Dearest IT Professionals -
The internet, and therefore UVM, is in the midst of a period of heavy worm
activity affecting Windows computers. If you are by job title an IT Professional or have
some percentage of your job position designated to IT support of your
department, and are involved in the cleanup of Windows workstations or
servers, please be sure to report any new information or questions about
worm cleanups to [log in to unmask] so that we can help to investigate.
If you need to refer a client/end user for assistance, please send them
directly to the Helpline or walk-in help (contact information is available
at www.uvm.edu/cit/help) since those services are designed to handle a
high volume of user questions.
That said, I have some advice (based on experience, practice, and job
function) for you as IT professionals attempting to clean up and prevent
- Make sure to clear out all temporary files (including offline and online
temporary internet files). COMIS uses CCleaner (despite its crude name it
works very well) to clean up temporary files, including temp files for
Firefox, Opera, Media Player, eMule, Kazaa, Google Toolbar, Netscape,
Office XP, Nero, Adobe Acrobat, WinRAR, WinAce, and WinZip. I have used
it on a few machines and it seems to work very well. Product information
and download available at http://www.ccleaner.com/
- Make sure that ALL enabled accounts have strong passwords (not just the
account that is logged into most of the time). To view all enabled users,
check the Users and Passwords/User Accounts control panel.
- If no folders or printers are shared directly from the computer,
uninstall File and Printer Sharing for Microsoft Networks (via the network
settings control panel, local area connection, properties).
- Make sure all critical updates are installed and consider turning on
automatic updates if applicable.
- (If a WinXP computer) make sure Symantec Antivirus 9 was installed after
XP SP2, so that the Windows Firewall ports are open for NORTON1/2 to push virus
definitions to the workstation.
- Make sure to search for known infected file names in the registry, and
remove only illegitimate entries (easier said than done, Google usually
helps with identifying if a key is valid or not). As always, be very
careful when making any changes to the registry! One wrong move can
result in the computer no longer booting to the Windows desktop.
- Check for any .exe and .bat files modified or created within the last
1-4 weeks (advanced search options). If any are found that you or your
client don't recognize, they might be infected so I recommend that you
quarantine them and send a request for help to [log in to unmask] with the
machine name and file name. Include file locations/paths (if applicable)
in your message. For example, if you suspect Badfile.exe is infected, and
you found it in the winnt\system32 folder, please reference the full path
and file name: C:\winnt\system32\badfile.exe. In order for us to act on
your request, the client computer must have had SAV 9 installed after
Windows XP SP2 so that we can remotely view the logs and quarantined files
of that computer.
- In addition to scheduling weekly Symantec Antivirus scans, I recommend
that known infected computers be restarted in safe mode with networking
and a Housecall scan (housecall.trendmicro.com) be run. If the machine's
IP address was removed from the network because of infection, please ask
that the IP address be turned back on, but be certain to only boot in safe
mode with networking (or safe mode with no networking) until the Housecall
scan confirms the computer is clean.
- If a computer still is not clean after you spend the time doing the
above, or if the client is willing to do so up front, I recommend that you
help them back up their data to another storage source, reimage the
computer, then install all patches (preferably from CD rather than
network!), SAV 9, and help them put their data back.
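As an added illustration of the checklist above (this script is mine, not part of the original message and not a COMIS or UVM tool), the following PowerShell gathers the evidence the help request asks for into one report: every enabled local account, any user-created shares, all .exe and .bat files created or modified within the last 1-4 weeks with their full paths and hashes, and any Run/RunOnce registry entries that launch one of those files. It is report-only and changes nothing on the machine, in keeping with the warning about registry edits. It assumes a current Windows workstation with PowerShell 5.1 or later (Get-LocalUser, Get-SmbShare and Get-FileHash are not available on the XP-era systems the message describes, where the equivalent information came from the control panels and Explorer search it names); the function names, search roots and report path are my own choices.

```powershell
# Worm-cleanup triage report (added example, not from the original message).
# Report-only: nothing is deleted or changed. Run from an elevated
# PowerShell 5.1+ session on the affected Windows workstation.
param(
    [int]$DaysBack = 28,   # upper bound of the checklist's 1-4 week window
    [string[]]$SearchRoots = @($env:SystemRoot, $env:ProgramFiles,
                               ${env:ProgramFiles(x86)}, $env:USERPROFILE),
    # Assumed output location; adjust to local practice.
    [string]$ReportPath = "$env:USERPROFILE\Desktop\worm-triage-$env:COMPUTERNAME.txt"
)

function Get-EnabledLocalAccounts {
    # Every enabled local account, not only the one that is usually logged in.
    Get-LocalUser | Where-Object { $_.Enabled } |
        Select-Object Name, PasswordRequired, PasswordLastSet, LastLogon
}

function Get-UserShares {
    # Shares other than the default administrative ones (C$, ADMIN$, IPC$).
    # If this list is empty, File and Printer Sharing is not being used.
    Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path
}

function Get-RecentExecutables {
    param([string[]]$Roots, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.bat -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff -or $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    FullPath = $_.FullName        # full path, as the help request asks for
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

function Get-AutorunEntries {
    # Values under the common Run/RunOnce keys for the machine and the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in ($keys | Where-Object { Test-Path $_ })) {
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }   # metadata added by the registry provider
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

$accounts = Get-EnabledLocalAccounts
$shares   = Get-UserShares
$recent   = @(Get-RecentExecutables -Roots $SearchRoots -Days $DaysBack)
$autorun  = @(Get-AutorunEntries)

# Cross-reference: an autorun command that launches one of the recently changed
# binaries is exactly the kind of key the checklist says to research before touching.
$recentPaths = $recent | ForEach-Object { $_.FullPath.ToLowerInvariant() }
$flagged = $autorun | Where-Object {
    $cmd = ([string]$_.Command).ToLowerInvariant()
    @($recentPaths | Where-Object { $cmd.Contains($_) }).Count -gt 0
}

$report = @(
    "Worm triage report for $env:COMPUTERNAME, generated $(Get-Date)"
    ""
    "== Enabled local accounts (each needs a strong password, not just the usual login) =="
    ($accounts | Format-Table -AutoSize | Out-String -Width 300)
    "== User-created shares (none listed = File and Printer Sharing can be uninstalled) =="
    ($shares | Format-Table -AutoSize | Out-String -Width 300)
    "== .exe/.bat files created or modified in the last $DaysBack days (quote full paths in the help request) =="
    ($recent | Format-Table FullPath, Modified, SHA256 -AutoSize | Out-String -Width 300)
    "== Run/RunOnce entries that launch one of those files (research before removing anything) =="
    ($flagged | Format-Table Key, Name, Command -AutoSize | Out-String -Width 300)
)
$report | Out-File -FilePath $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

The report deliberately stops at listing: a recently modified binary or an unfamiliar Run entry is a lead, not a verdict, and the hash and full path are what the help desk needs to compare against the SAV 9 logs and quarantine before anyone edits the registry or deletes a file.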
There is an exhaustive list of other specific troubleshooting tools and
tricks that could be mentioned, particularly for malware other than worms, but I
am trying to make sure everyone is covering the basics when attempting to
clean a computer of worms since they are affecting the highest percentage
of computers at this time.