


Microsoft Windows Worm Removal Information


To help protect everyone on the JMU network, computers infected with viruses will be quarantined. These computers will be able to reach all JMU sites but only a few outside web sites. It will take 12 working hours after the problem is corrected before Internet access will return to normal.

Unfortunately, cleanup procedures can be long and tedious. Be sure to follow the StartSafe instructions when the cleanup is finished to help prevent a recurrence. With today's threats, simple solutions like anti-virus and firewall software are not enough. For even more protection, use a non-privileged account for day-to-day use. This will:

  • prevent most infections
  • limit the damage others can do
  • limit the ability of the virus to hide itself, making it easier to clean

To clean the computer, follow the appropriate instructions below for the type of computer to be cleaned. If the computer is used to handle sensitive information or services, the cleanup method that involves the least risk is to re-format and re-install. This is because determining the integrity of a system is a lot more complicated than most people realize.


Reviewing the following information may help you in cleaning the infection and preventing another one.

An infected computer is simply a computer running an undesirable program or programs. Whether it is a worm, a virus, a trojan, spyware, or something else, it is telling the computer to perform undesirable actions. Many such programs allow others to connect to the infected computer and interactively control it: capture passwords and personal data, and run even more undesirable programs. The computer is under the complete control of the writer of the infecting program. Effectively, it has been "hacked", compromised, broken into, or whatever term you want to use to indicate it is no longer under your control.

There are four basic ways these programs get on our computers:

  1. We install them ourselves by downloading and running unknown programs. These may be e-mail attachments, links in e-mail or instant messages that lead us to files on web sites, files in file shares or P2P music sharing applications, and almost anywhere else files may be stored. More information about refusing unknown programs can be found here.
  2. Our computers have a defect allowing others to start programs of their choice on our computers. Software vendors regularly issue fixes for these defects that we must install. The defects may be in a browser or e-mail client which requires some action on our part to aid the criminal (although that action may be as simple as visiting a web site, clicking a link, or reading an e-mail message). Other defects are exploitable as soon as the computer is plugged into the network and require no action on our part.
  3. We configure our computers in a way that allows others to run programs of their choice on our computers. For example, by sharing our hard drive on the network.
  4. We use poor locks (that is, weak passwords) to protect our computers.
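The following added example, which is not part of the original page, shows why item 4 matters on Windows. The operating system stores the NT hash of each account password, which is MD4 over the UTF-16LE encoding of the password with no salt, so anyone who can read the hashes (a program running with administrator rights can) tries a wordlist against them at full speed, and the same password produces the same hash on every machine. The wordlist and the two passwords are constructed for the example; MD4 is implemented in pure Python from RFC 1320 so the script runs offline.

```python
"""Why a weak password is a poor lock: a dictionary attack on NT hashes.
NT hash = MD4(UTF-16LE(password)), no salt.  MD4 is implemented here
from RFC 1320 so this runs without OpenSSL's legacy provider."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three 16-step rounds over each 64-byte block."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1: F = selection
            f = (bb & cc) | (~bb & dd)
            aa, bb, cc, dd = dd, _rotl((aa + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), bb, cc
        for i in range(16):                       # round 2: G = majority
            g = (bb & cc) | (bb & dd) | (cc & dd)
            k = (i % 4) * 4 + i // 4
            aa, bb, cc, dd = dd, _rotl((aa + g + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), bb, cc
        for i in range(16):                       # round 3: H = parity
            h = bb ^ cc ^ dd
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            aa, bb, cc, dd = dd, _rotl((aa + h + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), bb, cc
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The NT hash as Windows stores it: MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed wordlist for the example; a real attack uses millions of entries.
WORDLIST = ["123456", "letmein", "password", "jmu2004", "Summer04", "qwerty", "admin"]


def crack(target_hash: str, wordlist=WORDLIST):
    """Return the password whose NT hash matches target_hash, or None."""
    for candidate in wordlist:
        if nt_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    weak = nt_hash("password")
    strong = nt_hash("correct horse battery staple 42!")
    print("weak   ", weak, "->", crack(weak))       # found on the third try
    print("strong ", strong, "->", crack(strong))   # not in any short list
    # No salt: the same password yields the same hash on every computer,
    # which is why a password typed into an infected machine must be changed everywhere.
    print("same password, same hash:", nt_hash("password") == weak)
```

The weak hash falls on the third candidate; a long passphrase survives because it is not in the list, not because the hash is slower. This is also why the rebuild procedure later on the page ends with changing every password typed on the infected computer.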

Defects in Windows programs are particularly vexing right now. You can take a brand new Windows computer out of the box and if you hook it up to the Internet without taking some prior precautions, it is likely to get infected within minutes. Think of these defects as broken windows on your computer. Anyone can crawl into your computer through the broken windows without you knowing it and without needing your help. A network connection is all that is needed. You do not need to open an e-mail attachment or download anything for your computer to become infected.

Similar defects in web browsers like Internet Explorer or e-mail clients like Outlook Express are allowing people or worms to crawl into your computer if you visit a malicious web site, click a malicious web link, or read a malicious e-mail message. You do NOT need to open an attachment or download any software for this to happen. Just clicking a link in e-mail, in an instant message, or on a web page is enough.

Once in, the criminals or their programs are free to do whatever they want...read your e-mail, delete your files, copy your passwords, steal your identity, attack other computers, and send SPAM.

People have written programs, called worms, that travel the Internet hopping from one computer to another through the same broken windows. These are troublesome but it is important to remember the worm is only doing what anyone else can do...walk right in and take over.

Microsoft regularly releases updates to fix these broken windows as they are discovered. This is typical of all computer software. Installing these updates will prevent worms and criminals from crawling into your computer, but it will not kick them out if they are already in. Once a bad guy or his program climbs into your computer, things get difficult.

Anti-virus software watches over your computer as you start programs and read files. If it recognizes the program as a bad one, it will pop up a warning and keep it from running. However, the anti-virus software must be constantly updated to recognize the new bad programs that are released daily. If a new one comes along, the anti-virus software will let it walk right in without even blinking.

While anti-virus software is good at stopping recognized bad programs from running, it is not so good at removing them once they are in. That can happen when an unrecognized bad program (i.e. a new virus) is run, or when one crawls in through a broken window. Getting them out often requires specialized tools and/or procedures.
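An added illustration of how that recognition works (example code written for this page, not software from the original): a toy scanner carrying the two kinds of signature real engines use, an exact file hash and a generic byte pattern, run over constructed byte strings that stand in for files. None of the samples is real malware, and the detection names Worm.Example.A, Worm.Example.gen and Trojan.Example.B are invented.

```python
"""Signature scanning: what gets caught and what walks right in.
Samples are constructed byte strings standing in for executables."""
import hashlib
import re

# Constructed stand-ins for files (a real Windows executable starts with "MZ").
KNOWN_WORM = b"MZ\x90\x00 worm build 1: listen 4444; copy self to \\\\target\\C$\\wrm.exe"
REPACKED_WORM = KNOWN_WORM.replace(b"build 1", b"build 2")  # one byte changed, same behaviour
NEW_FAMILY = b"MZ\x90\x00 dropper: fetch http://example.invalid/p.bin; run it; stop firewall"
CLEAN_APP = b"MZ\x90\x00 editor: open file; show text; save file"

SAMPLES = {"known": KNOWN_WORM, "repacked": REPACKED_WORM,
           "new family": NEW_FAMILY, "clean": CLEAN_APP}

# Signature database as shipped: one exact file hash and one generic pattern.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_WORM).hexdigest(): "Worm.Example.A"}
PATTERN_SIGNATURES = [(re.compile(rb"listen \d+; copy self to"), "Worm.Example.gen")]


def scan(sample: bytes, hash_sigs=HASH_SIGNATURES, pattern_sigs=PATTERN_SIGNATURES):
    """Return the detection name, or None when nothing in the database matches."""
    hit = hash_sigs.get(hashlib.sha256(sample).hexdigest())
    if hit:
        return hit
    for pattern, sig_name in pattern_sigs:
        if pattern.search(sample):
            return sig_name
    return None


def scan_all(samples=SAMPLES, hash_sigs=HASH_SIGNATURES, pattern_sigs=PATTERN_SIGNATURES):
    """Scan every sample; the dict shows which ones the database recognises."""
    return {label: scan(data, hash_sigs, pattern_sigs) for label, data in samples.items()}


def updated_database():
    """Simulate the vendor's next update: the new family gets a hash signature."""
    updated = dict(HASH_SIGNATURES)
    updated[hashlib.sha256(NEW_FAMILY).hexdigest()] = "Trojan.Example.B"
    return updated


if __name__ == "__main__":
    before = scan_all()
    after = scan_all(hash_sigs=updated_database())
    for label in SAMPLES:
        print(f"{label:11s} before update: {before[label]!s:18s} after update: {after[label]}")
```

The repacked worm defeats the exact hash because one byte changed, and only the generic pattern still catches it; the new family is missed entirely until the next signature update, which is the window the text warns about. Real engines add heuristics and behaviour monitoring on top of this, but the basic dependence on recognising something already seen is the same.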

Firewalls protect computers whose windows are broken, whose locks (passwords) are weak, or whose doors are inadvertently left open by their owners or shipped open by vendors. Windows XP comes with a firewall. A firewall will keep worms and criminals from jumping through broken windows until you can install the latest updates to fix those broken windows. But don't think of a firewall as a panacea. It's only there as a patch for underlying failures. The underlying failures and/or operating practices must be corrected. In addition, if you permit malicious programs to run on your computer, for example by opening a malicious e-mail attachment, they may disable the firewall.

All of these things are interrelated and no one of them is as effective as the combination. Perhaps more importantly, operating practices can render all of them ineffective, particularly not heeding the recommendation to refuse to run unknown programs. Running the wrong program can disable anti-virus software, firewalls, and any other safeguard you have on your computer.

A newer class of unwanted software, known as spyware or adware, is often installed by the computer's own user as a by-product of other software installations. This type of unwanted software, which can be as compromising as more traditional worms and viruses, often requires specialized removal tools.

Risk of infection by any type of unwanted software can be reduced considerably by operating the computer using a safer account.

To clean a computer, you have to:

  • Fix the problem that allowed it to happen in the first place.
    • Apply patches to fix broken windows
    • Create strong locks (passwords)
    • Add additional defensive layers to help protect against future mistakes: anti-virus software, a firewall, and a safer (non-privileged) account
    • Change operating practices to avoid self-infection through running unknown programs
    • Be more conservative and cautious about software installs, particularly those prompted by web pop-ups
    • Use a safer account for day-to-day use to decrease the effects of mistakes
  • Remove malicious software and fix the damage it may have done.
    • Disable Windows features that protect the bad software
      • Disable System Restore so Windows does not restore bad software that you delete
      • Boot into Safe Mode so the bad software does not start and you are able to delete it
    • Run a removal tool
    • Manually fix other problems the bad software may have caused
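Added example (not from the original page): a small triage check a practitioner would run from a command prompt before and after the removal tool, so that the "manually fix other problems" step has something concrete to go on. It parses the output of `netstat -ano` (available on Windows XP) and flags listening ports a stock workstation should not have, plus established connections to outside hosts on ports an ordinary client would not use. The netstat output, the campus network range (RFC 5737 documentation addresses), the expected-listener list and the process IDs are all constructed assumptions.

```python
"""Triage an infected Windows computer from saved `netstat -ano` output:
flag unexpected listeners and outbound connections to outside hosts.
The output below is constructed (RFC 5737 addresses, invented PIDs)."""
import ipaddress

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1588
  TCP    192.0.2.20:1035        192.0.2.5:80           ESTABLISHED     1204
  TCP    192.0.2.20:1036        203.0.113.77:6667      ESTABLISHED     1588
  UDP    0.0.0.0:137            *:*                                    4
"""

# Assumptions for this example: the campus network, the ports a stock
# Windows XP workstation listens on, and the ports a browser normally uses.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
EXPECTED_LISTENERS = {135, 137, 138, 139, 445}
ORDINARY_CLIENT_PORTS = {80, 443}


def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or title
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def find_suspicious(rows):
    """Return (pid, reason) pairs for anything a clean workstation should not show."""
    findings = []
    for r in rows:
        local_port = int(r["local"].rpartition(":")[2])
        if r["state"] == "LISTENING" and local_port not in EXPECTED_LISTENERS:
            findings.append((r["pid"], f"unexpected listener on TCP {local_port}"))
        if r["state"] == "ESTABLISHED":
            host, _, port = r["foreign"].rpartition(":")
            if (ipaddress.ip_address(host) not in LOCAL_NET
                    and int(port) not in ORDINARY_CLIENT_PORTS):
                findings.append((r["pid"], f"connection to outside host {host} port {port}"))
    return findings


def suspicious_pids(rows):
    """The process IDs worth looking up with `tasklist`."""
    return sorted({pid for pid, _ in find_suspicious(rows)})


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for pid, reason in find_suspicious(rows):
        print(f"PID {pid}: {reason}")
    print("look up with tasklist:", suspicious_pids(rows))
```

On a real machine, save the output first (`netstat -ano > netstat.txt`), run the check over it, and map any flagged PID to a program with `tasklist`. In the constructed data one process both listens on an odd port and holds a connection to an outside host on the IRC port, which is the pattern of a remote-control bot; the browser's connection to a local web server on port 80 is left alone. The allowlists are deliberately narrow so that anything you cannot account for surfaces; widen them only for services you know the computer is supposed to run.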


Reformat and Reinstall for Maximum Security

The cleanup steps above remove many common, widespread infections that are straight-forward in nature. However, determining with any certainty whether a computer has been compromised or is "clean" involves an extremely tedious, complex, time-consuming process that requires advance planning. Yes, even more tedious and complex than the steps above. See this CERT guide for more information on assessing a Windows computer's integrity.

If security and privacy are your utmost concerns, it is always safest to do a complete re-format and re-install after a computer has been compromised. If you do choose to take this step, it is extremely important to use the following procedure to keep from getting re-infected almost immediately:

  1. Gather all materials you need. For example, backup media, firewall software, and any downloads you may need during the rebuild process. This is important because if you forget something and need to get on the network before all procedures are complete, your computer may become infected again and you'll have to start all over again. If you are running Windows XP, download Windows XP Service Pack 2 and burn it to CD before you start; it will benefit the process greatly.
  2. Disconnect the network cable.
  3. Perform your document backup. It would be best if only documents are backed up, not programs. Programs should be restored from original, trusted media.
  4. Reformat your computer.
  5. Reinstall programs from vendor media.
  6. If you are running Windows XP and you have a copy of Windows XP Service Pack 2, install that now. Newer computers come with Windows XP Service Pack 2, so this step may not be necessary.
  7. Enable the Windows XP firewall or other firewall you may have. See the StartSafe instructions. Windows XP Service Pack 2 comes with the firewall already enabled.
  8. Reboot your computer.
  9. When the computer has completely rebooted, connect your network cable and follow the rest of the StartSafe procedures ( http://www.jmu.edu/computing/security/startsafe ). Do not browse the web, use instant messaging, read e-mail, or do anything else until the StartSafe steps are completed.
  10. Change all passwords that were typed into your computer while it was infected.

With the prevalence of "viruses" today that provide third parties the ability to control infected, compromised computers, including the ability to log password keystrokes, it is strongly recommended that any passwords that may have been typed into an infected computer be changed. You must also keep in mind that other information, such as credit card numbers, personal documents, and electronic communications, may also have been intercepted.

If you have reason to believe you are the victim of identity theft or that your personal information was exposed, here are some resources and additional information: