Full Disclosure mailing list archives

Re: List of worm and trojan files


From: James Tucker <jftucker () gmail com>
Date: Wed, 29 Dec 2004 10:28:11 -0400

Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting the drive is
sufficient.

I would agree with this. W95.CIH was one such virus for which formatting
the drive alone was not sufficient, and it managed to achieve a lot of
damage due to its dormant nature.
(http://www.symantec.com/avcenter/venc/data/cih.html)

These types of virus are not very common.
 
One of the definitions of insanity: "Doing the same thing and
expecting a different result". Therefore, it's certifiably insane to
reload the system (to the previous state) and expect it to not be
reinfected. =)

I would agree with this too.

Common sense would surely suggest combining such things? ;-)
So maybe find out where the infection came from, then rebuild
preventing that next time.

As for the specific problem, many module based viruses may be hard to
find with Sysinternals tools, more so for the less initiated than
for the experienced (without familiarity there are over 1000 modules to
look up, and that's just the common ones).

The best methods for native (non-rebuild) removal (in my experience)
are either a BartPE boot disk or a boot into [safe mode with command
prompt] (specifically with command prompt, we don't want to load
explorer) with access to a clean virus scanner (it is sometimes not
easy to get a clean virus scanner onto such a system, so BartPE is
better). In these modes it is hard for a virus to ensure that it is
loaded. In the case of BartPE nothing should be loaded from the hard
disk, and a virus would have to exploit the BIOS or some drive loader
(NTFS/USB/removable media initialisation) to load a module during
boot. Such things are unlikely at the moment.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html