Malware Infection

Your systems are infected with malicious software - this could be a virus, trojan, spyware, rootkit, or other malware. The key is to contain the infection, preserve evidence, and then clean or rebuild affected systems.

Types of Malware

  • Virus - Self-replicating, spreads to other files
  • Trojan - Disguised as legitimate software
  • Spyware - Collects information without consent
  • Rootkit - Hides deep in the system, hard to detect
  • Worm - Self-replicating across networks
  • Keylogger - Records keystrokes
  • RAT (Remote Access Trojan) - Gives attacker remote control

Immediate Actions

  1. Isolate the system - Disconnect from network (unplug cable, disable WiFi)
  2. Do NOT turn off the computer - Evidence in memory may be lost
  3. Document symptoms - What made you suspect infection? Screenshots?
  4. Identify scope - How many systems might be affected?
  5. Preserve evidence - Before cleaning, consider forensic imaging

Online Malware Analysis Tools

VirusTotal

  • Website: virustotal.com
  • Upload suspicious files for scanning by 70+ antivirus engines
  • Also analyzes URLs, domains, and IP addresses
  • Free to use

Hybrid Analysis

  • Website: hybrid-analysis.com
  • Free malware analysis service
  • Detailed behavioral reports
  • Shows what the malware does when executed

Any.Run

  • Website: any.run
  • Interactive malware sandbox
  • Watch malware execute in real-time
  • Free tier available

Joe Sandbox

  • Website: joesandbox.com
  • Deep malware analysis
  • Free community edition

MalwareBazaar

  • Website: bazaar.abuse.ch
  • Malware sample database
  • Check if your sample is known

Antivirus & Removal Tools

Free Scanning Tools

Bootable Rescue Disks

For severe infections, boot from clean media:

  • Kaspersky Rescue Disk: support.kaspersky.com/krd18
  • ESET SysRescue: eset.com/int/support/sysrescue
  • Bitdefender Rescue CD: bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

Evidence Collection Tools

Memory Capture (Before Shutdown)

Triage Collection

Threat Intelligence

Check Indicators of Compromise (IOCs)

IP/Domain Reputation:

  • AbuseIPDB: abuseipdb.com - Check malicious IP addresses
  • URLhaus: urlhaus.abuse.ch - Malicious URL database
  • ThreatFox: threatfox.abuse.ch - IOC database

Hash Lookup:

  • VirusTotal: virustotal.com - File hash lookup
  • MalwareBazaar: bazaar.abuse.ch - Known malware hashes

Swedish Resources

CERT-SE

  • Report: cert.se
  • 24/7 hotline: +46 10 240 40 40
  • May have intelligence on the malware family

Guides & Documentation

SANS Malware Analysis

CISA Malware Analysis Reports (MARs)

Security in a Box - Malware

Recovery Decision

Option 1: Clean and Monitor

  • Run multiple antivirus scans
  • Remove detected malware
  • Monitor for reinfection
  • Risk: May not remove all components

Option 2: Wipe and Rebuild

  • Image the disk for evidence
  • Wipe and reinstall operating system
  • Restore data from clean backups
  • Safest: Ensures complete removal

Evidence to Preserve

  • [ ] Memory dump (before shutdown if possible)
  • [ ] Suspicious files (quarantine, don't delete)
  • [ ] System logs
  • [ ] Network logs showing C2 communication
  • [ ] Browser history showing infection vector
  • [ ] Hash values of suspicious files
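The hash lookup step under Threat Intelligence and the "quarantine, don't delete" and "hash values" items above fit together in one small triage script. The following is an added example written for this guide, not HackAid's own tooling: it computes MD5/SHA-1/SHA-256 for each suspicious file (the hashes VirusTotal and MalwareBazaar accept), checks the SHA-256 against a local set of known-bad hashes you have looked up or received, copies the file into a quarantine folder under a neutral name, and writes a JSON-lines manifest that can be re-verified before hand-over. The file contents and the "known bad" hash in demo_run() are constructed for the demo, not real malware indicators.

```python
"""
Added example (not HackAid's code): hash suspicious files, check the SHA-256
against a local IoC list, copy them to a quarantine folder and write a manifest.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return md5, sha1 and sha256 hex digests; read in chunks so large files fit."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def _utc(ts=None):
    """ISO-8601 UTC timestamp; ts=None means 'now'."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def quarantine_file(path, quarantine_dir, known_bad_sha256=frozenset()):
    """Copy (never delete) one suspicious file into quarantine_dir and return a
    manifest entry. known_bad_sha256 is the set of hashes you looked up on
    VirusTotal / MalwareBazaar or received from CERT-SE."""
    path = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    digests = hash_file(path)
    st = path.stat()
    # Name the copy after its hash with a neutral extension so nothing on the
    # analysis machine runs it through a double-click or file association.
    dest = qdir / f"{digests['sha256']}.quarantined"
    shutil.copy2(path, dest)  # copy2 keeps the original timestamps for the investigator
    return {
        "original_path": str(path.resolve()),
        "quarantine_path": str(dest),
        "size": st.st_size,
        "mtime_utc": _utc(st.st_mtime),
        "collected_utc": _utc(),
        **digests,
        "known_bad": digests["sha256"] in known_bad_sha256,
    }


def write_manifest(entries, manifest_path):
    """Append entries as JSON lines so one manifest can cover many systems."""
    with open(manifest_path, "a", encoding="utf-8") as f:
        for e in entries:
            f.write(json.dumps(e, sort_keys=True) + "\n")
    return str(manifest_path)


def verify_manifest(manifest_path):
    """Re-hash every quarantine copy and confirm the original was not deleted.
    Run this before handing evidence over; a False means the record no longer
    matches what was collected."""
    results = []
    for line in Path(manifest_path).read_text(encoding="utf-8").splitlines():
        e = json.loads(line)
        copy = Path(e["quarantine_path"])
        results.append({
            "original_present": Path(e["original_path"]).exists(),
            "copy_intact": copy.exists() and hash_file(copy)["sha256"] == e["sha256"],
        })
    return results


def demo_run(workdir=None):
    """Constructed scenario: two files, one whose SHA-256 is on the IoC list.
    File contents and the IoC hash are made up for this demo, not real malware."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="malware-triage-"))
    workdir.mkdir(parents=True, exist_ok=True)
    benign = workdir / "report.docx"
    benign.write_bytes(b"constructed benign document bytes")
    suspect = workdir / "unknown-attachment.bin"
    suspect.write_bytes(b"constructed suspicious sample bytes")
    # Stand-in for the hash MalwareBazaar or VirusTotal flagged as known malware.
    ioc = {hash_file(suspect)["sha256"]}
    entries = [quarantine_file(p, workdir / "quarantine", ioc) for p in (benign, suspect)]
    manifest = write_manifest(entries, workdir / "manifest.jsonl")
    return {"entries": entries, "manifest": manifest, "verified": verify_manifest(manifest)}


if __name__ == "__main__":
    for entry in demo_run()["entries"]:
        flag = "KNOWN BAD" if entry["known_bad"] else "unknown  "
        print(flag, entry["sha256"], entry["original_path"])
```

Running the script as-is builds the constructed scenario in a temporary directory and prints one line per file. On a real incident you would call quarantine_file() on each file you want to keep, with a known-bad set built from your lookups, and keep the manifest alongside the quarantine folder on the collection media.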

Need Help?

If your Swedish organization needs help analyzing malware or investigating an infection:

Apply to HackAid - Our volunteers have digital forensics training.


Last updated: 2026-01