Security Recommendations / Worm Clean-Up
Security Recommendations
All systems should:
- have complete critical and recommended Windows Update and
Office Update patches (updating automatically if possible).
- be running a personal firewall with tight settings (i.e. no
trusted networks/hosts beyond those that are genuinely required
[e.g. local file/mail server, DNS hosts]; no inbound/outbound access
for any program that does not need it [discover this by blocking
everything, then allowing one program at a time to access the network]).
DO NOT AUTOMATICALLY CLICK 'OK' FOR EVERY PROGRAM THAT WANTS
TO ACCESS THE NETWORK OR ACT AS A SERVER, OR YOU MIGHT AS WELL
NOT RUN A FIREWALL!
- be running the very latest Microsoft Security Essentials
(updating automatically every day), or other anti-virus software.
- be running some spyware / adware removal packages (Ad-Aware,
SpyBot) to help ensure no keyboard loggers, etc., have been installed.
Other suggestions to help avoid problems:
- Do not open e-mail attachments unless they were requested or expected.
If possible, do not use Outlook / Outlook Express as your default mail
reader; alternatives with far fewer security holes are Eudora, Mozilla,
Mozilla Thunderbird, Netscape 7, Pine.
- Do not use Internet Explorer as your default
browser; alternatives with far fewer security holes are Mozilla,
Mozilla Firefox, Opera, and Chrome. If you must use IE, set the
Internet zone security level to 'High'. You must still use IE for
Windows Update.
- Do not run software that has been downloaded from the Internet unless it
has been scanned for viruses. Simply visiting a compromised Web site can
cause infection if certain browser vulnerabilities are not patched.
- All accounts and file shares should have strong passwords
(14+ characters, mixed upper/lower case, digits, punctuation) to deter
dictionary-based attacks.
- Do not use the 'Administrator' account, or an account with
'Administrator' rights, as your normal login; instead, use a regular
user account, with a good password.
- Make sure 'Java' and 'Flash Player' are kept up to date.
NOTE: Flash Player has to be updated in each browser separately.
- Run an application that checks that your other applications
are up to date. Secunia Personal Software Inspector (PSI) works well.
- For other ideas, see 'Protecting Your Family's Computers'
at the SANS Internet Storm Center.
Windows Security Checklist Articles/Blog by Larry Stevenson (aka Prince_Serendip):
- Firewalls and Antivirus Applications for Basic Protection
- To Do and Do Not
- Safe at Any Speed Online
- Securing Your Network Configuration or Home LAN Security
- Are Cookies Really GUID for You?
- Invisible Internet Browsing
- HOSTS File: Wholesale Blocking
- IM Insecure
- Batting Clean-up
- PC Pesticides
Microsoft Security Notes
Other Windows Security Sites
Worm / Adware / Spyware Manual Removal Instructions
These principles may help deal with the new variants of the worms /
viruses / spyware / bots (hereafter called 'malware') that are
appearing much faster than the anti-virus vendors can produce and
distribute new versions. Norton Anti-Virus does seem to be able to
remove the older variants.
It is recommended (necessary?) to reboot the infected system in Safe
Mode to be able to run NAV, as most recent malware will kill the common
anti-virus programs and firewalls.
It also seems that even machines running current patches are being
infected. Removing the infection does not prevent the system from
being re-infected (almost immediately in some cases); make sure your
patches and NAV are up to date, run a personal firewall (even the
Windows XP SP2 firewall should deter most external attackers), and make
sure that all accounts have good passwords (see above) on them, as one
of the methods used by the current malware to spread is via accounts /
file shares with weak passwords.
The following manual procedure to remove infections was originally
provided courtesy of Jim Charters, Systems and Networks, Department of
Geology, and is subject to the following conditions:
That neither Jim Charters, nor the Department of Geology, nor
Computer and Network Services, are liable for any consequences of
following these steps.
It should be stressed that the registry should be backed up
before making changes to it.
Here's the general procedure:
- Malware often checks for an active network connection
before commencing its activities, so you will need to find the
source of the problem while the system has network (and probably
Internet) connectivity, so that PING etc. will work. Rebooting a
blocked host may cause the malware activity to cease until it is
booted on an unblocked IP with Internet access.
Determine what process / filename is responsible for the undesirable
activity. You can add the process ID to the columns shown in the
task manager to help with the mapping of PIDs to process names.
If the system is acting as a server (SMTP / FTP / HTTP / P2P),
'netstat -a -n -o' will show the process and what port(s) it has
open. Add '-b' to see the filename associated with each
connection (this is very slow!).
Scanning activity is unlikely to be seen by 'netstat'. Instead use a
packet sniffer and/or process monitor ('Ethereal', 'TCPView',
'ProcessExplorer') to determine the source of the packets. It is
very handy to have a CD with these and other tools, critical
patches, etc. A sample is available
here.
- Bring a CD that has the clean up tools and critical patches (both
W2K and XP) on it.
The following "Critical" patches all need to be applied.
This list does not include "Moderate" or "Important" patches.
Bulletin    KB article   Applies to
MS03-041    823182
MS03-042    826232       W2K only
MS03-043    828035
MS03-044    825119
MS03-049    828749       W2K only
MS04-007    828028
MS04-004    832894
MS04-008    832359       W2K only
MS04-011    835732
MS04-012    828741
MS04-013    837009
MS04-022    841873
MS04-023    840315
[NOTE: this list is NOT up to date!!!]
- Physically disconnect system from the network.
- Log on as the local Administrator.
- Disable System Restore (XP only) [you must be Administrator]
This is very important to do.
- Click Start, then Programs, then Accessories,
then Windows Explorer.
- Right-click My Computer, and then click Properties.
- Click the System Restore tab.
- Check the "Turn off System Restore" or "Turn off System
Restore on all drives" check box.
- Click Apply.
- Click Yes to remove all restore points.
- Click OK.
- Reboot system in 'Safe' mode - no networking.
- Log on as the local Administrator
- Terminate the offending process (called 'XXX' hereafter).
(The utils 'pslist.exe', 'psservices.exe' and 'fport.exe' on the CD
can be used to list out running processes and services.
'fport.exe' will list out what programs have network connections.
The 'pskill.exe' program can be used to kill off a running process.
These must be run from the CMD command prompt.)
- Delete all occurrences of 'XXX' on all local hard drives.
Deleting it with wildcards also removes the copies that XP puts in
the prefetch folder.
- Run the Norton FixKorgo.exe and any other Norton clean-up
tools from the CD-ROM. It may be necessary to use the pslist.exe
and pskill.exe tools to kill the running virus/worm before the
clean-up tools can repair the computer.
- Run the McAfee stinger.exe tool from the CD-ROM
- Scan the system with NAV and spyware removal tools.
- Install all of the patches in proper order (oldest to newest)
from the CD-ROM.
- Install NAV, a personal firewall (if desired), and adware/spyware
removal tools if they are on the clean-up CD.
- Edit the 'hosts' file(s):
(W2K) "type C:\WINNT\system32\drivers\etc\hosts"
(XP) "type C:\WINDOWS\system32\drivers\etc\hosts"
which may have been modified so that 127.0.0.1 has been set as the
IP number of a lot of useful things (like "windowsupdate.microsoft.com",
"www.symantec.com", etc.).
It should only contain "127.0.0.1 localhost" and nothing else.
Use 'Notepad' to remove anything else.
- Make a backup copy of the registry.
- Use 'regedit' to remove all keys that reference 'XXX'.
Some helpful hints from Rouben Tchakhmakhtchian (UTSC Computing & Networking Services):
With regards to registry entries, most viruses nowadays create
relatively random entries (and filenames) in:
- Software\Microsoft\Windows\CurrentVersion\Run
- Software\Microsoft\Windows\CurrentVersion\RunOnce
- Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- Software\Microsoft\Windows\CurrentVersion\RunServices
under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and possibly several
entries under HKEY_USERS (.DEFAULT) in particular, which is the default
user's profile.
Under Windows 2000/XP, the presence of a 'RunServices' key in the registry
usually is an indicator of a virus infection, since in 90% of the cases
that registry key is not present when the OS is first installed.
'RunServices' is a backwards-compatibility feature, because that's how
system services were started in Windows 9x series, if one can at all
claim that Windows 9x was capable of running services.
Another setting worth checking out is:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The entry to look for is a string value named 'Userinit'. It should
normally be 'c:\windows\system32\userinit.exe,' (note the comma at the
end). The original W32.Funner virus (that spread through MSN) used to
copy itself under 'c:\windows\system32\userinit32.exe' and modify this
entry as well. The neat thing about this is that the virus can load
itself even in safe mode. Watch out for these.
- Reset system passwords.
- Power down.
- Reconnect the network cable.
- Reboot.
- Check that there is no 'XXX' process running.
- Enable system restore on XP if everything looks OK.
- Ensure you can visit the Symantec, McAfee, Microsoft and MSCD web sites.
If NOT, verify network connectivity with "nslookup 147.153.15.11"
and "ping clem.mscd.edu".
Reboot and re-test the above URLs.
- Reboot again to make a system restore point.
- Install Windows Update and Office Update recommended/optional patches.
Update personal firewall, anti-virus, adware/spyware removal tools.
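As an added example (not part of this page or of Jim Charters' procedure), a small Python audit for two of the checks above: it flags every hosts-file entry other than '127.0.0.1 localhost', and applies the registry hints (RunServices present, Userinit changed, Run/RunOnce/RunOnceEx/RunServices entries) to a regedit text export. The inputs are constructed samples; the hijacked hostnames, userinit32.exe and the 'svchost32' entry are made up to match the text, not taken from a real infection.

```python
import re

# Constructed sample hosts file (not a real machine): vendor names -> 127.0.0.1
HOSTS_SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com  liveupdate.symantec.com
"""
# Constructed regedit export fragment; userinit32.exe and svchost32 are made up
REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="c:\\windows\\system32\\userinit32.exe,"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"svchost32"="C:\\WINDOWS\\system32\\xxx.exe"
"""
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"  # from the hints above

def audit_hosts(text):
    """Return every (ip, hostname) pair other than '127.0.0.1 localhost'."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()  # one IP, then one or more hostnames
        for name in names:
            if not (ip == "127.0.0.1" and name.lower() == "localhost"):
                findings.append((ip, name))
    return findings

def audit_reg_export(text):
    """Flag a RunServices key, a non-default Userinit, and autorun entries."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # start of a key
            key = line[1:-1].lower()
            if key.endswith(r"\currentversion\runservices"):
                findings.append(("RunServices key present", line[1:-1]))
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)  # "name"="string data"
        if m and key:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # unescape
            if key.endswith(r"\winlogon") and name.lower() == "userinit":
                if data.lower() != EXPECTED_USERINIT:
                    findings.append(("Unexpected Userinit", data))
            elif re.search(r"\\currentversion\\run(once|onceex|services)?$", key):
                findings.append(("Autorun entry", f"{name}={data}"))
    return findings
```

Run it against the output of 'type ...\hosts' and of 'regedit /e' on the suspect keys; the RunServices and Userinit findings are the ones the hints above single out.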
This page is maintained by Mike Peterson,
mikep@rubberchickencult.ca.
Created November 25, 2004. Last updated June 27, 2017.