F-Secure Rescue CD 2.00

F-Secure provides a rescue CD, Rescue-CD 2.00, from which you can boot a system and scan it for viruses. This is very useful when a system is so infected it won't boot, runs extremely slowly under Windows, crashes unexpectedly under Windows, or is so badly infected that you don't want to boot into Windows to try and install software to disinfect the system. The F-Secure Rescue-CD allows you to boot into an alternate operating system. In this case the boot CD is a Knoppix Linux LiveCD.

To use the software, download the ISO file and create a bootable CD from it using Nero or whatever other CD-burning software you may use that can create bootable CDs from .iso files. Then boot the system from the F-Secure Rescue CD. You will need to hit Enter at the initial Rescue CD screen or the system will boot into Microsoft Windows within 15 seconds.

F-Secure Rescue CD

F-Secure Rescue CD will scan the computer.

This scanning process will rename all files containing malware.
Warning! If a Windows system file is infected the computer may not
restart anymore.

Select Next and press enter to scan the computer.

How to use this CD:

Press Space to select/deselect checkboxes
Arrow Keys to move the cursor
Enter to confirm selection

< Next > <Restart>

If you select "Next", which you can do by using the arrow keys or by Alt-N, the software will attempt to update its virus definition database over the network. If the system is connected to a network when you boot it, it will attempt to obtain IP address information from a DHCP server, which will allow the rescue CD software to update its virus definitions.

Updating virus defintion database.
This could take some time, depending you your Internet connection

You will be then be prompted to agree to the End User License Agreement. When you select "Next" at that screen, you are asked to confirm that you have read the License Terms and accept them. You are then prompted to select the drives you want to scan. You can toggle the selection of drives/partitions on/of by using the arrow keys to move to a drive/partition and then using the spacebar to select or deselect an entry.

You can then select whether to "Proceed to Scan" or "Quit and restart". When you opt to "Proceed to Scan", a scan of the selected drives/partitions will commence.

Scanning

Scanning all filesystems mounted under /mnt/scan/ directory.
The results of the scan will be saved in /tmp/scan_results.txt

Alt-F1  This screen.
Alt-F5  To see details of files being scanned.
Alt-F6  To see any malware found.
Ctrl-C  TO cancel scanning.

Scan started at Sat Mar  1 21:54:51 UTC 2008.
 Scanned  Malware   Progress
     100        0   ooooooooooooooooooooooooooooooooooooooo.........

The scan report will show which files F-Secure antivirus has determined were infected and renamed. When the files are renamed, .virus is appended to the end of the filename. Eg. hda1/WINDOWS/Temp/DWHD117.tmp would be renamed to hda1/WINDOWS/Temp/DWHD117.tmp.virus, if the antivirus software deemed it to be infected.

Scan report

Following files have been renamed

hda1/WINDOWS/Temp/DWHD117.tmp: Infected: JS/Bankfraud.B@troj [Libra]

hda1/WINDOWS/Temp/DWH897F.tmp: Infected: JS/Bankfraud.B@troj [Libra]

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

162064 files scanned

10 files infected

10 files renamed

43 files could not be scanned

< Next >

You can get to a shell prompt for the root account at any time by hitting Ctrl-Alt-F2, Ctrl-Alt-F3, or Ctrl-Alt-F4 (each will open a separate shell prompt). You can get back to the F-Secure Rescue CD selections by hitting Ctrl-Alt-F1

If you wish to copy the file in which the results of the scan are stored, you can do so, by hitting Ctrl-Alt-F2 to get a shell prompt. You can then type cd /tmp to change the working directory to the directory where the F-Secure antivirus software stores its results. In that directory you will find the following files:

The results of the scan are stored in scan_results.txt. You can use pico scan_results.txt or nano scan_results.txt to view the contents of that file. This can be useful, if, as in the case above, the full path for the infected file was so long that the filename and the particular virus found aren't displayed. E.g. in the screen display above,

hda1/Documents and Settings/All Users/Application Data/Symantec/Norton

is displayed. In that case, I know that the F-secure program is identifying something it found in a Symantec AntiVirus quarantine directory, but, if I wanted to know what virus F-Secure identified associated with that file, I could look in /tmp/scan_results.txt to check, since I could see the full text for each entry there.

You can see the results for every file checked by viewing

scan_log.txt

. Those that were deemed uninfected will have clean after their entries in the log files. If any problems were encountered scanning particular files, you can find information on the reason within scan_errors.txt

For hard drive partitions that were scanned, look under /mnt/scan with ls /mnt/scan. You should see something like /mnt/scan/hda1 for an IDE disk drive.

So, if you want to copy the scan files created during the scan of the system to the system's hard disk, you could create a directory on the system's hard drive and copy them there. E.g., suppose I want to put the files in the C:\TEMP directory on the hard drive in a subdirectory called F-Secure. I could create the subdirectory with mkdir /mnt/scan/hda1/TEMP/F-Secure. Note: since the rescue CD is a Knoppix Linux LiveCD, you need to be mindful that directory names are case-sensitive. Temp is not the same as TEMP. You can use the Linux ls command to view directory contents, e.g. ls /mnt/scan/hda1. After creating the directory for the scan files, I could copy scan_errors.txt, scan_log.txt, and scan_results.txt to it with

cp scan*.txt
/mnt/scan/hda1/TEMP/F-Secure/.

, allowing me to retain that information after rebooting the system.

Like many antivirus vendors, F-Secure doesn't do a good job of providing information on the viruses it detects, so you are left wondering exactly what the malware may do. For instance, in the example above, files were identified as infected with JS/Bankfraud.B@troj [Libra], yet I could find no information on this malware in the F-Secure Virus Description Database . It wasn't listed under "J", nor "B" for "Bankfraud", nor even "T" for "Troj, nor did anything relevant appear when I searched the Virus Description Database for "Bankfraud".

F-Secure suggests searching for information at the Project VGrep home page on the Virus Bulletin web site. That site provides cross-reference names for viruses. When I searched for js/bankfraud.b there, I did find it listed under other names for other vendors. There was no reference for F-Secure there.

Note: I scanned a Windows Small Business Server (SBS) 2003 system with F-Secure Rescue CD without a problem, but when I scanned a Windows Vista laptop, the scan hung after scanning 100 files. I rebooted the system and tried again. The second time, 300 files were scanned before the system hung again. In both cases, the system wouldn't respond to any keyboard input. I left the second scan run overnight, thinking that it might be taking a long time to scan a particularly large file, but the system was at the same point the next morning and was not responding to any keyboard input.