Questions about computer viruses

I have seen a few new threads about various viruses (including my own thread about the Klez virus).

My questions are the following…

  1. How does the virus write to your hard drive and make itself impossible to delete (or, in some instances, even see)? I found the offending virus file that was hosing my system, but I could not shut the executable down or delete the executable file. In fact, I couldn’t even SEE the file, even though I knew where it was by searching the registry.

  2. This virus also made it impossible for me to delete any keys from the registry that pertained to it. How does it get “superuser” or “admin” access to make itself so difficult to remove?

  3. The antivirus software also has the ability to access these files so it can delete the virus. Again, why can’t I delete it on my own?

  4. Finally, what purpose does the virus serve? Are there sociological reasons why a person would write a virus in the first place? Other than being an annoyance, or to be a malicious prick intending to sabotage a stranger’s system, are there any theories out there that would cause someone to write a virus? Are there viruses out there that send personal info on your hard drive out to the world? The Klez virus seemed to suck up my computer’s resources, making it very hard to do anything on it. What kind of person gets his/her jollies on that?

Thanks,
Max

>What kind of person gets his/her jollies on that?

The kind with too much free time on their hands, like most of the tech support people in the world who are usually playing rather than teching.

Instead of writing viruses destructive to the general user, why don’t these admittedly bright people write programs that will detect spam, track it down, and screw up the computer and original ISP that generated it? Bingo! Instant millionaire.

  1. You can’t delete the file because the program is running; Windows never lets you delete or move a running program (this is a good thing – otherwise the program will crash). Most viruses set themselves up to run at startup, so they can’t be deleted once Windows starts. You can delete them if you boot to DOS, boot into safe mode (sometimes), or if you get a virus cleaning program (there are programs for specific viruses at http://www.sarc.com and http://www.antivirus.com). The cleaning program removed the virus from your registry so it doesn’t run on startup. Then it can be deleted (though the program will also do that).

The virus can also make itself a hidden file, and can keep itself from showing up when you hit CTRL-ALT-Del.

  2&3. Never heard of this (what version of Windows are you using?). Usually you can delete any key (that’s why fooling around with the registry is so dangerous).

Unix has let the user delete files that are in use, even executables, since the 70s, without the program crashing. This is because it doesn’t actually delete the file until all inodes referencing the file have been released. I’m not sure why Microsoft can’t do something similar.

Of course, Sun managed to fsck things up with NFS. Last I checked, it was still Broken As Designed.

Viruses gain full privileges on your system by exploiting certain security flaws, usually some variant of buffer overflow.

Because Windows is not Unix, and it doesn’t do services or threads the same way. Neither did OS/2, although it was almost Unix-like.

We know that Windows is not Unix. The question is why reinvent the wheel, except in this case, they begot a square wheel?

RealityChuck,

I’m using NT. The fact that I couldn’t delete things from the registry is what made me very concerned. I went to antivirus.com and ran the housecall. This seemed to do the trick, including deleting the offending keys from the registry. Again, both the virus and the antidote were able to access areas of my computer that I couldn’t get to.

Very strange. And a bit spooky.

Max,

Accessing some registry keys is protected by a privilege known as localsystem. Most user tasks (including your own logon) do not have this privilege, unless you log on as Administrator, which you should not do unless you’re actually administering.

System tasks (“services” in NT) can run with this privilege, giving them access to the whole system. Check out the Services icon in Control Panel, and look at the properties of any service. There is a radio button group offering the alternatives of running as LocalSystem account, or an account of your choosing. Your virus checker most probably runs with the localsystem privilege (which also opens it up to exploitation by “bad” code - see Slashdot today).
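An added example, not from the thread, of inspecting the two things Marcus describes (which account each service runs as, and who the registry ACL lets delete startup keys) from PowerShell on a current Windows system; NT 4 predates PowerShell, but the service-account and registry-ACL model is the same, and the `Run` key path used below is the standard one:

```powershell
# Added example: audit service logon accounts and the ACL on the startup
# "Run" key that viruses such as Klez use to launch at boot.
# Run in an elevated PowerShell session on Windows.

# 1. Services and the account they run as (the "Log On As" column of the
#    Services tool).  Win32_Service.StartName holds the account name;
#    LocalSystem is the one with access to the whole machine.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName

$asSystem = @($services | Where-Object { $_.StartName -eq 'LocalSystem' })
Write-Host ("{0} of {1} services run as LocalSystem" -f $asSystem.Count, $services.Count)

# Auto-start LocalSystem services whose binary lives outside the Windows
# directory are the ones worth a second look during incident response.
$systemRootPattern = '^"?' + [regex]::Escape($env:SystemRoot)
$asSystem |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch $systemRootPattern } |
    Format-Table Name, State, PathName -AutoSize

# 2. The startup key.  Its ACL explains why an ordinary logon could not
#    delete the virus's entries: full control is granted to SYSTEM and
#    Administrators, while Users normally get read access only.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$acl = Get-Acl -Path $runKey
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# 3. What is currently registered to start at boot, so a suspicious entry
#    can be compared against the service list above.
Get-ItemProperty -Path $runKey |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

A virus scanner running as LocalSystem passes the same ACL check that the virus's own service passes, which is why both could reach keys the interactive user could not.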

Marcus,

Forgive me, but I am a bit confused. Are you saying that I would be able to work as an “administrator” even if I don’t have the privilege? I went to the Services icon as you suggested; however, I did not see a radio button group offering the alternatives you mentioned. Perhaps I’m looking in the wrong place.

Each NT machine has a bunch of user accounts - “real” users and some built-in accounts such as Administrator and Guest. You can log in as these users if you know the password. Presumably you log in as, say, Max now, and type your password. Instead you could log in as Administrator, and type the Administrator password. This would give you access to the whole machine - you could do anything.

You’re looking in the right place - once you’ve double-clicked the Services icon you’ll see a list of services, starting with (IIRC) Alerter. Double-click on one of these to see the properties, including the account that the service runs as.