Archive for June, 2010

Although this might seem like a silly question, “How to prevent a virus?”, some people really have no clue how and why we should protect against malware and other technological parasites.

Why Protect?

Let us assume “malware” is an all-inclusive term that includes, but is not limited to, worms, viruses, grayware, riskware, scareware, and trojans. Why on Earth would we protect our computers from these little bits of code that could possibly have no adverse effect on our systems? Well, you always must think to yourself, “what if?”

What if you did visit a website or opened an email attachment and you did get malware from this malicious website or email attachment. What if this malware took over your computer and copied itself into hundreds of directories and was secretly logging every keystroke you made on your computer. This malware could potentially have banking usernames and passwords, credit card information, or other personal information that is sent over the internet.

What if malware took over your computer and began deleting critical system files and folders? It would be annoying to have to reinstall your operating system because malware hijacked your computer. But this doesn’t happen with ever infection; we need to weigh the pros and cons of both sides.

As wonderful as these arguments are, it is still better to have anti-virus than to not have it. When surfing the world wide web, you never know what your system might catch. Even if you visit a website that you know is malware-free, it still could give you malware. Malicious code writes are always coming up with better ways to infect systems and steal information or cause a nuisance.

What Programs to Use

It is a well know fact that there are a billion different anti-viral, anti-adware,and anti-malware programs. Not to mention email filters, spam filters, and popup blockers.

This begs the question, “What program should I use?” In my opinion, the best option is always the free option. This will save you money and will suffice in most cases. Great free programs are the following:

• AVG Free
• Avast Free
• Threat Fire Free
• Avira Free

There are other paid options, however. According to CNET ( a widely respected and well known technology-based website), the top paid anti-viral programs were the following:

http://us.trendmicro.com/us/home/

To see the full list the CNET’s reviews, check out this link for the full list.

Personally, my favorite antivirus is free and it worked wonderfully. Download Microsoft Security Essentials for free and be protected from viruses and other malware. This software works very well and AomicPages strongly recommends this program.

Whether you wish to prevent having a virus or malware or if you suspect your system to be infected, here we will be going over some tools and utilities that can be used to prevent malware or to clean your system.

Disclaimer: This is merely for instructional purposes. I am not responsible for any mishaps that may overcome you and your system while executing some of the techniques covered in this tutorial.

Symptoms

Is your system showing signs of an infection? You should ask yourself these questions if you are unsure:

• Do programs take longer to load?
• Do popups plague me when surfing the web?
• Does it seem like the hard drive is doing an awful lot for a simple task?
• Do programs that once worked give strange error messages?
• Is there less memory available than before?
• Is there less space on the hard drive available than before?
• Do files often become corrupted?
• Does Windows hang before going to the desktop?
• Can I access task manager? 1
• Are there strange process running?
• Can I access Run? 1
• Has my internet browser home page changed?
• Am I able to access other windows utilities? 1
• Can I visit anti-virus websites like www.mcafee.com or www.kaspersky.com? 1
• Can I access System Restore? 1

If some of these questions is “yes” then the chances your system is infected with a virus is high. (See below)

1 If you answered “no” to these questions the chances your system is infected with a virus is high.

Note: not all of these questions will mean that your system is infected. It may be an insufficient memory problem, other non-viral software problem, or hardware conflict.

Tools

If you answered “no” to the following questions:

• Can I not access task manager?
• Can I not access Run?
• Can I access System Restore?
• Can I visit anti-virus websites like www.mcafee.com or www.kaspersky.com?

Then you more than likely have an infected system and should be taken off a network immediately. If you cannot access task manager and you suspect there is a malicious process running that needs to be terminated, there are a few options.

First, the malware needs to be found. This can often be tricky if the malware or virus is one that is hidden in the system32 folder or in hidden folders within Windows.

If you are using Windows Vista or Windows 7, open task manager first and look for any malicious processes (see first solution below).

Go to Control Panel > Appearance and Personalization > Folder Options > Click on the view tab and select view hidden files, folders, and drives.

Task Manager

If you have access to task manager then this is the solution to see if you have any malicious processes. If you do not have access, see more solutions below.

Open task manager by pressing CTRL+SHIFT+ESC or CTRL+ALT+DELETE to bring up task manager. Click on the processes tab to view the running processes. Look for any processes that seem malicious by checking the amount of CPU and RAM the processes are using. Malicious processes are not named very intuitively. They generally contain random numbers and letters or there are several instances of the same process running.

This images show several instances of the same process running. This is an easy example that shows poorly names processes and the redundancy of the process. Observe the amount of RAM and CPU usage each instance uses.

If you are using Windows Vista or Windows 7, right click on the process and select Open File Location and then process to end any malicious processes. If you are using Windows XP then the malicious or infect file will need to be found manually which be covered later on.

To end a process, simply click on the process you wish to end and click on end process or you may right click and select end process.

DOS

If you have access to run/command prompt, but not task manager, this is the option for you. If you do not
have access to run/command prompt, see more solutions below.

Note: If you are using Windows Vista or Windows 7, launch DOS in administrative mode by right clicking on command prompt and selecting “Run as Administrator”, respond to the UAC box.

Killing and process in dos does not require any special knowledge of DOS but it does require two main commands: tasklist and taskkill.

Tasklist shows us all services and console processes that are running on the system. We are particularly interested in the console processes. Our command in the command prompt would look like the following:

We don’t need any special switches for this DOS command. Remember that we’re looking for console [processes]. Look for console processes that have random number and/or letters. If there are multiple instances of such a process then it might be malicious.

In this instance, the process called 16af79bhdf.exe is likely to be a malicious process. Let us assume that this malicious code is blocking our access to task manager. We cannot find the source of the process from DOS we can, however, kill the process and the search for it manually. There are a few things we should do first:

1. Write down the process name 16af79bhdf.exe
2. Document how much RAM the process is using
3. Document the PID of the Process
4. Go to your favorite search engine and search for the process in question. Look on websites to see if this process is malicious.

Assuming that the process is indeed malicious, we will not kill the task!

Note: taskkill is a very powerful command and will terminate core system processes without any hesitation. Be sure you have the image name or PID entirely correct before you terminate a process.

In addition to stopping a difficult process, if you regularly use task manager to stop a process that is freezing your system, you may use the taskkill command as an alternative.

For the example provided above, since there are multiple instances of the malicious program and we’re assuming that they all need to be terminated, we will use the image name switch: /im. We also want to be sure the process will actually end and we will not get a error message, use the /f for forceful termination of the process.

This lick of DOS code will kill the task (process) with the image name of 16af79bhdf.exe in a foruceful manner. If there are multiple instances of a single process and you happen to know which processes are malicious, there is an alternative to ending individual processes.

This will allow us to select each individual process we wish to end via the Process Identifier (ID). We must use the switch, /pid at every single instance that we wish to kill.

Windows Powershell

If you do not have access to Run or DOS, there is an alternative method that we can use: Windows Powershell. Windows Powershell is a task-based command-line shell and scripting infrastructure designed for system administration. IT Professionals might use Windows Powerhshell to accomplish everday tasks.

The beauty of Powershell is that it will also take some DOS commands and execute them exactly as DOS would. If malicious software blocks access to task manager, run, and command prompt, but not Powershell, we can view running processes and kill any malicious processes within Powershell like we could with DOS.

The environment is slightly different and a little bit more colorful. We can enjoy a medium blue background with the same raster-based text of DOS. To view the running processes we can use tasklist and to terminate malicious processes we can use taskkill.

Remember, there are things to ask yourself before you killing processes:

1. Write down the process name 16af79budf.exe
2. Document how much RAM the process is using
3. Document the PID of the Process
4. Go to your favorite search engine and search for the process in question. Look on websites to see if this process is malicious.

If you find that a process might be malicious, proceed with further instructions to kill the process.

This lick of DOS code will kill the task (process) with the image name of 16af79budf.exe in a foruceful manner. If there are multiple instances of a single process and you happen to know which processes are malicious, there is an alternative to ending individual processes.

This will allow us to select each individual process we wish to end via the Process Identifier (ID). We must use the switch, /pid at every single instance that we wish to kill.

Process Hacker

If you have no access to task manager, Run, DOS, or Windows Powershell, there still is hope out there! There are programs that exist like task manager that can run completely locally. This means that no install is required in order for the program to run and it can be stored on a USB Drive, SD Card, or other hot-swappable portable devices. Be sure to visit http://processhacker.sourceforge.net/ to download the program.

If you wish for it to run locally, download the binary zip file and save to desktop or other convenient location. If you wish to install the program then click on the download button.

If you’re running the program locally, create a new folder called process hacker and put the .zip file inside the folder. Once the .zip file is inside the folder, extract to the same location in which the zip file is located.

There will be 10 files one of which will be called ProcessHacker.exe. Double click on ProcessHacker.exe and the program will launch. Since it’s running locally, give it a moment to fully propagate all of the processes that are running on your system. When it’s complete it will look like the following:

Process Explorer

Process Explorer is an alternative to Process Hacker if you do not have access to task manager, run, DOS, or powershell. Both Process Explorer and Process Hacker have the ability to run locally, however; Process Explorer will only run locally and has no installation .exe available.

Final Thought

Whether you’re preventing an infection or dealing with one, keeping Process Hacker and/or Process Explorer is always something to keep handy. This will help you extinguish malicious software very quickly after your system is infected and you are denied access to task manager. Having a Graphical User Interface (GUI) makes life a lot easier and is definitely more appealing than straight DOS.

Things to consider:

• If you don’t already, get some anti-virus software like kaspersky, bitdefender, notron, mcafee, etc.
• Consider investing in anti-malware software like malwarebytes
• Do not visit shady websites and always have your firewall on
• Use a popup blocker
• Filter your webmail with a spam filter
• Backup your data regularly
• Enable Parental Controls on a wireless router or by using third-party software such as Net Nanny or Cyber Patrol to prevent children from accidentally infecting a computer with malware.

Is your computer running awfully slow and is sluggish? Does a mysterious program keep popping up on your desktop every 10 seconds? Do you get a lot of popups while browsing the web, random error messages, or the Blue Screen of Death (BSOD)?

If so, then I’ve got some bad news for you. There is a probable chance that your system is infected. In order to understand the infection, we need to be able to identify the characteristics of infections. There are many types of infections and they all have different characteristics.

• Malware
• Trojan
• Virus
• Grayware
• Spyware
• Worm

Malware

Malware is a broad term meaning malicious software including, but not limited to, trojans, worms, viruses, logic bombs, and spyware.

Malware isn’t simply poorly coded software that causes memory leaks and other issues with Operating Systems; this software is created solely with the intent of collecting information, annoying the user, and causing mild to severe harm to a user’s Operating System and sometimes hardware.

Since we’ve gone over the broad umbrella of Malware, let us delve into the specifics.

Spyware

Spyware does exactly as its name implies. Spyware is used to collect bits of information about a user when the computer is being used. This is done without the users knowledge and is done in the background without the users knowledge.

Spyware is known the change computer settings, install programs, changing internet settings, change internet homepages, slow connection speeds, and other types of things that can invade a users privacy.

Spyware can lead to identity theft, credit card fraud, stealing of banking information, and password that gain access into encrypted content. A popular spyware program is called a keylogger which literally logs every keystroke to a remote location via browser exploitation and the internet.

Yet another form of spyware is called scareware which is design specifically to get a user to buy a product. This type of spyware will often have messages claiming a users computer to be infected and in order to remove said infections a full version will need to be purchased. This can lead to credit card fraud since they usually require payment by credit card.

Traits

Spyware has specific traits to it, however. This will allow you to identify a spyware infected computer.

• Slow system performance
• Significant decrease in connection speed
• Random programs being installed without your knowledge or consent
• Background has changed and will not change back
• Popups claiming that your web browser is out of date or system is infected
• Not able to uninstall programs

These are some symptoms of Spyware; How to prevent spyware will be covered later on in the article.

---




Trojan Horse

Named after the Trojan Horse in which Greek solders housed themselves in for a surprise attack in Troy. This Trojan Horse was intended to deceive the Troy solders, making them think it was a gift of peace rather than a surprise attack.

A computer infection called a Trojan or Trojan Horse is no different. These trojans have hidden agendas and hidden functionality.

A trojans sole purpose is to acquire information about a users, initiate distributed denial of service attacks on web server, data theft, deleting files, installing unsolicited programs, etc.

Sometimes trojans can be relatively harmless and other times they can infect the master boot record (mbr) or partition tables which will cause a critical failure of a users operating system. This will crash the computer and essentially render the computer unusable unless the OS is reinstalled.

Especially dangerous Trojans will allow a hacker to physically hijack a users computer. Depending on the complexity and severity of the trojan, the hacker can disable the keyboard, mouse, monitor, change the desktop background, access the administrator command prompt, access the registry, and delete critical OS files.

---

Traits

The traits of a torjan are similar to spyware since a trojan is basically a form of spyware. They do, however, differ from spyware.

• Desktop has changed and cannot be changed back
• Mouse pointer moves itself
• Mouse pointer disappears
• Cannot access run or task manager
• Windows start bar/button goes missing
• Computer shuts down and starts up by itself
• Documents and files are printed by themselves

---




Worms

Worms are unlike a Torjan Horse or Spyware. Worms are self-replicating programs that uses a network to send copies of itself to other computers. Worms are specifically target computers with unencrypted internet access, weak network passwords, weak computer passwords, and computers with out-dated antivirus software.

Perhaps one of the worst worms ever in the history of technology is the ILOVEYOU worm which arrived in email boxed in early May of 2004. This internet worm contained the text, “ILOVEYOU” as the subject line and the content of the email. There was also an attachment called “LOVE-LETTER-FOR-YOU.TXT.vbs”. This visual basic extension was hidden from unsuspecting users to see and tricked users into thinking it was a mere text file with more lovely words. However wonderful as it was, upon opening the .txt file the worm automatically sent a copy of the email to everyone in the users windows address book with the users email address. The worm also made malicious changes to the Windows Operating System and replicated itself throughout the registry. The worm estimated $5.5 billion damage and infected 50 million systems.

Bad worms can infect a computer and render it basically unusable. Worms can literally hijack a users computer and use the system as a zombie computer where it send copies of the worms to anyone and everyone.

---

Traits

• Slow internet connection
• Dramatic loss of hard drive space
• Denial of Service attacks
• Web Server being brought down

Worms are somewhat tricky to detect since they depend heavily on a network connection to work. The majority of the worms out there don’t contain payloads or additional code to seriously harm a system. They’re mainly implemented to see how many systems can be infected, to bring down a website, or to cause a nuisance.

---




Grayware

Grayware is a different form of malware and is solely intended to make a user bang their head against their monitor. They also harm a system but it’s done in a highly obnoxious fashion. Popups, banner ads on websites, remote access tools, dialers, and irksome jokes are embedded in grayware.

Grayware can cause serious security holes in a system and it can also introduce more severe infections like spyware, viruses, and logic bombs.

---

Traits

• Annoying popups on your desktop
• Cannot access task manager
• Cannot access Run
• Cannot System Restore
• Cannot visit certain websites like mcafee.com or kaspersky.com

---




Virus

Viruses are in their own category at times. Some consider a virus to not be a form of malware and some do.

A virus will attach itself to a program of file and will begin to copy itself. These file transfers will cause the virus to spread as it is passed through one computer to the next. Viruses might change data, corrupt data, or degrade the performance of a users system by taking up memory and disk space.

Viruses have for main categories, they are the following:

• Boot Sector Virus
• Master Boot Record (MBR) Virus
• File Infecter Virus
• Macro Viruses

Boot Sector Virus

A boot sector virus infects the boot records on a hard drives and also floppy disks. Once the users boots the computer the virus will be saved in the boot record and infect other types of media as data is written to them.

MBR Virus

MBR viruses infect the Master Boot Record of a hard disk which is the first of a hard drive. The MBR contains the partition table, bootstrapping files to load the OS after the POST has run, and a unique digital signature to identify the disk media.

The virus will fester on the mbr upon successful boot and will infect other files and may even corrupt a users partition table and critical system files that load the OS.

File Infecter Virus

A file infecter virus will infect files that contain .exe and .com files. Sometimes these viruses will remain in the memory and infect other files and applications. This type of virus will only infect files as they are executed.

Macro Virus

Macro viruses will infect certain data files and most notably, Microsoft Office Files such as, Word documents, Excel spreadsheets, Power Point presentations, and Access databases.

A macro virus may also share the traits of a worm and spread themselves across a network.

---

Traits

• Slows system performance
• Dramatically slows web browser
• Sluggish internet connection
• Random error messages
• Blue Screen of Death (BSOD)
• Not able to access run
• Not able to access task manager
• Processes running with random characters and/or numbers
• No access to System Restore
• Blocked access to certain or all applications
• Unable to access anti-virus websites e.g. mcafee.com or kaspersky.com