Identifying malicious code in Win98
I recently had to add a Win98SE drive to my server, because my IBM
ViaVoice software and others wouldn't install in Win2K. Eventually, I
intend to go to a UNIX system, but for now, I am stuck with what I've got.
My question is, how can I get a list of active processes or memory
residents in Windows 98 so I can see for myself whether I have any active Trojans or other
tomfoolery happening? After all, the best defense is regular monitoring and
Depending on your experience with MS-DOS and Windows 98, you can use the
First, try the Microsoft Article Q184075
that explains how to use the Win98se tool Microsoft System Information tool.
Second, try this Microsoft Article Q181966
the use of the Microsoft Config program.
Third, if you feel you need greater detail, try the DLL tree walker
. Remember, DLL's in
the Microsoft world are library files (a.k.a. compiled code), thus walking
the DLLs may also provide some assistance.
Use of these should provide some assistance in your quest. If these fail or
you do not have access to the resources I mentioned, try the old standby "MEM" command with
the "/C" for Classify and "/D" for debug information contained in memory.
This last option is limited, for it will only show memory use up to the first
megabyte(old EMS, now XMS RAM). Examples from the command prompt:
mem /c /d
Although MEM is not the greatest tool, it will sometimes provide assistance.
With a combination of the Microsoft solutions, DLL tree walker and the
"MEM" command from the command prompt, you should be able to determine most
applications located in system memory (RAM).
Finally, after verifying the applications loaded in memory try these checks:
1. Check all active connections using the "nbtstat -c" and "netstat -a"
commands from the DOS command prompt.
2. Check all systems logs if they are enabled.
3. Check the "startup folders" folders, C:config.sys and c:autoexec.bat
for any strange applications.
4. Check for hidden files using the "dir /ah" command at the DOS command
5. Last, compare the original OS files to the install media (if possible).
Checking active system memory with the Microsoft tools and use of the
privious checklist should provide good starting points to determine if your
system has been compromised by a Trojan or other malicious attack.
This was first published in September 2001