Recently, a fellow faculty member called me, and told me that there was something wrong with his notebook computer. His computer access to the university’s wireless network had been suspended because of the excessive bandwidth his computer was utilizing while on the network. He did not understand what could be wrong as he had name brand antivirus software installed on his computer, which he updated “once or twice a week”. On further inquiry, I also found that he did not have a firewall on his computer. I invited him to bring his notebook over to my office and we would find out what his problem was.
Suspicious that he had at least one major virus on his computer, I decided to put together a bundle of software to check out his computer. While waiting for him to arrive, I burned the software to a CD.
Normally, when someone informs me that he thinks he may have a virus on his computer, I will ask if he has internet access and can get online. If he can get online, I always ask him to run one of the several excellent and free online virus scanning utilities. My perennial first choice is Trend Micro’s Housecall (housecall.antivirus.com), arguably the most popular free online virus scan. Housecall does not require registration, and is constantly updated. At the same location Housecall is also offering the new “beta” version of its online scan, which adds spyware and other malware detection, and that is the version I now recommend. Housecall requires Internet Explorer, as it uses Microsoft’s ActiveX technology, which most other browsers lack. If for some reason Housecall does not run, or the user has a browser other than Internet Explorer, then I suggest that he run Panda’s free online scan, available at www.pandasoftware.com. Panda requires that a user register prior to the scan, and the user will likely receive a follow-up email soliciting business for Panda’s excellent antivirus software.
Occasionally, an online scan will identify malware but be unable to remove it. Many of the antivirus publishers offer several free utilities that will remove specific viruses and Trojans. In addition to Panda, which offers these utilities (click on “Repair Utilities” in the left column), another company with a selection of free utilities for the removal of specific viruses and Trojans is Eset Software, available for download at www.nod32.com.
While these resources are reliable, many of the recent crop of viruses and other malware are especially nasty and self-protecting, in that they block internet access to the major antivirus websites and do not allow Housecall or other online scans to run. Being aware of this fact, and of the likelihood that my faculty member had one of these newer threats on his computer, I prepared the CD.
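One common way malware of this kind blocks access to vendor sites is by pinning their hostnames to a useless address in the Windows hosts file, so the browser never reaches the real server. The article does not say which mechanism Sober used, so treat that as an assumption. The following check is an added example, not code from the article or from any of the vendors named in it: it parses a hosts file (a constructed sample is embedded so it runs offline, which matches the situation of a machine cut off from the network) and reports any entry for a watched vendor or update domain. The watched-domain list is illustrative, not exhaustive.

```python
import ipaddress
import sys

# Vendor and update domains worth watching. Illustrative assumption: the
# article names these vendors; it does not supply this list.
WATCHED_SUFFIXES = (
    "antivirus.com", "trendmicro.com", "pandasoftware.com", "nod32.com",
    "mcafee.com", "nai.com", "lavasoftusa.com", "safer-networking.org",
    "windowsupdate.com", "microsoft.com",
)

# Constructed sample of a tampered hosts file; the first two lines are what a
# stock Windows hosts file looks like, the rest are what a hijack would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       housecall.antivirus.com
127.0.0.1       www.pandasoftware.com   www.nod32.com
0.0.0.0         windowsupdate.microsoft.com  # added by malware
192.168.0.1     router.lan
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.

    One hosts line may carry several hostnames; each gets its own pair.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_target(ip):
    """Loopback, unspecified, private or reserved targets mean the name is being
    sinkholed; an unparseable address is reported as suspicious as well."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_reserved


def find_hijacked_av_entries(hosts_text):
    """Return (hostname, ip, sinkholed) for every watched domain pinned in the file.

    A clean hosts file does not contain vendor sites at all, so every hit is
    reported; the third field separates an obvious sinkhole from a redirect to
    some other address, which still deserves a look.
    """
    return [
        (name, ip, suspicious_target(ip))
        for ip, name in parse_hosts(hosts_text)
        if is_watched(name)
    ]


if __name__ == "__main__":
    # With a path argument, inspect a real file (on Windows this is usually
    # C:\Windows\System32\drivers\etc\hosts); otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, ip, sinkholed in find_hijacked_av_entries(text):
        print(f"{'SINKHOLED' if sinkholed else 'REDIRECTED'}: {name} -> {ip}")
```

Run it from the rescue CD against the infected machine's hosts file before expecting any online scan to work; if vendor names appear there, removing those lines (or restoring a stock hosts file) is a prerequisite for Housecall and similar tools, and a sign that a process-level blocker is probably present too.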
On my computer I downloaded the old mainstays of Ad-Aware (www.lavasoftusa.com) and Spybot Search & Destroy (www.safer-networking.org), along with their latest update files. I also downloaded Microsoft’s Anti-Spyware (www.microsoft.com/security, you may have to “search” for “spyware”). My reason for including several anti-spyware utilities in my bundle was that many of the newer viruses and Trojans also install spyware, zombies, or other parasites on an infected computer, and these utilities are good at detecting and removing that malware.
To complete the bundle, I downloaded Stinger, a very popular free-standing antivirus utility from McAfee (vil.nai.com/vil/stinger). Stinger is a free utility that detects over 50 of the most common and damaging viruses and Trojans, as well as almost all of their known variants, and is small enough to fit on a floppy disc. As has been said before, several of the recent viruses protect themselves by preventing antivirus and other beneficial software from running, and Stinger is one of those products that has been explicitly targeted. For this reason, McAfee had renamed the product, first with a numeral, in the form of Stinger1 and Stinger2, but several of the endemic Sober worms now prevent anything beginning with “sting” from running. The latest iteration of Stinger has the filename s-t-i-n-g-e-r.exe to circumvent the restrictions imposed by the current generation of Sober worms.
When he arrived at my office, I booted up his computer and inserted my recently burned CD with the bundle of utilities. Since his access to the network had been curtailed, there was no use attempting to run my typical first choice, Housecall or another online scan. I ran Stinger from the CD, and it took a while to run, as he had a large and nearly full hard drive. Stinger detected 17 worms and viruses on his computer, all variants of the Sober worm, a breed of malware which would clearly account for the volume of illicit network activity reported by the IT department, as Sober tried to propagate itself thousands of times to other computers. Stinger removed 16 of the 17 Sober infections, leaving one that required additional work. Once that remaining infection was identified by type and version, I was able to download a free-standing removal tool from both Panda and Eset, which worked.
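The IT department noticed this machine only because of its bandwidth. A more specific signal, and the one a network team would want to alert on, is the fan-out of a mass-mailing worm: one workstation opening connections to dozens or thousands of distinct hosts on TCP port 25, which no ordinary desktop does. The following detection is an added example, not code from the article or from any product it mentions. It assumes, as is typical for mass-mailing worms, that propagation shows up as direct outbound SMTP connections to many different hosts, and it assumes a simple one-connection-per-line log format of my own construction; the sample log is built inline so the script runs offline.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not from the article):
# "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)"
)


def smtp_fanout(log_lines):
    """Map each source IP to the set of distinct hosts it tried on TCP/25.

    Distinct destinations, not packet counts, are what separate a worm from a
    user who legitimately sends a lot of mail through one relay.
    """
    fanout = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dport"] != "25":
            continue  # unparseable or not SMTP: ignore
        fanout[m["src"]].add(m["dst"])
    return fanout


def flag_mass_mailers(log_lines, threshold=20, mail_relays=()):
    """Return (src_ip, distinct_smtp_destinations) for hosts at or above threshold.

    Known campus relays are subtracted first, so a workstation that only ever
    talks to the official mail server is never flagged however busy it is.
    """
    flagged = []
    for src, dsts in smtp_fanout(log_lines).items():
        external = dsts - set(mail_relays)
        if len(external) >= threshold:
            flagged.append((src, len(external)))
    return sorted(flagged, key=lambda item: -item[1])


def build_sample_log():
    """Constructed sample: one worm-like host, one normal host, one bad line."""
    lines = []
    # 10.3.4.22 behaves like a mass mailer: a SYN to each of 40 different MX hosts.
    for i in range(40):
        lines.append(f"2005-11-14 09:12:{i % 60:02d} 10.3.4.22:{1100 + i} -> 64.233.{i}.27:25 TCP SYN")
    # 10.3.4.31 is a normal workstation: web browsing plus mail via the campus relay.
    lines.append("2005-11-14 09:13:02 10.3.4.31:1201 -> 64.233.167.99:80 TCP SYN")
    lines.append("2005-11-14 09:13:10 10.3.4.31:1202 -> 10.1.1.25:25 TCP SYN")
    lines.append("2005-11-14 09:15:44 10.3.4.31:1203 -> 10.1.1.25:25 TCP SYN")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for src, count in flag_mass_mailers(sample, threshold=20, mail_relays=("10.1.1.25",)):
        print(f"possible mass mailer: {src} reached {count} distinct SMTP hosts")
```

The threshold is a policy choice: on a campus network where workstations are expected to relay through one mail server, even a handful of direct external SMTP destinations from a desktop is worth a ticket, so the number can be set much lower than 20. The same logic applies to a firewall rule that simply drops outbound port 25 from workstations except to the relay, which would have contained this machine without anyone noticing the bandwidth.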
I installed and manually updated Ad-Aware and Spybot, and scanned for spyware, fortunately only finding and removing some minor items. I installed Microsoft’s Anti-Spyware, which I did not update, as we were not online at that time, but which was updated and run successfully at a later time.
The Sober worm had destroyed the ability of his antivirus software to function by killing its scan engine. Normally, I would reinstall the antivirus software and update it, but his antivirus software was out of date and nearly worthless. Together, we decided that Trend’s PC-Cillin Internet Security Suite 2005, with its integral antivirus, firewall, spyware protection, wireless intrusion detection, and other features, was most appropriate for him, so we obtained a copy and installed it after uninstalling his obsolete antivirus software. PC-Cillin was configured to update automatically every three hours while online, far better than the manual “once or twice weekly” updating he claimed to have performed previously.
The sad lesson is that the five hours I spent cleaning his machine of viruses, scanning for spyware, uninstalling his obsolete antivirus, and purchasing and installing new software need not have happened. If he had updated his antivirus software more frequently, or used its integral automatic update, which could have been configured for suitably frequent antivirus updates, and had run a firewall on his computer capable of protecting it, he would not likely have become infected with 17 copies and variants of the Sober worm. If he had been aware that he should not click on suspicious email attachments, he would not have been infected by Sober at all, as that is its typical vector of infection.
A painful and stressful lesson for him, and the “moral of the story” for you.
For more information on the Tulsa Computer Society, click here.