[vox-tech] [OT] Now I have a virus. Argh!!!!!

Shwaine shwaine at shwaine.com
Sun Jul 18 12:53:04 PDT 2004


On Sat, 17 Jul 2004, Peter Jay Salzman wrote:

> Ever have the feeling that you shouldn't have gotten out of bed?
>
> One of my systems, lucifer, is a dual boot (Debian/win2k).  The only
> thing I use win2k for is to play Serious Sam, Serious Sam Second
> Encounter, and Syberia.
>
> My wife checks her school email, which is web based.  Apparently, Opera
> can't handle the Javascript, so when lucifer is in Linux, she uses
> Galeon and when lucifer is in win2k, she uses IE.
>
> We're behind a firewall, and NO ports are forwarded to lucifer.  There
> is no mail service on that machine --- win2k is only booted for a few
> hours a day while I play Serious Sam or Syberia.  The only packets (that
> I know of) that can reach lucifer from the outside world are
> http packets coming back from an ipmasqed request.  The only way to send
> anything to lucifer from the internet is to first ssh into another
> machine to get into the home LAN to begin with.  Anyway.
>
<snip>
> Anyway, that's neither here nor there.  I've never had a worm before,
> so I'm new to all this.  What's the standard procedure?  Reinstallation?
> Can "virus checkers" also erase viruses?   What is a good "virus
> checker" for this purpose?
>

Personally, if it were my box, I'd do the following. First I'd use one of
my trusty Linux machines to cruise on over to Microsoft and download W2K
SP4 and use their TechNet search tool,
http://www.microsoft.com/technet/security/CurrentDL.aspx, to download all
security related patches released since SP4. Then I'd look into personal
firewalls for W2K and pick one. Choose one that performs some sort of
checksum (MD5 seems common) on the binaries. I personally use an older
version of Tiny Personal Firewall that has forked into many versions as of
a couple of years ago. Others prefer ZoneAlarm Free for its simplicity,
but it's too simple for me. Then download the latest Mozilla (there was an
MS bug in it recently that was patched, so don't use an old download).
Then I'd burn a CD of this voluminous software, reinstall the system,
patch patch patch, install the personal firewall, remove IE from the
desktop, and replace it with Mozilla. I'd also go in and minimize the
services that W2K is running, but don't disable RPC services. I found the
hard way that doing so very nearly borks the system to the point of
needing to use regedit on the RPC services key to get things functioning
again.

I would do all this because if there's one obvious worm on the system,
then there could be any number of stealthy worms on the system. With the
proliferation of IE exploits, it's just a major risk that there's other
cruft hanging about. Besides viruses and worms, there's also spyware and
adware to be concerned about. Several of the recent ones have also
implemented keyloggers, which are by any measure not a good thing to
have around. A fresh install that is well patched and protected before
going online would be a cleaner way to get rid of all the cruft rather
than hope the tools removed everything.

Also, having a firewall block incoming is not as helpful these days
because more and more of the MS stuff is web-page (IE) targeted, which
follows the basic trojan route of piggy-backing on legitimate requests. A
personal firewall on the desktop will help somewhat in preventing the code
from dialing home, but it is not a fool-proof solution. Being a program on
the machine, it could be disabled. It also depends on the user being
knowledgeable enough NOT to click "allow" on any suspicious connections
when in prompt mode. There also exists code to hijack IE sessions (perhaps
Mozilla as well, although I can't remember the specifics) to use to get
data, thereby bypassing the checksum check since usually IE is an allowed
program (although I'd strongly suggest making IE a disallowed program).

As for other monitoring software, remember that most are signature based,
so they only help with known attacks. They are not foolproof against new
attacks or variants of old attacks. That caveat being said, besides
anti-virus programs, you should also look into spyware and adware removal
tools. Look for programs that do not charge you for updating definitions,
as a tool with out-of-date definitions is pretty much useless.

You might also want to consider having the firewall restrict outgoing
connections from the W2K box, or at the very least logging them. If the
box is only used to connect to a small handful of IPs, firewalling this
fact will offer a little more protection against malware that downloads
its payload from the Internet. It won't help much against
self-contained email/IE/script malware though.
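A concrete form of that last suggestion, as an added example (not part of the original post): an iptables egress policy for the Linux box doing the masquerading, which lets the W2K machine reach only a short list of addresses and logs, then drops, everything else it tries to start. The LAN address and the allowed destinations are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Egress restriction for one LAN host on a Linux (iptables) firewall.
# Constructed values: replace W2K_IP and ALLOWED_DST with your own.
W2K_IP="192.168.1.10"                       # constructed: the dual-boot box
ALLOWED_DST="198.51.100.10 198.51.100.25"   # constructed: the handful of IPs it needs

# Print the iptables commands that implement the policy.
# Usage: gen_egress_rules <lan_host> <allowed_ip>...
gen_egress_rules() {
    lan_host="$1"; shift
    chain="W2K_EGRESS"
    # Dedicated chain, jumped to from the top of FORWARD so it is consulted
    # before any blanket "accept LAN traffic" rule already in place.
    echo "iptables -N $chain"
    echo "iptables -I FORWARD 1 -s $lan_host -j $chain"
    # Packets belonging to connections already permitted pass unhindered.
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the listed destinations may be contacted.
    for dst in "$@"; do
        echo "iptables -A $chain -d $dst -j ACCEPT"
    done
    # Everything else: log (rate-limited so a worm cannot flood syslog),
    # then drop. Grep syslog for the prefix to see what the box is trying.
    echo "iptables -A $chain -m limit --limit 6/min -j LOG --log-prefix \"W2K-EGRESS-DENIED: \""
    echo "iptables -A $chain -j DROP"
}

# By default just print the rules for review; "--apply" runs them (as root).
if [ "$1" = "--apply" ]; then
    gen_egress_rules "$W2K_IP" $ALLOWED_DST | sh
else
    gen_egress_rules "$W2K_IP" $ALLOWED_DST
fi
```

If the box needs DNS, add the resolver's address to ALLOWED_DST, or the allowed hosts will never be looked up.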
