From: Andrew H. <hel...@cs...> - 2009-02-17 04:23:48
Hi all,

If you have ever plugged your removable storage device into the HG5605Affy-SN01 computer (Windows XP, hooked up to the Affy scanner on 5th floor Gonda at the end of the building), it may now be infected with the W32/SillyFDC-N worm: http://www.sophos.com/security/analyses/viruses-and-spyware/w32sillyfdcn.html

Click "More Information" to find a list of files and registry keys that can indicate the presence of the worm. FYI: Where the website writes <Windows> and <System>, this usually means C:\WINDOWS\ and C:\WINDOWS\system\ respectively.

This appears to be a rather nasty worm to eradicate. Sophos has not been able to successfully remove it thus far, so a full system re-install may be required.

This worm spreads by infecting removable drives with an "autorun.inf" file. Consequently, any Windows machines that you may have plugged your device into (either prior to or after connecting to the machine mentioned above) are also potentially infected and should be checked.

I am quite certain that this virus was installed onto this computer as a result of plugging in a USB flash device, and/or made its way off of the computer via a USB flash device. Virus scan logs indicate its presence on two drives lettered "H" and "I" which are not currently plugged into the machine and are definitely not the usual CD/DVD drives (since those are still plugged in and labeled "F" and "G").

Please run a virus checker on your removable drives and any computers they may have come into contact with as soon as possible. You should probably log in to a non-privileged account before plugging in the removable device for checking it, as you may infect a machine in the process of plugging in the device (isn't autorun convenient and wonderful?). You might be able to get a Linux/Mac person to mount the device and look for any "Autorun.inf" files at the root of the device. It should not affect these machines since they do not automatically execute such files. Except for special circumstances, such a file should not exist on your flash drive. If found, the file could probably be deleted on the Linux box/Mac prior to checking it for infection on the PC.

Unfortunately, I do not have any information as to when this infection started and the symptoms of infection do not necessarily arise soon after infection, so please be diligent about checking the machines and USB storage devices that you have control over. If you cannot check your device right now, please consider using it under quarantine (avoid connecting to file shares, creating CDs/DVDs, or working with known-clean USB flash drives) until such time as you are able to check/repair it. This may mean unplugging from the network until it can be checked.

If possible, I would like to propose that people avoid plugging personal removable devices into computers that are hooked up to common lab infrastructure such as this, particularly if they regularly use the storage device with Microsoft Windows. Besides the fact that infection may necessitate a re-install of the operating system and specialized applications for driving the hardware, such computers serve as places where viruses can propagate very quickly to other lab members' machines.

--------
regards,
Andy

Andrew Helsley
Programmer/Analyst
Computing Technologies Research Lab (CTRL)
David Geffen School of Medicine at UCLA
Email: hel...@cs...
Office: 1 (310) 206-6556 (shared)
Phone: 1 (213) 591-0420 (cell phone)
AIM: morgaladh
Jabber: andrew.helsley at gmail dot com
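The message suggests having a Linux or Mac user mount the drive and look for an autorun.inf at its root. The script below is an added example, not part of Andy's message or the list archive: it performs that check in POSIX sh without executing anything on the volume, matches the filename in any letter case (Windows filesystems are case-insensitive, so "Autorun.inf" and "AUTORUN.INF" are the same file), and additionally prints the open=/shellexecute= directives so the reviewer can see which program autorun would have started. The mount-point globs (/media, /mnt, /Volumes) are assumptions about where removable drives appear; the sample volume it builds is constructed for the demo, and "example.exe" is a placeholder name, not a real worm component.

```shell
#!/bin/sh
# Added example (not from the original mailing-list message): inspect the root
# of mounted volumes for autorun.inf and report what it would launch.
# Assumptions: POSIX sh, grep, sed, head, mktemp; removable media appear
# under /media/*/*, /mnt/* or /Volumes/* (adjust for your system).

# autorun_path DIR: print the path of an autorun.inf at the root of DIR,
# matching any mix of upper/lower case. Exit 1 if there is none.
autorun_path() {
    for f in "$1"/[Aa][Uu][Tt][Oo][Rr][Uu][Nn].[Ii][Nn][Ff]; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }  # unmatched glob stays literal
    done
    return 1
}

# check_autorun DIR: exit 0 (and print the launch directives) if an autorun.inf
# is present, exit 1 if the volume root is clean. Nothing on the volume is run.
check_autorun() {
    if p=$(autorun_path "$1"); then
        printf 'FOUND: %s\n' "$p"
        # Drop CR from Windows line endings, then show open=, shellexecute=
        # and shell\...\command= lines, which name the program autorun starts.
        tr -d '\r' < "$p" |
            grep -i -E '^(open|shellexecute|shell\\[^=]*\\command)[[:space:]]*=' |
            sed 's/^/    /'
        return 0
    fi
    return 1
}

# autorun_target DIR: print just the value of the first open= or shellexecute=
# line (empty output and exit 1 if there is no autorun.inf).
autorun_target() {
    p=$(autorun_path "$1") || return 1
    tr -d '\r' < "$p" | grep -i -E '^(open|shellexecute)[[:space:]]*=' |
        head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# make_sample_volume DIR: build a CONSTRUCTED sample volume with an
# autorun.inf written CRLF-style as Windows would. The referenced
# "example.exe" is an empty placeholder file, not an executable.
make_sample_volume() {
    mkdir -p "$1/RECYCLED"
    printf '[autorun]\r\nopen=RECYCLED\\example.exe\r\nshellexecute=RECYCLED\\example.exe\r\n' \
        > "$1/Autorun.inf"
    : > "$1/RECYCLED/example.exe"
}

# Demo: one constructed infected volume, one clean directory, then whatever
# removable media happens to be mounted on this machine.
demo=$(mktemp -d)
make_sample_volume "$demo/usb"
mkdir -p "$demo/clean"
for d in "$demo/usb" "$demo/clean" /media/*/* /mnt/* /Volumes/*; do
    [ -d "$d" ] || continue
    if check_autorun "$d"; then
        printf 'REVIEW: %s would launch "%s"\n' "$d" "$(autorun_target "$d")"
    else
        printf 'clean:  %s\n' "$d"
    fi
done
rm -rf "$demo"
```

Run it as an unprivileged user on the Linux or Mac host after mounting the drive read-only; a FOUND line on a personal flash drive is the signal the message describes, and the directive lines tell you which file on the drive to submit to the scanner before deleting the autorun.inf.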