Spyware, Trojans, worms, and plugins
“Virus” is a misnomer for the larger part of today's malware, as most are actually spyware.
Originally, the name virus was given to parasitic code that replicates itself into host files, without changing the functionality of the host, just adding its own code and functionality.
Worms replicate too, but to other computers. Worms will normally place a single instance of themselves on the affected PC, and try infecting additional PCs. Despite the inaccuracy in terminology, “virus” is now accepted for describing both viruses and worms. In the following, we use “virus” to describe malware in the larger context, and virus or worm when referring to the specific category.
'Spyware', or plugins as they are now known, are a category in themselves. First, they aren't viruses, as they do not replicate. They aren't Trojans either, as they do not pretend to be something other than what they really are: adware (advertising plugins) or spyware. Lastly, they aren't malware in the strict sense of the word. Adware plugins are brought up here because they have a lot in common with worms, especially in the way they hook themselves into the Windows system, and in how to get rid of them.
Although particular malware differ from each other in the details, they share features and methods that help in detecting their presence and in eradicating them.
As with viruses, the purpose of worms is to affect as many computers as possible before they are detected and removed. To accomplish this, malware needs to install itself in a way that ensures it is launched every time Windows is started. This is usually done by inserting the malware's initialization into the Windows startup queue. Possible initialization methods are:
- By adding a key to the registry’s startup queue. The keys most often targeted for this purpose (though not the only ones) are:
- Local machine (or per user) ‘Run’
- Local machine (or per user) ‘RunServices’
- Through a LOAD or RUN directive in WIN.INI, in the [boot] section. This approach is common under Windows 95/98/Me.
- By injecting the worm process into the Explorer.exe shell. Under Windows 95/98/Me, this can be done by modifying the Shell=Explorer.exe entry in SYSTEM.INI. Under NT/W2K and XP, the same is achieved by modifying the content of [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] in the registry.
- By adding a link to the malware code in the Windows startup group / folder
- By redirecting the file association of executable files of the following types: EXE, COM, BAT, SCR, PIF. This type of initialization is especially nasty as it leaves the affected computer in a non-functional state when attempting to clean the malware with conventional AV.
Important note: The addition of an application to the startup queue does not necessarily indicate the presence of malware. Such addition is perfectly normal when intentionally done by you, like after having installed new software, or added a new hardware device.
Worms' propagation: Worms propagate through various channels. Current worms use more than a single propagation mode to attain the widest possible distribution. The following is a list of common propagation channels used by worms. The names in parentheses are worms that use the respective mode:
- Attachment to e-mail (Swen, Klez, Sobig)
- File sharing (Opaserv, Mumu, Litmus)
- Weakly protected administrative shares (applies to NT/W2K/XP only) (Litmus, Mumu)
- OS vulnerabilities, e.g. RPC buffer overrun (Blaster, Welchia)
- Browser / E-mailer vulnerabilities, such as the “incorrect MIME header” (Klez, Swen, Nimda).
- Script embedded in an e-mail message. Typically the script would be concealed in an HTML signature, added to outgoing mail (Kak, Fortnight).
- Installation of an adware plugin through an aggressive ActiveX script (one that doesn't take 'no' for an answer when asking whether to install the plugin) from a web page, typically on porn and warez sites (ISTbar, XXXToolbar, Bargain Buddy).
InVircible usually detects the presence of malware (spyware as well as worms) through any of the following methods (many malware trigger more than one of the listed methods):
- An application was added to the startup queue and is reported by SAM (startup applications monitor)
- Interceptor signals the presence of a blacklisted object. The list of blacklisted objects can be viewed under ‘offensive files list’ in the Interceptor options. The OFL is automatically updated through IV’s ‘smart update’.
- Some malware have intrinsic features that trigger IV's built-in PE infector probe, in which case Interceptor will prevent the malware from installing. Examples are Blaster and its variants, and Sobig-f.
- Worms sometimes use a double extension in their file name. The purpose is to deceive the potential victim and lull him/her into a false sense that the attachment is safe to open, as the first and visible extension suggests that the attachment is plain text or an image file, while in reality the attachment is an executable with an extension that Explorer does not show, such as PIF. Interceptor will detect such an attempt and block it right in its tracks.
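Detection logic for the double-extension trick just described, as an added example in Python (not InVircible's or Interceptor's code). The executable extensions are the ones this page lists; the set of "benign-looking" extensions, the space-padding case and the sample file names are assumptions constructed for the example.

```python
# Extensions Windows will execute; the set is the one the article lists (EXE, COM, BAT, SCR, PIF).
EXECUTABLE_EXTS = {"exe", "com", "bat", "scr", "pif"}
# Extensions a victim reads as "harmless" (assumed set for this example, extend as needed).
BENIGN_LOOKING_EXTS = {"txt", "jpg", "jpeg", "gif", "bmp", "doc", "htm", "html", "mp3"}

def classify_attachment(filename):
    """Return (verdict, visible_ext, real_ext) for an attachment's file name.

    With 'hide extensions for known file types' on, Explorer shows 'photo.jpg.pif' as
    'photo.jpg'; padding the name with spaces ('readme.txt      .scr') pushes the real
    extension out of view in most mail clients. Only the LAST extension decides what runs.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return ("no extension", None, None)
    real_ext = parts[-1].strip()
    if real_ext not in EXECUTABLE_EXTS:
        return ("not executable", None, real_ext)
    if len(parts) == 2:
        return ("plain executable", None, real_ext)
    visible = parts[-2].split()                     # drop any space padding before the real extension
    visible_ext = visible[0] if visible else ""
    if visible_ext in BENIGN_LOOKING_EXTS:
        return ("double extension: disguised executable", visible_ext, real_ext)
    return ("executable with extra extension", visible_ext, real_ext)

def attachments_to_block(names):
    """Return [(name, verdict)] for every attachment that would actually execute if opened."""
    return [(n, classify_attachment(n)[0]) for n in names
            if classify_attachment(n)[2] in EXECUTABLE_EXTS]

# Constructed sample of incoming attachment names (not real samples of any worm).
SAMPLE_ATTACHMENTS = ["vacation.jpg.pif", "readme.txt          .scr", "invoice.doc",
                      "setup.exe", "report.pdf", "archive.zip.exe"]
```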
Discriminating between a legitimate startup application and newly installed malware: A new application in the startup queue is legitimate if you expect it, like after installing a new program that requires initialization with Windows startup.
InVircible’s SAM popup window will show the details of the new startup application. Legitimate startup entries usually have a meaningful name that identifies the owner’s application. Malware, on the other hand, use a “generic” description, sometimes borrowed from a legitimate application - but with a quirk, to make the victim believe that it’s legitimate. Users are encouraged to look into their startup list through SAM (second from bottom on the IV menu, when clicking the IV icon on the tray) and memorize that list.
An addition to the list that wasn’t asked for could indicate the onset of a malware attack! Note that processes like installing a Windows update place a ‘RunOnce’ command in the startup queue. These are exceptions that you should not interfere with!
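As an added example, not InVircible's or SAM's code, here is a small Python auditor covering both the initialization locations listed earlier and the comparison against your memorized startup list just described: it flags LOAD/RUN directives in WIN.INI, a SYSTEM.INI Shell= or Winlogon Shell value that is anything other than explorer.exe, a redirected EXE file association, and Run/RunServices entries that are not on your known list. The snapshot values, the expected defaults and the abbreviated registry key names are assumptions constructed for the example.

```python
EXPECTED_SHELL = "explorer.exe"      # default for SYSTEM.INI [boot] shell= and the Winlogon Shell value
EXPECTED_EXE_COMMAND = '"%1" %*'     # default HKCR\exefile\shell\open\command (assumed documented default)

def parse_ini(text):
    """Tiny INI parser: returns {section: {key: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_startup(win_ini, system_ini, run_keys, winlogon_shell, exe_command, known_names):
    """Return (location, entry, reason) tuples for everything that deserves a look."""
    findings = []
    for sec, kv in parse_ini(win_ini).items():              # LOAD= / RUN= directives in WIN.INI
        for k in ("load", "run"):
            if kv.get(k):
                findings.append((f"WIN.INI [{sec}] {k}=", kv[k], "INI startup directive"))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", EXPECTED_SHELL)
    if shell.lower() != EXPECTED_SHELL:                      # Shell= hijack (Win 95/98/Me)
        findings.append(("SYSTEM.INI [boot] shell=", shell, "shell is not explorer.exe alone"))
    parts = {p.strip().lower() for p in winlogon_shell.split(",")}
    if parts != {EXPECTED_SHELL}:                            # Winlogon Shell hijack (NT/W2K/XP)
        findings.append(("Winlogon Shell", winlogon_shell, "extra process chained to the shell"))
    if exe_command.strip() != EXPECTED_EXE_COMMAND:          # EXE file association redirected
        findings.append(("HKCR\\exefile\\shell\\open\\command", exe_command, "EXE association hijacked"))
    for key, entries in run_keys.items():                    # Run / RunServices additions
        for name, cmd in entries.items():
            if name not in known_names:
                findings.append((key, f"{name} = {cmd}", "startup entry not on your known list"))
    return findings

def demo_findings():
    """Audit a constructed snapshot of an affected PC (every value here is a made-up sample)."""
    win_ini = "[windows]\nload=C:\\WINDOWS\\bogus1.exe\nrun=\n[Desktop]\nWallpaper=(None)\n"
    system_ini = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\bogus2.exe\n"
    run_keys = {"HKLM\\...\\CurrentVersion\\Run": {"ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
                                                  "Windows Auto Update": "C:\\WINDOWS\\bogus3.exe"},
                "HKLM\\...\\CurrentVersion\\RunServices": {"SystemTray": "SysTray.Exe"}}
    known = {"ScanRegistry", "SystemTray"}          # the startup list you memorized from SAM
    return audit_startup(win_ini, system_ini, run_keys, "Explorer.exe, C:\\WINDOWS\\bogus4.exe",
                         '"C:\\WINDOWS\\bogus5.exe" "%1" %*', known)
```

A clean machine (empty INI directives, explorer.exe alone as shell, the default EXE command and only known Run entries) yields an empty list.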
How to remove malware:
A word of warning, first! Current malware are complex entities, and removing them without leaving a trace requires more than just deleting a single file. As explained, malware may change system initialization files; deleting the bogus file, or even just quarantining it, without reverting the changes made to the initialization files risks a loss of control over Windows and may render the PC inoperable.
Therefore, before attempting generic recovery from a malware infection, you should first check whether a dedicated removal tool exists for that particular virus or spyware, and use it if there is one! Free dedicated removal tools are provided by most AV and anti-spyware producers, since their main product is not built to deal with the collateral damage caused by the newer malware! Dedicated removal tools, especially those made to run under Windows, are designed to handle malware side effects and revert their doing.
If running under XP or Windows 2000, it could be worth trying Microsoft's Malware Removal Tool (MRT). The MS tool is distributed through Windows Update (free) and is invoked by typing MRT in the desktop 'Run' command.
To identify already known malware, submit the offending file for online inspection (e.g. Kaspersky AV, or VirusTotal). The next step would be to pick a dedicated removal tool for the particular malware just identified, if one exists, and use it. A list of available tools can be obtained through Google search from this link.
General removal procedure when no dedicated tool exists
The following section is for advanced users with a fair knowledge of computers and how they work! You may use this procedure if no dedicated tool exists to handle the malware that affected the computer, or if removal by other means was botched and left the computer in a non-functional state.
- First, identify the offending process(es) and parent file – there may be more than one – by noting the details of the offender in the IV startup list. Normally, these will be highlighted in red in IV’s SAM list, unless the user confirmed the new entry by pressing SAM's OK button. Even then, all is not lost, as the new offensive entry can be retrieved from the IV real-time report. To view the report, click on the IV icon and open the third item from the top of the drop-down menu. When going through the startup list, pay attention to the following:
- Look at the description first. It should be familiar and recognized as belonging to the system, or to your personal list of startup applications, with which you should be familiar! A random-name description will often disclose malware, but you shouldn’t count on it!
- The name of the file and its path provide additional clues and useful information in case the application should be removed from the active tasks list, from the startup queue, and from the registry. Note the name of the offending file, as you will need it to complete the cleaning process.
- ‘Location’ describes the initialization method, which tells you where to look when removing the item from the startup queue, if needed. Typical initialization locations are the registry (e.g. machine Run, user Run, RunOnce, RunServices, etc.), Win.ini, System.ini, and the startup folder.
- The next step is to stop the offending process with Task Manager. The process to stop has the same name as the parent file identified above.
- After the bogus process has been stopped, its initialization can now be removed from the startup queue. The removal can be done by any method you master, like with IV’s SAM, REGEDIT or MSCONFIG (the latter is not available under W2K, only under Win 98, Me and XP. W2K users may import the Msconfig.exe application from XP to the Windows 2000 default directory and it will work like a charm).
- Tip to advanced users: Some malware modify multiple keys in the registry. To reverse the changes, you can use the REGEDIT search function to locate them all and fix what needs fixing. Use the offending filename as the search string.
- Before restarting the computer and deleting the malware file from the disk, you need to revert the changes it could have made to the registry, or you may not be able to regain control of Windows after restarting. As a precaution, run the FixRegEx utility from the server (or you may run it from floppy, after having downloaded the file).
- You may now delete the offensive file and restart the computer.
- The method described above may not always work. Either the offensive process can’t be stopped, or the offensive file can’t be deleted, or the bogus process automatically returns and reloads after having been removed from the startup queue. In such a case, conduct the removal process under safe mode with command prompt, as described on the Toggle Mode page.
Fixing the registry after a botched virus removal: As explained, Windows may lose the ability to launch applications as a result of inappropriate AV procedures, like quarantining the malware before reverting the changes made to the registry. If this happens, proceed as follows:
- From a functional PC, download FixRegEx from this link and copy the file to floppy.
- Restart the affected computer:
- To ‘command prompt only mode’, if running under Windows 9x.
- To ’safe mode with command prompt’, if running under W2K or XP.
- Look in page 72 of this knowledge base for how to start Windows Millennium or NT in “safe command mode”.
- When at the command line prompt, insert the floppy with the FixRegEx utility on it and run A:FIXREGEX.
- Now restart Windows normally.
Last modified: 17 May 2006