Viruses and Trojans cannot be completely invisible in the process list; they always leave clues there. Therefore, the most direct way to detect viruses manually is to check the active processes in the system. But how can we differentiate a normal process from a Trojan process?
If a virus does exist in the system but you cannot find a strange process in the "Task Manager", the virus is using some technique to stay invisible to users. Basically, the following three methods exist:
1. By default, svchost.exe, explorer.exe, iexplore.exe and winlogon.exe are normal system processes. However, you may find processes such as svch0st.exe, explore.exe, iexplorer.exe, winlogin.exe, etc. Do you see the difference? This is a trick frequently used by viruses to confuse users' eyes. For example, iexplore.exe and explorer.exe are easily confused, and one more iexplorer.exe brings even more confusion. If a user is not careful enough, the virus process may be completely ignored.
2. What if a user is more observant? Viruses have learned to be smarter too. If a process bears the name svchost.exe, identical to the normal system process, can we be sure it is safe? The answer is no. It may simply be exploiting the deficiency that the "Task Manager" does not show the executable file behind a process. We know that the executable file of svchost.exe is located in C:\WINDOWS\system32. If a virus dropped itself into C:\WINDOWS\ under the name svchost.exe, we would only see one more svchost.exe process in the "Task Manager". Could you identify which one is the virus process?
3. Apart from the above two methods, viruses have an ultimate technique: DLL injection. The virus's DLL files are injected into normal system processes. In this case, users cannot find any suspicious process, yet the system processes are under the virus's control. Finding such viruses manually is extremely difficult unless we get help from professional detection tools.
System processes demystified
svchost.exe
This is a system process belonging to the Microsoft Windows operating system which hosts services implemented as DLLs. This program is important for the stable and secure running of your computer and should not be terminated. We can open Control Panel -> Administrative Tools -> Services, double-click the Alerter service, and find that its executable file path is C:\WINDOWS\system32\svchost.exe -k LocalService, while the executable file path of the Server service is C:\WINDOWS\system32\svchost.exe -k netsvcs. Running services in this way saves a lot of system resources, which is why we find several svchost.exe processes in Task Manager. In fact, they are just the system services. However, if you find more than six svchost.exe processes in your system, you must be careful and check whether a virus exists, especially if the executable file of a svchost.exe is NOT located in C:\WINDOWS\system32.
explorer.exe
This process is the Windows Explorer. By default it starts together with the system. If you find that its executable file path is not C:\Windows, you must pay attention to it.
iexplore.exe
It is a process generated by Microsoft Internet Explorer. It is located in C:\Program Files\Internet Explorer\. Unless you moved it manually, finding this file in another directory could mean it is a virus. Sometimes the iexplore.exe process exists in the system even though we have not run IE; in that case either 1. a virus is running under the name iexplore.exe, or 2. a virus is secretly doing bad things through iexplore.exe in the background. In this situation, we recommend using antivirus software to scan your computer.
rundll32.exe
This process executes DLLs and loads them into memory so that they can be used more efficiently by applications. This program is important for the stable and secure running of your computer and should not be terminated. It is located in C:\Windows\system32; if it is found anywhere else, it is a virus.
spoolsv.exe
This is a Microsoft Windows system executable which handles the printing process (the print spooler). This process is not critical to the running of the system. In particular, if you do not have any printer devices, you should stop this service to save system resources.
In general, if we find a suspicious process, carefully checking its name and executable file path will certainly expose an ordinary virus.
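The following PowerShell script is an added example, not code from the original article, that applies the three checks above (look-alike names, a genuine name running from the wrong directory, and DLLs injected into a system process) together with the expected-path table from the process descriptions to the live process list. The function names, the expected-directory table built from $env:SystemRoot and $env:ProgramFiles, and the edit-distance threshold of two are assumptions made for this example.

```powershell
# Added example, not part of the original article. Triage script that applies the
# article's checks to the running process list. Function names, the expected-directory
# table and the edit-distance threshold are assumptions made for this example.

# Expected home directory for each system process named in the article.
# $env:SystemRoot normally expands to C:\Windows.
$Expected = @{
    'svchost.exe'  = "$env:SystemRoot\System32"
    'explorer.exe' = "$env:SystemRoot"
    'iexplore.exe' = "$env:ProgramFiles\Internet Explorer"
    'rundll32.exe' = "$env:SystemRoot\System32"
    'spoolsv.exe'  = "$env:SystemRoot\System32"
    'winlogon.exe' = "$env:SystemRoot\System32"
}

# Levenshtein edit distance, used to catch svch0st / explore / iexplorer / winlogin.
function Get-EditDistance {
    param([string]$A, [string]$B)
    $A = $A.ToLower(); $B = $B.ToLower()
    $d = New-Object 'int[,]' ($A.Length + 1), ($B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

# Method 3 helper: DLLs a process has loaded from outside the Windows and Program Files
# trees. Needs at least the target's privilege level and a PowerShell of the same bitness
# as the target; processes we cannot open yield an empty list instead of an error.
function Get-ForeignModules {
    param([int]$ProcessId)
    try {
        (Get-Process -Id $ProcessId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -notlike "$env:SystemRoot\*" -and
                           $_.FileName -notlike "$env:ProgramFiles\*" } |
            Select-Object ModuleName, FileName
    } catch { @() }
}

$Findings = @(foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $name = $p.Name.ToLower()
    $path = $p.ExecutablePath            # $null for protected processes we cannot open
    $dir  = if ($path) { Split-Path -Path $path -Parent } else { $null }

    if ($Expected.ContainsKey($name)) {
        # Method 2: genuine name, but the image lives elsewhere (e.g. C:\Windows\svchost.exe).
        # String comparison is case-insensitive in PowerShell, so C:\WINDOWS matches C:\Windows.
        if ($dir -and $dir -ne $Expected[$name]) {
            [pscustomobject]@{ Check = 'WrongDirectory'; Name = $p.Name; ProcessId = $p.ProcessId; Detail = $path }
        }
        # Method 3: modules loaded from outside the system trees deserve a manual look.
        foreach ($m in Get-ForeignModules -ProcessId $p.ProcessId) {
            [pscustomobject]@{ Check = 'ForeignDll'; Name = $p.Name; ProcessId = $p.ProcessId; Detail = $m.FileName }
        }
    } else {
        # Method 1: a name within one or two edits of a known system process name.
        # Distance 1 is a strong signal; distance 2 needs a human look.
        foreach ($known in $Expected.Keys) {
            $dist = Get-EditDistance $name $known
            if ($dist -ge 1 -and $dist -le 2) {
                [pscustomobject]@{ Check = "LookAlike($known, d=$dist)"; Name = $p.Name; ProcessId = $p.ProcessId; Detail = $path }
            }
        }
    }
})

# The article's rule of thumb: more than six svchost.exe instances deserves a second look.
$SvchostCount = @(Get-CimInstance -ClassName Win32_Process -Filter "Name='svchost.exe'").Count
if ($SvchostCount -gt 6) {
    $Findings += [pscustomobject]@{ Check = 'ManySvchost'; Name = 'svchost.exe'; ProcessId = $null; Detail = "$SvchostCount instances" }
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that ExecutablePath and module lists are readable for system processes. Two caveats apply when you adapt it: on 64-bit Windows a 32-bit iexplore.exe lives under Program Files (x86), so the expected-directory table needs a second entry there; and the "more than six svchost.exe" threshold comes from the article's Windows XP era, whereas Windows 10 and later deliberately run most services in their own svchost.exe instance on machines with enough memory, so dozens of instances are normal there and only the directory and module checks remain meaningful.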