myNetWatchman SecCheck
SecCheck is a Windows forensic tool which aids in the detection
and removal of malicious applications, backdoors, trojans,
worms, and viruses that may be unknowingly installed on your
computer. There are two different versions of SecCheck available; please
choose the one that best fits your situation and needs:
SecCheck Version 2 SCU (with binary upload): use for COMPREHENSIVE Analysis
Download and run the following:
SecCheck SCU
This version is meant for computer novices who need the most help in identifying
malware on their systems. It automatically collects and sends forensic data, plus copies
of any active program or module, to the SecCheck analysis server. Upload time is minimized
by copying only programs and modules that are not already contained in the SecCheck file repository;
this enables us to perform centralized virus scans of those files and return the results to you.
When the submission is done, a new SubmissionStatus browser window will be opened.
Note: Virus scanning can take 3-5 minutes to complete, so you may need to refresh the page a couple of times until
results are populated.
Removal Procedure:
See: mNW Disinfection Guide
If you would like help either interpreting the results or removing the malware, email the
URL you receive to the mNW Support mailbox.
We do NOT charge for assistance, so we can only help as time permits. Also, at this time
we can only help end users in the US or Canada who receive a myNetWatchman infection notice
or who are referred here by an ISP abuse department for spam zombie issues.
IMPORTANT:
When emailing for assistance, please forward a copy of the abuse notice you received along with
a CONTACT PHONE NUMBER *and* the BEST TIME/DAYS to reach you when you can be in front of the infected system.
SecCheck SCU Case: for Analysis of Multiple Computers
This version is meant for business/enterprise analysts and admins who are investigating
malware that may be on multiple systems. It is similar to SecCheck SCU, but also allows
scans of multiple systems to be grouped together by a unique case identifier.
SCU Case requires special configuration of an already-registered SecCheck account prior to use.
If you are interested in using SCU Case, please email the Support mailbox for more information.
If we have already configured your account, SCU Case can be downloaded here:
SecCheck SCU Case
SecCheck Version 2 GUI (no binary upload): use for LIMITED analysis
Advanced users who prefer not to contribute active binaries to the file repository can use:
SecCheckUI DOS
Click 'Do Check', then 'Submit results to mNW'. The SubmissionStatus page will include virus
scan results, but only for files that we already have in our repository.
In addition to submitting the XML scan from above, you will probably also want to use the
'Do Text Check' option and save the results to a text file.
This produces a human-readable version of the output (vs. XML), so it can be
easily reviewed in a text editor (e.g. Notepad).
Important: If you prefer to collect SecCheck data locally only, simply avoid using the 'Send Results to mNW' button; just
understand that all analysis will be up to you and we won't be able to provide any virus scan information.
Analyzing SecCheck results:
If you have a good background in Microsoft Windows, you can likely interpret some or all of
the SecCheck output yourself. Here are some pointers:
- Compare current connection activity with reported behavior (e.g. outgoing port scans)
- Identify hostile application generating behavior
- Locate how it's being started
- Check for signs of backdoors/trojans
- Identify startup method
Full Guide here
SecCheck Case Studies
The following are samples of SecCheck results submitted from
real-life infected systems. These should give you an idea
of the kinds of things to look for and show exactly how they
manifest themselves in SecCheck output.
Agobot Variant - with multi-vulnerability scanner
Nachi/Welchia Infection
IRC Bot
Spam Bot - Simple
Spam Bot - Advanced
Ole McDonald Bot
Dameware Scanner
Here is what information SecCheck gathers from your system:
- Currently active processes
- Defined services
- Startup folder items
- Startup Registry Key contents
- Applications listening for inbound connections
- Applications with active network communications
- Active Browser Helper objects (BHOs)
- Installed ActiveX controls
- Module dump (DLLs) for all active applications
- SHA1 hashes for all active files (SC V2 only)
- A copy of any active binary not already in SecCheck file repository (SC V2 w/upload only)
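The following PowerShell script is an added example, not SecCheck's own code: it gathers a subset of the artifacts listed above (active processes, listening/established TCP connections, Run-key and service startup entries, SHA1 hashes of the running images) and joins them per process, which is the correlation the analysis pointers above ask you to do by hand. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated shell so other users' processes are visible.

```powershell
# Added example (not SecCheck code). Assumes Windows 8+/Server 2012+ and an elevated shell.
# Index active processes by PID so each connection can be tied to its image path.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Startup methods: Run/RunOnce keys (HKLM and HKCU) plus non-disabled services.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startup = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Source = $k; Name = $name; Command = $key.GetValue($name) }
        }
    }
}
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -ne 'Disabled' }

# Connection activity: listeners and established sessions, joined to the owning process,
# its SHA1 hash, and any Run-key entry or service whose command names the same image.
$report = Get-NetTCPConnection |
    Where-Object { $_.State -in 'Listen', 'Established' } |
    ForEach-Object {
        $proc = $procs[[int]$_.OwningProcess]
        $path = $proc.ExecutablePath
        $sha1 = if ($path -and (Test-Path $path)) { (Get-FileHash -Path $path -Algorithm SHA1).Hash } else { $null }
        $via  = @()
        if ($path) {
            $leaf = [IO.Path]::GetFileName($path)
            $via = @($startup  | Where-Object { $_.Command  -like "*$leaf*" } | ForEach-Object { "Run: $($_.Name)" }) +
                   @($services | Where-Object { $_.PathName -like "*$leaf*" } | ForEach-Object { "Service: $($_.Name)" })
        }
        [pscustomobject]@{
            State      = $_.State
            LocalPort  = $_.LocalPort
            Remote     = if ($_.State -eq 'Established') { "$($_.RemoteAddress):$($_.RemotePort)" } else { '-' }
            PID        = $_.OwningProcess
            Image      = $path
            SHA1       = $sha1
            StartedVia = ($via -join '; ')
        }
    }

# Rows with an unexpected listener or outbound session, an unfamiliar image path, and a
# Run-key or service entry are the ones to compare against the reported behaviour first.
$report | Sort-Object State, LocalPort | Format-Table -AutoSize
```

Pipe `$report` to Export-Csv instead of Format-Table to keep a record alongside the SecCheck text output for later comparison.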