How to quickly discover Windows viruses without external tools

Source: Internet
Author: User

After several years of incident response work I have found it worthwhile to write down a short methodology for deciding quickly whether a machine is infected with a Trojan or other malware. It is obviously not foolproof, but in almost every unsophisticated intrusion the infection shows up in one of the places below, and a few minutes with these checks usually finds it so that it can be removed. Everything here runs from an elevated Command Prompt (right-click, Run as administrator) using tools that ship with Windows.

1. WMIC Startup Items

Windows already ships a powerful tool for this, WMIC, and listing every startup item with it takes one line. Open a command prompt and enter:

wmic startup list full

Compare the output with what you expect on that machine. The screenshot that accompanied the original article is not reproduced here, but the odd one out in it was an entry launching from a Local\Temp folder. Once you know what normally belongs in the list and where those programs normally live, the outlier tends to stand out immediately. Locate the file, compute its hash (certutil -hashfile <file> SHA256 works without any extra tools), and search the hash on malwr.com or VirusTotal to see whether it is a known sample, then remove it.

2. DNS Cache

Open a command prompt and enter:

ipconfig /displaydns

Scan the cached names for anything that does not belong on that machine, and look up both the domain and the IP address it resolved to on VirusTotal or a similar service to see whether malware samples are associated with them. A match is a strong sign of infection. Keep in mind that the resolver cache only holds unexpired entries from recent lookups; a reboot or ipconfig /flushdns empties it, so an empty or clean cache proves nothing on its own. (The example output from the original article is not reproduced here.)

3. WMIC Process List

This is another staple of WMIC. Enter either the verbose form:

wmic process list full | more

or the more compact but wider CSV form:

wmic process get description,processid,parentprocessid,commandline /format:csv

Look for anything running from an unusual location, anything with a random-looking name, and, using the parent process ID, anything launched by a process that has no business launching it.

4. WMIC Service List

This one is harder to use if you do not know what you are looking for, but malware that installs itself as a service is still easy to spot by its path or executable name. The syntax follows the same pattern as the others, with a full listing or a narrower "get" form:

wmic service list full | more

wmic service get name,processid,startmode,state,status,pathname /format:csv

The original article illustrated this with a screenshot showing only the service name and path; it is not reproduced here.

5. WMIC Job List

This is the check least likely to turn anything up, because the vast majority of malware does not use jobs, but the few families that do (MPlug, for example) are easy to catch here. Enter:

wmic job list full

A reply of "No Instance(s) Available." means no jobs are scheduled. One caveat: this class only covers jobs created with the old AT command. Tasks created through Task Scheduler or schtasks do not appear in it, so also run schtasks /query /fo LIST /v and read the "Task To Run" lines with the same eye for odd paths.
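The following PowerShell script is an added example, not code from the original article. It automates the eyeballing that sections 1, 3 and 4 describe: it reads the same startup, process and service data through the CIM cmdlets (WMIC is deprecated in current Windows releases; the classes are identical), reduces each entry to its executable path, flags paths that legitimate software rarely uses, and hashes each flagged file so the SHA-256 can be pasted into VirusTotal. The user-writable location patterns and the list of System32-only binary names are my assumptions and should be tuned to your environment.

```powershell
# Added example, not part of the original article. PowerShell 5.1 or later,
# run from an elevated prompt. It pulls the same data the article reads by
# eye (startup items, processes, services), reduces each entry to its
# executable path, flags paths that legitimate software rarely uses, and
# hashes the flagged files so the SHA-256 can be searched on VirusTotal.

# ASSUMPTION: user-writable places an autostart, service or process image
# should not normally live. Adjust for your environment.
$UserWritable = '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Users\\Public\\|\\Temp\\|\\ProgramData\\[^\\]+\\|\\\$Recycle\.Bin\\'

# ASSUMPTION: core Windows binaries that belong only in System32/SysWOW64;
# the same file name anywhere else is a classic masquerade.
$SystemOnly = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
              'services.exe', 'smss.exe', 'wininit.exe'

function Get-ImagePath {
    # Reduce  "C:\x\a.exe" -k arg   or   C:\x\a.exe -svc   to  C:\x\a.exe
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl[0] -eq '"') {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-PathReasons {
    param([string]$Path)
    if (-not $Path) { return }            # protected/system processes expose no path
    if ($Path -match $UserWritable) { 'runs from a user-writable location' }
    $leaf = [IO.Path]::GetFileName($Path)
    if ($SystemOnly -contains $leaf -and $Path -notmatch '\\Windows\\(System32|SysWOW64)\\') {
        'system binary name outside System32'
    }
}

$entries = @()
$entries += Get-CimInstance Win32_StartupCommand | ForEach-Object {
    [pscustomobject]@{ Source = 'Startup'; Name = $_.Name; Path = Get-ImagePath $_.Command }
}
$entries += Get-CimInstance Win32_Process | ForEach-Object {
    [pscustomobject]@{ Source = 'Process'; Name = "$($_.Name) pid=$($_.ProcessId) ppid=$($_.ParentProcessId)"; Path = $_.ExecutablePath }
}
$entries += Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = "$($_.Name) [$($_.State), $($_.StartMode)]"; Path = Get-ImagePath $_.PathName }
}

# Hash and check the Authenticode signature once per distinct file.
$fileInfo = @{}
foreach ($p in ($entries.Path | Where-Object { $_ } | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $fileInfo[$p] = [pscustomobject]@{
            Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $p).Status
        }
    }
}

$findings = foreach ($e in $entries) {
    $reasons = @(Get-PathReasons $e.Path)
    $info = if ($e.Path) { $fileInfo[$e.Path] }
    # Unsigned images outside the Windows directory deserve a look; the Windows
    # directory itself is skipped only to keep the list short.
    if ($info -and $info.Signature -ne 'Valid' -and $e.Path -notmatch '^[A-Za-z]:\\Windows\\') {
        $reasons += "signature status $($info.Signature)"
    }
    if ($reasons.Count -gt 0) {
        $sha = if ($info) { $info.Sha256 } else { '(file not found)' }
        [pscustomobject]@{
            Source = $e.Source; Name = $e.Name; Path = $e.Path
            Reason = $reasons -join '; '
            SHA256 = $sha
        }
    }
}
$findings | Sort-Object Source, Path | Format-Table -AutoSize -Wrap
```

Run it as .\Find-OddImages.ps1 from an elevated prompt. An empty table does not mean the host is clean, only that nothing tripped these particular heuristics; an entry whose path could not be resolved (startup commands using %windir%-style variables, for instance) shows "(file not found)" and still needs a manual look.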

6. Netstat

Do not forget the basics. Run netstat -abno; the -b switch, which names the executable behind each connection, only works from an elevated prompt. The output is long enough that you may need to search through it, but it still surfaces odd external destinations and unusual remote ports such as 25, 8080 or 6667, and it makes the difference between an IP address that belongs to Google and one that belongs to stealyourbanknumber.su easy to chase down.

The netstat switches used here:

-a  Display all connections and listening ports
-b  Display the executable involved in creating each connection or listening port
-n  Display addresses and port numbers in numeric form
-o  Display the owning process ID associated with each connection
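The script below is an added example, not part of the original article. It covers the DNS cache check from section 2 and the netstat check above in one pass, attaching the owning image path to each TCP connection the way netstat -b does and sorting flagged rows to the top. The known-good domain list and the watched-port list are my assumptions (25, 8080 and 6667 are the article's examples; 4444 is a common reverse-shell default) and exist only to cut noise.

```powershell
# Added example, not part of the original article. Covers the DNS cache
# (section 2) and netstat (section 6) checks with the owning process
# attached to each connection. Needs Windows 8 / Server 2012 or later for
# Get-DnsClientCache and Get-NetTCPConnection, and an elevated prompt so
# Get-Process can see every image path.

# ASSUMPTION: domains you treat as known-good on this host; everything
# else is listed for manual review and VirusTotal lookup.
$KnownGood = 'microsoft.com', 'windowsupdate.com', 'msftconnecttest.com', 'google.com'
# ASSUMPTION: remote ports worth a second look; 25/8080/6667 come from the
# article, 4444 is a common reverse-shell default.
$WatchPorts = 25, 8080, 6667, 4444

function Test-KnownDomain([string]$Name) {
    $n = $Name.TrimEnd('.')
    foreach ($d in $KnownGood) {
        if ($n -eq $d -or $n.EndsWith(".$d", 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

function Test-LocalOrPrivate([string]$Ip) {
    # Loopback, link-local, RFC 1918 and unspecified addresses are not "external".
    return $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'
}

# --- DNS cache: recent lookups that are not on the allow-list ---
$dnsReview = Get-DnsClientCache |
    Where-Object { $_.Data -and -not (Test-KnownDomain $_.Entry) } |
    Select-Object Entry, Name, Data, TimeToLive |
    Sort-Object Entry
'== DNS cache entries to review (search both name and IP on VirusTotal) =='
$dnsReview | Format-Table -AutoSize

# --- TCP: what netstat -abno shows, with the image path resolved per PID ---
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[$_.Id] = $_ }

$conns = Get-NetTCPConnection |
    Where-Object { $_.State -eq 'Listen' -or
                  ($_.State -eq 'Established' -and -not (Test-LocalOrPrivate $_.RemoteAddress)) } |
    ForEach-Object {
        $p = $procByPid[[int]$_.OwningProcess]
        $image = if ($p -and $p.Path) { $p.Path } else { '(unknown)' }
        $flag = if ($_.RemotePort -in $WatchPorts) { 'watched port' }
                elseif ($image -ne '(unknown)' -and $image -notmatch '\\(Windows|Program Files( \(x86\))?)\\') { 'image outside Windows/Program Files' }
                else { '' }
        [pscustomobject]@{
            State  = $_.State
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            PID    = $_.OwningProcess
            Image  = $image
            Flag   = $flag
        }
    }
'== TCP connections (flagged rows first) =='
$conns | Sort-Object { $_.Flag -eq '' }, Remote | Format-Table -AutoSize
```

Connections to private or loopback addresses are dropped from the established list deliberately, since the article's concern is external sites; remove the Test-LocalOrPrivate clause if lateral movement inside the network is also in scope.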

7. Batch File Version

Is there a simple, repeatable way to run all of these WMIC checks and produce a report? There is: put them in a batch file that takes a host name as its parameter. With suitable credentials (local administrator on the target) the same script works across the network, because /node: runs each query against a remote machine.

The script below writes its output as HTML tables, starting with basic information about the machine it was run against:

@echo off
rem Usage: triage.cmd HOSTNAME   (run from an elevated prompt; the account
rem needs local administrator rights on the target for the /node: queries)
wmic /node:%1 computersystem get model,name,username,domain /format:htable > c:\triage-%1.html
wmic /node:%1 startup list full /format:htable >> c:\triage-%1.html
wmic /node:%1 process get description,processid,parentprocessid,commandline /format:htable >> c:\triage-%1.html
wmic /node:%1 service get name,processid,startmode,state,status,pathname /format:htable >> c:\triage-%1.html
wmic /node:%1 job list full /format:htable >> c:\triage-%1.html
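As an added example (not the article's own script), here is the same report generator written in PowerShell, which matters now that WMIC is deprecated. It reads the same WMI classes from a remote host over DCOM, the transport wmic /node: uses, adds the Task Scheduler tasks that Win32_ScheduledJob misses, and writes one HTML file per host. The output directory, the script name and the assumption that you hold local administrator rights on the target with RPC/DCOM reachable are mine.

```powershell
# Added example, not part of the original article: a PowerShell version of
# the batch file above. It reads the same WMI classes from a remote host
# over DCOM (the transport wmic /node: uses) and writes one HTML report
# per host. ASSUMPTION: you are a local administrator on the target and
# RPC/DCOM (TCP 135 plus dynamic ports) is reachable. Save as Get-Triage.ps1.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$OutDir = 'C:\'        # matches the batch file's c:\triage-HOST.html
)

$session = New-CimSession -ComputerName $ComputerName -SessionOption (New-CimSessionOption -Protocol Dcom)
try {
    # Small helper so each section is a one-liner; $session is visible inside it.
    $q = { param($Class, $Namespace = 'root\cimv2')
           Get-CimInstance -CimSession $session -Namespace $Namespace -ClassName $Class -ErrorAction SilentlyContinue }

    $sections = [ordered]@{
        'Computer system' = & $q Win32_ComputerSystem | Select-Object Model, Name, UserName, Domain
        'Startup items'   = & $q Win32_StartupCommand | Select-Object Name, Command, Location, User
        'Processes'       = & $q Win32_Process        | Select-Object Description, ProcessId, ParentProcessId, CommandLine
        'Services'        = & $q Win32_Service        | Select-Object Name, ProcessId, StartMode, State, Status, PathName
        'AT jobs'         = & $q Win32_ScheduledJob   | Select-Object JobId, Command, StartTime, Owner
        # Win32_ScheduledJob covers at.exe jobs only; Task Scheduler tasks live in
        # their own namespace (Windows 8 / Server 2012 and later).
        'Scheduled tasks' = & $q MSFT_ScheduledTask 'root\Microsoft\Windows\TaskScheduler' |
                            Select-Object TaskName, TaskPath, State
    }

    $body = foreach ($title in $sections.Keys) {
        "<h2>$title</h2>"
        if ($sections[$title]) { $sections[$title] | ConvertTo-Html -Fragment } else { '<p>(no instances)</p>' }
    }
    $out = Join-Path $OutDir "triage-$ComputerName.html"
    ConvertTo-Html -Title "Triage: $ComputerName" -Body ($body -join "`n") | Set-Content -Path $out -Encoding UTF8
    "Report written to $out"
}
finally {
    Remove-CimSession $session
}
```

Usage: .\Get-Triage.ps1 -ComputerName HOST. To sweep a list of machines, pipe host names through ForEach-Object and call the script once per name; each run produces its own triage-HOST.html that can be diffed against a report from a known-clean build.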
