
Next, determine what the rogue program did to each PC. Did it drop off other files, rename files, overwrite files, make registry changes, or insert itself in startup areas? If not, then you have to eliminate the email problem only. If the worm or virus modified a PC, then you have a much larger problem. Do the dropped files have the same name every time? Are the system modifications consistent between computers? When you're investigating what the attack modified on a PC, look for newly created or modified files and look in areas that can automatically start programs, services, and daemons. If you're on a Windows PC, be sure to examine at least these areas and files:

  • autoexec.bat and config.sys (or equivalents)
  • win.ini (Inspect the LOAD= statement.)
  • system.ini (Inspect the SHELL= and SCRNSAVE= statements.)
  • winstart.bat, dosstart.bat, wininit.ini (if they exist)
  • the Startup folder
  • registry startup areas:
    • HKEY_CLASSES_ROOT\exefile\shell\open\command
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Windows 2000 and Windows NT only)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Windows 2000 and Windows NT only)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (registered services and processes)
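The following PowerShell script is an added example, not part of the original article: it walks the autostart locations listed above on one Windows PC and writes them to a CSV so that the findings from several machines can be compared side by side. It assumes an elevated session; the Win9x-era files (win.ini, system.ini, winstart.bat) are inspected only where they exist, and the output path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the article): record every autostart location the
# article lists for this PC in one CSV, so teams can compare PCs later.
$multiValueKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
# Keys where one named value decides what runs. Normal contents are
# "%1" %* for the .exe handler and explorer.exe / userinit.exe for Winlogon.
$singleValues = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command';      Name = '(default)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' }
)
# The LOAD=/RUN= lines of win.ini and the SHELL=/SCRNSAVE.EXE= lines of system.ini
$iniChecks = @(
    @{ File = "$env:windir\win.ini";    Pattern = '^\s*(load|run)\s*=' },
    @{ File = "$env:windir\system.ini"; Pattern = '^\s*(shell|scrnsave\.exe)\s*=' }
)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Name, $Value) {
    $findings.Add([pscustomobject]@{ Computer = $env:COMPUTERNAME; Location = $Location; Name = $Name; Value = $Value })
}
foreach ($key in $multiValueKeys | Where-Object { Test-Path $_ }) {
    foreach ($name in (Get-Item $key).Property) { Add-Finding $key $name (Get-ItemPropertyValue -Path $key -Name $name) }
}
foreach ($sv in $singleValues | Where-Object { Test-Path $_.Path }) {
    Add-Finding $sv.Path $sv.Name ((Get-ItemProperty -Path $sv.Path).($sv.Name))
}
foreach ($ini in $iniChecks | Where-Object { Test-Path $_.File }) {
    Select-String -Path $ini.File -Pattern $ini.Pattern | ForEach-Object { Add-Finding $ini.File 'line' $_.Line }
}
# Per-user and all-users Startup folders, plus the boot-time batch/ini files
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object { Add-Finding $dir $_.Name $_.LastWriteTime }
}
foreach ($f in @("$env:SystemDrive\autoexec.bat", "$env:SystemDrive\config.sys", "$env:windir\winstart.bat", "$env:windir\wininit.ini")) {
    if (Test-Path $f) { Add-Finding $f 'file' (Get-Item $f).LastWriteTime }
}
# Registered services and the binaries they launch (the article's last bullet)
Get-CimInstance Win32_Service | ForEach-Object { Add-Finding 'Services' $_.Name $_.PathName }
$findings | Export-Csv -Path "$env:TEMP\$env:COMPUTERNAME-autostart.csv" -NoTypeInformation
$findings | Format-Table -AutoSize
```

Diffing the CSVs from several PCs (for example with Compare-Object) shows quickly whether the worm's modifications are consistent across machines, which is the question the text asks.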

If you're sending several teams or individuals out on fact-finding missions, make sure they record their results so that you can compare them at a later meeting. You can also use integrity-checking tools such as Tripwire's Tripwire to detect the harm a virus or worm has done to a system. If you install the tool only after the fact, however, note this caveat: some experts wouldn't trust its findings, because the infection code could contain subroutines to defeat the integrity checker.

If you have the appropriate programming talent on your team, you can try to read the worm's source code (if it's readable) to see exactly what it's doing. For example, with a Microsoft Visual Basic (VB) script email worm, save the infected file attachment to disk with a .txt extension, making sure not to double-click or execute it. Then, open the code in Microsoft Notepad or Microsoft WordPad. If the code isn't encrypted, even a nonprogrammer can discover some of its logic. Figure 1 shows an example of the VBS.Love-Letter virus that I opened in Notepad.

Collect and log all the evidence. Figure out what you have to fix, delete, and modify to get rid of the email worm completely. Some antivirus tools only get rid of the worm or virus—they don't usually remove any other modifications.

Check Antivirus Sites for Detection and Repair Clues
If the outbreak is global and new, it will be front-page news on your trusted antivirus vendor's Web site. If you don't find complete information there, use the clues that you've discovered to research the attack. Learning the complete facts about a tricky new bug can take a day or two that you don't have, so optimize your research methods. I compare the facts on several Web sites to compile a better list of facts. Two sites that I suggest you check are the Security Discoveries page at the Security Administrator Web site (http://www.secadministrator.com) and the NT-Bugtraq Web site (http://www.ntbugtraq.com).

Implement an Initial Eradication Plan
With the information you've gathered, you can now develop and implement a methodical eradication plan. For example, with most email worms, the first step is to delete all infected email messages. In small shops, you can delete those messages individually on each computer or you can use an antivirus scanner. In larger companies, consider a server-side cleanup tool. For Exchange Server 4.0 and later, the Exchange Server Mailbox Merge (exmerge.exe) utility is the premier tool, and it's free.

Exmerge lets you delete massive numbers of infected email messages all at once from public and private information stores on the server. (You can download Exmerge from Microsoft's Web site at http://www.microsoft.com or install it from the Exchange Server Tools on the TechNet CD-ROM.) The Exchange Information Store service must be running to use Exmerge, and with pre-Exchange 2000 Server versions, you must use the Exchange Service account logon name to log on to the Exchange server. The Administrator account won't work unless it's also the Exchange Service account. (Note that Exchange 2000 comes with a version of Exmerge called Exmerge 2000; however, you can use the earlier version.) For steps that detail how to use Exmerge, see the Web-exclusive sidebar "Using Exmerge as a Virus Cleanup Tool." (To read the sidebar, go to http://www.secadministrator.com and enter InstantDocID 23687.)

As an alternative to Exmerge, Microsoft suggests using its Findbin (findbin.exe), Profinst (profinst.exe), and Gwclient (gwclient.exe) utilities, which you can download from Microsoft's Web site, to delete infected copies of the message in the IMS and MTA queues. The steps for using these utilities are numerous and involved; refer to Microsoft Product Support Services (PSS) for help.
