Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 4. Viruses in a Windows World

4.7 Removing Infected Files

This section assumes that you or your virus scanner has already identified the infected files.

4.7.1 Research the Virus

Go to the Web and learn as much about the virus as you can from a reliable source, such as your antivirus vendor's write-up: which files it infects, which startup areas it modifies, and whether it installs a service. That information guides its removal.

4.7.2 Stop Any Virus Services

Viruses like Remote Explorer install themselves as a Windows NT service. If you have identified the malicious service's name, go to Control Panel → Services, select the service, click Startup, and set the startup type to Disabled. This prevents the malicious service from restarting automatically during a reboot; if NT lets you, also click Stop so the service is out of memory before you touch its files.

4.7.3 Boot to the Command-line Mode

As in the detection process, the goal is to keep the virus out of memory while you disinfect. On Windows 3.x, 9x, or NT with FAT partitions, boot from a known-clean, write-protected DOS diskette and work from the DOS prompt. DOS cannot read NTFS partitions, so those require a clean NT boot diskette or another clean NT installation that can mount the drive.

4.7.4 Delete and Replace Infected Files

If a virus scanner doesn't clean the virus out of the host file, you should delete the file and restore from a clean source. Often I'll rename suspected or identified virus files with a .VIR extension. With that extension, they are not likely to cause further harm, but it allows me to reverse the process if I'm mistaken.

In-Use File Replacement

Many users do not have an Emergency Repair Disk, a Windows NT boot disk, or the device drivers necessary to create a workable boot disk and reach the data on the NTFS partitions. In such cases, you have to let NT boot in order to reach the partitions and the infected files (which now may be in memory). Occasionally the infected files you need to delete or replace are locked in use, and NT refuses to delete or overwrite them. This is especially frustrating when you have a virus-infected .SYS file and cannot get the system clean until the file is gone. In this case, you have a few different options.

First, you can try tricking Windows NT into letting you get rid of the file. It doesn't work often, but it does work. Instead of deleting the file(s) with Explorer, use the REN and COPY commands at the command prompt. NT locks a running executable against deletion and overwriting, but on NTFS it often still allows the file to be renamed, which has almost the same effect as deleting it: the locked copy is moved out of the way, and you can then copy a fresh version of the file into the original's place, which takes effect at the next reboot. You can also try copying a clean copy of the file from another location over the infected one. The command-line tools are less strict about file attributes and locks than Explorer is.

Second, you can perform a parallel install of NT. This involves installing a fresh copy of NT to a new subdirectory. Once the new copy is loaded, you can access the old system files and data, make your changes, and then boot back to the old system. Because this can take hours, it's not my favorite choice.

Third, you can use the registry (Microsoft Knowledge Base Article Q181345) to have the file copied during the next boot, before anything has opened the locked file. Using REGEDT32.EXE, locate the key HKLM\System\CurrentControlSet\Control\Session Manager. Create a new value named PendingFileRenameOperations with a data type of REG_MULTI_SZ and two lines of data: \??\c:\<sourcedir>\<sourcefile> on the first line and !\??\c:\<destdir>\<destfile> on the second. The \??\ prefix is the NT object-namespace form of the path, and the leading ! tells the Session Manager to replace the destination even though it already exists. Quit the editor to save your changes, copy the fresh file into the source directory named in the data, and restart the PC. Early in the boot, before the locked file is in use, the Session Manager moves the source file over the destination and then clears the value, so the operation runs only once. If the value already exists (installers use it for the same purpose), append your two lines to the existing data rather than replacing it.

Fourth, Microsoft provides two utilities (Knowledge Base Article Q288930), MV.EXE and INUSE.EXE, which can be downloaded and used to replace locked files. INUSE.EXE works the same way as the registry method, queuing the replacement to happen at the next restart.

4.7.5 Clean Up Startup Areas

If a virus has modified your startup areas (the registry Run keys, WIN.INI, SYSTEM.INI, AUTOEXEC.BAT, CONFIG.SYS, WINSTART.BAT, DOSSTART.BAT, or the Startup group), you will want to clean those areas up. In Windows 98 and ME you can use MSCONFIG.EXE to disable malicious startup programs without editing the files by hand. On the other platforms, you will have to edit the files and registry keys yourself. Disable the entry rather than deleting the file it points to until you are sure of what it is; a shell= line in SYSTEM.INI that names a missing file leaves Windows 9x without a desktop.
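For the manual inspection just described, here is an added example (not from the book) in Python that audits the WIN.INI and SYSTEM.INI startup entries: it flags a non-empty load= or run= line, a shell= line that is anything other than exactly explorer.exe, and any [386Enh] device= line that loads something other than a built-in VxD. The two INI samples are constructed for the illustration, and the updater.exe and updvxd.386 names they contain are invented.

```python
# Added example (not from the book): audit the WIN.INI and SYSTEM.INI startup
# areas for entries a virus could have added.  The two INI samples below are
# constructed for this illustration; the programs they name are made up.
import re

# On a clean Windows 9x system load= and run= are empty and shell= is
# exactly explorer.exe; anything appended to shell= runs at every logon.
DEFAULT_SHELL = "explorer.exe"


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys such as
    the repeated device= lines in [386Enh]; section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_startup_ini(win_ini_text, system_ini_text):
    """Return (file, entry, value) tuples for every startup entry that is not
    in its clean-system default state.  [386Enh] device= lines naming a
    built-in VxD (leading '*') are skipped; any other device= line is
    reported for review because it loads a driver at boot."""
    findings = []
    win = parse_ini(win_ini_text)
    for key, value in win.get("windows", []):
        if key in ("load", "run") and value:
            findings.append(("WIN.INI", f"[windows] {key}=", value))
    sys_ini = parse_ini(system_ini_text)
    for key, value in sys_ini.get("boot", []):
        if key == "shell" and value.lower() != DEFAULT_SHELL:
            findings.append(("SYSTEM.INI", "[boot] shell=", value))
    for key, value in sys_ini.get("386enh", []):
        if key == "device" and not value.startswith("*"):
            findings.append(("SYSTEM.INI", "[386Enh] device=", value))
    return findings


# Constructed sample files; the updater.exe and updvxd.386 entries are invented.
SAMPLE_WIN_INI = r"""
[windows]
load=
run=c:\windows\updater.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""
[boot]
shell=explorer.exe c:\windows\updater.exe
[386Enh]
device=*vshare
device=*vcd
device=c:\windows\system\updvxd.386
"""

if __name__ == "__main__":
    for finding in audit_startup_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%-10s %-20s %s" % finding)
```

Run it against copies of the real INI files taken from the clean DOS prompt, and treat every reported line as something to identify before you remove it; a device= entry may well be a legitimate third-party driver.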

4.7.6 Replace Registry to Remove Malicious Startup Programs

Most people are not registry experts and don't feel comfortable making customized changes to the registry. In these cases, it may be easier to restore a previously saved copy of the registry over the virus-modified version in order to stop virus programs from launching at startup. The Registry menu in REGEDIT.EXE allows complete copies, or just parts, of the registry to be exported and imported.

Restoring an older copy of your registry can cause problems, because legitimate changes made since the backup are also wiped out, and a backup taken after the infection restores the virus's startup entries along with everything else.

Windows 95 registry restoration

The backup copies of the Windows 95 registry, SYSTEM.DA0 and USER.DA0, can be copied over their working counterparts, SYSTEM.DAT and USER.DAT. Windows 95 keeps these files open, so you must boot from a clean diskette to overwrite them; they are also hidden, read-only system files, so clear those attributes with ATTRIB first. Windows 95 refreshes the .DA0 copies at each successful startup, so if the machine has restarted since the infection, the backup already contains the virus's changes. The Windows 95 CD-ROM includes a utility called the Emergency Recovery Utility (ERU). It can be used to create a Windows 95 emergency boot diskette with copies of your registry and startup configuration files, such as AUTOEXEC.BAT and CONFIG.SYS.

Windows 98 and ME registry restoration

Windows 98 and ME include the Registry Checker (Start → Programs → Accessories → System Tools → System Information → Tools → Registry Checker), which can be used to back up your registry at any time. It also runs at each boot, and if it finds a corrupt registry, it replaces the bad version with a backup copy. The Registry Checker (SCANREG.EXE) keeps, by default, your five most recent registry versions. You can boot to DOS and run SCANREG /RESTORE to restore any of those copies; choose one dated before the infection.

Windows NT registry restoration

Windows NT's registry editor, REGEDT32.EXE, can save and restore individual hives or the whole registry (Registry → Save Key and Restore Key). You can also run RDISK.EXE with the /S parameter to back up the registry database to the %SystemRoot%\repair directory and an Emergency Repair Disk (the /S switch includes the SAM and SECURITY hives), and later use NT Setup's Repair option to restore the registry from it. Windows 2000 has no RDISK: its Emergency Repair Disk, created from the Backup utility, does not hold a copy of the registry because the registry is too large to fit on a single diskette. Instead, check "Also back up the registry to the repair directory" when creating the disk, which copies the hives to %SystemRoot%\repair\RegBack, where the Recovery Console can reach them.

Unlike Windows 9x, which automatically saves a copy of the whole registry after each successful restart, Windows NT backs up only part of the registry, and stores that backup inside the live registry. The HKLM\System hive, which records which devices and services to start during the NT boot process, is kept in several numbered control sets (ControlSet001, ControlSet002, and so on); CurrentControlSet is not a separate copy but a link to the set in use. The values under HKLM\System\Select record which numbered set is Current, Default, and LastKnownGood. During boot, NT lets you press the spacebar and then L to load the Last Known Good configuration, which is the control set named by the LastKnownGood value (often, but not always, ControlSet002). Otherwise the Default set is loaded and becomes CurrentControlSet. NT copies the current set to Last Known Good after each successful logon, so if anyone has logged on since the infection, the "good" copy already contains the malicious service entry.

4.7.7 Using System Recovery Tools

Using most Windows system recovery tools requires that you back up, save, and record the system while it is clean. These tools do too little to help you after a malicious code attack if you haven't done the preparatory work beforehand.

First, always make a system startup diskette during the system's installation, or at least have one on hand from a similar machine. With most Windows operating systems, you can make an emergency repair diskette that records critical system files and settings. Windows 9x lets you make a startup disk during installation (and later from Add/Remove Programs → Startup Disk). NT 4.0 uses RDISK.EXE /S. Windows 2000 uses Start → Programs → Accessories → System Tools → Backup → Tools → Create an Emergency Repair Disk. The registry in Windows 2000 is too large to fit on one disk, so to back it up, perform a full tape backup that includes the System State. Startup disks can be used to boot the machine and access the disk partition while minimizing the chance that a virus is in memory. The ERD can be used to restore some system files and, on NT 4.0, the registry (the Windows 2000 ERD holds no registry copy).

Backing up the system state

Windows 2000, ME, and XP have the ability to back up and restore crucial system files. Windows ME does it automatically with the System Restore feature, creating a restore point every 10 hours of uptime; Windows XP does so daily and before driver installations and system updates. In Windows ME choose Start → Programs → Accessories → System Tools → System Restore → Choose a Restore Point, and pick a date when you know your system was clean; Windows shows in bold every date that has a restore point. Because System Restore keeps its own copies of files, a restore point taken after the infection brings the virus back. Once the system is clean, turn System Restore off and on again to discard the infected restore points.

The Windows 2000 System State is part of the Backup program and covers the boot files, system files, the registry, and all files protected by Windows File Protection (WFP). To back it up, use Start → Programs → Accessories → System Tools → Backup, select the Backup tab, and check System State. Restoring the System State is an all-or-nothing decision; it cannot be done selectively, file by file.

Windows Recovery Console

The Windows 2000 Recovery Console is a text-mode command-line environment that gives an administrator access to the hard disks of a Windows 2000 installation regardless of the file system used (FAT, FAT32, or NTFS). From it you can manage files and folders, enable or disable services, and repair critical system files, the registry, boot sector, MBR, and partition table. It is an excellent tool for removing computer viruses, because nothing from the infected installation is running while you work. Install it while Windows 2000 is running: with the Windows 2000 CD-ROM in the drive, choose Start → Run, enter <CD-ROM drive letter>\i386\WinNT32.EXE /cmdcons, press Enter, follow the instructions, and restart your PC when prompted.

The Recovery Console does not start on its own, even when the registry or boot sector is corrupt. Once installed, it appears as an entry in the boot loader's operating system menu (not in the F8 advanced options menu), and it can also be reached without installing it by booting from the Windows 2000 setup CD-ROM and choosing R for Repair. Either way you must supply the local Administrator password before you get a prompt, so a machine whose Administrator password is unknown cannot be repaired this way. The console contains many other commands, such as CHKDSK, FIXBOOT, and FIXMBR (covered elsewhere); type HELP at the console prompt for the complete list.

4.7.8 Restore from a Tape Backup

In the event that you suffer damage due to a malicious mobile code attack, and none of the previous steps removes the virus and repairs the damage, restore files from your most recent backup. Make sure the backup predates the infection: restoring files backed up while the virus was active simply reinstalls it.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security). ISBN: 156592682X. Year: 2001. Pages: 176.