Full Disclosure mailing list archives
Re: List of worm and trojan files
From: James Tucker <jftucker () gmail com>
Date: Wed, 29 Dec 2004 10:28:11 -0400
> Assuming the attacker is competent, the only way to "clean" a deeply compromised machine is to reformat the drive and start from scratch. The truly paranoid will question whether just formatting the drive is sufficient.
I would agree with this. W95.CIH was one such virus for which formatting the drive alone was not sufficient, and it managed to achieve a lot of damage due to its dormant nature. (http://www.symantec.com/avcenter/venc/data/cih.html) These types of virus are not very common.
> One of the definitions of insanity: "Doing the same thing and expecting a different result". Therefore, it's certifiably insane to reload the system (to the previous state) and expect it to not be reinfected. =)
I would agree with this too. Common sense would surely suggest combining such things? ;-) So maybe find out where the infection came from, then rebuild preventing that next time.

As for the specific problem, many module-based viruses may be hard to find with Sysinternals tools, more so for the less initiated than for the experienced (without familiarity there are over 1000 modules to look up, and that's just the common ones). The best methods for native (non-rebuild) removal (in my experience) are either a BartPE boot disk or a boot into [safe mode with command prompt] (specifically with command prompt; we don't want to load explorer) with access to a clean virus scanner (it is sometimes not easy to get a clean virus scanner onto such a system, so BartPE is better). In these modes it is hard for a virus to ensure that it is loaded. In the case of BartPE nothing should be loaded from the hard disk, and a virus would have to exploit the BIOS or some drive loader (NTFS/USB/removable media initialisation) to load a module during boot. Such things are unlikely at the moment.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
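The post above points out that looking up over a thousand loaded modules by hand is the hard part of offline removal. One way to take the manual lookup out of it, added here as an example that is not part of James Tucker's post or of BartPE, is to hash the module files from the suspect disk while booted from clean media and compare them against a manifest captured from a known-clean install of the same build. The file contents, paths and manifest format below are constructed sample data; the `sha256sum`-style "hash  path" line format is an assumption of this example.

```python
"""Offline module triage: diff a suspect disk's module hashes against a clean baseline.

Added example, not from the original post. Assumes two manifests in
"<sha256>  <path>" form (one line per file): one taken from a clean install of
the same OS build, one hashed from the suspect disk while booted from clean
media (e.g. a BartPE disk), so the possibly infected OS is not running.
"""
import hashlib
from typing import Dict, List

# Constructed stand-ins for real module binaries on the clean reference system.
CLEAN_FILES: Dict[str, bytes] = {
    r"C:\WINDOWS\system32\kernel32.dll": b"clean kernel32 bytes",
    r"C:\WINDOWS\system32\ntdll.dll": b"clean ntdll bytes",
    r"C:\WINDOWS\system32\drivers\ntfs.sys": b"clean ntfs bytes",
}

# Constructed stand-ins for what was found on the suspect disk.
SUSPECT_FILES: Dict[str, bytes] = {
    r"c:\windows\system32\KERNEL32.DLL": b"clean kernel32 bytes",  # same file, different case
    r"C:\WINDOWS\system32\ntdll.dll": b"patched ntdll bytes",      # modified in place
    r"C:\WINDOWS\system32\drivers\ntfs.sys": b"clean ntfs bytes",  # unchanged
    r"C:\WINDOWS\system32\unknownmod.dll": b"unknown module bytes",  # not in baseline
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents."""
    return hashlib.sha256(data).hexdigest()


def normalise_path(path: str) -> str:
    """NTFS paths are case-insensitive; fold case and separators so the same file matches."""
    return path.replace("/", "\\").lower()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map normalised path -> sha256 for a set of files."""
    return {normalise_path(p): sha256_hex(d) for p, d in files.items()}


def write_manifest(manifest: Dict[str, str]) -> str:
    """Serialise as sha256sum-style lines: '<hash>  <path>'."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(manifest.items())) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hash>  <path>' lines; blank lines are ignored, paths may contain spaces."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[normalise_path(path)] = digest.lower()
    return manifest


def diff_manifests(baseline: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify suspect files as unknown (not in baseline), modified (hash differs) or missing."""
    unknown = sorted(p for p in suspect if p not in baseline)
    modified = sorted(p for p in suspect if p in baseline and suspect[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in suspect)
    return {"unknown": unknown, "modified": modified, "missing": missing}


def triage() -> Dict[str, List[str]]:
    """Round-trip both manifests through the text format, then diff them."""
    baseline = parse_manifest(write_manifest(build_manifest(CLEAN_FILES)))
    suspect = parse_manifest(write_manifest(build_manifest(SUSPECT_FILES)))
    return diff_manifests(baseline, suspect)


if __name__ == "__main__":
    for category, paths in triage().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Only the "unknown" and "modified" lists need a human to look at them; everything that matches the clean baseline drops out, which is what makes the check tractable when the module count is in the thousands. The baseline must come from the same OS build and patch level, or legitimate updates will show up as "modified".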