F-Secure 3.11 Rescue CD Scan of Compaq SR1900NX Windows XP PC

I needed to check a Compaq SR1900NX PC running Windows XP for malware. Since I wanted to do an initial scan outside of Windows, I booted and scanned the system with a F-Secure Rescue CD 3.11. You can find additional information on the Rescue CD at the F-Secure Mac & Linux Blog; the last posting on the rescue CD I found there was Rescue CD 3.11 posted on September 22, 2009.

The rescue CD is provided in .iso form from F-Secure, a prominent antivirus vendor. If you download the .zip file for the rescue CD from the F-Secure website, you will find a .iso file within it along with the release notes and user guide for the F-Secure Rescue CD. You can use any software that you may already have on a system to burn the .iso file to a CD or, for Microsoft Windows systems, if you don't already have a disc burning utility capable of writing .iso files to a disc, you can use the free ImgBurn utility.

When you boot a system from the Rescue CD, which is a Live CD based on Knoppix, a GNU/Linux operating system, you will see a screen similar to the following once scanning starts.

Scanning

 Alt-F1  This screen.
 Alt-F5  To see details of files being scanned.
 Alt-F6  To see malware found.
 Ctrl-C  To cancel scanning.

 Scan started at Tue Sep 20 21:54:23 UTC 2011
 with Database version: 2009-09-13_01.

 No malware found on Master Boot Records.

 Scanned  Malware Done  Progress
  145024        4 100%  oooooooooooooooooooooooo..........................

Scan completed. Press Enter to see report.



When I hit Enter to see the results for this system, I saw the following:

Scan report


      The following files have been disinfected or removed.
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/d
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/R
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/i
sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:

 Scan completed
   Scan started at Tue Sep 20 21:54:23 UTC 2011
   and ended at Tue Sep 20 23:51:15 UTC 2011

   Database version: 2009-13_01

Scanner Engine version:
       F-Secure Corporation Hydra engine version 4.0 build 9271
       F-Secure Corporation Hydra database version 2009-09-12
       
       F-Secure Corporation Aquarius version 0.99 build 140
       F-Secure Corporation Aquarius database version  0000-00-00

              <Arrow keys to scroll. Enter to continue.>



If you hit the Alt-F2 keys, you will get a shell prompt where you can issue standard Linux commands. Hitting the Alt-F3 or Alt-F4 keys will give you other shell prompt displays. You can get back to the original display with Alt-F1. Alt-F5 will show you the scan results for all files, which you can scroll through using the up and down arrow keys on the keyboard. Alt-F6 will also take you back to the display showing the results of the scan, i.e., the same display as obtained with Alt-F1.

If you wish to copy the file in which the results of the scan are stored, you can do so by hitting Alt-F2 to get a shell prompt. You can then type cd /tmp to change the working directory to the directory where the F-Secure antivirus software stores its scanning results. In that directory you will find the following files:

mount_errors.txt
mount_error_details.txt
scan_count
scan_errors.txt
scan_log.txt
scan_results.txt

The results of the scan are stored in scan_results.txt. You can use pico scan_results.txt or nano scan_results.txt to view the contents of that file. This can be useful if, as in the case above, the full path for an infected file is so long that the file name and the particular malware found aren't displayed on the report screen. In the pico editor, you can use the right arrow key on the keyboard to move the cursor to the right so that you can see all of a file name.

E.g. in the screen display above, I saw the following information for the infected files:

sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/d
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/R
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/i
sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:

To find out which malware F-Secure identified for those files, I could look in /tmp/scan_results.txt, since the full text of each entry is shown there. When I did so, I saw the following:

sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/dance into nite.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/Rza - Fast Cars.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/irene toby mac.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:W32/MyWebSearch.I [FSE]

You can also view the list of infected files with more /tmp/scan_results.txt.

You can see the results for every file checked by viewing scan_log.txt. Those that were deemed uninfected will have clean after their entries in the log files. If any problems were encountered scanning particular files, you can find information on the reason within scan_errors.txt. E.g., I saw the following errors listed in that file:

/mnt/scan/sda1/Program Files/HP Games/Jeopardy 2/Jeopardy.dat: ERROR: Bad archive
/mnt/scan/sda1/WINDOWS/Installer/ac7315.msp: ERROR: Scan timeout.
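The result files described above are plain text with a fixed line shape, so they are easy to summarize from the Alt-F2 shell before the reboot wipes them. The following is an added example, not code from the page or from F-Secure: it parses scan_results.txt (lines of the form "path: Infected: name [FSE]") and scan_errors.txt (lines of the form "path: ERROR: reason"), and it runs against constructed sample files built from the entries quoted above rather than against a real /tmp. The SCAN_DIR variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: summarize F-Secure Rescue CD result files.
# SCAN_DIR is an assumption; on the Rescue CD the files live in /tmp.
SCAN_DIR="${SCAN_DIR:-/tmp}"

# Print "<count>\t<detection name>" per distinct detection, most frequent first.
# scan_results.txt lines look like: <path>: Infected: <name> [FSE]
summarize_detections() {   # summarize_detections FILE
    awk -F': Infected: ' 'NF >= 2 {
        name = $2
        sub(/ \[[A-Z]+\] *$/, "", name)   # drop the trailing "[FSE]" engine tag
        count[name]++
    }
    END { for (n in count) printf "%d\t%s\n", count[n], n }' "$1" | sort -rn
}

# Print only the paths of infected files; paths may contain spaces, so the
# suffix is stripped with sed rather than by word-splitting the line.
infected_paths() {   # infected_paths FILE
    sed -n 's/: Infected: .*$//p' "$1"
}

# Count files the scanner could not examine (archives it could not open,
# scan timeouts); these are blind spots worth a second look, not clean files.
error_count() {   # error_count FILE
    grep -c ': ERROR: ' "$1" || true
}

# Constructed sample files, copied from the entries quoted on this page,
# written to a temporary directory so the example runs offline.
write_sample_files() {   # write_sample_files DIR
    cat > "$1/scan_results.txt" <<'EOF'
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/dance into nite.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/Rza - Fast Cars.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:W32/MyWebSearch.I [FSE]
EOF
    cat > "$1/scan_errors.txt" <<'EOF'
/mnt/scan/sda1/Program Files/HP Games/Jeopardy 2/Jeopardy.dat: ERROR: Bad archive
/mnt/scan/sda1/WINDOWS/Installer/ac7315.msp: ERROR: Scan timeout.
EOF
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
write_sample_files "$SAMPLE"

echo "Detections:"
summarize_detections "$SAMPLE/scan_results.txt"
echo "Infected files:"
infected_paths "$SAMPLE/scan_results.txt"
echo "Files the scanner could not examine: $(error_count "$SAMPLE/scan_errors.txt")"
```

On the Rescue CD itself you would point the functions at /tmp/scan_results.txt and /tmp/scan_errors.txt instead of the sample directory. The error count matters as much as the detection list: a file reported as "Bad archive" or "Scan timeout" was never checked, so it is not known to be clean.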

For hard drive partitions that were scanned, look under /mnt/scan with ls /mnt/scan. You should see something like /mnt/scan/hda1 for an IDE disk drive or /mnt/scan/sda1 for a SATA drive.

So, if you want to keep the scan files created during the scan, you could create a directory on the system's hard drive and copy them there. E.g., suppose I want to put the files in the C:\temp directory on the hard drive in a subdirectory called F-Secure. I could create the subdirectory with mkdir /mnt/scan/sda1/temp/F-Secure. Note: since the rescue CD is a Knoppix Linux LiveCD, you need to be mindful that directory names are case-sensitive: temp is not the same as TEMP. You can use the Linux ls command to view directory contents, e.g. ls /mnt/scan/sda1. After creating the directory for the scan files, I could copy scan_errors.txt, scan_log.txt, and scan_results.txt to it with cp scan*.txt /mnt/scan/sda1/temp/F-Secure/., allowing me to retain that information after rebooting the system. Otherwise, when the system is rebooted, the scan files, which were stored only in memory, will be lost.

Another alternative, since the rescue CD has Secure Shell (SSH) and Secure Copy (scp) on it, is to use scp to transfer the files to an SSH server.

Infected files have a ".virus" appended to the file name. E.g., for the first infected file reported, I could see the new name using the following ls command:

root@Microknoppix:/tmp# ls "/mnt/scan/sda1/Documents and Settings/Compaq_Owner/M
y Documents/LimeWire/Saved/dance"*
/mnt/scan/sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/d
ance into nite.mp3.virus

Note: you will need to enclose at least part of the full path name and file name in quotes, if there are spaces in the path name or file name.

If you are wondering what the malware may do, you can get additional information from the F-Secure Virus Description database. E.g. a search of the database for "Wimad.gen" provided the Trojan-Downloader:W32/Wimad.gen!A page with additional details.

You may also be able to find further information using the Virus Bulletin: VGrep online - identify a virus by all its different names page on the Virus Bulletin web site.

You can return to the Scan report screen with Alt-F1. When you hit Enter to continue, you are prompted to "Scan again" or "Restart computer".

Scan report


      Summary
No malware found on Master Boot Records.

The computer was scanned. All files still containing malware are
renamed.

Scan is now complete. The computer will be restarted.


        <  Scan again  >     <Restart computer>



The disc will be ejected as part of the restart process.

References:

  1. Rescue CD
     F-Secure
  2. Rescue CD 3.11
     Posted: September 22, 2009
     F-Secure Mac & Linux Blog
  3. F-Secure Virus Description
     F-Secure
  4. Virus Bulletin: VGrep online - identify a virus by all its different names
     Virus Bulletin: Independent Malware Advice
  5. File Extension .ISO Details
     FilExt
  6. ImgBurn
     ImgBurn


Created: Wednesday September 21, 2011 9:49 PM