Removing a virus by actually running it

In my previous post, I described a method to detect whether your portable drive is infected or not. If you follow this type of practice, or scan your portable drive before opening it, most of the time you’re safe. But now, assume that your PC is already infected for some reason (maybe Lady Luck had a grudge against you :P). You probably don’t know what the virus does, or even where it resides in the infected machine. So, what should be done in such a case? My method… run the virus on your machine!! (WTF!!!) Yes, I’m serious. To know how, read on…

DISCLAIMER: Don’t perform the operations described hereafter if you seriously don’t know what you’re doing. Chances are that you might end up screwing your own PC due to a tiny mistake. Furthermore, this method doesn’t work for all types of malicious code, so it isn’t 100% foolproof. Having said that, let’s see how you run a virus safely on your machine.

How do I get hold of the virus?

Since the virus replicates itself, it’ll create a copy of itself on removable drives as soon as they are inserted. So, to obtain the virus, just plug in your removable drive and a copy of the virus will be created on the drive. Now, unplug the drive WITHOUT SAFELY REMOVING it and insert it in a clean machine. Perform the tasks mentioned below on this clean machine.

The software you’ll need is Sandboxie, which runs programs in an isolated space and prevents them from making permanent changes to other programs and data on your computer. And of course, you’ll also need a ‘sample’ of the virus you want to disinfect. Also, pause your antivirus’ real-time protection temporarily to prevent it from deleting the sample. Perform the following steps to find out how the virus works…

  1. Install Sandboxie.
  2. After installation, you’ll find an option called Run Sandboxed in the right-click menu. Use it on the virus sample.
  3. Now, whatever changes the virus makes to your machine will be trapped in the Sandbox. This is a folder by the same name, usually located in your root drive.
  4. Browse the contents. The first folder will be named after your USERNAME; the next, after the name of the Sandbox. Inside this folder you will find some of the following folders:
    • user: This corresponds to the folder Documents and Settings or Users located in your root drive.
    • drive: This contains additional folders corresponding to the partitions of your drive, e.g. C:\, D:\, etc.
    • RegHive: This is an extension-less file which contains all the registry changes made during the execution.

NOTE: After performing step 2, terminate the virus executable by right-clicking Sandboxie in the system tray and selecting Terminate All Programs. You’re done. Now, all you have to do is revert these changes on the infected machine. Let’s look at each of the above-mentioned folders/files in detail.

user

As mentioned, this folder corresponds to the folder named Documents and Settings or Users located in your root drive. It further contains the following folders:

  • current: Folder named USERNAME
  • all: Folder named All Users

The contents of these folders mirror the layout of the actual corresponding folders, but hold only the files the virus created or modified.

drive

This folder contains sub-folders corresponding to the drive letters. Usually, the virus creates its files only in the root drive. So, assuming your root drive is C:, you’ll find only a folder named ‘C’.

RegHive

This is a special file which contains information on the registry changes made during the execution. It cannot be viewed directly in the registry editor by importing it; rather, you have to load it as a separate hive in the registry. In case you don’t know, here’s how you go about it:

  1. Start the registry editor by typing ‘regedit’ in Start Menu >> Run…
  2. Select HKEY_USERS
  3. Go to File >> Load Hive… and pick the RegHive file
  4. Give any name for the hive, e.g. SandBox

A new hive will now be created under the name you set. Its sub-keys map to the actual hives as follows:

  • machine: HKEY_LOCAL_MACHINE
  • user\current: HKEY_CURRENT_USER
  • user\current_classes: HKEY_CLASSES_ROOT

Now, go through all the changes recorded in this hive and cross-check them against the live registry. The live values are the correct ones, so note them down for disinfecting purposes. Also, these values may not be the same on all machines, so you should look up some information about them before changing them, and also back them up for safety.

NOTE: Some values will be pre-generated by Sandboxie, so only check the locations viruses favour, which are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT

There may be other locations as well, but these are the common ones.

When you’re done, unload the created hive by performing steps 2-3 and selecting Unload Hive… instead. Now you have all the information regarding your infection. So, go forward and revert all the changes that were made by the virus. Once done, activate your antivirus’ real-time protection again and do a system-wide scan to be safe.
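The folder walk and the RegHive procedure above can be scripted on the clean analysis machine. This is an added example, not code from the original post or from Sandboxie; it assumes the box layout described above (root drive \ Sandbox \ USERNAME \ box name), an elevated PowerShell session, and a placeholder box path that you adjust to your own.

```powershell
# Added example (not from the original post): inventory a Sandboxie box after
# running a sample. Assumes the folder layout described above
# (<root>\Sandbox\<USERNAME>\<BoxName>) and an elevated PowerShell on the clean
# analysis machine. $BoxPath is a placeholder; adjust it to your box.
param(
    [string]$BoxPath  = "C:\Sandbox\USERNAME\DefaultBox",  # placeholder path
    [string]$HiveName = "SandBox"                          # name given in Load Hive
)

# 1. Files the sample dropped: everything under user\ and drive\ is new or modified.
Write-Host "== Files created or modified inside the box =="
foreach ($sub in "user", "drive") {
    $dir = Join-Path $BoxPath $sub
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }
}

# 2. Registry: load RegHive under HKEY_USERS\<HiveName>, as regedit's Load Hive does.
reg.exe load "HKU\$HiveName" (Join-Path $BoxPath "RegHive") | Out-Null

# Box sub-keys and the live keys they stand for (machine -> HKLM, user\current -> HKCU),
# limited to the common autorun locations listed in the post.
$boxRoot = "Registry::HKEY_USERS\$HiveName"
$checks = @(
    @{ Box  = "$boxRoot\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
       Live = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" },
    @{ Box  = "$boxRoot\machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
       Live = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" },
    @{ Box  = "$boxRoot\user\current\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
       Live = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
)

Write-Host "== Registry values written by the sample (box value vs live value) =="
foreach ($c in $checks) {
    if (-not (Test-Path $c.Box)) { continue }   # the sample did not touch this key
    $boxKey = Get-Item -Path $c.Box
    foreach ($name in $boxKey.GetValueNames()) {
        $boxVal  = $boxKey.GetValue($name)
        $liveVal = (Get-ItemProperty -Path $c.Live -ErrorAction SilentlyContinue).$name
        "{0}\{1}`n   box : {2}`n   live: {3}" -f $c.Live, $name, $boxVal, $liveVal
    }
}

# 3. Unload the hive again (File >> Unload Hive...). Nothing on the live system was changed.
reg.exe unload "HKU\$HiveName" | Out-Null
```

The box hive only holds keys the sample (or Sandboxie itself) wrote, so every value printed is a candidate change; the live value beside it is what you restore on the infected machine.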

Posted on July 24, 2009, in Fiddles.