Kill dangerous processes

Discussion in 'NOD32 version 2 Forum' started by fosius, Oct 16, 2004.

Thread Status:
Not open for further replies.
  1. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I have a good idea. It would be great if NOD were able to delete worms or clean viruses (which are running in memory) from the PC without a restart. NOD would just detect it, kill its process, and delete or clean the file. What do you think about it?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Agreed; I don't know if it is possible, but at least NOD32 could advise that the process has been killed and that your system now requires a reboot.

    Cheers :D
     
  3. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Maybe this will help. Can you say BSOD? ;)

    Infected DLLs can be hard to clean from the system because applications map these files from the disk to memory, and you can't modify these files once they load. Whereas you can boot an infected Win9x machine from a clean system diskette, it's much more complicated when you're using WinXP, Win2000 or NT with NTFS. In these situations, you need to use utilities such as NTFSDOS that can boot the system for write access. Windows System File Checker (SFC) will fix the modified system components automatically. To use SFC, type sfc.exe from the command prompt. SFC is not a virus security feature, but it helps reduce the risk of spreading viruses under WinXP and Win2000.

    Virus writers have written several Win32 viruses that attack kernel32.dll, which most PE applications load and use to access the most important Win32 API set, such as file functions. These viruses work by patching the export address of one exported API (e.g., GetFileAttributesA) to point into the virus code that the virus has appended to the end of the DLL image. Because 32-bit DLLs use the PE file format, virus writers can easily infect this type of file. These viruses can be per-process resident (i.e., the viruses run actively as part of a process or several processes). As a result, each process that uses kernel32.dll, which is any process that uses the basic Win32 file functions and directory functions, links to the virus code. The infected DLL attaches to every program that has kernel32.dll imports. Whenever the application calls the API with the attached virus code, the virus code gets control in the address space of the infected application.

    Every system DLL contains a pre-calculated checksum that the linker places in the DLL's PE header. Unlike Win95, NT recalculates this checksum before it loads DLLs and drivers. If the calculated checksum doesn't match the checksum in the DLL's header, the system loader stops with an error message at the blue screen during system boot. However, this doesn't mean that a virus writer can't implement such a virus for NT. The Win32/Heretic virus was the first of its kind to implement proper kernel32.dll infection. As a result, the virus ran on NT. The Win32/Kriz virus also uses this method and the CIH damage routine, but the damage routine doesn't work under NT because the virus runs in Ring3 (user mode).

     
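The two mechanisms the quoted article describes, the PE header checksum that the NT loader recomputes and the export-address patch that redirects an API such as GetFileAttributesA into code appended to the DLL, as an added example that is not part of the original post, of NOD32, or of the quoted article. The checksum routine is the Imagehlp-style algorithm (the one tools such as pefile implement); all field offsets follow the PE/COFF specification. build_dll() constructs a tiny, non-loadable 32-bit DLL for the demo, and infect() simulates the appended-code-plus-patched-export infection with a NOP payload; every function name here is the example's own.

```python
# Added example for this thread (not NOD32 code and not the quoted article's).
# Recomputes the PE header checksum the quoted text describes, and walks the
# export table to flag an export redirected outside the DLL's code section.
import struct

EXECUTE = 0x20000000                        # IMAGE_SCN_MEM_EXECUTE
def u32(d, o): return struct.unpack_from("<I", d, o)[0]
def u16(d, o): return struct.unpack_from("<H", d, o)[0]
def opt_hdr(d): return u32(d, 0x3C) + 24    # file offset of IMAGE_OPTIONAL_HEADER

def pe_checksum(data: bytes) -> int:
    """One's-complement sum of every dword except the CheckSum field itself,
    folded to 16 bits, plus the file length (Imagehlp CheckSumMappedFile style)."""
    skip = opt_hdr(data) + 0x40             # OptionalHeader.CheckSum
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != skip:
            total += u32(padded, off)
            if total >= 1 << 32:            # fold the carry back in
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def checksum_ok(data: bytes) -> bool:
    """The comparison the quoted text says the NT loader makes before loading."""
    return u32(data, opt_hdr(data) + 0x40) == pe_checksum(data)

def set_checksum(data: bytes) -> bytes:
    """Store the correct checksum, as the linker (or a careful virus) does."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, opt_hdr(data) + 0x40, pe_checksum(data))
    return bytes(buf)

def sections(data):
    """[(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)]"""
    nt = u32(data, 0x3C)
    base = nt + 24 + u16(data, nt + 20)     # section table follows the optional header
    return [struct.unpack_from("<IIII", data, base + 40 * i + 8) + (u32(data, base + 40 * i + 36),)
            for i in range(u16(data, nt + 6))]

def rva_to_off(secs, rva):
    for vsize, va, rawsize, rawptr, _ in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} lies in no section")

def exports(data):
    """{name: rva} from the export directory (data directory entry 0)."""
    secs = sections(data)
    d = rva_to_off(secs, u32(data, opt_hdr(data) + 0x60))
    nnames, fns, names, ords = struct.unpack_from("<IIII", data, d + 24)
    fns, names, ords = (rva_to_off(secs, x) for x in (fns, names, ords))
    result = {}
    for i in range(nnames):
        off = rva_to_off(secs, u32(data, names + 4 * i))
        name = data[off:data.index(b"\0", off)].decode()
        result[name] = u32(data, fns + 4 * u16(data, ords + 2 * i))
    return result

def suspicious_exports(data):
    """Exports whose address lies outside every executable section's VirtualSize,
    i.e. pointing into code appended past what the linker produced."""
    secs = sections(data)
    return [n for n, rva in exports(data).items()
            if not any(va <= rva < va + vs and ch & EXECUTE for vs, va, _, _, ch in secs)]

def build_dll() -> bytes:
    """Constructed minimal 32-bit DLL: one .text section exporting one function."""
    va, raw, size, opt = 0x1000, 0x200, 0x200, 0x58
    body = bytearray(size)                  # .text contents, mapped at RVA 0x1000
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, va + 0x60, 1, 1, 1,
                     va + 0x28, va + 0x2C, va + 0x30)          # IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<IIH", body, 0x28, va + 0x80, va + 0x40, 0)  # func RVA, name RVA, ordinal
    body[0x40:0x53], body[0x60:0x6D] = b"GetFileAttributesA\0", b"kernel32.dll\0"
    body[0x80:0x83] = b"\x31\xc0\xc3"       # xor eax,eax ; ret
    hdr = bytearray(raw)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    struct.pack_into("<H", hdr, opt, 0x10B)  # PE32 magic
    struct.pack_into("<III", hdr, opt + 28, 0x10000000, 0x1000, 0x200)  # base, alignments
    struct.pack_into("<II", hdr, opt + 56, 0x2000, raw)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 68, 2)                  # Subsystem
    struct.pack_into("<III", hdr, opt + 92, 16, va, 0x40)     # 16 dirs; export dir RVA/size
    sec = opt + 224                         # first IMAGE_SECTION_HEADER
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, size, va, size, raw)
    struct.pack_into("<I", hdr, sec + 36, 0x60000020)         # CODE | EXECUTE | READ
    return set_checksum(bytes(hdr + body))

def infect(data: bytes, payload: bytes) -> bytes:
    """Simulate the infection the quoted text describes: append code after the
    last section and point the first export at it (payload here is just NOPs)."""
    secs = sections(data)
    _, va, _, rawptr, _ = secs[-1]
    d = rva_to_off(secs, u32(data, opt_hdr(data) + 0x60))
    fn_table = rva_to_off(secs, u32(data, d + 28))          # AddressOfFunctions
    buf = bytearray(data) + bytearray(payload)
    struct.pack_into("<I", buf, fn_table, va + (len(data) - rawptr))  # RVA of the tail
    return bytes(buf)
```

Running checksum_ok() on the simulated infection fails, which is the boot-time check the article credits NT with; running set_checksum() on it afterwards makes that check pass again, which is the "proper" infection the article attributes to Win32/Heretic, while suspicious_exports() still reports GetFileAttributesA because its address now points past the .text section's VirtualSize. Real kernel32.dll has many exports and several sections, but the same two checks apply unchanged.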
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    ROFLMAO, well there we have it :D

    Cheers :D
     
  5. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Wouldn't using something like RegRun or SSM help to protect against this?

    Ruben
     