From: Bret H. <ja...@ga...> - 2009-02-19 20:11:50
Hey Andy,

Was the virus-checker successful, should I order a glue gun?

-bret

On Mon, Feb 16, 2009 at 08:03:02PM -0800, Andrew Helsley wrote:
> Hi all,
>
> If you have ever plugged your removable storage device into the
> HG5605Affy-SN01 computer (Windows XP, hooked up to the Affy scanner on 5th
> floor Gonda at the end of the building), it may now be infected with
> the W32/SillyFDC-N worm:
>
> http://www.sophos.com/security/analyses/viruses-and-spyware/w32sillyfdcn.html
>
> Click "More Information" to find a list of files and registry keys that
> can indicate the presence of the worm. FYI: Where the website writes
> <Windows> and <System>, this usually means C:\WINDOWS\ and
> C:\WINDOWS\system\ respectively.
>
> This appears to be a rather nasty worm to eradicate. Sophos has not been
> able to successfully remove it thus far, so a full system re-install may
> be required. This worm spreads by infecting removable drives with an
> "autorun.inf" file. Consequently, any Windows machines that you may have
> plugged your device into (either prior to or after connecting to the
> machine mentioned above) are also potentially infected and should be
> checked.
>
> I am quite certain that this virus was installed onto this computer as a
> result of plugging in a USB flash device, and/or made its way off of the
> computer via a USB flash device. Virus scan logs indicate its presence on
> two drives lettered "H" and "I" which are not currently plugged into the
> machine and are definitely not the usual CD/DVD drives (since those are
> still plugged in and labeled "F" and "G").
>
> Please run a virus checker on your removable drives and any computers they
> may have come into contact with as soon as possible. You should probably
> log in to a non-privileged account before plugging in the removable device
> for checking it, as you may infect a machine in the process of plugging in
> the device (isn't autorun convenient and wonderful?). You might be able
> to get a Linux/Mac person to mount the device and look for any
> "Autorun.inf" files at the root of the device. It should not affect these
> machines since they do not automatically execute such files. Except for
> special circumstances, such a file should not exist on your flash drive.
> If found, the file could probably be deleted on the Linux box/Mac prior to
> checking it for infection on the PC.
>
> Unfortunately, I do not have any information as to when this infection
> started and the symptoms of infection do not necessarily arise soon after
> infection, so please be diligent about checking the machines and USB
> storage devices that you have control over. If you cannot check your
> device right now, please consider using it under quarantine (avoid
> connecting to file shares, creating CDs/DVDs, or working with known-clean
> USB flash drives) until such time as you are able to check/repair it.
> This may mean unplugging from the network until it can be checked.
>
> If possible, I would like to propose that people avoid plugging personal
> removable devices into computers that are hooked up to common lab
> infrastructure such as this, particularly if they regularly use the
> storage device with Microsoft Windows. Besides the fact that infection
> may necessitate a re-install of the operating system and specialized
> applications for driving the hardware, such computers serve as places
> where viruses can propagate very quickly to other lab members' machines.
>
> --------
> regards,
> Andy
>
> Andrew Helsley
> Programmer/Analyst
> Computing Technologies Research Lab (CTRL)
> David Geffen School of Medicine at UCLA
> Email: hel...@cs...
> Office: 1 (310) 206-6556 (shared)
> Phone: 1 (213) 591-0420 (cell phone)
> AIM: morgaladh
> Jabber: andrew.helsley at gmail dot com
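
The check suggested in the quoted message (mount the device on a Linux or Mac machine and look for "Autorun.inf" at its root), as an added example that is not part of the original thread. The function names are this example's own, and it assumes the volume is already mounted and its mount point is passed as the first argument; it only reports and never deletes or runs anything.

```shell
#!/bin/sh
# Added example: inspect a mounted removable volume for autorun.inf.
# Meant for Linux/macOS, which do not act on autorun.inf when a drive is mounted.

# Print any autorun.inf at the root of the volume. FAT/NTFS names are
# case-insensitive, so AUTORUN.INF, Autorun.inf etc. must all match.
find_autorun() {
    find "$1" -maxdepth 1 -type f -iname 'autorun.inf' 2>/dev/null
}

# Print the commands the file asks Windows to launch: the values of the
# open=, shellexecute= and shell\<verb>\command= keys. CRs are stripped
# because the file normally has DOS line endings.
autorun_targets() {
    tr -d '\r' < "$1" | awk -F= '
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "open" || key == "shellexecute" || key ~ /^shell\\.*\\command$/ {
            sub(/^[^=]*=[ \t]*/, "")   # keep everything after the first "="
            print
        }'
}

# Report on one volume. Returns 0 if no autorun.inf is at the root, 1 otherwise.
check_volume() {
    found=$(find_autorun "$1")
    if [ -z "$found" ]; then
        echo "clean: no autorun.inf at root of $1"
        return 0
    fi
    echo "$found" | while IFS= read -r f; do
        echo "SUSPECT: $f"
        autorun_targets "$f" | sed 's/^/  would launch on Windows: /'
    done
    return 1
}

# Usage: sh check_autorun.sh /path/to/mounted/volume
[ "$#" -eq 0 ] || check_volume "$1"
```

The files named in the "would launch" lines are the ones to hand to the virus checker first, alongside the autorun.inf itself.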