Finding The Source

There are a few situations in which malware keeps "coming back". One common cause is a not-yet-detected component of the malware still present on the system (usually referred to as a "dropper" or "downloader"). The fact that BitDefender blocked the "dropped" or "downloaded" malware means that the machine is protected with very high probability, since the sole purpose of a dropper or downloader is usually to create a new executable and launch it, an action which BD blocks. The repeated popups are annoying nonetheless, and they indicate that the component which (re)creates the file is still running. To find out which file (re)creates a certain file, do the following:


  1. Download the free Process Monitor utility from Microsoft (Sysinternals)
  2. Extract the archive
  3. Launch Procmon.exe
  4. If it is the first time you use Process Monitor, you are presented with the license agreement, which you must read and accept before you can use the tool. You must also have administrative privileges on the system, since Process Monitor loads a kernel driver to capture events
  5. Press Ctrl+L, or choose Filter... from the Filter menu
  6. Select Path in the first drop-down and contains in the second, then enter a representative portion of the filename or registry key (see the note below on how to choose the condition in more complicated cases). Make sure that the last drop-down says Include, press Add, then OK.
  7. Now delete the file and watch the list for an entry whose Operation column says WriteFile (if it is a file) or RegSetValue (if it is a registry key).
  8. Double-click such an entry and select the second tab (Process) in the dialog. There you can see the full path of the executable that wrote the file. Please submit that executable to us for further analysis. If the path points to a legitimate Windows binary (for example rundll32.exe or svchost.exe), the malicious code is probably in a DLL loaded by that process or was injected into it; in that case also note the Command Line shown on the same tab and look through the Modules list for a DLL in an unusual location.


Note:


Sometimes the created files have random names each time. If you encounter such a situation, you can still narrow the list by adding two rules at the 6th step: one with the path of the directory (for example C:\Windows\System32) and one with the extension (for example .exe). Be aware that Process Monitor ORs include rules that apply to the same column, so these two rules show every event whose path is under the system directory or ends in .exe, not only the events matching both; all randomly named executables will be in the list, but so will other events. To narrow it further, add an include rule on a different column, for instance Operation is WriteFile, which is ANDed with the Path rules. Another approach is to set no filter at all, wait for the infected file to reappear, then use Ctrl+F (the Find command) to search for references to this file and look for the entries which have WriteFile in the Operation column.
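As an added example (not part of the original post), the same question can be answered from a Process Monitor CSV export with a PowerShell script, which also lets you apply the directory and extension conditions from the note as a real AND instead of the OR that two Path rules give you in the GUI. The Procmon command-line switches used in the comments are real; the file paths are hypothetical, the column names are assumed to be Procmon's default export columns, and the trace used for the demonstration is constructed, not a real capture.

```powershell
# Added example, not code from the original post. It post-processes a Process Monitor
# CSV export to find which process wrote (or re-created) a given file or registry value.
# Column names follow Procmon's default export ("Time of Day","Process Name","PID",
# "Operation","Path","Result","Detail"); "Image Path" is only present if that column was
# enabled (Options > Select Columns) before saving. Paths below are hypothetical.
#
# Capture and export (run as Administrator, since Procmon loads a driver):
#   .\Procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\Temp\trace.pml /Runtime 120
#   .\Procmon.exe /OpenLog C:\Temp\trace.pml /SaveAs C:\Temp\trace.csv

function Find-FileWriter {
    param(
        [Parameter(Mandatory)] [string]$CsvPath,
        [Parameter(Mandatory)] [string]$PathFragment,   # directory, file name or registry key fragment
        [string]$Extension,                              # optional: additionally require e.g. '.exe'
        # Operations that create or modify the target; these are the two the post tells you to look for.
        [string[]]$Operations = @('WriteFile', 'RegSetValue')
    )

    # Unlike two Path include rules in the GUI, both path conditions here must hold (AND).
    $hits = Import-Csv -LiteralPath $CsvPath | Where-Object {
        $_.Path.IndexOf($PathFragment, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 -and
        (-not $Extension -or $_.Path.EndsWith($Extension, [System.StringComparison]::OrdinalIgnoreCase)) -and
        $Operations -contains $_.Operation
    }

    # One summary row per writing process: this is what the Process tab shows you per event.
    $hits | Group-Object -Property 'Process Name', 'PID' | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            ProcessName = $first.'Process Name'
            PID         = [int]$first.PID
            Events      = $_.Count
            Operations  = ($_.Group.Operation | Sort-Object -Unique) -join ', '
            Targets     = ($_.Group.Path | Sort-Object -Unique) -join '; '
            FirstSeen   = $first.'Time of Day'
            # The executable to submit for analysis, when that column was exported.
            ImagePath   = if ($first.PSObject.Properties['Image Path']) { $first.'Image Path' } else { '(Image Path column not exported)' }
        }
    }
}

# Constructed sample trace (not a real capture), in Procmon's CSV layout. The process and
# file names are made up: "updchk.exe" plays the undetected dropper, "xk3f9a.exe" the
# randomly named file it keeps re-creating.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","svchost.exe","812","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 824"
"10:00:02.0000000","updchk.exe","4120","CreateFile","C:\Windows\System32\xk3f9a.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:02.1000000","updchk.exe","4120","WriteFile","C:\Windows\System32\xk3f9a.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:00:02.2000000","updchk.exe","4120","WriteFile","C:\Windows\System32\xk3f9a.exe","SUCCESS","Offset: 65,536, Length: 12,288"
"10:00:03.0000000","updchk.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk3f9a","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\Windows\System32\xk3f9a.exe"
"10:00:05.0000000","explorer.exe","2044","QueryBasicInformationFile","C:\Windows\System32\xk3f9a.exe","SUCCESS","CreationTime: 10:00:02"
'@
$csv = Join-Path $env:TEMP 'procmon-sample.csv'
Set-Content -LiteralPath $csv -Value $sample

# The "random file name" case: anything written under System32 AND ending in .exe.
Find-FileWriter -CsvPath $csv -PathFragment 'C:\Windows\System32' -Extension '.exe' | Format-Table -AutoSize

# The registry case: which process set the autostart value?
Find-FileWriter -CsvPath $csv -PathFragment '\CurrentVersion\Run\' | Format-Table -AutoSize
```

On the sample both queries point at updchk.exe (PID 4120): two WriteFile events on the dropped executable and one RegSetValue on the Run key. One caveat when running this on a real export: a dropper that writes to a temporary file and then renames it into place produces a SetRenameInformationFile event in which the Path column holds the temporary name and the final name only appears in the Detail column (as "FileName: ..."), so if a filtered search on the final name turns up no WriteFile, search the Detail column for it as well.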
