Trojan remover also removed SYS files/info Can't connect Internet

From: "Gerry Cornell" <[email protected]>

| David
|
| Do your suggestions fit on a floppy disk?
|

I don't see why that is a constraint but yes, the Multi AV Scanning Tool is presently ~724KB
in a self-extracting EXE file.
 
David

Can it be run from a floppy? Does it extract to more than a floppy can
accommodate?

I think you may be misunderstanding the reason I was suggesting Stinger.
If you have no internet connection and the affected computer does not
have a CD drive then whatever you use to try to regain control must fit
onto a floppy. It has the added advantage that if write protected any
virus cannot disable Stinger. Stinger is only a way to start the
cleaning process with a view to regaining the internet connection.

--


Regards.

Gerry

~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
 
From: "Gerry Cornell" <[email protected]>

| David
|
| Can it be run from a floppy? Does it extract to more than a floppy can
| accommodate?
|
| I think you may be misunderstanding the reason I was suggesting Stinger.
| If you have no internet connection and the affected computer does not
| have a CD drive then whatever you use to try to regain control must fit
| onto a floppy. It has the added advantage that if write protected any
| virus cannot disable Stinger. Stinger is only a way to start the
| cleaning process with a view to regaining the internet connection.
|

Not true at all. There is no limitation to a floppy drive.

One can burn a CD-ROM (if one is present), use a ZIP drive, use a USB flash drive, use a
USB memory card reader and memory card combo, etc.

As for the Multi AV Scanning Tool, it has a dependency upon the folder C:\AV-CLS which is
hard-coded in the utility.

You stated ... "It has the added advantage that if write protected any virus cannot disable
Stinger"
That's NOT true at all. It is a simple concept to kill a running process. The Sober
Internet worm will kill any process called "stinger.exe". It has nothing to do with whether
the executable is a Read-Write or Read-Only file on the media.

The Multi AV Scanning Tool uses Windows Management Instrumentation (WMI) to kill a running
process to increase the efficacy of the cleaning process, because you can't clean/delete a
virus if the respective EXE is running and its file handle is held open. Thus, I have
created the capability in the Multi AV tool to kill processes listed in the file
C:\AV-CLS\killproc.txt

Example: Say a Trojan DLL is being used by RUNDLL32.EXE to execute the payload. By
appending RUNDLL32.EXE to the list in C:\AV-CLS\killproc.txt, the running process
RUNDLL32.EXE will be killed prior to scanning the system, and the DLL being used by
RUNDLL32.EXE can then be cleaned/deleted by the respective AV scanner.

The following is the WMI function I use in the Multi AV Scanning Tool (KiXtart)...

; Terminate every running instance of $proc via WMI (Win32_Process.Terminate).
; $strComputer is optional and defaults to "." (the local machine).
Function EndProc($proc, optional $strComputer)
    DIM $Process
    If $strComputer = ''
        $strComputer = '.'
    EndIf
    ; Query root\cimv2 on the target machine for processes whose Name matches $proc.
    For Each $Process In GetObject("winmgmts:{impersonationLevel=impersonate}!\\" + $strComputer + "\root\cimv2").ExecQuery("Select * from Win32_Process where Name = " + '"' + $Proc + '"')
        ; Terminate returns a status code (0 = success); it is stored here, not inspected.
        $Process = $Process.Terminate
    Next
EndFunction


Viruses don't tend to insert themselves in the Layered Service Provider; that is something
that adware/spyware does, as well as a few Trojans. None of the Stinger targeted infectors
would break the TCP/IP protocol (so to speak); therefore using Stinger is the wrong approach,
for the reasons that it has a limited target list and because none of the infectors it does
target modify the Registry concerning WINSOCK and insert a Layered Service Provider (LSP).

Please read the URL http://vil.nai.com/vil/stinger/
Examine the list of infectors (mostly Internet worms, the few Trojans work with an Internet
worm as a sister component) and then put the name of the infector in the AVERT Virus
Information Library search engine URL http://vil.nai.com/vil/advsearch.asp

Then you can get a grasp of the infectors that are targeted by Stinger and what those
infectors do and their side effects.

Conversely, you can go to http://vil.nai.com/vil/advsearch.asp and enter LSP into the AVERT
Virus Information Library search engine and you can see which infectors do insert an LSP.

Example:
Adware-NDotNet -- http://vil.nai.com/vil/content/v_133652.htm
"A Browser Helper Object (BHO) is installed in Internet Explorer and a new provider is added
into the Layered Service Provider (LSP) stack. This BHO-LSP combination intercepts requested
URLs containing applicable top-level domains and maps the requests to the appropriate
new.net subdomain. Default address bar searches and 404 "page not found" errors are
redirected to http://find.reliableresults.info. "


Now if an infector does insert an LSP and that infector is removed without fixing the LSP,
then the objective would NOT be to scan with AV software but to use an LSP fix type program.

On WinXP SP2, this is done simply by executing the following command line in a Command
Prompt..
netsh winsock reset catalog

If it is not WinXP SP2 (such as; Win9x/ME and Win2K) then the LSP Fix utility is warranted
(albeit, it can be used on WinXP SP2 as well)
http://www.cexx.org/LSPFix.exe

Note that LSPFix.exe will fit on a floppy as it is only ~182KB ;-)
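The two steps described in the post above, the killproc.txt list terminated through WMI and the Winsock/LSP check followed by "netsh winsock reset catalog", as an added PowerShell example. This is not the Multi AV Scanning Tool's code and not part of the original post; it uses the CIM cmdlets (PowerShell 3.0 and later) instead of the KiXtart GetObject("winmgmts:...") call, so it will not run on the WinXP-era hosts the thread discusses without swapping in Get-WmiObject. The path C:\AV-CLS\killproc.txt is taken from the post; the one-name-per-line format with "#" comments, the -ResetWinsock switch and the "provider DLL outside the Windows directory" heuristic are assumptions for illustration.

```powershell
<#
  Added example (not the Multi AV Scanning Tool's own code).
  1. Terminate every process whose image name is listed in the kill list
     (default C:\AV-CLS\killproc.txt, the path named in the post).
  2. List Winsock catalog provider DLLs that live outside the Windows
     directory, and optionally run "netsh winsock reset catalog".
  Assumptions: run from an elevated prompt on the infected machine; the
  kill-list format ("#" comments, one image name per line) is assumed.
#>
param(
    [string]$KillList = 'C:\AV-CLS\killproc.txt',
    [switch]$ResetWinsock
)

function Get-KillList {
    # Returns the unique image names from the list, e.g. "rundll32.exe".
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Kill list $Path not found; nothing to terminate."
        return @()
    }
    Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Select-Object -Unique
}

function Stop-ListedProcess {
    # Same idea as the post's EndProc(): query Win32_Process by Name and call
    # Terminate on every match, so several instances of one image are handled.
    param([string[]]$Name)
    foreach ($n in $Name) {
        # Escape single quotes so the WQL filter stays well-formed.
        $filter = "Name = '{0}'" -f ($n -replace "'", "''")
        $found = @(Get-CimInstance -ClassName Win32_Process -Filter $filter)
        if ($found.Count -eq 0) {
            Write-Verbose "$n is not running."
            continue
        }
        foreach ($p in $found) {
            $r = Invoke-CimMethod -InputObject $p -MethodName Terminate
            # Win32_Process.Terminate return values: 0 = success,
            # 2 = access denied, 3 = insufficient privilege, 8 = unknown failure.
            [pscustomobject]@{
                Name        = $p.Name
                ProcessId   = $p.ProcessId
                Path        = $p.ExecutablePath
                ReturnValue = $r.ReturnValue
            }
        }
    }
}

function Get-ForeignWinsockProvider {
    # Parse the "Provider Path:" lines of "netsh winsock show catalog" and
    # return the DLLs that are not under the Windows directory. A third-party
    # LSP such as the new.net example in the post shows up here; a Microsoft
    # provider like mswsock.dll does not.
    $windir = $env:SystemRoot
    $paths = netsh winsock show catalog | ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    } | Select-Object -Unique
    $paths | Where-Object { $_ -notlike "$windir\*" }
}

# Step 1: kill listed processes before the AV scanner runs.
$names = Get-KillList -Path $KillList
if ($names) {
    Stop-ListedProcess -Name $names | Format-Table -AutoSize
}

# Step 2: review the Winsock catalog, then reset it only when asked.
$foreign = @(Get-ForeignWinsockProvider)
if ($foreign.Count -gt 0) {
    Write-Host "Winsock providers outside ${env:SystemRoot} (review before resetting):"
    $foreign | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No Winsock providers outside the Windows directory.'
}
if ($ResetWinsock) {
    # Rebuilds the catalog to its default state; a reboot is needed afterwards.
    netsh winsock reset catalog
}
```

The reset is deliberately behind a switch: "netsh winsock reset catalog" also drops legitimate third-party providers (some firewalls and VPN clients install one), so the provider listing is meant to be read first. Terminate returning 2 or 3 means the script is not elevated or the process belongs to another session, which is the same limitation the post's WMI call has.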
 
Actually thanks for the suggestions I will probably re-do my usual CD and
make a floppy. Trouble with floppies is they are now used so little you
usually have to extract 2 years worth of dog / cat hair, dust and anything
"The kids pushed in there" first :)

Charlie
 
David

You are totally missing the point!

If you have no internet connection and the affected computer does not
have a CD drive then whatever you use to try to regain control must fit
onto a floppy.

--


Regards.

Gerry

~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
 
From: "Gerry Cornell" <[email protected]>

| David
|
| You are totally missing the point!
|
| If you have no internet connection and the affected computer does not
| have a CD drive then whatever you use to try to regain control must fit
| onto a floppy.
|

Not true at all. There is no limitation to a floppy drive. One can use a ZIP drive, use a
USB flash drive, use a USB memory card reader and memory card combo, etc.

I use a USB 2.0 powered 250MB ZIP drive to service others' computers as well as a 1GB Compact
Flash card in conjunction with a USB v2.0 CF card reader. Which I use depends on what I
plan on doing and what kind of service I will provide. Both are chosen because they are
Random-Read, Random-Write devices.

There was a time I would use a parallel port ZIP 100MB drive and a DOS boot floppy with or
without NTFS4DOS (depending on whether the platform uses NTFS or not). This way I could boot off a
DOS disk and use the McAfee Command Line Scanner from the POV of the ZIP drive.

I think you'll find that floppy drives are less common and CDROM (or DVD) drives are the
norm on home computers.
 
