Surviving a Virus by sofiaie


									 Surviving a Virus,
Worm or Trojan Horse

 The layered approach to
Present Approach Is Not Working

Playing catch-up creates windows of

New ideas such as Process Guard by

Registry Monitors

New approaches to OS Updates
1. Pre-Infection strategies

2. Is it or isn’t it a virus

3. Cleaning up
 Good Anti-virus practices

Use a firewall such as Zone Alarm
Keep OS security patches up to date
Get the free Microsoft cd
Update anti-virus definitions daily
Do weekly full system scans
Run SpyBot S & D or AdAware weekly
Do a separate Trojan scan weekly
     Good AV practices, contin.

Don’t open attachments or strange looking
Don’t use preview pane
Delete messages from strangers
Avoid Internet file sharing!! ICQ, Kazaa,
eDonkey, newsgroups
Don’t send a friend an message to see if
you have a virus
  Good AV practices, contin.

View & send messages in TEXT mode
only mode
Peek inside unsolicited messages
Use a spam-filter
Don’t fall for scam messages
Avoid URLs of questionable repute
    Good AV practices, contin.

Teach children about security
Supervise Internet access or scan your
computer afterwards
Physically unplug or turnoff your modem
Use care when typing in URLs!!
Avoid using My Documents for data store
Be cautious about enabling file sharing

C:\ Windows
D:\ Programs
E:\ Data worth backing up
F:\ Clutter

       Imaging and Cloning
  Acronis True Image 7………….$44-49

  Norton Ghost 2003………………$40-70

  Freeware imager

Save your images to cds, across a network to
  another computer, or to a removable USB hard
          Backing Up
Get to know where everything is stored
(mail, favorites, financial data…)
Partition to keep data organized and
Full and incremental
Back up regularly to more than one place!!
Save your old backups
Low tech sticky notes as reminders
Utilize Task Manager info

 Use Google as a resource

 Keep a list of all the processes
 that appear

 Process Explorer free from
           Utility toolbox
Trojan Scanner
Process Explorer…
Port Enumerator
    Netstat -ano, TCPView, Port Explorer
Registry tools such as
ERUNT back up and recover the registry
and Registry Medic
AVDISK helps you put AV software on DOS
NTFSDOS…ERD commander $$$$$$!
A Guide to 2000/XP Recovery Console
    Have a Game Plan

Internet sites with virus info & fixes
Online virus and Trojan scanners
Access to Google
A second computer
List of ports and associated services
 AV program is disabled for no reason and it
 cannot be restarted
 AV program cannot be installed on the computer
 or it will not run or update
 Strange dialog boxes or message boxes appear
 E-mail complaints from acquaintances
 New icons appear on the desktop
 Strange sounds or music plays
 A program disappears from your computer
Sudden degradation in system performance…it
locks up
Windows will not start at all
There is a lot of modem activity
Critical system files are missing
Computer stops responding before the desktop
icons and taskbar appear
Your computer runs very slowly
Start-up takes an unusually long time
Out-of-memory error messages
New programs do not install correctly
Windows spontaneously restarts
Programs stop responding frequently
Scandisk reports multiple serious disk errors
A partition completely disappears
Your computer always stops responding
when you try to use Microsoft Office
You cannot start Task Manager
Strange process running in Task Mgr.
Or no symptoms
     at all
      Identify the virus
Full System scan from safe mode
Use on-line scanning tools
F-Prot makes a free DOS scanner
Examine Task Manager
Look at port usage
Query Google with symptoms and the
word “virus”
Search for files added or changed on a
certain date
             Cleaning up
Physically disconnect from network at first
suspicion of a virus
Disconnect modem to keep a worm from
spreading or worse
Try to locate a fix
Read the instructions carefully before
applying the fix
Look for manual removal instructions
Rename rather than delete
Backup your registry before editing it
           Trojans/back doors
Trojans once identified can be deleted. Use an
  automated scanner/deletion tool first.

Manual aids in identification:
    Port Explorer…$30, free trial
    Task List or msinfo32.exe
    Netstat –ano from cmd prompt
    TCPView free from Sysinternals

They often make registry or startup file changes so
  that they are executed on boot-up. Warning:
  changes in the registry.
             Trojans, contin.
If the Trojan cannot be removed because
   the files are held open by the operating
   Win9x/me system:

 Reboot the computer from a clean startup
 or system disk

 Delete the Trojan files manually or using
 the DOS instructions (Fat 32)
See Sophos emergency Trojan removal
Download latest definitions to floppy
Restart in Safe Mode/command prompt
Run SAV32CLI from Sophos as per
NTFS strategies when there is no fix

Use the 2000/XP recovery console to
remove and/or replace infected files
NTFSDOS or ERD Commander $$$!!
Install infected drive as a slave in a clean
system to remove/replace files
Create a Linux based rescue disk set that
can/will mount NTFS volumes
Last Resort

When all else fails:


To top