I Think I Have A Virus

I Think I Have A Virus: Now What?

Posted: 11 Jun 2007 04:22 PM CDT

Everyone knows that viruses can cause an awful lot of damage to your system. Sure, there are some viruses out there that will cause silly pop-ups to show on your screen and nothing else, but there are many more out there that just want to cause serious harm to your system and others.

Because of this, we put a lot of effort into keeping viruses off our systems. We install antivirus programs. We keep virus signatures up to date. We perform regular scans of systems in case something may have snuck in. We monitor files, e-mails, systems in realtime to try and prevent viruses before they hit our systems. We create policy to prevent people from bringing in CDs, DVDs, USB drives that may be infected. We install systems to monitor for suspicious activity that could indicate a zero-day attack. We lock down systems so that applications can not run as administrator. We prohibit users from installing applications. We disable the ability for remote users to access non-authorized networks.

And yet, we still get viruses.

But what do you do when you suddenly realize that the unimaginable has happened? What do you do when a virus hits?

I have put together a few steps that I typically follow whenever the unthinkable happens that may be of benefit to you.

Disconnect from the Network and/or Internet

This is the very first thing that you need to do! And I don’t mean going and disabling the network card. I mean physically go and pull the network cable from the network card or the phone cable from the modem. This is one of the few ways of guaranteeing that there is no connection between the virus and the rest of the network.

Why is this so important? There are several reasons:

  1. It stops the virus from propagating. If there is no connection, the virus cannot replicate itself to other systems on the Internet or on your network.
  2. Prevents data from leaving the system. Many trojans are designed to transmit user information and files to other systems. If the trojan can’t connect to these other systems, then your data can’t leave your system.
  3. Prevents access to your system through back doors. Other trojans create a connection between your system and some system on the Internet. The owner of the remote system can then get in to your system and basically work on it as if s/he were on your system locally. This means they can move files, make system changes, or even move the mouse and use the keyboard. By unplugging your system from the network, this breaks this connection.

Perform a Manual Virus Scan

This is your first attempt to determine whether or not your system is truly infected. Do a deep scan of every single file and folder on the system. This may take several hours but it is necessary to determine whether or not your system is infected.

If it does not come up with a virus, then run a second scan with another antivirus program that can be run from read-only media. Many antivirus programs allow you to create a CD that you can run the program on.

Note: It is very important that you only use read-only media on this system until you are certain that it is not infected or that you have eradicated any viruses that are on the system. This means do not use floppy disks, external hard drives, USB flash drives that are not in read-only mode (many flash drives do not provide this option), CD-Rs and DVD-Rs that have sessions that are not finalized, CD-RWs, and DVD±RWs. Any of these portable media are susceptible to being infected by the virus. If you have no choice and need to use one of these media types, once it is put in the system, assume that it is also infected and treat it accordingly.

If you do not come up with a virus after scanning the system with two antivirus packages, this does not mean that your system is virus free, even though it probably is not infected. But, as someone once said, “Just because you are paranoid, it doesn’t mean they aren’t out to get you!” So, be paranoid.

Check for Unusual Startup Applications

A virus needs to be running in order to work. And if the virus does not have a way to start itself up again when the system is rebooted, then it would be a simple matter of rebooting the system and the virus goes away (at least, until someone runs the virus manually). There are typically five ways that a user can run a program automatically:

  1. From the Startup folder. Any application or shortcut to an application that is located in a Startup folder will automatically run that application each time a user logs into the system. There are several of these folders located throughout the system including each user’s profile (including the Default and All Users profiles). There are also some more added in Windows Vista including one in C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
  2. From the Registry. There are several locations in the registry that will allow you to run a program automatically. These programs can be run either when the user logs in or when the computer starts up automatically. Typically, settings under the HKEY_USERS and HKEY_CURRENT_USER run when the user logs in while settings under HKEY_LOCAL_MACHINE run when the system starts up. Some of the registry keys that you need to look at include:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_USERS\<UserGUID>\Software\Microsoft\Windows\CurrentVersion\Run

    Anything that is located under any of these keys will be run when the user logs in. The biggest challenge is that not all of these applications run when every user is logged in. The programs under HKEY_USERS are specific to individual users and may not run for every user.

  3. From a Scheduled Task. A scheduled task has the ability to run applications on start up and on log in of a user. They also have the ability to run a program as a different user or as the system itself. The Scheduled Tasks can be found under the Control Panel.
  4. From a Service. A program installed as a service can launch itself non-interactively when the system starts up. It can also run as the system. To check out the services that are running on your system, look for Services under the Administrative Tools.
  5. From a Startup or Login Script (Local Policy). Every system has a local policy that can launch scripts and programs on start up and log in. To access these settings, run gpedit.msc to open the Group Policy console. The two areas that you will then want to look in are Local Computer Policy\Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup (for programs that run when the computer is started) and Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon (for programs that run when the user logs in).

Some of the things to look for in these areas include:

  1. Applications that you have not installed
  2. Applications with names that look random (e.g. od7f29p5.exe)
  3. Applications running from odd locations (e.g. svchost.exe running from a temporary directory)
  4. Applications running as odd users (e.g. svchost.exe running under your account rather than a system account)

A really great resource to check on the validity of these applications is ProcessLibrary.com. It allows you to do a search for any executable that may be running on your system and tells you whether or not it is a legitimate process. It is not 100% infallible, but it can sure point you in the right direction.
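The following script is an added example, not part of the original post: it walks the five autostart locations listed above (Run keys for every loaded hive, Startup folders, scheduled tasks, services, with the local policy scripts left for gpedit.msc) and flags entries that match the four warning signs. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later, where Get-ScheduledTask and the -in operator exist; the unsigned-binary check is an extra heuristic beyond the post's list.

```powershell
# Added example, not from the original post: enumerate the autostart locations
# listed above and flag entries matching the warning signs. Assumes an elevated
# PowerShell on Windows 8 / Server 2012 or later (Get-ScheduledTask, -in operator).
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$run = 'Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys = @("HKLM:\$run",
             "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\$run") +
           @(Get-ChildItem HKU:\ | ForEach-Object { "HKU:\$($_.PSChildName)\$run" })   # .DEFAULT and every loaded user SID

$entries = @(foreach ($k in $runKeys) {
    $key = Get-Item $k -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) {
        [pscustomobject]@{ Source = 'Registry'; Name = "$k\$n"; Command = $key.GetValue($n); User = '' } } }
})
$entries += @(foreach ($f in 'Startup', 'CommonStartup') {
    Get-ChildItem ([Environment]::GetFolderPath($f)) -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName; User = '' } }
})
$entries += @(Get-ScheduledTask | ForEach-Object { $t = $_; $t.Actions | Where-Object Execute | ForEach-Object {
    [pscustomobject]@{ Source = 'Task'; Name = $t.TaskName; Command = $_.Execute; User = $t.Principal.UserId } } })
$entries += @(Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName; User = $_.StartName } })

$suspicious = foreach ($e in $entries) {
    # Pull the executable out of a command line such as  "C:\dir\app.exe" /arg  or  %SystemRoot%\app.exe -k
    if (-not ($e.Command -match '^\s*"?([^"]+?\.exe)')) { continue }
    $exe  = [Environment]::ExpandEnvironmentVariables($Matches[1])
    $base = [IO.Path]::GetFileNameWithoutExtension($exe).ToLower()
    $why  = @()
    # 2. Random-looking name (e.g. od7f29p5.exe): short, letters and digits mixed. Heuristic only.
    if ($base -match '^[a-z0-9]{6,12}$' -and $base -match '\d' -and $base -match '[a-z]') { $why += 'random-looking name' }
    # 3. Odd location: temp/public directories, or a Windows system binary name outside System32
    if ($exe -match '\\Temp\\|\\Users\\Public\\') { $why += 'runs from a temp/public directory' }
    if (($base -in 'svchost', 'lsass', 'csrss', 'winlogon') -and $exe -notmatch '\\Windows\\System32\\') { $why += 'system name, wrong directory' }
    # 4. Odd user: a system binary launched under a non-system account
    if ($base -eq 'svchost' -and $e.User -and $e.User -notmatch 'SYSTEM|LocalService|NetworkService') { $why += "runs as $($e.User)" }
    # 1. Not something you installed: an unsigned binary deserves a closer look (extra check, not in the post)
    if ((Test-Path -LiteralPath $exe) -and (Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') { $why += 'unsigned' }
    if ($why) { [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Exe = $exe; Why = $why -join '; ' } }
}
$suspicious | Format-Table -AutoSize -Wrap
```

Every hit still needs a human look (ProcessLibrary.com, the vendor's documentation), since legitimate installers also use odd names and temp directories.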

Check for Processes Accessing Remote Computers

In order to replicate, a virus needs to infect other systems. One of the most common ways to do this is by copying itself through network connections. Thus, it is really useful to have the ability to determine what applications are attempting to connect to remote resources.

An excellent freeware application for doing this is CurrPorts. With it, you can easily see what applications are using the network, where they are connecting to, where the application resides, and what port(s) it is using. You also have the option to close any network connections or kill processes that are making the connections.

Some things to look for:

  • Applications that are accessing the network that should not be accessing the network (e.g. notepad)
  • Applications accessing the network using different ports than they should be using (e.g. iexplore on port 5800)
  • Any application listening on port 25 (SMTP)
  • Heavy activity between any application that is attempting to connect to a network resource outside of the local network
  • Network activity that is on a non-standard port
  • Network activity on ports 80 and 443 from non web browser applications

For a good resource on what type of traffic is typically on each port, check out the Port Knowledgebase.
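The script below is an added example, not part of the original post and not related to CurrPorts: it joins the TCP connection table to the process list and flags the six patterns listed above. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection); the browser list, the "no business on the network" list and the 20-connection threshold are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post: list the processes using the
# network and flag the patterns described above. Assumes an elevated PowerShell
# on Windows 8 / Server 2012 or later (Get-NetTCPConnection).
$browsers  = 'iexplore', 'firefox', 'chrome', 'msedge', 'opera'             # assumed list of web browsers
$localNets = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0$|::)'   # RFC 1918, loopback, unspecified
$known     = 21, 22, 25, 53, 80, 110, 135, 139, 143, 389, 443, 445, 993, 995, 3389  # well-known service ports

$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$findings = foreach ($c in Get-NetTCPConnection) {
    $p    = $procs[[int]$c.OwningProcess]
    $name = if ($p) { $p.ProcessName.ToLower() } else { "pid $($c.OwningProcess)" }
    $why  = @()
    # Any application listening on 25/SMTP
    if ($c.State -eq 'Listen' -and $c.LocalPort -eq 25) { $why += 'listening on 25/SMTP' }
    if ($c.State -eq 'Established') {
        # Connections leaving the local network
        if ($c.RemoteAddress -notmatch $localNets) { $why += 'remote host outside the local network' }
        # Web ports used by something that is not a browser
        if (($c.RemotePort -in 80, 443) -and $name -notin $browsers) { $why += "non-browser on port $($c.RemotePort)" }
        # Traffic on a non-standard port
        if ($c.RemotePort -notin $known) { $why += "non-standard port $($c.RemotePort)" }
        # Programs that should never touch the network (assumed list)
        if ($name -in 'notepad', 'calc', 'mspaint', 'wordpad') { $why += 'program has no business on the network' }
    }
    if ($why) {
        [pscustomobject]@{ Process = $name; PID = $c.OwningProcess; Path = $(if ($p) { $p.Path })
                           Local = "$($c.LocalAddress):$($c.LocalPort)"; Remote = "$($c.RemoteAddress):$($c.RemotePort)"
                           State = $c.State; Why = $why -join '; ' }
    }
}
$findings | Sort-Object Process | Format-Table -AutoSize -Wrap

# "Heavy activity": many flagged outbound connections from a single process (threshold assumed)
$findings | Where-Object State -eq 'Established' | Group-Object Process | Where-Object Count -gt 20 |
    ForEach-Object { "Heavy activity: $($_.Name) has $($_.Count) flagged connections" }
# To act on a finding the way CurrPorts' kill option would:  Stop-Process -Id <PID> -Force
```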

Kill and Rename Suspicious Files

If you have determined that there is a file or two that should not be running on your system, your best course of action is to rename the file. The problem occurs when the file is running. A running application (or virus, for that matter) will not let you rename it. So, what do you do?

One of my favorite tools to circumvent this problem is called Unlocker. It gives you the ability to stop (or unlock) files so that you can perform different functions on them. If it can’t unlock the file live, it will allow you to make changes to the file on next reboot before the file is executed.
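The function below is an added example, not part of the original post and not Unlocker's code: it stops every process running from the suspicious file and renames it, and if the file is still locked it queues the rename for the next boot through the same Session Manager mechanism Unlocker uses (PendingFileRenameOperations, which is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes). Rename-SuspiciousFile is a hypothetical name; run it elevated.

```powershell
# Added example, not from the original post: stop a suspicious binary and rename it;
# if it is still locked, queue the rename for the next boot so it happens before the
# file can execute again. Run from an elevated PowerShell.
function Rename-SuspiciousFile {
    param([Parameter(Mandatory)][string]$Path)
    $Path    = (Resolve-Path -LiteralPath $Path).Path
    $newPath = "$Path.quarantined"   # keeps the file for later analysis, but it no longer matches any autostart entry

    # Kill every process whose image is this file (the running copy is what holds the lock)
    Get-Process | Where-Object { $_.Path -and $_.Path -ieq $Path } | Stop-Process -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500

    try {
        Rename-Item -LiteralPath $Path -NewName ([IO.Path]::GetFileName($newPath)) -ErrorAction Stop
        return "Renamed now: $newPath"
    } catch {
        # Still locked (a protected process, a driver, or a watchdog that restarts it):
        # schedule the rename for the next reboot. Entries are source/destination pairs
        # in NT path form (\??\C:\...), stored as a REG_MULTI_SZ value.
        $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pending = @((Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations |
                     Where-Object { $_ })
        $pending += "\??\$Path", "\??\$newPath"
        Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString
        return "Locked; rename queued for next reboot: $newPath"
    }
}

# Usage (path is a placeholder for whatever the earlier checks flagged):
# Rename-SuspiciousFile -Path 'C:\Users\Public\od7f29p5.exe'
```

Reboot after queuing the rename, then confirm the file has moved before reconnecting the machine to the network.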

Recover Deleted Files

If the virus was destructive, it may have started to delete some important files and data. Fortunately, most viruses do not securely wipe your data and some of it may still be available. Use a tool like Restoration to look for and retrieve data that may be still available.

Clean Up System

Even once you have renamed the virus and prevented it from starting, there could still be some remnants that could cause errors. Use your favorite system cleaner to remove orphaned links and registry entries.

Conclusion

It is rare for an IT person to not come across at least one infected system during their career. Being prepared for this eventuality will help you get through this tough time relatively unscathed.



Source: dailycupoftech.com