Saturday, February 07, 2009

Inside an infected laptop

A non-techy friend of mine had bought a laptop 2 months back. As he wasn't aware of installing the OS and software etc., I installed all the required software for him. Just after 2 months, last week, he complained saying "nothing" works. He said that the computer is saying 'you are at risk', 'your system lacks security', 'the winamp is not playing' etc., etc., He was even worried that the speaker is blown up. I got the laptop back from him to set it right for him.

As I am not a service engineer (who would have formatted the laptop right away and installed everything fresh), I wanted to discover each and every portion of the problem before I recover the laptop. I wanted to have some real-time experience on an infected machine. It was actually funny to see each trojan and worm's behavior.

The laptop boots and the desktop starts to come up. There is no welcome music -- the sound card driver is gone for a toss. The (fake) Windows security center pops up saying 'Your computer is not running an anti-virus and might be at risk'. Then, I get a popup saying 'your computer is infected, do you want to scan for viruses'. The program calls itself 'Internet Antivirus Pro' and presumes the user is an idiot. Without the user's permission it starts scanning the computer (yes, everytime the user logs in). The funny part is that, the software doesn't bother to read the files at all while scanning. It was clear from the hard-disk usage that no files were read. The software managed to scan thousands of files in less than a minute. One smart thing it did to make the user believe was to really pickup some files from the user's Documents and Settings folder, so it looks as though they were real scans. When you know what it is doing, it is just funny -- but if you are a non-techy user there is no surprise that you would panic. At the end the software asks 'do you want to clean these viruses?'. If you say yes, it takes you directly to a payment site and you will be billed for nothing. Uhh!!

As I was looking at the billing page for any identity, I could see the Internet Explorer's title bar saying -- "Internet Explorer -- hacked by xyz" (I don't remember the exact name). Aha! The next one. Having known that it is possible to change the IE's title bar in registry, I searched for scripts with the appropriate registry key path (maybe not, I don't want to publish the path here) and hurray! I managed to get hold of the script. Thankfully it was a script and not a binary. The script had successfully managed to propagate itself to all the drives and into the \WINDOWS folder. The script spreads itself through autorun.inf in Windows (autorun.inf seems to create more problems than it solves). Whenever you double-click on a drive, the autorun.inf (if any) on that drive's root folder gets executed. This is the heart of this worm. It copies itself into all other drives, specially looking for any flash disks connected to the computer and replicates. In addition, this script registers itself with Windows to get executed on startup. So anytime, you start the computer with any removable drive, it gets infected too. This worm was later identified as 'VBS:Solow-L (worm)' by avast!.

The last one is the sound card issue. I believe this is also caused by the IAPro worm that I had discussed earlier. A close look at the device manager revealed that the sound card is powered by a device driver which is not digitally signed by anyone; and the publisher name seems to say "unknown". The driver was smart enough to claim that it supports the sound card's device instance id so that windows loads this same driver every time -- even if I uninstall/reinstall the hardware or disable/enable the sound card. I had to rollback to the earlier driver to make it work.

There was no other visible sign on the laptop that needed to be addressed although there were many other resident viruses/worms. Just installed avast! and it found around 20+ viruses spread out in around 520 files. It isn't surprising me now that a laptop was infected with so many viruses in such a short-time. I think with a little promising note, any website can make an average non-techy user to install their software and get control of their machine. Even a simple popup in the browser stating 'Your computer is infected, do you want to scan for viruses' might do the trick. No wonder phishing has become so easy and common. Lack of fundamental exposure is the issue here, but the users cannot be that easily blamed for their ignorance. After all this isn't their cup of tea. Hmm, computer is a complicated device to understand but a life without it is becoming inevitable in this modern era. Using a computer with no understanding is starting to be dangerous when connected to the Internet!!

Whatever it is, I enjoyed the exercise :)


  1. interesting that you did find so many stuff.. unfortunately when i was reading this here, one of my teammate usage of my office laptop has got in tooo many spywares into it :-(((( and the bloody Mcafee scanner doesn't seems to find it yet the IT support guys at client site have been running it for the past 6/7 hours and yet to complete :-((( my whole day is lost when there's so much work to do :-(( , what a timing that i read this post :-)

  2. hope you recover your laptop safe, all the best :)