I needed to check a Compaq SR1900NX PC running Windows XP for malware. Since I wanted to do an initial scan outside of Windows, I booted and scanned the system with a F-Secure Rescue CD 3.11. You can find additional information on the Rescue CD at the F-Secure Mac & Linux Blog; the last posting on the rescue CD I found there was Rescue CD 3.11 posted on September 22, 2009.
The rescue CD is provided in .iso form from F-Secure, a prominent antivirus vendor. If you download the .zip file for the rescue CD from the F-Secure website, you will find a .iso file within it along with the release notes and user guide for the F-Secure Rescue CD. You can use any software that you may already have on a system to burn the .iso file to a CD or, for Microsoft Windows systems, if you don't already have a disc burning utility capable of writing .iso files to a disc, you can use the free ImgBurn utility.
When you boot a system using the Rescue CD, which is a Live CD using Knoppix, a GNU/Linux operating sytem, for the operating system, you will see a screen similar to the following when scanning is initiated.
Scanning Alt-F1 This screen. Alt-F5 To see details of files being scanned. Alt-F6 To see malware found. Ctrl-C To cancel scanning. Scan started at Tue Sep 20 21:54:23 UTC 2011 with Database version: 2009-09-13_01. No malware found on Master Boot Records. Scanned Malware Done Progress 145024 4 100% oooooooooooooooooooooooo.......................... Scan completed. Press Enter to see report.
When I hit Enter to see the results for this system, I saw the following:
Scan report
The following files have been disinfected or removed.
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/d
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/R
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/i
sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:
Scan completed
Scan started at Tue Sep 20 21:54:23 UTC 2011
and ended at Tue Sep 20 23:51:15 UTC 2011
Database version: 2009-13_01
Scanner Engine version:
F-Secure Corporation Hydra engine version 4.0 build 9271
F-Secure Corporation Hydra database version 2009-09-12
F-Secure Corporation Aquarius version 0.99 build 140
F-Secure Corporation Aquarius database version 0000-00-00
<Arrow keys to scroll. Enter to continue.>
If you hit the Alt-F2 keys, you will get a shell prompt where you can issue standard Linux commands. Hitting the Alt-F3 or Alt-F4 keys will give you other shell prompt displays. You can get back to the original display with Alt-F1. Alt-F5 will show you the scan results for all files, which you can scroll through using the up and down arrow keys on the keyboard. Alt-F6 will also take you back to the display showing the results of the scan, i.e., the same display as obtained with Alt-F1.
If you wish to copy the file in which the results of the scan are stored,
you can do so by hitting Alt-F2 to get a shell prompt. You can then
type cd /tmp to change the working directory to the directory
where the F-Secure antivirus software stores its scanning results. In that
directory you will find the following files:
mount_errors.txt
mount_error_details.txt
scan_count
scan_errors.txt
scan_log.txt
scan_results.txt
The results of the scan are stored in scan_results.txt. You
can use pico scan_results.txt or nano scan_results.txt
to view the contents of that
file. This can be useful, if, as in the case above, the full path
for the infected file was so long that the filename and the particular
virus found aren't displayed. In the pico editor, you can use the right arrow
key on the keyboard to move the cursor to the right, so that you can see
all of a file name.
E.g. in the screen display above, I saw the following information for the infected files:
sda/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/d sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/R sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/i sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:
If I want to know what virus F-Secure identified associated with
the files, I could look in /tmp/scan_results.txt to check,
since I could see the full text for each entry there. When I did so, I
saw the following:
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/dance into nite.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/Rza - Fast Cars.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/irene toby mac.mp3: Infected: Trojan-Downloader:W32/Wimad.gen!A [FSE]
sda1/Program Files/MyWebSearch/bar/2.bin/MWSSVC.EXE: Infected: Adware:W32/MyWebSearch.I [FSE]
You can also view the list of infected files with
more /tmp/scan_results.txt.
You can see the results for every file checked by viewing
scan_log.txt. Those that were deemed uninfected will have
clean after their entries in the log files. If any problems were
encountered scanning particular files, you can find information on the reason
within scan_errors.txt. E.g., I saw the following errors listed in
that file:
/mnt/scan/sda1/Program Files/HP Games/Jeopardy 2/Jeopardy.dat: ERROR: Bad archive
/mnt/scan/sda1/WINDOWS/Installer/ac7315.msp: ERROR: Scan timeout.
For hard drive partitions that were scanned, look
under /mnt/scan with ls /mnt/scan.
You should see something like
/mnt/scan/hda1 for an
IDE
disk drive or /mnt/scan/sda1 for a
SATA drive.
So, if you want to copy the scan files created during the scan of the
system to the system's hard disk, you could create a directory on
the system's hard drive and copy them there. E.g., suppose I want to put
the files in the C:\temp directory on the hard drive in a
subdirectory called F-Secure. I could create the subdirectory
with mkdir /mnt/scan/hda1/temp/F-Secure. Note: since the
rescue CD is a Knoppix Linux
LiveCD, you need to be mindful that directory names are case-sensitive.
temp is not the same as TEMP. You can use the
Linux ls command to view directory contents, e.g.
ls /mnt/scan/sda1. After creating the directory for the scan
files, I could copy scan_errors.txt, scan_log.txt,
and scan_results.txt to it with cp scan*.txt
/mnt/scan/sda1/temp/F-Secure/., allowing me to retain that information
after rebooting the system. Otherwise, when the system is rebooted, the
scan files, which were stored only in memory, will be lost.
Another alternative, since the rescue CD has Secure Shell (SSH) and Secure Copy (scp) on it, is to use scp to transfer the files to a SSH server.
Infected files have a ".virus" appended to the file name. E.g., for the
first infected file reported, I could see the new name using the following
ls command:
root@Microknoppix:/tmp# ls "/mnt/scan/sda1/Documents and Settings/Compaq_Owner/M
y Documents/LimeWire/Saved/dance"*
/mnt/scan/sda1/Documents and Settings/Compaq_Owner/My Documents/LimeWire/Saved/d
ance into nite.mp3.virusNote: you will need to enclose at least part of the full path name and file name in quotes, if there are spaces in the path name or file name.
If you are wondering what the malware may do, you can get additional information from the F-Secure Virus Description database. E.g. a search of the database for "Wimad.gen" provided the Trojan-Downloader:W32/Wimad.gen!A page with additional details.
You may also be able to find further information using the Virus Bulletin: VGrep online - identify a virus by all its different names page on the Virus Bulletin web site.
You can return to the Scan report screen with Alt-F1. When you hit Enter to continue, you are prompted to "Scan again" or "Restart computer"
Scan report
Summary
No malware found on Master Boot Records.
The computer was scanned. All files still containing malware are
renamed.
Scan is now complete. The computer will be restarted.
< Scan again > <Restart computer>
The disc will be ejected as part of the restart process.
References:
Created: Wednesday September 21, 2011 9:49 PM