Detox-Comic

Pro-active Computer Virus protection

I've received many emails from DTX readers requesting help with their virus problems. So I have decided to write a general article to make you more aware of what you yourself can do to prevent further infections, how to look at your PC for possible viruses that your virus killer may not detect yet and how to be more aware of what you as a PC user today can do to protect yourself from viruses and malicious programs.

Note: This article is written with a PC user running a Microsoft Windows based Operating System in mind.

Being over-protective.

It pays to be a wary online surfer today, with viruses and malicious programs being reported in the news almost daily. Having a virus killer installed is a must, and keeping it up to date with the latest virus definition files at least once a week is essential. This process, however, is reactive rather than pro-active: the virus has to have been detected before an anti-virus definition for it can be created. So someone out there (or lots of someones) gets infected with a new strain of virus, the anti-virus community investigates, and virus definition files are updated to recognise the new virus. You then download and install the new virus definition file and run a scan of your system.

The following tips will reduce your risk to viruses and malicious programs and are worth knowing and implementing.

  • If you must use Microsoft Outlook/Outlook Express then turn off auto-preview. The Outlook email program is the one most likely to be targeted by viruses.
  • Never open an email from someone you do not know, especially if it contains an attachment.
  • Delete all junk email or configure a junk email filter to get rid of spam.
  • Never open Microsoft Word (.DOC) files that you received via email in Word. If you want to see what they contain, save them to a temporary folder and open them in WordPad. WordPad has no macro support, so an embedded macro virus cannot run.
  • Avoid downloading any software from a source you do not trust. Even then, scan it for viruses first with your virus killer program using the latest definition file available.
  • If you must use P2P software, download the files to a directory and scan them for viruses before you use them. (The chances of catching a virus via P2P file sharing are very high.)
  • Do not store anything in the default My Documents folder. Some viruses look here for files to delete, extract information from or email to someone. Create a directory somewhere else and give it a name like 'Paul's Files'.
  • Back up essential files as often as possible. CDRs cost very little these days. Virus-scan your files before you back them up.
  • Switch on Internet Connection Firewall in Windows XP if you use a dial-up connection.
  • Become familiar with the files stored in your Downloaded Program Files directory, located within your Windows installation directory. If new files appear here but with old or no creation dates, be very suspicious. Right-click on the file name, select Properties and look at the CodeBase field. Is it a dialer program?
  • If any files look suspicious you can delete them (to Recycle Bin) or move them to a directory such as Quarantine. If they turn out to be harmless and are required by another program you can always move them back later.
  • Clear out your Recycle Bin on a regular basis.
  • Run System Information often (Start>Programs>Accessories>System Tools) and in Software Environment, look in your Startup Programs folder for any programs that look suspicious.
  • Set Internet Explorer to prompt you to download any ActiveX components so you can see what web pages are trying to install on your PC rather than just blindly accepting everything.
  • After you have finished using Internet Explorer for the day, go to Tools>Internet Options and delete the files in Temporary Internet Files.
  • Run WindowsUpdate and install all critical updates from Microsoft (once a week is advisable).
  • Check in your registry for any suspicious programs under HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run

Removing a virus

Ok. Let's say that your PC has been infected with a virus or you believe it has. What should you do now?

First off, turn on your PC, or restart it if it is already on, and as it starts to boot press F8 once a second until you get the Windows boot menu. If you miss it and Windows starts loading, press CTRL+ALT+DEL. Do not press your reset button, as your hard drive could be damaged.

  • Make sure you have the latest virus definition file for your antivirus software or a tool designed to remove the virus that you believe/know has infected your PC.
  • Select SAFE MODE from the menu. Allow the PC to boot into Windows Safe Mode.
  • Backup your registry. To do this run regedit and select Export registry file from the Registry menu. Give your export a name and select ALL.
  • Still in regedit, go to HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run and remove any values pointing to a virus.
  • Disable System Restore in XP. (My Computer>Properties>System Restore)
  • Use your virus removal software at this point or find the virus files if you know where they are and erase (SHIFT+DEL) them (not delete to Recycle Bin).
  • Install any Microsoft Security patches now for this particular virus.
  • Enable System Restore.
  • Reboot your machine.

Finding a web dialer virus

The following locations on Windows machines are where you can generally find web dialer viruses:

Directory Structure:

Note: WINDIR means your Windows installation directory and can be WINDOWS, WINNT, etc.

  • Start menu
  • WINDIR\
  • WINDIR\SYSTEM\
  • WINDIR\SYSTEM32\
  • WINDIR\WINDIALUP\
  • Program Files\dialers\
  • Program Files\webdialer\
  • Documents and Settings\Administrator\Desktop\Mijn Weirdmovies.exe
  • Documents and Settings\Administrator\Start Menu\Mijn Weirdmovies.exe

Registry:

  • HKEY_CURRENT_USER\RemoteAccess\
  • HKEY_CURRENT_USER\RemoteAccess\Profile\
  • HKEY_LOCAL_MACHINE\Software\DKSoftware\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKEY_LOCAL_MACHINE\Software\WindowsRTS "SerialID"
  • HKEY_CLASSES_ROOT\MS-Connect.Scriptfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Comsoft

File names:

  • msite18.exe
  • webdialer.*
  • wininetd.*
  • Mijn Weirdmovies.exe
  • live_girls.exe
  • instantpleasure.exe
  • 0190Alarm.exe
  • 0190Killer.exe
  • Warn0910.exe
  • SmartSurfer.exe
  • hh.exe
  • dc.exe
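The registry tip above (checking the CurrentVersion\Run key) and the dialer indicators listed in this section can be combined into one offline check. The script below is an added example, not part of the original article: it parses a regedit export (the kind the removal steps tell you to make) and flags Run entries whose image path matches the file names or directories listed above. The sample export is constructed, and the HKEY_CURRENT_USER Run key is an assumption added alongside the article's HKEY_LOCAL_MACHINE key.

```python
import re

# Auto-start key the article says to inspect (lower-cased), plus its per-user twin.
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
# Indicators copied from the dialer section above, compared case-insensitively.
DIALER_NAMES = {"msite18.exe", "mijn weirdmovies.exe", "live_girls.exe", "instantpleasure.exe",
                "0190alarm.exe", "0190killer.exe", "warn0910.exe", "smartsurfer.exe", "hh.exe", "dc.exe"}
DIALER_PREFIXES = ("webdialer.", "wininetd.")
DIALER_DIRS = ("\\windialup\\", "\\program files\\dialers\\", "\\program files\\webdialer\\",
               "\\desktop\\", "\\start menu\\")
# "name"="value" lines of a regedit export; REG_SZ only, hex(...) values are skipped.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def image_path(command):
    # First token of a Run command line: a quoted path, or text up to the first space.
    m = re.match(r'"([^"]*)"|(\S*)', command.strip())
    return m.group(1) if m.group(1) is not None else m.group(2)

def audit_reg_export(text):
    # Returns (key, value name, image path, reasons) for each suspicious Run entry.
    findings, key, in_run_key = [], "", False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):       # [HKEY_...] key header
            key = line[1:-1]
            in_run_key = key.lower() in RUN_KEYS
            continue
        m = _VALUE.match(line)
        if not (in_run_key and m):
            continue
        unescape = lambda s: re.sub(r"\\(.)", r"\1", s)        # regedit writes \\ and \"
        name, path = unescape(m.group(1)), image_path(unescape(m.group(2)))
        low, base = path.lower(), path.lower().rsplit("\\", 1)[-1]
        reasons = []
        if base in DIALER_NAMES or base.startswith(DIALER_PREFIXES):
            reasons.append("file name is on the dialer list")
        if any(d in low for d in DIALER_DIRS):
            reasons.append("runs from a location on the dialer list")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings

# Constructed sample export; real ones are UTF-16, so read them with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WebDialer"="C:\\WINDOWS\\WINDIALUP\\webdialer.exe /autostart"
"Movies"="\"C:\\Documents and Settings\\Administrator\\Desktop\\Mijn Weirdmovies.exe\" /s"
'''
```

Running audit_reg_export(SAMPLE_EXPORT) reports the WebDialer and Movies entries and leaves ctfmon alone; as the summary says, a hit is a reason to scan or quarantine, not proof by itself.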

Summary

OK, in summary, it pays to be suspicious of anything on your PC that you do not recognise. However, a suspect file can have a legitimate reason for being there, so it is always worth scanning your system with up-to-date antivirus software first. If you are still not sure, you can quarantine the suspect file somewhere, and if a program refuses to work afterwards because it needs the file you have quarantined, you can always put it back.

From the above article you now have an understanding of how a computer virus works. This article does tend to lean more towards web dialer viruses, as this is my area of expertise. However, not all viruses follow this pattern of infection. The general virus procedure is as follows:

  • Infect a user's computer, either by being run directly on the computer via techniques such as ActiveX, Java or email attachments, or as a standalone executable, or as code embedded in an executable.
  • Ensure that I can run: either put a link to myself in the startup directory or in the registry's Run keys, or attach myself to an executable that is run often on this user's computer, such as a program in the Windows, System or Program Files directory. I might even pretend to be a program like notepad.exe and, once I am run, call the real program, which I have renamed to something else, so the user thinks notepad is running and is not suspicious.
  • Copy myself into memory so that if I am discovered on the hard drive and deleted, I can save another copy of myself. Or I can use virtual storage space on the hard drive in case the computer is rebooted in an attempt to wipe me from memory.
  • Next I must execute the task I am designed to complete, whether that is to cause damage, replicate, steal data, cause network congestion or dial a number.

And that's it in summary. A virus basically has four goals:

  1. Infection
  2. Execution
  3. Stealth/Replication
  4. Payload

If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at dave@detoxcomic.com.

Article updated - 21-May-2006