Malware Handling Guidelines

Surbhi Jain

What is a Virus?
The terms computer virus and virus are used very loosely in everyday conversation and have become synonymous with trouble. Viruses are simply software programs. A virus infection is most often invisible to the user. A computer virus is a malicious program, which may attach to other programs, damage or corrupt data, change data, or degrade the performance of your system by utilizing resources such as memory, CPU or disk space, reproduce itself to choke the network, etc.
Causes:

However, in all scenarios the cause for the virus infection can be any of the following: Weak or outdated antivirus software. Un-patched OS or application vulnerabilities. Emails with malicious attachments. P2P file sharing. Unsafe web browsing, unsigned ActiveX control, java applets and scripts. Un-scanned portable drives.
Symptoms:

A computer virus infection may cause the following problems: Unusual behavior of the operating system and applications. Poor System Performance. Corrupt files. Unknown startup items and pop-ups. Unknown services. Hardware malfunctioning. Poor network performance and high bandwidth usage. Increased system utilization. Unusual and random error messages. Malfunctioning of security software like anti-malware, firewall, Windows update. Malicious registry entries and system configuration changes.

Types of Viruses
Term Description Boot Sector Virus - These viruses infect the boot record on hard disks,
floppy disks, and theoretically also on CD's and DVD's. Master Boot Record Virus - MBR viruses are very similar to boot sector viruses, except that they infect the MBR (Master Boot Record) instead of the boot sector. File infector - These viruses infect files which contain executable codes, such as .EXE and .COM files. Email Virus - An email virus can automatically forward itself to thousands of people, depending on whose email address it attacks. Macro Virus - Macro viruses typically use the Visual Basic macro language which is built into Microsoft Office applications.

Virus

A computer worm is a self-replicating computer program. It uses a network Worms to send copies of itself to other nodes and it may do so without any user intervention and may not necessarily infect the host. The Trojan horse describes a class of computer threats that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the host machine, giving them the ability to access the user's computer. Spam is the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately. The term applies to email spam, instant messaging spam, Web search engine spam, spam in blogs, online classified ads spam, mobile phone messaging spam and file sharing network spam. Spyware are so called spy programs that intercept or take partial control of a computer's operation without the user's informed consent. Spyware is designed to exploit infected computers for commercial gain. Adware is a trojan that presents banner ads or pop-up windows through a bar that appears on a computer screen. Those advertising spots usually cannot be removed and are consequently always visible.

Trojan

Spam Spywa re Adwar e

Guidelines for Virus Prevention

Educate yourself and be careful about where you visit and what you click on the web. o Be careful when using P2P file sharing. o Beware of spam-based phishing schemes. o Stay aware of current virus news. o Ensure that only authentic files are downloaded. Update your Antivirus Software to the latest release signature. Schedule periodical full-system scan. Always keep your patch levels up-to-date for the operating systems and all applications. Ensure updation of latest service packs. Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. Implement a password policy with strong passwords for the user accounts. Ensure that local admin rights are used only when required. Install only required applications and services. Ensure that only the latest released versions of utilities, tools, plug-ins etc. are used. Keep the web browsers updated with the latest versions. Enable and use the new security features. Reduce the usage of file sharing. Ensure that appropriate ACL is maintained. Backup your data regularly. Device Management -Access to all the portable devices should be provided only after approval of customization requests. Access should be reviewed on need to have basis. Vulnerability Management Vulnerability is a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from missing patches, weak passwords, software bugs, a computer virus or other malware, a script code injection, a SQL injection or misconfigurations. Use vulnerability scanning tools to identify the vulnerabilities, categorize them based on the criticality & severity and close these vulnerabilities accordingly. Do not respond to the Autoplay of Optical drives and portable drives. Disable AutoPlay wherever feasible. Do not open email attachments without scanning. Do not respond to unknown pop-ups and message boxes. Do not allow unsigned ActiveX controls and Java applets.

Guidelines for Virus Removal & Recovery

Educate yourself with the infection details, removal procedures, symptoms, vulnerabilities exploited from authentic antivirus and operating system vendors. Do not use removable drives in the infected system. Isolate infected computers from the network to prevent propagation. Disable all the shares in the infected system. Ensure the antivirus service is running properly with latest signatures. Use appropriate removal tools from anti-virus vendors to clean the infections. Disable system restore. Update the Operating system with up-to-date patches. Run a full Anti-Virus scan. Delete all temporary files in the system. If a threat exploits one or more network services, disable or block access to those services until a patch is applied. Back up the registry before making any changes to it. Delete any values added to the registry which refer to the path of executable worm. Ensure that all required services and applications are running properly after cleaning the infection. Determine infection vector and prevent re-occurrence.