Comments on: Viruses, worms, creepy crawlies… http://krishnamurthy.net.in/blog/2007/10/05/viruses-worms-creepy-crawlies/ You are what you read, and with whom you cook Thu, 04 Nov 2010 18:06:52 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Vinil http://krishnamurthy.net.in/blog/2007/10/05/viruses-worms-creepy-crawlies/#comment-17 Vinil Sun, 06 Jan 2008 22:36:26 +0000 http://krishnamurthy.net.in/blog/?p=15#comment-17 Yeah, missed reading that. I agree. Having ProcExp would've helped immensely. However, running taskkill doesn't need a command prompt. Most of the times, these programs have the command strings hard-coded - no hash checking or signature verification etc (it increases the file size.) So, if you ren the exe (from explorer or x2) and run it, it runs...Well, of course, there are the intelligent ones, that know how to cause damage, but then you'dn't have caught it in the first place, because the cyber-cafe wouldn't have been running ;) Need to catch some sleep, - Vinil Yeah, missed reading that. I agree. Having ProcExp would’ve helped immensely. However, running taskkill doesn’t need a command prompt. Most of the times, these programs have the command strings hard-coded – no hash checking or signature verification etc (it increases the file size.) So, if you ren the exe (from explorer or x2) and run it, it runs…Well, of course, there are the intelligent ones, that know how to cause damage, but then you’dn’t have caught it in the first place, because the cyber-cafe wouldn’t have been running ;)

Need to catch some sleep,
- Vinil

]]> By: KV http://krishnamurthy.net.in/blog/2007/10/05/viruses-worms-creepy-crawlies/#comment-16 KV Sun, 06 Jan 2008 20:26:02 +0000 http://krishnamurthy.net.in/blog/?p=15#comment-16 Hey Vinil, (if you are still reading this) thanks for the comments...got to see it just now.....still have to get used to administering the site....just saw that some comments are pending moderation. About using tasklist....since I was unable to open my command line, tasklist wouldn't have worked. The same process that I was trying to kill, was closing any cmd windows immediately after they were opened. So I had to get a handle on the process somehow and kill it. Hey Vinil, (if you are still reading this) thanks for the comments…got to see it just now…..still have to get used to administering the site….just saw that some comments are pending moderation. About using tasklist….since I was unable to open my command line, tasklist wouldn’t have worked. The same process that I was trying to kill, was closing any cmd windows immediately after they were opened. So I had to get a handle on the process somehow and kill it.

]]> By: Vinil Menon http://krishnamurthy.net.in/blog/2007/10/05/viruses-worms-creepy-crawlies/#comment-15 Vinil Menon Thu, 27 Dec 2007 07:17:06 +0000 http://krishnamurthy.net.in/blog/?p=15#comment-15 Hi, Reached your blog via Vaishali's recommendation. Good piece of work in removing the malware. May I suggest a few tools to be added to your arsenal. It is not always feasible nor practical to write programs in C#, rt? ;) Anyway, here are some of the tools (you are warned, they become essential once you use it a couple of times ;) 1. Get the entire array of tools by Mark Russinovich. He's da man. site: www.sysinternals.com (you'd be redirected to ms technet.) Anyway, the most important tools over there are Procexpnt (Process Explorer), ProcMon (Process Monitor - monitors registry and filesystem activity) and autoruns (msconfig is a poor hack when compared to autoruns) 2. Get TcpView from there to view tcp port activity on your system. You could've immediately figured out that skype is blocking port 80 with this tool (ref: your later post about IIS not starting) 3. Check this video out for uber-geekiness in malware removal. http://video.google.com/videoplay?docid=-5856330670787297158 From the tech lead at the company that makes the antivirus that you used to remove the virus finally. Yup the guy works at Kaspersky. ;) 4. Did you try using tasklist and it's cousin taskkill (both are standard xp commands) to list and kill tasks? +++ATH0. Vinil Hi, Reached your blog via Vaishali’s recommendation.
Good piece of work in removing the malware. May I suggest a few tools to be added to your arsenal. It is not always feasible nor practical to write programs in C#, rt? ;)
Anyway, here are some of the tools (you are warned, they become essential once you use it a couple of times ;)
1. Get the entire array of tools by Mark Russinovich. He’s da man. site: http://www.sysinternals.com (you’d be redirected to ms technet.) Anyway, the most important tools over there are Procexpnt (Process Explorer), ProcMon (Process Monitor – monitors registry and filesystem activity) and autoruns (msconfig is a poor hack when compared to autoruns)
2. Get TcpView from there to view tcp port activity on your system. You could’ve immediately figured out that skype is blocking port 80 with this tool (ref: your later post about IIS not starting)
3. Check this video out for uber-geekiness in malware removal. http://video.google.com/videoplay?docid=-5856330670787297158 From the tech lead at the company that makes the antivirus that you used to remove the virus finally. Yup the guy works at Kaspersky. ;)
4. Did you try using tasklist and it’s cousin taskkill (both are standard xp commands) to list and kill tasks?

+++ATH0.
Vinil

]]>