Saturday, July 12, 2008

Working with malware

hi. it's been a long time since i was last here. one month, eh? that's pretty bad. anyway, the point of this post is that i was recently in school, and came across some malware - one of which isn't picked up by any antivirus program i know of as at now. these worms spread via USB storage (flash drives, external hard disks and so on). each copies itself to a clean device and also creates an autorun.inf entry on the device if one does not already exist (i can't tell what happens if it already exists). the one detected by AVG 8 Free has an executable named asp.net, and the one that isn't detected as at now has an executable named EXPLORER.EXE.

when i got to school, i had the 'privilege' of cleaning out two of my friends' computers. one was infected by the EXPLORER.EXE worm - which is easier to deal with if you don't have any antivirus installed - and the other was infected with the asp.net worm (if you have an antivirus that detects this, this is much easier to clean than without any antivirus, or one that doesn't detect it). let's start with the first.

(image: EXPLORER.EXE worm in Process Monitor)

normally, a Windows machine has a process called explorer.exe. this process usually serves both as the shell (the program you use to launch applications) and the file manager. the executable for this is located in C:\Windows, has version information that comes from Microsoft, has the 'My Computer' icon and is about 1MB on a Windows XP machine. this worm is about 36kB, has no icon, has the same version information as the legitimate explorer.exe and runs from C:\Windows\system32. to get rid of this worm, you'll need a couple of applications from Windows Sysinternals, specifically Autoruns and Process Explorer (you can also download the entire suite if you want - it contains both). launch Process Explorer (an excellent task manager for Windows), accept the license agreement if you need to, and kill the EXPLORER.EXE process that doesn't have the My Computer icon and is running from C:\Windows\system32. next, launch Autoruns, allow it to finish scanning, then delete the entries containing C:\Windows\system32\EXPLORER.EXE (use Ctrl-F if you need to search). lastly, get rid of the worm executable itself. open a command prompt, and run attrib -h -r -s C:\Windows\system32\EXPLORER.EXE, then del C:\Windows\system32\EXPLORER.EXE (the attrib step is needed because the worm sets the hidden, read-only and system attributes, and del refuses to touch a file with them set). this gets rid of the executable in its default location. your mileage will vary if Windows isn't installed on C:.

(image: EXPLORER.EXE worm in Autoruns)

the other one is much harder to deal with because it creates a 'non-existent' process, according to Process Explorer. in fact, the process won't even be displayed in the processes list. i had to search for it manually. going through the console to use taskkill with the process id won't work either. so we're going to do it in the reverse order. first, run Autoruns. search for appearances of asp.net autorunning, and disable them, don't delete them. that's because if the worm is still running, it will simply recreate those entries. once you've disabled the entries, you can note the locations of the worm and reboot so you can delete it from all its hiding places (for me it was C:\Windows\system32 and C:\Program Files\Common Files\Microsoft Shared\MSInfo). again, this worm is hidden and probably has the system attribute set, so you need to remove those flags first. i'd personally recommend getting a recent (and decent) virus removal tool to remove this particular nasty, as it not only infects removable drives, but also fixed drives on your computer.
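a small triage script covering both worms described above, as an added example that is not from the original post: it flags an explorer.exe that runs from somewhere other than C:\Windows (or is far smaller than the real shell), and reads a drive's autorun.inf to see whether it launches one of the two names mentioned here. the process list, the 100kB size threshold and the sample autorun.inf are constructed assumptions, not data from the post.

```python
import configparser
import ntpath

# executable names the post associates with the two worms
WORM_NAMES = {"explorer.exe", "asp.net"}

# constructed sample: the kind of autorun.inf a worm drops on a flash drive
SAMPLE_AUTORUN = "[AutoRun]\nopen=EXPLORER.EXE\nicon=EXPLORER.EXE\n"


def flag_explorer(processes):
    """Return paths of explorer.exe processes that look like the worm.

    `processes` is an iterable of (name, full_path, size_bytes). The real
    shell runs from C:\\Windows and is about 1MB; the worm described in the
    post runs from C:\\Windows\\system32 and is about 36kB. The 100kB cut-off
    is an assumed threshold between those two sizes.
    """
    flagged = []
    for name, path, size in processes:
        if name.lower() != "explorer.exe":
            continue
        if ntpath.dirname(path).lower() != r"c:\windows" or size < 100 * 1024:
            flagged.append(path)
    return flagged


def launch_target(inf_text):
    """Return the program an autorun.inf would run (open= or shellexecute=), or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return None  # not a usable INI file, so nothing would autorun
    for section in parser.sections():
        if section.lower() == "autorun":  # section name is case-insensitive on Windows
            return parser.get(section, "open", fallback=None) or \
                parser.get(section, "shellexecute", fallback=None)
    return None


def autorun_is_suspicious(inf_text):
    """True when the autorun target's file name matches one of the worm names."""
    target = launch_target(inf_text)
    if not target:
        return False
    exe = ntpath.basename(target.split()[0].strip('"')).lower()
    return exe in WORM_NAMES


if __name__ == "__main__":
    print(autorun_is_suspicious(SAMPLE_AUTORUN))  # → True
```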

well, hope this is of some use to someone. have fun!

UPDATE: After a couple of days carrying around the EXPLORER.EXE worm on my external hard drive, i found that McAfee picks it up when i connected it to a colleague's computer. as at that time, neither AVG 8 Free nor PC Tools Antivirus was detecting it as a worm.

1 comment:

lamikayty said...

Dipo has a blog! of course it has to be a techy blog!
thanks for this article. i'm printing it straightway to work on with my laptop at home! cheers!