Aug 2, 2007

[Security] Checking for tell-tale signs of malware infection

If you suspect that your computer has been infected by malware, what can you do to confirm the infection?

Here's one thing that your antivirus vendor won't tell you: they cannot block a new piece of malware if they have no detection for it yet. So it is very possible for you to get infected, especially if you are not careful.

Generally, check the following to find out if your computer is infected:

1. Running applications and processes
2. The system registry
3. New files
4. Open ports

We'll discuss the first two, as the latter two are more complicated and technical.

Most malware is memory-resident, meaning it stays in memory once executed. So to check, you can use the Windows Task Manager. To open the Task Manager, press Ctrl+Alt+Del or Ctrl+Shift+Esc. Check the Applications tab for unknown or unfamiliar names. Terminate them if necessary.

However, some malware uses techniques that hide it from Task Manager or prevent you from terminating it. In that case a third-party process manager is necessary (for example, Process Explorer).

Check the process name. One time, I encountered a process named "WORDPAD.COM". The problem is that the file name of the real WordPad is "WORDPAD.EXE".

Check whether the file actually exists on disk. In the same example, WORDPAD.COM was not present on my system.

Check which file the process points to. This tells you which file to delete, or to submit to AV companies for analysis.

Most malware creates registry entries so that it starts whenever Windows boots up - this is what we call an autostart technique.

Tweaking the registry is not for the faint-hearted. One mistake and you might have to reinstall the operating system, or an application affected by your mistake. It is better to back up the registry before doing any tweaking.

To view the registry, click Start, then Run. Type "REGEDIT.EXE" and then click Ok.

To back up your registry, click File on the main menu of the Registry Editor, then click on Export.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Check the entries in the right pane for suspicious file names. If you have to delete entries, do so, as long as you know what you are doing.

Also, check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
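The two checks above (autostart entries under the Run keys, and processes whose backing file is missing, like the WORDPAD.COM case) can be scripted. The following is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later, and the helper name `Get-CommandPath` is my own. It only reports, it never deletes anything.

```powershell
# Added example (not from the original post). Lists the entries in the two
# Run keys named above, resolves each to its executable and flags the ones
# worth a second look, then lists running processes whose image file is gone.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Metadata properties Get-ItemProperty adds to every result; not Run entries.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable path from a Run-key command line, which is either
# "C:\path with spaces\app.exe" /flag   or   C:\path\app.exe /flag
function Get-CommandPath([string]$CommandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps }).Name
    foreach ($name in $names) {
        $path  = Get-CommandPath $props.$name
        $flags = @()
        # Autostart pointing at a file that no longer exists: leftover or deleted malware
        if (-not (Test-Path -LiteralPath $path)) { $flags += 'file missing' }
        # .exe is the norm; .com/.scr/.pif/.bat autostarts deserve attention (cf. WORDPAD.COM)
        if ([IO.Path]::GetExtension($path) -ne '.exe') { $flags += 'unusual extension' }
        # Autostarts outside Program Files / Windows are not necessarily bad, but verify them
        if ($path -notmatch '^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\') {
            $flags += 'outside system dirs'
        }
        [PSCustomObject]@{ Key = $key; Name = $name; Path = $path; Flags = ($flags -join ', ') }
    }
}

# Running processes whose backing file cannot be found on disk (the WORDPAD.COM case).
# Path is empty for protected/system processes, so those are skipped rather than flagged.
Get-Process | Where-Object { $_.Path -and -not (Test-Path -LiteralPath $_.Path) } |
    Select-Object Id, ProcessName, Path
```

Run it from an elevated PowerShell prompt so that the paths of other users' processes are readable; entries flagged only as "outside system dirs" are common for legitimate per-user software, so treat that flag as a prompt to check, not a verdict.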
