Surviving a Virus, Worm or Trojan Horse Infection - PowerPoint PPT Presentation

Description: Playing catch-up creates windows of opportunity. New ideas ... Run SpyBot S&D or AdAware weekly. Do a separate Trojan scan weekly. Good AV practices, contin. ...

Slides: 25
Provided by: nancyco8

Transcript and Presenter's Notes

1
Surviving a Virus, Worm or Trojan Horse Infection
  • The layered approach to security

2
Present Approach Is Not Working
  • Playing catch-up creates windows of opportunity
  • New ideas such as Process Guard by DiamondCS
  • Registry Monitors
  • New approaches to OS Updates

3
1. Pre-Infection strategies
2. Is it or isn't it a virus?
3. Cleaning up
4
Good Anti-virus practices
  • Use a firewall such as Zone Alarm
  • Keep OS security patches up to date; get the free
    Microsoft CD
  • Update anti-virus definitions daily
  • Do weekly full system scans
  • Run SpyBot S&D or AdAware weekly
  • Do a separate Trojan scan weekly

5
Good AV practices, contin.
  • Don't open attachments or strange-looking
    messages
  • Don't use the preview pane
  • Delete messages from strangers
  • Avoid Internet file sharing!! (ICQ, Kazaa,
    eDonkey, newsgroups)
  • Don't send a friend a message to see if you have
    a virus

6
Good AV practices, contin.
  • View and send messages in TEXT mode only
  • Peek inside unsolicited messages
  • Use a spam-filter
  • Don't fall for scam messages
  • Avoid URLs of questionable repute

7
Good AV practices, contin.
  • Teach children about security
  • Supervise Internet access or scan your computer
    afterwards
  • Physically unplug or turn off your modem
  • Use care when typing in URLs!!
  • Avoid using My Documents as your data store
  • Be cautious about enabling file sharing online

8
Partitioning
  • C:\ Windows
  • D:\ Programs
  • E:\ Data worth backing up
  • F:\ Clutter
  • FAT32 vs. NTFS
9
Imaging and Cloning
  • Acronis True Image 7: $44-49
  • Norton Ghost 2003: $40-70
  • Freeware imager
  • Save your images to cds, across a network to
    another computer, or to a removable USB hard drive

10
Backing Up
  • Get to know where everything is stored (mail,
    favorites, financial data)
  • Partition to keep data organized and separate
  • Full and incremental
  • Back up regularly to more than one place!!
  • Save your old backups
  • Low tech sticky notes as reminders

11
Utilize Task Manager info
  • Msinfo32.exe
  • Use Google as a resource
  • Keep a list of all the processes that appear
  • Process Explorer free from www.sysinternals.com

12
Utility toolbox
  • Trojan Scanner
  • Process Explorer (sysinternals.com)
  • Port enumerator: netstat -ano, TCPView, Port
    Explorer
  • Registry tools such as ERUNT (back up and
    recover the registry) and Registry Medic
  • AVDISK helps you put AV software on DOS disks
  • NTFSDOS / ERD Commander!
  • A Guide to 2000/XP Recovery Console

13
Have a Game Plan
  • Internet sites with virus info & fixes
  • Online virus and Trojan scanners
  • Access to Google
  • A second computer
  • List of ports and associated services

14
Symptoms
  • AV program is disabled for no reason and it
    cannot be restarted
  • AV program cannot be installed on the computer or
    it will not run or update
  • Strange dialog boxes or message boxes appear
    onscreen
  • E-mail complaints from acquaintances
  • New icons appear on the desktop
  • Strange sounds or music plays
  • A program disappears from your computer

15
  • Sudden degradation in system performance; it
    locks up
  • Windows will not start at all
  • There is a lot of modem activity
  • Critical system files are missing
  • Computer stops responding before the desktop
    icons and taskbar appear
  • Your computer runs very slowly
  • Start-up takes an unusually long time
  • Out-of-memory error messages

16
  • New programs do not install correctly
  • Windows spontaneously restarts
  • Programs stop responding frequently
  • Scandisk reports multiple serious disk errors
  • A partition completely disappears
  • Your computer always stops responding when you
    try to use Microsoft Office products
  • You cannot start Task Manager
  • Strange process running in Task Mgr.

17
  • Or no symptoms at all

18
Identify the virus
  • Full System scan from safe mode
  • Use on-line scanning tools
  • F-Prot makes a free DOS scanner
  • Examine Task Manager
  • Look at port usage
  • Query Google with symptoms and the word "virus"
  • Search for files added or changed on a certain
    date
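The process list (slide 11), the list of ports and associated services (slide 13) and the port-usage check above all come down to knowing what a clean machine looks like before it is infected. This is an added PowerShell example, not code from the presentation; it wraps the netstat -ano command the slides cite, and assumes Windows PowerShell 5.1 or later, an English-locale netstat.exe, and a CSV file name of your choosing:

```powershell
# Added example, not part of the presentation: take a baseline of listening ports
# and their owning processes on a known-clean machine, then diff a later snapshot
# against it. Assumes Windows PowerShell 5.1+ and an English-locale netstat.exe
# (the state column "LISTENING" is localized on non-English Windows).

function Get-ListeningPorts {
    # Parse "netstat -ano" (the command the slides cite) so the PID column can be
    # mapped to a process name and image path via Get-Process.
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = ($_ -split '\s+') | Where-Object { $_ }        # drop empty leading field
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { return }   # TCP: listeners only
        $owner = [int]$f[-1]                                # PID is always the last column
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $name  = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
        $path  = if ($proc) { $proc.Path } else { $null }   # null for protected processes
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Pid = $owner; Name = $name; Path = $path }
    }
}

function Save-PortBaseline([string]$Path) {
    # Run this once on a machine you believe is clean; keep a copy of the CSV off the machine.
    Get-ListeningPorts | Sort-Object Proto, Local | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-PortBaseline([string]$Path) {
    # Returns only listeners that were NOT in the baseline: a new port, or a known port
    # now owned by a different process name, is exactly what a Trojan/back door adds.
    $baseline = @(Import-Csv -Path $Path)
    $current  = Get-ListeningPorts
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Proto, Local, Name |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Proto, Local, Name
}

# Usage (hypothetical file name):
#   Save-PortBaseline "$env:USERPROFILE\ports-baseline.csv"     # on the clean machine
#   Compare-PortBaseline "$env:USERPROFILE\ports-baseline.csv"  # when you suspect infection
```

Anything Compare-PortBaseline returns is a starting point for the Google and Sysinternals checks the slides describe, not proof of infection by itself.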

19
Cleaning up
  • Physically disconnect from network at first
    suspicion of a virus
  • Disconnect modem to keep a worm from spreading or
    worse
  • Try to locate a fix
  • Read the instructions carefully before applying
    the fix
  • Look for manual removal instructions
  • Rename rather than delete
  • Backup your registry before editing it

20
Trojans/back doors
  • Trojans, once identified, can be deleted. Use an
    automated scanner/deletion tool first.
  • Manual aids in identification:
  • Port Explorer: $30, free trial
  • Task List or msinfo32.exe
  • netstat -ano from the cmd prompt
  • TCPView, free from Sysinternals
  • They often make registry or startup file changes
    so that they are executed on boot-up. Warning:
    YOU CAN TRASH YOUR SYSTEM making changes in the
    registry.
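Because editing the registry by hand is where people trash their systems, a read-only listing of the auto-start locations a Trojan usually writes to is a safer first step. This is an added PowerShell example, not code from the presentation; it assumes Windows PowerShell 5.1 or later, covers only the Run/RunOnce keys and the Startup folders (a common subset, not every auto-start location), and changes nothing:

```powershell
# Added example, not part of the presentation: read-only listing of the Run/RunOnce
# keys and Startup folders, flagging entries whose executable is missing or lives
# outside Program Files / Windows. Nothing is modified; review flagged rows by hand.
# Assumes Windows PowerShell 5.1+. The key list is a common subset, not exhaustive.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSChildName, etc.
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ExecutablePath([string]$Command) {
    # A quoted path is taken whole; otherwise the first token. An unquoted path with
    # spaces therefore comes out truncated and is flagged "not found", which is the
    # safe direction for a triage listing.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-AutorunEntries {
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    foreach ($e in Get-AutorunEntries) {
        $exe  = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $e.Command))
        $flag = ''
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flag = 'executable not found' }
        elseif (-not ($trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $flag = 'outside Program Files / Windows'
        }
        [pscustomobject]@{ Flag = $flag; Name = $e.Name; Command = $e.Command; Source = $e.Source }
    }
}

Test-AutorunEntries | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows are candidates to research (Google, Sysinternals, your AV vendor), and a flag is not by itself a reason to delete anything; legitimate software installed under a user profile will show up here too.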

21
Trojans, contin.
  • If the Trojan cannot be removed because the files
    are held open by the operating system (Win9x/Me):
  • Reboot the computer from a clean startup or
    system disk
  • Delete the Trojan files manually or using the DOS
    instructions (FAT32)

22
2000/XP
  • See Sophos emergency Trojan removal instructions
  • Download latest definitions to floppy
  • Restart in Safe Mode/command prompt option
  • Run SAV32CLI from Sophos as per
    http://www.sophos.com/support/dis-infection/trojan.html

23
NTFS strategies when there is no fix
  • Use the 2000/XP recovery console to remove and/or
    replace infected files
  • NTFSDOS or ERD Commander!!
  • Install infected drive as a slave in a clean
    system to remove/replace files
  • Create a Linux based rescue disk set that
    can/will mount NTFS volumes

24
Last Resort
  • When all else fails
  • Reformat
  • Reinstall
  • and/or
  • Restore