Friday, November 14, 2008

Winblows! Viruz

1:40 PM Posted by: Mad Lord Snapcase

A weird thing happened last night. A friend was looking for an episode guide for some TV show. Being a little more adept with Google's search tricks, I found a site that had the videos of the episodes and sent the link over.

Five minutes later, my friend goes, "I think I have a virus." I'm like, whaaaaattttt???? My friend was like, "Yeah, my box just turned off when I clicked on that page." That didn't make any sense. I had been on the site earlier and had clicked on the link to play the video, and nothing had happened to me. Then it hit me: I was not using IE, and that is a possible reason I didn't see an attack, if there was one. Groan! Bah! F**** stupid IE.

I use Firefox with the NoScript, Flashblock and Adblock extensions. I fired up IE and went to the same link. Dude, was I in for a surprise or what? The page was loaded with a ton of Flash ads, and there was a pop-up for a registry cleaner ad. The page took about a minute to load.

Now, I have a fairly decent box and it still sucked up resources, considering the number of ad instances that loaded. No wonder my friend's box, which is probably not up to date and an older system, turned off or crashed. It could easily have eaten up loads of memory and just gone poof! Arrrggggghhhh Winblows!

My friend, all too tired to do anything, just went to sleep. I was wondering what I would have done. I would probably have taken one of two different approaches.

a) Install an anti-virus and run a scan.
b) If I didn't have an anti-virus, I would try trialware from Symantec, or ClamAV, or other tools.
c) I would download Spybot and CCleaner first and disconnect myself from the Internet.
d) Then install Spybot, update the definitions, run the trojan/virus scan and lock down the hosts file.
e) Install CCleaner and clean up the registry and the temporary Internet files.
f) b), c) and d) should be sufficient to identify which viruses are there. There are virus-specific removal tools from Symantec that can be used.
g) Call a friend for help!
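The two scriptable parts of steps c) and d), going offline and locking down the hosts file, as an added example that is not from the original post. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (Get-NetAdapter and Disable-NetAdapter come from the NetAdapter module, which the 2008-era boxes in the post would not have had), and the vendor domains in $WatchList are a constructed, illustrative list. Before locking the file it checks for the classic trick of a trojan mapping AV and update domains in hosts so that scanners can't update and removal tools can't be downloaded:

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# prompt on Windows 8 / Server 2012 or later. $WatchList is a constructed,
# illustrative list of domains; extend it for the vendors you actually use.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Domains that trojans commonly redirect so AV updates and removal tools break.
$WatchList = @('symantec.com', 'clamav.net', 'safer-networking.org',
               'windowsupdate.com', 'update.microsoft.com')

function Get-HostsEntries {
    # Parse the hosts file into (Address, Host) pairs, skipping comments and blanks.
    param([string]$Path = $HostsPath)
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Host = $name }
        }
    }
}

function Find-SuspiciousHostsEntries {
    # Any hosts entry for a watched vendor domain is a hijack: a clean box never
    # needs a static mapping for these, whatever address it points at.
    param([string]$Path = $HostsPath, [string[]]$Domains = $WatchList)
    Get-HostsEntries -Path $Path | Where-Object {
        $h = $_.Host.ToLower()
        @($Domains | Where-Object { $h -eq $_ -or $h -like "*.$_" }).Count -gt 0
    }
}

function Lock-HostsFile {
    # Back up, then set read-only. Malware running as admin can undo this, so
    # treat it as a tripwire: re-check the file later rather than trust it.
    param([string]$Path = $HostsPath)
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-ItemProperty -Path $Path -Name IsReadOnly -Value $true
}

function Disconnect-Network {
    # Take every live adapter down so nothing phones home or pulls more payload.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

$bad = @(Find-SuspiciousHostsEntries)
if ($bad.Count -gt 0) {
    Write-Host 'Hijacked hosts entries:'
    $bad | Format-Table -AutoSize
} else {
    Write-Host 'No watched domains are redirected in the hosts file.'
}
Lock-HostsFile
Disconnect-Network
```

Download the tools before running this, as step c) says, because once the adapters are disabled nothing else comes in. Re-enable them later with Enable-NetAdapter only after the scans come back clean and the hosts file still reads the way you left it.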

or the other extreme

Wipe the disk and install Windows from scratch, then run Windows Update. An extreme way, though; I wouldn't recommend it.

When I have to browse the web and need to use IE on Winblows, I use a virtual instance of Windows. Makes it easy. This one time I had gone out of my way to a warez site and got myself infected with a virus to see how I could recover from it. To make a long story short, I simply wiped the VM instance. It was FUBAR and I was too lazy to recover it. But saying it was FUBAR makes it all the more believable! :p

Many a time Knoppix can come to the rescue when some stubborn virus files won't let themselves be deleted. It has certainly rescued me from some tight spots.

If you are wondering why I chose to disconnect myself from the net, it is because I didn't want some trojan/virus sending files off my system.

If you want to go a little step further and do some forensics on the box, then you would be better off using some basic tools from Sysinternals. I would use RootkitRevealer, TCPView and Process Monitor to start looking at things. Processes obviously thrashing the hard disk and the processor would be the culprits to look at.
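A first triage pass in the spirit of TCPView and Process Monitor, as an added example that is not from the original post and not Sysinternals code. It uses only built-in cmdlets: the busiest processes with their image paths, every established TCP connection mapped to its owning process, running images whose Authenticode signature is missing or broken, and the Run/RunOnce persistence keys. It assumes an elevated prompt (otherwise Path and OwningProcess won't resolve for other users' processes) and Windows 8 / Server 2012 or later for Get-NetTCPConnection; the cutoff in $Top is arbitrary:

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt on Windows 8 / Server 2012 or later. $Top is an arbitrary cutoff.

function Get-HotProcesses {
    # Top CPU consumers with their image path: the "thrashing the disk and
    # processor" tell the post describes. CPU is total seconds consumed.
    param([int]$Top = 10)
    Get-Process |
        Sort-Object -Property CPU -Descending |
        Select-Object -First $Top Id, ProcessName, CPU,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
            Path
}

function Get-ProcessConnections {
    # Established TCP connections mapped to their owning process (what TCPView
    # shows): this is where a trojan shipping files off the box turns up.
    foreach ($c in Get-NetTCPConnection -State Established) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId = $c.OwningProcess
            Process   = $p.ProcessName
            Path      = $p.Path
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        }
    }
}

function Get-UnsignedProcesses {
    # Running images whose signature is not valid. Unsigned alone is not proof
    # of anything, but it narrows the list quickly on a stock Windows box.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ ProcessId = $_.Id; Process = $_.ProcessName; Path = $_.Path; Status = $sig.Status }
        }
    }
}

function Get-RunKeys {
    # The usual persistence spots; anything here you don't recognise gets a look.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

Write-Host '== Busiest processes =='
Get-HotProcesses | Format-Table -AutoSize
Write-Host '== Established connections by process =='
Get-ProcessConnections | Sort-Object Process | Format-Table -AutoSize
Write-Host '== Unsigned running images =='
Get-UnsignedProcesses | Format-Table -AutoSize
Write-Host '== Run/RunOnce entries =='
Get-RunKeys | Format-Table -AutoSize
```

One caveat: all of this asks the running kernel and user-mode APIs what is there, so a rootkit that hides its process, connection or registry value will not show up. That is the gap RootkitRevealer's cross-view diffing and the Knoppix boot mentioned above are for, since an offline view of the disk can't be lied to by the running system.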
