First of all, I am sorry for writing this article in (bad) English, because I found out that nobody has discussed this matter other than Ching Tim Meng at Hack in the Box 2008. I was glad to see this kind of idea, how to beat malware without any antivirus, although I already knew how to do it before I knew about his class. I only got into his class 15 minutes before it ended, but I understood what was covered from the handout (slides). The knowledge is not meant to give us the idea of not using an antivirus, but rather of how to identify unknown malware and viruses.
A few days ago (or, I think, I had the same experience before and had already forgotten about it), I came across a new kind of virus behaviour. This virus was so hard to remove that we were unable to use the idea from Ching Tim Meng and got fed up with it.
What makes this virus activate and hard for an ordinary person to detect:
- As usual, the virus disables CMD, Folder Options, Search, Run, Regedit and Task Manager.
- Also as usual, it disables the antivirus service and the update server setting.
- It activates itself after boot from many locations in the registry, not only the usual places such as Run and Winlogon.
- It activates as a service, and through other Windows services such as Task Scheduler.
- The virus files are named after system file names.
- Two or more viruses activate at once, or after logon/boot. In this case, once you terminate one virus, the other virus runs the terminated virus again. But when you terminate the other virus, the first virus brings the other back from the dead.
- System Restore is enabled.
- The virus (mostly executable files) is hidden with the Read Only, Hidden and System attributes and copied to the c:\windows\tasks folder.
- It is capable of disabling, hiding and deleting popular troubleshooting utilities such as Procexp, SIC (TrendMicro), etc.
- It is capable of disabling, hiding and deleting unknown troubleshooting utilities such as Ultimate Washer. Maybe the virus can identify and learn any application that can access memory, hardware and operating system resources, with the objective of watching them.
- This one is weird. The virus closes any application whenever the user types a keyword like "IT", "Virus", "malware", "ICT" and many more. You need to learn which words make applications close without any warning while you troubleshoot the problem. Don't believe it? I don't mind at all.
Because of the above factors and virus behaviour, it is hard to detect and remove this virus. My explanation below is additional to what is available from Ching Tim Meng.
Most of the time, whenever I get this kind of problem, I prefer to attach the affected hard disk as an external hard drive to a clean PC with an up-to-date antivirus and scan it there. But I figured out how to stop the virus from giving us a lot of problems while troubleshooting, without taking the hard disk out; in other words, how to do the troubleshooting remotely.
First, eliminate the virus's intervention, or stop it from executing. Task Manager is the basic way to identify and kill the virus's execution, but Task Manager is usually disabled by the virus. Procexp is a known threat to the virus and is normally closed by it right after it executes. The only way to look at the viruses and stop them is to use the tasklist, taskkill and net start/stop commands in DOS. But DOS is disabled! Yes, you are correct, but batch files are not. We can trick the viruses while troubleshooting, or counter the virus processes, using a batch file.
Create a batch file (a.bat) with Notepad. To get a view like Task Manager, write this line in Notepad:
tasklist > task.txt
Save the batch file and double-click it to execute it.
The task.txt file is created after that. View the list from the file; it is similar to what you would see in Task Manager. What you must identify is up to you; better read Ching Tim Meng's tutorial first. To kill a process/application/suspected virus, write down the command below:
taskkill /pid <process id number> /f
Check the process id number in task.txt. If you suspect more than one virus, write down more than one taskkill line, depending on what you find in task.txt.
Writing the batch file takes a long time of trial and error.
To view services, write down:
net start > services.txt
And to stop a service, write down:
net stop "<name of the service>"
From the above steps, we can trick the virus by stopping the virus processes and services at once by executing the batch file. Therefore the viruses are unable to bring their partners-in-crime back from the dead. It is better to write the tasklist > task.txt and net start > services.txt commands at the bottom of the batch file, so you can see the result after the batch file has executed.
You need to study the txt files to get a better batch file that can stop the viruses at ONCE.
Please remember or write down the process and service names on a piece of paper.
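The whole procedure above gathered into one batch file, as an added example that is not from the original post. The service names, PIDs and image names are placeholders; replace them with what you found in task.txt and services.txt. Services are stopped before processes are killed, and the kills are issued together and then repeated by image name, so a surviving partner gets no chance to restart the one just terminated. Because of the keyword behaviour described above, the comments avoid the words the malware reacts to.

```batch
@echo off
REM clean.bat - added example, not from the original post.
REM Every name and PID below is a placeholder; fill them in from
REM task.txt and services.txt before running.

REM 1. Record the state before touching anything.
tasklist > task_before.txt
net start > services_before.txt

REM 2. Stop the suspected services first, so that a service cannot
REM    relaunch a process killed in the next step. /y answers "yes"
REM    if net stop asks about dependent services.
for %%s in ("PLACEHOLDER_SERVICE_1" "PLACEHOLDER_SERVICE_2") do (
    net stop %%s /y
)

REM 3. Kill the suspected processes together by PID. /f forces the
REM    kill, /t also ends any child processes they spawned.
for %%p in (1234 5678) do (
    taskkill /pid %%p /f /t
)

REM 4. Kill again by image name, in case one partner already respawned
REM    the other under a new PID between the two steps above.
for %%i in (placeholder1.exe placeholder2.exe) do (
    taskkill /im %%i /f /t
)

REM 5. Record the state again; compare with the _before files to
REM    confirm that nothing came back.
tasklist > task.txt
net start > services.txt
```

Run it by double-clicking, as with a.bat; if a suspected name reappears in task.txt, it was restarted by something not yet on the list (another process, a service or a startup entry), so add that to the placeholders and run again.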
Then, if you are confident the malware and virus processes have been terminated, this is the time to enable Folder Options, Find, CMD, Task Manager and whatever features were disabled by the virus. Then execute msconfig and regedit and look for the virus startup entries, referring to the list you remembered or wrote down on the piece of paper.
From there, you need to find the suspected virus files on the C: hard drive. Delete them, or, in my case, I move them to another folder that I create specially for them, so I can submit the suspected virus samples to antivirus companies to analyse and update their patterns.
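Re-enabling the disabled tools and quarantining the suspected files, as an added example that is not from the original post. The registry value names are the standard Windows policy values that disable Task Manager, Regedit, CMD, Folder Options, Find and Run (check HKLM as well if your copy sets them machine-wide); the file names under tasks\ and the quarantine folder are placeholders for what you found. As before, the comments avoid the keywords the malware reacts to.

```batch
@echo off
REM restore.bat - added example, not from the original post.
REM Clears the policy values that hide the troubleshooting tools, then
REM moves suspected files to a quarantine folder. File names are
REM placeholders.

REM 1. Delete the per-user policy values; a missing value means the
REM    default (enabled). /f suppresses the confirmation prompt.
set POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
reg delete "%POL%\System" /v DisableTaskMgr /f
reg delete "%POL%\System" /v DisableRegistryTools /f
reg delete "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /f
reg delete "%POL%\Explorer" /v NoFolderOptions /f
reg delete "%POL%\Explorer" /v NoFind /f
reg delete "%POL%\Explorer" /v NoRun /f

REM 2. Quarantine rather than delete: strip the Read Only, System and
REM    Hidden attributes that were set on the file, then move it so a
REM    sample can still be submitted to an AV vendor.
set QDIR=C:\quarantine
if not exist "%QDIR%" mkdir "%QDIR%"
for %%f in ("%WINDIR%\tasks\PLACEHOLDER1.exe" "%WINDIR%\tasks\PLACEHOLDER2.exe") do (
    if exist %%f (
        attrib -r -s -h %%f
        move /y %%f "%QDIR%\"
    )
)

REM 3. List what is left in tasks\, hidden files included, for review.
dir /a "%WINDIR%\tasks" > tasks_dir.txt
```

Run this only after clean.bat has confirmed the processes stay dead; otherwise a surviving process can simply set the policy values again. The tasks_dir.txt listing is worth keeping with the sample you submit.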
Finally, you need to restart the PC to see the result. Remember to disable System Restore first, before you restart.
It is a success when, after you restart the PC, all features in the PC are still there, not disabled, and Windows loads smoothly.
PS: You cannot do this if Windows loads only as far as the wallpaper, or logs off right after logon.