Thursday, June 9, 2011

Image hijacks

What is an image hijack?
Image hijack, in a one-line definition, refers to a method of opening a specific application or DLL under a specified debugger.

What is the purpose of image hijacks?
Suppose you have some executable file which you want to debug. The standard method would be: open the debugger, say Visual Studio; load the application to be debugged into it; then debug in the usual way, with single stepping, stepping in, breakpoints and so on.

Another smart (?) way provided by Windows is image hijacks.
Here, we can assign a specific debugger to a specific executable. Then, when you open that executable by double clicking on it, Windows launches the debugger with your executable as its argument, and you are saved the effort (?) of manually opening the debugger and loading the application. This is done using the Windows registry.

As an exercise, let’s hijack some executable file.
  1. Select any sample executable for the experiment, say Mozilla Firefox: firefox.exe.
  2. Open the registry editor.
  3. Navigate to the key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options”.
  4. Under that key, create a new sub-key named “firefox.exe”.
  5. In the right-hand pane, create a new string value. Name that entry ‘debugger’.
  6. Double click that string to edit its value. Set its value to another executable, say notepad.exe.
  7. A single command to do the above steps would be
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v debugger /d "notepad.exe" /f
  8. Now double click your Firefox icon. This will indeed open firefox.exe using notepad. You can verify the command line using Process Explorer.
  9. Now close notepad without saving. If you save a binary file using notepad, it will corrupt it, so make sure that you do not save firefox.exe from notepad. Of course, if you save it by mistake, you still have the option of re-installing Firefox.
  10. Now the undo part: delete the key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe”.
  11. Done; your system is back to normal. You can verify it by opening Firefox again.
What we just did is an example of using image hijacks. For practical use, firefox.exe would be your test executable and notepad.exe would be an actual debugger like Visual Studio.

Some useful image hijacks I used:
I normally don’t like notepad. I prefer notepad++. Hence whenever some file is being opened using notepad, I want it to be opened by notepad++ instead. Hence I created a small C program which reads the command line arguments, and I made that the debugger for notepad.exe using image hijacking. So when I open any text file, say boot.ini, it would rather launch the command "my_app.exe notepad.exe boot.ini". Now my application receives these as command line arguments. All that needs to be done is to strip out the first argument, notepad.exe, and launch the notepad++ command with the remaining arguments. A similar trick was used to force open Firefox instead of Internet Explorer.

Just for the record, the “replace task manager” feature in Process Explorer is implemented using image hijacks. (And that’s where I first discovered this concept of image hijacks. :) )

What is the risk involved with it?
There is a big risk involved with this ‘feature’ Microsoft has provided. What if the debugger associated with an application is a virus file? That file is executed instead of your application. That virus file can then launch the real application.

Suppose some virus hijacks the file reg.exe, and you are trying to remove the virus infection from the registry using reg.exe.

All the calls you make to your application, reg.exe, are completely visible to the virus file. It also knows what parameters you passed to reg.exe, where you called reg.exe from (which process) and all other such details.

The virus knows the parent process which called reg.exe, say the command prompt; knowing its PID, it can terminate that process.

The virus knows the arguments passed. It can allow reg.exe to run and then undo the effect caused by reg.exe. It’s funny: you see reg.exe run and do its job, but in the end nothing happens. :D

The worst risk is this: you carefully remove the virus from the various autorun locations and then try to delete it using the command prompt. If cmd.exe has been hijacked by the same virus, the virus runs again. It copies itself to the startup locations again, and your efforts to remove it from startup are all in vain.

How to get rid of such hijacks?
Open Sysinternals’ utility called Autoruns (mentioned in the previous post). Navigate to the tab called Image Hijacks. Remove any suspicious entries. Before you delete these entries, make sure that the virus is not already running. There are any number of ways the virus can be in execution: as an exe, as a DLL, as code injected into some other exe, etc. Hence this precaution, that the virus should not be executing, has to be handled with trial and error.

Suppose the virus is not already in execution. Now, using the Autoruns utility, delete the image hijacks first. Then delete it from the screensaver entry, if one is present, and subsequently from the other autorun locations. After removing it from such autorun places, delete the virus executable from your disk, either using Windows Explorer or the command prompt.

Of course you can delete it manually using the registry editor, but going through all the keys is more troublesome.
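An added example, not from the original post, that audits the registry key used in the exercise above for the cleanup described here: it lists every sub-key under Image File Execution Options that carries a Debugger value and flags the ones worth a second look. The watch list of tool names and the "outside Windows/Program Files" heuristic are my assumptions, not anything the post specifies; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: list every image that has a debugger assigned
# under Image File Execution Options and flag the entries worth a second look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Tools the post names as frequently hijacked (assumption: extend to taste). A Debugger value on
# one of these is not always malicious; Process Explorer's "replace task manager" feature sets
# one on taskmgr.exe, so the Resolved column must be checked before anything is deleted.
$watchList = @('autoruns.exe', 'taskmgr.exe', 'cmd.exe', 'regedit.exe', 'reg.exe', 'msconfig.exe')

function Get-IfeoDebuggerReport {
    Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
        $image    = $_.PSChildName
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { return }   # most sub-keys hold only mitigation flags

        # The value is a command line: "C:\path\dbg.exe" /args, or a bare name such as notepad.exe.
        $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }

        # A bare name is looked up through PATH, which is how the loader would find it.
        $resolved = if ([IO.Path]::IsPathRooted($exe)) { $exe }
                    else { (Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1).Source }

        $flags = @()
        if ($watchList -contains $image) { $flags += 'debugger set on an admin/security tool' }
        if (-not $resolved -or -not (Test-Path -LiteralPath $resolved)) {
            $flags += 'debugger file not found'
        } elseif ($resolved -notlike "$env:SystemRoot\*" -and
                  $resolved -notlike "$env:ProgramFiles\*" -and
                  $resolved -notlike "${env:ProgramFiles(x86)}\*") {
            $flags += 'debugger outside Windows/Program Files'
        }

        [PSCustomObject]@{
            Image    = $image
            Debugger = $debugger
            Resolved = $resolved
            Flags    = ($flags -join '; ')
        }
    }
}

$report = Get-IfeoDebuggerReport | Sort-Object Image
if ($report) { $report | Format-Table -AutoSize } else { 'No Debugger values under IFEO.' }

# To undo a confirmed hijack (the "undo part" of the exercise), remove only the value, not the
# whole sub-key, since the sub-key may also hold legitimate settings:
#   Remove-ItemProperty -Path "$ifeo\<image name>" -Name Debugger
```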

How to overcome such hijacks; what is the workaround?
Suppose that autoruns.exe has been hijacked. Now what? Whenever you try to open autoruns.exe, it will launch the virus file. Other commonly hijacked files are task manager (taskmgr.exe), command prompt (cmd.exe), registry editor (regedit.exe), reg.exe, msconfig.exe etc.

The answer is simpler than I could imagine. Note that the image hijack is keyed on the file name autoruns.exe. Thus the solution is to rename it to autoruns2.exe or any other name of your choice. Normally, viruses would not stop the user from using his PC altogether, so they would never hijack executables like explorer.exe. Copy autoruns.exe to your desktop, rename it to explorer.exe and simply execute it. Then, once the Autoruns utility is open, you can easily remove the image hijacks as you wish.

How to USE image hijacks to get rid of viruses?
This is interesting and easy. Once you know the name of the virus, say shahrokh.exe, you can hijack the virus executable. The procedure is the same as the one we experimented with for firefox.exe. Just ensure that the virus name does not coincide with some system file.

I would recommend that the debugger be set to notepad.exe or some simple Windows executable known to you. Now whenever the virus tries to execute itself, Windows will launch notepad with the virus file as its argument. Thus the virus does not get executed, even if you accidentally, or rather purposely, double click on it :) . Now you can safely remove the autorun entries using the Autoruns utility and subsequently delete it from the system.

Tuesday, March 29, 2011

Disabling autorun feature of USB drives

As you are aware, currently one of the most common media for virus spreading is USB flash drives. There is a feature in Windows which automatically executes a program when a removable disk (either a USB drive or a CD) is inserted. (This post will use the terms USB drive, flash drive and USB flash drive interchangeably. All refer to the same thing.)

This autorun feature is implemented using a file named autorun.inf. Autorun.inf is not a virus. It is a file which defines the autorun task that executes when the removable media is inserted. This file was a method to create automatic installation CDs, such that the software installation starts immediately after the CD is inserted into the CD-ROM drive. For the Windows OS there is no distinction between a CD drive and a USB drive as far as the autorun feature is concerned.

Viruses use this file – autorun.inf – in order to spread via USB flash drives.

A typical autorun.inf file created by a virus may look as follows:

[autorun]
open=path-to-virus-file.exe
explore=path-to-virus-file.exe

By default, when you attach the USB drive, Windows checks for this file in the drive. If found, it checks whether there is an “open=” entry. If there is, the program named there gets executed after you attach the USB drive. Hence, as per the above sample autorun.inf, the program path-to-virus-file.exe gets executed when the drive is attached. This is how the virus executes on connecting the USB drive.

Similarly, if you right click on the drive in My Computer, you will see options like Open, Explore etc. in the popup menu. The corresponding entries in autorun.inf are executed when the respective menu items are clicked. If the entry for some option is missing in autorun.inf, the default action (e.g. open / explore) is taken. Also, when you double click on the drive, the default action is open; thus the command corresponding to ‘open’ in autorun.inf executes.

Now, the above paragraph was a bit confusing. In short: whether you double click on the drive, or right click on the drive and select Open / Explore, in any of these cases the corresponding entry in autorun.inf gets executed. If this entry points to a virus file, the virus file gets executed. Hence, never double click on the drive. Never right click on the drive and select Open / Explore.

Having said all this, how do I access files on the drive if I cannot open the drive? Well, there is a way for that.
Open Windows Explorer (by pressing <Windows key + E> together). In the left-hand pane you will see the drives and folders in a tree-like structure. Now click on the desired drive in that pane. This opens the drive in a safe way, bypassing autorun.inf. There are more methods to achieve this, but I found this the simplest and safest one.

So this was about bypassing autorun.inf while opening the drive. But what about the original feature of autorun, automatically opening the installation program when the drive is connected?
For this, there are several ways out.

The simplest one is to keep the Shift key pressed while attaching the USB drive (or inserting the CD), till the drive is fully detected. When a new type of flash drive is connected for the first time, Windows installs a specific device driver. (E.g. when connecting a SanDisk drive for the first time, Windows installs the SanDisk flash drive driver.) You have to keep the Shift key pressed till the driver installation is complete and you can see the drive in My Computer. If connecting an external hard disk containing multiple partitions, keep the Shift key pressed till all the partitions are detected.
Hint: open Windows Explorer by pressing Win+E BEFORE connecting the USB drive, so that you can identify the point when the device is fully detected and thus when you can safely release the Shift key.

This method of pressing the Shift key is simple, but not reliable, because it involves the human factor. You might forget to press Shift. Some friend may connect his USB drive while using your PC without pressing Shift. You might release the Shift key before the drive detection is complete, and so on.

Thus there is another, automatic way of skipping the autorun feature when a USB drive is connected: disabling autorun through the registry.
For this, copy the following text into a text file. Save that file as autorun.reg. Double click on that file and press OK when prompted.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
"NoDriveAutoRun"=dword:03FFFFFF

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
"NoDriveAutoRun"=dword:03FFFFFF

With this, the autorun feature is disabled when you connect the drive, so there is no need to keep pressing the Shift key. However, on a freshly installed system, in order to apply this setting for the first time, I generally copy this .reg file using a USB drive. So for that first connection, I need to use the Shift-key method.

Also note that this method disables autorun only when connecting the USB drive. Neither the registry method nor the Shift-key method will help if you double click on the drive. To prevent autorun from that path as well, use the Windows Explorer method of selecting the drive from the tree view.

With these precautions, the autorun feature of the USB drive is bypassed, and the virus, if any, does not execute when connecting the flash drive. This way, there is no need to virus-scan the flash drive when it is connected.

Now, how to remove the virus, if any, from the flash drive?
Open the autorun.inf file, if found. It may be marked as a system and/or hidden file. Make sure that you keep system and hidden files visible (use Folder Options from the Tools menu of Windows Explorer).
Ideally, you should see an autorun.inf file only if there is some software installation on the flash drive. In autorun.inf, find the “open=something.exe” entry. If that name looks like some virus name, delete the file it points to. And finally, don’t forget to delete the autorun.inf file itself.
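An added example, not from the original post, that does the inspection above from a PowerShell prompt instead of opening the drive: it reads autorun.inf (including when it is hidden/system), keeps only the [autorun] section, and for each entry that launches a program shows the resolved target and whether that file exists and carries hidden/system attributes. The drive letter E: is an assumption; change it to the flash drive's letter.

```powershell
# Added example, not from the original post: read autorun.inf from a removable drive without
# opening the drive, and show what each launch entry points to. Assumption: the drive is E:.
$DriveRoot = 'E:\'

$inf = Join-Path $DriveRoot 'autorun.inf'
if (-not (Test-Path -LiteralPath $inf)) { "No autorun.inf on $DriveRoot"; return }

# -Force is needed because the file is usually marked hidden and/or system, as the post notes.
$infItem = Get-Item -LiteralPath $inf -Force
"autorun.inf attributes: $($infItem.Attributes)"

# Minimal INI parse: keep key=value pairs from the [autorun] section only, case-insensitively.
$section = ''
$entries = [ordered]@{}
foreach ($raw in Get-Content -LiteralPath $inf -Force) {
    $line = $raw.Trim()
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
    if ($section -eq 'autorun' -and $line -match '^([^=;]+)=(.*)$') {
        $entries[$Matches[1].Trim().ToLower()] = $Matches[2].Trim()
    }
}

# Entries that cause a program to run: open (double click / insert), shellexecute, the explore
# key from the post's sample, and shell\<verb>\command for context-menu verbs.
foreach ($key in $entries.Keys) {
    $launches = ($key -in 'open', 'explore', 'shellexecute') -or ($key -like 'shell\*\command')
    if (-not $launches) { continue }

    # First token of the value is the program; strip quotes and resolve relative to the drive root.
    $target = ($entries[$key] -split '\s+')[0].Trim('"')
    $full   = if ([IO.Path]::IsPathRooted($target)) { $target } else { Join-Path $DriveRoot $target }
    $exists = Test-Path -LiteralPath $full
    $attrs  = if ($exists) { (Get-Item -LiteralPath $full -Force).Attributes } else { 'file missing' }
    '{0,-24} -> {1}  (exists: {2}; attributes: {3})' -f $key, $full, $exists, $attrs
}
# Decide from the listing whether the target is an installer you recognise; if not, that target
# is the file the post says to delete, followed by autorun.inf itself.
```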

Saturday, March 26, 2011

Know your friends

So you have decided that you won't install antivirus, or use some low-end antivirus. Now what? What to do when a virus comes to your system? What tools do you use for the virus detection and removal?
Below is a list of the freeware tools that I use.
  1. Process explorer
    It’s a tool developed by Sysinternals for Microsoft and is available for free download. It is a kind of better version of task manager. It’s better than task manager in several ways.
    • It can show the running processes in a tree-like format, so the process creation hierarchy is shown and you can identify which process initiated which one.
    • It also shows the path of each running process. Thus, if there is a fake executable (say explorer.exe) located at some wrong location (say your profile folder) instead of its correct location (the system32 folder in the case of explorer.exe), you can detect that the path is wrong, and hence that the file may be a fake one, or at least an undesirable one.
    • New process creation and destruction can be seen visually, using color indication. Thus it’s easier to keep track of process creation when you need to diagnose.
    • Provision to suspend / resume any process: when the parent process is suspended and its children are killed, the suspended parent cannot restart the child process again, and you can easily delete the child process executable.
    • Process handles: many a time we encounter the issue while “safely removing hardware” that some process is using the hardware, hence Windows cannot remove it. Now, the question is which process? You can search for the drive letter (say h:\) and get the list of processes which are accessing the drive.
    • And finally, the best part of it: it can replace task manager. I.e. when you try to open task manager (say by pressing Ctrl+Alt+Del or Ctrl+Shift+Esc), it will actually open Process Explorer. Hence, there is hardly any change required in user habits.
    So I would strongly recommend that you stop using task manager and move to Process Explorer.
  2. Command prompt
    Nothing comes as handy as the command prompt when trying to delete a file that Windows Explorer does not allow you to delete easily. Simple basic commands like
    • cd
    • dir /a
    • rmdir /s /q
    • type
    • del/erase
    • attrib -s -h
    • title (a very stupid command, but it helped me in the removal of one virus)
    are generally sufficient for our needs.
  3. msconfig
    Know which processes and services are loaded at system startup. Remove suspicious processes and services. You may also remove some genuine processes which you don’t want to run at startup (like WinZip Quick Pick). It will make your system run faster, as fewer processes are running. Press Win+R and enter msconfig in the dialogue box to open msconfig.
  4. Autoruns
    It’s a kind of advanced version of msconfig. It’s also developed by Sysinternals for Microsoft and can be downloaded from here. It shows the many paths where the system checks for startup programs. Remove suspicious items from the list.
  5. Windows explorer / Internet explorer 6 + Shift-delete
    When you find the location where your virus is located, the next thing to do is Shift+Delete (unless you want to keep that file as a pet for experimentation :P). The virus location can be found using tools like Process Explorer, msconfig or Autoruns. Internet Explorer 6 can be used to browse your directories if Windows Explorer is unable to do so for some reason. If you cannot delete the virus file for some reason, try deleting it using the command prompt.
  6. Registry editor
    This is one risky thing to work on. If you mess up something in it, there is a possibility that your system will never boot again. Having said this, I will still recommend that one should play with the registry. The safe option is to enable System Restore, create a restore point and then play with the registry. In the registry you will find many configurations and settings. When you want to remove some viruses manually, it’s a good idea to use the registry to disable the execution of the virus. The details of how to use the registry will be given in coming posts, wherever required.
  7. Commands – tasklist, taskkill, reg etc
    Well, it’s easy to use task manager (read: Process Explorer), registry editor… but what to do if somehow task manager or the registry editor has been disabled by some virus? In these cases, we first need to re-enable these tools using the registry. Sometimes these tools are not disabled in the registry, but the virus detects that you have opened task manager and then it kills task manager’s process. How to know the name of the virus in such a case?
    Here, the command line tools are helpful.
    As you can understand from the name, tasklist gives you a list of processes running in your system, and taskkill can be used to end a process. There are several options to these two commands. For more details, run “tasklist /?” or “taskkill /?” at the command prompt.
    Similarly, whatever you can do with the registry editor can be done with the reg command. Run “reg /?” for more details about the reg command.
  8. Notepad
    Use notepad to create the registry files, batch files, VBScripts and so on.
    I would, however, recommend using the freeware notepad++ because of the features it provides.
  9. Process Monitor
    It can be used to monitor process creation and exit, thread creation and exit, and the opening and closing of files by processes already running in the system. Thus it’s easier to keep track of what’s happening in your system.
  10. tweakui
    Again, a PowerToy by Microsoft… Google for tweakui for the link.
    This gives you many features and customization options with a nice GUI. Options like the autorun feature, etc. (explained in the next post) can be set using this GUI. Overall, it’s a nice free tool.
  11. Firefox + google
    When (almost) everything fails, Google comes to our rescue. :-)
    Whatever problem you are facing, try to find some peculiar thing about the virus. This can be the virus exe name (say msmxeng.exe, obtained using Process Explorer or otherwise) or some message string it pops up (e.g. “I dont hate mozilla but use IE or else”). Search for such specific keywords on the internet. Check the sites of some antivirus companies for a solution about how to manually remove the virus. These sites may also give details about what harm that particular virus does, so that you can undo it if possible.
  12. Linux live CD
    Finally, you have tried everything possible and known, but you could not delete the virus for some reason. In such cases, Linux comes to rescue your Windows. Boot using the Linux live CD. Mount the partition containing the virus. Locate the virus executable file and, peacefully, delete that file. No program can prevent you deleting that file when you are booted from Linux.
    There are many, many flavors of Linux live CDs which you can use for this. I mostly use the Ubuntu or Knoppix live CD.
  13. Other computer, with antivirus
    Disconnect the virus-infected hard disk from your system, connect it to another system with an up-to-date antivirus and scan that hard disk. (This still means that you install antivirus on only one Windows machine; other systems don’t need to have an antivirus.) After scanning, you can reconnect it to your system.
  14. Parted magic
    If for some reason you cannot disconnect it from your system (say, e.g., it’s a laptop hard disk), then copy the infected partition to an external HDD using Parted Magic. Scan that HDD using antivirus and write that partition back from the external HDD to the internal HDD.
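An added example, not from the original post, that implements the path check from item 1 (a well-known process name running from outside the Windows directory) as a command-line tool for the situation in item 7, where task manager or Process Explorer is being killed. The list of names is my assumption, built from the executables this post mentions; run it from an elevated PowerShell prompt so every process's path is readable.

```powershell
# Added example, not from the original post: a command-line stand-in for the Process Explorer
# checks in item 1, usable when Task Manager itself gets killed (item 7). Assumption: run from an
# elevated PowerShell so the executable path of every process is readable.
$systemRoot = $env:SystemRoot

# Names that belong under the Windows directory. explorer.exe is the post's example; the rest are
# the tools it lists as hijack targets, plus svchost.exe as a commonly imitated name (assumption).
$wellKnown = @('explorer.exe', 'svchost.exe', 'taskmgr.exe', 'cmd.exe', 'regedit.exe', 'reg.exe', 'msconfig.exe')

function Get-MisplacedSystemProcesses {
    $procs = Get-CimInstance -ClassName Win32_Process     # has ExecutablePath, ParentProcessId, CommandLine
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if (-not $p.ExecutablePath) { continue }          # System/Idle, or access denied without elevation
        if ($wellKnown -notcontains $p.Name) { continue }

        $dir = Split-Path -Path $p.ExecutablePath -Parent
        $underWindows = ($dir -eq $systemRoot) -or ($dir -like "$systemRoot\*")
        if ($underWindows) { continue }

        # Report the parent too: item 1 notes that a suspended/killed parent cannot respawn the child.
        $parent = $byPid[[uint32]$p.ParentProcessId]
        [PSCustomObject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            ParentPID   = $p.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $p.CommandLine
        }
    }
}

$suspects = @(Get-MisplacedSystemProcesses)
if ($suspects.Count -eq 0) {
    'No well-known process name is running from outside the Windows directory.'
} else {
    $suspects | Format-Table -AutoSize
    # Item 7's workflow from here: stop the parent first so it cannot respawn the child, then the
    # child, then delete the file. Review the table before running anything like:
    #   taskkill /PID <ParentPID> /F
    #   taskkill /PID <PID> /F
}
```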

With these handy tools, you will most likely be able to detect and delete most viruses.

Wednesday, March 23, 2011

Popular beliefs vs reality

I have a good antivirus program, hence my computer is safe from any viruses.
As mentioned in an earlier post, all an antivirus program does is check the file under test against its virus definitions. If all the definitions test negative for that file, the file is considered clean. Hence, if there is a new virus whose definition is not present in your antivirus's definitions, it will be shown as clean.

I have multiple antivirus programs installed, so I am safer.
Most likely, when an antivirus sees another antivirus running, it stops checking for viruses itself, and the other antivirus does the same. Eventually, nobody protects your system from the virus threat. Both antiviruses, however, consume your hard disk space, RAM and CPU cycles.

All files flagged by my antivirus program are viruses.
The antivirus is also a software program. You can write a program which fits a virus's characteristics: an autorun entry, creating autorun.inf on removable drives, copying itself to the system32 folder etc. A classic example was the n.vbe file, which was reported by many antiviruses as an infection. But when I actually read the file (yes, it was a text file), I came to know that it was in fact a program to remove certain viruses.

I must have an antivirus program.
As I said earlier, having an antivirus does not imply that your system is protected from all sorts of viruses. And if it is not going to protect you, why must you have an antivirus program? Just because Windows Security Center keeps warning you to have one? In reality, with some simple precautions, one can work on a Windows system normally without having to use an antivirus. These precautions will be covered in the next posts. Generally it's a good idea to clean your hard disk once and for all by connecting it to a separate, clean system with a good, up-to-date antivirus running. From then on, with these precautions, viruses won't affect your system.

I need a great firewall.
For a normal user like us, the Windows firewall is generally sufficient.

I have never connected to internet. How can a virus enter my system?
A virus can enter your system from many sources. The most common media these days are USB flash drives and the LAN.

Transferring over LAN / P2P will bring viruses with them.
Generally, yes. But not always. You can copy files over the LAN. Just make sure that you don't execute the executable files without scanning.

I have downloaded only from authentic site. How can it have a virus?
My personal experience: my Sony Ericsson phone's memory card, newly bought, just taken out of the box, had a virus. So even if you are downloading something from an authentic source (website, friend, computer vendor), be cautious.
Also, which sites do you think are authentic? I trust very few sites for that matter: Microsoft's original website; sites like sourceforge.net, which mainly provide open source software; sites like download.com / softpedia.com when they explicitly mention that the software is virus free; and the known official sites of certain software. Beware of fake websites.

I have virus on my system. My files are infected:
A virus is a software program. It's very unlikely that a virus will corrupt your data files; very rarely is the purpose of writing a virus data corruption. The common purposes are keyloggers/password sniffers, trojans, scaring the user into buying an antivirus, etc.

I have got a virus on my system. At least now, I MUST install antivirus.
No again. As said earlier, an antivirus cannot guarantee you that there will be no virus in your system after scanning. A simpler approach is to remove the virus manually. This also keeps your system resource consumption lower, since there is still no antivirus.

My flash drive has a virus. If I connect it to my system, it will infect my system also.
A virus is nothing more than a software program. It cannot execute on its own. So, in short, if you prevent it from executing, it will not execute against your wish, and if it does not execute, it cannot do any harm to your system. How to prevent it from executing: see later posts.

Autorun.inf is a virus.
Autorun.inf is actually not a virus. Rather, it is a file which defines the autorun task that executes when the removable media is inserted. This file was a method to create automatic installation CDs, such that the software installation starts immediately after the CD is inserted into the CD-ROM drive.
Viruses use this file in order to spread via USB flash drives.
A typical autorun.inf file created by a virus may look as follows:

[autorun]
open=path-to-virus-file.exe
explore=path-to-virus-file.exe

Hint: We can open this file using a text editor like notepad, see the path where the virus is located on your flash drive and then happily delete the virus executable file.

Lastly, a file looks like a genuine Windows file. How can it possibly be a virus?
Don't ever believe that just because it looks like a Windows file, it is a genuine file. The author of the virus program will try to make sure that you think the file is a genuine Windows file.
A file marked as a system file (see file attributes) does not necessarily imply that it is a system file required by Windows. In fact, most of the files in your system32 folder do not have the hidden or system attributes. If you find an executable file with the hidden / system attribute in the system32 directory, it is quite likely a virus.

Tuesday, March 22, 2011

Basic definitions

(These are definitions in my words. For more accurate definitions, refer wikipedia.)

Computer virus: It's a software program not desired to be running in your system. (Contrary to this definition, Microsoft products are not counted as viruses ;) :P).

Computer viruses show symptoms similar to living viruses (or, for that matter, humans too).
1. They hog your system resources.
2. They spread to other systems and infect them as well.
3. They can corrupt the data on your system for their own purpose: spreading.

There are multiple types of these unwanted programs like
- Virus,
- Spyware (these can upload your personal data to the web without your knowledge),
- keyloggers (mainly for stealing passwords),
- trojans (they try to steal your information and can allow an external user to control your computer),
- etc.
For more accurate definitions of these, please refer to Google / Wikipedia.

Antivirus: It's the program that does/tries/claims to remove virus threats from your system. It has definitions of known viruses as its database. These definitions are nothing but patterns that are commonly seen in these virus files.
Similar to antivirus, there are anti-spyware programs, which are designed to remove spyware from computer systems.

Firewall: Apart from virus infection of the files on your system, there is another source of threat: the network. Network threats include many types of attacks like IP address forging, DNS response forging, denial of service attacks etc. These network-related attacks are taken care of by the firewall; a firewall protects your computer against these network attacks. There are many more related terms, but those may not be required at this stage and will be covered in individual posts, if required.

Disclaimer

I am not a computer expert. These are some of my understandings, from what I read on the internet, software documentation and my own exploration. I won't take any legal responsibility if any damage is caused because of use of this information. The purpose of this blog is just knowledge sharing. This information is not universal and may not work in some cases.

Also, I have gathered this information from various sources. I will try to put in the references whenever I remember. But if I missed one somewhere, original authors, please forgive me and comment with the link to your post.

Happy reading.