LiveDeviL's Lab.

Most of us have heard about computer virus, computer worms, or trojans. They are simply a (usually) small sized computer program, specially designed to damage other people’s systems. Once this virus or worm successfully infects a system, it will try to spread out to other systems to create greater damages. They corrupt files, slows down the system, clone themselves as much as possible, steal data or password, etc. Scary! Millions of losses have been caused by these malwares. In this article, I’d like to share my tips and tricks to help preventing your system from getting infected, or worse, damaged by these malwares.

Malwares evolutes rapidly every day. They got more and more features to get more success rate infecting the target systems. The creators of these malwares also find more and more creative ways to increase the chance to spread around their malwares. One of them, is to trick users with little knowledge of computer systems. The trick is by arming their malwares with the innocent look. Yes, they made them looks like the files or directory people would click everyday. They will try to mime many common files found in everybody’s computer, ie. image files, spreadsheet files, directories or folders, etc. All by simply using the same icon the system used to display our files or directories. If people clicked these “innocent looked” malwares, then they are going to be executed in the system. Which will trigger the infection. But what if we can identify these impostors just by looking at them? It would be cool right? Errr… no?

Malware characteristics to keep in mind

There are some points we must remember to prevent ourselves from being deceived by these kind of malwares.

• They will only mime the look of common files in order to deceive more victims. They will not use such as Autocad project file’s icon or 3D Max file’s icon. For simple reason, the number of computers with Microsoft Excel installed or computers with jpg files are much more than computers with Autocad’s or 3D Max’s file. Therefore, the target victims will be much more by using common daily file’s icons, such as image’s icons, or directory icon.
• When the system has been infected, they usually hide the real files or folders, and replace them with their clones. So people will click them without knowing that they are not the real folder or files. Thus creating even more sever infections.

The philosophy

There is a saying that says, “Preventing is better than recovering”. This is very true. By preventing the malwares from infecting our system, we will save ourselves from the trouble fixing an infected system. Not forgetting the trouble of losing our important data. So here is my trick to help you identify malwares amongst your files and directories.

The idea

The idea is separating the look of these malware. As I said earlier above, these malware tries to make themselves looks the same as our common real files or directories. So we are going to reverse the method by making our common files or directories different from the default ones. Which will make you say, “Ah ha! Gotcha! I can see you…”

Step by step how to

• Set the folder options to show all hidden files and directories in Windows XP

  1. Open My Computer
  2. Click View, then click Details
     
  3. Click Tools, then click Folder Options
     
  4. Click View tab, tick the “Show hidden files and folders”, uncheck the “Hide extensions for known file types”, uncheck the “Hide protected operating system files (Recommended)”, Click Apply, Click Apply to All Folders, and finally click OK.
     
  5. Now you can see the hidden files and directories, including the operating system files. Be careful not to move and or delete any of these operating system files and folders, as this will make your operating system to stop working. Be warned!
     

• Download,install, and setting iColorFolder

  1. Download iColorFolder and the additional skins (optional) here.

  2. Install iColorFolder simply by clicking next until it’s finished.

  3. Click start button, highlight All programs, highlight iColorFolder, and click on Skin selector
     

  4. Choose a skin of your choice, I choose Mac OS X.
     

  5. Notice how your real directories icon changed all across your windows explorer.
      

• Identify fake directories from the real ones just by looking at them

  • By now, we can just identify the fake directories (if any) in your hard disk or your memory card, simply by looking at them. See the picture below to get the idea.
    
    Before installing and setting the iColorFolder
    

    After setting Windows XP folder options, installing, and setting the iColorFolder

    Now I can easily spot the malware by looking at it’s icon. Since all my real directory icons have been changed into Mac OS X’s style, whenever I see an ugly yellow directory like icon in my drive or memory card, I can instantly tell that this is a malware that try to deceive me and delete this at once.

• Identify fake files from the real ones (again) just by looking at them

  • If you see the image above, there are malwares that tries to mime MS Excel’s icon, and even Windows XP default image icon. How to tell which is the fake one and which is not? We can answer this question by looking at the file extension, file type, and the file size. 
    

  • Real directories or folders will never show any size (always blank), while the impostor will have a size.

  • Typical common file impostor’s file types will be either Application, Screen saver, MS-DOS Application, Windows NT Command Script, or MS-DOS Batch File.

  • To change the image icons like the above picture, I simply install XnView and set to associate all the image file to be opened with it. This will change the default image icon to one given by XnView. Download XnView here.

• Remove the impostors

  • From this point, the malware removal will be much easier, since we can spot them instantly before they even attack our system. This can be done by deleting them right away. Of course if you have an updated Antivirus you can just scan the whole disk. But sometimes these malwares are so new that our Antivirus still don’t have any data of them. Therefore it can not detect these malwares. Or even worse there is no Antivirus installed on he system. Perhaps on your “noob” client’s system? This is where the method above comes handy.

Summary

We have learned how to analyze and identify the impostors by :

• Knowing the characteristics of the impostor.
• Counter attack the impostors by changing the majority real directory icons to a different one. Just like putting a spotlight right on their nose.
• Learning how to tell impostors which use other common file icons (other than default directory icon).

Conclusion

The very basic way to keep our system clean is to identify these malwares using this method. The sooner we identify the malwares, the easier and faster we can remove them. Because we already know who we’re dealing with. Hope this article would be useful for you.