Re: Ping Malke
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 06/09/05
- Next message: computer novice: "browser hijacker"
- Previous message: solstiz: "Re: PGPcoder Trojan"
- In reply to: Zvi Netiv: "Re: Ping Malke"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 09 Jun 2005 18:02:08 +0200
On Wed, 08 Jun 2005 15:42:16 +0300, Zvi Netiv wrote:
>I personally hold that cleaning under Windows should be conducted from self
>boot, from the installed OS.
This really depends on what you fear most; malicious effects from code
that is designed to be malicious, or side-effects from removing it.
My take is to approach traditional malware formally, and commercial
malware through the infected OS's Safe Mode Cmd Only, as my
expectation of the balance of risk differs with respect to these
categories. Also, right now, there are no scanners for commercial
malware that will run formally, unless already installed informally.
(by "formal", I mean without running any infected code first - i.e.
the opposite of what Zvi is advocating - so the malware is inactive)
Rather than guess, though, I'd say it's better to start with a formal
detection-only scan, so that you can read up on what is found, as
there may be caveats that guide the cleaning process.
Depending on the scanner, formal scanning may be less effective in
detecting malware, so I do repeat such scans informally and even
within each user account's normal mode, as I progress into the system,
detecting and cleaning as I go.
The reason is that scanners written to run from the infected OS are
likely to look to the wrong registry, and thus miss infection cues,
when they are run from a host OS - be it a PC into which the HD has
been dropped, or an OS that's booting from a Bart's CDR.
Currently, my standard protocol is:
- DOS mode boot, F-Prot for DOS (FATxx only) *
- Bart boot, Trend SysClean *
- Bart boot, McAfee Stinger (renamed) *
- Bart boot, F-Secure Blacklight Beta *
- Bart boot, F-Secure F-bot
- Bart boot, F-Secure F-SDbot
- Bart boot, Avast killer
- Bart boot, Spybot 1.4 (if already installed)
- Safe Cmd Only, Trend SysClean *
- Safe Cmd Only, McAfee Stinger (renamed)
- Safe Cmd Only, AdAware SE 1.06 *
- Safe Cmd Only, SpyBot 1.4 *
- Normal OS boot, AdAware SE 1.06
- Normal OS boot, SpyBot 1.4
- Normal OS boot, MSAS Beta
- Normal OS boot, Trend SysClean
* = essential scan
>...there exists a free (for private use) bootdisk to NTFS from DOS, with full
>read-write access, from http://www.datapol-technologies.com/dpe/recovery/ntfs/
Sounds good - OMW to check it out. Thanks, Zvi!
BTW, y'all prolly know about the two DOS TSRs that offer NTFS support,
as available from www.systeminternals.com - the free one is read-only
and self-contained, and the fee one shells NT's existing code and can
write as well as read. I've only used the free one, and found it a
bit of a RAM hog; F-Prot for DOS manages to run under it, but fails to
recurse the volume's subtrees correctly.
The free NTFS driver doesn't support LFNs either, and because Odi's
LFN Tools can't work through a driver layer, that doesn't work either.
But I discovered that you can combine it with an LFN support TSR, and
thus access and preserve LFNs, as long as you load the LFN TSR before
the NTFS TSR. Counter-intuitive, but required if it's to work :-)
Finally, on this topic, note that one of the two LFN TSRs for DOS has
a serious bug; it fails to increment the 8.3 index number when
creating LFNs that have the same first 6 characters. So instead of
(say) MICROS~1, MICROS~2, MICROS~3, you get non-unique MICROS~1,
MICROS~1, MICROS~1. I've contacted the author on this, and it's going
to stay that way as he's abandoned the project.
I can't remember the details and URLs, but they're in here:
http://cquirke.mvps.org/whatmos.htm
>In your instructions (PDF file), I would recommend that anything you suggest
>running from safe mode, be run from safe mode WITH COMMAND PROMPT instead.
>The reason is that many malware load by injecting through Explorer, that loads
>in safe mode just as well.
Safe Mode isn't, and unfortunately, not only because of shell
integration into Explorer (CLSIDs, BHOs etc.) and process injection,
but also because by design, it's possible for some registry Runxx to
be active in Safe Mode, as are drivers, screensaver, and malware
integration via file associations.
Both Windows Explorer and Cmd.exe have their own exploitable risk
surfaces, but of the two, Cmd.exe is safer and more manageable (e.g.
if you always use full file spec and extension, you'd generally be OK)
>You have my permission to include the ToggleMode utility in your
>package, if required. You may need it to start Win 9x/Me in
>safe mode with command prompt (a mode they lack inherently). From
>www.invircible.com/item/80
That's a good point; else you'd have to first boot DOS mode and edit
System.ini shell=command.com to create a true Safe Mode Command Only,
i.e. a Win32 environment that can run Win32 apps, as DOS mode can't.
>------------------------ ---- --- -- - - - -
Forget http://cquirke.blogspot.com and check out a
better one at http://topicdrift.blogspot.com instead!
>------------------------ ---- --- -- - - - -
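The 8.3 alias bug described above (MICROS~1 handed out three times instead of MICROS~1, ~2, ~3) is easy to model. The following is an added example, not code from the post or from either DOS TSR: a small Python model of VFAT-style short-name generation in which the numeric tail is incremented until the alias is unique. The simplified basis rules (upper-case, drop spaces and punctuation, six characters of stem plus "~N", three of extension) are an assumption that only loosely follows Windows; `increment_tail=False` reproduces the broken TSR's behaviour so the collision can be seen directly.

```python
# Added example: model of 8.3 alias generation with a unique numeric tail.
# Not the TSR's source; the basis rules below are a simplifying assumption.

def _basis(long_name: str):
    """Reduce a long file name to an upper-case stem and a <=3-char extension."""
    # Split on the last dot; a lone leading dot (".profile") yields no extension.
    if "." in long_name.strip("."):
        stem, _, ext = long_name.rpartition(".")
    else:
        stem, ext = long_name, ""

    def clean(s: str) -> str:
        # Keep alphanumerics, '_' and '-'; spaces and punctuation are dropped.
        return "".join(c for c in s.upper() if c.isalnum() or c in "_-")

    return clean(stem), clean(ext)[:3]


def short_name(long_name: str, existing: set, increment_tail: bool = True) -> str:
    """Return an 8.3 alias for long_name that is not already in `existing`.

    With increment_tail=True the tail ~1, ~2, ~3 ... is advanced until the
    alias is unique.  With increment_tail=False the tail is never advanced,
    which is the bug the post describes: every long name whose basis shares
    the first six characters gets the same, non-unique MICROS~1.
    """
    stem, ext = _basis(long_name)
    suffix = f".{ext}" if ext else ""

    # A name that already fits 8.3 and is unique needs no numeric tail.
    plain = stem + suffix
    if len(stem) <= 8 and plain == long_name.upper() and plain not in existing:
        return plain

    n = 1
    while True:
        tail = f"~{n}"
        # The tail eats into the stem: ~1..~9 leave six characters, ~10+ leave five.
        candidate = stem[: 8 - len(tail)] + tail + suffix
        if candidate not in existing or not increment_tail:
            return candidate
        n += 1


def assign_aliases(long_names, increment_tail: bool = True):
    """Assign aliases in directory order, remembering what is already taken."""
    existing = set()
    aliases = []
    for name in long_names:
        alias = short_name(name, existing, increment_tail)
        existing.add(alias)
        aliases.append(alias)
    return aliases


def has_duplicates(aliases) -> bool:
    """True if any 8.3 alias was handed out more than once (the TSR bug)."""
    return len(set(aliases)) != len(aliases)


if __name__ == "__main__":
    # Constructed sample directory listing.
    names = ["Microsoft Office", "Microsoft Works", "Microsoft Games",
             "readme.txt", "archive.html"]
    print("correct:", assign_aliases(names))
    print("buggy:  ", assign_aliases(names, increment_tail=False))
```

Running it prints the correct sequence MICROS~1, MICROS~2, MICROS~3 followed by README.TXT and ARCHIV~1.HTM, while the buggy mode hands out MICROS~1 three times; a tool that then copies or preserves the directory by alias would silently overwrite two of the three entries, which is exactly why the post advises loading the LFN TSR so that long names survive rather than relying on the aliases.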