Identifying malicious code in Win98
I recently had to add a Win98SE drive to my server, because my IBM
ViaVoice software and others wouldn't install in Win2K. Eventually, I
intend to go to a UNIX system, but for now, I am stuck with what I've got.
My question is, how can I get a list of active processes or memory
residents in Windows 98 so I can see for myself whether I have any active Trojans or other
tomfoolery happening? After all, the best defense is regular monitoring and
awareness.
Depending on your experience with MS-DOS and Windows 98, you can use the
following:
First, read Microsoft Knowledge Base article Q184075, which explains how to use the Windows 98 Microsoft System Information tool (Msinfo32). Its Software Environment section lists running tasks, the 16-bit and 32-bit modules loaded, and the programs configured to start with Windows.
Second, read Microsoft Knowledge Base article Q181966, which explains
the use of the Microsoft System Configuration Utility (Msconfig). Its Startup tab shows every program launched from the Startup folder, from Win.ini and from the registry Run keys, and lets you disable an entry for a test reboot.
Third, if you need greater detail, try a
DLL tree walker. Remember that DLLs in
the Microsoft world are shared libraries of compiled code that are loaded into a program's address space, so listing which DLLs each running program has loaded can expose an unexpected or unfamiliar module that a plain task list would not show.
Use of these should get you most of the way. If they fail or
you do not have access to the resources I mentioned, fall back on the old standby "MEM" command with
the "/C" switch (classify memory use by program) or the "/D" switch (debug listing of every module and driver in memory). The two switches are mutually exclusive, so run them one at a time; add "/P" to pause after each screen.
This last option is limited: it details only conventional and upper memory, the first
megabyte, and merely summarizes extended (XMS) and expanded (EMS) memory, so 32-bit Windows programs living above 1 MB show up only as totals. Examples from the command prompt:
mem /c /p
mem /d /p
mem /c
Although MEM is not the greatest tool, it will sometimes provide assistance, and it has the advantage of working from a real-mode boot disk when Windows itself cannot be trusted.
With a combination of the Microsoft tools, a DLL tree walker and the
"MEM" command from the command prompt, you should be able to account for most of the
programs and drivers loaded in system memory (RAM).
Finally, after verifying the applications loaded in memory, try these checks:
1. Check all active connections with "netstat -an" (TCP/UDP connections and listening ports, shown numerically) and NetBIOS sessions with "nbtstat -S" from the DOS command prompt. "nbtstat -c" shows only the NetBIOS name cache, which is useful for seeing which hosts the machine has recently talked to but does not list connections.
2. Check all system logs, if they are enabled.
3. Check the "Startup" folders, C:\config.sys, C:\autoexec.bat, the load= and run= lines of C:\Windows\win.ini, and the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and its RunOnce and RunServices siblings)
for any strange applications.
4. Check for hidden files with the "dir /ah" command at the DOS command
prompt; "dir c:\ /ah /s" walks the whole drive, and "attrib" shows and clears the hidden and system attributes on a given file.
5. Last, compare the original OS files to the install media (if possible).
Checking active system memory with the Microsoft tools and working through the
previous checklist should provide good starting points to determine whether your
system has been compromised by a Trojan or other malicious attack.
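Because the questioner's point is regular monitoring, the checks above are most useful when the output is saved and compared against a known-good baseline rather than eyeballed once. The following batch file is an added example, not part of the original answer, that captures the MEM, netstat, nbtstat, startup-file, hidden-file and registry Run-key output into a single text file on Windows 98 so that two snapshots can be compared with FC. The script name (snapshot.bat), the output file name passed as %1, and the assumption that Windows lives in C:\Windows are the author's; all commands used (mem, netstat, nbtstat, type, dir, regedit /e, fc) ship with Windows 98.

```batch
@echo off
rem snapshot.bat - capture a Win98 system state baseline into one text file
rem Added example (hypothetical script); usage:  snapshot.bat baseline.txt
rem Later:  snapshot.bat today.txt  then  fc baseline.txt today.txt
if "%1"=="" goto usage

echo ===== MEM /C (programs by memory use) > %1
mem /c >> %1
echo ===== MEM /D (modules and drivers) >> %1
mem /d >> %1

echo ===== NETSTAT -AN (TCP/UDP connections and listeners) >> %1
netstat -an >> %1
echo ===== NBTSTAT -S (NetBIOS sessions by address) >> %1
nbtstat -S >> %1
echo ===== NBTSTAT -c (NetBIOS name cache) >> %1
nbtstat -c >> %1

echo ===== STARTUP FILES >> %1
type c:\config.sys >> %1
type c:\autoexec.bat >> %1
type c:\windows\win.ini >> %1
type c:\windows\system.ini >> %1

rem Export the Run keys; regedit /e writes a REGEDIT4 text file we can append
echo ===== REGISTRY RUN KEYS >> %1
regedit /e c:\windows\temp\run.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
type c:\windows\temp\run.reg >> %1
regedit /e c:\windows\temp\runsvc.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
type c:\windows\temp\runsvc.reg >> %1
regedit /e c:\windows\temp\runcu.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
type c:\windows\temp\runcu.reg >> %1

echo ===== HIDDEN FILES ON C: >> %1
dir c:\ /ah /s /b >> %1

echo Snapshot written to %1
goto end

:usage
echo Usage: snapshot.bat outputfile.txt
:end
```

Take the first snapshot immediately after a clean install and patch, ideally with the network cable unplugged, and keep it on a floppy or write-protected medium so a Trojan cannot edit the baseline to match itself. When comparing with FC, expect noise in the netstat section (ephemeral client ports change every run) and focus on new listening ports, new Run-key entries and new hidden files; a diff in the MEM /D or startup sections that you did not cause is worth investigating.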
This was first published in September 2001