How to quickly discover Windows viruses without external tools
After several years of incident response work, I thought it would be useful to summarize a methodology for quickly determining whether a computer is infected with Trojans or other malware. It is obviously not always that simple, but I have found that in almost all unsophisticated attacks the infection shows up in one of the places below. If you run through these checks, you can find the infection and remove it quickly. All of them can be done from an administrative command prompt using tools already built into Windows.
1. WMIC Startup Items
Windows already ships with a very powerful tool, WMIC, which makes it easy to list startup items for your investigation. Open a command prompt and enter wmic startup list full. This is a real example; guess which entry does not belong. Is it the one running from a Local\Temp folder? Yes. If you know what should be in the list and where entries normally live, you can usually stop right here, since the odd one out is easy to spot. Find the program, search for its hash on malwr.com or VirusTotal to see whether it has been seen infecting other systems, and then remove it.
2. DNS Cache
Open a command prompt and enter ipconfig /displaydns. Check whether any unfamiliar sites show up among the cached entries. Search VirusTotal or similar services for the domain names and the IP addresses they resolved to, and see whether any malware samples are associated with them. If so, you are most likely infected. Here is an example:
3. WMIC Process List
This is another popular WMIC query. Enter wmic process list full | more, or, for a more compact (but wider) output, wmic process get description,processid,parentprocessid,commandline /format:csv. Look for anything running from an unusual location, or for programs with random-looking or suspicious names.
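An added example, not from the original post, of automating the "unusual location" check over the CSV output of the process query above. It parses a constructed sample of that output and flags processes started from user-writable directories, plus Windows system binary names running outside the Windows directory. The sample output, the directory list and the assumption that fields are CSV-quoted are all assumptions.

```python
import csv
import re

# Constructed sample of `wmic process get description,processid,parentprocessid,commandline /format:csv`.
# WMIC emits a leading blank line, prepends a Node column and orders columns alphabetically.
# Assumption: fields containing quotes are CSV-escaped (real WMIC output may need cleaning first).
SAMPLE_WMIC_CSV = '''
Node,CommandLine,Description,ParentProcessId,ProcessId
WS01,C:\\Windows\\Explorer.EXE,explorer.exe,612,1840
WS01,"""C:\\Program Files\\Mozilla Firefox\\firefox.exe""",firefox.exe,1840,2208
WS01,C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe -k netsvcs,svchost.exe,1840,3320
WS01,C:\\Windows\\System32\\svchost.exe -k netsvcs,svchost.exe,612,904
WS01,C:\\Users\\bob\\AppData\\Roaming\\xkq8d2.exe,xkq8d2.exe,3320,3412
'''

# Directories legitimate software rarely runs from (hypothetical list, extend as needed).
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|Roaming|Downloads|Public|ProgramData)\\", re.IGNORECASE)

# Binary names that should only ever live under %SystemRoot%.
SYSTEM_ONLY = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def parse_wmic_csv(text):
    """Parse WMIC /format:csv output into dicts, skipping the leading blank line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))


def exe_path(commandline):
    """Return the executable path from a command line, honouring a quoted first token."""
    cl = commandline.strip()
    if cl.startswith('"'):
        return cl[1:cl.find('"', 1)]
    return cl.split(" ", 1)[0]


def suspicious_processes(text):
    """Return (pid, reason, path) for every process that trips a heuristic."""
    hits = []
    for row in parse_wmic_csv(text):
        path = exe_path(row["CommandLine"])
        name = path.rsplit("\\", 1)[-1].lower()
        if SUSPICIOUS_DIRS.search(path):
            hits.append((row["ProcessId"], "user-writable directory", path))
        elif name in SYSTEM_ONLY and not path.lower().startswith("c:\\windows\\"):
            hits.append((row["ProcessId"], "system binary name outside Windows dir", path))
    return hits


if __name__ == "__main__":
    for pid, reason, path in suspicious_processes(SAMPLE_WMIC_CSV):
        print(f"PID {pid}: {reason}: {path}")
```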
4. WMIC Service List
If you do not know what you are looking for, this one can be harder to use. Still, malware is often easy to spot by its path or executable name. The syntax is similar to the others, and you can also use a more specific "get" form. Enter wmic service list full | more, or wmic service get name,processid,startmode,state,status,pathname /format:csv. Here is a small example showing only the service name and path.
5. WMIC Job List
This is the check least likely to turn anything up, since the vast majority of malware does not use scheduled jobs, but some variants such as MPlug are easy to detect here. Enter wmic job list full. If you get back "No Instance(s) Available.", no scheduled jobs are defined.
6. Netstat
Do not forget the basics. The output of netstat -abno may take some searching through to tell whether a remote IP address belongs to Google or to stealyourbanknumber.su. Even so, you can still spot strange remote ports, such as 25, 8080 and 6667.
The netstat switches used are:
-a: displays all connections and listening ports.
-b: displays the executable involved in creating each connection or listening port.
-n: displays addresses and port numbers in numerical form.
-o: displays the owning process ID associated with each connection.
7. Batch File Version
How can we run these WMIC checks in a simple, repeatable way and produce a report? Put everything in a batch file and take the host name as a parameter. You can even use it across the whole network: given the appropriate permissions on the other computers, it works for remote triage.
This script writes everything to an HTML report, starting with basic information about the computer:
rem Usage: triage.bat HOSTNAME   (writes c:\triage-HOSTNAME.html)
rem Basic system information (starts a new report file)
wmic /node:%1 computersystem get model,name,username,domain /format:htable > c:\triage-%1.html
rem Startup items
wmic /node:%1 startup list full /format:htable >> c:\triage-%1.html
rem Running processes
wmic /node:%1 process get description,processid,parentprocessid,commandline /format:htable >> c:\triage-%1.html
rem Services
wmic /node:%1 service get name,processid,startmode,state,status,pathname /format:htable >> c:\triage-%1.html
rem Scheduled jobs
wmic /node:%1 job list full /format:htable >> c:\triage-%1.html