Microsoft Windows Worm Removal Information
To help protect everyone on the JMU network, computers infected with viruses will be quarantined. Quarantined computers can reach all JMU sites but only a few outside web sites. It will take 12 working hours after the problem is corrected for Internet access to return to normal.
Unfortunately, cleanup procedures can be long and tedious. Be sure to follow the StartSafe instructions when the cleanup is finished to help prevent a recurrence. With today's threats, simple solutions like anti-virus and firewall software are not enough. For even more protection, use a non-privileged account for day-to-day use. This will:
To clean the computer, follow the appropriate instructions below for the type of computer to be cleaned. If the computer is used to handle sensitive information or services, the cleanup method that involves the least risk is to re-format and re-install. This is because determining the integrity of a system is a lot more complicated than most people realize.
Reviewing the following information may help you in cleaning the infection and preventing another one.
An infected computer is simply a computer running an undesirable program or programs. Whether it is a worm, a virus, a trojan, spyware, or something else, it is telling the computer to perform undesirable actions. Many such programs allow others to connect to the infected computer and interactively control it: capturing passwords and personal data, and running even more undesirable programs. The computer is under the complete control of the writer of the infecting program. Effectively, it has been "hacked", compromised, broken into, or whatever term you want to use to indicate it is no longer under your control.
There are four basic ways these programs get on our computers:
Defects in Windows programs are particularly vexing right now. You can take a brand new Windows computer out of the box and if you hook it up to the Internet without taking some prior precautions, it is likely to get infected within minutes. Think of these defects as broken windows on your computer. Anyone can crawl into your computer through the broken windows without you knowing it and without needing your help. A network connection is all that is needed. You do not need to open an e-mail attachment or download anything for your computer to become infected.
Similar defects in web browsers like Internet Explorer or e-mail clients like Outlook Express are allowing people or worms to crawl into your computer if you visit a malicious web site, click a malicious web link, or read a malicious e-mail message. You do NOT need to open an attachment or download any software for this to happen. Just clicking a link in e-mail, in an instant message, or on a web page is enough.
Once in, the criminals or their programs are free to do whatever they want: read your e-mail, delete your files, copy your passwords, steal your identity, attack other computers, and send spam.
People have written programs, called worms, that travel the Internet hopping from one computer to another through the same broken windows. These are troublesome, but it is important to remember the worm is only doing what anyone else can do: walk right in and take over.
Microsoft regularly releases updates to fix these broken windows as they are discovered. This is typical of all computer software. Installing these updates will prevent worms and criminals from crawling into your computer, but it will not kick them out if they are already in. Once a bad guy or his program climbs into your computer, things get difficult.
Anti-virus software watches over your computer as you start programs and read files. If it recognizes the program as a bad one, it will pop up a warning and keep it from running. However, the anti-virus software must be constantly updated to recognize the new bad programs that are released daily. If a new one comes along, the anti-virus software will let it walk right in without even blinking.
While anti-virus software is good at stopping recognized bad programs from running, it is not so good at removing them. A computer can still become infected if an unrecognized bad program is run (i.e. a new virus) or if one crawls in through a broken window, and getting it out often requires specialized tools and/or procedures.
Firewalls protect computers whose windows are broken, whose locks (passwords) are weak, or whose doors are inadvertently left open by their owners or shipped open by vendors. Windows XP comes with a firewall. A firewall will keep worms and criminals from jumping through broken windows until you can install the latest updates to fix those broken windows. But don't think of a firewall as a panacea. It is only there as a patch for underlying failures. The underlying failures and/or operating practices must be corrected. In addition, if you permit malicious programs to run on your computer, for example by opening a malicious e-mail attachment, they may disable the firewall.
All of these things are interrelated, and no one of them is as effective as the combination. Perhaps more importantly, operating practices can render all of them ineffective, particularly not heeding the recommendation to refuse to run unknown programs. Running the wrong program can disable anti-virus software, firewalls, and any other safeguard you have on your computer.
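The three safeguards described above (updates, anti-virus, firewall) can be checked together. The following script is an added example and is not part of the JMU page or the StartSafe instructions. It assumes a current Windows version (Windows 8/Server 2012 or later) with Windows Defender, so that the Get-HotFix, Get-MpComputerStatus and Get-NetFirewallProfile cmdlets are available; the 30-day and 3-day thresholds are this example's own choices. On Windows XP the firewall equivalents are "netsh firewall show state" and "netsh firewall set opmode mode=ENABLE".

```powershell
# Added example (not from the JMU page): read-only posture check of the three
# safeguards the text describes. Assumes Windows 8/Server 2012 or later with
# Windows Defender. Thresholds below are assumptions, not JMU policy.

$maxPatchAgeDays = 30   # assumption: flag machines with no update in 30 days
$maxSigAgeDays   = 3    # assumption: flag anti-virus signatures older than 3 days
$problems = @()

# 1. Updates: when was the most recent hotfix installed?
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $problems += "No installed updates found"
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$maxPatchAgeDays)) {
    $problems += "Last update $($latest.HotFixID) was installed $($latest.InstalledOn.ToShortDateString())"
}

# 2. Anti-virus: is real-time protection on, and are the signatures current?
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $problems += "Defender real-time protection is off"
    }
    if ($mp.AntivirusSignatureAge -gt $maxSigAgeDays) {
        $problems += "Anti-virus signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch {
    $problems += "Could not query Windows Defender: $($_.Exception.Message)"
}

# 3. Firewall: every profile (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $problems += "Firewall profile '$($p.Name)' is disabled"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: updates, anti-virus and firewall all look current"
} else {
    Write-Output "Problems found:"
    $problems | ForEach-Object { Write-Output " - $_" }
}
```

If a firewall profile is reported disabled, "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True" from an Administrator prompt turns it back on. Note that a script like this only reports what the operating system says about itself; a machine that is already compromised can misreport all three, which is why the page recommends re-formatting when the computer handles sensitive information.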
A new class of unwanted software, sometimes known as Spyware or Adware, is often installed by the operator of a computer as a by-product of other software installations. This type of unwanted software, which can be as compromising as more traditional worms and viruses, often requires specialized removal tools.
Risk of infection by any type of unwanted software can be reduced considerably by operating the computer with a safer, non-privileged account: software installed while you are logged in as an ordinary user cannot change system files, services, or the safeguards described above without an administrator's password.
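Setting up such an account takes a few commands. The script below is an added example, not part of the JMU page; it assumes Windows 10/Server 2016 or later, where the New-LocalUser and *-LocalGroupMember cmdlets exist, and the account name 'daily' is this example's choice. It is run once from an Administrator prompt; afterwards you log in as 'daily' for everyday use.

```powershell
# Added example (not from the JMU page): create a non-privileged everyday account
# and make sure it is a member of 'Users' only. Assumes Windows 10 or later.
# The account name 'daily' is an assumption.

function Test-IsElevated {
    # True when the current PowerShell process holds the Administrator role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    throw "Run this one-time setup from an Administrator prompt."
}

$name = 'daily'   # assumption: the name of the everyday, non-privileged account

# Create the account if it does not exist yet; the password is read interactively.
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $name"
    New-LocalUser -Name $name -Password $pw | Out-Null
}

# Membership in 'Users' only: never put the everyday account in Administrators.
if (-not (Get-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $name
}
if (Get-LocalGroupMember -Group 'Administrators' -Member $name -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $name
}

# Verify: list who actually holds administrative rights on this machine.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

When an administrative task is genuinely needed while logged in as 'daily', start it explicitly with elevation, for example "Start-Process powershell -Verb RunAs", and supply the administrator password at the prompt; everything else you run, including anything a malicious web page or attachment manages to launch, stays confined to the unprivileged account. On Windows XP the same arrangement is a "Limited" account in Control Panel > User Accounts, with "Run as..." for the occasional administrative task.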
To clean a computer, you have to:
The cleanup steps above remove many common, widespread infections that are straightforward in nature. However, determining with any certainty whether a computer has been compromised or is "clean" involves an extremely tedious, complex, time-consuming process that requires advance planning. Yes, even more tedious and complex than the steps above. See this CERT guide for more information on assessing a Windows computer's integrity.
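The "advance planning" that an integrity assessment needs is, concretely, a record of what the computer looked like while it was known to be clean. The following script is an added example, not part of the JMU page or the CERT guide it cites. It snapshots the places where unwanted programs usually arrange to be started (Run/RunOnce registry keys, services, scheduled tasks) together with the listening network ports, and compares the snapshot with a baseline saved earlier. It assumes Windows 8/Server 2012 or later for Get-ScheduledTask and Get-NetTCPConnection; the baseline path C:\baseline.json is this example's choice.

```powershell
# Added example (not from the JMU page or the CERT guide): snapshot common
# persistence points and listening ports, then diff against a saved baseline.
# Assumes Windows 8/Server 2012 or later. The baseline path is an assumption.

function Get-PersistenceSnapshot {
    $items = @()

    # Registry autostart entries (per-machine and per-user Run/RunOnce keys).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $k = Get-Item $key
            foreach ($valueName in $k.Property) {
                $items += "autorun|$key|$valueName|$($k.GetValue($valueName))"
            }
        }
    }

    # Services: name, start mode and the binary they run.
    foreach ($s in Get-CimInstance Win32_Service) {
        $items += "service|$($s.Name)|$($s.StartMode)|$($s.PathName)"
    }

    # Scheduled tasks that are not disabled, with what they execute.
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $items += "task|$($t.TaskPath)$($t.TaskName)|$actions"
    }

    # Listening TCP ports and the process that owns each one.
    foreach ($c in Get-NetTCPConnection -State Listen) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $items += "listen|$($c.LocalAddress):$($c.LocalPort)|$($proc.Name)|$($proc.Path)"
    }

    return $items | Sort-Object -Unique
}

$baselinePath = 'C:\baseline.json'   # assumption: written while the machine was clean
$now = Get-PersistenceSnapshot

if (-not (Test-Path $baselinePath)) {
    # First run: record the baseline for later comparison.
    $now | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath ($($now.Count) entries). Re-run later to compare."
} else {
    $base = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    $diff = Compare-Object -ReferenceObject $base -DifferenceObject $now
    if (-not $diff) { Write-Output "No change in persistence points since baseline." }
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW    ' } else { 'MISSING' }
        Write-Output "$tag $($d.InputObject)"
    }
}
```

Run it once on a freshly installed and patched machine to write the baseline, then again whenever the computer is suspected of infection: every "NEW" line is something to explain. Two caveats apply. The baseline file must be kept somewhere the computer cannot modify (removable media, a server), or an intruder can simply update it; and a compromised operating system can hide entries from these very queries, which is why the page says determining integrity is far harder than it looks and why re-formatting remains the safe choice.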
If security and privacy are your utmost concerns, it is always safest to do a complete re-format and re-install after a computer has been compromised. If you do choose to take this step, it is extremely important to use the following procedure to keep from getting re-infected almost immediately:
With the prevalence of "viruses" today that provide third parties the ability to control infected, compromised computers, including the ability to log password keystrokes, it is strongly recommended that any passwords that may have been typed into an infected computer be changed, preferably from a computer known to be clean. You must also keep in mind that other information, such as credit card numbers, personal documents, and electronic communications, may also have been intercepted.
If you have reason to believe you are the victim of identity theft or that your personal information was exposed, here are some resources and additional information: