Ask the Expert

Identifying malicious code in Win98

I recently had to add a Win98SE drive to my server, because my IBM ViaVoice software and others wouldn't install in Win2K. Eventually, I intend to go to a UNIX system, but for now, I am stuck with what I've got. My question is, how can I get a list of active processes or memory residents in Windows 98 so I can see for myself whether I have any active Trojans or other tomfoolery happening? After all, the best defense is regular monitoring and awareness.



Depending on your experience with MS-DOS and Windows 98, you can use the following:

First, try Microsoft Article Q184075, which explains how to use the Win98SE Microsoft System Information tool.

Second, try Microsoft Article Q181966, which explains how to use the Microsoft Config program.

Third, if you feel you need greater detail, try the DLL tree walker. Remember, DLLs in the Microsoft world are library files (i.e. compiled code), so walking the DLLs may also provide some assistance.

Use of these should provide some assistance in your quest. If these fail or you do not have access to the resources I mentioned, try the old standby "MEM" command with the "/C" switch to classify the programs in memory and "/D" for debug information on what memory contains. This last option is limited, for it will only show memory use up to the first megabyte (old EMS, now XMS RAM). Examples from the command prompt:

mem /c /d
mem /d
mem /c

Although MEM is not the greatest tool, it will sometimes provide assistance.

With a combination of the Microsoft solutions, DLL tree walker and the "MEM" command from the command prompt, you should be able to determine most applications located in system memory (RAM).

Finally, after verifying the applications loaded in memory try these checks:

1. Check all active connections using the "nbtstat -c" and "netstat -a" commands from the DOS command prompt.

2. Check all systems logs if they are enabled.

3. Check the "startup" folders, C:\config.sys and C:\autoexec.bat for any strange applications.

4. Check for hidden files using the "dir /ah" command at the DOS command prompt.

5. Last, compare the original OS files to the install media (if possible).

Checking active system memory with the Microsoft tools and working through the previous checklist should provide good starting points to determine whether your system has been compromised by a Trojan or other malicious attack.
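Steps 1, 3 and 5 of the checklist above, written out as a small triage script. This is an added example and not part of the expert's answer: it is Python, meant to run on a workstation over output captured on the Win98 box ("netstat -a" redirected to a file, copies of CONFIG.SYS and AUTOEXEC.BAT, and the files to compare), and everything it reads here, the netstat text, the startup files, the file contents and the baseline port and program lists, is constructed for the example rather than taken from any real host. The baseline (NetBIOS ports 137-139 and a handful of standard drivers) is an assumption you would replace with what your own machine is known to run.

```python
import hashlib
import re

# Constructed sample of "netstat -a" output in the Windows 98 format.
# Not captured from a real host; the port 5150 listener is a planted oddity.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mybox:137              0.0.0.0:0              LISTENING
  TCP    mybox:139              0.0.0.0:0              LISTENING
  TCP    mybox:5150             0.0.0.0:0              LISTENING
  TCP    mybox:1034             203.0.113.9:80         ESTABLISHED
  UDP    mybox:137              *:*
  UDP    mybox:138              *:*
"""

# Constructed startup files; the C:\TEMP\UPDATE.EXE line is a planted oddity.
CONFIG_SYS_SAMPLE = r"""DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICEHIGH=C:\WINDOWS\EMM386.EXE
FILES=40
"""
AUTOEXEC_BAT_SAMPLE = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD001
C:\WINDOWS\SYSTRAY.EXE
C:\TEMP\UPDATE.EXE
"""

# Assumed baseline: NetBIOS ports a Win98 box with file sharing normally
# listens on, and the drivers/programs you expect in the startup files.
BASELINE_PORTS = {137, 138, 139}
BASELINE_STARTUP = {
    r"C:\WINDOWS\HIMEM.SYS", r"C:\WINDOWS\EMM386.EXE",
    r"C:\WINDOWS\COMMAND\MSCDEX.EXE", r"C:\WINDOWS\SYSTRAY.EXE",
}


def parse_netstat(text):
    """Turn "netstat -a" output into rows; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                         "state": parts[3] if len(parts) > 3 else ""})
    return rows


def triage_connections(rows, expected_ports):
    """Step 1: flag listeners outside the baseline and every live session."""
    findings = []
    for r in rows:
        port = int(r["local"].rsplit(":", 1)[1])
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and port not in expected_ports:
            findings.append(("unexpected-listener", r["proto"], port))
        elif r["state"] == "ESTABLISHED":
            findings.append(("established", r["local"], r["foreign"]))
    return findings


def startup_programs(config_sys, autoexec_bat):
    """Step 3: every driver/program loaded from CONFIG.SYS and AUTOEXEC.BAT."""
    progs = []
    for line in config_sys.splitlines():
        m = re.match(r"\s*(DEVICEHIGH|DEVICE|INSTALL)\s*=\s*(\S+)", line, re.I)
        if m:
            progs.append(m.group(2))
    for line in autoexec_bat.splitlines():
        tokens = line.strip().split()
        # Skip comments, environment settings and echo lines; keep program launches.
        if not tokens or tokens[0].upper().lstrip("@") in ("REM", "SET", "PATH", "PROMPT", "ECHO"):
            continue
        if tokens[0].upper() in ("LH", "LOADHIGH"):  # LH wraps the real program
            tokens = tokens[1:]
        if tokens:
            progs.append(tokens[0])
    return progs


def unexpected_startup(progs, baseline):
    """Programs in the startup files that the baseline does not account for."""
    known = {b.upper() for b in baseline}
    return [p for p in progs if p.upper() not in known]


def changed_files(installed, media):
    """Step 5: names whose installed copy hashes differently from the media copy.
    Both arguments map file name -> file bytes."""
    def digest(data):
        return hashlib.sha256(data).hexdigest()
    return sorted(name for name, data in installed.items()
                  if name in media and digest(data) != digest(media[name]))


if __name__ == "__main__":
    for finding in triage_connections(parse_netstat(NETSTAT_SAMPLE), BASELINE_PORTS):
        print("connection:", finding)
    progs = startup_programs(CONFIG_SYS_SAMPLE, AUTOEXEC_BAT_SAMPLE)
    for prog in unexpected_startup(progs, BASELINE_STARTUP):
        print("startup program not in baseline:", prog)
    # Constructed file contents standing in for reads of the disk and the CD.
    installed = {"COMMAND.COM": b"pristine", "WINSOCK.DLL": b"modified"}
    media = {"COMMAND.COM": b"pristine", "WINSOCK.DLL": b"pristine"}
    print("changed vs install media:", changed_files(installed, media))
```

The script reports only deviations from the baseline, so its value depends on that baseline being recorded from a known-clean state; an ESTABLISHED session is listed rather than judged, because whether it is legitimate is something only the person at the keyboard can say.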


This was first published in September 2001
