February 12, 2009

The warning signs of a PC infected with malware

Dennis O'Reilly By Dennis O'Reilly

Last week's news alert by Woody Leonhard described the high level of sophistication behind the Sinowal/Mebroot Trojan and described tools that attempt to remove the malware.

Many readers asked for more information on symptoms they should look for if they fear for their machines' security.

Subscriber Leslie Kight asks the following question:

  • "Great article. I'm curious, though: what makes Woody suspect his XP machine is infected by Mebroot? What symptoms did he see to raise that question?"

Here's Woody's reply:

  • "I kept getting weird virus warnings from AVG — viruses would appear, I would remove them, then they would reappear in different locations, or entirely different viruses would show up. AVG reported that the MBR [Master Boot Record] was being changed every time I rebooted, even when I did nothing.

    "I did a deep scan — first with AVG, then with NOD32 — to remove all the reported malware, but the viruses kept reappearing. Antirootkit scans turned up nothing. Then I couldn't connect to F-Secure's Web site, so I pulled the plug.

    "As I said in the article, I have no idea at all if it was Mebroot. But I couldn't find any reports of similar collections of problems and decided to err on the safe side.

    "Periodically reinstalling Windows is something I recommend anyway: once a year is ideal, in my experience. I'm happy to report that I've reinstalled XP Pro (SP3, of course), reactivated [Windows], and brought back the data files; everything appears to be working just fine. The machine's snappier than ever."

Double up to remove a virus from a hard drive

In deference to animal lovers, I will avoid the cat-skinning analogy, but as reader Bob Biegon points out, there's more than one way to return an infected hard drive to a healthy state:

  • "One of the easiest and, by my experience, most effective ways to remove many serious virus-spyware-rootkit infections is to remove the PC's hard drive, put it in another PC (or connect to another PC via a USB-to-IDE/SATA adaptor), and scan the drive with the second PC's anti-malware software.

    "This method ought to work well for the Mebroot virus without compromising the host PC's drive. My favorite products to use in this endeavor are AVG 8 and Sunbelt Software's Vipre."

Since when did mice start hunting cats?

The best analogies have a basis in reality (not the one I mentioned above relating to feline pelts, thank goodness). But another kind of cat reference in Woody's column from last week gave reader John Walsh pause:

  • "I do enjoy Woody Leonard's cialis generic vs brand articles and have been a fan of his for many years. However, in his latest article, Woody notes 'Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.'

    "In my mind, the cats are actually the good guys trying to help eradicate the vermin (malware) represented by the mice. Therefore, I would suggest it is actually the black mice who are winning and proliferating, much to the consternation of the white cats."

Indeed, the bad guys are scavenging for your data and your money while the good guys hunt them down. However, Woody's use of "black cats" in this sense plays off the term "black hat" to describe a hacker with evil intent.

Mixing puns and analogies is dangerous business, but that's the kind of adventurous, risk-taking writer Woody is. That's only one reason why his readers love him so.

Filed under security, tech hints by al

Permalink • Print • Comment

Leave a comment

You must be logged in to post a comment.

Made with WordPress and a healthy dose of Semiologic • Sky Gold skin by Denis de Bernardy