Remove a virus from an exe


#1
Mardymar (New Member, 4 posts)
I hope this is the right place to post this topic. I was really on the fence.

Hi all,

I got a virus a few weeks ago that copied itself to the top of the code on a lot of my exe's. I've neutralized the virus, and I'm not concerned about it anymore. But now a lot of my exe's are ruined and I would like to save some of them. When I look at the binary it's obvious that the virus just inserted itself to the top of the code and the original binary is still intact. The program just won't read the old code anymore because it's buried under the malware. Is there a way to just cut out the virus from the exe and restore the original files? I tried doing it in a text editor, but that didn't seem to work.

Thanks.

#2
michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
--Edit: I accidentally posted here. However here is my opinion. :)

You were infected with a file infector. :upset: This is what we usually post to people that are unlucky enough to get this kind of infection, specifically referring to virut and sality:

Warning!!
You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by virut, it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.


Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

  • Backup all your documents and important items only.
  • DO NOT backup any executable files (.exe .scr .html or .htm)
  • Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
  • Reformat and Reinstall as outlined HERE


I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Do you remember the name of the infection? Actually, there are the bad ones, like virut and sality, that infect as many files as possible, and others that are kind enough to only infect specific files.
As the above instructions say, the best way to guarantee that your computer will be 100% safe and stable after such an infection is to reformat. Even if one file is left infected with the working malware code, the whole infection will revive from scratch when executed.


Is there a way to just cut out the virus from the exe and restore the original files? I tried doing it in a text editor, but that didn't seem to work.

The easiest way if you aren't willing to reformat (which is the recommended action) would be to re-install the affected programs.

Edited by michaelg9, 11 June 2012 - 02:55 AM.


#3
Mardymar (Topic Starter, New Member, 4 posts)
Thanks for the reply, but I'm really not that worried about the virus. I have some old exe's that I really want to save. So my question is really more about how exe's work and how to edit them so that they can still work.

#4
michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello
Do you remember the name of the infection? E.g. Virut / Sality / Parite / Mabezat ....

Can't you find these files again, for example re-installing the affected program? The best option would be if you could find them again from somewhere else. Otherwise:

You could try a removal tool for the infection you had on these files. You have to tell me the name of the infection first and I'll see what tools can be used.

Manually recovering affected exe files can be very tricky. However, exe files can be edited with the help of a hex editor (like Neo) and/or a debugger (like Olly); however, this process is very advanced, and you must be able to understand what you are doing, otherwise you may easily break the file.

If these files are unique and important to you, you can zip and upload one here and I'll ask my colleagues for some help, if possible.

Don't forget to tell me the name of the infection though.

#5
Mardymar (Topic Starter, New Member, 4 posts)
AVG identified the virus as tufik.b. In my last post I guess I made it sound like more of a life and death matter than it really is. I have copies of the really important things, just kind of a hassle to get to since they're in an old laptop that needs some work. But I know what to do there.

I'm really more just curious. I've been using IDA on the virus and reading a book about it. I've also been learning more and more about assembly. I'm proud of myself since I changed some JNZ's to JZ's to help me debug the virus :yes: . It's also sparked my curiosity about how exactly exe's work and how to repair them when they get damaged.

If you want, I'd be happy to send you a copy of an infected file and a clean file to compare it to. I don't know if I should upload an infected file here, though. It's up to you.

But do you know anywhere where I can learn more about that 'advanced process'? And can Neo or Olly delete entire sections, or do you just change the values?

Edited by Mardymar, 13 June 2012 - 08:00 PM.


#6
Mardymar (Topic Starter, New Member, 4 posts)
Here's the virus:

http://www.liutiliti...us/w32-tufik-b/

#7
michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)

I'm really more just curious. I've been using IDA on the virus and reading a book about it. I've also been learning more and more about assembly. I'm proud of myself since I changed some JNZ's to JZ's to help me debug the virus :yes: . It's also sparked my curiosity about how exactly exe's work and how to repair them when they get damaged.

But do you know anywhere where I can learn more about that 'advanced process'? And can Neo or Olly delete entire sections, or do you just change the values?

The process I was talking about is the one you referred to. If you are able to understand (basic) assembly code and edit instructions in order to make an executable behave in another way, then you may be able to patch the executable. I'm also studying assembly code and learned some basic stuff but I'm still a beginner in this field.
First, I'd recommend that you read this article, describing how virut, another file infector, infects executables. The idea is to inject malicious code somewhere in the executable and then add a jump instruction in the beginning of the file, so when it's executed, the malicious code is executed first. Have a look at this picture, showing at left a clean executable and at right an infected one (notice the jump instruction):
[Image: a clean executable at left and an infected one at right, showing the jump instruction]
So my theory is that if you replace the malicious jump instruction with NOPs, instructions that do nothing, then the executable will start normally, without jumping to the malicious code first. The malicious code will still remain in the file, but inactive.
Additionally, you can go to the jump offset, where the malicious code is, and replace it all with NOPs, but that would be dangerous, as it could overwrite normal instructions.

Now, this is just theoretical; I have no idea what the removal tool did to the files that made them useless or if tufik infection uses different tactics etc.
So if you have backups, then I think trying to fix broken files is just a waste of time, unless you are just doing it out of interest! :)

Additionally, Neo hex editor can compare two executable files to see their differences, if you are interested in investigating further.


If you want, I'd be happy to send you a copy of an infected file and a clean file to compare it to. I don't know if I should upload an infected file here, though. It's up to you.

As you have backup files, then I don't think we should try to fix the infected ones. However, I'd be interested if you could zip and upload an infected and a clean executable file of the same program so I can feed my curiosity.
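As an added example (not code from this thread, and not specific to tufik), here is a small Python script that applies the idea in the post above to a PE file: it parses the DOS and NT headers and the section table, finds the section holding AddressOfEntryPoint, decodes a jmp rel32 at the entry point to see where execution really lands, flags two generic file-infector tells (execution starting in the last section, or in a section that is both writable and executable), and diffs two images the way a hex editor's compare view does. The PE builder, the section name .vir, the sample instruction bytes and the "infected" layout are all constructed here for the demonstration. nop_entry_jump implements the NOP theory from the post, and the diff against the clean copy shows its limit: the five bytes the jump overwrote are gone, so patching the jump out gives a file that no longer jumps into the injected section but is still not the original, which is why a clean copy to compare against (as requested at the end of the post) is worth more than hand-patching.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: name, vsize, rva, rawsize, rawptr, 4 unused, chars

def build_pe(sections, entry_rva):
    """Hypothetical helper: assemble a minimal PE32 image from (name, rva, raw_offset, payload, chars)
    tuples so the example has files to inspect without touching a real binary."""
    dos = b"MZ".ljust(60, b"\0") + struct.pack("<I", 0x40)        # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry_rva)).ljust(224, b"\0")
    image = bytearray(max(off + len(p) for _, _, off, p, _ in sections))
    table = b""
    for name, rva, off, payload, chars in sections:
        table += struct.pack(SECTION_FMT, name.encode(), len(payload), rva, len(payload), off, 0, 0, 0, 0, chars)
        image[off:off + len(payload)] = payload
    header = dos + b"PE\0\0" + file_hdr + opt + table
    image[:len(header)] = header
    return bytes(image)

def parse_pe(data):
    """Read the entry point RVA and the section table of a PE32 file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24                                            # optional header follows the 20-byte file header
    table = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]  # + SizeOfOptionalHeader
    secs = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva,
                     "size": max(vsize, rawsize), "raw": rawptr, "chars": chars})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0], "sections": secs}

def section_of(pe, rva):
    return next((s for s in pe["sections"] if s["rva"] <= rva < s["rva"] + s["size"]), None)

def triage(data):
    """Where does execution really start? Reports the entry section, a leading jmp rel32 and where it
    lands, plus two generic file-infector tells: last section, and writable+executable section."""
    pe, findings = parse_pe(data), []
    entry = pe["entry"]
    entry_sec = landing = section_of(pe, entry)
    res = {"entry": entry, "jump_target": None, "target_section": None, "findings": findings}
    if entry_sec is None:
        findings.append("entry point lies outside every section")
        return res
    off = entry_sec["raw"] + (entry - entry_sec["rva"])
    if data[off] == 0xE9:                                          # E9 rel32 = jmp
        target = (entry + 5 + struct.unpack_from("<i", data, off + 1)[0]) & 0xFFFFFFFF
        landing = section_of(pe, target)
        res["jump_target"], res["target_section"] = target, landing["name"] if landing else None
        if landing is not entry_sec:
            findings.append("entry point jumps straight out of %s" % entry_sec["name"])
    if landing is not None:
        if len(pe["sections"]) > 1 and landing is pe["sections"][-1]:
            findings.append("execution begins in the last section (%s)" % landing["name"])
        if landing["chars"] & IMAGE_SCN_MEM_WRITE and landing["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %s is writable and executable" % landing["name"])
    return res

def nop_entry_jump(data):
    """The post's theory: overwrite the jmp rel32 at the entry point with five NOPs (0x90)."""
    pe = parse_pe(data)
    s = section_of(pe, pe["entry"])
    off = None if s is None else s["raw"] + (pe["entry"] - s["rva"])
    if off is None or data[off] != 0xE9:
        raise ValueError("entry point does not start with jmp rel32")
    return bytes(data[:off]) + b"\x90" * 5 + bytes(data[off + 5:])

def diff_ranges(a, b):
    """(offset, length) runs where two files differ, like a hex editor's compare view; a size difference is one final run."""
    runs, start, n = [], None, min(len(a), len(b))
    for i in range(n + 1):                                         # i == n closes a trailing run
        differs = i < n and a[i] != b[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i - start))
            start = None
    if len(a) != len(b):
        runs.append((n, abs(len(a) - len(b))))
    return runs

# Constructed samples. Clean: "mov eax, 0x11223344; ret" at RVA 0x1000, padded with int3 (0xCC).
TEXT = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
WX = 0xE0000020     # the same plus MEM_WRITE
clean_code = b"\xB8\x44\x33\x22\x11\xC3".ljust(0x200, b"\xCC")
CLEAN = build_pe([(".text", 0x1000, 0x200, clean_code, TEXT)], 0x1000)
# Constructed "infected" image (not a real sample): a W+X section is appended at RVA 0x2000 and the
# first five bytes at the entry point become "jmp 0x2000", the layout described in the post.
jmp = b"\xE9" + struct.pack("<i", 0x2000 - (0x1000 + 5))
INFECTED = build_pe([(".text", 0x1000, 0x200, jmp + clean_code[5:], TEXT),
                     (".vir", 0x2000, 0x400, b"\x90" * 0x200, WX)], 0x1000)
if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED), ("nopped", nop_entry_jump(INFECTED))):
        print(label, triage(img)["findings"], [(hex(o), n) for o, n in diff_ranges(CLEAN, img)])
```

Running it prints no findings for the clean image, three for the infected one (the entry jumps out of .text, lands in the last section, and that section is writable and executable), and none for the NOP-patched image; the diff of the patched image against the clean one still reports a five-byte run at file offset 0x200, the overwritten original instruction that NOPs cannot bring back. Real infectors vary the jump form and the placement of their code, so treat the checks as a starting point for triage, not as a detector.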





