7 steps to identifying viruses and Trojan horses on your system
The phone calls always start the same way: "My antivirus scanner isn't finding anything, but I know something is there." People don't call an antivirus consultant until the usual antivirus tools and checks have failed. And the callers' statement doesn't surprise me. I have more than 20,000 different malicious computer programs in my collection (not even half of what's out there), and hundreds of them aren't detectable by any scanner. Only a few byte changes or a different encryption scheme can make a familiar program unrecognizable. Even the best virus scanners can't find everything.
So, how do you find malicious code (e.g., worms, viruses, Trojan horses, backdoor programs) when the expert tools can't find it? Seven steps will help you find viruses and other types of malicious programs on all Windows systems. (I don't cover macro- or boot-virus detection. Describing the techniques for finding these two types of malicious mobile code would significantly lengthen this article, and boot viruses aren't as popular as they used to be.)
1. Disconnect from the Internet
If you have a live connection to the Internet, physically unplug it. A rogue program on your system might be in the middle of downloading data or placing more bad programs. If intruders have placed a remote access Trojan horse on your PC so that they can watch your every move on the system, you want to cut off their backdoor access before they realize that you're on to them. Many rogue programs have "kill" batch files that erase evidence or contain destructive payloads that crackers can trigger if they notice your discovery search. Windows XP and Windows 2000 let you disable network connections from within My Network Places, but sometimes you remain connected when you think you aren't. Physically disconnecting is the safest way to proceed. Remain disconnected until you've cleaned your system or confirmed the absence of harmful code.
2. Rerun Your Antivirus Scanner
You've already run your antivirus scanner once, but run it again. Before you run it the second time, make sure all other programs are shut down. Close programs in the System tray (you can usually do this by right-clicking the program icons, then clicking Close or Exit). Press Ctrl+Alt+Del to start Task Manager and close other unneeded programs. Closing programs and then running a virus scanner a second time is a good idea even when the tool finds infected files on the first pass. Many times, I've used scanners and found multiple infected files. Then when I've run them again with fewer programs in memory, I've found many more infected files than the first time. In general, the fewer things running in memory, the more accurate a scanner can be. Close everything that isn't essential. Notice that I don't recommend booting into Safe mode. Booting into Safe mode often disables Windows-based antivirus scanners or complicates the detection process later on.
Also be sure to turn on your scanner's most invasive scanning mode. You might have done your initial virus scan with the default settings that the vendor configured for typical, day-to-day use. The vendor has made cost/benefit decisions in the default settings so that the tool will complete scans more quickly by skipping the search for less frequently occurring malicious file types. For example, many scanners don't scan the Recycle Bin folder, a fact that malicious coders have used to their advantage. But if you're suspicious, you want the scanner to look for everything, everywhere, even in compressed files.
3. Look in Startup Areas for Suspicious Programs
Most intruders want their viruses and Trojan horses to be loaded into system memory as frequently as possible. A malicious program can place itself in dozens of spots so that it's automatically executed the next time the PC or some other program starts. You need to search each location and rule out every program that's automatically launched. This step is probably the most difficult and time-consuming part of the rogue-code hunt because finding malicious code means knowing which programs are legitimate. You might have to do quite a bit of research to rule out all the nonmalicious programs.
Each time you start your PC, it goes through a series of steps to load the OS and many autostart programs. Before you start one program, your PC might have already called a dozen programs and hundreds of files that the OS and other software need. Microsoft Task Scheduler, AOL, RealNetworks' RealPlayer, and video-card programs are commonly loaded programs. Many different areas of Windows load programs and files. Figure 1 shows some of the places, in order, that can load programs during a generic startup of a Windows Me or Windows 9x machine. XP, Win2K, and Windows NT follow a different startup path. Figure 2, page 90, shows the generic startup path for XP, Win2K, and NT.
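To make the step 3 search tractable on a current Windows system, here is an added PowerShell example (not code from the article) that lists the Run/RunOnce registry entries, the Startup folders and Task Scheduler jobs, then flags every entry whose executable is missing or lacks a valid Authenticode signature, so that the research effort goes to a short list. It assumes Windows PowerShell 3 or later; Get-ScheduledTask exists only on Windows 8 / Server 2012 and later and is skipped where absent.

```powershell
# Added example (not the article's code): list common Windows autostart entries and
# flag any whose executable is missing or lacks a valid Authenticode signature, giving
# the analyst a short research list. Assumes Windows PowerShell 3+; Get-ScheduledTask
# needs Windows 8 / Server 2012 or later and is skipped where absent.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as "C:\dir\app.exe" /x or C:\dir\app.exe /x
# (an unquoted path containing spaces falls through and is reported as FILE MISSING, which still flags it)
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}
# Files dropped into the per-user and all-users Startup folders
foreach ($f in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
    }
}
# Task Scheduler jobs, one of the autostart paths the article names
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) {
                $entries += [pscustomobject]@{ Source = "Task:$($_.TaskPath)"; Name = $_.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
}
# Resolve each command to a file and check its signature; research anything not 'Valid'
$entries | ForEach-Object {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $_.Command))
    if (-not (Test-Path $exe)) { $exe = (Get-Command $exe -ErrorAction SilentlyContinue).Path }
    $status = if ($exe -and (Test-Path $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FILE MISSING' }
    [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Exe = $exe; Signature = $status }
} | Sort-Object Signature | Format-Table -AutoSize
```

A 'Valid' signature only tells you the publisher is who it claims to be, so treat the output as the list to research first, not as a verdict; unsigned entries from well-known vendors are common and still need to be ruled out by hand.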
The following files and areas can automatically execute malicious code. At a minimum, you should check these components and note any statements that load programs whose names you don't recognize. Later in this article, I explain how to check the legitimacy (or illegitimacy) of any unfamiliar or suspicious programs.