Original URL: http://www.theregister.co.uk/2004/11/11/av_workshop/
Gadzooks! My PC has the pox
Windows virus cleanup primer
Workshop There's no shortage on advice of how to avoid catching a computer virus: use up to date anti-virus software and install a firewall. Be careful about unsolicited attachments. Use an alternative browser. Stop using Windows! But when it comes to advice about disinfecting contaminated PCs advice is thin on the ground.
Corporates have access to extensive support and (likely) internal specialists. But for home users and small businesses this lack of knowledge is a real problem.
Often people resorting to searching on the net for an explanation of why their computer is performing oddly. Sometimes this quest takes them to our door. The ensuing conversations follow a familiar pattern "My girlfriend's / wife's PC is infected by a virus and I don't know what to do...". Less frequently, men (it's always blokes who call in about computer viruses) call us up about spoofed, virally-contaminated email ostensibly coming from our domain.
Five years or so ago disinfection was a straightforward process. Run an up to date anti-virus program and follow the instructions to cleanse infection. Voila!
The latest generation of viruses (MyDoom et al) are designed to allow attackers to take over infected computers. Virus writers have gone out of their way to disguise their presence and make them harder to remove. Worms, the class of malware that can spread without any user interaction, have also progressed. Blaster exploits a well known Remote Procedure Call (RPC) in Windows to spread. Infection often results in PCs becoming unstable in many cases preventing users reaching the internet to download a fix. All users would see is a shutdown error that would baffle most home users.
Anti-virus companies say that the advice on cleaning up a virus varies with the infection. While there's some truth in this a number of general points can be made. Think of these as pointers rather than definitive advice. In essence, this is a three stage process:
- Recognise infection has taken place and stop the viral process
- Protect your Windows box
- Remove the worm or virus and repair any changes it has made to a system
My PC is a sick puppy
Your machine is running slow, IE is taking you to porn sites instead of your normal home page or your PC has become unstable. All signs of possible viral infection. The most straightforward way to determine if a PC has the pox is to run an anti-virus scanner, loaded with up to date signature files. For home users antivirus company GRISoft makes its AVG package available for free to home users.
Unfortunately over the last year or so, AVG has become less useful. Typical problems include flagging up infected files but offer no immediate way of deleting them. An alternative antivirus scanner is Avast. CA's eTrust scanner works well but tends to available to users for free only during special promotions. None are currently taking place. One useful alternative still available is a free version of Romanian firm BitDefender's AV scanner.
Most anti-virus scanners are available for a free evaluation period (typically 30 days). This might be the best option to get a system back up and running for some people. Many anti-virus vendors also make scanners available as a Web service application.
For example, consumers can use the free Symantec Security Check here. This will scan the PC and run a hacker exposure check, windows vulnerability check, Trojan horse check, anti-virus product check and virus protection update check. The virus check will produce a report of the results. Trend Micro and Panda Software offer similar services called Housecall and Panda Active Scan respectively. A useful list of free anti-virus scanners can be found here.
None of this is much good if you can't access the internet, of course. Worms like Blaster effectively prevent users from accessing the internet. Users have to first kill the Msblast.exe process in Windows Task Manager before they can get anywhere. Instructions on doing this can be found here but will doubtless vary with the emergence of new worms.
The best advice we can offer in these circumstances is to find an alternative machine that still has access to the internet, search for information on the sites of anti-virus firms and Microsoft, and print out instructions from there.
Protect and survive
Once you've stopped the viral process the next thing you need to do is shore up your PC's defences. A personal firewall is one of the best defences against worms like Blaster. XP users can turn on the firewall that ships with the product. Installing SP2 will do this automatically. Alternatively, consumers can use free firewall products from Zone Alarm, Kerio Technologies or Agnitum Outpost Personal Firewall.
Next up, you need to update Windows. It's little use removing an instance of Blaster, for example, if you leave the vulnerability it exploited intact. Probably the most straightforward way to do this is to turn on Windows Update. Or, for those wary of agreeing to the installation of DRM components you'd rather not have, you can install the specific update you need. Protection against the latest Bofra worm is currently unavailable, unless users move up to Windows XP SP2, so we're seeing a reduction in choice in this area.
Once your system is patched you should update your antivirus software and run it to detect and remove virus infection. XP users will need to turn off system restore before doing this or else you might subsequently revert to a time your system was contaminated. Depending of your anti-virus scanner you may need to restart your machine and go into safe mode before running a scan. Viruses commonly make changes in IE settings, so flushing the cache and making sure you're pointing towards a site of your choice, rather than a site running exploit code, is a necessary step. You're then ready to run an anti-virus scanner repeatedly until a scan comes back clean or until you can't make any further progress.
By now you should have disabled the infection on your system. But you still need to apply tools to remove infections from your PC. In the case of Blaster, Microsoft made a clean-up tool available. Apps to get rid of common viruses such as MyDoom are available from vendors like Symantec and these need to be downloaded from their sites and run to remove malware.
Spyware, annoying programs that snoop on a user's actions or worse, is becoming an increasing problem. The line between spyware, ad-ware (which causes annoying ads to pop up on PCs) and viruses is blurring. Anti-virus scanners are not designed to ferret out spyware.
Fortunately free spyware scanners are available (list here). And the good news is that free products like Spybot Search and Destroy are good at reversing the changes that virus infections make to contaminated systems.
Even with all these tools at your disposal it's still possible that you won't be able to restore your system to full health. Modern viruses make changes to Windows that are difficult to reverse. This is why you should back up important data.
It's good practice to reinstall Windows every 12 months or so as the many interdependencies of the OS can result it becoming slow and unreliable without an annual clean.
This isn't ideal and many users might be tempted to move over to alternatives like Linux and Macs that are far less subject to viral assault. However the wealth of applications available on Windows means that the majority of home users are likely to stick with the OS for the foreseeable future.
Email-borne infections are the most common route to viral infection. Installing P2P apps and surfing for porn are also potentially hazardous activities. But users can also get infected through browser vulnerabilities, an infection route used by Bofra. The problem of email viruses has stimulated the growth in services from companies like MessageLabs, Black Spider and Avecho, whixch filter out spam and malicious code from email traffic. That still leaves web traffic as a route to infection, a gap in the market ScanSafe is seeking to address. Meanwhile host-based intrusion prevention firms are seeking to prevent malicious code running on Windows boxes, creating a new product category in the security market. PrevX recently released host-based intrusion prevention software targeted at consumers, called Prevx Home. It's currently free. For users not looking to go the whole hog, it's easy to enhance Windows security simply by replacing common applications, utilities, and clients with open-source alternatives, such as Firefox and Thunderbird.
Whatever route you choose to protect you PC from malware remember what they said in The Hill Street Blues: Let's be careful out there. ®
Big guns back UK IT security drive
UK preps major security awareness campaign
Computer Security: a handbook for the ordinary user
Blaster rewrites Windows worm rules
Blaster clean-up tool was stellar success MS
Bofra worm sets trap for unwary