Uncovering a Virus/Trojan

Getting done with the first part really got my juices flowing. I was shopping looking and thinking about this next article. I came up to only one option turning this into a 3-5 length post due to all the content that I will have.  So where did we leave off?  Oh that is right figuring out if you have a virus/Trojan.  The instant I made a post about this 12 hours later someone make a comment and here is what he said:
[ad#ad2-right]

Rene Van Belzen

I can’t wait to read part two of this article. I always wondered how you’d know you’re infected if a virus don’t want to be detected and no virus definitions are yet available, because the virus is so new.

Now the truth is anytime a Virus does something it usually leaves a footprint somewhere and somehow.   Even the hardest working hacker can’t plan for all possibilities and that is where we begin.   I have been helping people for a while with viruses and know that no matter how hard the virus tries to hide you can usually find it relatively quickly and easily do to virus check here are the ways I’ve done to figure out if they may or may not have a virus/Trojan.

Now if this is a client’s computer and you don’t want to be rude to the client, there are a few indications of user error and installing a virus.   This is relatively simple, all you do is do a quick inventory of all the start menu programs.  You’d want to look for any P2P file sharing program, If they have Firefox Installed, and if they are using Window Mail and not Thunderbird.   You see 80% to 90% of virus downloaded are installed by the End USER.  They either downloading a game and installing a virus with [ad#ad2-left]a game, or not protecting themselves by using Internet Explorer or Using Windows Mail.  That is usually my first step due to the fact, I’ve got to be diplomatic about finding out about security ways.  Also make sure they are up to date on there Window updates, unless they are using a really old system then you will have to work even harder.  Also you can suspect a virus if the client is talking about having problem with a program recently although this isn’t always true it sometimes is the case due to the fact hackers don’t have a big chance to test these viruses/Trojans out before they set them into the wild.  So there are always going to be unplanned problems associated with them.

After the first initial search of desktop, you should really know the likely hood of a possible virus getting on the system and later we will talk about counter measures to prevent virus attacks in the future.   There are a few places a hacker likes to put commands.   Hackers love to put in the Registry to run a program every time Windows starts.  It usually in:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Usually 50% to 70% of virus like to make sure the program to runs.  This is a flaw in Windows because hackers can edit this without much effort but there isn’t many places a hacker can go to make sure a program is set to run when you boot.   So this is also a benifit to finding those little programs.

Now just like the Regisitry, Hackers also like to put programs in a few areas on the hard drive.   This is also kinda hard to hide because most of the time these are consider important to the system but if you know what to look for you can pretty much figure out if it is truelly a system file.  These areas of the hard drive are:

  • C:\WINDOWS\System32[ad#ad2-right]
  • C:\WINDOWS
  • %programfiles%\common files\microsoft shared
  • %windir%\temp\

These are just a few but if you look hard enough it can be found most of the time.   Most of the time I use the registry to tell me where these programs are so I can do a further check of the program.  Some of this is not needed with some of the programs that I recommend but this is for those who want to be a through job and make sure the virus is gone.

On my next post we will talk about some good tools for the trade to help get rid of a virus/Trojan.  This little step here is used to  better help identify a virus and also give you chance to google each name on the list of registry and the hard drive  to see if you can identify the virus.

Internet Explorer still has a Vulnerability after Tuesday Patch!!

I just read this on several blogs and thought I’d share the details with you, it seems that Microsoft didn’t know there was a problem with this Bug/Vulnerability.   Computer world has a great article and  says this:

[ad#ad2-right]“The updates Microsoft released yesterday do not address this possible vulnerability,” a Microsoft spokesman said today in an e-mail reply to questions, “but I can tell you that Microsoft is investigating these new public claims of a possible vulnerability in Internet Explorer.”


[Via ComputerWorld]

I can only hope that Microsoft fixes this Vulnerability soon, I would take a guess that they will try to get this out on the patch cycle if not they will push it out after.   Some things to remember with IE(Internet Explorer) is only use it with Microsoft Updates.   I also Suggest downloading FireFox and checking out my Anti-virus and Anti-Spyrware Page for ways to prevent from getting a virus.

The Important Windows patches Released Today

As many of you know we talked about the Non-critical patches that Microsoft will release today.  IF you want to read those please go and check it out.   I’ll be talking about the REALLY important ones that Microsoft has kept tight until now.    These are the more important ones but I will list the ones that I previous talked about to better help people recognize the non-important ones:

[ad#ad2-right]

  • KB955839
  • KB957388
  • KB890830
  • KB905866
  • These are just the tip of the iceberg. although this list are not A lot.  I’d wanted to let people know about what people coin “Exploit Wednesday“.  I really don’t know if this is a Myth or actually does exist but I’d figure we discuss the problems associated with installing the critical updates and try to tell you which ones should be installed As soon as possible.  Though people have in the past used a Virtual Machine to see if there is any problem, that should be your first step if you don’t want to have any problems with these updates.  I don’t suggest testing it more than a couple days.  Here are some good Virtual Machine software to try out yourself:

    Here is the list of updates that are critical that Microsoft released today.   Each one of these are quite important and should be considered installed when you get a chance.

    [ad#ad2-left]Microsoft Security Bulletin MS08-073 – Critical
    Cumulative Security Update for Internet Explorer (KB958215)

    This security update resolves four privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Microsoft Security Bulletin MS08-071 – Critical
    Vulnerabilities in GDI Could Allow Remote Code Execution (KB956802)

    This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    [ad#ad2-right]Microsoft Security Bulletin MS08-075 – Critical
    Vulnerabilities in Windows Search Could Allow Remote Code Execution (KB959349)

    This security update resolves two privately reported vulnerabilities in Windows Search. These vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    KB952069
    (not quite sure what this one is, when I go do a Google search this is what pops up. It was in German but Google translated it for me)

    In the Windows Media Runtime to the default in Windows XP SP3 contains Windows Media Player (WMP) 9 were discovered vulnerabilities that could allow an attacker to compromise your Windows-based system and gain control over it. See Security Bulletin MS08-076 ( englisch bzw. deutsch ) See Security Bulletin MS08-076 (English or German)

    These are just ones that I found and wanted to let you know, the others have been explained on the other article.  So check them all out and I suggest installing them quickly as possible.

    trojan.zlob removal tricks!!

    [ad#ad2-right]

    Aliases:
    Trojan-Downloader.Win32.Zlob.qyl (Kaspersky)
    Trojan-Downloader.Win32.Zlob.qzs (Kaspersky)
    Trojan-Downloader.Win32.Zlob.qzn (Kaspersky)
    Trojan.Zlob.CPP (BitDefender)
    Puper (McAfee)
    SystemDefender (Symantec)

    Trojan:Win32/Zlob.G is a component of Win32/Zlob that downloads rogue security programs, adware, and additional Win32/Zlob components.

    [Via Windows Live OneCare]

    [ad#ad2-left]This one just popped up today on my radar it seems to be a very low threat on everyone’s radar according to my sources say “Trojan.Zlob.G is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and search page.”  So to remove this little Trojan you would want to download one an Anti-virus and firewall.   Once you install the software the program should fix the problem for you.   This one seems to be really easy to fix.   So Please read my post on how to better protect your self if you want to prevent this in the future.

    Trojan.PWS.ChromeInject.A is not a Firefox plugin.

    A new type of malware designed to harvest web passwords has been detected in-the-wild by BitDefender’s antivirus research labs. This latest e-threat – called Trojan.PWS.ChromeInject.A – is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox’s Plugin folder. Once installed it gets to work every time Firefox is started.

    [Via Bitdefender]

    [ad#ad2-right]So having seen this I thought I’d come up with ways around this to better protect yourself.  One way to prevent this from getting your sensitive data is to get a program like Sandboxie.   You could stop using Firefox that would be silly, because right now Firefox is more secure than Chrome and Internet Explorer.   I’d also suggest checking out my Anti-spyware page and Anti-Virus page and get some more protection.

    The key to this virus protection is just be cautious of where you go and keep all you system update to date to prevent all this from happening.  It is also advisable to not have your passwords saved on Firefox, you should use something like Roboform, it is free  to download and try.  It will encrypt your passwords so if they don’t know the master password then they are out of luck.  Roboform is also good for coming up with some strong passwords.  Just some suggestions to prevent from people seeing your sensitive data, you don’t want anyone to get that data.