Abstract

A computer virus is a computer program that can spread across computers and networks by making copies of itself, usually without the user’s knowledge. Viruses can have harmful side-effects. These can range from displaying irritating messages to deleting all the files on your computer.

Description: viruses and virus-like programmes

Trojan horses
Trojan horses are programs that do things that are not described in their specifications. The user runs what they think is a legitimate program, allowing it to carry out hidden, often harmful, functions. For example, Troj/Zulu claims to be a program for fixing the ‘millennium bug’ but actually overwrites the hard disk. Trojan horses are sometimes used as a means of infecting a user with a computer virus.

Worms
Worms are similar to viruses but do not need a carrier (like a macro or a boot sector); they are a subtype of viruses. Worms simply create exact copies of themselves and use communications between computers to spread. Many viruses, such as Kakworm (VBS/Kakworm) or Love Bug (VBS/LoveLet-A), behave like worms and use email to forward themselves to other users.

Signs of virus attack
• CD-ROM drawer opens and closes by itself.
• Computer screen flips upside down or inverts.
• Wallpaper or background settings change by themselves.
• Documents or messages print from the printer by themselves.
• Computer browser goes to a strange or unknown web page by itself.
• Windows color settings change by themselves.
• Screen saver settings change by themselves.
• Right and left mouse buttons reverse their functions.
• Mouse pointer disappears.
• Mouse moves by itself.
• Windows Start button disappears.
• Strange chat boxes appear on the victim’s computer and the victim is forced to chat with a stranger.

Deleting virus manually

Brief study
• Registry Editor
• Group Policy Editor
• Sysinternals – Process Explorer – RegMon – Autoruns

Autoruns
See what programs are configured to start up automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

How a virus can load
Many viruses use different techniques to load themselves. Here we are going to see many possibilities.

Run keys
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx

Its well-known startup place
• c:\Documents and Settings\All Users\Start Menu\Programs\Startup
• or c:\Documents and Settings\username\Start Menu\Programs\Startup

File-type shell commands (the normal value is ""%1" %*"; a virus can prepend itself here)
• HKEY_CLASSES_ROOT\exefile\shell\open\command = ""%1" %*"
• HKEY_CLASSES_ROOT\comfile\shell\open\command = ""%1" %*"
• HKEY_CLASSES_ROOT\batfile\shell\open\command = ""%1" %*"
• HKEY_CLASSES_ROOT\htafile\Shell\Open\Command = ""%1" %*"
• HKEY_CLASSES_ROOT\piffile\shell\open\command = ""%1" %*"

Other locations
• HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Task Scheduler
Windows executes autorun instructions in the Windows Task Scheduler.

Initialization file win.ini
Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder ("LOAD=" and "RUN=" lines).

How can we delete a virus manually?
First open the computer in safe mode, and then follow these steps:
1. Identifying the virus’s main file and its location
2. Changing attributes
3. Deleting the file(s)
4. Identifying and deleting registry keys
(The above 4 steps are for those who don’t know how to work with the command prompt.)

1. Identifying the virus’s main file and its location
Every executable file must have a process in Task Manager. Identifying the virus’s process is a very difficult task. For this we are taking the help of a small utility called "Process Explorer" (or "Process XP").

Process Explorer
Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

Then from here onwards our real process starts.

2. Changing attributes
In this stage we will change the attributes of the virus using the command prompt. If we want to delete the Autorun.inf virus from the "D" drive, then go to Run, type cmd and hit enter. Type the below command; it will change from the "C" drive to the "D" drive ("sai" may change to your username on your system):
C:\users\sai> d:
Type the below command to check whether the virus has infected the drive or not; now we are checking the "D" drive:
D:\> attrib
Hit enter. After hitting enter the result will be displayed on the command prompt. Check for Autorun.inf in that result; if present, follow the steps below:
D:\> attrib -s -a -r -h autorun.inf
Hit enter.

3. Deleting the file(s)
D:\> del autorun.inf
Hit enter. After doing that, check once again whether it is deleted or not by typing:
D:\> attrib
It will not display the "autorun.inf" file because it is deleted by the above steps; if it is still present, repeat the above steps again. We can follow the same procedure for any virus.

4. Identifying and deleting registry keys
What is Registry Editor?
• Go to Run, type "regedit.exe"
Regedit.exe is the configuration editor for Windows XP and Windows Server 2003. Regedit.exe is used to modify the Windows NT configuration database, or the Windows NT registry. This editor allows you to view or modify the Windows NT registry. It supports setting security on registry keys, viewing and editing REG_EXPAND_SZ and REG_MULTI_SZ, and saving and restoring hive files. On the left side, there are folders that represent registry keys. On the right side, there are the values associated with the selected registry key. Regedit is a powerful tool. You must use extreme caution when you use it to change registry values. Missing or incorrect values in the registry can make the Windows installation unusable.

Identify the virus’s keys and modify them
• Press Ctrl+F to find.
• Enter the virus name and hit enter.
• Delete all the keys which contain the virus name.

For identifying the registry keys which were used by the virus, we will use a utility, RegMon.
RegMon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing, all in real time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you’ll see how the values and keys changed.

A virus may disable folder options, Task Manager and even the registry editor. For that special case, we will use the Group Policy Editor.

What is a Group Policy Editor?
• Go to Run, type "gpedit.msc"
The Group Policy Editor in Windows XP Professional is a management console that provides convenient configuration of many system properties and for running scripts.

Case studies on some famous viruses

How "Killer.exe" works
• Name: Funny UST Scandal.avi.exe
• Icon: Video file (GOM Player)
• Type of file: Application
• Size: 224KB/240KB
• Modified: November 20, 2007
• Attributes: Hidden, System (varies)
• File version: 3.8.2.1

Files and directories it creates:
• CreateDir C:\log\
• CreateFile C:\WINDOWS\autorun.inf
• CreateFile C:\WINDOWS\smss.exe
• CreateFile C:\WINDOWS\killer.exe
• CreateFile C:\WINDOWS\Funny UST Scandal.avi.exe
• CreateFile C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe
• CreateFile X:\autorun.inf
• CreateFile X:\smss.exe
• CreateFile X:\Funny UST Scandal.avi.exe

Registry keys it modifies:
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\

Solution
1. Enable Regedit, Task Manager and CMD (using GPEDIT.msc).
2. Restart the computer in "Safe Mode with Command Prompt".
3. Type:
   del "%windir%\autorun.inf" /f /a
   del "%windir%\smss.exe" /f /a
   del "%windir%\killer.exe" /f /a
   del "%windir%\Funny UST Scandal.avi.exe" /f /a
   del "C:\log" /f /a
   del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe" /f /a
   del "D:\autorun.inf" /f /a
   del "D:\smss.exe" /f /a
   del "D:\Funny UST Scandal.avi.exe" /f /a
4. Restore the registry:
   reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Runonce
   reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1
   reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe
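The RegMon step (finding which registry keys the virus wrote) and the load-point list above can be combined into a mechanical check. The following is an added example, not code from the slides: a Python filter over a Regmon-style log that reports only successful writes into the autostart locations the slides enumerate. The column layout (sequence, process:PID, request, path, result, other) is an assumption, and the log lines are constructed for the example using the case study’s process name.

```python
# Added example, not the slides' code. Flags successful writes to the autostart
# locations the slides list, in a Regmon-style log whose tab-separated columns
# are assumed to be: seq, process:PID, request, path, result, other.

# Load points from the slides in Regmon's HKLM/HKCU/HKCR spelling, lower-cased
# (RunOnce/RunOnceEx, Active Setup and the other file-type commands go in the same way).
AUTOSTART_WATCHLIST = [
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\shell",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"hklm\system\currentcontrolset\control\session manager\bootexecute",
    r"hkcr\exefile\shell\open\command",
    # Not a load point, but the case study clears it so its hidden files stay hidden.
    r"hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall",
]
WRITE_REQUESTS = {"SetValue", "CreateKey"}

def parse_line(line):
    """Split one log line into a dict; None if it has too few columns."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) < 5:
        return None
    return {"seq": int(cols[0]), "process": cols[1], "request": cols[2],
            "path": cols[3], "result": cols[4], "other": cols[5] if len(cols) > 5 else ""}

def is_autostart_path(path):
    """True if path is a watched key, or a value or subkey directly beneath one."""
    p = path.lower()
    return any(p == w or p.startswith(w + "\\") for w in AUTOSTART_WATCHLIST)

def find_persistence_writes(log_text):
    """Return the successful write events that land in an autostart location."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev and ev["request"] in WRITE_REQUESTS and ev["result"] == "SUCCESS"
                and is_autostart_path(ev["path"])):
            hits.append(ev)
    return hits

# Constructed sample log: the case study's process name, invented events.
MALWARE = "Funny UST Scandal.avi.exe:1524"
SAMPLE_LOG = "\n".join("\t".join(c) for c in [
    ("1", MALWARE, "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "SUCCESS", '"Explorer.exe smss.exe"'),
    ("2", MALWARE, "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", "SUCCESS", "0x0"),
    ("3", MALWARE, "SetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Runonce", "SUCCESS", r'"C:\WINDOWS\smss.exe"'),
    ("4", "explorer.exe:1316", "QueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Runonce", "SUCCESS", r'"C:\WINDOWS\smss.exe"'),  # read only
    ("5", "notepad.exe:2048", "SetValue", r"HKCU\Software\Microsoft\Notepad\iWindowPosX", "SUCCESS", "0x5"),  # not a load point
    ("6", MALWARE, "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "ACCDENIED"),  # failed write
])
```

Each reported event names the key or value to restore (for the sample: Winlogon\Shell, SHOWALL\CheckedValue and the Run\Runonce value), which is exactly the list step 4 of the solution above works through.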

Safe Computing Tips
• Enable Auto Updates
• Patches for software
• Firewall
• Antivirus
• Disable Autoruns
• Disable auto shares
• Suspect processes before running them
• Do not accept disks or programs without checking them first using a current version of an anti-viral program.
• Do not boot the machine with a disk in the disk drive, unless it is a known "Clean" bootable system disk.
• Do not leave a USB disk in the disk drive longer than necessary.
• Keep the anti-virus software up to date; upgrade on a regular basis.
• Disable auto play

Conclusion
"Prevention is better than cure." No antivirus provides 100% security from viruses; sometimes we must follow manual ways of detecting and deleting viruses.

IT IS ONLY INFORMATION AND FOR AWARENESS’ SAKE AMONG PUPILS; MOREOVER, IT IS NOT INTENDED FOR MALICIOUS ACTIVITIES.
