Monday, October 2

Virus experience

AdWare Experience

A computer in my lab picked up an AdWare today. I don't know what the girl did to her computer, but when she asked me about installing EditPlus, I noticed her computer was slow. Suddenly a message popped up: "Your computer is infected with AdWares, please visit xxxx.com". Yes, the function of that AdWare is to promote a piece of software that deletes adware...

First of all, the girl is a Computer Science graduate student, like me, so we can assume she knows the basics of computers and the Internet. Second, Norton AntiVirus Corporate Edition is running on her computer. This is mandatory in all our labs, and the virus definitions are kept up to date. Windows XP is also patched as required. Third, there is a firewall in the campus network. With all three of these factors in place, we still can't protect a computer from an AdWare attack. What a brutal world!

Then I tried to help her get rid of the AdWare. She doesn't know much about computer security, and I don't want her to bother me all the time. But 10 minutes later, I gave up.

There is a system tray icon for this software, but its only function is to bring up the "Your computer is infected with AdWares" message. There is no "exit" or "close" menu attached to it at all.

Since Norton AntiVirus is installed, the standard procedure is to run it and scan the whole computer. Of course it failed, as I expected. Since the BadWare is running in memory, there is no way to find it, if it is smart enough. Five years ago, an antivirus program could capture a running virus and kill the process before deleting the virus files. Now the virus knows how to hide itself from antivirus software, especially when it is running with administrator privileges.

So I tried to kill the virus process manually. In the Windows Task Manager I saw too many processes. After all other windows were closed, I saw several suspicious processes: ishost, hostsys, and some others. I am familiar with most of the system processes, and I am sure these two are not part of the system. But after I killed "ishost", it appeared again. Yes, this virus is smart enough to run several processes, and each of them can start another one if one process is terminated. I actually tried to use the "Ctrl" key to select both processes, but the Windows Task Manager doesn't support this operation.

Since the virus process is running and has administrator privileges, I know I can't delete it. So I checked the startup registry entries and the list of running services. There is too much software installed on this computer, and I can't say I know every entry. So I gave up.

I know the correct way to kill the virus is to restart into Safe Mode and manually delete the virus files and its registry entries. But because it's hard to tell the virus files and entries from the normal ones, especially when the computer is not managed by me, I decided to leave this task to the network admin. I think he may suggest reinstalling Windows, or leaving the virus alone :D No kidding! Sometimes, if the virus is harmless, we leave it in the computer when the expense of reinstallation is too much.
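As an added illustration of the manual check described above (this is not code from the original post), here is a PowerShell script that does the two things Task Manager could not: it lists the usual Windows autostart locations and any services whose binary lives outside System32 so they can be reviewed before booting into Safe Mode, and it collects every process in a suspect list and stops them in one pass instead of one at a time, so a watchdog process has less chance to restart its sibling. The process names ishost and hostsys are taken from the post as the default suspect list; the Run-key paths, the Winlogon values and the "outside System32" heuristic are my assumptions about where such a program hides, not facts the post establishes.

```powershell
# Added example, not from the original post. Lists autostart locations and
# suspicious services, then stops a set of processes together so that a
# watchdog process cannot restart its sibling between two separate kills.
# $Suspect defaults to the two names the post reports; they are parameters,
# not verified malware names.
param(
    [string[]]$Suspect = @('ishost', 'hostsys')
)

# Registry keys that start programs at logon (assumed hiding places).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Output '== Autostart registry entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        Write-Output ("{0}`n    {1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

# Winlogon Shell and Userinit are also abused as persistence points;
# the defaults are explorer.exe and the System32 userinit.exe path.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Output '== Winlogon Shell / Userinit =='
Get-ItemProperty -Path $winlogon | Select-Object Shell, Userinit | Format-List

# Services whose binary lives outside System32 deserve a second look.
# This is a heuristic for review, not proof that a service is malicious.
Write-Output '== Services with binaries outside System32 =='
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -notmatch '\\system32\\' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# Collect the whole suspect set first and record the on-disk paths (those
# are what you delete later in Safe Mode), then stop them in one pipeline.
$procs = Get-Process | Where-Object { $Suspect -contains $_.ProcessName }
Write-Output '== Suspect processes =='
foreach ($proc in $procs) {
    $path = '<access denied>'
    try { $path = $proc.MainModule.FileName } catch { }
    Write-Output ("PID {0,-6} {1,-12} {2}" -f $proc.Id, $proc.ProcessName, $path)
}
if ($procs) {
    $procs | Stop-Process -Force
    Start-Sleep -Seconds 2
    $left = Get-Process | Where-Object { $Suspect -contains $_.ProcessName }
    if ($left) { Write-Output 'Some suspect processes came back; use Safe Mode.' }
    else       { Write-Output 'Suspect processes stopped.' }
}
```

Run it from an administrator PowerShell prompt, optionally with `-Suspect name1,name2` to override the list. Stopping the collected set in one pipeline is fast but not atomic, so a pair of processes that restart each other can still win the race; that is why the script re-checks after two seconds and falls back to the post's own advice of deleting the files and registry entries from Safe Mode, where the watchdog is not running at all.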

What is the expense of reinstalling the system? Let's talk about that topic tomorrow.


-----------------
In the above article, I mixed up AdWare, BadWare, and virus. AdWare is installed on a computer without the user's permission, and its function is to show commercial ads. A virus's function is to damage your files and use your computer's resources to distribute itself. Anyway, BadWare, or MalWare, includes everything we don't want on the computer.
People are familiar with the word "virus", and we used to call any unwanted software a virus. But that is not correct. "Virus" has its own definition in computer history: a virus is a program that conceals itself, replicates itself to other computers, and does something bad to the computer when a trigger condition is met. Concealment, replication and a malicious action are the three signs of a virus. BadWare is a newer word that includes viruses, adware, spyware, Trojan horses, and joke programs.

Update:
The network admin ran Cleanup!, Ewido Security Suite and AVG Anti-Spyware at the same time. After running them several times, that adware's icon disappeared, but there is another popup message in a language I don't know:
NON HO TROVATO NESSUN MODEM PER LA CONNESSIONE (Italian: "I did not find any modem for the connection")
Looks like the cleanup was not complete.


2 Comments:

At October 01, 2006 10:08 PM, Anonymous Anonymous said...

"I do not know how the girl did to her computer"-->how the girl did THIS. (The object is missing in the clause.)
--

At October 02, 2006 10:02 AM, Anonymous Anonymous said...

This is a really smart virus.

You missed a lot of articles.

e.g.,

A computer in my lab was infected by an AdWare today.

I don't know what the girl did to her computer, but ...

