From: Andrew H. <hel...@cs...> - 2009-02-19 23:18:30
No, it was not successful in removing the worm, though it may not be as
much of a problem for external computers as long as the firewall is on.
We can still try this approach:
Install a second copy of windows onto the C drive, then run the
virus checker again on the original windows directory. From there
it should be capable of removing the worm's files, but might still
leave some registry keys lying around in the original windows
directory.
... if that fails, then it is time to reinstall Windows XP, the Affy
software, and all of the other software that is needed on that machine.
That will probably be a major undertaking... :P If this is necessary,
then we need to ensure that the firewall is enabled and configured
sufficiently well that no one wants to turn it off. Also, we'll need to
ensure that the virus scanner scans all removable devices that get plugged
in.
----
Andy
On Thu, 19 Feb 2009, Bret Harry wrote:
> Hey Andy,
>
> Was the virus-checker successful, should I order a glue gun?
>
> -bret
>
> On Mon, Feb 16, 2009 at 08:03:02PM -0800, Andrew Helsley wrote:
>> Hi all,
>>
>> If you have ever plugged your removable storage device into the
>> HG5605Affy-SN01 computer (Windows XP, hooked up to the Affy scanner on 5th
>> floor Gonda at the end of the building), it may now be infected with
>> the W32/SillyFDC-N worm:
>>
>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32sillyfdcn.html
>>
>> Click "More Information" to find a list of files and registry keys that
>> can indicate the presence of the worm. FYI: Where the website writes
>> <Windows> and <System>, this usually means C:\WINDOWS\ and
>> C:\WINDOWS\system\ respectively.
>>
>> This appears to be a rather nasty worm to eradicate. Sophos has not been
>> able to successfully remove it thus far, so a full system re-install may
>> be required. This worm spreads by infecting removable drives with an
>> "autorun.inf" file. Consequently, any Windows machines that you may have
>> plugged your device into (either prior to or after connecting to the
>> machine mentioned above) are also potentially infected and should be
>> checked.
>>
>> I am quite certain that this virus was installed onto this computer as a
>> result of plugging in a USB flash device, and/or made its way off of the
>> computer via a USB flash device. Virus scan logs indicate its presence on
>> two drives lettered "H" and "I" which are not currently plugged into the
>> machine and are definitely not the usual CD/DVD drives (since those are
>> still plugged in and labeled "F" and "G").
>>
>> Please run a virus checker on your removable drives and any computers they
>> may have come into contact with as soon as possible. You should probably
>> log in to a non-privileged account before plugging in the removable device
>> for checking it, as you may infect a machine in the process of plugging in
>> the device (isn't autorun convenient and wonderful?). You might be able
>> to get a Linux/Mac person to mount the device and look for any
>> "Autorun.inf" files at the root of the device. It should not affect these
>> machines since they do not automatically execute such files. Except for
>> special circumstances, such a file should not exist on your flash drive.
>> If found, the file could probably be deleted on the Linux box/Mac prior to
>> checking it for infection on the PC.
>>
>> Unfortunately, I do not have any information as to when this infection
>> started and the symptoms of infection do not necessarily arise soon after
>> infection, so please be diligent about checking the machines and USB
>> storage devices that you have control over. If you cannot check your
>> device right now, please consider using it under quarantine (avoid
>> connecting to file shares, creating CDs/DVDs, or working with known-clean
>> USB flash drives) until such time as you are able to check/repair it.
>> This may mean unplugging from the network until it can be checked.
>>
>> If possible, I would like to propose that people avoid plugging personal
>> removable devices into computers that are hooked up to common lab
>> infrastructure such as this, particularly if they regularly use the
>> storage device with Microsoft Windows. Besides the fact that infection
>> may necessitate a re-install of the operating system and specialized
>> applications for driving the hardware, such computers serve as places
>> where viruses can propagate very quickly to other lab members' machines.
>>
>> --------
>> regards,
>> Andy
>>
>> Andrew Helsley
>> Programmer/Analyst
>> Computing Technologies Research Lab (CTRL)
>> David Geffen School of Medicine at UCLA
>> Email: hel...@cs...
>> Office: 1 (310) 206-6556 (shared)
>> Phone: 1 (213) 591-0420 (cell phone)
>> AIM: morgaladh
>> Jabber: andrew.helsley at gmail dot com
>>
>>
>> _______________________________________________
>> Nelsonlab-sysops mailing list
>> Nel...@li...
>> https://lists.sourceforge.net/lists/listinfo/nelsonlab-sysops
>
--------
regards,
Andy
Andrew Helsley
Programmer/Analyst
Computing Technologies Research Lab (CTRL)
David Geffen School of Medicine at UCLA
Email: hel...@cs...
Office: 1 (310) 206-6556 (shared)
Phone: 1 (213) 591-0420 (cell phone)
AIM: morgaladh
Jabber: andrew.helsley at gmail dot com
WWW: http://www.cs.ucr.edu/~helsleya
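The check Andy asks Linux/Mac users to perform above (look for an Autorun.inf at the root of the stick, read it, and get rid of it before the drive touches another Windows box) as a small POSIX shell script. This is an added example for this archive page, not code from the thread or from the lab; the mount points, file names and the contents of the sample autorun.inf are constructed for illustration and are not the worm's actual file names. It parses the open= and shellexecute= directives to show which file the .inf would launch, and moves the .inf plus the files it names into a quarantine directory rather than deleting them, so a sample survives for the AV vendor.

```shell
#!/bin/sh
# Added example, not from the original thread: inspect a removable volume
# mounted on a Linux/Mac box for the autorun.inf mechanism the worm above
# uses to spread, show what that file would launch on a Windows host, and
# move the offending files aside. Mount points, file names and .inf contents
# below are constructed for illustration; they are not the worm's real ones.

# find_at_root MOUNTPOINT NAME
# Print the path of a regular file called NAME (any letter case) directly
# under MOUNTPOINT; return 1 if there is none. Case-insensitive because a
# FAT volume may present the name as AUTORUN.INF. Only the root matters:
# Windows autorun never consults an autorun.inf in a subdirectory.
find_at_root() {
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        if [ "$(basename "$_f" | tr 'A-Z' 'a-z')" = "$_want" ]; then
            printf '%s\n' "$_f"
            return 0
        fi
    done
    return 1
}

# find_autorun MOUNTPOINT: the check the thread asks Linux/Mac users to do.
find_autorun() {
    find_at_root "$1" autorun.inf
}

# autorun_targets AUTORUN_INF
# Print the command named by each open= and shellexecute= directive, one
# per line, with the INI file's CRLF endings and surrounding blanks removed.
# Whatever these name is the payload that rides along with the .inf.
autorun_targets() {
    tr -d '\r' < "$1" |
        grep -iE '^[[:space:]]*(open|shellexecute)[[:space:]]*=' |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# quarantine_autorun MOUNTPOINT QUARANTINE_DIR
# Move autorun.inf and every root-level file it names into QUARANTINE_DIR
# instead of deleting them, so a sample survives for the AV vendor while the
# stick stops being able to infect the next Windows machine it meets.
# Return 0 if files were moved, 1 if the volume had no autorun.inf.
quarantine_autorun() {
    _mp=$1
    _q=$2
    _inf=$(find_autorun "$_mp") || return 1
    mkdir -p "$_q"
    autorun_targets "$_inf" | while IFS= read -r _cmd; do
        # Keep the program name only ("setup.exe /s" -> setup.exe) and drop
        # a leading ".\" or "\" so it can be looked up at the volume root.
        _file=$(printf '%s\n' "$_cmd" | awk '{print $1}' | sed -e 's#^\.##' -e 's#^[\\/]##')
        [ -n "$_file" ] || continue
        _path=$(find_at_root "$_mp" "$_file") && mv "$_path" "$_q/"
    done
    mv "$_inf" "$_q/"
}

# make_sample_volume
# Build a constructed stand-in for an infected USB stick in a temp dir and
# print its path: an AUTORUN.INF (upper case, as a FAT volume may show it)
# with CRLF line endings, two stand-in payload files, and one innocent file.
make_sample_volume() {
    _v=$(mktemp -d)
    printf '[autorun]\r\nOPEN=setup.exe /s\r\nshellexecute=.\\helper.exe\r\nicon=setup.exe\r\n' \
        > "$_v/AUTORUN.INF"
    : > "$_v/setup.exe"
    : > "$_v/helper.exe"
    : > "$_v/thesis.pdf"
    printf '%s\n' "$_v"
}

# Report on the mount point given as $1, or on the constructed sample.
vol=${1:-$(make_sample_volume)}
if inf=$(find_autorun "$vol"); then
    echo "autorun.inf present at $inf; on Windows it would run:"
    autorun_targets "$inf" | sed 's/^/    /'
    echo "review the above, then: quarantine_autorun \"$vol\" \"$vol.quarantine\""
else
    echo "no autorun.inf at the root of $vol"
fi
```

Run it with no argument to see it work on the constructed sample, or pass the directory where the stick is mounted to inspect a real volume; it only reports, and quarantine_autorun is left for you to call once you have looked at what the .inf points to. The quarantine step is a deliberate variant of the deletion the thread suggests: moving the files aside is just as effective at stopping the stick from seeding the next Windows machine, and it keeps the sample.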