Computer viruses
INTRODUCTION
Contents:
• How to determine whether your computer is infected with a computer virus, a worm, or a trojan
• How to recover from an infection
• How to prevent future infections from a computer virus
What is a computer virus?
A computer virus is a small software program that spreads from one computer to another computer and that interferes with computer operation. A computer virus may corrupt or delete data on a computer, use an e-mail program to spread the virus to other computers, or even delete everything on the hard disk.
Computer viruses are most easily spread by attachments in e-mail messages or by instant messaging messages. Therefore, you must never open an e-mail attachment unless you know who sent the message or unless you are expecting the e-mail attachment. Computer viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Computer viruses also spread by using downloads on the Internet. Computer viruses can be hidden in pirated software or in other files or programs that you may download.
Symptoms of a computer virus
If you suspect or confirm that your computer is infected with a computer virus, obtain the current antivirus software. The following are some primary indicators that a computer may be infected:
• The computer runs slower than usual.
• The computer stops responding, or it locks up frequently.
• The computer crashes, and then it restarts every few minutes.
• The computer restarts on its own. Additionally, the computer does not run as usual.
• Applications on the computer do not work correctly.
• Disks or disk drives are inaccessible.
• You cannot print items correctly.
• You see unusual error messages.
• You see distorted menus and dialog boxes.
• There is a double extension on an attachment that you recently opened, such as a .jpg, .vbs, .gif, or .exe extension.
• An antivirus program is disabled for no reason. Additionally, the antivirus program cannot be restarted.
• An antivirus program cannot be installed on the computer, or the antivirus program will not run.
• New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs.
• Strange sounds or music plays from the speakers unexpectedly.
• A program disappears from the computer even though you did not intentionally remove the program.
Note: These are common signs of infection. However, these signs may also be caused by hardware or software problems that have nothing to do with a computer virus. Unless you run the Microsoft Malicious Software Removal Tool, and then you install industry-standard, up-to-date antivirus software on your computer, you cannot be certain whether a computer is infected with a computer virus or not.
Symptoms of worms and trojan horse viruses in e-mail messages
When a computer virus infects e-mail messages or infects other files on a computer, you may notice the following symptoms:
• The infected file may make copies of itself. This behavior may use up all the free space on the hard disk.
• A copy of the infected file may be sent to all the addresses in an e-mail address list.
• The computer virus may reformat the hard disk. This behavior will delete files and programs.
• The computer virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from the computer.
• The computer virus may reduce security. This could enable intruders to remotely access the computer or the network.
• You receive an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
• Someone tells you that they have recently received e-mail messages from you that contained attached files that you did not send. The files attached to those e-mail messages have extensions such as .exe, .bat, .scr, and .vbs.
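The two symptom lists above both turn on attachment names: an executable extension such as .exe, .bat, .scr or .vbs, or a double extension that hides one of those behind a decoy like .jpg or .gif. The following Python is an added example, not part of the original post, showing how a mail gateway or a cautious user can apply exactly those checks to attachment names. The extension sets (the post's four plus .com and .pif, which are assumed additions), the decoy list and the sample message names are constructed for the example.

```python
"""Attachment-name triage for the e-mail symptoms listed above.
Added example, not from the original post; the extension sets and the
sample filenames below are constructed for illustration."""
import os

# Extensions the post names as typical of e-mail-borne malware, plus .com and
# .pif (assumed additions: both run as executables on Windows).
EXECUTABLE_EXT = {".exe", ".bat", ".scr", ".vbs", ".com", ".pif"}
# Harmless-looking decoys that malware names itself after (photo.jpg.exe).
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3", ".avi"}


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    verdict is "block", "review" or "allow". Only the *last* extension decides
    what Windows does on double-click, so that is the one inspected first;
    surrounding whitespace is stripped because "photo.jpg        .exe" is a
    common way to push the real extension out of view in a narrow mail column.
    """
    name = filename.strip().lower()
    base, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXT:
        inner = os.path.splitext(base.strip())[1]
        if inner in DECOY_EXT:
            return "block", f"double extension {inner}{ext}"
        return "block", f"executable extension {ext}"
    if not ext or ext in DECOY_EXT:
        return "allow", "no executable extension"
    return "review", f"unrecognised extension {ext}"


def triage_message(attachments):
    """Worst verdict across all attachments of one message, with per-file detail."""
    order = {"allow": 0, "review": 1, "block": 2}
    details = {name: classify_attachment(name) for name in attachments}
    worst = max((v for v, _ in details.values()), key=order.__getitem__, default="allow")
    return worst, details


# Constructed sample: what a mail gateway log might show for three messages.
SAMPLE_MESSAGES = {
    "greeting": ["card.scr"],
    "holiday":  ["beach.jpg    .exe", "itinerary.pdf"],
    "invoice":  ["invoice_march.pdf", "notes.txt"],
}

if __name__ == "__main__":
    for subject, files in SAMPLE_MESSAGES.items():
        verdict, detail = triage_message(files)
        print(subject, verdict, detail)
```

The "review" verdict is deliberate: an extension the table does not know (an archive, for instance) is neither safe nor provably dangerous, and a gateway should quarantine it for a human rather than silently allow it. Windows hides known extensions by default, which is why "card.scr" shows up in Explorer as just "card"; the double-extension trick relies on that setting.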
Symptoms that may be the result of ordinary Windows functions
A computer virus infection may cause the following problems:
• Windows does not start even though you have not made any system changes or installed or removed any programs.
• There is frequent modem activity. If you have an external modem, you may notice the lights blinking frequently when the modem is not being used. You may be unknowingly supplying pirated software.
• Windows does not start because certain important system files are missing. Additionally, you receive an error message that lists the missing files.
• The computer sometimes starts as expected. However, at other times, the computer stops responding before the desktop icons and the taskbar appear.
• The computer runs very slowly. Additionally, the computer takes longer than expected to start.
• You receive out-of-memory error messages even though the computer has sufficient RAM.
• New programs are installed incorrectly.
• Windows restarts spontaneously.
• Programs that used to run stop responding frequently. Even if you remove and reinstall the programs, the issue continues to occur.
• A disk utility such as Scandisk reports multiple serious disk errors.
• A partition disappears.
• The computer always stops responding when you try to use Microsoft Office products.
• You cannot start Windows Task Manager.
• Antivirus software indicates that a computer virus is present.
How to remove a computer virus
Even for an expert, removing a computer virus can be a difficult task without the help of computer virus removal tools. Some computer viruses and other unwanted software, such as spyware, even reinstall themselves after the viruses have been detected and removed. Fortunately, by updating the computer and by using antivirus tools, you can help permanently remove unwanted software.
To remove a computer virus, follow these steps:
1. Install the latest updates from Microsoft Update on the computer.
2. Update the antivirus software on the computer. Then, perform a thorough scan of the computer by using the antivirus software.
How to protect your computer against viruses
To protect your computer against viruses, follow these steps:
1. On the computer, turn on the firewall.
2. Keep the computer operating system up-to-date.
3. Use updated antivirus software on the computer.
4. Use updated antispyware software on the computer.
Source: Microsoft
Types of Computer Viruses
Boot Sector viruses: A boot sector virus infects diskettes and hard drives. All disks and hard drives are divided into smaller sections called sectors. The first sector is called the boot sector. The boot sector carries the Master Boot Record (MBR), whose job is to read and load the operating system. So, if a virus infects the boot sector or MBR of a disk, such as a floppy disk, your hard drive can become infected if you reboot your computer while the infected disk is in the drive. Once your hard drive is infected, all diskettes that you use in your computer will be infected. Boot sector viruses often spread to other computers through shared infected disks and pirated software applications. The best way to disinfect your computer of a boot sector virus is by using antivirus software.
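The paragraph above depends on the layout of the MBR: 446 bytes of boot code, a four-entry partition table, and the 0x55AA signature in the last two bytes. A boot sector infection typically replaces the boot code while leaving the partition table intact so the system still boots, which means a hash of the boot code taken from a known-clean disk is a simple integrity check. The following Python is an added example, not from the original post; the layout constants are the standard MBR format, while the disk images, partition values and baseline hash are constructed for the example.

```python
"""Boot-sector baseline check for the boot sector virus description above.
Added example, not part of the original post. Parses the 512-byte Master Boot
Record (446 bytes of boot code, four 16-byte partition entries, 0x55AA
signature) and compares a hash of the boot code against a baseline taken when
the disk was known to be clean; the sample MBRs below are constructed."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # executable boot code precedes the partition table
PARTITION_ENTRY_SIZE = 16
PARTITION_TABLE_OFFSET = BOOT_CODE_SIZE
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector):
    """Split an MBR into a boot-code hash and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype != 0:                      # type 0 = unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def boot_code_matches_baseline(sector, baseline_sha256):
    """True if the boot code is unchanged since the baseline was recorded."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code):
    """Constructed MBR with the given boot code and one bootable type-0x07 partition."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    table += b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed images: the "clean" boot code is a stand-in, not real loader code;
# the second image keeps the partition table but has different boot code, which
# is the pattern a boot sector infection leaves behind.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
ALTERED_MBR = build_sample_mbr(b"\xeb\x3c\x90\xb8\x00\x00")

if __name__ == "__main__":
    print("clean image matches baseline:", boot_code_matches_baseline(CLEAN_MBR, BASELINE_SHA256))
    print("altered image matches baseline:", boot_code_matches_baseline(ALTERED_MBR, BASELINE_SHA256))
```

On a real machine the 512 bytes come from reading the raw device with administrative rights (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux); record the baseline hash right after a clean install and re-check it whenever the symptoms above appear. Hash only the boot code, not the whole sector, because the partition table legitimately changes when you repartition.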
Program viruses: A program virus becomes active when the program file (usually with extensions .BIN, .COM, .EXE, .OVL, .DRV) carrying the virus is opened. Once active, the virus will make copies of itself and will infect other programs on the computer.
Multipartite viruses: A multipartite virus is a hybrid of a Boot Sector and Program viruses. It infects program files and when the infected program is active it will affect the boot record. So the next time you start up your computer it'll infect your local drive and other programs on your computer.
Stealth viruses: A stealth virus can disguise itself by using certain tactics to prevent being detected by antivirus software. These tactics include altering its file size, concealing itself in memory, and so on. This type of virus is nothing new, in fact, the first computer virus, dubbed Brain, was a stealth virus. A good antivirus should be able to detect a stealth virus lurking on your hard drive by checking the areas the virus infected and evidence in memory.
Polymorphic viruses: A polymorphic virus acts like a chameleon, changing its virus signature (also known as its binary pattern) every time it multiplies and infects a new file. By changing binary patterns, a polymorphic virus becomes hard for an antivirus program to detect.
Macro Viruses: A macro virus is programmed as a macro embedded in a document. Many applications, such as Microsoft Word and Excel, support macro languages. Once a macro virus gets onto your computer, every document you produce will become infected. This type of virus is relatively new and may slip by your antivirus software if you don't have the most recent version installed on your computer.
ActiveX and Java controls: Some users do not know how to manage and control their web browser to allow or prohibit certain functions, such as enabling or disabling sound, pop-ups, and so on. This leaves your computer in danger of being targeted by unwanted software or adware floating in cyberspace.
svchosts.exe
svchosts.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
The svchosts.exe file is installed and used by SpyGraphica
SpyGraphica Description:
SpyGraphica is a commercial PC surveillance application that logs keystrokes and takes screenshots of user activity. It sends gathered data to a configurable e-mail address. SpyGraphica must be manually installed. It automatically runs on every Windows startup.
svchosts.exe Manual Detection
Below are manual removal instructions for svchosts.exe so you can remove the unwanted file from your PC. Always be sure to back up your PC before you modify anything.
Step 1: Use Windows File Search Tool to Find svchosts.exe Path
1. Go to Start > Search > All Files or Folders.
2. In the "All or part of the file name" box, type in "svchosts.exe".
3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.
4. When Windows finishes your search, hover over the "In Folder" column of "svchosts.exe", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete svchosts.exe in the following manual removal steps.
Step 2: Use Windows Task Manager to Remove svchosts.exe Processes
1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
2. Click on the "Image Name" column header to sort and find the "svchosts.exe" process by name.
3. Select the "svchosts.exe" process and click on the "End Process" button to kill it.
Step 3: Detect and Delete Other svchosts.exe Files
1. To open the Windows Command Prompt, go to Start > Run > cmd and then press the "OK" button.
2. Type in "dir /A name_of_the_folder" (for example, dir /A C:\Spyware-folder), which displays the folder's contents, including hidden files.
3. To change directory, type in "cd name_of_the_folder".
4. Once you have found the file you're looking for, type in "del name_of_the_file".
5. To delete a file in folder, type in "del name_of_the_file".
6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
7. Select the "svchosts.exe" process and click on the "End Process" button to kill it.
Backdoor-SS
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
Backdoor.LittleWitch
Backdoor.LittleWitch.B (Symantec)
Characteristics -
This threat is rated Low risk and is profiled in the Tech Live article "Wicked Code Emerges for Halloween".
There are many variants of this remote access trojan. This description is meant to be a guide. When this trojan is run it may copy itself to the WINDOWS SYSTEM (%SysDir%) directory as Rundll.exe. The following registry key is created to load the trojan at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Rundll=Rundll.exe
Other registry keys may include:
HKEY_CURRENT_USER\Software\Msn\Date=%Date_Run%
HKEY_LOCAL_MACHINE\Rundll=Rundll.exe
The trojan sends an ICQ pager notification to the author/configurator. This provides the attacker with the necessary information to connect to the compromised system remotely. A .DAT file is created to store trojan information, %WinDir%\usr.dat.
Once infected, a remote attacker can connect to the compromised system to perform various tasks, such as:
Chat
FTP functions
Retrieve logged keystrokes
Retrieve cached passwords
Open/close CD-ROM door
Retrieve configured email account information
Retrieve system information (CPU speed, RAM, Drive space, etc)
Open a remote command console
Swap mouse buttons
Open URLs
Hide/Show
Kill processes
Change screen resolution
Capture screen shots
Play sounds
Shutdown/restart Windows
Symptoms -
TCP port 31320 left open (listening).
Method of Infection -
Trojans often come disguised as a desired program, but they do not propagate on their own. Once the trojan is run, it installs itself on the local system, and allows a remote attacker to perform various functions.
Manual Removal Instructions
Delete the registry key(s) as mentioned above
Information on deleting registry keys
Restart the computer
Delete the files mentioned above
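Before deleting anything, a responder wants to confirm that the indicators in the description above are actually present: the RunServices\Rundll autostart value, the HKCU\Software\Msn\Date marker, %WinDir%\usr.dat, Rundll.exe in the system directory, and TCP port 31320 listening. The following Python is an added example, not from the original description, that checks those indicators against text already collected from the suspect machine (`reg export` output, `netstat -an` output and a file listing), so it runs offline. The sample registry export, netstat output and file paths are constructed; the indicator values themselves are the ones stated above.

```python
"""Host triage for the Backdoor-SS / Backdoor.LittleWitch indicators listed
above. Added example, not from the original description. It works on text
already collected from the suspect machine ('reg export' and 'netstat -an'
output plus a file listing), so it runs offline; the samples are constructed."""
import re

# Indicators from the description: (registry key, value name, expected data or None for any).
REG_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "Rundll", "Rundll.exe"),
    (r"HKEY_LOCAL_MACHINE", "Rundll", "Rundll.exe"),
    (r"HKEY_CURRENT_USER\Software\Msn", "Date", None),
]
LISTEN_PORT = 31320                              # "TCP port 31320 left open"
FILE_SUFFIXES = [r"\usr.dat", r"\rundll.exe"]    # %WinDir%\usr.dat and %SysDir%\Rundll.exe


def parse_reg_export(text):
    """Parse 'reg export' output ([Key] headers, "Name"="Data" lines) into
    {key_lowercase: {name: data}}. Keys are lower-cased because the registry
    is case-insensitive."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def listening_tcp_ports(netstat_text):
    """Ports in LISTENING state from 'netstat -an' output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def find_indicators(reg_text, netstat_text, file_paths):
    """Return a list of human-readable indicator hits; an empty list means none found."""
    hits = []
    reg = parse_reg_export(reg_text)
    for key, name, expected in REG_INDICATORS:
        values = reg.get(key.lower(), {})
        if name in values and (expected is None or values[name].lower() == expected.lower()):
            hits.append(f"registry: {key}\\{name}={values[name]}")
    if LISTEN_PORT in listening_tcp_ports(netstat_text):
        hits.append(f"network: TCP port {LISTEN_PORT} listening")
    for path in file_paths:
        if any(path.lower().endswith(suffix) for suffix in FILE_SUFFIXES):
            hits.append(f"file: {path}")
    return hits


# Constructed samples (not real data): the autostart value, the Msn\Date marker,
# the listening port and both files, plus a legitimate rundll32.exe that must
# NOT match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Rundll"="Rundll.exe"

[HKEY_CURRENT_USER\Software\Msn]
"Date"="10/31/2001"
'''
SAMPLE_NETSTAT = '''Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31320          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.9:80         ESTABLISHED
'''
SAMPLE_FILES = [r"C:\WINDOWS\usr.dat", r"C:\WINDOWS\SYSTEM32\Rundll.exe",
                r"C:\WINDOWS\SYSTEM32\rundll32.exe"]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(hit)
```

Treat the hits together rather than individually: the Msn\Date value matches on any data, so on its own it is a weak signal, while the RunServices autostart entry plus the listening port is strong. The suffix match is deliberately exact so that the legitimate rundll32.exe in the same directory does not trip the check; collect the registry export, netstat output and file listing at the same time so they describe one consistent state of the machine.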
Enjoy....!!!
Such a nice post on computer viruses. You can also post some interesting or informative links about virus removal tools or software; that would help out your readers more on the topics. I was going through your post and found myself a little bit bored while reading so much about computer viruses. Rather, on the blogroll I have found some interesting posts too. Thanks for the awesome post.