Computer Viruses to really watch out for
My big repair today was the removal of a rootkit virus that damaged my customer’s computer. The rootkit apparently changed permissions on his folders and apps. This rootkit virus also stole my customer’s data.
In my second installment of viruses, I will describe different types of viruses. Identifying the type of virus is an important first step in the removal of the virus. Knowing what kind of virus infection you have may point to different removal steps. Also, if the virus is the type that steals password information, then changing your passwords may be an important step to protect your banking and financial data. Removal of viruses will be addressed in future blog posts.
File infector virus
A file infector virus invades other files and places its malicious code into them. It also loads itself into system memory and lies in wait to invade more files. This virus comes from the Internet or from corrupted flash media. One form of the virus masquerades as a Win32 file and is distributed through the HttpSendRequest browser API. It is often installed by other malware and corrupts important DLL files.
Boot sector virus
Another type of virus is a boot sector virus, which infects the boot sector of the hard drive. It usually modifies the volume label of the drive. This virus may cause booting problems that require a reinstallation of the boot files or of Windows itself. A reinstallation of Windows can be a costly repair.
Multipartite virus
A multipartite virus spreads in more than one way. To fully remove the virus, you have to find and remove all of its different parts.
A Macro Virus
A macro virus is written in the macro language of the application it targets and attacks office software such as Microsoft Office. If the file is encrypted, then the virus may be beyond the capability of an antivirus program. Since it depends on the application rather than the operating system, it can run on any operating system the application runs on.
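As an added example (not code from the original post), here is a small check a technician can run before opening a suspicious Office file: it looks inside the Office Open XML container for an embedded VBA project and, matching the caveat above, reports encrypted or legacy binary files as opaque rather than clean. The sample files it builds in memory are constructed stand-ins, not real documents.

```python
import io
import zipfile

# Legacy .doc/.xls and password-encrypted Office files are OLE compound files,
# so they cannot be inspected as a zip and are reported as "opaque".
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_file(data: bytes) -> str:
    """Return 'macro', 'clean', 'opaque' (cannot inspect) or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "opaque"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            # Macro-enabled files carry a vbaProject.bin part (word/, xl/, ppt/)
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Also catch a VBA part declared under an unusual name
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            return "macro" if VBA_CONTENT_TYPE in types else "clean"
    except zipfile.BadZipFile:
        return "not-office"


def make_sample(with_macro: bool) -> bytes:
    """Constructed in-memory stand-in for a .docx/.docm; not a real document."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="'
                 'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_macro:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes, not a real VBA stream
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("plain", make_sample(False)), ("macro", make_sample(True)),
               ("ole", OLE_MAGIC + b"\x00" * 8), ("text", b"hello")]
    for label, blob in samples:
        print(label, "->", classify_office_file(blob))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `classify_office_file`; an "opaque" result means the file should be treated as untrusted until it can be opened in a sandbox.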
The Polymorphic Virus
A polymorphic engine is used to create a virus that mutates itself with each infection. This virus infects with a freshly encrypted copy of itself, which makes it difficult to remove.
Worms
Worms are programs that copy themselves without the use of a host file. Worms spread by copying themselves into outbound email. Some worms will drop a Trojan horse on a computer to open a network port for communication with its sponsor.
Trojan horses
Trojan horses are malicious programs that can send information such as passwords back to their sponsors. These programs hide their true nature behind harmless-looking names, and you have to give them permission to run on your computer. They can be dangerous because they can steal data from your computer.
Spyware
Spyware is a class of programs that gather information for marketing purposes and send it to a third party. Spyware is not a virus but malware, and it is usually not picked up by virus scans. It usually attaches itself to downloads and thus passes through firewalls. A good program such as Malwarebytes will scan for this kind of malware and quarantine it. A symptom of spyware is slowed computer performance. Almost all computers will have malware/spyware on them unless an antimalware program is used. When Perry’s Computer Repair tunes a computer, the first scan is a malware/virus scan.
Rogue antispyware
Rogue antispyware programs are malware posing as removal scanners, and their scans may report false positives. High-pressure salesmen use deceptive tactics to sell these programs. Often free scans are offered, but you will need to pay to get the malware removed. Other products are so dangerous that they will place rogue malware on your computer, with Trojans and other serious viruses. So beware of the virus protection you put on your computer.
Adware and Toolbars
Other types of malware include adware and toolbars. Adware can secretly monitor your traffic and push pop-ups into the pages you visit. When you download a program you want, the fine print may include adware or other unwanted programs, so you will want to read the end user agreement.
Toolbars can attract other malware to your browsing. Beware of your downloads and of the toolbars that you add to your browser. Conduit Search, for example, is a browser hijacker that changes your browser homepage to search.conduit.com. You can delete this program in Google Chrome settings. While these kinds of malware are not viruses, they consume computer resources and ultimately slow down your computer.
Rootkits
Rootkits are specialized programs that exploit known vulnerabilities in an operating system and are used to gain access to your computer. They are called rootkits because they gain administrative (root) access to your computer. The virus mentioned in the introduction was a rootkit which had prevented my customer from backing up his computer. It had changed the permissions on his computer so that he could not back up his computer. The virus had blocked his access to the volume root directory.
Another type of rootkit is the user-mode rootkit, which operates in the user or application space. It modifies system DLLs in memory and hooks the Windows Model Specific Register. This causes the kernel mode, which acts as a gate, to direct execution to the virus, which then changes code in the operating system and the registry.
Kernel space is generally off-limits to standard authorized (or unauthorized) users. One must have the appropriate rights in order to view or modify kernel memory. However, the kernel is an ideal place for system hacking because it is at the lowest level. It is the most reliable and robust method of hacking. The system call’s path through the kernel passes through a variety of hook points.
Another effect of this virus is to modify the System Service Descriptor Table, which can then redirect execution of the code to the rootkit. There are other techniques it can employ to create havoc on the computer. Rootkits are very malicious and complicated viruses, but they are very common on the Internet. It is best not to get them, but if you do, call Perry’s Computer Repair for removal.
DNS poisoning
The last virus for discussion is a DNS (Domain Name System) poisoning attack, which applies to the servers that handle name lookups for the users on their network. This attack targets a vulnerability in the DNS software. A DNS server acts like a telephone book and holds the IP entries for all the users on the network. The attacker can redirect users to its own websites and servers, where they pick up Trojans and worms. Users are tricked into downloading malicious content.
Our next installment will discuss a particularly dangerous Trojan: Zeus.