
worm-detection/removal ???

 
Hans Pesata
(Msg. 1) Posted: Tue Jan 13, 2004 8:14 am
Post subject: worm-detection/removal ???
Archived from groups: alt>comp>anti-virus

Hi!

I would like to know how I can get rid of any worm that has infected a
WINDOWS XP-system.
I know about the worm removal tools, but there is just 1 tool for every worm
and you have to run ALL of them to find which worm has infected your system.
this takes A LOT of time with a nearly full 80GB hard-disc ...

My only solution so far was to do a clean new install of WINDOWS-XP
with the appropriate MS-RPC-patch, but this is pretty time-consuming too...

What about NAV 2003/2004, can I use it for the worm-detection/cleaning ?

Any help with this would be greatly appreciated,
thanx in advance!

best regards,
Hans Pesata

------------------------------------------------------

My eMail-address has been changed due to spam.
eMail-replies can be sent to hpesata DeleteThis @chello.at

Boyd Williston
(Msg. 2) Posted: Wed Jan 14, 2004 12:56 am
Post subject: Re: worm-detection/removal ???

"Hans Pesata" <dummy.user.TakeThisOut@dummy.com> wrote in
news:ONNMb.103077$Tz1.86871@news.chello.at:

> Hi!
>
> I would like to know how I can get rid of any worm that has infected a
> WINDOWS XP-system.
> I know about the worm removal tools, but there is just 1 tool for every
> worm and you have to run ALL of them to find which worm has infected
> your system. this takes A LOT of time with a nearly full 80GB hard-disc
> ...
>
> My only solution so far was to do a clean new install of WINDOWS-XP
> with the appropriate MS-RPC-patch, but this is pretty time-consuming
> too...
>
> What about NAV 2003/2004, can I use it for the worm-detection/cleaning
> ?
>
> Any help with this would be greatly appreciated,
> thanx in advance!
>
> best regards,
> Hans Pesata
>
> ------------------------------------------------------
>
> My eMail-address has been changed due to spam.
> eMail-replies can be sent to hpesata.TakeThisOut@chello.at
>

Well, it seems that you are trying to do things backward.

First, develop habits that make infections less likely.

Second, install software that blocks malware from getting installed in the
first place. NAV will work, but you probably can find something else that
is less expensive and has less overhead.

Third, regularly scan with good detection software (with recent definition
updates).

THEN check into removal tools for anything that's found, or if you have
symptoms of something specific. I certainly wouldn't use a removal tool
for (as an example) Swen unless I were pretty sure that I had been
infected with it.

Hans Pesata
(Msg. 3) Posted: Wed Jan 14, 2004 1:59 pm
Post subject: Re: worm-detection/removal ???

Hi!

> Well, it seems that you are trying to do things backward.
> First, develop habits that make infections less likely.

my job is to help people with their computer-problems and a lot of
problems are related to viruses/worms. I try to teach people how to protect
their PCs, but first I have to fix them.

> Second, install software that blocks malware from getting installed in the
> first place. NAV will work, but you probably can find something else that
> is less expensive and has less overhead.

I have seen a lot of PCs with NAV running and worms disturbing everything in
the system.
it seems that the only way to fight this is the MS-RPC-patch and a firewall.

> Third, regularly scan with good detection software (with recent definition
> updates).
> THEN check into removal tools for anything that's found, or if you have
> symptoms of something specific. I certainly wouldn't use a removal tool
> for (as an example) Swen unless I were pretty sure that I had been
> infected with it.

I need a way to repair infected systems with minimal time-effort.
I can't know which worm has infected a system, to use a specific tool to fix
it.
I just see that something is pretty wrong. therefore I need good tools to
help me with this.

best regards,
Hans

kurt wismer
(Msg. 4) Posted: Wed Jan 14, 2004 1:59 pm
Post subject: Re: worm-detection/removal ???

Hans Pesata wrote:
[snip]
> I need a way to repair infected systems with minimal time-effort.
> I can't know which worm has infected a system,

*STOP*

think to yourself, you want to repair the damage done by a worm but you
can't be bothered to figure out which worm it was - thereby completely
skipping the step about finding out exactly what damage was done...

does that sound reasonable to you? if it does, then you're in the wrong
line of work...

> to use a specific tool to fix
> it.
> I just see that something is pretty wrong. therefore I need good tools to
> help me with this.

use an anti-virus product to figure out what it was, then use a
dedicated removal tool if one exists or the anti-virus product itself
if no dedicated removal tool exists... dedicated removal tools are
preferable over the av itself as the av will often times simply
neutralize the worm/virus/whatever...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

Hans Pesata
(Msg. 5) Posted: Fri Jan 16, 2004 2:36 pm
Post subject: Re: worm-detection/removal ???

Hi!

> use an anti-virus product to figure out what it was, then use a
> dedicated removal tool if one exists or the anti-virus product itself
> if no dedicated removal tool exists... dedicated removal tools are
> preferable over the av itself as the av will often times simply
> neutralize the worm/virus/whatever...

that was exactly what I have been asking when I posted my question in this
newsgroup,
but I didn't get a clear answer, do you know if I can use NAV2003/2004 to
detect worms ?
I understand that using a dedicated worm-removal-tool afterwards is the way
to go.

this is important for me to know, because I have to check a probably
infected system with a pretty full 80GB hard disc
and it will take NAV VERY LONG to scan all the files. If it doesn't work and
I therefore have to do a new, clean XP-setup,
I will lose quite some time my customer would have to pay for.
if I start with the clean XP-setup instead, it will cost less.

thanx for your comments!

best regards,
Hans Pesata

Gabriele Neukam
(Msg. 6) Posted: Fri Jan 16, 2004 7:01 pm
Post subject: Re: worm-detection/removal ???

On that special day, Hans Pesata, (dummy.user@dummy.com) said...

> but I didn't get a clear answer, do you know if I can use NAV2003/2004 to
> detect worms ?
> I understand that using a dedicated worm-removal-tool afterwards is the way
> to go.

NAV and current signatures, yes. The problem is, modern worms place
themselves in the _restore or other corners where they can't be easily
reached. In fact, they abuse the system self repair and protection
features by disguising themselves as "system files".

The specific tools are there to cancel this system protection and render
the respective methods of the worms useless. But this strategy might
change from worm family to worm family, and require different approaches
according to the specific infection. This is the reason why there are
separate tools there for removing worms.

But first you have to know *which* worm is in the system, in order to
know which removal tool will be effective.

I hope that now you understand it.


Gabriele Neukam

Gabriele.Spamfighter.Neukam.TakeThisOut@t-online.de


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.

kurt wismer
(Msg. 7) Posted: Sat Jan 17, 2004 12:54 am
Post subject: Re: worm-detection/removal ???

Hans Pesata wrote:
> Hi!

>>use an anti-virus product to figure out what it was, then use a
>>dedicated removal tool if one exists or the anti-virus product itself
>>if no dedicated removal tool exists... dedicated removal tools are
>>preferable over the av itself as the av will often times simply
>>neutralize the worm/virus/whatever...
>
>
> that was exactly what I have been asking when I posted my question in this
> newsgroup,
> but I didn't get a clear answer, do you know if I can use NAV2003/2004 to
> detect worms ?

yes... for all intents and purposes you can consider worms equivalent
to viruses and use the same software to detect them...

[snip]
> this is important for me to know, because I have to check a probably
> infected system with a pretty full 80GB hard disc
> and it will take NAV VERY LONG to scan all the files. If it doesn't work and
> I therefore have to do a new, clean XP-setup,
> I will lose quite some time my customer would have to pay for.
> if I start with the clean XP-setup instead, it will cost less.

cost less how? what about the value of the data that will be lost when
you do that, is that figured into your cost/benefit analysis?

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

David W. Hodgins
(Msg. 8) Posted: Sun Jan 18, 2004 3:25 am
Post subject: Re: worm-detection/removal ???

On Fri, 16 Jan 2004 14:36:43 GMT, Hans Pesata <dummy.user.TakeThisOut@dummy.com> wrote:

> that was exactly what I have been asking when I posted my question in this
> newsgroup,
> but I didn't get a clear answer, do you know if I can use NAV2003/2004 to
> detect worms ?

AV software will detect worms, that it knows about. So, if you're looking
to clean a system of worms that have been around for a while, it'll work,
or at least, should find them. Make sure you're booting from a known
clean boot disk or cd, just in case the malware is stealth, or can prevent
the av from running.

Don't rely on it to block new worms. Keep the software updated, and try
to teach the users about safe hex.

> I understand that using a dedicated worm-removal-tool afterwards is the way
> to go.

Unless you enjoy doing things manually, I'd say it's the only way to go.

> this is important for me to know, because I have to check a probably
> infected system with a pretty full 80GB hard disc
> and it will take NAV VERY LONG to scan all the files. If it doesn't work and
> I therefore have to do a new, clean XP-setup,

Make sure you limit the scanning to executables, and try to get the user to
clean up stuff they don't need, before you visit.

> I will lose quite some time my customer would have to pay for.
> if I start with the clean XP-setup instead, it will cost less.

Why not let the customer decide? Give them an estimate of the cost
of a clean install, versus cleanup.

Regards, Dave Hodgins

--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
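
The advice in the replies above (limit the scan to executables, work from a known clean boot, and remember that worms sit in `_restore`) can be turned into a triage pass over the suspect volume mounted read-only from a clean environment. This is an added example, not part of the original thread; the extension list, function names and sample tree are constructed for illustration.

```python
import os
import tempfile

# Assumed extension list for this example; match it to the scanner in use.
EXEC_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".sys"}
# "_restore" is named in the thread; on XP it sits under "System Volume Information".
RESTORE_MARKERS = ("_restore", "system volume information")

def is_mz(path):
    """True if the file starts with the DOS/PE 'MZ' magic, whatever its name."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def build_scan_list(root):
    """Return (candidates, total_bytes, candidate_bytes); a candidate is (rel_path, size, in_restore)."""
    candidates, total, selected = [], 0, 0
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_restore = any(m in rel_dir.lower() for m in RESTORE_MARKERS)
        for name in files:
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            total += size
            if os.path.splitext(name)[1].lower() in EXEC_EXTS or is_mz(full):
                rel = os.path.normpath(os.path.join(rel_dir, name))
                candidates.append((rel, size, in_restore))
                selected += size
    candidates.sort(key=lambda c: (not c[2], c[0]))  # restore-area files first
    return candidates, total, selected

def make_sample_tree(root):
    """Write a constructed sample volume: one document and three MZ files."""
    files = {
        "Documents/report.doc": b"x" * 5000,
        "Documents/holiday.jpg": b"MZ" + b"\0" * 198,  # executable with a misleading name
        "WINDOWS/system32/notepad.exe": b"MZ" + b"\0" * 98,
        "System Volume Information/_restore{SAMPLE}/A0000001.exe": b"MZ" + b"\0" * 48,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for rel, size, restore in build_scan_list(tmp)[0]:
            print(rel, size, "RESTORE AREA" if restore else "")
```

The candidate list is what gets handed to the scanner; on the sample tree it covers 350 of 5350 bytes, and the header check catches the executable that an extension-only filter would skip.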

Hans Pesata
(Msg. 9) Posted: Sun Jan 18, 2004 11:04 am
Post subject: Re: worm-detection/removal ???

Hi!

Thanx a lot for all the useful information and hints!
This is very valuable for me and helps me to learn how to deal with this
nasty topic.

Best Regards,
Hans Pesata

Hans Pesata
(Msg. 10) Posted: Sun Jan 18, 2004 11:05 am
Post subject: Re: worm-detection/removal ???

Hi!

> cost less how? what about the value of the data that will be lost when
> you do that, is that figured into your cost/benefit analysis?

of course I would backup the users important files/documents BEFORE I do a
new system-setup.

Best Regards,
Hans