
Slide 1

Malicious software on computer

Today I would like to introduce malicious software on the computer, also known as malware.
Slide 2

Targets

1. Understand the types of malware and the components of malware
2. Know how to find malware on the computer
3. Be able to remove the malware found

The targets of today's lesson are as follows:

- Understand the types of malware and the components of malware
- Know how to find malware on the computer
- Be able to remove the malware found
Slide 3

Content

1. Definition of malware
2. Classification of malware
3. Anti-malware
4. Method of finding and removal of malware

The following is the content that I am going to present to you.


1. Definition of malware
2. Classification of malware
3. Anti-malware
4. Method of finding and removal of malware
Slide 4

Concepts

- Computer virus: a computer program that is able to copy itself from an infected object to other objects (files, drives, computers)
- Malware (malicious software): intrusive software that operates on the system without the user's permission
- Distinguish between virus and malware?
- Habits in the use of these concepts

Tr 4

We shall start together with the first section: Definition.

Most of you are surely unfamiliar with the concept of malware; we use the more familiar term "computer virus". So, what do the two concepts mean?
Computer virus: ….
Malware: …..
Based on the two definitions above, a virus is a type (subset) of malware: the name of a particular malware strain that has the ability to spread. Most users confuse these concepts; they usually call every program that causes danger and harm on the computer a virus.
Slide 5

Signs identifying that the computer is infected with malware

- The computer runs slowly
- Applications behave abnormally or cannot run
- Web browsing is slow
- Ad pages appear automatically
- The desktop background is changed
- Unknown warnings appear, such as "Your computer is infected", or a "Virus Alert" window appears…

Tr 5

Most malware, once installed on the computer, affects the operation of that computer, so when the computer is infected with malware some of the following characteristic signs appear:

* The computer runs slowly
* Applications behave abnormally or cannot run
* Web browsing is slow
* Ad pages appear automatically
* The desktop background is changed
* Unknown warnings appear, such as "Your computer is infected", or a "Virus Alert" window appears…
Slide 6

Signs identifying that the computer is infected with malware

- Unknown files appear (on the USB drive, or .exe files that look like folders)
- The printer cannot be used
- Unknown sounds play automatically
- The computer restarts
- The size of system files increases
- Unknown outgoing Internet connections appear

Tr 6

* Unknown files appear (on the USB drive, or .exe files that look like folders)
* The printer cannot be used
* Unknown sounds play automatically
* The computer restarts
* The size of system files increases
* Unknown outgoing Internet connections appear
* …
Slide 7

Classification of malware

According to mode of spread
- Virus (file, boot)
- Macro
- Worm
- Trojan

According to purpose
- Spyware, Adware, Backdoor, Botnet, FakeAV, Ransomware, Rootkit
Tr 7

Next, we move on to the section on malware classification.

Here I classify according to two criteria: the mode of spread and the purpose of the malware.
According to mode of spread: …
According to purpose of the malware:
Please note that this classification should not be taken too rigidly; one malware sample can be classified into several groups, such as spyware, backdoor, botnet… This depends entirely on which components the distributor has built into the malware.
Slide 8

Virus
- Boot virus: a virus that infects the boot sector. The boot sector is executed when the infected computer starts up, before the operating system is loaded.

[Figure: normal startup process: power on → read boot sector → load operating system]

[Figure: startup when the computer is infected with a boot virus: power on → read infected boot sector → load virus → load operating system]

Tr 8

We now delve into the first type classified according to mode of spread: the virus.
Viruses are divided into two main types; the first type is the boot virus.
Boot virus: …
The first figure: this is the normal start-up process of the computer.
The second figure: after infection with a boot virus, the virus is loaded into memory first, and only then is the operating system loaded.
Slide 9

Because a boot virus is loaded into RAM early (sooner than the anti-virus, AV), we have the following cases:
- The AV cannot be loaded.
- After the virus is removed from the computer, it reappears after the computer is restarted.
- Boot sector recovery software is used, but after restarting the boot sector is still infected.
If we want to remove a boot virus, we should boot the computer from a CD drive or USB drive, then recover the boot sector, reboot from the hard drive and use the AV to sweep the whole computer repeatedly.

Tr 9

Because a boot virus is loaded into RAM early (sooner than the anti-virus, AV), we have the following cases:
- The AV cannot be loaded.
- After the virus is removed from the computer, it reappears after the computer is restarted.
- Boot sector recovery software is used, but after restarting the boot sector is still infected.
If we want to remove a boot virus, we should boot the computer from a CD drive or USB drive. Then, after recovering the boot sector, reboot from the hard drive and use the AV to sweep the whole computer repeatedly.
Slide 10

Virus

- File virus: a virus that infects program files, most commonly on the Windows operating system, such as files with the extensions .com, .exe, .dll, .pif, .sys.
- A file virus does not exist as a separate file; it attaches to other programs on the computer. This makes it difficult for users to find, and even when they find it they cannot remove it, because doing so would also stop the original program from working.
- When the computer is infected with a virus, users usually think that reinstalling Windows will remove the virus from the computer. But if the computer is infected with a file virus, even when Windows is completely reinstalled (normally the drive on which Windows is installed is formatted), as soon as we run an infected file on another drive the virus is brought back to the whole system.

Tr 10

Next, the second type of virus is the file virus.

- File virus: a virus that infects program files, most commonly on the Windows operating system, such as files with the extensions .com, .exe, .dll, .pif, .sys.
- A file virus does not exist as a separate file; it attaches to other programs on the computer. This makes it difficult for users to find, and even when they find it they cannot remove it, because doing so would also stop the original program from working.
When the computer is infected with a virus, users usually think that reinstalling Windows will remove the virus from the computer. But if the computer is infected with a file virus, even when Windows is completely reinstalled (normally the drive on which Windows is installed is formatted), as soon as we run an infected file on another drive the virus is brought back to the whole system.
Slide 11

Operation principle of a file virus

An executable file contains a set of instructions that perform various functions. In particular, it specifies the position of the instruction that is executed first (the entry point).
The virus inserts its own instructions into the file it wants to infect (usually at the end of the file), then changes the file's first-instruction position to point at the virus's instructions. After the virus's instructions have finished executing, the virus runs the first instruction of the original file.
Tr 11

Operation principle of a file virus

An executable file contains a set of instructions that perform various functions. In particular, it specifies the position of the instruction that is executed first (the entry point).
The virus inserts its own instructions into the file it wants to infect (usually at the end of the file), then changes the file's first-instruction position to point at the virus's instructions. After the virus's instructions have finished executing, the virus runs the first instruction of the original file.
Slide 12

Operation principle of a file virus

[Figure: an original executable file, with its first command and the original program marked]

Tr 12

The following is the spread process of a virus.

This is our original executable file, in which the grey part is the command that is executed first.
First, the virus appends its own code snippet to the end of the file. However, the virus's code section cannot yet execute, because the order in which the file's commands execute has not changed.
So, in the next step, the virus changes the first-command position to point into the area that has just been injected. Now the virus's commands can execute. However, there is still a problem to be solved: the infected file also has to keep working normally. If the virus stopped here, all infected programs would be broken, which would lead to detection and would gain little from the infected computer.
So, the final step of the spread process is to execute the main command of the original program.
If we want to remove this virus, we cannot do it by deleting the file; we must separate the virus from the infected file:
- Restore the first-command position to its original value.
- Remove the virus's code snippet from the file.
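As an added illustration (not part of the original lecture), the following Python script applies the defensive side of this slide: a triage heuristic that parses a PE header and flags an entry point that has been redirected into an appended last section. The header-only sample images, the section names and the rule names are assumptions constructed for the demonstration.

```python
import struct

# Section characteristic flags from the PE specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Read the entry-point RVA and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return entry_rva, sections


def entry_point_findings(data: bytes):
    """Triage rules for the 'first command position' described on the slide.
    Returns human-readable findings; an empty list means nothing suspicious."""
    entry, sections = parse_pe(data)
    findings = []
    owner = None
    for idx, sec in enumerate(sections):
        if sec["vaddr"] <= entry < sec["vaddr"] + max(sec["vsize"], 1):
            owner = idx
            break
    if owner is None:
        findings.append("entry point 0x%08x lies outside every section" % entry)
        return findings
    sec = sections[owner]
    first_exec = next((i for i, s in enumerate(sections)
                       if s["chars"] & IMAGE_SCN_MEM_EXECUTE), None)
    # Appended virus code normally ends up in a new last section.
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append("entry point is in the last section '%s'" % sec["name"])
    # A linker puts the real entry point in the first code section (.text).
    if first_exec is not None and owner != first_exec:
        findings.append("entry point is not in the first executable section")
    # Self-modifying virus bodies need the section to be writable as well.
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section '%s' is both writable and executable" % sec["name"])
    return findings


def build_sample_pe(sections, entry_rva):
    """Build a header-only PE32 image (constructed sample for the demonstration,
    not a runnable program). sections: list of (name, vaddr, vsize, chars)."""
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew -> PE signature
    img += b"PE\0\0"
    opt_size = 0xE0                                      # PE32 optional header size
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    img += opt
    for name, vaddr, vsize, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    return bytes(img)


# Clean layout: entry point inside .text.
CLEAN = build_sample_pe(
    [(b".text", 0x1000, 0x2000, IMAGE_SCN_MEM_EXECUTE),
     (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x1200)

# Same file after the pattern on the slide: virus body appended as a new last
# section and the first-command position redirected into it.
INFECTED = build_sample_pe(
    [(b".text", 0x1000, 0x2000, IMAGE_SCN_MEM_EXECUTE),
     (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_WRITE),
     (b".vir", 0x4000, 0x0800, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x4000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_findings(img) or ["no findings"])
```

Packed or unusually linked binaries trigger the same findings, so treat them as a triage signal to be confirmed with the tools listed later in the lesson, not as a verdict.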
Slide 13

Polymorphic, metamorphic virus

A virus that changes its "form" after each infection to avoid detection and to be difficult to remove.

[Figure: normal infection of files A, B, C, D by a normal virus: the attached code is identical in every file]

[Figure: polymorphic infection of files A, B, C, D by a polymorphic virus: the attached code differs in every file]

Tr 13

Normally, the code snippet that a virus attaches to other files is not modified from one infection to the next. However, some types of virus can change their code snippet (their "form") after each infection to avoid detection and be difficult to remove.
The first figure depicts the spread process of a normal virus. We can see that the virus code attached to the files is exactly alike.
As for the polymorphic virus in the figure below, at each infection the virus changes its own code snippet when attaching to the infected file.
A polymorphic virus normally has only several tens of forms; a metamorphic virus can produce millions of forms when infecting.
Identifying and thoroughly removing polymorphic and metamorphic viruses is very difficult and complex; a clear understanding of the virus's code generation and code mutation algorithm is required, because if we miss even one form the virus will re-infect the whole computer.
Slide 14

Macro

- Macro virus: a virus which uses a macro language to infect document files such as Word, Excel, PowerPoint and AutoCAD (cad) files.
- A macro virus does not infect files right away upon infection, but waits for them to be opened and then inserts its macro code into those files. This causes the files' size to increase, which is also the sign used to detect a macro virus infection.
- A macro virus can cause all document files to become corrupt, their sizes to increase continually, and it can use email to send the files to hackers.

Tr 14

Macro virus: a virus which uses a macro language to infect document files such as Word, Excel, PowerPoint and AutoCAD (cad) files.

A macro virus does not infect files right away upon infection, but waits for them to be opened and then inserts its macro code into those files. This causes the files' size to increase, which is also the sign used to detect a macro virus infection.

A macro virus can cause all document files to become corrupt, their sizes to increase continually, and it can use email to send the files to hackers.
Slide 15

Worm
Worm (Internet worm): a worm is a program that has the ability to infect by self-replicating (unlike a virus, which attaches itself to another object). A worm combines the destructiveness of a virus with the silence of a Trojan, and most importantly, a worm has a terrifying spread speed.
Popular spread forms of worms
- Worm spreads via email
- Worm spreads via software vulnerabilities (Windows, MS Office)
- Worm spreads via chat, social networks
- Worm spreads via the LAN
- Worm spreads via USB
Tr 15

Thus, I have fully introduced two types of malware to you: virus and macro. Next, I would like to present the malware with the most terrible spread: the worm.
Worm (Internet worm): a worm is a program that has the ability to infect by self-replicating (unlike a virus, which attaches itself to another object). A worm combines the destructiveness of a virus with the silence of a Trojan, and most importantly, a worm has a terrifying spread speed.
Popular spread forms of worms
- Worm spreads via email
- Worm spreads via software vulnerabilities (Windows, MS Office)
- Worm spreads via chat, social networks
- Worm spreads via the LAN
- Worm spreads via USB
Slide 16

Worm spreads via email

Tr 16

Slide 17

Worm spreads via email

Emails carrying a worm mostly fake the sender address and the reply-to address to a trusted address. This information is easy to fake, so if you want to know exactly what it is, you have to look at the mail header.
The header and content of such a fake email are designed to stimulate and encourage the reader to open the attachment. As shown in the figure above, this is a fake email from the PayPal online payment website that tricks users into opening the attachment and filling in their personal information.

Tr 17

Firstly, worms spreading via email.

Emails carrying a worm mostly fake the sender address and the reply-to address to a trusted address. This information is easy to fake, so if you want to know exactly what it is, you have to look at the mail header.

The header and content of such a fake email are designed to stimulate and encourage the reader to open the attachment. As shown in the figure above, this is a fake email from the PayPal online payment website that tricks users into opening the attachment and filling in their personal information.
The attachment is normally an executable file with the icon of a Word, PDF or Excel document, or a file exploiting a Microsoft Office vulnerability.
Slide 18

Worm spreads via chat services

Tr 18

Next, worms spreading via chat services such as Yahoo, Skype, MSN, ...
Slide 19

Worm spreads via chat services

This worm sends us an attractive chat message with a link attached. When we click this link, the worm is downloaded to our computer automatically and runs.
Once the computer is infected with this worm, it continues sending the harmful link to all the accounts in our friend list.

Tr 19

This worm sends us an attractive chat message with a link attached. When we click this link, the worm is downloaded to our computer automatically and runs.
Once the computer is infected with this worm, it continues sending the harmful link to all the accounts in our friend list.
Therefore, when a link to such an unknown address appears, you should absolutely not click it, even if the sender is your friend, because that account may have been stolen and abused by hackers.
Slide 20

Worm spreads via social networks

[Figure: posting a scam status; spreading a malicious link via chat]

Tr 20

Virus spreads via social networks:

- Post a scam status to trick users into clicking malicious links.
- Send malicious links to all friends in the friend list.
Slide 21

Worm spreads via USB and portable hard drives

- AutoRun when a USB drive is plugged in (autorun.inf)
- Fake icons (fake folders, image files and text files)
- Fake shortcut to the USB drive

Tr 21

Next, worms spreading via USB and portable hard drives. It can be said that this is the most common and the fastest-spreading worm.
Worms spread via USB using three key methods:
- AutoRun when a USB drive is plugged in (autorun.inf)
- Fake icons (fake folders, image files and text files)
- Fake shortcut to the USB drive
Slide 22

AutoRun worm
On Windows Vista and earlier, Windows supports the AutoRun feature (when you double-click any folder, Windows reads the autorun.inf file in that folder and runs the file specified in autorun.inf).
This worm creates an autorun.inf file that runs the virus on the USB drive (the autorun.inf and virus files are hidden). Thus, as soon as we open the USB drive, the virus runs immediately.
This feature is not triggered if we open the folder by selecting it in the left-hand folder tree of Explorer.
On Windows Vista this feature was removed, and on Windows 7 or later it exists only for CD/DVD drives.

Tr 22

AutoRun worm
- On Windows Vista and earlier, Windows supports the AutoRun feature (when you double-click any folder, Windows reads the autorun.inf file in that folder and runs the file specified in autorun.inf).
- This worm creates an autorun.inf file that runs the virus on the USB drive (the autorun.inf and virus files are hidden). Thus, as soon as we open the USB drive, the virus runs immediately.
- This feature is not triggered if we open the folder by selecting it in the left-hand folder tree of Explorer.
On Windows Vista this feature was removed, and on Windows 7 or later it exists only for CD/DVD drives.
Slide 23

AutoRun worm

How to open a USB drive without triggering AutoRun

Tr 23

Demo of an AutoRun worm sample


Slide 24

Fake icon worm

An executable file that carries the icon of a folder, Word, Excel or PDF document...
The worm often hides the folders and text files on the USB drive, then creates an executable file with a name similar to the hidden file, so that users mistakenly believe it is the real folder or document. When you open the fake file, the worm opens the original file again, so users do not realise that their computer has been infected with the worm.

Tr 24

Because Windows from Vista onward has disabled this feature when a USB drive is plugged in, as I presented in the slide, the spread of worms through USB has been forced to switch to other forms of attack: tricking users into running the worm. There are two popular tricks, as follows:
First, the fake icon (folder, document files ...)
An executable file that carries the icon of a folder, Word, Excel or PDF document...
The worm often hides the folders and text files on the USB drive, then creates an executable file with a name similar to the hidden file, so that users mistakenly believe it is the real folder or document. When you open the fake file, the worm opens the original file again, so users do not realise that their computer has been infected with the worm.
Slide 25

Fake USB drive worm

When opening a USB drive infected with the virus, the user finds another drive inside the USB drive and has to open that second drive to see the data. In reality, the second drive is a shortcut file containing the virus.
Tr 25

The second trick: they fake a shortcut to the USB drive.

When opening a USB drive infected with the virus, the user finds another drive inside the USB drive and has to open that second drive to see the data. In reality, the second drive is a shortcut file containing the virus.
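Added example, not from the original lecture: a Python scanner that turns the three USB tricks above (autorun.inf, fake-icon executables, fake drive shortcuts) into checks over the root of a removable drive. The sample drive layout, its file names and the rule names are constructed for the demonstration, and it only flags .lnk files in the root rather than parsing the shortcut target.

```python
import configparser
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
DISGUISE_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}


def autorun_targets(root: Path):
    """Return the program(s) an autorun.inf in root would launch, or [] if none."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(inf, encoding="latin-1")
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):       # keys that start a program
            if key in cp[section]:
                targets.append(cp[section][key])
    return targets


def scan_removable_drive(root):
    """Apply the three USB-worm tricks from the lesson as detection rules over
    the root of a drive. Returns a sorted list of (rule, path) tuples."""
    root = Path(root)
    findings = []
    for target in autorun_targets(root):
        findings.append(("autorun.inf launches program", target))
    entries = list(root.iterdir())
    by_name = {p.name.lower(): p for p in entries}
    for p in entries:
        suffix = p.suffix.lower()
        if suffix == ".lnk":
            # Fake drive trick: a shortcut placed in the drive root.
            findings.append(("shortcut in drive root", p.name))
            continue
        if suffix not in EXECUTABLE_SUFFIXES:
            continue
        # Fake icon trick: an executable named like a folder or document that
        # also exists here (the worm normally hides the real one).
        twin = by_name.get(p.stem.lower())
        if twin is not None and (twin.is_dir() or twin.suffix.lower() in DISGUISE_SUFFIXES):
            findings.append(("executable impersonates sibling", p.name))
        # Double extension such as report.pdf.exe
        if Path(p.stem).suffix.lower() in DISGUISE_SUFFIXES:
            findings.append(("double extension", p.name))
    return sorted(findings)


def build_sample_drive(infected=True):
    """Create a temporary directory laid out like a USB stick (constructed
    sample for the demonstration) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Documents").mkdir()                     # real folder
    (root / "report.pdf").write_bytes(b"%PDF-1.4")   # real document
    (root / "photo.jpg").write_bytes(b"\xff\xd8")    # real image
    if infected:
        (root / "Documents.exe").write_bytes(b"MZ")   # fake-folder executable
        (root / "report.pdf.exe").write_bytes(b"MZ")  # double-extension executable
        (root / "Removable Disk (E).lnk").write_bytes(b"L\0\0\0")  # fake drive shortcut
        (root / "autorun.inf").write_text(
            "[AutoRun]\nopen=RECYCLER\\setup.exe\n"
            "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    return root


if __name__ == "__main__":
    for rule, item in scan_removable_drive(build_sample_drive()):
        print("%-34s %s" % (rule, item))
```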
Slide 26

Worm exploits software vulnerabilities

Software on the computer can contain serious programming errors that allow malicious code to exploit them and install malware on the computer.
Commonly exploited are errors in MS Office, Adobe Flash and Java, and even the Windows operating system itself.
If the software's patches are not applied, the risk of infection with malware strains is extremely high, even when the computer has an AV installed.

Tr 26

We can see that, for all the worm spread methods I have just mentioned, if we are more careful when using our computer, it is difficult for a worm to infect it. However, there is one type of worm that is too difficult for us to find out about, and even if we are very careful our computer can still be infected with it: a worm exploiting a software vulnerability.
- Sometimes software on the computer contains serious programming errors that allow malicious code to exploit them and install malware on the computer.
- Commonly exploited are errors in MS Office, Adobe Flash and Java, and even the Windows operating system itself.
- If the software's patches are not applied, the risk of infection with malware strains is extremely high, even when the computer has an AV installed.
Slide 27

Worm exploits software vulnerabilities

Tr 27

The following is an example of a worm exploiting a Windows vulnerability: the worm named Conficker, one of the strongest worms in history, with the number of infected computers reaching 15 million in January 2009.
Slide 28

Trojan
Trojan horse: unlike a virus, a Trojan is a program or code snippet that has ABSOLUTELY NO SPREAD FEATURE.
Trojans are usually used in targeted attacks.
They are installed on the computer through paths such as:
- Downloading cracks, keygens, or software from websites and unknown forums that are not the address of the software's provider.
- Being dropped by a worm when it infects the computer.

Tr 28

We are going to learn about the final malware in the classification by spread form: the Trojan.
- Trojan horse: unlike a virus, a Trojan is a program or code snippet that has ABSOLUTELY NO SPREAD FEATURE.
- Trojans are usually used in targeted attacks.
- They are installed on the computer through paths such as:
+ Downloading cracks, keygens, or software from websites and unknown forums that are not the address of the software's provider.
+ Being dropped by a worm when it infects the computer.
Thus, we have completed the types of malware classified by spread form; it is a little too much, right? Well, let's review these types.
Slide 29

Backdoor
- Opens a door allowing hackers to remotely access and control the victim

Tr 29

Now we are going to learn about the types of malware classified according to the purpose of the attack. The first is the backdoor.
- It opens a connection gateway so that the hacker's computer can remotely access and control your computer (browse files, send files, watch processes, open the camera, record audio, capture keystrokes…). It is worth mentioning here that when a hacker controls your computer, you cannot feel it unless you are running monitoring tools on the computer.
Slide 30

Botnet

Tr 30

Next, the malware type used for DDoS attacks is the botnet. A computer network is like the traffic system we see every day. Each information packet flowing along a network line is like a person taking part in traffic. And perhaps traffic jams are the most hated thing for participants; most traffic jams are caused by an excess of participants on the route, which makes the junctions of the route congested.

Likewise, in a computer network, when we access a certain website we send a series of information packets to the server that runs that website. Each server system has a certain bandwidth that limits the number of accesses within a unit of time. Therefore, if hackers want a certain server to be crippled, they can send an unexpectedly large number of datagrams to that website in a short period, so that the server cannot handle the queries in time and stops responding (this attack form is called Denial of Service). To do this, a hacker may write a program that runs on one or several computers and continuously sends connections to the server, but this method is not feasible because most server systems easily spot these unusual IP addresses and block them. Therefore, the more feasible method is to install a botnet on a large number of computers in order to control them as zombie computers that attack a certain server based on control commands from a C&C (Command and Control) server.

With a large number of IP addresses querying the server continuously, it is difficult to prevent this attack.
Slide 31

Spyware

- Spyware: software that tries to collect information stored on servers and personal computers without the users' consent. The information might be account credentials, passwords, personal information, business information, government secrets, or the technology secrets of manufacturers, etc.

Tr 31

We now move on to the third type, known as spyware.

Spyware: spyware is a type of software that mainly collects information from servers and personal computers without the knowledge or permission of the computer's owner. The information may be account details, passwords, personal or business information, confidential government documents, or the technology secrets of large production units (industrial information)…

Spyware is usually a targeted attack on a certain individual, group of people or organisation, and once it is installed on the computer it is difficult to find and remove.
Slide 32

Adware
- Adware: changes browser settings, continually displays ad pop-ups, etc.

Tr 32

Most malware operates silently on the computer, but some types, once installed, operate openly and even try to attract the user's attention. This is adware.

Adware is an abbreviation of "advertisement" and "software". Once installed on the computer, it changes the browser settings (home page, search engine) and continuously displays pop-up ads, which is inconvenient for users.

Adware is usually bundled with free software or trial versions. When installing software, most users do not pay attention to the terms of use (license and agreement) or the options offered during installation (they usually click Next until Finish), so adware is easily installed alongside.
Slide 33

FakeAV

- Fake AV: impersonates antivirus software to deceive users into buying a license.
- When the computer is infected with a Fake AV, users continually see warnings about dangerous virus infections that urge them to buy a license. These warnings are in fact bogus, and the software which produces them is malware.

Tr 33

Next we move on to malware that directly affects your wallet: Fake AV.

Fake AV: fake anti-virus software that tricks users into buying a license.

When infected with this malware, the user continuously receives warnings that the system is infected with dangerous viruses and should buy the license to remove them. However, in fact the warnings are fraudulent and the software showing them is malware.
Slide 34

FakeAV

Tr 34

If Fake AV only goes as far as tricking gullible users, there is another type of malware with a stronger way of taking money: ransomware.
Slide 35

Ransomware
- Ransomware

Tr 35

Slide 36

Ransomware
When a computer is infected with ransomware, a notice occupies the entire screen (screen lock). Users cannot close it or run other programs.
The notice requires users to send money to a pre-assigned account to get a key which allows them to use their own computer again.
Besides, ransomware can encrypt all data on the victim's computer. Then, even when users can bypass the lock screen, they cannot recover their data without paying the hackers.

Tr 36

- When the computer is infected with ransomware, a notice appears that captures the entire screen (screen lock); we cannot close it or open other programs.

- The content of that notice forces us to pay into an appointed account; the victim then receives a key so that the computer can be used again.

- In addition, ransomware can encrypt all the data on the computer, so even if we find a way to unlock the screen, we cannot restore the data. We have to pay them in order to decrypt the data.
Slide 37

Rootkit
- Rootkit: software that interferes deeply with the system to hide its existence

[Figure: application ↔ rootkit ↔ system]

Tr 37

And the final malware that I would like to introduce to you in today's lesson is the rootkit.

A rootkit is a type of software that interferes deeply with the operating system to hide information. It can be said that rootkit malware is the most difficult to detect and remove, because it sits at a low level in the system (almost like a driver). When removing a component at such a deep level, if we are not careful we cause errors in the entire system, leading to a blue screen. The main effect of a rootkit is to protect the malware on the computer and prevent it from being detected and removed.

The operation mode of a rootkit is to insert itself into the communication between the application and the system; thereby the information the application obtains is altered according to the rootkit's purpose.

Thus, we have completed the types of malware classified according to purpose. Let's review the main points of these malware types.
Slide 38

Content

1. Definition of malware

2. Classification of malware

3. Anti-malware

4. Method of finding and removal of malware

38

We continue with the third section of today's lesson: how to prevent malware.
Slide 39

Anti-malware – System
Consolidating the system

- Equip the system with licensed antivirus software
- Firewall
- Ensure the software as well as the operating system are updated with the latest patches
- For businesses, apply general solutions (set access permissions for employees, etc.)

39

At the system level:
- Equip licensed antivirus software
- Equip a firewall
- Ensure the software as well as the operating system are always updated with the latest patches
- For enterprises, general measures should be applied (segment the network, assign access rights to employees…)
Slide 40

Anti-malware – Humans
Enhance users' awareness

- Do not use cracked software or keygens
- Do not access strange websites or websites of unknown origin
- Do not open attachments from emails of unclear origin
- Be careful when downloading from the Internet
- Do not indiscriminately share folders with full permissions
- Be careful when using USB drives
- Pay attention to links received via chat programs
- Use strong passwords for all Windows accounts
40

Apart from strengthening the system, the other important thing is raising awareness among computer users. After hearing the introduction to the types of malware and how they spread, we can see that in most cases we install the malware on our computer ourselves; in very few cases are we attacked by hackers who exploit vulnerabilities and install the malware on our computer directly.
- Do not use cracked software or keygens
- Do not access unknown websites
- Do not open attachments from unknown emails
- Beware when downloading anything from the Internet
- Do not share folders indiscriminately
- Beware when using USB drives
- Beware of links received via chat windows
- Set strong passwords for all Windows accounts
Slide 41

Content

1. Definition of malware

2. Classification of malware

3. Anti-malware

4. Method of finding and removal of malware

41

The final section of the lesson: methods of checking for and handling malware.


Slide 42

Basic components of malware

- On hard disk: files (exe, dll, sys, scr, pif, bat, vbs, etc.)
- In memory: process, service, driver (sys), etc.
- Startup components: startup keys, startup folders, etc.

Tr 42

Basic elements of malware

- Elements on the hard drive: files (exe, dll, sys, scr, pif, bat, vbs, …)
- Elements in memory: process, service, driver (sys), …
- Auto-startup elements: startup keys, startup folder, ….
Slide 43

Check tools
Available on Windows:

1. File: Explorer
2. Process: TaskManager
3. Startup Folder: Msconfig, Registry Editor
4. Network: netstat

Tr 43

Check tools
Available on Windows:
- File: Explorer
- Process: TaskManager
- Startup Folder: Msconfig, Registry Editor
- Network: netstat
Slide 44

Check tools

Provided by third parties:

1. File: Total Commander
2. Process: ProcessXP
3. Startup folder: Autoruns
4. Network: TcpView, Wireshark, SmartSniff, …
5. Rootkit: Gmer, IceSword, PcHunter

Tr 44

Provided by third parties:

- File: Total Commander
- Process: ProcessXP
- Startup folder: Autoruns
- Network: TcpView, Wireshark, SmartSniff, …
- Rootkit: Gmer, IceSword, PcHunter
Slide 45

Ways to check
Use the check tools to find strange processes (and the files that start those processes), strange startup files and strange files:
- Files with strange icons (folder, Word, Excel, PDF, etc.)
- Files without version info or description
- Files with names similar to system processes (svhost.exe, explore.exe, etc.) or identical to system processes but located in a different directory
- Files with strange names (for example txxcxv.exe), meaningless names or names consisting of numbers only
- Processes whose files are located in the Temp folder or Application Data
- And so on

Tr 45

Use the check tools to find strange processes (and the files that start those processes), strange startup files and strange files:
- Files with strange icons (folder, Word, Excel, PDF, etc.)
- Files without version info or description
- Files with names similar to system processes (svhost.exe, explore.exe, etc.) or identical to system processes but located in a different directory
- Files with strange names (for example txxcxv.exe), meaningless names or names consisting of numbers only
- Processes whose files are located in the Temp folder or Application Data
- And so on
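Added example (not part of the original lecture): the "strange file" rules on this slide as a small Python triage function run over a constructed process list, including a look-alike name check (svhost.exe versus svchost.exe) and the wrong-directory check. The reference table of genuine system paths, the rule names and the sample process list are assumptions made for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Where the genuine copies of commonly impersonated system binaries live
# (constructed reference table for the demonstration; extend it for a real host).
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\application data\\", "\\local settings\\")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike names such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_process(path: str, description: str = "", version: str = ""):
    """Apply the lesson's 'strange file' rules to one running process.
    Returns the list of rule names that fired (empty list = nothing odd)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    stem = p.stem.lower()
    hits = []
    if name in SYSTEM_BINARIES:
        # Genuine name, but is it running from the genuine directory?
        if parent != SYSTEM_BINARIES[name]:
            hits.append("system process name in wrong directory")
    else:
        # One or two edits away from a system name: svhost.exe, explore.exe ...
        for real in SYSTEM_BINARIES:
            if 0 < edit_distance(name, real) <= 2:
                hits.append("name resembles system process %s" % real)
                break
    if not description and not version:
        hits.append("no version info or description")
    if stem.isdigit():
        hits.append("name consists of digits only")
    elif len(stem) >= 5 and not re.search(r"[aeiouy]", stem):
        hits.append("meaningless name (no vowels)")
    lowered = "\\" + str(p).lower() + "\\"
    if any(d in lowered for d in SUSPICIOUS_DIRS):
        hits.append("runs from temp or profile data folder")
    return hits


# Constructed sample process list in the shape a Task Manager / Process
# Explorer export would give: (image path, description, file version).
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\svchost.exe", "Host Process for Windows Services", "10.0"),
    (r"C:\Users\lan\AppData\Roaming\svhost.exe", "", ""),
    (r"C:\Windows\Temp\explorer.exe", "Windows Explorer", "10.0"),
    (r"C:\Users\lan\AppData\Local\Temp\txxcxv.exe", "", ""),
    (r"C:\Users\lan\Documents\20394.exe", "", ""),
    (r"C:\Program Files\Notepad++\notepad++.exe", "Notepad++", "8.5"),
]


def triage_all(processes=SAMPLE_PROCESSES):
    """Return {path: hits} for every process that fired at least one rule."""
    report = {}
    for path, desc, ver in processes:
        hits = triage_process(path, desc, ver)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in triage_all().items():
        print(path)
        for h in hits:
            print("   -", h)
```

These rules are triage signals with known false positives (short vowel-less names such as mstsc.exe, legitimate updaters running from AppData), so a hit means "look closer with Process Explorer or Autoruns", not "malware".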

Slide 46

Ways to check

In many cases the virus has already been executed and has hidden the related details, so checking does not turn up anything strange. If so, we should restart the computer in Safe Mode before checking the startup components as well as the files stored on the computer.

Tr 46

In many cases the virus has already been executed and has hidden the related details, so checking does not turn up anything strange. If so, we should restart the computer in Safe Mode before checking the startup components as well as the files stored on the computer.
Slide 47

What to do upon malware detection

- Terminate the malware's process
- Delete its files and startup components
- Restore the important configuration of the computer
- Restart the computer to see whether any signs of malware are left
Note: this can only be done with worms and Trojans. It is impossible to handle viruses manually.

Tr 47

How to handle malware once detected:

- Terminate the malware's process
- Delete its files and startup components
- Restore the important configuration of the computer
- Restart the computer to see whether any signs of malware are left
- Note: this can only be done with worms and Trojans. It is impossible to handle viruses manually.
