myNetWatchman KnowledgeBase

myNetWatchman SecCheck

SecCheck is a Windows forensic tool which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses that may be unknowingly installed on your computer. There are two different versions of SecCheck available; please choose the one that best fits your situation/needs:

SecCheck Version 2 SCU (with binary upload): use for COMPREHENSIVE analysis

Download and run the following:

SecCheck SCU

This version is meant for computer novices that need the most help in identifying malware on their systems. This version automatically collects and sends forensic data and copies of any active program or module to the SecCheck analysis server. Upload time is minimized by only copying programs/modules which are not already contained in the SecCheck file repository; this then enables us to perform centralized virus scans of these files and return the results to you.

When the submission is done, a new SubmissionStatus browser window will be opened. Note: Virus scanning can take 3-5 minutes to complete, so you may need to refresh the page a couple of times until results are populated.

Removal Procedure:

See: mNW Disinfection Guide

If you would like help either interpreting the results or removing the malware, email the URL you receive to the mNW Support mailbox. We do NOT charge for assistance; as such, we can only help as time permits. Also, at this time we can only help end-users in the US or Canada that receive a myNetWatchman infection notice or who are referred here from an ISP abuse department for spam zombie issues.

IMPORTANT: when emailing for assistance, please forward a copy of the abuse notice you received along with a CONTACT PHONE NUMBER *and* the BEST TIME/DAYS to reach you when you can be in front of the infected system.

SecCheck Version 2 GUI (no binary upload): use for LIMITED analysis

Advanced users that prefer not to contribute active binaries to the file repository can use:

*New Build coming soon* SecCheckUI DOS

Click 'Do Check', then 'Submit results to mNW'. The SubmissionStatus page will include virus scan results, but only for files which we already have in our repository.

In addition to submitting the XML scan from above, you will probably also want to use the 'Do Text Check' option and save the results to a text file. This produces a human-readable version of the output (vs. XML), enabling it to be easily reviewed using a text editor (e.g. Notepad).

Important: If you prefer to only collect SecCheck data locally, then simply avoid using the 'Send Results to mNW' button. Just understand that all analysis will be up to you and we won't be able to provide any virus scan information.

Analyzing SecCheck results:

If you have a good background in Microsoft Windows, you can likely interpret some or all of the SecCheck output yourself. Here are some pointers:

  • Compare current connection activity with reported behavior (e.g. outgoing port scans)
  • Identify hostile application generating behavior
  • Locate how it's being started
  • Check for signs of backdoors/trojans
  • Identify startup method
Full Guide here

SecCheck Case Studies

The following are samples of SecCheck results submitted from real-life infected systems. These should give you an idea of the kinds of things to look for and show exactly how they manifest themselves in SecCheck output.

Agobot Variant - with multi-vulnerability scanner
Nachi/Welchia Infection
IRC Bot
Spam Bot - Simple
Spam Bot - Advanced
Ole McDonald Bot
Dameware Scanner

Here is what information SecCheck gathers from your system:

  • Currently active processes
  • Defined services
  • Startup folder items
  • Startup Registry Key contents
  • Applications listening for inbound connections
  • Applications with active network communications
  • Active Browser Helper objects (BHOs)
  • Installed ActiveX controls
  • Module dump (DLLs) for all active applications
  • SHA1 hashes for all active files (SC V2 only)
  • A copy of any active binary not already in SecCheck file repository (SC V2 w/upload only)
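As an added illustration (not SecCheck's own code), the following PowerShell script collects the same classes of host evidence listed above, so the output can be reviewed with the pointers from "Analyzing SecCheck results" in mind: what is running, how it starts, what is listening, and the SHA1 of every running image. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or later (for Get-NetTCPConnection) and an elevated session for full visibility; the report path is a constructed choice.

```powershell
# Added triage collector modelled on the SecCheck data list; not SecCheck itself.
# Assumes Windows PowerShell 5.1+, Windows 8/Server 2012+, run elevated.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup registry key contents: one row per value (name -> command line).
$startup = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $p = Get-ItemProperty -Path $k
        foreach ($n in $p.PSObject.Properties.Name) {
            # Skip the PS* provider metadata properties, keep real Run values.
            if ($n -notmatch '^PS') { [pscustomobject]@{ Key = $k; Name = $n; Command = $p.$n } }
        }
    }
}

# Startup folder items (per-user and all-users) as Windows reports them.
$startupItems = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User

# Defined services with binary paths; unexpected paths are the first thing to check.
$services = Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName

# Applications listening for inbound connections, mapped to owning process and image path.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess; Process = $proc.Name; Path = $proc.Path }
}

# Applications with active network communications (established TCP sessions).
$active = Get-NetTCPConnection -State Established |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess

# SHA1 of each distinct running executable, the value a file-repository lookup would key on.
$hashes = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Get-FileHash -Algorithm SHA1 -Path $_ -ErrorAction SilentlyContinue } |
    Select-Object Hash, Path

# Registered Browser Helper Objects (CLSIDs under the Explorer BHO key).
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = if (Test-Path $bhoKey) { Get-ChildItem $bhoKey | Select-Object PSChildName }

# Write one human-readable report (constructed path) for review in a text editor.
$report = "$env:TEMP\triage-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
@('== Startup registry ==', ($startup | Format-Table -AutoSize | Out-String),
  '== Startup folder ==',   ($startupItems | Format-Table -AutoSize | Out-String),
  '== Services ==',         ($services | Format-Table -AutoSize | Out-String),
  '== Listening ==',        ($listeners | Format-Table -AutoSize | Out-String),
  '== Established ==',      ($active | Format-Table -AutoSize | Out-String),
  '== BHOs ==',             ($bhos | Format-Table -AutoSize | Out-String),
  '== SHA1 of running images ==', ($hashes | Format-Table -AutoSize | Out-String)) | Set-Content -Path $report
Write-Host "Report written to $report"
```

Review the Listening and Startup sections against the Services and SHA1 sections: a listener whose image path is not a known service binary, or a Run value pointing at a user-writable directory, is the kind of finding the case studies above illustrate.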