"Behind the Scenes"
|June 2012||The monthly newsletter by Felgall Pty Ltd|
Just How Safe From Viruses is Your Computer?
While in security terms a virus is just one form of malware that has specific characteristics, the general public just use the term to refer to any of the many types of malware. So an anti-virus program isn't just supposed to protect your computer from viruses, it is supposed to provide protection against all sorts of different malware.
Just because you have an anti-virus program installed on your computer doesn't mean that your computer is safe from malware. Even if you install all the different types of security programs that you can find. I have about a dozen different security programs installed on my computer from several different suppliers (only one anti-virus program and one firewall since if you install two of those they will interfere with one another - but multiples of some of the other types of security program). Even with all this in place a trojan still managed to install itself onto my system.
Now a trojan is a specific type of malware that hides itself on your computer and then calls back to its originator providing them with access into your computer so that they can install whatever other malware that they like. This means that it isn't initially as destructive as a virus or a worm but if allowed to do its thing it allows someone to install more malicious smalware onto your computer.
In this particular case the anti-virus I run did not detect that the particular files that I downloaded on this occasion contained a trojan even though I ran a specific scan of the files immediately after downloading them. None of the other security scans that I ran on the files detected anything either. There was every indication from all of the security systems installed on my computer that this download was safe to run. It was only after I ran it and the trojan was installed that the security on my system detected it. Yes I do perform checks like this on all the executables that I download and in this instance even performing all these checks wasn't enough.
With this particular trojan the first security program to indicate that anything was wrong was my firewall. It popped up an alert stating that this particular module (supposedly a part of the program I had just started running) required access to the internet and did I want to give it permission. The firewall told me both which program it thought the module belonged to and also where it was located on the computer. The location where it was trying to run the file from made me suspicious since it was trying to run from a sub-folder inside a data folder and when I looked at the data folder there didn't appear to be any such sub-folder there. I therefore blocked the module from being allowed to access the internet and started researching to try to find out just what this module was.
My research identified it as malware and more specifically as a trojan (which meant that my preventing it from accessing the internet had probably prevented it from doing any harm). The next step was to remove the trojan from my system. Now the pages I found that identified what the malware was also provided instructions for removing it. Following such instructions isn't necessarily the way to fix your problem though. The instructions I found suggested using specific programs to clean up the system and also advised that you should click on ignore to bypass any alerts that your anti-virus software might produce when you try to install these programs since the site claimed that such programs might trigger such an alert simply die to what they do. This opens the possibility that if such programs that are recommended to fix your system are actually malicious then they can take you from a bad situation to a far worse one by actually installing worse malware than the one you are trying to remove. In this particular case the recommended software were basically registry cleaner programs that would scan your system, report how many thousands of problems your system has in the registry and then suggest that it could fix the errors for you if you pay to register the program. Since I couldn't see much point in paying for another registry scanner to add the the one I already had installed I decided to work out for myself how to remove the trojan - particularly since a registry scanner by itself wouldn't remove everything.
First I opened the Task Manager and brought up the list of all running processes and stopped the trojan from running. Next I opened my "My Documents" folder and since the sub-folder that the trojan was in didn't show up I changed the settings so that system folders and files would also be displayed (something that the settings suggest is not recommended since generally you don't want to go tampering with system files unless they are malware masquerading as system files). Now even with the trojan stopped the system still thought that the file was in use (due to the way I stopped it) so I had to log out and log back in as a different user to be able to delete the folder (just another reason why you should have both an administrator and a regular user account on your computer). With the actual file removed I then ran my registry cleaner program to scan the registry. The scan found the references in the registry to the now missing module and removed them. I then rebooted the computer and checked that the trojan files I had removed were still missing and that the trojan was not running.
Well that's basically what steps I followed that look like they actually got rid of the trojan from my system. What I actually did involved a lot more trial and error with running some of those steps or alternatives to those steps, rebooting and seeing that what I had done hadn't got rid of the virus and so I tried a different combination. Fortunately my firewall prevented the trojan from doing any harm and I was able to figure out a safe way to remove it.
Now my computer has all the security features I can find that look like they ought to work installed on it (the only ones I remove are those that stop the system from working properly for the things I need it to be able to do). Even all this security only identified this trojan when it actually tried to communicate with its originator and got blocked by the firewall. So this simply demonstrates that no matter how much security you have installed, your computer is still not completely safe from attack. The security software is still well worth having though since it will at least trap most such threats to your system and in this instance the firewall did its job even though the anti-virus and spyware detection software didn't.
This particular computer is still running Windows XP where the firewall supplied with the operating system only blocks unauthorised incoming requests and allows all outgoing requests through. It is only that my computer had a third party firewall installed instead (which blocks unauthorised requests in both directions) that this trojan wasn't able to do whatever it was designed for and possibly trash my entire system. The reports I saw about this particular trojan did suggest that it could totally trash the operating system - presumably by downloading further malware but since it was blocked from access to the internet it was unable to actually do anything to my system.
The following links will take you to all of the various pages that have been added to the site or undergone major changes in the last month.