Friday, January 29, 2010

Manually Killing Viruses, Part 3

Hunting for viruses in the Registry...
The most obvious startup location in the Registry is...

The following are normally empty...

It gets more complex beyond that...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows /v AppInit_DLLs (this is normally blank)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" and "UserInit" values often are edited by viruses, sometimes loading worms or Trojans.

If the computer is un-bootable, and you're booted of a Rescue CD, then you need to load Registry hives off the hard drive. To do this, you need to launch Regedit and expand HKEY_USERS. With HKEY_USERS highlighted, click "File", "Load Hive...", and browse to C:\WINDOWS\system32\config\. Make sure you're loading from the correct drive, or you're wasting your time. If booted from a rescue CD, the Rescue CD's Windows folder will be the default. Make sure you pay attention and get to the correct, infected, hives. Give them sensible names.
Load "SOFTWARE" and "SYSTEM", naming them something that makes sense. Or name them anything beginning with any letter after "S" so that alphabetically the hives you load always drop below the other normal hives. This is because you'll be doing searches and it's faster to search only the loaded hives.

Next, load all the user profiles which create HKEY_CURRENT_USER when users are logged on. These hives are called NTUSER.DAT and are stored at the root of every profile...
C:\Documents and Settings\%username%\NTUSER.DAT

Some don't realize that HKEY_CLASSES_ROOT is identical to HKEY_LOCAL_MACHINE\SOFTWARE\Classes. When you load the "SOFTWARE" hive, you effectively get full access to HKEY_CLASSES_ROOT through the ...\Classes key.
Look into every startup location as mentioned above.

In the System hive, you'll be looking for malicious services. It helps to have a healthy Windows XP machine to compare with. Still, there is some guess-work. Proprietary OEMs like to add tons of mostly legitimate craplets. That's what I call the 30-50 odd-ball "goodies" that HP, Gateway, Sony, Dell, etc. like to infest new computers with so that they run like crap. Since these things usually cause more degradation that value, if you accidentally break one of these, thinking it's a virus, no real harm done.

You need to look at all the suspicious DLL's and EXE's that you carved out of \Windows\ and \System 32\. Copy the names and search the loaded hives. This is how you find where they're activated. In doing this, you sometimes find out that the files are okay, and you can put them back. Other times, you get confirmation that they're malicious.

When you're done, always unload the hives. If you forget, things usually tend to unload okay anyways, but sometimes it will corrupt the hives (or the logs) and make things worse.

This whole set of posts is abbreviated. There really are too many sneaky places in the Registry to launch threats to mention all of them. Many replace Windows files with malicious files, diverting normal functions. Others create new services and functions.

Finally, check C:\boot.ini to see if anything is bogus.

When you believe you've carved the worst out, try booting off the normal hard drive.

Tuesday, January 26, 2010

Manually Killing Viruses, Part 2

It helps to have a healthy example of every OS to compare a viral computer with. Not sure exactly what the healthy Registry key should be? Look on your XP example machine.
And of course you have to have another computer connected to the Internet to Google any questions. Look up info on files, Registry values, viruses, cleaning and repair advice in various situations...

So we left off with temp files deleted and you sorted the Windows and System 32 folders to see what the most recently modified files were. And you moved suspicious files to a dormant folder we named C:\Suspicious.
You can also do the same inside the Program Files folder. You can move entire folders.

Browse to every Startup folder in every profile on the computer and look for links to suspicious executables.
Check all Favorites, QuickLaunches, Desktops, etc. for evil links.
Check Microsoft Office Startup folders for C:\Program Files\Microsoft Office\Office12\STARTUP and \XLSTART and every profiles startup folders for Word and Excel.

If they have a legal copy of McAfee, you can download the latest McAfee definitions, expand them, and run a commandline scan. Example for the SuperDAT definition file named "sdat5873.exe"...
- Download the DAT or SuperDAT to the McAfee installation folder. Also download the latest engine.
- Then open a command prompt at the same path and run the following command...
sdat5873.exe /e
- Then run 5400eng.exe to update the McAfee engine. If this fails, you're dead in the water until you get the computer booted the hard way.
These files will not expand unless you have a legal McAfee license.
You may not get much feedback when the def's expand, so open Task Manager and watch until sdat5873.exe drops out of memory. On a slow computer, it can take 15 minutes. On a fast computer, it can take 20 seconds.
- Assuming all went well, and both the engine and the def's are expanded, you should see quite a few files, one being scan.exe and several ending in .dat. In the same command-prompt path, launch a scan with the following command...
scan.exe /adl /all /noexpire /clean /rpterr /report c:\ScanRpt.txt
This can take an hour.

You can do the same sort of things for Norton/Symantec - download various stand-alone tools and start scanning.
You can also scan using tools that come on the UltimateBootCD4Win. There are all sorts of anti-virus and anti-malware scanners on the CD.

While that's churning, you can browse suspicious files some more.
One of the crafty things malicious hackers do is they might take legitimate Microsoft files and rename them. So you might do a cursory glance and file properties and see that it is labeled as a Microsoft file. It looks legit. But pay attention. Sometimes they'll take something like tftp.dll and rename it to something else, like ftfp.dll. Their code might use trivial ftp to open a conduit for the hacker to take control of your computer, or send your passwords or credit card account numbers. So make sure that the file name matches the what the properties say it is. A mismatch is definitely suspicious.
To avoid DLL-hell, Windows will sometimes keep multiple copies of one DLL on the hard drive. They obviously have to have different names. Depending on what version of a DLL is required, Windows will register a DLL by an alias, and then when loaded into memory, an alias'd DLL is loaded with the proper name so that the program works. So just because a DLL has a different name doesn't necessarily prove that it's bad, but if it looks suspicious, like tftp does, you should move it to the C:\Suspicious folder.

This concludes part 2.
Next, we'll get to the Registry.
Only a geek would think this is fun.

Monday, January 25, 2010

Manually Killing Viruses, Part 1

This is mostly for Windows XP, since I've never personally seen OSX, Vista, or Windows 7 with a virus. The latter three can get viruses, but they tend not to because they have a far better OS design.

I was recently presented with the most virus-infested junk-heap I've ever seen. First, it was clogged with cat hair and dust. Second, it REEKED of cigarette smoke! Every time I turned it on, I gagged.
This computer was running Windows Media Center Edition SP3, but it was unbootable. It kept prompting to restore from the Sony recovery partition that would reformat the hard drive. This would have nuked about 2,000 songs, video clips, and movies. It would also have taken several licensed products with it, including Office 2007.

Geek Squad wanted $200 just to "look" at it. No offense - they're just making a living. I'm sure they would have just reformatted and handed it back with a $300-$400 bill. I fixed it for $40, since she was a friend and co-worker.

My primary tool in these situations is the Ultimate Boot CD 4 Windows. This developed from BartPE, which is almost an historical name, now. But those of us who participated in developing it felt like pioneers. I may have been the first person to build a bootable USB stick, with Windows XP on it, but the computer I was trying to use wasn't USB-bootable as Dell had claimed. Two weeks after someone else had succeeded, I got a Dell D800 that I successfully booted my USB stick to - the same one that had been built three weeks before.

Enough nostalgia...
Booting to the UltimateBootCD4Win allows you to be a virtual god. The viral hard drive is dormant - nothing on the hard drive is running.
I boot from a 4GB USB stick. The boot-image is only 512MB - the USB boot-image limit. But that doesn't matter. The boot image ends up being drive X: and the rest of the space on the USB stick is whatever drive letter is available after the other drives have been enumerated.

The strategy/mentality is thus... Every virus in the past 10 years seems to be a "blended threat", meaning you never get infected with just one bug. You end up with a virus, a few worms, and a Trojan or two. There's often a root-kit installed, too.
So, booting from the UltimateBootCD4Win, I browse to the C: drive.
- Save time and delete all temp files...
-- C:\Windows\Temp
-- C:\Documents and Settings\%userprofile%\Local Settings\Temp
-- C:\Documents and Settings\%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\ (delete all folders and index.dat, but leave desktop.ini)
Do a searching delete of all files ending in .tmp, .del, .dmp, .chk, or beginning with tilde (~).
Now look at all the old Windows patch folders that collect in the Windows folder. Delete every old folder and log file that you know you'll never want to uninstall. Usually that means keeping anywhere from 3 months to a year - no more.
This saves time from then on when running scans and searches because now there are fewer files on the hard drive. And you probably broke several viruses in the process.
- Next, analyze the contents of C:\Windows\ and C:\Windows\System32\, sorting by date/time. Some legit files update every second, like the Windows XP licensing file wpa.dbl, so this is an example of an important good file. Many of the others will be viruses. Don't just start deleting everything unless you know for sure. If you don't know for sure, then try moving them to a folder, like C:\Suspicious\. Recreate the folder structure inside there. Wherever you take a file, drop it in the same folder, like C:\Suspicious\Windows\System32\. That way when you're finished, and you decide some files are safe, you can put them back.

This concludes part 1 - the easy preliminary steps. It gets more complex in following chapters.