Dealing with a stubborn virus

I have talked before about Sophos and how wonderful it has been to use. It ran into a virus yesterday and it took some time to resolve it.

The problem was a class of virus called Command & Control. These are more sophisticated viruses that send information back to an internet-connected server. It might be screen captures, or specific data. The problem is that this is a custom virus that can’t be immediately fixed. Here is how I went about fixing it.

First I googled to find the most information I could about the error message. I found a couple of Sophos library references that were not helpful. I also read about a similar virus, since often you can use the steps for one for another. The similar virus wasn’t acting like this. I think it might be helpful if I wrote it out in numbered form.

Dealing with an unknown Virus

  1. Google to find as much information as you can about it. If no information exists, search for the generic class of virus.
  2. Try additional free utilities. In my case I tried 3 utilities that a website said would fix an earlier generic form of the virus. Two of them didn’t help, but Malwarebytes found things and deleted them.
  3. Download utilities from Sysinternals such as Autoruns and RegDelNull. These help you see if there are any processes that don’t look normal. If you don’t understand everything in these tools that is ok; you are looking for a lack of information in the places where other entries show information. Autoruns also helpfully highlights in yellow and red the issues that demand your attention. After running these tools, they showed that there weren’t any issues.
  4. Do additional full scans after trying each fix. If one problem exists, it might coexist with other problems. In this case, the scan found a similar problem and was able to fix it automatically. Run a deep scan at least 3 times to make sure it is ok.
  5. Delete the generic warning error in Sophos once Sophos tech support has confirmed there is no virus. If Sophos finds it again, it will alert you as the administrator with an email.
  6. Explain to the client what happened and how to prevent the error in the future. Often the error couldn’t have been avoided on a Windows system, so you can still suggest using a Mac if they want to avoid these problems in the future.
  7. Sit back and enjoy being able to figure out complex things quickly, and be happy you thwarted an illegal attempt.
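Step 3 above is the manual version of a simple heuristic: an autostart entry with no description, no publisher, an unverified signature, or an image that lives somewhere a user can write to stands out against the well-described, signed entries around it. The script below, added here as an illustration and not part of the original post or of the Sysinternals tools, applies that heuristic to a CSV export such as the one `autorunsc -c` produces. The column names (`Entry`, `Description`, `Signer`, `Company`, `Image Path`) and the `(Verified)` / `(Not verified)` signer prefixes are assumptions about the export format; check the header of your own export before relying on them. The sample rows are constructed, not taken from a real machine.

```python
import csv
import io

# Constructed sample in the shape of an Autoruns CSV export. The column names
# are an assumption about the export format; verify them against a real export.
SAMPLE_EXPORT = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,user,,(Not verified),,c:\users\user\appdata\roaming\updater\updater.exe,c:\users\user\appdata\roaming\updater\updater.exe -s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,MissingTool,enabled,Logon,System-wide,,,,File not found: c:\tools\missing.exe,c:\tools\missing.exe
Task Scheduler,Adobe Acrobat Update Task,enabled,Tasks,System-wide,Adobe Acrobat Update Task,(Verified) Adobe Inc.,Adobe Inc.,c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe,c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
"""

# Directories that ordinary users can write to; legitimate autostarts rarely
# live here, so an entry launching from one deserves a second look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_autoruns_csv(text):
    """Parse the export into a list of dicts, one per autostart entry."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def suspicious_reasons(entry):
    """Return the list of 'missing information' signals for one entry.

    An empty list means the entry looks like its well-documented neighbours.
    """
    reasons = []
    if not entry.get("Description", "").strip():
        reasons.append("no description")
    if not entry.get("Company", "").strip():
        reasons.append("no company/publisher")
    # Assumption: Autoruns prefixes verified signatures with "(Verified)".
    if not entry.get("Signer", "").strip().startswith("(Verified)"):
        reasons.append("signature not verified")
    path = entry.get("Image Path", "").strip().lower()
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable directory")
    # Assumption: a missing binary is reported as "File not found: <path>".
    if path.startswith("file not found"):
        reasons.append("image file missing")
    return reasons


def triage(text):
    """Map each flagged entry name to the reasons it was flagged."""
    findings = {}
    for entry in parse_autoruns_csv(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry["Entry"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"{name}: {', '.join(reasons)}")
```

Running it against the constructed sample flags `Updater` (unsigned, undocumented, launching from a roaming profile) and `MissingTool` (a Run key pointing at a binary that no longer exists) while leaving the signed Microsoft and Adobe entries alone; on a real export the flagged list is the short list worth researching with step 1.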