This month I will cover computer worms. Over the years I have removed a lot of different types of virus infections; by far the toughest are worm infections. WORM stands for “Write Once Read Many”. It attaches itself, by making copies of itself, to anything the creator wanted to infect, like a CD-ROM, thumb drive, network drive or email as an attachment. Once on your machine the payload, as we techies call it, will execute whatever it was designed to do. The most recent one I came across was attempting to steal banking information. These types of infections are very clever, and you need to be up to date on the latest detection and removal techniques.
I will go over a few of them in this blog, so let’s get started. Must I say it? Have good antivirus with signature-based and heuristic detection. Here at TOSS we have an antivirus solution that does just that; the technologies I mentioned have been around for a while, but not until recently have they become stable enough to really do what they say they do. Please remember that antivirus will not solve all the issues you may run into, and virus makers know this. You should also include a good malware detector like Malwarebytes. This product can detect malware hidden in what seem to be safe programs and/or add-ons that you knowingly download and install.
Removing worms from a network involves many defenses that must be in place to stop the spreading. First, try to determine if the virus is known yet; this could give you clues on how it is moving around, as most of them need to communicate back to a central server. You can find some very useful info on different worms and how to remove them here. Make sure to scour firewall logs for suspicious connections and close any holes regarding ports. Most recently, P2P (peer-to-peer) networks have been utilized for the worm's communication. The communication can be encrypted through port 443, but it must go out and find the host. In order to do this the worm must query DNS for its connection, so DNS logs are critical to finding the worm. Here is a how-to from Microsoft on how to view your DNS logs.
Next, check Event Viewer under Security to determine any unusual activity. Don’t forget domain policies; these can be used to stop users from reinfecting the network by turning off USB ports or CD burning and locking down network permissions to read-only. Then and only then are you ready to do system-wide virus scanning, focusing on PCs showing signs of worm infection. The more information you can find on the particular infection, the better the tools/utilities for removal will become.
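As an added illustration of the DNS-log step above (example code, not from the original post or from TOSS): a small Python pass over constructed lines in the Windows DNS Server debug-log layout that counts, per client PC, how many distinct domains it asked for and how many lookups came back NXDOMAIN, since a host hunting for its peers or control server tends to stand out that way against normal browsing. The sample addresses, domain names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Windows DNS Server debug-log layout (not a real capture).
# "Rcv ... Q" is a query from a client; "Snd ... R" is the server's answer to it.
SAMPLE_LOG = """\
3/12/2012 10:05:22 AM 0E14 PACKET 00000000034F9F30 UDP Rcv 192.168.1.50 0004 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
3/12/2012 10:05:22 AM 0E14 PACKET 00000000034F9F30 UDP Snd 192.168.1.50 0004 R Q [8081 DR NOERROR] A (3)www(7)example(3)com(0)
3/12/2012 10:05:23 AM 0E14 PACKET 00000000034F9F30 UDP Rcv 192.168.1.77 0005 Q [0001 D NOERROR] A (12)kq3x8dm1zp7a(3)biz(0)
3/12/2012 10:05:23 AM 0E14 PACKET 00000000034F9F30 UDP Snd 192.168.1.77 0005 R Q [8385 A DR NXDOMAIN] A (12)kq3x8dm1zp7a(3)biz(0)
3/12/2012 10:05:24 AM 0E14 PACKET 00000000034F9F30 UDP Rcv 192.168.1.77 0006 Q [0001 D NOERROR] A (11)zt90wplqr4f(4)info(0)
3/12/2012 10:05:24 AM 0E14 PACKET 00000000034F9F30 UDP Snd 192.168.1.77 0006 R Q [8385 A DR NXDOMAIN] A (11)zt90wplqr4f(4)info(0)
3/12/2012 10:05:25 AM 0E14 PACKET 00000000034F9F30 UDP Rcv 192.168.1.77 0007 Q [0001 D NOERROR] A (10)b7n2ykd0sx(3)net(0)
3/12/2012 10:05:25 AM 0E14 PACKET 00000000034F9F30 UDP Snd 192.168.1.77 0007 R Q [8081 DR NOERROR] A (10)b7n2ykd0sx(3)net(0)
"""

# Direction, client address, the bracketed flags (response code last) and the wire-format name.
LINE_RE = re.compile(
    r"(?:UDP|TCP) (?P<dir>Rcv|Snd) (?P<client>\S+) \S+ (?:R )?Q \[(?P<flags>[^\]]*)\] \S+ (?P<name>\S+)$"
)

def decode_name(wire):
    """Turn the log's (3)www(7)example(3)com(0) label form into www.example.com."""
    return ".".join(lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", wire) if lbl)

def summarize(log_text):
    """Per client: queries sent, distinct registered domains asked for, NXDOMAIN answers received."""
    stats = defaultdict(lambda: {"queries": 0, "domains": set(), "nxdomain": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["client"]]
        if m["dir"] == "Rcv":
            s["queries"] += 1
            s["domains"].add(".".join(decode_name(m["name"]).split(".")[-2:]))
        elif m["flags"].split()[-1] == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats

def suspicious_clients(log_text, min_domains=3, min_nxdomain=2):
    """Clients resolving many distinct domains with several failures: worth a closer look."""
    return sorted(c for c, s in summarize(log_text).items()
                  if len(s["domains"]) >= min_domains and s["nxdomain"] >= min_nxdomain)

if __name__ == "__main__":
    for client in suspicious_clients(SAMPLE_LOG):
        print("review host", client, summarize(SAMPLE_LOG)[client])
```

Feed it a real debug log (enable "Log packets for debugging" on the DNS server) and raise the thresholds to fit your network's normal volume before treating a flagged PC as infected.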
Written By: Pete Thornhill
Engineer, TOSS C3