
PC Special Feature

Kill worms dead!

by Simon Edwards

Using anti-virus software is no longer enough to keep your systems clear of malignant programs.
Simon Edwards explains how viruses work, how to discover an infection and how to recover from one.

You know computer viruses have hit the big time when the public is warned about them on a Monday morning by national television. Thousands of people arriving at work to be greeted by an unusable system is big news, so the computer virus has climbed the news agenda. The media generally puts the frighteners on computer users, but you don't have to be a security guru to minimise your chances of becoming infected. You don't have to be a genius to disinfect your computer either, but there's more to combating viruses than relying on the copy of Norton AntiVirus that came with your PC. We're going to show you how to become a virus killer.

Anti-virus software works reactively, relying largely on updates made available by the vendor. The speed at which these are created and made available directly affects the usefulness of the anti-virus program. When floppies were the main transport medium for viruses, this model of protection was sufficient. But the Internet, which allows viruses to spread faster than anti-virus companies can react, has reduced the effectiveness of anti-virus software. We need to be more aware of how to protect ourselves, above and beyond relying on £30 software packages.

Viruses have been multiplying exponentially every year since 1995, according to McAfee's research labs. This increase is largely due to the spread of Internet access from universities and forward-thinking companies to nearly every home in the developed world. Email, in particular, has long been the virus writers' friend. It has been many years since floppy disks posed the greatest threat to your computer. Instead, you're far more likely to receive an email message from a friend, politely offering you an attractive attached file. It seems that many of us are still happy to open these attachments despite relentless advice from the media to be wary.

But it's not just attachments and email we need to beware of: viruses are still making their way to us using tried and tested methods you might think software developers should have closed by now. Today's top virus is the Internet worm, which is back with a vengeance after its first outing in 1988. Combine a virus, a network and software containing security flaws and you get a worm, the first of which was written 16 years ago by Robert T Morris at Cornell University.

If you want to experience one first-hand, you only have to turn off your personal firewall and dial up the Internet using any free ISP to witness the dizzying effects of Blaster or one of its variants within just a few minutes. (Not that we recommend you try this!). Email viruses are very common too, and travel so fast that anti-virus vendors struggle to create the timely updates necessary for anti-virus mail and firewall systems, as well as for desktop programs.

If these threats weren't enough, it's very easy to accidentally download and install insidious spyware programs that in part hijack your computer and are, from a user's perspective, just as evil as a real virus. They often reduce a system's performance to the same degree as a worm.

This might seem like the end of the world, and you'll certainly feel rotten if it happens to you. In this workshop we're going to look at ten essential steps you should take after an attack. Some will help your PC back up on its feet, while others will help prevent a repetition of the horrors you've experienced.

KNOW YOUR ENEMY

With the odds stacked against us like this, it's hardly surprising that even security-savvy, professional PC users occasionally fall victim. In this article, we'll look at how you can protect yourself. We're not going to just recommend you install an anti-virus program and keep it up to date, because that's simply not sufficient to protect your PC.

To make sure you're thoroughly protected, you need to know your enemy, so we'll look at the different ways your PC can become infected with a virus, how you can tell when something is wrong, what you can do to remedy the situation and how to take steps to stop it ever happening again.

CATCHING THE VIRUS

At the moment, there are two main ways that your PC is likely to become virus infected: by an automatic Internet worm or by an email worm. Email worms need you to help run them, but Internet worms can infect your system and spread without your interaction. Internet worms, which target Windows vulnerabilities, are a major threat. Without a firewall in place, an Internet-connected system is living on borrowed time. In our experience this can be measured in seconds rather than days.

When Microsoft announced a vulnerability and a fix (security bulletin MS03-026) for its Windows NT, 2000 and XP operating systems in July 2003, many systems administrators rushed to update their systems. Many others, notably, didn't.

The vulnerability was a flaw in the Remote Procedure Call (RPC) service. An attacker could exploit this flaw and run code on the system, so this was clearly a real problem. You didn't need to be running Microsoft's Internet Information Server (IIS) to be at risk - every Windows system upwards from NT that was connected to the Internet and wasn't protected by a firewall could be hacked.

The following month a virus ripped across the Internet: the Blaster worm. Also known as Lovsan, it used the RPC vulnerability to run its own code on victim machines. Once in, it connected out to TCP port 135 on other systems, trying to infect them, and was scheduled to attack Microsoft's Windows Update servers a few days later. Users experienced crashing systems and very slow Internet dial-up connections as the worm consumed their bandwidth. Had they run a firewall that blocked inbound connections to port 135, the worm would have been unable to gain entry.

Had they patched their systems, they would have not only avoided infection but also have been invulnerable to the raft of Blaster copies that continue to plague the Internet. Nearly a year on, we're still finding systems infected with this virus.
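A worm such as Blaster shows itself on the network before it shows itself on the desktop: one machine opening connections to dozens of different addresses on the same port within a few seconds. The following script is an added example written for this article, not code from the author or from any firewall vendor. It runs over a constructed connection log (the line format is an assumption; real personal firewalls each log differently) and reports any source that reaches a threshold of distinct destinations on the ports the RPC and LSASS worms target within a short window:

```python
"""Worm-scan detector for personal-firewall connection logs.

Added example for this article, not the author's code or any vendor's.
Blaster and Sasser spread by opening connections to many addresses on the
same port (TCP 135 for the RPC flaw, TCP 445 for LSASS); a single host doing
that is the signature this looks for. The log format is an assumption.
"""
from collections import defaultdict
from datetime import datetime

WORM_PORTS = {135, 139, 445}   # RPC/DCOM (Blaster) and LSASS (Sasser, Korgo) targets
THRESHOLD = 10                 # distinct destinations on one port ...
WINDOW = 60                    # ... within this many seconds

# Constructed sample: "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <proto>".
# 192.168.1.10 is browsing and using a file server; 192.168.1.23 is scanning.
SAMPLE_LOG = """\
2004-08-12 09:00:01 192.168.1.10 -> 10.0.0.5:80 TCP
2004-08-12 09:00:02 192.168.1.10 -> 10.0.0.5:445 TCP
2004-08-12 09:00:03 192.168.1.10 -> 10.0.0.9:443 TCP
2004-08-12 09:00:05 192.168.1.23 -> 81.2.3.4:135 TCP
2004-08-12 09:00:06 192.168.1.23 -> 81.2.3.5:135 TCP
2004-08-12 09:00:07 192.168.1.23 -> 81.2.3.6:135 TCP
2004-08-12 09:00:08 192.168.1.23 -> 81.2.3.7:135 TCP
2004-08-12 09:00:09 192.168.1.23 -> 81.2.3.8:135 TCP
2004-08-12 09:00:10 192.168.1.23 -> 81.2.3.9:135 TCP
2004-08-12 09:00:11 192.168.1.23 -> 81.2.3.10:135 TCP
2004-08-12 09:00:12 192.168.1.23 -> 81.2.3.11:135 TCP
2004-08-12 09:00:13 192.168.1.23 -> 81.2.3.12:135 TCP
2004-08-12 09:00:14 192.168.1.23 -> 81.2.3.13:135 TCP
2004-08-12 09:00:15 192.168.1.23 -> 81.2.3.14:135 TCP
2004-08-12 09:00:16 192.168.1.23 -> 81.2.3.15:135 TCP
2004-08-12 09:00:20 192.168.1.10 -> 10.0.0.5:445 TCP
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    date, time, src, _arrow, dst, _proto = line.split()
    stamp = datetime.strptime(date + ' ' + time, '%Y-%m-%d %H:%M:%S')
    dst_ip, port = dst.rsplit(':', 1)
    return stamp, src, dst_ip, int(port)


def find_scanners(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (port, distinct_targets)} for hosts that look like worms."""
    events = defaultdict(list)                # (src, port) -> [(stamp, dst_ip), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst_ip, port = parse_line(line)
        if port in WORM_PORTS:
            events[(src, port)].append((stamp, dst_ip))
    hits = {}
    for (src, port), seq in events.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            # distinct targets reached within `window` seconds of this event
            targets = {dst for stamp, dst in seq[i:]
                       if (stamp - start).total_seconds() <= window}
            if len(targets) >= threshold:
                hits[src] = (port, len(targets))
                break
    return hits


if __name__ == '__main__':
    for src, (port, count) in find_scanners(SAMPLE_LOG).items():
        print('%s reached %d hosts on port %d inside %ds: probable worm'
              % (src, count, port, WINDOW))
```

On a real network, feed it the connection log your firewall writes. The threshold of ten hosts in a minute is deliberately low: a dial-up PC has no legitimate reason to open RPC connections to ten strangers at all, and a box that does is either infected or being used as a scanner.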

WHAT MAKES A SUCCESSFUL VIRUS?

Despite the cleverness of the original Blaster writer and its copycats, automatic Internet worms tend to peak and die down as systems become infected, cleaned and updated. But it's human naivety that remains the best tool in the virus writer's kit, and email viruses such as NetSky, MyDoom and Swen regularly dominate anti-virus companies' top threat lists.

The automatic worms Sasser and Korgo, which exploit a vulnerability in the Local Security Authority Subsystem Service (LSASS), have dominated the scene so far this year, but the majority of threats just previous to this were posed by email worms. It's likely that, as ISPs and systems administrators take measures against Sasser and Korgo, then email viruses will rise to take the top spots again.

Anti-virus articles usually give checklists of things you should do to avoid a virus infection. One of the most common and important pieces of advice they repeat is: be careful when opening email attachments. This is sensible, but it's clear that plenty of people are either unaware of this golden rule or are easily fooled into clicking on supposed JPEGs or reports. We clearly need help from anti-virus software and/or services. Besides, attachments are a very useful feature of email. It's simply not fair to expect most users to be able to analyse the probability of an attachment being a Trojan.

Here's a true story about how an IT journalist working for a rival magazine became infected with the Prolin worm, a similar virus to the better-known Melissa. It shows how following general advice doesn't always work, and why good anti-virus software is essential. 'M' received an email from a PR company. This company was best known for its main client at the time, a major software house. The email message read, 'A great Shockwave flash movie' and the attached file was called CREATIVE.EXE.

He knew the contact, and receiving a multimedia file with a name similar to the client company's isn't unusual. He opened the file and his PC became unusable. Had he kept his anti-virus software up to date, the IT department wouldn't have had to reformat his PC and reinstall everything; as it was, his data was lost for good.

The moral of this story: be sensible about attachments by all means, but don't think that being careful is a substitute for backups and updated anti-virus software.
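Since users can't be expected to judge every attachment, the check belongs at the mail gateway, before the message reaches the inbox. Here is an added example, not code from the article or from any product it names, that builds a message in the shape of the one M received (the addresses and the two extra attachments are invented) and applies three cheap tests to each attachment: an executable extension, a second extension hiding the real one, and a Windows executable header inside a file the message claims is something else:

```python
"""Attachment triage of the kind a mail gateway applies before a message
reaches the inbox. Added example, not code from the article or from any
product it names. Addresses and the extra attachments are invented; the
'MZ' bytes are a header-only stub, not a real program.
"""
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = {'exe', 'scr', 'pif', 'com', 'bat', 'cmd', 'vbs', 'js', 'hta'}


def triage_attachment(filename, content_type, payload):
    """Return a list of reasons to block this attachment (empty means none found)."""
    findings = []
    name = (filename or '').lower()
    parts = name.split('.')
    ext = parts[-1] if len(parts) > 1 else ''
    if ext in EXEC_EXTENSIONS:
        findings.append('executable extension .%s' % ext)
        if len(parts) > 2:
            findings.append('double extension: looks like .%s but runs as .%s'
                            % (parts[-2], ext))
    # The declared type and the name can both lie; the first two bytes of a
    # Windows executable cannot.
    if payload[:2] == b'MZ' and not content_type.startswith('application/'):
        findings.append('declared %s but the data is a Windows executable' % content_type)
    return findings


def triage_message(raw_bytes):
    """Return {filename: [findings]} for every attachment that should be held."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or '(unnamed)'
        findings = triage_attachment(name, part.get_content_type(),
                                     part.get_payload(decode=True) or b'')
        if findings:
            report[name] = findings
    return report


def build_sample():
    """Construct a message shaped like the Prolin one M received, plus two more attachments."""
    msg = EmailMessage()
    msg['From'] = 'pr@example.invalid'      # invented addresses
    msg['To'] = 'm@example.invalid'
    msg['Subject'] = 'A great Shockwave flash movie'
    msg.set_content('A great Shockwave flash movie')
    stub = b'MZ' + b'\0' * 62               # executable header only, no code
    msg.add_attachment(stub, maintype='application', subtype='octet-stream',
                       filename='CREATIVE.EXE')
    msg.add_attachment(stub, maintype='image', subtype='jpeg',
                       filename='holiday.jpg.scr')
    msg.add_attachment(b'%PDF-1.4\n', maintype='application', subtype='pdf',
                       filename='report.pdf')
    return msg.as_bytes()


if __name__ == '__main__':
    for name, reasons in triage_message(build_sample()).items():
        print(name, '->', '; '.join(reasons))
```

CREATIVE.EXE is caught on its extension alone, which is the whole point: a gateway can simply refuse to deliver executables, something a busy journalist cannot be expected to do message by message. The magic-byte test is what catches the file renamed to look like a picture.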

ARE YOU INFECTED?

What makes you think you've got a virus? It's easy to blame slow Internet connections, ageing hard disks and buggy software on a virus, so you need a more concrete way of investigating.

The typical signs of a virus are your Internet connection slowing to a crawl, annoying pop-up windows starting to appear even when you aren't using the Web, applications opening and closing on their own, your documents not saving properly, or error messages appearing more often than normal.

Recent, successful viruses don't make themselves too obvious, but there are some nasty ones around that will corrupt your files, fill your disk space or even wipe whole disks. If your file system starts misbehaving, suspect a virus.

On the other hand, if you receive complaints from people claiming you've been sending them email viruses, don't assume you're infected. It's possible that a virus has infected someone else's machine. It has found your address in their address book and spoofed itself as if you had sent it.

WHAT DID YOU DO LAST?

If your PC has been acting strangely recently, try to remember what you might have done. This includes installing new hardware, updating an application with a patch or disabling firewall software when online. New hardware could be causing a non-virus-related problem, while a program patch could be corrupt and causing crashes. But if it's been obtained from an unorthodox source, it could be a Trojan. Disabling personal firewall software on a dial-up connection isn't a good idea, and doing so even for a few minutes opens a window of opportunity for a worm.

Be brutally honest with yourself. If you've visited a pornographic website, then come to terms with the fact and understand that there's a growing trend for some websites to try to install software on your system. While not viruses per se, diallers that call premium numbers are still an expensive nuisance. Similarly, if you've installed pirated or cracked software, consider this another likely route for a virus to get on to your PC.

Spyware programs can install themselves when you visit a website. And once installed, they report your online activities to marketing websites and generally affect your system's performance. Some use unsubtle techniques, such as offering to install their software and only giving you one option - to accept. If you remember doing this you're probably running some spyware, also commonly known as adware.

Also, if you recently opened an email attachment and discovered it was either empty or didn't contain what you expected, then you might have unleashed a virus on your system.

INVESTIGATING

The easiest thing to do is install some anti-virus software and let it do its job. Unless its virus definitions are out of date, it should identify and remove the infection. However, sometimes a virus won't allow this, so you need to do things manually. Either way, it makes sense to identify the virus and research it further, so you can work out how it gained entry in the first place and avoid a repetition. This should also help you choose an appropriate removal tool if you're unable to run your anti-virus software.

The first step is straightforward: try running an online virus scanner. Most will allow you to scan for free, although not all will solve your problem unless you sign up and pay. If you can get an Internet connection going, and the virus hasn't blocked access to anti-virus websites, visit one of the following: Free Online Virus and Security Check (www.symantec.com), McAfee FreeScan (www.mcafee.com) or Online Virus Scanner (www.kaspersky.co.uk). This last one only scans suspicious files that you upload manually; it doesn't check your whole system.

If you can't get online using the infected system, make a note of the symptoms affecting your PC and log on using a different PC.

There are many virus databases available that list the various viruses and their symptoms, but one of the best is Symantec's: http://securityresponse.symantec.com/avcenter

REMOVE THE VIRUS

Once you've found out what's infecting your system, download one of the free removal tools that anti-virus vendors kindly offer on their websites. Copy the files to a floppy disk or CD and run them on the infected PC. McAfee's Stinger program is an excellent choice and the download executable file is less than 1MB, so it conveniently fits on a floppy disk. Kaspersky Labs has several utilities at www.kaspersky.co.uk/removaltools and if you can't find what you need there, Symantec has a larger collection at http://securityresponse.symantec.com/avcenter/tools.list.html


McAfee's Stinger currently detects and removes 41 viruses, Trojans and other nasty programs for free.

Although not a virus, a spyware program can have similar symptoms. Anti-virus programs often won't detect this type of threat, although they're starting to improve in this area. For now, free tools, such as Lavasoft's Ad-aware (www.lavasoft.de) and Spybot - Search & Destroy (www.safer-networking.org), are excellent additions to your anti-malware toolkit.

Even if you've never had a virus outbreak, download these files and store them on your PC. Keep your library up to date and if the unmentionable should happen - leaving you without Internet access - you'll be well prepared.

TO CLEAN OR NOT TO CLEAN?

Anti-virus programs usually deal with infected files in one of three ways. The default option is usually to try to clean the file, removing the infected code from the document or executable file. Alternatives include deleting the file or leaving it alone. The last option isn't sensible for most people, but there are also disadvantages to cleaning a file.

Windows executable files use the Portable Executable (PE) format, which is complex. When a virus interferes with a PE file there's a risk the infected program will become unstable. However, the virus writer will do their best to keep things running as smoothly as possible, otherwise their creation will be discovered too soon, thereby foiling their objective of spreading the code to other PCs. Removing this code from the EXE file is very hard to do, and even if most of the virus is removed, there's still a chance that small amounts of it will be left behind. This can cause the program to become unstable at best, and potentially damaging at worst.


An infected Portable Executable file: virus code can remain even after anti-virus software has attempted to clean it.

In the diagram (see above) you can see a representation of an infected PE file. The virus has attached itself to the end of the Code section of the program file. During the infection process it has edited the PE file's internal records that determine the structure of the program. To fully clean this virus out, an anti-virus program would have to calculate the changes and reverse the process, while removing the viral code, which is extremely hard to do. In reality there's also a good chance that some of the virus' code will remain, which is represented in the right-hand side of the diagram.

Even if the newly cleaned program appears to work, there's no guarantee that, under certain circumstances, it won't crash or even run the remaining virus code. Installing a new service pack could, for example, cause problems.
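The diagram's point can be checked mechanically. The following is an added example, not the author's code or any anti-virus vendor's, and it goes a little beyond the single case in the text of a virus appended to the code section: it reads a PE file's section table and flags the layouts file infectors leave behind, namely an entry point moved into the last section, into a section not marked as code, or into one that is writable as well as executable. The two images it audits are constructed, headers-only samples with no real program in them:

```python
"""Heuristic audit of a PE file's section table.

Added example for this article, not code from the author or from any
anti-virus vendor. It flags the layout an appending file infector leaves
behind: an entry point redirected into the last section, into memory that
is not marked as code, or into a section that is writable as well as
executable. A real analysis would go further (imports, overlay data,
checksums), but the section table alone catches the crude cases.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER: 40 bytes, little-endian


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics), ...])."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('PE signature missing')
    nsect = struct.unpack_from('<H', data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from('<H', data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from('<H', data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                              # PE32 or PE32+
        raise ValueError('unexpected optional header magic 0x%x' % magic)
    entry_rva = struct.unpack_from('<I', data, opt_off + 16)[0]  # same offset in both formats
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        name = f[0].rstrip(b'\0').decode('ascii', 'replace')
        sections.append((name, f[2], f[1], f[3], f[9]))
    return entry_rva, sections


def audit(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = None
    for idx, (name, vaddr, vsize, rawsize, chars) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            home = idx
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append('section %s is both writable and executable' % name)
    if home is None:
        findings.append('entry point 0x%x lies outside every section' % entry_rva)
        return findings
    name, vaddr, vsize, rawsize, chars = sections[home]
    if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append('entry point is in non-code section %s' % name)
    if home == len(sections) - 1 and len(sections) > 1:
        findings.append('entry point is in the last section (%s), typical of an appended infector' % name)
    return findings


def build_pe(sections, entry_rva):
    """Construct a headers-only PE32 image for the demonstration (constructed sample, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                # e_lfanew: PE header at offset 64
    file_hdr = struct.pack('<4sHHIIIHH', b'PE\0\0', 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 16, entry_rva)
    table = b''.join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b'\0'),
                    vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, rawptr, chars in sections)
    return bytes(dos) + file_hdr + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
CLEAN = build_pe([('.text', 0x1000, 0x800, 0x800, 0x400, CODE),
                  ('.data', 0x2000, 0x200, 0x200, 0xC00, DATA)], entry_rva=0x1010)

# The same layout after a hypothetical infector has appended a writable,
# executable section and pointed AddressOfEntryPoint at it.
INFECTED = build_pe([('.text', 0x1000, 0x800, 0x800, 0x400, CODE),
                     ('.data', 0x2000, 0x200, 0x200, 0xC00, DATA),
                     ('.virus', 0x3000, 0x600, 0x600, 0xE00, CODE | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x3000)

if __name__ == '__main__':
    for label, image in (('clean', CLEAN), ('infected', INFECTED)):
        print(label, audit(image) or ['no findings'])
```

Run it against a real file with audit(open(path, 'rb').read()). A finding here is a reason to delete and reinstall rather than clean; a clean result proves nothing, since a careful infector can keep the section table looking normal.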

The best thing to do is to delete the infected file and restore the application from a backup. Alternatively, reinstall it from the original discs. This has the advantage of ensuring that infected backups aren't used.

If you still don't trust that the system has been sufficiently cleared of viruses, the next step is to remove your potentially infected data files and restore them from a backup that was made earlier than the infection date.

However, if you can't calculate when the system first became infected, then you can check with one of the anti-virus databases (see Investigating), which should give you an indication of when the virus first became known. Symantec's site reports that the NetSky.Z virus was discovered on 20 April 2004. If you were infected by this virus, restore data and application backups dated a few days before this date just to be sure.

As a last resort you could reinstall your entire operating system, suites of applications and start from scratch all over again. Home users without important data files, and who have the time, might find this an attractive option, as restoring everything to a 'virgin' state will certainly remove any trace of the virus.

Businesses taking this route will need to ensure that the data being deleted is archived somewhere securely before the disks are formatted. They should also ensure they know what virus caused the problem, and how it came to infect the system. Otherwise it could reappear on the clean system, wasting further valuable man hours as the computer is re-cleaned.

THE END?

Now that your system is back to its old self, you'll want to take steps to stop this ever happening again. Unless you're a virus researcher, you won't want to spend all your time reading about the latest threats. The best approach is to shift the worry onto someone else, which means installing some red hot anti-virus software and possibly subscribing to a managed anti-virus service such as MessageLabs' email system, which catches viruses before they arrive in your inbox.

ISPs are also starting to add anti-virus to their email services. If you run your own mail servers, you should also consider adding anti-virus software directly to those machines, as well as using desktop scanners, to provide defence in depth.

So which anti-virus package should you choose? Contrary to what you might have read elsewhere, the user interface is not the main differentiating factor between products. In tests, we've found significant differences in detection abilities between well-known packages. We'll be testing anti-virus software for the desktop over the coming months and publish the results before Christmas. For now, you won't go far wrong with offerings from Kaspersky Labs and F-Secure.

Finally, keep up to date with Windows updates and install a firewall. Standalone firewall boxes, such as those made by SonicWALL, are ideal and less vulnerable to attacks than personal firewalls.

However, installing the free ZoneAlarm program is much better than not bothering with a firewall at all. Market-leading products include the aforementioned ZoneAlarm, ISS BlackICE PC Protection, Sygate Personal Firewall Pro 5.5 and F-Secure Internet Security 2004, which includes a top-class anti-virus package alongside a solid firewall. And Zone Labs has just joined the all-in-one brigade too, with its A-Listed ZoneAlarm Security Suite (see PC Pro, issue 119, September 2004 p72).

With competent security measures, and the knowledge that you can recover from a breach should it happen, there's no need to live in fear of viruses again.

TYPES OF VIRUSES

Classifying viruses isn't as easy as it used to be. Modern virus writers often combine different techniques to keep their offspring well-hidden, or to enable them to spread as quickly as possible. The results are hybrid threats that don't fit comfortably into a set category of virus. For example, programs designed to hide on a system and allow an attacker to control it remotely are usually called back doors or Trojans, as opposed to viruses, because they don't replicate.

But many viruses now include an element of remote control and usually appear to be something appealing in order to trick the victim into running it. By looking at the vulnerabilities that viruses target, it's still possible to categorise harmful files.

Boot: This venerable type of virus infects either the boot sector of a floppy disk or the boot sector or Master Boot Record (MBR) of a hard disk. Not as common as they used to be, but boot viruses remain potentially very dangerous.

Worm: This type of virus attacks vulnerabilities in an application or operating system. It programs infected computers to search for other vulnerable systems. Email worms send themselves out as email attachments.

Macro: Abusing scripting features of programs such as Microsoft Office applications, macro viruses can infect word-processing, spreadsheet and database documents. They can carry destructive payloads that may format hard disks.

Back doors/Trojans: Not strictly viruses, because they don't replicate, these programs run hidden in the background of a victim's computer and allow an attacker to connect and control the system remotely.

Other: There are a few other odd viruses that are fortunately rare, but also highly innovative. Some use Windows CHM help files, others can hide in PDF files. The Peach VBS is an example of a PDF Trojan. In May 2004, Rugrat, the first virus to target 64-bit Windows on Intel's Itanium processors, appeared. The Phage virus, discovered in 2000, infects Palm handhelds, and as far back as 1998 a virus writer created the first Java virus, StrangeBrew, which infected Java class files.

ANATOMY OF A VIRUS

It might not look as exciting as the contents of a dissection table at Roswell, but the screenshot below shows exactly what the NetSky virus actually looks like, specifically W32/NetSky.Z-mm's top-level routines that are called to perform malicious operations on your system.

This is the view that anti-virus researchers see when they analyse new viruses. The software used to take the virus apart is IDA Pro Disassembler and Debugger (www.datarescue.com/idabase). This analysis comes courtesy of Maksym Schipka, Senior AV Researcher at MessageLabs.

1 The virus checks for today's date and compares it against 25 January 2005.

2 If the date is after that, the virus removes itself from the system by deleting its Registry keys and then exits. This trick is used to prevent further variants of this virus overloading the system and interfering with any new and bright ideas the virus writer might come up with.

3 If the date is before 25 January 2005, the virus starts a separate thread to defend itself against the vast majority of anti-virus scanners, firewalls and other protective utilities. It tries to kill the processes belonging to these programs.

4 The virus reports its presence to several URLs, which allegedly belong to the virus writer or to people associated with the writer, or to systems hacked by these same people.

5 It starts a back door thread, allowing the virus writer to control the infected system.

6 The virus looks for P2P shares, including Kazaa, and copies itself to them. It pretends to be an attractive file. For example, it can name itself as 'Microsoft Office 2003 Crack, Working!.exe', 'Porno Screensaver.scr' and 'Adobe Photoshop 9 full.exe', to name just a few of its options.

7 Finally, the virus hides its self-defence routines and waits for somebody to connect to its back door.

NetSky also sends itself out via email in large quantities, using email addresses it gathers from the infected system. This is a small selection of the anti-virus, firewall and other utilities that NetSky.Z tries to disable:

Firewalls: Agnitum Outpost, ISS BlackICE Defender, Kerio Personal Firewall, Norton Internet Security, ZoneAlarm Pro

Anti-virus: AVG Anti-Virus, Kaspersky Anti-Virus, McAfee VirusScan, Norton AntiVirus, Trend Micro PC-cillin

Utilities: LockDown Professional, Microsoft Dr Watson, Moosoft The Cleaner, Norton Disk Doctor, WinRecon

WINDOWS XP SYSTEM RESTORE

System Restore protects important system files in a part of the file system that users, their programs, hackers and virus writers are, in theory, not able to access. This means that if certain operating system files become corrupted, are deleted or otherwise damaged, the original files can be copied back. You can manually create Restore points, and Windows will also take snapshots when certain situations arise, such as when installing Windows updates, drivers and so on.

Unfortunately, System Restore can actually provide a haven for viruses. It’s quite common for an infected file to be copied into the System Restore archive (the hidden System Volume Information folder on each drive), and once there it’s out of reach of anti-virus software. Your utilities might detect the viruses, but System Restore will prevent them from deleting or cleaning them. Even worse, if you were ever to restore your system to an earlier point, you risk reinstating the infected files.

It might worry those with a cautious nature, but the only solution is to temporarily disable System Restore, and then run the anti-virus program’s scanner. It will then be able to remove the infection. The problem with this is that all of your previous Restore points will be lost. However, the only alternative to this is to undergo a complete reinstallation or suffer from a reinfection.


To disable System Restore in Windows XP, open the Control Panel and double-click the System icon. Click on the System Restore tab and tick the box called Turn off System Restore. Click OK and answer Yes to the prompt that warns you that your Restore points files will be lost.


Once you’ve disabled System Restore, run your choice of anti-virus program. If it’s any good it will remove the infected files. Choose to delete, rather than clean the files.


HOW TO RECOVER YOUR SYSTEM

REMOVING A VIRUS USING AN ONLINE SCANNER

McAfee FreeScan is one of many online services that effectively install an anti-virus scanner on your system over an Internet connection. In most cases a free online scanner will identify the virus but not remove it. For that luxury you need to buy the full package, or subscribe to the online service on a monthly basis.

The problem with using an online scanner is that you have to install software after an infection, and that installation might fail: the virus could block it, or stop it reporting correctly.

If it does successfully identify any viruses on your PC, you don’t necessarily need to pay for a subscription. If you have the time and energy, use one of the free removal tools available, often downloadable from the same websites as the online scanner.


In most cases, free online scanners identify any viruses infecting your PC, but won’t remove them.

USING A FREE TOOL TO REMOVE A VIRUS MANUALLY

Once you know what viruses are on your system, visit one of the sites listed in Remove the virus and download the relevant tool. In our example case, the system holds a copy of NetSky.C so we’ve downloaded FxNetsky from Symantec’s download area of its security site. If you use System Restore, don’t forget to disable it before running the tool, and re-enable it after the viruses have been removed (see Windows XP System Restore).

After running the tool, your system should be virus-free. Keep copies of the free removal tools in a safe place, and update them regularly. Sometimes, though, your system could become so damaged by a virus that it will no longer boot, and these programs won’t run. In cases like this, you’ll need to boot from a rescue disk and run a command-line scanner.


The most welcome dialog box you will ever see in computing.

USING A RESCUE DISK TO DELETE AN INFECTION

Some anti-virus packages come with a bootable floppy disk or CD, while others allow you to make one yourself. The advantage of the latter approach is that you can include the latest updates. Bootable rescue disks allow you to fix a Windows installation that can no longer boot, perhaps because of damage caused by a virus.

Kaspersky Labs Anti-Virus Pro 4.5 has a Rescue Disk feature that lets you create a single boot floppy and a set of disks containing the virus definitions, known as bases. The boot disk runs Linux, which is able to read a large range of file systems, including NTFS. This is very important if you use Windows XP. A regular DOS boot disk won’t be able to read an NTFS partition without a lot of help.

Update the software’s definitions and create the disk set. You’ll need at least four disks. Write-protect them, then boot the infected system with the boot disk and load the bases disks when prompted. The rescue system will automatically scan your disks. If you’re not used to Linux then its interface might worry you, but you don’t have to do much other than answer yes/no questions every so often.


Create a rescue disk yourself, so you can include all the latest updates.


First Published in PC Pro, issue 119, September 2004.

The above article is © Dennis Publishing Limited 2004. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.