How ransomware infects a Windows computer

In the event of a virus attack: How to save your PC

Thomas Joos, Michael Rupp & David Wolski

If a system is infected by viruses, Trojans or rootkits, you need to act quickly to assess and limit the damage. Antivirus tools are only one part of a sound security strategy; prevention matters more.


The theory of computer viruses is as old as the modern computer itself: the mathematician John von Neumann, after whom the von Neumann architecture of today's computers is named, speculated in his 1949 lectures on self-reproducing automata about the possibility of self-replicating programs. Such programs have indeed become constant companions of electronic data processing. While the first worms and viruses of the 1970s and 1980s were still proofs of concept or blindly destroyed data, the goals today are higher: taking over and controlling infected systems. A newer category of crimeware targets the data of private users directly: ransomware, also called blackmail or extortion Trojans, takes the system or the user's data hostage and demands a ransom via anonymised digital payment methods.

Extortion software is currently the star among malware. Private users and companies alike are increasingly hit by ransomware attacks, which are spreading further and causing more damage. The widely reported success of recent ransomware attacks on companies and hospitals, including in Germany, is likely to tempt even more cybercriminals to jump on this bandwagon.


Windows threat scenarios: Virus programs in flux

The typical route of infection is still user negligence. In addition, a very dangerous infection vector has gained ground in recent months: zero-day exploits, attacks on security holes in programs for which the vendor has not yet released a patch and which are actively exploited in the wild. In the worst case, merely visiting a compromised website is enough to get infected (a so-called drive-by download). For some time now the Adobe Flash browser plug-in has stood out as a particularly notorious gateway.

Malicious code has become too subtle and too varied for any single all-round tool to protect against it. The best defence against viruses and the like remains vigilance and timely updates of the operating system, applications and firmware (for example in Wi-Fi routers), together with precautions in the form of regular backups. Keep those backups on media that are not permanently connected to the PC, so that an extortion Trojan cannot encrypt them as well. This kind of protection, however, often depends on the user's cooperation, because updates are frequently not installed automatically.

If the virus scanner sounds the alarm on your Windows PC

Red alert: here the guard program has found a back door that a Windows rootkit planted in the system. A Windows reinstallation is due.

The usual situation with an infection is that the virus scanner or the resident virus monitor raises an alarm during a scan. Now it is important to act quickly. Not every kind of malicious code immediately produces clear signs of an attack on the system. Trojan horses, "Trojans" for short, generally want to take over a system as unobtrusively as possible. A back door set up this way, which in the worst case digs itself deep into Windows as a rootkit, has many ways of hiding until it is actively used. Hostile takeovers of this kind are harder to detect and call for regular checks with a virus scanner that runs independently of the installed Windows. Only scanners running in their own bootable live systems, which you will find on the DVD, can reliably detect rootkits (see box). In normal operation this advanced malware often betrays itself through unexplained system crashes, because malware authors make mistakes too and frequently rely on undocumented parts of the Windows API. Suspicion is also warranted if a previously stable Windows system suddenly suffers repeated crashes and error messages.

The virus check via the live DVD reveals, first, whether the system is infected at all and, if so, with which malware. Second, because the scanner runs outside of Windows, it also shows how many individual files on the system have been affected.

Eliminate viruses with the live system

An installed virus scanner such as Bitdefender Internet Security 2017 detects known malware but is often powerless once a rootkit is active. It is therefore advisable to scan the system from a live system at regular intervals, independently of the installed Windows. A control scan with a different antivirus program is also important whenever malware is found, to rule out a false positive. Use the PC-WELT emergency system version 5.6 with the ClamAV virus scanner and the Bitdefender Rescue CD with the Bitdefender engine. Both live systems are Linux-based and work independently of your Windows. Both require an Internet connection, because updating the virus definitions before a search is mandatory.

Independent virus check: since rootkits hide well in a running Windows system, a virus search from a live system is recommended, for example with ClamAV via the PC-WELT emergency system.

PC-WELT emergency system: mount the partitions to be checked using the "Mount hard disks" icon (the third icon from the left in the main bar) and tick the "Writable?" checkbox. Writable access is needed if the scanner is to delete or quarantine files; for a pure diagnosis, leaving the partition read-only preserves the evidence. Click the "Menu" icon at the top left and go to "Rescue Tools -> ClamAV". Confirm the virus signature update with "Yes" and wait for it to finish. You will then see the "Virus scan with ClamAV" window. The path "/media", which contains the mounted Windows partitions, is preset under "Directory to be scanned". The "With subdirectories" option is mandatory for a complete check of the drive. Click "Start Search" to begin.

Bitdefender Rescue CD: Bitdefender's live system is narrowly specialised and essentially provides only the virus scanner. After you confirm the terms of use, Bitdefender immediately updates the virus signatures online. Then start Bitdefender via the prominent B icon on the desktop and click "Scan now".
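The ClamAV scan from the emergency system can also be run from a terminal in the live system, which is handy for scripting repeat scans and for reading off which malware was found and in how many files. The following is an added example, not code from the PC-WELT emergency system or from ClamAV; it assumes the Windows partitions are already mounted under /media and that freshclam and clamscan are installed in the live system. The embedded SAMPLE_OUTPUT is constructed in clamscan's report format, with invented detection names and counts, so the parser can be tried offline.

```python
"""Command-line equivalent of the ClamAV live-system scan described above.

Added example; not part of the PC-WELT emergency system or of ClamAV itself.
Assumes the Windows partitions are already mounted under /media (as the GUI
steps do) and that freshclam and clamscan are installed in the live system.
SAMPLE_OUTPUT is constructed in clamscan's report format; the detection names
and counts in it are invented.
"""
import re
import shutil
import subprocess
from collections import Counter

SCAN_ROOT = "/media"             # mount point used by the emergency system
LOG_FILE = "/root/clamscan.log"  # assumption: any path writable in the live system

# One line per infected file: "<path>: <signature> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$", re.M)

SAMPLE_OUTPUT = """\
/media/sda2/Users/Alice/Downloads/invoice.exe: Win.Trojan.Agent-123456 FOUND
/media/sda2/Windows/Temp/setup.tmp: Win.Malware.Generic-7 FOUND
/media/sda2/Users/Alice/Downloads/invoice2.exe: Win.Trojan.Agent-123456 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Engine version: 0.103.8
Scanned directories: 1200
Scanned files: 45000
Infected files: 3
Data scanned: 2000.00 MB
Time: 600.000 sec (10 m 0 s)
"""


def build_scan_command(root=SCAN_ROOT, log=LOG_FILE):
    """Options matching the GUI scan: recurse into subdirectories, list only
    infected files, and keep a log that can be read back later under Windows."""
    return ["clamscan", "--recursive", "--infected", f"--log={log}", root]


def parse_scan_output(text):
    """Extract infected files with their signature names plus the summary block,
    i.e. which malware it is and how many files are affected."""
    hits = [(m["path"], m["sig"]) for m in HIT_RE.finditer(text)]
    summary = {}
    in_summary = False
    for line in text.splitlines():
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary and ": " in line:
            key, value = line.split(": ", 1)
            summary[key.strip()] = value.strip()
    return {
        "hits": hits,
        "infected": int(summary.get("Infected files", len(hits))),
        "by_signature": Counter(sig for _, sig in hits),
        "summary": summary,
    }


def run_scan(root=SCAN_ROOT, log=LOG_FILE):
    """Update signatures first (this needs the Internet connection the text
    mentions), then scan. Returns None when ClamAV is not installed, e.g. when
    run outside the live system."""
    if shutil.which("clamscan") is None:
        return None
    if shutil.which("freshclam") is not None:
        subprocess.run(["freshclam"], check=False)
    proc = subprocess.run(build_scan_command(root, log), capture_output=True, text=True)
    result = parse_scan_output(proc.stdout)
    result["exit_code"] = proc.returncode  # 0 clean, 1 infected files found, 2 error
    return result


if __name__ == "__main__":
    # Real scan inside the live system; falls back to the constructed sample elsewhere.
    report = run_scan() or parse_scan_output(SAMPLE_OUTPUT)
    print(f"infected files: {report['infected']}")
    for sig, count in report["by_signature"].most_common():
        print(f"  {sig}: {count} file(s)")
    for path, sig in report["hits"]:
        print(f"  {path} -> {sig}")
```

The signature counter is what answers the article's "which virus is it" question: several hits with the same name usually point to one dropped sample and its copies, while many different names suggest a downloader that has fetched further malware.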

Get certainty: Identification of the malware on your computer

Get a second opinion: you cannot rely solely on an antivirus program installed inside Windows. If an infection is suspected, an additional scan with a different program is necessary for a diagnosis.

In general it is advisable to start from the smallest plausible incident and narrow the problem down from there. A virus monitor's notification about a single file that has just been downloaded or copied to the computer from a USB drive or a network share does not, however, prove that this malware is already active. Whether the carrier file is still harmless, because it has never been executed, can be determined with a check from the live system:

1.
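A concrete way to carry out the "passive or already active?" check from the live system is to look on the mounted Windows partition for traces that the flagged file was ever run. The following is an added example, not from the PC-WELT article. It assumes the Windows system partition is mounted (for instance under /media/sda2) and that Prefetch is enabled, which is the default on Windows client editions. It checks two traces: a Prefetch entry NAME.EXE-<hash>.pf, which Windows writes the first time an executable runs, and references to the file name in the Startup folders or in the scheduled-task store. Registry Run keys are deliberately left out, because reading offline hives needs a parser outside the standard library. The miniature Windows tree built by build_sample_tree is constructed test data, not a real infection.

```python
"""Check from a live system whether a file flagged by the virus monitor was
ever executed on the mounted Windows installation, i.e. whether it is still
a passive carrier or already active.

Added example, not from the PC-WELT article. Assumptions: the Windows system
partition is mounted, e.g. under /media/sda2, and Prefetch is enabled (the
default on Windows client editions). Registry Run keys are not covered.
"""
import hashlib
import tempfile
from pathlib import Path

PREFETCH_DIR = "Windows/Prefetch"
TASK_DIR = "Windows/System32/Tasks"
STARTUP_DIRS = [
    "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup",
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
]


def sha256_of(path):
    """Hash the suspect so it can be looked up with a second scanner or vendor."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def prefetch_entries(windows_root, exe_name):
    """Prefetch files are named in upper case: INVOICE.EXE-1A2B3C4D.pf.
    One exists only if the executable has been started at least once."""
    prefix = exe_name.upper() + "-"
    pf_dir = Path(windows_root) / PREFETCH_DIR
    if not pf_dir.is_dir():
        return []
    return sorted(p.name for p in pf_dir.iterdir()
                  if p.name.upper().startswith(prefix) and p.suffix.lower() == ".pf")


def _mentions(path, exe_name):
    """Task XML is stored as UTF-16, startup scripts and shortcuts mostly as
    8-bit text, so look for the name in both encodings, case-insensitively."""
    try:
        data = Path(path).read_bytes().lower()
    except OSError:
        return False
    needle = exe_name.lower()
    return needle.encode() in data or needle.encode("utf-16-le") in data


def persistence_references(windows_root, exe_name):
    """Files in the Startup folders or the task store that name the suspect."""
    root = Path(windows_root)
    candidates = list(root.glob(f"{TASK_DIR}/**/*"))
    for pattern in STARTUP_DIRS:
        candidates.extend(root.glob(f"{pattern}/*"))
    return sorted(str(p.relative_to(root)) for p in candidates
                  if p.is_file() and (exe_name.lower() in p.name.lower()
                                      or _mentions(p, exe_name)))


def assess(windows_root, suspect_path):
    """Return the evidence found and a verdict: 'passive' when nothing shows the
    file ever ran, 'active' when execution or persistence traces exist."""
    exe_name = Path(suspect_path).name
    prefetch = prefetch_entries(windows_root, exe_name)
    refs = persistence_references(windows_root, exe_name)
    return {
        "file": str(suspect_path),
        "sha256": sha256_of(suspect_path),
        "prefetch": prefetch,
        "persistence": refs,
        "verdict": "active" if prefetch or refs else "passive",
    }


def build_sample_tree():
    """Constructed miniature Windows tree (not real forensic data) for running
    offline: one downloaded suspect that did run, and one untouched document."""
    root = Path(tempfile.mkdtemp(prefix="winroot-"))
    suspect = root / "Users/Alice/Downloads/invoice.exe"
    clean = root / "Users/Alice/Documents/notes.txt"
    task = root / TASK_DIR / "Updater"
    pf = root / PREFETCH_DIR / "INVOICE.EXE-1A2B3C4D.pf"
    for p in (suspect, clean, task, pf):
        p.parent.mkdir(parents=True, exist_ok=True)
    suspect.write_bytes(b"MZ" + b"\x00" * 62)  # stand-in for a PE file
    clean.write_bytes(b"")
    pf.write_bytes(b"MAM\x04")                  # stand-in Prefetch header
    task.write_bytes(("<?xml version=\"1.0\"?><Task><Actions><Exec><Command>"
                      "C:\\Users\\Alice\\Downloads\\invoice.exe</Command>"
                      "</Exec></Actions></Task>").encode("utf-16-le"))
    return root, suspect, clean


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. /media/sda2 /media/sda2/Users/Alice/Downloads/invoice.exe
        print(assess(sys.argv[1], sys.argv[2]))
    else:
        root, suspect, clean = build_sample_tree()
        print(assess(root, suspect))
        print(assess(root, clean))
```

A "passive" verdict only means these particular traces are absent; it is a reason to delete the carrier file and rescan, not proof that nothing else happened. An "active" verdict, on the other hand, is the point at which the article's advice to treat the Windows installation as compromised applies.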