Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!
banner Expire 25 April 2025
adv ex on 5 january 2024
adv ex on 22 February 2024
Banner expire 20 November 2024
Kfc Club

Patrick Stash
casino
banner expire at 13 August 2024
BidenCash Shop
Rescator cvv and dump shop
Yale lodge shop
UniCvv

Checking for viruses by hand

RedX

TRUSTED VENDOR
Staff member
Joined
Nov 26, 2020
Messages
716
Probably there is no longer a person who would not be directly or indirectly affected by the actions of computer viruses. Antivirus companies want a lot for their products, which never provide adequate protection. The question is, why install antivirus software at all?

System Analysis

It is logical that in order to detect and neutralize malicious code, an anti-virus program must exist. Prevention remains prevention ... Each type of malware
has its own symptoms, which are sometimes visible to the naked eye, sometimes invisible at all. Does Kaike have symptoms?

Since we are talking about a computer connected to the network, the first symptom is excessively fast consumption, as a rule, of outgoing traffic. Of course, on a gigabit channel, this may not be so noticeable if an attack is carried out with a width of a dial-up connection, but as a rule, the system slows down when opening Internet resources is striking.

The next on the list is the inability to enter or update from the sites of antivirus companies, malfunctions of programs such as CRC-error. This is due to the fact that quite a few commercial protectors support the function of checking the parity or integrity of the executable file (and not only the protectors, but also the protection developers themselves), which is done to protect the program from hacking. It is not worth talking about the effectiveness of this method against crackers and reversers, however, this can work perfectly as an alarm for viral infection. The payment of novice virus-makers for non-killable processes is that when the computer is turned off or rebooted, a process takes a long time to finish, or the computer freezes at all. I think it's not worth talking about the processes, as well as about the startup folder, if there is something incomprehensible or new, then,

Frequent computer reboots, crashes from the Internet, shutdown of the antivirus, unavailability of update servers, errors when updating the antivirus, the appearance of unknown files)), here is just a short list of symptoms of the infected machine. In addition to direct malicious codes,
there is so-called spyware, these are all kinds of keyloggers, dumpers of electronic keys, "assistants" to the browser. According to the method of detection, they can be divided into two opposite camps. If a keylogger attached by a dynamic library to the OS shell is extremely difficult to detect on the fly, then, out of nowhere, the donkey plug-in that came from (as a rule) catches the eye right away ...

Detection on the fly

We have already discussed enough about mail, the algorithm is the same for everyone, but the method of spreading mail worms is so banal that if you "manage" to run the file from the attachment, then this article will not help anyway)). For clarity, an example from life, not defined by any antivirus (until now) IRC-bot. The propagation principle is quite simple, through the found vulnerability in the axis. If you think with your head, you can understand that the main way to throw yourself on a vulnerable machine is to call the ftp server on this machine. According to vulnerability statistics, this is the notorious tftp.exe. The first symptom of such worms is outgoing traffic; when a vir gets on a machine, it starts looking for another vulnerable machine on the network, that is, it simply scans the ranges of IP addresses. Then everything is very simple, first of all we look at the logs in the OS event log.

Those. Control Panel ---> Administrative Tools ---> Event Log.

Here notifications about running services and the main error notifications are of interest. For two years now, worms have been crawling through an error in the DCOM server, so any error associated with this server is already a reason to believe that a virus is present in the system. To make sure that the latter is present, you should look at the name and rights of the user who made the mistake in the error report. If this place is "user undefined" or something similar, then rejoice, perhaps the infection was successful! Further, acting logically, the first step is to close the hole in the system for subsequent penetrations, and then localize the viri. As already mentioned, such viruses usually climb through tftp.exe, so we remove it from the system.

% WINDIR% Driver Cachedriver.cab

Then from the OS update folders, if any, then from

% WINDIR% system32dllcache

and then just from

% WINDIR% system32

Perhaps the OS will say that the files are damaged and ask for a disk with the distribution, do not agree! Otherwise, it will recover and the hole will be opened again. When everything is over, you can begin to localize the vir. A small, handy TCPView program helps to see which applications are using the network connection, but some worms have a good encryption algorithm or attach to processes or disguise themselves as processes. The most common process for disguise is undoubtedly the svhost.exe service, there are several such processes in the task manager, moreover, you can create a program with the same name and then it is almost impossible to distinguish who is who. But there is a chance and depends on attentiveness. The first thing to do is look at the Task Manager. With svhost.exe, it's not strange M $, of course, you can add fake information to the virus code, however, there are a couple of points. The first and probably the main one is that a well-written virus contains neither import table nor data sections. Therefore, such a file does not have resources, and, therefore, cannot be written to the creator's resources. Or, you can create a resource, but then an extra file size will appear, which is highly undesirable for a virusmaker. I must also say about svhost.exe, it is a set of system services and each service is a running file with certain parameters.

Accordingly, in the Control Panel ---> Administration ---> Services, all loaded services of svhost.exe are contained, then count the number of running services and svhost.exe processes, if not, then everything is clear (of course, it should be compared with the number of WORKING services ). Perhaps there is a vir among the services, one can say one thing, there is a list of services on MSDN and there are many more on the network, so it's not easy to take and compare the problem. After such actions, you can get the name of the file, which is possibly a virem.
For normal operation of the OS, 5 files are required in the root directory, so you can safely delete all other files, unless, of course, you manage to put programs in the root directory. Files for normal operation:

ntldr
boot.ini
pagefile.sys
Bootfont.bin
NTDETECT.COM

There should be nothing else. Naturally, the virus must somehow be loaded at system startup, as a rule. Accordingly, the following registry keys look for suspicious programs:

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
HKLMSOFTWAREMicrosoftActive SetupInstalled Components
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorer SharedTaskSchedulerHKLM
SOFTWAREMicrosoftWindowsCurrentVersionShellService ObjectDelayLoad
HKCUSoftwareMicrosoftWindowsCurrentVersionRun

Of course this will work for simple worms. Calculating a good virus is difficult. However, it can take a long time to find a good backdoor, keylogger, stealth virus, streaming virus, or just a virus that uses interception of file system API calls (then the virus turns out to be really invisible)! True, there are really few such creations, there are few real virmakers these days. Upset ...

Spyware, or, as they are called by the bourgeoisie SpyWare. The simplest spy often hides behind an innocent-looking toolbar. Be aware that if, suddenly, out of nowhere, you have a new button or search bar in your browser, then consider this a signal. It is also clearly visible if the browser start page has suddenly changed, there is nothing to say. Although viri, changing start pages are not necessarily spies.

How can a spy get into the system? There are several methods, as you have already noticed, we are talking about a donkey, the fact is that the most common method of penetrating a browser is precisely the use of ActiveX technology, the technology itself has already been sufficiently described and I should not get hung up on it. You can also replace the start page, for example, you can use a simple Java script located on the page, javascript to simply upload files and execute them on a vulnerable system.

There are three most common ways spies locate and operate on a victim's machine.

The first is the registry and nothing more, the virus may sit in startup, or may not be present on the computer at all, but it has one goal - to replace the browser start page through the registry. If a virus or a script only once replaced the start page, there are no questions, you just need to clear this key in the registry, but if after clearing, after a while, the key appears again, then the virus is running and
constantly accesses the registry. If you have experience with debuggers like SoftIce, then you can put a breakpoint on access to the registry (bpx RegSetValue) and track which program, in addition to the standard ones, is accessing the registry. Further, by logic, already.

The second one is precisely system event interceptors, or hooks. As a rule, hooks are used more in keyloggers, and are a library that monitors and, if possible, changes system messages.
Usually there is already the program itself and the library attached to it, so examining the main module of the program you will not get anything interesting.

The third way is to attach your library to standard OS programs, such as explorer.exe and iexplorer.exe, in other words, writing plugins for these programs. Here again there are a couple of ways, this is attaching using BHO and simply embedding your library into the executable file. The difference, roughly, is that Browser Helper Object is used as a plug-in to the browser, and the implementation of libraries is no longer so much a plug-in as a self-contained program, more reminiscent of a file virus of yesteryear.

Registry keys, where substandard goods can be registered, in the form of toolbars, buttons and browser start pages.

Start page

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain parameter StartPage.
HKEY_USERSS-1-5-21-1214440339-507921405-839522115-
1000SoftwareMicrosoftInternet ExplorerMain parameter StartPage

Register objects such as buttons, toolbars, etc.

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentV ersionExplorerBrowser
Helper Objects

This is where all the "helpers" are registered, and if you do not have them, then the key must be empty, if not empty, then you must delete it.

A more detailed analysis will require some tools such as PETools by NEOx and PEiD. Perhaps, by checking the registry, you will not be able to find changes to the stat page, as well as not find the registration of plugins in the browser. A closer look will reveal that this search string (toolbar) appears in all OS windows. This already changes the essence of the matter a little. Perhaps two independent spies are doing this, and it is precisely by the method of introducing a dynamic library. At the same time, it is necessary to distinguish that if the toolbar was only in the browser, it means that it was embedded in the iexplorer.exe process, but it is everywhere, therefore, it was necessary to check it in explorer.exe. Launch PETools and just see which libraries the browser uses. And if against the background of system libraries from% SYSTEMROOT% some smt.dll flaunts with a path that goes somewhere in TEMP, then the goal is achieved. Restarting in safe mode and deleting this library and everything is fine, the spy is killed. It remains only to call PETools again, right-click on the process and rebuild the file. This is the simplest case.

Yes, she needs to find and kill the toolbar. In the same way, we look at the explorer.exe process, nothing striking ...? Most likely the toolbar is lost among the libraries, please read it carefully)). But how, then, can you tell a real library from a fake one? As you know, virusmakers are chasing code minimization and encryption. That is, more than one toolbar, as a rule, will not lie in open form, firstly, the code can be reduced, which means it is necessary, and secondly, if someone (more often not even an antivirus, but a competitor) discovers this library, then it is easier for him to understand the unencrypted code ... Therefore, we take PEiD and perform a bulk scan of the imported libraries. Libraries from microsoft are naturally written in visual C ++ and are not packaged in anything, so if you see a packaged or encrypted library, then 99% of this is what you were looking for. It is very easy to check whether it is or not,

If, nevertheless, you cannot find the packed library, then it is useful to look at the file versions with a resource editor like Restorator. It is on such matters that virmakers are pierced.

It is also worth noting that the * .dll library may not necessarily be injected into processes. Win # has a useful and well-known application like rundll32.exe, and using this process you can run any library. And it is not necessary to write rundll32.exe myspy.dll at startup, just write it inside the infected file. Then you will see only your own (infected files that are unlikely to be detected by an antivirus) and the rundll32.exe process, and nothing else. What to do in such cases? Here you will have to delve into the structure of the file and OS ...

List of system services svhost.exe (WinXP)

DHCP client svchost.exe -k netsvcs
DNS client svchost.exe -k NetworkService
Automatic update svchost.exe -k netsvcs
Secondary login svchost.exe -k netsvcs
Logical disk manager svchost.exe -k netsvcs
Start DCOM server processes svchost -k DcomLaunch
Windows Management Instrumentation svchost.exe -k netsvcs Changed Link
Tracking Client svchost.exe -k netsvcs
NetBIOS over TCP / IP Helper svchost.exe -k LocalService
Computer Browser svchost.exe -k netsvcs Shell Hardware
Detection svchost.exe - k netsvcs
Workstation svchost.exe -k netsvcs
Server svchost.exe -k netsvcs
System Restore
Service svchost.exe -k netsvcs Windows Time Service svchost.exe -k netsvcs Error Logging
Service svchost.exe -k netsvcs
Cryptographic Services svchost.exe -k netsvcs
Help and Support svchost.exe -k netsvcs
Themes svchost.exe -k netsvcs
System Event Notification svchost.exe -k netsvcs
Remote Procedure Call (RPC) svchost -k rpcss Security
Center svchost.exe -k netsvcs
Remote Access Auto-Connection Manager svchost.exe -k netsvcs
HTTP Protocol SSL svchost.exe -k HTTPFilter
WMI Driver Extensions svchost.exe -k netsvcs
Image Download Service (WIA) svchost.exe -k imgsvc
Network Provisioning
Service svchost.exe -k netsvcs Portable Media Serial Number Service
svchost.exe -k netsvcs
Fast User Switching Compatibility
svchost.exe -k netsvcs
Removable Storage svchost.exe -k netsvcs
Generic PnP Host svchost.exe -k LocalService
Application Control svchost.exe -k netsvcs
Background Intelligent Transfer Service svchost.exe -k netsvcs
Remote Access Connection Manager svchost.exe -k netsvcs
Network Connections svchost.exe -k netsvcs
COM + Event System svchost.exe -k netsvcs
SSDP Discovery Service svchost. exe -k LocalService
Network Location Service (NLA) svchost.exe -k netsvcs
Terminal Services svchost -k DComLaunch
Telephony svchost.exe -k netsvcs
Windows Audio svchost.exe -k netsvcs
HID device access svchost.exe -k netsvcs
Routing and remote access svchost.exe -k netsvcs
Annunciator svchost.exe -k LocalService
Scheduler jobs svchost.exe -k netsvcs Messenger

svchost.exe -k netsvcs
 
Top Bottom