My PC has a virus, now what?

Erdal OZKAYA

WHAT IS A COMPUTER VIRUS?

A computer virus is a computer program that is not designed to help you or make your life easier. PC viruses can replicate themselves and spread from one computer to another. Some viruses affect a computer as soon as their code is executed, whereas others stay dormant until a preconfigured condition is met.

Viruses can be disguised as attachments such as funny images, greeting cards, or audio and video files. Computer viruses also spread through downloads from the Internet; they can be hidden in illicit software or in other files or programs you might download. They exist in numerous forms, such as backdoors, worms, Trojans and rootkits.

What are the Characteristics of PC Viruses?

  • The virus can infect many files on the computer or network it belongs to.
  • Can be polymorphic: polymorphic code is code that mutates while keeping the original algorithm intact. In other words, some viruses have the ability to modify their own code, which means that a virus may have multiple similar variations, making them difficult to detect.
  • They may or may not be resident in memory.
  • The virus might download other viruses, or open the way for them to be downloaded.
  • It might not show any signs of infection.

 

How do Computer Viruses Work?

Once the virus arrives on the system (by one of many possible routes), it replicates itself and attaches to any .EXE file (with a randomly generated name). Each virus has different characteristics and may work differently in each variation.

How does the Virus affect your Computer?

A computer virus cannot infect your computer unless it is permitted to execute its code in memory. To get your permission, the virus is bundled with a software wrapping program (more info about wrappers here) into the most wanted "FREE" versions of "commercial" programs. In the infection phase, the virus replicates itself and attaches to an .EXE file on the system. This can change every time the virus is executed or triggered.

As you can see in the figure below, on a clean computer (left) the .EXE's IP starts the program, whereas on an infected system the virus starts before the infected program does.

How does a Computer get Infected by Viruses?

How can you protect your Computer from Viruses?

  1. Install antivirus and antispyware programs from a trusted source
  2. Update software regularly, not just your operating system but also your applications, let's say Adobe Acrobat Reader
  3. Use strong passwords and keep them secret
  4. Use at least a software firewall and never turn it off
  5. Be careful with "attachable" external devices like USB disks
  6. Don't be tricked into downloading malware; always double check the URL you are downloading the software from and, if possible, check the digital signature
  7. While you browse the net, if a pop-up appears, avoid clicking Agree or OK; instead press CTRL+F4
  8. Never download "cracked software"
  9. Be picky when opening e-mail attachments (sometimes even from a trusted source, as your friends' systems might be infected; see the info about the Klez virus below)

Virus Analysis

As viruses differ from each other and there are many virus types, I will deep dive into just a few of them and give you some information about them, so you can understand how they are designed and how they work.

KLEZ

The Klez virus appeared in late 2001 and infected a victim's computer through an e-mail message. The virus replicated itself and sent itself to all the contacts in the victim's address book.

The virus could disable virus-scanning software and could falsely pose as a virus-removal tool. A modified version of this virus could take any name from the victim's contact list and place that address in the "From" field. This technique is called spoofing.

With spoofing, the e-mail appears to come from one source when it is actually coming from somewhere else. Spoofing defeats the user's chance to block e-mail from a suspected sender.

Melissa

Melissa showed up in mid-1999 and was one of the first viruses designed to spread from computer to computer without relying on action on the user’s part.

The virus prompts the recipient to open a document, and by doing so the virus gets activated. The activated virus replicates itself and is sent to 50 persons whose addresses are present in the recipient's e-mail address book.

MyDoom

MyDoom creates a backdoor in the OS of the victim's computer. The MyDoom virus had two triggers. One of them began a denial of service (DoS) attack on Feb. 1, 2004. On Feb. 12, 2004 the second trigger fired, which stopped the virus from distributing itself.

Later that year, a MyDoom outbreak occurred for a second time, targeting several search engine companies. The virus would send a search request to a search engine and use the e-mail addresses obtained from the search results. This type of attack slowed down search engine services and caused some websites to crash.

W32/Virut

The Virut virus writes its initial code into a gap at the end of the original file's code section and redirects the entry point address to that "malicious code".
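As an added illustration (not from the original post) of the check a defender can run for this pattern: the Python below parses a minimal PE header and flags an entry point that lands in the padding between a section's VirtualSize and SizeOfRawData, which is the gap such infectors fill. The PE bytes are constructed in the script rather than taken from a real sample, and packers can trigger the same finding, so the result is a lead to investigate, not a verdict.

```python
import struct

def build_pe(entry_rva, sections):
    """Build a minimal PE32 header for the demo (constructed bytes, not a real binary).
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header right after the DOS stub
    opt = bytearray(96)                                   # PE32 optional header, unused fields zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs,
                                0, 0, 0, 0, 0, 0x60000020) for n, vs, va, rs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualSize, VirtualAddress, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # COFF header: NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # COFF header: SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0] # optional header: AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, rs = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vs, va, rs))
    return entry, sections

def classify_entry_point(data):
    """'ok': entry point inside a section's real bytes; 'slack': it points into the padding between
    VirtualSize and SizeOfRawData (the gap Virut-style infectors fill); 'outside': no section covers it.
    Packers also produce 'slack', so treat it as a lead to investigate, not a verdict."""
    entry, sections = parse_pe(data)
    for name, vs, va, rs in sections:
        if va <= entry < va + max(vs, rs):
            return ("slack" if entry >= va + vs else "ok", name)
    return ("outside", None)

# Constructed samples: same section layout, but the second entry point was redirected into .text's gap
LAYOUT = [(".text", 0x800, 0x1000, 0x1000), (".data", 0x100, 0x2000, 0x200)]
CLEAN = build_pe(0x1010, LAYOUT)
REDIRECTED = build_pe(0x1900, LAYOUT)

if __name__ == "__main__":
    print(classify_entry_point(CLEAN), classify_entry_point(REDIRECTED))   # ('ok', '.text') ('slack', '.text')
```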

Types of Viruses

For more info about Virus types please visit my blog.

Virus Detection Methods:

1) Scanning: this is how most viruses get detected. A scanning program looks for virus signatures, compares them against its database and can take the necessary action.

2) Integrity Checking: it works by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.

3) Interception: it monitors the operating system requests that write to the disk.
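The first two methods side by side, as an added example that is not part of the original article: a scanner matching a constructed signature database, and an integrity checker that records SHA-256 baselines and reports what changed. The files, the marker bytes and the "mutated" variant are all constructed here; the variant shows why polymorphic code (mentioned above) slips past signature scanning but not past integrity checking.

```python
import hashlib
import os
import tempfile

# Constructed signature database: name -> byte pattern. Demo markers, not real malware signatures.
SIGNATURES = {"Constructed.Marker.A": b"CONSTRUCTED-MALICIOUS-MARKER"}

def scan_file(path, signatures=SIGNATURES):
    """Method 1, scanning: report every known signature found in the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pattern in signatures.items() if pattern in data]

def build_baseline(root):
    """Method 2, integrity checking: record a SHA-256 per file as that file's 'signature'."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def verify_baseline(root, baseline):
    """Re-hash the tree and return which files were modified, added or removed since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a clean tree, then 'infect' two files and drop a third."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("app.exe", "tool.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"clean program bytes for " + name.encode())
        baseline = build_baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(SIGNATURES["Constructed.Marker.A"])      # appended, as a file infector would
        with open(os.path.join(root, "tool.exe"), "ab") as f:
            f.write(b"CONSTRUCTED-MAL1C10US-MARKER")       # 'polymorphic' variant: bytes differ
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(SIGNATURES["Constructed.Marker.A"])
        report = verify_baseline(root, baseline)
        hits = {p: scan_file(os.path.join(root, p)) for p in report["modified"] + report["added"]}
        return report, hits

if __name__ == "__main__":
    print(demo())
```

The integrity report names all three changed files, while the scanner only recognises the two carrying the exact marker.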

What is a Computer Worm ?

Computer worms are malicious programs that replicate, execute and spread across network connections independently, without human interaction.

A worm is a special type of computer virus that can replicate itself and use memory, but cannot attach itself to other programs.

A worm spreads itself through the network automatically.

Conficker Worm

The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.

What does the Conficker worm do?

It might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box shows one additional option.

The Conficker worm can also disable important services on your computer.

Virus & Worm Countermeasures:

Online Malware Analysis Services:

Microsoft Malware Protection Center

The Microsoft Malware Protection Center (MMPC) provides world class antimalware research and response capabilities that support the Microsoft range of security products and services.

http://www.microsoft.com/security/portal/

VirusTotal

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.

https://www.virustotal.com/

 

Threat Expert

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.

http://threatexpert.com/

More Computer Virus and related Terminologies :

Anti Virus Tools :

Windows Sysinternals Utilities : http://download.sysinternals.com/Files/SysinternalsSuite.zip

Microsoft Security Essentials : http://www.microsoft.com/en-au/security/pc-security/mse.aspx

Kaspersky, Symantec, BitDefender, Microsoft Forefront and McAfee are some of the paid anti-virus vendors.

How can I tell if my computer has a virus?

You have to be suspicious of some activities on your computer, such as:

  • Your computer beeps with no display
  • Your computer is running very slowly
  • You are getting unexpected messages
  • Your programs start automatically
  • Anti-virus alerts (if you have one)
  • Your modem or hard disk is working overtime (fan is always active)
  • Your PC freezes frequently
  • Your drive label changes (C:\ to T:\ for example)
  • Your files or folders are missing
  • Your Internet browser acts unusually
  • etc…

How do I remove a computer virus? (source Microsoft.com)

If you can reach a website using your web browser, run an online scan.

To run the Microsoft Safety Scanner
  1. Go to the Microsoft Safety Scanner webpage to download the scanner.

  2. Click Download Now, and then follow the instructions on the screen.

If you can't connect to the Internet

If you can't get to the Microsoft Safety Scanner online, try restarting your computer in safe mode with networking enabled.

To restart in Safe Mode with networking enabled
  1. Restart your computer.

  2. When you see the computer manufacturer's logo, press and hold the F8 key.

  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.

  4. Log on to your computer with a user account that has administrator rights.

  5. Follow the steps above to run the Microsoft Safety Scanner.

For more information about different startup modes, see Start your computer in safe mode.

If you still can't access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. The following steps reset the proxy settings in the Windows registry so that you can access the Internet again.

To reset Internet Explorer proxy settings
  1. In Windows 7, click the Start button Picture of the Start button. In the search box, type run, and then, in the list of results, click Run.

    -or-

    In Windows Vista, click the Start button Picture of Start button, and then click Run.

    -or-

    In Windows XP, click Start, and then click Run.

  2. Copy and paste or type the following text in the Open box in the Run dialog box:

    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

  3. Click OK.

  4. In Windows 7, click the Start button Picture of the Start button. In the search box, type run, and then, in the list of results, click Run.

    -or-

    In Windows Vista, click the Start button Picture of Start button, and then click Run.

    -or-

    In Windows XP, click Start, and then click Run.

  5. Copy and paste or type the following text in the Open box in the Run dialog box:

    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

  6. Click OK.

Restart Internet Explorer and then follow the steps listed previously to run the scanner.

Source for the above section: Microsoft.com

Remove a virus manually

This might be challenging. Please follow my blog to read the article about how to remove a virus manually.

Sample Flowchart on how to fight with a Virus

Comments
  • Anonymous

    Great post Erdal, awesome work as usual

  • tom.milliner

    Thank you for taking the time to post this.

  • Anonymous

    Hello Sir. Extremely liked that. If you have a presentation copy of it, plz do send it to me, I will present it in my campus. aryans14@yahoo.com

  • cheong00

    Great article, but seems something a bit off on these lines.

    You have to be suspicions of some activates in your computer, such as

    [...]

    •If your Internet browser acts usual.

  • Anonymous

    Very well written and I think

    •If your Internet browser acts usual.

    supposed to be UNUSUAL ;)

  • Anonymous

    Excellent post and more awesome your live presentation some days earlier! Keep the good work!!!

  • Anonymous

    I am going to use this in my User Group

    Thank you Erdal Ozkaya

  • Anonymous

    Very good post. I've never seen a diagram such as this. Do you have that on your professionally written resume www.rightfitresumes.com?

  • Anonymous

    The virus removal flowchart is way too complicated, removing a virus is very simple if you follow the following advice:

    technet.microsoft.com/.../cc512587.aspx