Detecting Malware

tsghmike · 415


Offline tsghmikeTopic starter

  • [SA:MP] Judge
  • Regular
    • Posts: 329
  • Fu*k the internet; it took away your intellect
  • With us since: 07/03/2011
    • Oxyhost
on: September 16, 2011, 08:26:21 am
When searching for malware there are two areas that may prove fruitful - the file system and the registry. There are a number of tools available that can provide the necessary information, some such as HijackThis focus mainly on the registry while others such as DDS cover both areas.

One important issue for the malware writer is to keep his/her creation safe from detection and subsequent removal, and choosing the right name for the file is a key part of that. Knowing some of these choices will enable us to better spot these files when reviewing the various logs that we may come across. Some options are as follows:

1) The random filename. Example: adsgruda.exe

This is generally not a good idea as nothing quite shouts malware as a meaningless filename. It is only the work of a minute or two to run the filename through the search engine of your choice and, although you should never assume that random always equals bad, few or no hits is very good evidence that closer inspection is necessary.

2) The meaningful filename. Example: servicehost.exe

Definitely a better choice than the first for passing a brief inspection, but a little research will again show its true colours. Never assume that just because it looks legitimate, it is.

3) The nomadic filename. Example: spoolsv.exe

The trick with this one is to use a legitimate filename but place it in a different folder to normal. The example above is normally found in WINDOWS\system32 on XP, so C:\WINDOWS\system\spoolsv.exe should sound the alarm bells. Always pay attention to the location when researching a file as it may be the key to solving the problem.

4) The squatter filename. Example: C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe

With the advent of security programs that monitor the registry looking for the creation of autostart instructions, one method of getting around this is to look for orphaned entries. Sadly not all programs remove everything that they originally created and, in this age of recycling, if a quick scan of the registry finds one such entry this will provide both a name and location for the malware and also avoid the need to try and bypass the security to get the malware started.

As both the filename and location are legitimate, research will draw a blank here. Cross-referencing the installed programs with the registry entries will allow you to see if any don't belong and while they may not be anything other than leftovers, good housekeeping will see them removed and ruled out as malicious.

Checking for the creation of new files on the date that any problems first occurred is another option here, which is why newer tools provide this information.

5) The identity theft filename. Example: C:\Windows\System32\drivers\atapi.sys

It is possible to replace a legitimate file such as the one above with a malicious version and relocate the legitimate one to another folder. Now when the legitimate file is called, the malicious one will become active instead and it can in turn call the legitimate one, which should leave the user none the wiser.

A similar approach is to add malicious instructions to a legitimate file, and these will be carried out when the legitimate file is called.

The danger when facing the removal of this infection is that the infected/replaced file will be removed, and this can spell the death of the current installation depending on the file in question. Whether you delete the infected file or the malicious one that calls the legitimate one, you deprive the system of legitimate instructions, and this could prove to be a disaster if these instructions are vital to the system. This is a very good reason for sticking to online scanners that have no removal capability, such as Kaspersky, or have one which can be disabled, such as ESET.

File sizes and MD5 checksums are helpful here, that and a softly-softly approach to removal.
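A small Python triage helper, added here as an example and not part of mike's post, that applies checks 3, 4 and 5 above to a constructed list of autostart entries. The expected folders, the known-good MD5 and the installed-programs list are assumptions standing in for what you would take from a clean reference machine; checks 1 and 2 (running the name through a search engine) are left to the reader.

```python
import hashlib
from dataclasses import dataclass

# Constructed reference data (an assumption, not from the post): where a few
# system files normally live on XP, a known-good MD5 for one, and the folders
# of the programs that are actually installed on the machine being examined.
EXPECTED_DIR = {"spoolsv.exe": "c:\\windows\\system32",
                "atapi.sys": "c:\\windows\\system32\\drivers"}
KNOWN_GOOD_MD5 = {"atapi.sys": hashlib.md5(b"constructed good atapi.sys").hexdigest()}
INSTALLED_PROGRAM_DIRS = {"c:\\program files\\mozilla firefox"}
PROGRAM_FILES = "c:\\program files\\"

@dataclass
class AutostartEntry:
    """One autostart target as a log tool would list it (path plus file MD5)."""
    path: str
    md5: str = ""  # empty when the log carries no checksum for the file

def classify(entry: AutostartEntry) -> list[str]:
    """Return the naming tricks from the post that this entry matches."""
    path = entry.path.lower()
    folder, _, name = path.rpartition("\\")
    findings = []
    # 3) nomadic: legitimate file name sitting in the wrong folder
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        findings.append(f"nomadic: {name} belongs in {EXPECTED_DIR[name]}")
    # 5) identity theft: right name and place, but the content was replaced
    if name in KNOWN_GOOD_MD5 and entry.md5 and entry.md5 != KNOWN_GOOD_MD5[name]:
        findings.append(f"identity-theft: {name} MD5 differs from known-good")
    # 4) squatter/leftover: lives under Program Files of a product not installed
    if folder.startswith(PROGRAM_FILES) and not any(
            folder.startswith(d) for d in INSTALLED_PROGRAM_DIRS):
        findings.append(f"squatter/leftover: no installed program owns {folder}")
    return findings

def triage(entries: list[AutostartEntry]) -> dict[str, list[str]]:
    """Map each suspicious path to its findings; clean entries are left out."""
    return {e.path: classify(e) for e in entries if classify(e)}

# Constructed sample entries mirroring the post's examples.
SAMPLE = [
    AutostartEntry("C:\\WINDOWS\\system32\\spoolsv.exe"),
    AutostartEntry("C:\\WINDOWS\\system\\spoolsv.exe"),
    AutostartEntry("C:\\Program Files\\Acronis\\TrueImage\\TimounterMonitor.exe"),
    AutostartEntry("C:\\Windows\\System32\\drivers\\atapi.sys",
                   md5=hashlib.md5(b"constructed tampered atapi.sys").hexdigest()),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE).items():
        print(path, "->", "; ".join(hits))
```

A hit from check 4 only says the folder is unowned; as the post says, it may be a harmless leftover, so confirm with the installed-programs list before removing anything.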




Offline Exterminator

  • Hero
    • Posts: 2232
    With us since: 17/04/2011
  • SA:MP: Philip_Ancelotti
Reply #1 on: September 16, 2011, 07:49:59 pm
You forgot to add anti-virus software, mike.

Though I personally recommend the Guardian AV, since if your PC is infected by a malware and the AV doesn't recognise it, like with all Indian products it offers an amazing customer support. You can call them free of charge for expert advice and actually have them take control of your PC if you wish and remove the malware manually... Loving it, saved my ass thrice...


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Offline Dolfagr

  • Veteran
    • Posts: 1772
    With us since: 31/01/2008
Reply #2 on: September 16, 2011, 08:42:48 pm
Malware Bytes works great for me, I suggest it to everyone.  :)



Offline Gandalf

  • Owner
    • Posts: 15956
    With us since: 12/07/2006
Reply #3 on: September 16, 2011, 09:34:25 pm
To remove malware you can now and then use programs like Hitman Pro, which installs a number of malware tools to run them. As malware removal programs are usually not complete in their work, it does not hurt to have several programs installed.

As for virus scanners the opposite is true. Use just one single anti-virus program, as using more than one often results in vulnerabilities and memory conflicts.

And one more tip... never EVER agree with an anti-malware download that suddenly pops up. If you suspect having malware, search for well-known removal tools and do not fall for tools that will just install other malware.

Do not roleplay a veteran on discord, be a veteran in game.


Offline tsghmikeTopic starter

  • [SA:MP] Judge
  • Regular
    • Posts: 329
  • Fu*k the internet; it took away your intellect
  • With us since: 07/03/2011
    • Oxyhost
Reply #4 on: November 18, 2011, 02:46:17 pm
Quote from: Gandalf on September 16, 2011, 09:34:25 pm
    To remove malware you can now and then use programs like Hitman Pro, which installs a number of malware tools to run them. As malware removal programs are usually not complete in their work, it does not hurt to have several programs installed.

    As for virus scanners the opposite is true. Use just one single anti-virus program, as using more than one often results in vulnerabilities and memory conflicts.

    And one more tip... never EVER agree with an anti-malware download that suddenly pops up. If you suspect having malware, search for well-known removal tools and do not fall for tools that will just install other malware.

I am going to be coming up with a lot more for this section now that I am an HJT teacher and less busy with that.

