Virus Fighting

Recently, a customer called me to solve a virus problem. The virus W32.ElKern.4926 had attacked the whole office, and almost all the Windows 2000 systems had been infected. The company had purchased Symantec's Norton AntiVirus Corporate Edition (NAVCE) and deployed the software to all the systems, but the problem remained.

After I researched the virus and visited Symantec's Web site, I decided to run a full scan in safe mode. The virus attacks executable files—running a scan in safe mode minimizes the number of files the OS opens.

I started with one of the network servers. I took the server offline, started the system in safe mode, and ran the full system scan. The scan was successful; NAVCE caught and cleaned all the instances of the virus on the system. But when I tried to use the same method on other systems, the scan failed. NAVCE found several infected files that the software couldn't clean—such as services.exe, which is required even in safe mode. When I restarted the systems, the virus repopulated because services.exe starts before the NAVCE services start.

I came up with two solutions. First, I could take the infected hard disk to a clean system and perform the full scan on that system. Second, I could install a second copy of Win2K on a system and scan the infected partition. Both methods are similar to using an MS-DOS startup disk to scan Windows 9x for viruses. As long as you don't wake up the OS, you can clear viruses from the infected system files. I didn't use the first method because cleaning up the whole office one hard disk at a time would have taken too long.

I decided to use the second method—that is, running the scan from a second OS installation on a system. Using Sysprep with disk-imaging software wipes personal data from the D drive, and Microsoft Remote Installation Services (RIS) must be on the C drive. Thus, I used the unattended Win2K installation method to deploy the second copy of Win2K in the D drive. I created a shared i386 folder, a shared folder for a silent NAVCE installation package, and an answer file that automatically installs NAVCE when the system boots up. Listing 1 shows Unattend.txt, which is the answer file to install Win2K automatically. Install.cmd, which Listing 2 shows, contains the command to run the Win2K setup with the answer file—i.e., Unattend.txt. (For information about creating a silent installation package, go to http://service1.symantec.com/support/ent-security.nsf/3d2a1f71c5a003348525680f006426be/e689b7512d1b2a4888256a9c0078b4c0?opendocument.) Finally, I configured all the systems to scan only the C drive. NAVCE caught and cleaned all the viruses because the infected files such as services.exe weren't in use. During scanning, the virus occasionally tried to attack files in the D drive, but NAVCE's File System Realtime Protection stopped the virus.

Next, I restarted all the systems in the original Win2K installation and ran the full system scan. Again, NAVCE cleared all the viruses.

Finally, I logged on to the original Win2K installation and created the simple Visual Basic (VB) script that Listing 3, page 16, shows to delete the D drive directories winnt, program files, and documents and settings; delete the second OS installation's pagefile; and modify the boot.ini file on the boot partition. The entire process took almost all night to run.

As an additional note, when I was trying to clean the viruses, I disabled NAVCE's quarantine feature. By default, NAVCE will quarantine an infected file if the software can't clean the file. The quarantine is at %ALLUSERPROFILE%Application DataSymantecNorton AntiVirus Corporate Editionversion numberQuarantine. I disabled this feature because the quarantined files took up 2GB of disk space on some of the systems.

—Tan Jian Bo
[email protected]