Ram & Reason: A Virus and Incident Checklist
By Rob Rice, August 2005
Much has been said about virus and malicious software prevention, but what if
all of your precautions fail? So there you are, happily clicking along the
Internet when suddenly a pop-up ad obstructs your view. You start to close it,
and then another and then another pops up, so that in just a few seconds there
are so many pop-up ads that you cannot possibly close them all as they just
keep coming. So what do you do? Close them as fast as you can in hopes that
they will stop? Turn off the computer? Suddenly a program appears from nowhere
and informs you that you have been infected with a trojan and that it needs to
scan your system so the trojan can be removed. The problem is that you do not
remember ever having installed this program. Do you trust it?
There are some industry-accepted procedures for dealing with this type of
incident and with any virus or trojan infection. Follow these five simple
steps, in this order, to minimize the damage:
1. Do not turn off your computer unless you are certain that your files are
being actively deleted!
2. Disconnect the network cable from your computer and/or turn off your
wireless connection.
3. Write down any error messages and the names of any programs that were
running at the time the infection occurred.
4. Mark the computer “Do Not Use”.
5. Run only the security applications that you are certain are yours,
including any that may already have opened to report the attack. Then run
your antivirus and anti-trojan tools.
Step One:
Do not turn off your computer. Not every trojan and virus is the same, so this
rule will have exceptions, but generally you do not want to turn off the
computer unless you can see that the virus is deleting your files. If you think
it can be stopped from deleting your files without turning off the computer,
that is the better option. The reason is that while turning the computer off
will temporarily stop the damage, more harm can come when you turn the computer
back on: system files can be infected while loading, boot sectors contaminated,
hard drive partitions erased, the registry corrupted. Powering off also
discards everything held in memory (running processes, open network
connections) that would help identify what the infection is doing. For
example, on a Windows system, every time you make a major system change one of
the first things it asks you to do is reboot “to allow the changes to take
effect”. In the case of a virus or trojan, the last thing we want to do is
allow the changes to take effect.
Step Two:
Disconnect the network cable from your computer and/or turn off your wireless
connection. Trojans are designed to open a door and let other trojans, spyware
and viruses in. Physically disconnecting the link to the Internet stops this
behavior, prevents your personal information from going out and prevents other
machines from being infected. Many checklists rate this action number one, and
for good reason. I rate it as step two because step one is simply a quick
decision that can have a significant impact on the recovery outcome.
Step Three:
Write down any error messages that appear and the names of any programs that
were running at the time the infection occurred. This is important not only for
repairing the system but also for identifying which alerts are real and which
are bogus. Error messages that contain misspellings and poor grammar are likely
bogus and generated by the virus, but a polished-looking message is no
guarantee of a genuine one (see Step Five).
Step Four:
Mark the computer “Do Not Use”. This is in case you get
called away and have to leave the system alone for any length of time.
Step Five:
Run only the security applications that you are certain are yours, including
any that may already have opened to report the attack. Then run your
antivirus/anti-trojan tools.
It’s possible that your antivirus or anti-trojan software may have detected
the attack and started running a system scan or is prompting you and waiting
for instructions. If you are certain that it is your software then let it do
what it wants to do and let it clean the system. If you have any doubts as
to whether the program is in fact one of your programs then DO NOT RUN THE
SOFTWARE!
Some trojans actually install and run a program
pretending to be antivirus/anti-trojan software and scan your system all the
while claiming to be cleaning your computer. In reality it is part of the
trojan. Some of these programs look very commercial and very polished so be
careful!
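The checklist above, carried out on a Windows workstation as one script, is shown here as an added example; it is not part of Rob Rice's column and uses PowerShell cmdlets (Get-CimInstance, Get-NetTCPConnection, Get-NetAdapter, Get-ScheduledTask, Get-AuthenticodeSignature, Get-FileHash) that postdate the article, so it assumes Windows 8 / Server 2012 or later with PowerShell 3+ and an elevated session. The output folder, the path of the "scanner" that appeared, and the trusted-vendor certificate pattern are placeholders you would substitute. It covers steps 1, 2, 3 and 5: it snapshots the running state without rebooting, disconnects the machine, records what it found, and checks whether the program claiming to be your antivirus is signed by your vendor before you decide to let it run.

```powershell
# Added example, not from the original column. Assumes Windows 8+/PowerShell 3+,
# an elevated session, and that the paths and vendor pattern below are replaced.
param(
    [string]$OutRoot    = "$env:SystemDrive\IR",          # hypothetical output folder
    [string]$SuspectExe = "C:\Users\Public\scanner.exe"   # hypothetical path of the "scanner" that appeared
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 3: record what is running before touching anything. A handwritten note
# covers the error dialog on screen; this catches the processes you cannot see.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'processes.csv')

# Live TCP connections mapped to the owning process. Captured before Step 2,
# because disabling the adapters discards this list.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'tcp.csv')

# Persistence locations. If the trojan is waiting for a reboot to "take effect"
# (Step 1), the reboot-time payload is usually registered in one of these.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Out-File -Append -FilePath (Join-Path $outDir 'run-keys.txt')
    }
}
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'tasks.csv')

# Step 2: pull the plug, in software. Unplugging the cable is simpler and cannot
# be undone by malware; use this only when you cannot reach the jack.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# Step 5: is the "antivirus" that appeared really yours? Record its hash and
# Authenticode signature, and trust it only if your own vendor signed it.
function Test-TrustedScanner {
    param([string]$Path, [string[]]$TrustedSubjectPatterns)
    if (-not (Test-Path $Path)) { return $false }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    "$Path  SHA256=$hash  Signature=$($sig.Status)  Signer=$($sig.SignerCertificate.Subject)" |
        Out-File -Append -FilePath (Join-Path $outDir 'suspect.txt')
    if ($sig.Status -ne 'Valid') { return $false }    # unsigned or tampered: do not run it
    foreach ($pattern in $TrustedSubjectPatterns) {
        if ($sig.SignerCertificate.Subject -like $pattern) { return $true }
    }
    return $false                                      # validly signed, but not by your vendor
}

# 'CN=Your AV Vendor*' is a placeholder; use your antivirus vendor's certificate subject.
$trusted = Test-TrustedScanner -Path $SuspectExe -TrustedSubjectPatterns @('CN=Your AV Vendor*')
if (-not $trusted) {
    Write-Warning "$SuspectExe is not your antivirus. Do NOT run it; run your own tools instead."
}
Write-Host "Triage snapshot saved to $outDir"
```

Run it from an elevated prompt, ideally from removable media you brought with you rather than from the suspect machine's own disk, and hand the output folder to whoever does the cleanup. The whole snapshot takes a few seconds, which is why it runs before the adapters are disabled: the connection list is the evidence most likely to be lost otherwise. A rogue "scanner" with a valid signature from an unfamiliar publisher still fails the check, which matches the column's rule: if you have any doubt that it is your software, do not run it.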

Rob Rice is a computer specialist working
in Anchorage, Alaska. Rob can be contacted at articles@isp.com