Computers running Microsoft Windows are a prime target for viruses, adware and spyware, collectively called malware. Recently I was called by several friends to fix some problems on their PCs, only to find out that these were contaminated with several malware programs. In the process of removing those I found out some details that I would like to share on this page.

My estimate is that nearly every PC running Windows owned by a non-expert user contains multiple malware programs.

Removing malware isn't that difficult, and most often does not need special tools.

This page contains some notes on the problem of malware on Windows systems. It isn't a polished essay, but rather a bunch of notes, like a brainstorm. I lost so much time cleaning some machines, as mentioned, that I don't have the time to perfect this writing.

References

Here are some Internet references:

How do you get infected with malware?

It is easy to get infected. Often, you may come across a nifty utility, a fun screensaver or an interesting attachment in an apparently trustworthy email, or click on an advertisement banner just by accident. In fact, the term social engineering is used for exactly that kind of science which tries to convince a person to click, open or download something with a hidden agenda. But there are even ways to get infected or hacked by doing nothing at all: for example, by not patching your system, not configuring your web server, or not turning off certain services.

Messenger Spam

According to the spyware guide on messenger spam, network ports 135, 137, 138, 139 and 445 are used by Microsoft Messenger, a built-in utility that is enabled by default. This allows anyone on the Internet to display a message in a popup on your computer like the one in the picture. Note that you do not need to be running any web, email, or instant messaging software. It has nothing to do with MSN Messenger, Yahoo Messenger, or any other application. The sender does not need to know anything about your computer, and your computer doesn't care who does it. Just try it yourself with this command in a DOS box: net send 127.0.0.1 "test" where you may replace the IP address by that of another Windows computer. In recent incidents, people have used this capability to spread spam messages like the one shown.

You can disable the Messenger service if you want to, although doing so may result in Windows not being able to alert you to some conditions. This may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.
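As an added example (not part of the original page), here is a small Python check that reads `netstat -an` output and reports which of the ports named above are bound to a network-reachable address. The netstat sample is constructed for this example; a listener on these ports shows that the machine is exposed, not by itself that the Messenger service is what is listening.

```python
import re

# Ports the page lists for the Messenger service / NetBIOS.
MESSENGER_PORTS = {135, 137, 138, 139, 445}

# Constructed sample of `netstat -an` output in the Windows XP layout
# (proto, local address, foreign address, state); not taken from the page.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    127.0.0.1:1900         *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def exposed_messenger_ports(netstat_text):
    """Return sorted (proto, bind_addr, port) tuples for sockets on the
    Messenger/NetBIOS ports that are bound to a non-loopback address, i.e.
    reachable from the network and not only from the machine itself."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if port not in MESSENGER_PORTS:
            continue
        # Only a LISTENING TCP socket accepts connections; UDP sockets have
        # no state and always receive datagrams.
        if proto == "TCP" and state != "LISTENING":
            continue
        # A socket bound to 127.0.0.1 cannot be reached from outside.
        if addr.startswith("127."):
            continue
        found.append((proto, addr, port))
    return sorted(found)

if __name__ == "__main__":
    for proto, addr, port in exposed_messenger_ports(SAMPLE_NETSTAT):
        print(f"{proto} port {port} on {addr} is reachable from the network")
```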

**Beware!** The problem is much **bigger**

Quoting [http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q330904 Microsoft's KnowledgeBase article Q330904] on the subject,

  In addition to transmitting net send messages to your computer over the Internet, a malicious user may also be able to use the NetBIOS connection to your computer to perform the following tasks:

  * Access your private information
  * Initiate denial of service (DoS) attacks against a high profile Web site
  * Distribute software illegally by appropriating space on your hard disk

Hijacked Start Page

Of course you should set the browser to display a web page of your choice on startup. But when you notice that, on startup, you get to see a different web page, be careful. You probably have start page hijacking malware on your PC.

This trick is especially clever when the new start page seems to contain very interesting links to security tools and all kinds of utilities.

Avoiding Malware

There are some practices that are important to avoid getting malware on your system.

The Real World

There is an analogy to safe downloads in the real world.

How would you choose a dentist? From an advertisement in a newspaper or the Yellow Pages? Just walk into someone's office, lie down in his chair and open your mouth wide for his treatment?

Probably not. There are good and bad dentists, even if all are licensed by the government. Most people would spend some time talking to family, colleagues, neighbours and acquaintances for recommendations.

Downloading

Similarly, before downloading some program, you had better do some research. With a search engine such as Google you can find out not only whether that program is useful or useless, but also whether it is safe or dangerous.

In case of doubt, you had better not touch that software at all.

And if that software turns out to be useful and safe, you should find out its original web site, where you can download a genuine copy. If possible, obtain a digital signature and verify the software's integrity. Finally, after downloading and installation, run your virus scanner.
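An added example, not from the original page, of the integrity check mentioned above: it verifies a download against a published SHA-256 checksum in the `sha256sum` line format, which is the hash half of the check (verifying the publisher's digital signature is a separate step done with a signing tool). The file name and contents are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(sums_text):
    """Parse `sha256sum`-style lines ('<hex digest>  <file name>') into a
    dict of file name -> lowercase digest; blank and '#' lines are skipped."""
    sums = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return sums

def verify_download(path, sums_text):
    """True only if the file's digest equals the published one. A file with
    no published digest counts as unverified, never as verified."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo():
    """Constructed run: write a placeholder installer, publish its digest,
    verify it, then flip one byte (a tampered copy) and verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-setup.exe")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)  # constructed, not a real program
        sums = f"{sha256_of_file(path)}  tool-setup.exe\n"
        untouched = verify_download(path, sums)
        with open(path, "r+b") as f:
            f.seek(50)
            f.write(b"\x01")
        return untouched, verify_download(path, sums)
```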

Email Attachments

A good email reading program should include a feature to prevent the automatic opening of email attachments. Unfortunately, Microsoft Outlook is set by default to open an attachment automatically. Find out how to change the settings and turn this behaviour off.

Files To Watch Out For

Are all files potentially dangerous? No, but many are. Here are some file types to watch out for, with typical file name extensions.

- .exe executable file
- .com executable file
- .bat executable script
- .scr screen saver
- .doc Microsoft text document, may contain a macro
- .xls Microsoft spreadsheet, may contain a macro
- .ppt Microsoft presentation, may contain a macro

The following file types are generally considered safe:

- .jpg JPEG picture
- .gif GIF picture
- .png PNG picture
- .wav sound file
- .avi video file
- .txt ASCII text file
- .tex TeX text document

Beware that attachments may carry a label different from the real type of the file, e.g., a potentially dangerous *.EXE file labeled as a harmless sound file. In such a case, you can be reasonably sure that you have encountered a virus.
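An added example (not from the original page) that applies the two lists above: it reads the first bytes of an attachment to determine the real file type and flags a file whose name claims a safe type but whose content is an executable. The signatures cover only the types listed here; `.com` and `.bat` files have no fixed header and cannot be recognised by content this way.

```python
import os

# Leading-byte signatures for the file types listed above. The Office
# formats of that era share one OLE2 compound-document header.
MAGIC = [
    (b"MZ", "executable"),                            # .exe, .scr
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office"),  # .doc/.xls/.ppt
]
# What each extension from the page claims the file to be.
EXT_TYPE = {".exe": "executable", ".scr": "executable", ".com": "executable",
            ".jpg": "jpg", ".jpeg": "jpg", ".gif": "gif", ".png": "png",
            ".wav": "wav", ".avi": "avi", ".doc": "office", ".xls": "office",
            ".ppt": "office"}

def sniff_type(data):
    """Guess the real type from the leading bytes; None if unrecognised."""
    # RIFF containers name the format at offset 8 (.wav and .avi).
    if data[:4] == b"RIFF" and len(data) >= 12:
        form = data[8:12]
        if form == b"WAVE":
            return "wav"
        if form == b"AVI ":
            return "avi"
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None

def classify_attachment(name, data):
    """Return (claimed_type, real_type, verdict): 'danger' when the name
    claims a non-executable type but the content is executable, 'mismatch'
    for any other disagreement, 'ok' when they agree, 'unknown' when the
    content is not recognised."""
    claimed = EXT_TYPE.get(os.path.splitext(name.lower())[1])
    real = sniff_type(data)
    if real is None:
        return claimed, real, "unknown"
    if claimed == real:
        return claimed, real, "ok"
    if real == "executable":
        return claimed, real, "danger"
    return claimed, real, "mismatch"
```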

Applications To Watch Out For

The essence of a Trojan Horse is that it looks interesting and valuable, but in fact is harmful. So think twice before downloading that new tool, gadget or program.

Especially enticing are files on peer-to-peer and messaging services. Even the software needed to access those highly popular services is highly suspect. Many peer-to-peer and messaging programs are known to contain backdoors, and are in fact malware. These programs are often also known to contain bugs that make it possible to hack your system. The basic peer-to-peer feature of letting other people access files on your computer is in itself a very dangerous concept.

The popular program RealPlayer is a blatant example of adware. Most people allow this on their computer because it offers benefits too, such as the ability to access much of the video content on the web. While the advertisements are annoying, personally, I wonder what invisible actions RealPlayer carries out. Does it spy on your system?

My advice is to at least carefully read the license text (EULA) that is shown during the installation. This is boring reading, sure, but if it is honest enough to tell you about adware or spying, probably carefully phrased as "collecting information to serve you better", you had better be aware of this.

There may be alternative programs developed as Open Source, which are less likely to contain malware. At least I am aware of an Open Source program for Linux that can handle RealVideo streams.

A worrisome development is the interest that big, otherwise bona fide, companies in the music industry have in hacking the computers that they believe are violating their copyrights. This is one order of magnitude more dangerous than those "script kiddies" that try to make viruses just for fun, and also more dangerous than those bogus music files that only contain boring noise or verbal warnings.

Even more worrisome is the CIA project Magic Lantern that in the name of fighting terrorism develops hacking software with a military budget.

Flash animations on web sites are very popular. There are even many sites that are just impossible to enter without going through a Flash animation. When you don't have the Flash plugin, a popup will appear saying that "you must install the flash plugin". I am not yet aware of an open source version of a Flash plugin. My gut feeling is that nobody should dictate that I download and install a plugin that I don't trust, and I don't know why I should trust the Macromedia Flash plugin. That many others use it does not mean much to me, because many others also happily download all kinds of malware.

My recommendation is to stay away as much as possible from:

- peer-to-peer software
- messaging software
- browser plugins (Flash)
- proprietary multimedia software (RealVideo)

If you insist on using these services, consider alternatives such as chatting with open source software like ChatZilla and viewing video streams with the open source MPlayer, xine or totem (Linux).

As a final observation, Windows, as the most used and least secure operating system, combined with messaging, as the most used internet application, seems the ideal target for malware hackers. So avoid using either Windows or messaging, or both, to eliminate the most prominent classes of malware.

How do you remove malware?

Just assume that your system contains malware, until proven otherwise.

You are able to defend yourself! There are some ways to remove malware.

Remove Software

The Windows Configuration Panel contains a Software window. It lists installed software. Examine each program. If it has a clickable link for more information, click and read. It should name the company responsible for the software.

If you are unsure, check the name of the program on the Internet on the website of an anti-virus company, a malware information site, or with a search engine such as Google.

You will be surprised how many of those programs turn out to be malware.

Click the "remove" button in an effort to get rid of it.

However, there is no guarantee that the software will disappear completely. Also try your anti-virus program, a Windows repair ("doctor") program, etc. Finally, reboot your system often.

It is also wise to disconnect your machine from the network and the Internet while cleaning up, to give the malware no chance to report back to headquarters about the removal.

Tools

There exist many anti-virus tools, spyware removal tools, etcetera. Examples are: Norton Antivirus, Ad-Aware (Lavasoft), System Mechanic. None of these guarantee good results, but using them is better than doing nothing. On the Internet I have seen many complaints about Norton. I have also had to manually remove many malware programs from a system where Ad-Aware was installed.

Complete System Backups

Some system administrators recommend making complete backups of the Windows system using Partition Magic and Ghost. Instead of the tedious and uncertain labour of removing malware, you could do a complete restore of the Windows system from a clean backup, which could take less than 10 minutes on a not-too-slow machine.

While certainly effective, I see some drawbacks.

First, you will lose all modifications made after creating the backup, such as installation of new drivers, patches, and bonafide software packages, and also modifications to system configuration, such as passwords and disabling of messaging.

It may be necessary to do a full system restore directly before, and a full system backup after, each modification to the system. The restore is needed unless you can guarantee that the system did not accumulate any malware since the last backup, and such a guarantee may not be possible. The backup is to save the modification. Thus, the backup method makes removal of malware easy and complete at the cost of more trouble in modifying and maintaining the system.

Second, it is a brute-force method expressing the belief that it is not feasible to clean a Windows system, that a Windows system is unmaintainable. This is contrary to the notion that Windows is an easy-to-use graphical user interface system.

Conclusion

It is easy to acquire viruses and other malware on a PC because of the advanced social engineering skills of malware authors, because of the relative insecurity of the Windows operating system, and because of the great innocence of most computer users. Some guidelines were presented to avoid malware, and to remove it from an infected system. Nonetheless it seems that a complete solution does not exist.

Roland Kwee, September 2004

Windows Malware (last edited 2005-12-01 22:18:08 by RolandKwee)