Of all the security tasks you need to carry out, malware removal is
a tricky business. It often requires intimate knowledge of the
inner workings of a particular piece of malcode: How it got on the
computer in the first place; its attack mode; what it changes;
where it resides.
Malware removal is certainly not for the faint-of-heart.
Since malware is a term that describes a broad variety of
unwanted software, there are a multitude of details to work out before
removal can commence. Each virus, spyware program or rootkit can have a
completely different effect on a given computer system, making
removal that much more complicated. For example, adware might only
manifest itself in Internet Explorer (IE) browser settings; a virus
might infect an instant messaging (IM) application and send IMs to
the buddy list; while a rootkit can hide itself at a computer's
kernel level to avoid detection by the operating system (OS),
applications and the user.
Therefore, the first step in the malware removal process is
identification and classification.
Malware classification
Aside from the basic security classification terms, like viruses,
worms, spyware, etc., you can classify malware on the basis of
what's pertinent to administrators and users alike -- without
needing to understand the precise technical definition of each
term. One example is the attack vector: how does a piece of malcode
spread? Through email? Over IM? Does it disperse itself?
When you understand how a piece of malware infected your
computers in the first place, not only will that knowledge help you
identify the particular malware strain, but it will also help
prevent more attacks.
Another way to classify malware is by the flaw or vulnerability
it exploits. Does the malware affect a particular application like
Word or PowerPoint? Does it only affect a particular version of
software, like an IE 6 VBScript flaw? These vulnerabilities affect
client-level systems, but what if the malware affects a more
critical server system, as the 2003 SQL Slammer worm did?
The potential severity of malware is another way to classify it.
Can it be easily dispersed through the network? Will it affect
server-level systems? Will it be confined to only desktop systems
running unpatched Office 2003 applications? Antivirus and
antispyware companies often classify threats based on the extent of
the damage caused by the malware to a single system and the
prevalence of the flaw or vulnerability across many systems.
You can further classify malware by the actions it takes once it
has infected a system. What files does it change? Does it change
registry settings? Does it implant itself in the OS startup file?
Does it initiate Windows processes? If it does, that is often the
key to finding out if you have a virus. A tool like Sysinternals
Process Explorer can help identify processes that should not be
running on a clean Windows computer.
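The checks in the paragraph above (altered registry settings, startup entries, unexpected processes) can be made repeatable by comparing a machine against a baseline taken while it was known to be clean. The following PowerShell script is an added example and not code from the original article; the baseline file path and the set of Run keys it inspects are assumptions chosen for illustration.

```powershell
# Added example: snapshot the common autostart Run keys and the running
# process list (image path + SHA-256), save it as a baseline, and later
# report entries that are new or whose binary has changed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SystemSnapshot {
    # One record per value under each Run key (PS* are PowerShell's own
    # metadata properties, not registry values).
    $autoruns = foreach ($key in $RunKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {
                    [PSCustomObject]@{ Kind = 'Autorun'; Id = "$key\$($p.Name)"; Detail = $p.Value }
                }
            }
        }
    }
    # Processes keyed by image path with the image hash as detail, so a
    # replaced binary shows up as a change even if the name is familiar.
    $procs = Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.Path -ErrorAction SilentlyContinue).Hash
        [PSCustomObject]@{ Kind = 'Process'; Id = $_.Path; Detail = $hash }
    } | Sort-Object Id -Unique
    @($autoruns) + @($procs)
}

function Save-Baseline {
    param([string]$Path)   # assumed path, e.g. C:\baseline.json
    ConvertTo-Json -InputObject @(Get-SystemSnapshot) | Set-Content -Path $Path
}

function Compare-Baseline {
    param([string]$Path)
    $baseline = Get-Content -Raw -Path $Path | ConvertFrom-Json
    # '=>' marks records present now but absent (or different) in the baseline.
    Compare-Object -ReferenceObject $baseline -DifferenceObject (Get-SystemSnapshot) -Property Kind, Id, Detail |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Kind, Id, Detail
}

# Usage: Save-Baseline -Path C:\baseline.json   (on the clean machine)
#        Compare-Baseline -Path C:\baseline.json (later, to list what is new)
```

Anything the comparison reports still needs the manual judgement the article describes; the script only narrows the list of processes and startup entries worth investigating.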
Malware removal tools
A large number of tools out there are great at detecting malware --
and usually those same tools can prevent it from infecting a
computer in the first place. But far fewer tools can completely
remove an embedded piece of malcode.
For removal, you often need to rely on tools that root out
malware by scanning your system for anomalies like foreign
processes, altered registry settings and corrupt files. Once the
tool finds and identifies a piece of malware, there are usually
manual instructions available for wiping its presence from a
computer -- often that information comes from security companies or
even blogs, user groups or independent security professionals.
Of course, some malware is so insidious that it cannot be
completely removed from an infected system. In those cases, the
only recourse is to reinstall the OS. And that makes the subject of
chapter three of this guide, prevention, that much more
important.