PE file infectors are some of the most damaging viruses you will come across. They work by adding a copy of themselves to executable files on a computer and/or remote source
Removing them can be very difficult. Please follow the steps below.
Sophos product and version
Sophos Anti-Virus for Windows 95/98
Sophos Anti-Virus for Windows 2000+
As briefly mentioned above PE infector viruses will add a copy of themselves into executable files, including (but not limited to) .exe and .scr. Once a computer becomes infected the virus can spread very quickly to other machines. The more computers are infected the harder it is to remove.
Generally what will happen is an unprotected computer will be infected by the virus. Once the infected files are run they will be running in memory and so will the virus. As it comes across the other executable files on the computer it will infect them as well.
Note: executable files will not be infected if write permissions are denied.
In a lot of large networks, some applications are run directly from the file servers. If an infected computer (Computer-Zero) attempts to run the remote files they will become infected. The next time a clean computer (Computer-One) runs that file, that file will be able to infect all of computer-One's files and any other remote files it comes into contact with.
Obviously on large networks such as the example above the virus would be able to spread very quickly. Please note that this also means any removable media will also be infected if plugged into a computer running the viral code.
Most Common Threats:
What to do
1. How widespread is the infection?
If you are using an Enterprise Console or Sophos Control Centre you will be able to see and generate infection reports of managed computers. Please note that if a computer has not been protected/managed by the Enterprise Console/Control Centre you will not know it's status. It is therefore very important to keep your computers protected and monitored.
2. Quarantine computers
Any computer with a PE infector-type virus should be disconnected from the network immediately to prevent further damage to the network. This includes servers as many clients will connect to servers and be at risk.
3. How infected are the computers?
Note: File infectors 'infect' files, so they will need to be disinfected, please ensure you do NOT use -remove or delete.
Generally there are 3 levels:
a) Infected files have been detected and reported in the Console, but when scanning no infected items are found - see 4a.
b) A few application files have become infected, but so far no important operating system (OS) or Sophos Anti-Virus (SAV) files have succumbed to the infection - see 4b.
c) The computer is fully infected, OS files and Sophos Anti-Virus files have been compromised - see 5a.
4. Cleaning up the computers with scenario 3a and 3b
This will depend on the level of infection (see step 3 above).
Log on as an administrator and perform the following on the infected computer(s), ensuring that you unplug them from the network before you start:
a) The computer has probably tried to access an infected file on a remote resource or removable media, however the on-access scanner has prevented access to the infected files. Open Sophos Anti-Virus and run 'Scan my computer' to ensure that the computer is clean.
b) Open Sophos Anti-Virus and clear the quarantine list (select All|Clear from list|Yes)
Click on the 'Home' button and then 'Scan my Computer'
Once the scan has fully completed go into the quarantine manager and click 'Cleanup' next to the detections
You may need to reboot to complete the cleanup
5. Cleaning up the computers with scenario 3c
You will need to use SAV32CLI within Safe Mode to disinfect the files. Safe Mode has less system and application files running, so cleanup of the files will be easier.
To create the SAV32CLI CD, please see the following article: Disinfecting PE executables using SAV32CLI. You will need to customise the scan slightly with the following:
Place the CD you made in the CD drive (D: in this example).
- At the command prompt type
to access the CD drive.
to move to the SAV32CLI directory.
- Then type:
SAV32CLI -PUA -EXCLUDE * -p=%TEMP%\SOPHOS_MEMLOG.TXT
to terminate running processes that are infected and create a log file of the scan in the %TEMP% directory.
- Press 'Y' when asked if you want to disinfect files.
If SAV32CLI comes across an infected file that is still running it will output something similar to below:
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe:pid:000014e8:file
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe:pid:000014e8\FILE:0000
You will need to open Task Manager or Process Explorer and end all of the running process mentioned in the SAV32CLI scan results. Once you have closed these running processes you will need to start the scan again with the following switches. SAV32CLI will now be able to disinfect the previously locked files.
- SAV32CLI -DI -P=C:\LOGFILE2.TXT
You should repeat the scan on the computer until no further infections are found. If core system files (i.e. files that cannot be killed easily, such as services.exe) have been infected you are best off replacing such files using Windows Recovery Console and a CD of the operating system as you will not be able to disinfect these within Safe Mode with SAV32CLI.
File infectors commonly misinfect files, breaking them, so even if they are disinfected they will still not work. Any files left over after the disinfect scan should be replaced from a clean copy.
If you are having trouble with this, or there are too many files to replace, please contact Sophos Technical Support and forward a copy of the LOGFILE2.TXT created by the SAV32CLI scanner.
6. Reconnecting computers Only connect computers that are fully clean, otherwise the infection could re-occur and continue spreading.
A Note on removable media
Removable media can be easily infected by these types of viruses and if you are not careful the virus can be reintroduced into the network on such devices. If the Sophos on-access scanner is active and set to on-read it will prevent such files from executing. However, if such a device is plugged into an unprotected computer you could end up back at square-one.
You should ensure that all removable media is thoroughly cleaned before it is allowed back into general use. We would recommend that you have a policy in placee to check all media before it is used on machines - a scan from a Sophos protected Linux, Mac or isolated Windows computer would be the safest way of doing this.
Sophos Endpoint Security and Control customers may find use of the Device Control functions to restrict the use of removable media. Please refer to the product documentation for more information.