Win32 Virus Removal

Computerworld - Many people are worried about H1N1 this flu season, but I'm more concerned about a different kind of virus right now. My company is dealing with an outbreak of the Conficker worm, which uses some fairly sophisticated techniques to evade detection and removal. Meanwhile, some cleverly designed spam is getting past our filters as well. Both of these problems are examples of evolving network threats that present some challenges to the security team.

How did we get infected by Conficker? Computerworld has reported that this worm is infecting 50,000 computers every day and as of October had passed the 7 million-victim milestone. Some observers say that number will double by the end of this month. The worm takes advantage of a Microsoft security hole that, if not patched, leaves computers open to infection.

In my company, the use of USB thumb drives is prevalent, and the worm is infecting these portable storage devices and taking advantage of the autorun feature of Windows to spread. It then proceeds to take over the processor, shut down services and generally make the infected computer unusable. Of course, there's a patch for that (the worm has been around for over a year, and so has the patch), and Microsoft's removal tool for malicious software can clean it -- but as always, patching needs more attention in my company. I still maintain that a good patching program would save us a lot of time and trouble, since we would have to expend only a little bit of effort upfront while avoiding a lot of work later in cleaning up problems. What's more, regular patching creates a generally more stable environment. But it will take time to get there. In the meantime, we have to deal with this outbreak.

The Conficker worm has gotten a lot of press, having infected some high-profile organizations such as military organizations and government agencies around the world. It uses some fairly sophisticated techniques to contact its controllers, avoid detection and spread itself, as well as random-seeming Web sites to update itself. It propagates via USB drives, networks and peer-to-peer software. It's easy to get, and hard to kill.

So, we've been chasing this annoying beastie, and cleaning it when we find it, but it keeps coming back. It's a persistent bug. Of course, when something like this happens, it helps my case by focusing attention on the importance of patching and proactive security measures, but that makes me feel slightly guilty, as if there should have been more I could have done to avoid the situation in the first place. I think it's unfortunate that it sometimes takes a security incident to get people to realize the risks the business is taking.