
Find Hidden Malware in Windows’ System Folders

It’s no fun to go into Task Manager and discover that a bunch of mysterious processes are running on your PC. In the case of the unknowns, you may ask yourself how much of this stuff you actually want. Or more seriously, if anything on your machine is doing harm.

Unfortunately, few of us have more than a passing familiarity with what’s under Windows’ hood: the programs that run it and that run alongside it. In this column, I’ll explain how to identify most Windows system files (and to research an unknown file) so you can tell the good ones from the miscreants. I’ll also show you how to trace every application running on your PC, including the newest menace—hidden rootkit files.

Of course, as with tremors, you can never know where or when the next security breach will open and swallow your data. Even if you run a firewall, use up-to-date antivirus and anti-spyware scanners, and maintain strict download discipline, you can still end up with the latest and meanest infectious agents in your PC. Antivirus and other security tools need frequent and detailed updates to work effectively; they can’t block a piece of malware that they haven’t seen before. Consequently, these programs always suffer a period of vulnerability between the time when source code for a new worm hits the IE, for example, and the time when the antivirus definitions to block or clean the infection are available. Whether it’s for a few minutes or for many days, that window always gapes open when new threats appear.

Fortunately, once identified, malware is usually fairly easy—albeit tedious—to clean up. So follow my detection procedures, and your PC will be in good shape.
SAFETY FIRST

First, and most important: it’s the operating system you’re dealing with, so don’t leap into your system files, deleting things willy-nilly as soon as you suspect trouble. If you blow it, you may render Windows unbootable. Second, cover your behind at every step. System Restore (in Windows XP and Me) can safely return you to the point just before you crashed. Click Start, Programs (All Programs in XP), Accessories, System Tools, System Restore, select Create a restore point, and step through the wizard. Make a new restore point before each change.

You may also need to make your system files visible. Open Explorer or any folder window, and click Tools, Folder Options, View. Click Show hidden files and folders, and make sure that both ‘Hide extensions for known file types’ and ‘Hide protected operating system files (Recommended)’ are unchecked. Click Yes if you see any Windows warnings. Run your up-to-date antivirus and antispyware apps. Finally, delete a file only if you strongly believe it’s part of a malware infestation. For example, don’t use the following techniques to remove old DLLs from your system folders.
FIND OUT WHAT’S RUNNING

Now you’re ready to determine what programs and services are currently running on your PC. Windows’ Task Manager can’t authenticate each of your running apps, so download a copy of the free Process Explorer from Sysinternals (www.sysinternals.com). Unzip the procexpnt.zip file, and then double-click the file named procexp.exe. Process Explorer is the sumo wrestler of Task Manager replacements: It may not look pretty, but it’s dependable and very effective. And unlike the top sumo pros, it does its job for free.

Some of Process Explorer’s useful info is hidden by default. To see it, right-click a column name and then choose Select Columns. Both ‘Process Name’ and ‘Description’ should be checked already, but be sure to check Company Name and Command Line as well. Click the DLL tab, check Path, and click OK. Next, click View and make sure that ‘Show Lower Pane’ is checked. Last of all, click View, Lower Pane View, DLLs (see FIGURE 1).

With these Process Explorer options on, you can select any process and see the DLLs that the program uses listed in the lower pane. The Command Line column shows the hard-drive location of every running program, or—in the case of services (which sometimes run under svchost.exe)—it identifies which instance of svchost.exe invoked that service.

Any processes running from the Temp folder should raise a red flag. Spyware tends to install itself in and run from such out-of-the-way nooks as the Temp folder. Likewise, if a running process points to a DLL in the Temp folder, be wary. The only occasion when something should be running from the Temp folder is when you are installing an application that uses an installer program such as InstallShield.

In addition to Explorer.exe, Windows XP users will likely find other processes running, including smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe. All of these are critical Windows files. Don’t nix any of them.

One legitimate Windows file that bears a little more scrutiny when found in the running-processes list is rundll32.exe. Some forms of malware, distributed as DLL files, hide themselves by using this program as a launching pad. Task Manager indicates only that the rundll32 program is running, but Process Explorer’s Command Line field shows you which DLL rundll32 is associated with. Still, keep in mind that some device drivers use rundll32 for legitimate purposes, so before killing the process, make sure it’s actually doing damage. The folder name at the end of the file path should give you a clue about the process’s legitimacy.
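To make the Path, Command Line and DLL-pane checks above repeatable, here is an added Python triage script that is not part of the original column: it applies the article’s rules (image or loaded DLL in a Temp folder, which DLL rundll32 was handed, a critical process name living outside system32) to constructed sample records shaped like Process Explorer’s columns. The records, the system32-location rule for the critical names, and all function names are assumptions made for this example.

```python
import re

# Names the article calls critical; assumption: on XP they sit directly in \WINDOWS\system32.
CRITICAL = {"smss.exe", "winlogon.exe", "services.exe", "alg.exe", "lsass.exe"}
SYS32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)

# Constructed records standing in for Process Explorer's Path, Command Line and DLL columns.
SAMPLE = [
    {"name": "rundll32.exe", "path": r"C:\WINDOWS\system32\rundll32.exe",
     "cmd": r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL",
     "dlls": [r"C:\WINDOWS\system32\shell32.dll"]},
    {"name": "rundll32.exe", "path": r"C:\WINDOWS\system32\rundll32.exe",
     "cmd": r"C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\USER\LOCALS~1\Temp\x9.dll,Start",
     "dlls": [r"C:\DOCUME~1\USER\LOCALS~1\Temp\x9.dll"]},
    {"name": "updater.exe", "path": r"C:\DOCUME~1\USER\LOCALS~1\Temp\updater.exe",
     "cmd": r"C:\DOCUME~1\USER\LOCALS~1\Temp\updater.exe", "dlls": []},
    {"name": "explorer.exe", "path": r"C:\WINDOWS\Explorer.EXE", "cmd": r"C:\WINDOWS\Explorer.EXE",
     "dlls": [r"C:\WINDOWS\system32\ntdll.dll", r"C:\DOCUME~1\USER\LOCALS~1\Temp\hook.dll"]},
]

def in_temp(path):
    # The article's red flag: a "Temp" folder anywhere in the path (case-insensitive).
    return re.search(r"\\temp\\", path, re.IGNORECASE) is not None

def rundll32_target(cmd):
    # rundll32 is invoked as "<rundll32.exe> <dll>,<entry point>"; return the DLL path or None.
    m = re.match(r'^"?[^"]*?rundll32\.exe"?\s+"?([^",]+?\.dll)"?', cmd, re.IGNORECASE)
    return m.group(1) if m else None

def triage(rec):
    # Apply the checks the article walks through; returns reasons to look closer.
    flags = []
    if in_temp(rec["path"]):
        flags.append("image runs from Temp")
    if rec["name"].lower() in CRITICAL and not SYS32.match(rec["path"]):
        flags.append("critical-name process outside system32: " + rec["path"])
    if rec["name"].lower() == "rundll32.exe":
        dll = rundll32_target(rec["cmd"])
        if dll is None:
            flags.append("rundll32 without a recognisable DLL argument")
        elif in_temp(dll):
            flags.append("rundll32 launching a DLL from Temp: " + dll)
    for dll in rec["dlls"]:
        if in_temp(dll):
            flags.append("loaded DLL lives in Temp: " + dll)
    return flags

def suspicious(records=SAMPLE):
    # Names of processes that earned at least one flag; clean ones drop out.
    return [r["name"] for r in records if triage(r)]
```

A flag is a prompt to look at the Description, Company Name and Services tab as the column describes, not a verdict; the legitimate rundll32 record above comes back clean while the Temp-based one does not.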
IDENTIFY MYSTERY PROCESSES

You likely have several other Windows program files running in addition to these OS files, including ones for applications and services running in the background, and drivers for your hardware. These files normally start with Windows. Examine the Description, Company Name, and Command Line information for each process. You should be able to identify most of the programs associated with processes as software you installed or that was preinstalled on your PC.

When a software maker has failed to include a Description and/or Company Name, you’ll need to dig a little deeper. Right-click its entry in Process Explorer’s list, and choose Properties. If the information under the Image tab leaves you scratching your head, click the Services tab. Some legitimate services that are listed in the indented column below ‘services.exe’ in Process Explorer’s main window will appear under this tab (see FIGURE 2).

For example, Process Explorer once showed two processes running on my PC without Description or Company Name entries. One was ‘slee81.exe’; when I looked at the process’s entry under the Services tab, it identified the file as Steganos Live Encryption Engine. I had installed the Steganos software myself, so I wasn’t surprised to find its components running in the background. This isn’t a security threat, but unless I’m using Steganos to encrypt and decrypt files, I can save some CPU cycles by turning the service off.

The second file, ‘WLTRYSVC.EXE’, was even easier to puzzle out from its Services entry. While the name of the process (‘WLTRYSVC service’) isn’t any more illuminating than its file name, a slightly indented file just below it in Process Explorer’s main window indicated that ‘WLTRYSVC’ had launched another app, called ‘BCMWLTRY.EXE’. That file was identified as the ‘Broadcom Wireless Network Tray Applet,’ which I installed to display Wi-Fi signal strength. Since I’m likely to be using my Wi-Fi connection frequently, that’s a process I want to keep.

Follow these steps to identify all of your running services and background apps. The tricky part comes when something you find doesn’t identify itself and doesn’t seem to serve a purpose. That’s when it’s time to look to the Internet for answers.
ONLINE VERMIN TRACKERS

If I suspect a DLL might be bogus, the first place I check is Microsoft’s DLL Help Database (see FIGURE 3), which lets me search for information about a DLL by name. If a file is connected to spyware, I’ll dig around in Computer Associates’ Spyware Information Center. Another great resource is the Pest Encyclopedia at the PestPatrol Center for Pest Research, which provides information about more than 27,000 forms of malware.

Bottom Line: You can’t always trust the first few results when you research an unknown file on the Web. Even if a hundred sites post data about a suspected piece of malware, one page on a Microsoft site that explains the legitimate use of the file can trump those analyses. The more you find out about a file, the less likely you’ll kill a legitimate program or DLL.

