Wednesday, May 25, 2005 9:53 AM
SANS - Internet Storm Center - Combating Windows Malware Tutorial (using WinXP Pro)
There is a great article on cleaning malware off systems over on yesterday’s ISC Diary.
Combating Windows Malware Tutorial (using WinXP Pro)
Earlier today, I received a note on one of the mailing lists I monitor asking for help trying to remove a virus from a computer on his network. His antivirus software was detecting malware on his computer and was cleaning much of this junk out of the \Windows\System32 directory, but periodically these files would get recreated. So he was ending up in this cycle of the antivirus software removing the files and something else putting them back.
As I work in an academic environment, I have seen this happen a lot with various botnet files and spyware. So I shared with this technician how I have gone about getting the system stable again. Before I proceed in my "tutorial", let me note one thing. THIS IS NOT THE WAY TO CLEAN A SYSTEM THAT HAS BEEN COMPROMISED. This is just a way to stabilize a system enough that you can back up user data prior to a complete reinstall or re-image. If you use this procedure as a way to "clean" a system, be aware that the process is not perfect and can be defeated. So in all cases, I believe it to be best to use this as a stopgap measure until you can do what really needs to be done. (Think of this as placing a tourniquet on a limb before transporting the victim to a hospital. This is a field procedure to stop the "bleeding" only.)
You can read the entire entry here: SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis
Filed under: Security and Anti-Virus