An Introduction to Viruses and Malicious Code, Part Three: Recovery
by Brad Griffin
|An Introduction to Viruses and Malicious Code, Part Three: Detecting and Resolving Virus Infections
last updated April 30, 2001
This is the third and final installment in a series offering an introductory overview of viruses and other malicious code. In part one of this series, An Introduction to Viruses and Malicious Code we discussed viruses and malicious code; what they are and how they affect your computer. In part two, Protecting Your Computers and Data we discussed ways to prevent malicious code from infecting your systems. In this installment, we will take a step-by-step approach in dealing with a virus infection. As well, we will look at a real-life example of removing a worm from an infected system.
There are circumstances that can allow an infection to occur in your computer or network, no matter how diligent you are. Perhaps a user has failed to update their anti-virus definitions. Maybe your 'real-time' anti-virus software was disabled for one reason or another. Or, on a rare occasion you may be hit by a virus or worm that your anti-virus vendor has not yet developed detection for. What can you do?
Unfortunately, there is no generic 'one fix suits all' procedure for removing viruses. Viruses and worms infect different parts of an operating system through different methods. They can also install specific files in a system that must be removed through different methods. The following procedures will assist you in removing a virus infection, while minimizing the possibility of losing vital data through 'panic' formatting of a system by an individual.
Diagnosing a Virus Infection
So what are the common signs of a virus infection? A sudden increase in e-mail traffic between users on your network can be a sign of an e-mail worm overrunning the system. Typically the messages may be from one or more people on the network and may be marked by unusual and identical subject headings. For example, 'Romeo and Juliet', or perhaps 'A great Shockwave flash movie'. Strange pop-up messages may appear on the computer screen such as 'Did You Wish Shankar on his Birthday?' You may also find systems shutting down inexplicably at certain times of the day. Signs of an infection are almost as varied as the number of viruses in the wild. Therefore it is essential that you become familiar with the more common signals that indicate virus activity. This should be a part of your overall preparedness plan.
The best way to minimize the damage caused by a virus infection is to be prepared for a virus infection. First and foremost, you should have a virus incident policy in place. (In fact, such a policy should be part of an overall security policy, which every organization or group of users should have in place to provide the guidelines of computer and information security.) A regular back-up schedule should be in place for all servers and systems that contain critical data. If a destructive virus enters your systems or network, these back-ups may be your only source of recoverable files.
Users should be instructed to report any virus warnings announced by their anti-virus software, or any suspect activity/behaviour from their systems to a designated IT support officer. Ideally, two or more people will be the initial contact officers. This should ensure that at least one person will be available in the event of an incident at any time.
Support officers should advise the user of the initial course of action to take with respect to step one of the incident handling procedures described below. Support officers should be intimately familiar with the specific incident handling procedures of the organization.
Many anti-virus vendors provide free tools to assist in removing most common viruses and worms. Users can develop a very good collection of read-only floppy disks, or a CD-ROM with the necessary tools that could reduce the effort of cleaning a system or network of an infection. The following tools and resources from various vendors will assist in developing a good defensive arsenal:
Systems administrators should keep write-protected boot disks for their computer or computers to allow them to boot from a floppy disk. They should also ensure that they have up-to-date copies of any special disks that were created when installing anti-virus software. It may also be helpful to keep a copy of a DOS-based or operating system independent anti-virus application on hand. (Users can check their anti-virus vendor for availability of these tools.)
Users should also check anti-virus vendor sites for instructions on how to manually remove traces of particular viruses and worms. There are a number of worms and viruses that cannot be removed automatically. Therefore, users should keep a hard copy of any available information regarding the removal of these malicious code types, particularly, information regarding I-worm.MTX, Hybris, Navidad and some of the newer viruses such as W32/Magistr@MM
Handling the Incident
Incident handling is essential to minimizing the damage inflicted by a virus, Trojan or worm. Once it has been confirmed that there may be a virus infection on one or more machines on a network, the manner in which the incident is handled can mean the difference between an inconvenient episode and a disastrous loss of information. The following steps will briefly outline how users should handle a virus incident.
1. Disconnect the Infected Computer
If the infected computer is attached to a network (two or more connected machines), physically disconnect it from the network immediately. Many worms will use the network connection to spread. Therefore, it is important to contain any outbreak as soon as possible, even if it may be a false alarm.
2. Confirm the Virus Infection
Confirm that it is actually a virus infection. What appears to be an infection may just be a corrupt file, or a system instability problem. The computer may also have fallen victim to a 'joke' program. For example, there are programs available that falsely report that they are deleting all files on a drive and are convincing to the point that they cause a considerable amount of hard drive activity while the program is running. An apparent infection could also be a false positive generated by anti-virus software. This can occur immediately after updating the software with new virus definitions. False alarms can also be caused by running two virus scanners on a system concurrently, a practice that should definitely be avoided.
3. Inform Users of the Virus Infection
Systems administrators should inform all users that a virus has been detected. They should inform system users what to look for in terms of signs of infection and also what to do reduce and/or prevent the spread of the malicious file. For example, if the virus came in an e-mail attachment, let them know what the attachment is and explain to them how to deal with it. Don't act alarmist. All this will do is incite unnecessary worry throughout your organization. Be sure that you are informed of any other system that show signs of infection and issue instructions on what measures to take with each affected machine.
4. Run a Virus Scan on the Infected Machine
On the affected machine, run a full virus scan of the system to determine the extent of the infection. Common signs of an infection, rather than a false alarm are:
5. Clean the Infected Machine
Once the system has been scanned and the administrator knows which virus he or she is dealing with, the system should be disinfected using the anti-virus software. In some cases, the anti-virus software will not be able to clean all files. In this case the administrator will have to manually remove copies of the virus or worm. A non-infected system should be used to check the anti-virus vendor web pages for removal instructions as suggested in the introduction to this article.
6. Restore Damaged or Deleted Files
The user may find that some files have been overwritten, depending on what type of virus has infected the system. The only way to restore these files is from a back-up copy. (Creating back-up copies of crucial files is the cornerstone of preparation for any security incident - its importance cannot be overstated.) Further, some important system files such as Winsock.dll may have to be replaced with clean copies from the original installation disk.
7. Ensure that the Virus Has Been Removed
Once the infected computer has been cleaned, the administrator should run a full scan with the anti-virus software to ensure all traces of the virus have been removed. Once the admin is sure that the system is safe, he or she can reconnect it to the network.
Once the virus recovery process is complete, a thorough review of the organization's security policy should be undertaken. Somewhere the anti-virus protection measures that were in placed failed, allowing the virus infection to take place. In order to minimize the risk of repeat infection, the point of failure needs to be identified and the cause of failure rectified.
The system administrator must attempt to discover where and how the virus entered the system. Did the virus come in an infected disk? Could it have arrived via an infected e-mail message? Was it downloaded from the Internet, hidden in what appeared to be a harmless file? Once the entry point has been ascertained, the security policy should be adjusted to preclude a repeat incident. Also, the current user education program should be enforced to make users aware of the inherent risk behaviors, such as opening unexpected attachments, etc.
Hopefully this article has given readers a good basic understanding of how to handle a virus incident. This discussion has avoided getting 'in-depth' in regards to boot-sector infections and other system damaging malware, as they are beyond the scope of an introductory article. The best way to be avoid being adversely affected by a virus infection is to be prepared. Systems administrators should follow the guidelines offered in this article and build up an anti-virus arsenal of tools, documentation and awareness. Users must be educated, not just once, but on a regular basis to ensure they stay aware and don't become complacent. As I've state, prevention is much easier than a cure.
A Real-World Example
The following is an example of how to go about removing a typical worm from an infected system. We will describe the worm commonly referred to as Navidad.A, and describe how to reverse the damage it does.
The Navidad Worm
Navidad arrives as an e-mail attachment named Navidad.exe. It attaches itself to messages in the user's 'Inbox' and replies to each one. In doing so, it appears to be sent purposely by the original victim. Once run, it renders the system virtually inoperable due to a bug in the code.
Signs of Infection
Signs of infection begin with an error pop-up box with the text 'UI' and an OK button. Next, an icon in the form of a blue eye appears in the system tray. If the 'eye' icon is clicked, a large pop-up message box with a single button containing the text 'Nunca presionar este boton' appears. Once pressed, a second message box appears with the text 'Lamentablemente cayp en la tentacion y perdio su computadora'. The messages translate as 'Never push this button' and Unfortunately he did not resist the temptation and lost his computer'. A system infected with Navidad should be removed from the network *immediately*.
When a user double-clicks on the attachment, it installs itself in the system directory as winsvrc.vxd and modifies a number of registry entries, in particular, the default exe start up key to:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)="C:\WINDOWSSYSTEM\Winsvrc.exe "%1" %"
The bug in the code lies in the fact that it installs itself as 'winsvrc.vxd', *not* .exe (which signifies an executable file.)
The other key modified is:
The shell open registry entry prevents any .exe extension files from running. The second 'run' key does not take effect due to the misnaming of the key.
Please note: navidad.B is slightly different, using 'Emanuel.exe' instead of Navidad, and Wintask.exe instead of Winsvrc.exe
Cleaning the Infected System
As previously mentioned, remove the system from the network.
The following text should be copied via a text editor (not a word processing application) on a known clean computer and saved on a clean floppy disk as fixnav.reg:
*****cut here***** REGEDIT4 [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Win32BaseServiceMOD" = "" ******cut here*****
On the infected system, go to start-->run and type 'command' (cmd for Win NT or 2000) without the quotes.
At the command prompt, type the following, depending on the operating system:
For Windows 95/98:
For Windows NT/2000
Doubleclick fixnav.reg to enter the data in the registry.
If you do not have access to a clean computer, or cannot copy the above text, you can copy regedit.exe as regedit.com and manually change the above keys.
Open a command prompt as above and type 'copy (path to system or system32 directory)regedit.exe regedit.com'
This will enable you to run the registry editor (com files are executable) and manually change the folowing keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)="C:\WINDOWSSYSTEM\Winsvrc.exe "%1" %*"
Change the above to:
i.e., delete the current value data and create a new data string. Also note that there is a space between the second quote and the second percent sign.
Delete the above values from the registry.
Close the registry editor and the command prompt, then do a search for all files using the following search strings:
(if you are infected with Navidad.B also search for wintask.* and emanuel.*) Delete any files you find named:
Run a full system scan to ensure no traces of Navidad are left on the system before returning the computer to the network.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.