Using Unusual Scanner

About: Disk scanner for nonstandard (possibly malicious) files.

Current version: 0.20. May 17, 2005.

System requirements: Windows 9x/NT.

Installation: xcopy install; put the downloaded files anywhere you like.

Overview

When dealing with a trojaned PC, most trojan programs can be identified by looking at the autorun entries, but some trojans simply lie on disk waiting for the user to execute them. Inspecting all autorun entries is also not easy.

Unusual Scanner tries to show you the most suspicious files on disk. It also supports a white list of applications known (to the system administrator) to be good.

Files for analysis

Press Add tree to add all .exe and .dll files in the selected directory and all its subdirectories to the file list. Most modern adware trojans are 32-bit Windows .exe or .dll files without company and version information, so the file list is sorted to show the most suspicious files first: files without a Win32 PE header (mostly MS-DOS and Win16 applications) go to the bottom of the list, and files without company and version information go to the top.
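The ordering described above, as an added example in Python rather than the scanner's own (Windows-native) code: a file is ranked by whether it has a Win32 PE header and, if so, whether its resource table contains an RT_VERSION entry (the block that carries company and version information). The build_pe helper only constructs a minimal sample PE for offline testing; the RVA/section arithmetic follows the PE format, not any code from the page.

```python
import struct

RT_VERSION = 16  # resource type id of the VS_VERSION_INFO block

def suspicion(data: bytes) -> int:
    """0 = Win32 PE without version resource (top of the list, most suspicious),
    1 = Win32 PE with a version resource, 2 = no Win32 PE header (bottom)."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return 2
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return 2                                   # MS-DOS or Win16 file
        nsect = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        opt = pe + 24                                  # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dd = opt + (0x60 if magic == 0x10B else 0x70)  # data directory array: PE32 vs PE32+
        rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]  # entry 2 = resource table
        if rsrc_rva == 0:
            return 0
        for i in range(nsect):                         # map the RVA to a file offset
            vsize, va, rawsz, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
            if va <= rsrc_rva < va + max(vsize, rawsz):
                root = rawptr + (rsrc_rva - va)
                named, ids = struct.unpack_from("<HH", data, root + 12)
                for n in range(ids):                   # id entries follow the named ones
                    if struct.unpack_from("<I", data, root + 16 + (named + n) * 8)[0] == RT_VERSION:
                        return 1
        return 0
    except struct.error:
        return 0                                       # truncated or malformed PE: keep it at the top

def rank(files):
    """files: iterable of (name, bytes); returns names ordered as the scanner's file list."""
    return [name for _, name in sorted((suspicion(data), name) for name, data in files)]

def build_pe(with_version: bool) -> bytes:
    """Constructed minimal PE32 with one .rsrc section (sample input, not a real program)."""
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)     # root directory: one id entry
    rsrc += struct.pack("<II", RT_VERSION if with_version else 3, 0x80000018)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 0x60 + 2 * 8, 0x1000, len(rsrc))
    sect = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), 0x1000, 0x200, 0x200) + bytes(16)
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + rsrc
```

To reproduce Add tree, feed rank() with the .exe and .dll files collected by os.walk over the chosen directory.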

Press Add file to add any single file to the file list.

Working with files info

For the file selected in the file list you can Copy file path to the Clipboard and view Properties (file size, modification time, and the ability to rename the file).

The Send to server feature requires a separate server program that supports the Unusual Scanner network file transfer protocol; it is disabled by default.

Preparing known good applications signatures

Unusual Scanner loads the white-list application signatures from the known_good.txt file in the current directory at startup. To prepare this file:
  1. Run Unusual Scanner on the server without a known_good.txt file.
  2. Add tree with the path to your application.
  3. Export the files info into an application_name.txt file.
  4. Repeat steps 2 and 3 for all of your applications.
  5. Combine the application files into known_good.txt (e.g. copy application_name1.txt + application_name2.txt known_good.txt).
Keep the prepared known_good.txt together with uns.exe when inspecting client computers.
Copyright 2005 Sergey Vlasov
Uses the Crypto++ library.