosts file could be restored. Internet access was available again. So, gullible me, restored the registry to its older setup minus the malicious Explorer entry. Everything seemed ok for a while and then again the legitimate explorer started to freeze and took the OS with it.
File Times
I have had considerable success with locating malicious programs by doing a search for all files that were modified/created recently in the WINNT directory. A careful analysis of this output seemed to indicate various programs created on the day of the attack and all of the same size. All the programs had very legitimate sounding names like dialer32.exe, system32.dll, wintime.exe, etc. There were about 5 such files that I could locate with the same size and creation date. Comparing with another computer that he had which ran the same OS, these files were not part of the Windows installation. Another way of finding out if a program is legitimate is to simply type its name in Google. You will have links to sites that list all well-known programs or suspected viruses and will be able to provide detailed information on your queried file.
After I deleted all these files, the computer was restored to its original healthy state. I hadn't expected multiple entries in the registry. However, I do suspect that there were perhaps two different viruses because this one didn't seem to touch the hosts file.
Psychological Stuff
I recently had to clean my own computer of a nasty little virus that kept trying to download itself and execute although AVG wouldn't let it. For me, since I am just a lowly programmer with nothing of any value other than code on my computer, it was nothing more than an irritant. However, for someone who uses his computer for his business and stores all his personal data, financial statements it was such a gross violation of his personal space - it was as if, his house had been broken into.
No comments:
Post a Comment