What to do when viruses target antiviruses?
Aractus
One of the main reasons I don’t like running antivirus software is that I usually don’t need to. Recently I managed to install a particularly pesky virus which, although mostly harmless, would insist on closing any antivirus software that discovered it and then changing the file permissions to deny access to it. It also had an insistent hatred of Process Explorer: it would terminate that on launch too and then change the access permissions on the file to deny access.
What was most worrying was that the software I was using was unable to protect itself against this – except for SuperAntiSpyware, which does have an “alternate start option”. That option, however, did not restore the ability to launch the program directly; I still had to manually change the permissions back using CACLS.
A quick Google revealed that since ’09 everyone who has been infected by this virus (including PC technicians) gives up on trying to clean the system and simply reformats or reinstalls Windows. At least the ones who seek help on the internet do, anyway.
Which brings me to this point: how is it that no antivirus software that I could find has created a workaround or otherwise fixed this?
The virus creates a rogue SVCHOST file which, in Task Manager, is near impossible to distinguish from the genuine one (this is probably why it wouldn’t let me run Process Explorer). On the other hand, it has to start somehow, and there are only a handful of ways to autostart a program. Once I’d determined that it wasn’t through any of the usual channels, I went to the last place one would instinctively think to look – the Device Manager.
The Device Manager lists all of the drivers, which also “autostart” with Windows. If you want to see for yourself what’s in there, open Device Manager (Start > Run > “devmgmt.msc”), then click “View” > “Show Hidden Devices”. Unfortunately it is extremely difficult to determine what’s what in there, as you can probably tell if you’re looking at it.
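The point about the rogue SVCHOST being hard to tell apart in Task Manager is really a point about what Task Manager does not show: the image path, the parent process and the file signature. The following PowerShell script is an added example, not something from the original post, that checks every running svchost.exe against what a genuine Windows service host looks like (image in System32, started by services.exe, Microsoft-signed). It assumes Windows PowerShell 5.1 or later and an elevated prompt so that every process’s executable path is readable.

```powershell
# Added example (not from the original post): flag svchost.exe instances whose
# image path, parent process or Authenticode signature does not match the
# genuine Windows service host. Read-only; nothing here terminates or deletes.
# Assumes Windows PowerShell 5.1+ running elevated.
$system32    = Join-Path $env:SystemRoot 'System32'
$genuinePath = Join-Path $system32 'svchost.exe'

# Snapshot all processes once and index them by PID so parents can be resolved
$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $parent     = $byPid[[int]$_.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $path       = $_.ExecutablePath
    $sig        = if ($path -and (Test-Path -LiteralPath $path)) {
                      (Get-AuthenticodeSignature -LiteralPath $path).Status
                  } else { 'NoPath' }

    $suspicious = @()
    # The real service host lives at %SystemRoot%\System32\svchost.exe
    if (-not $path -or $path -ine $genuinePath) { $suspicious += 'unexpected image path' }
    # Service hosts are launched by the Service Control Manager (services.exe),
    # not by explorer.exe, a user shell, or another svchost
    if ($parentName -ine 'services.exe')        { $suspicious += "parent is $parentName" }
    # Microsoft signs svchost.exe; anything but Valid deserves a closer look
    if ($sig -ne 'Valid')                       { $suspicious += "signature $sig" }

    [pscustomobject]@{
        PID       = $_.ProcessId
        Path      = $path
        Parent    = $parentName
        Signature = $sig
        Verdict   = if ($suspicious) { 'SUSPECT: ' + ($suspicious -join '; ') } else { 'ok' }
    }
} | Format-Table -AutoSize
```

A process that copies the name but not the location, parent or signature shows up as SUSPECT on all three counts; a genuine host with an unreadable path (when not elevated) shows only the path and signature flags, which is why the script should be run from an elevated prompt.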
Since I didn’t feel like going through every single one individually, and given that many perfectly innocent drivers have nothing more than a number or a jumble of indecipherable letters to identify them, I simply deleted the two that looked most likely to be a virus (which of course means I deleted at least one “valid” driver). Probably not a good idea to try at home, though, especially if you don’t actually know a rootkit is involved, and even more so if you don’t have a clue what most of those drivers are (I could at least identify about half with some degree of certainty relatively quickly).
On restart, however, the virus was permanently disabled. What did the other driver do? I don’t yet know – no doubt it was installed by some piece of software, and its function may have been as simple as providing a virtual CD drive or virtual printer. Whatever it was, it can be fixed easily; a lot more easily than a complete reinstall of Windows, that’s for certain. A quick re-run of SuperAntiSpyware and all traces of it were gone.
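The hard part described above is telling which of the hidden drivers is which before deleting anything. The script below is an added example, not part of the original post, that enumerates every driver registered to start with Windows (the same population Device Manager shows under hidden devices on the systems of that era) and prints its real on-disk path, its Authenticode status and a short flag list, so that unsigned or oddly located drivers sort to the top. It assumes Windows PowerShell 5.1 or later on an elevated prompt; the `Resolve-DriverPath` helper is mine, written to turn the kernel-style paths WMI reports into normal Win32 paths. It only reads; it does not stop or remove anything.

```powershell
# Added example (not from the original post): list boot/system/auto-start drivers
# with a resolved file path, signature status and warning flags. Read-only.
# Assumes Windows PowerShell 5.1+ running elevated.
$drvDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverPath {
    # Helper written for this example. Win32_SystemDriver reports paths such as
    # \SystemRoot\System32\drivers\foo.sys, System32\drivers\foo.sys or
    # \??\C:\...\foo.sys; normalise them to a path Test-Path understands.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''            # strip NT \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-CimInstance Win32_SystemDriver |
  Where-Object { $_.StartMode -in 'Boot','System','Auto' } |
  ForEach-Object {
    $path   = Resolve-DriverPath $_.PathName
    $exists = $path -and (Test-Path -LiteralPath $path)
    # Note: on Windows 7 and earlier, catalog-signed inbox drivers report
    # NotSigned here, so treat that flag as "look closer", not "malicious".
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'Missing' }

    $flags = @()
    if (-not $exists)                            { $flags += 'file missing' }
    elseif ($path -inotlike "$drvDir\*")         { $flags += 'outside System32\drivers' }
    if ($sig -ne 'Valid')                        { $flags += "signature $sig" }
    # Drivers with no display name, or a name that is just the service key,
    # are exactly the "jumble of letters" entries that are hard to judge by eye
    if (-not $_.DisplayName -or $_.DisplayName -eq $_.Name) { $flags += 'no descriptive name' }

    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        StartMode   = $_.StartMode
        State       = $_.State
        Path        = $path
        Signature   = $sig
        Flags       = ($flags -join '; ')
    }
  } |
  Sort-Object { $_.Flags -eq '' }, Name |   # flagged entries first
  Format-Table -AutoSize
```

Reading the output is still a judgement call, but a driver whose file is missing, sits outside the drivers directory, carries no descriptive name and fails signature checking is a far narrower set than “everything under Show Hidden Devices”, and the list can be saved (pipe to `Export-Csv` instead of `Format-Table`) before any change is made so that a wrongly removed entry can be identified and reinstalled afterwards.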
All in all I’m unimpressed by the inability of antivirus software to fix a problem that’s two years or so old. It’s no wonder people resort to reformatting when they get this virus: how many people are going to be able to manually delete a driver in Device Manager when they don’t even know what it’s called or where to look for it in the first place?
Well, that’s a stupid question, isn’t it, when I couldn’t find evidence of anyone successfully overcoming this virus without reformatting!
Of course there is one other way that would have worked to fix this: System Restore. I have that permanently turned off, however. And who knows, the virus may also have disabled the use of System Restore (meaning you would have to access it from the recovery console)?
Until next time…