Viruses – I feel your pain

Well, it finally happened.  For the first time in my 20-year history at Microsoft, I had to reformat a computer because it got hit by a virus.

I’m not sure how the virus got inside the firewall; my guess is that someone brought it in on a laptop or something, but it happened.

You see, I was running an interim build of XP SP2, and wanted to update to the RC build.  So I uninstalled the interim build (we only support upgrading from public releases).

And my machine puked.  This happens; there was probably a bug in the interim build’s uninstaller.  No big deal, it’s not as if I haven’t done this dozens of times before.

So I figured I’d reinstall XP and reinstall the patches.  Again, nothing new here.  I’ve done this dozens of times; it’s part of the cost of running interim builds.

But this time, things went horribly wrong.  Seconds after I installed the RTM bits, I got the dreaded “Access violation in LSASS.EXE at 0x00000023” that indicates I was infected with Sasser.

I tried about six different ways of removing this from my machine – reinstalling again, reinstalling clean, reinstalling into another partition.  Nothing worked, and I was left with wiping the machine.

Now I’m reinstalling Windows again, after the reformat.  I guess I know what I’m going to be doing for the rest of the day :(

The reality is that once I got infected I had no choice but to reformat my machine, I was just holding off on the inevitable.  Why would I have to reformat the machine?  Well, because there’s no way of knowing what the payload of the infection is.  It could have been an innocuous payload that popped up a “Hey, you got infected!” popup every 10 minutes – Annoying but harmless.  It could have been a rootkit that would use my machine as a doorway for hackers to gain access to the Microsoft corporate network.  And once you’re rooted, there is NO way of knowing that you’re rooted – A good root kit covers its tracks so that it is essentially undetectable. 

This is important:  IMHO, once you’ve confirmed that you’re infected with a virus, you really have no choice but to wipe the machine, since you have no way of knowing what’s been compromised.  Hopefully you have a recent backup, or you have a way of saving your critical files before the reformat.  I recently saw a report (I’m not sure where now) that someone discovered a worm that was infecting the system restore partitions on some machines – these are backup partitions that are installed by OEMs on machines, holding a copy of the image that they use to create the system – a replacement for the OEM install CD that used to come with computers.  The worm was modifying the files on the master copy, so if you used the OEM’s “recover my system” procedure, you just re-infected your machine.  The only recourse from this one was to find a copy of a Windows CD and reinstall from that.

I’ve always been a staunch advocate of safe computing.  At my home network (with only 7 computers), before I installed broadband, I bought a hardware firewall (first a Netgear RO318, now a D-Link DI-604 (a truly sweet piece of hardware, btw)).  I made sure that all 7 machines were kept up-to-date on patches.  Every machine has antivirus installed on it and the signatures are kept up-to-date.  I was smug in my self-assured knowledge that I was safe because I was doing the right thing.  I berated my parents for not having a firewall on their broadband connections. 

So I’ve just had my first taste of what it feels like to be on the other side of the firewall.  And it leaves a very bitter taste in my mouth.

So as President Clinton once said: “I feel your pain”.



Comments (36)

  1. Todd Spatafore says:

    This is also a great example of why it is important that the firewall is enabled by default on SP2 even on a corporate LAN. People that are complaining and stating that they’ll just disable the firewall are in for a world of hurt. Protect the LAN, Protect the Host, and Protect the Application should be drilled into everyone that uses a computer.

  2. Scott says:

    I got hit once at work. Instead of reading my web based email in Firefox (Firebird at the time) like I usually do I read it in IE. It just so happened that I was debugging an application at the time and had the task manager open watching the processes. I opened the email and bink, another process popped up in task manager. I didn’t recognize it so I killed it. Then I ran a scan and found a virus. Luckily it was just a VBScript virus that hadn’t fully installed itself and was cleanable.

    Now if you’ll all open your copies of "Writing Secure Code version 2" to page 723 and cross ridiculous excuse # 6 off your list… 😉

  3. Arrgh! I take the time to enter in links and they get horribly munged by your weblogging app; .Text really needs preview functionality.

  4. First of all, I have to ask why you were running as a member of the Administrator to begin with. Why didn’t you log in as a member of the Users group and then use RunAs to launch the Service Pack install? Had you done this the worm wouldn’t have been able to write itself to your %WINDIR% directory. One would think a Microsoft employee would know better …

    The second thing to point out is that your statement that "IMHO, once you’ve confirmed that you’re infected with a virus, you really have no choice but to wipe the machine since you have no way of knowing what’s been compromised" is strictly speaking false. There are in fact excellent ways of ascertaining that files haven’t been tampered with, and some even run on Windows, though you have to pay for them. It’s too bad that Microsoft’s own (unsupported) File Checksum Integrity Verifier (KB 841290) is such a limited application, as a tool with Tripwire-like functionality is sorely needed on the Windows platform.

  5. Abiola: I wasn’t running as a member of the administrator group, it’s one of the first things I do when I get a machine.

    You’re right that .Text needs to support some form of bbtext or formatted links in its comments, I’ve asked Scott about it 🙂

    The worm didn’t have to infect the %WINDIR% directory. I don’t know what it infected, I just know the symptoms. It’s entirely possible that I didn’t even get infected it’s just that there was a machine that was aggressively probing my machine. It didn’t matter.

  6. Derek Simon says:

    The machine shouldn’t have been plugged into the network in the first place. Until the operating system, firewall and anti-virus software are installed and updated, plugging into the Ethernet jack on the wall just isn’t a good idea. If you have no choice but to perform a network install of a service pack, make sure that Windows XP’s firewall (or another commercial firewall product) is on prior to doing so.

    I do agree with you Larry on the "you really have no choice but to wipe the machine" principle.

  7. Don Newman says:

    I can understand getting the virus, happens to the best of us. The one thing I found odd is that a company the size of MS wouldn’t have a hard drive image to just install that already had all current patches. At least for the OS since I imagine the apps used probably vary quite a bit between departments and even users (especially coders).

  8. We do. I spaced originally and used the XP RTM CD I have in my office, but this morning I used RIS (Remote Installation Services) which installed the system over the net for me, with all the latest patches on it.

    The thing about RIS installs is that they wipe the machine, and it wasn’t until yesterday afternoon that I was willing to take the pain of reformatting the hard disk. Live and learn.

  9. Cesar Eduardo Barros says:

    Er… If there is a worm-infected machine somewhere in your network, shouldn’t you tell the network administrators?

    Then post here a story about how the worm got inside the firewall 😉

  10. Cesar: The worm probably got inside the firewall because someone took their laptop in from outside the firewall.

    What’s more interesting is (a) why it apparently was able to spread inside the firewall, given that our IT department mandates (and enforces) that we be running the most recent patches and (b) our IT department aggressively scans for machines trying to spread the worm.

    I’ve got some emails out about that but I’m not holding a lot of hope out for figuring out what happened.

    Derek: The problem is: How do I get the patches for the machine without plugging it into the net (where the patches are). The machine has no floppy (it’s a laptop) and I have no CD burner available. I get the software on the machine from the net. It’s a horrid chicken and egg problem caused by ubiquitous networking. The good news is that the RIS install above worked.

  11. Drew says:

    Probably one of the sasser variants. Pre-SP2, there is a window for the worm to hit before the firewall comes up (if it’s turned on at all). SP2 has the MS04-011 fix and also has a better firewall that should block the worm regardless.

    If this was a test machine, you might want to consider using Virtual PC. You can configure the VPCs to use NAT, so they don’t catch any of the nasties that run loose on corpnet. It’s how I’ve been testing upgrade/uninstall variations with old unpatched OS’s.

  12. Pavel Lebedinsky says:

    Abiola Lapite wrote:

    > First of all, I have to ask why you were running as a member of the Administrator to begin with…

    First of all, you need to realize that running as administrator vs. regular user is totally irrelevant here. LSASS is a system service so if at any time you have an unpatched version of LSASS running while connected to network, you are vulnerable. You don’t even need to log on to be infected.

  13. Thank you Pavel πŸ™‚ This is absolutely accurate.

    This is the difference between a trojan horse and a worm – a worm affects a system service and can infect your system regardless of the user logged into the console. A trojan can only mess with the user’s data.

    Running as a non admin fixes the trojan horse problem but it does nothing to fix the worm problem.

    That’s why so much effort is being expended to reduce the number of services that run as LocalSystem in XP.

  14. Pavel,

    I actually did do my homework before posting. The fact is that all five variants of Sasser identified thus far rely on the ability to write to %WINDIR% as well as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    Follow the links to, say, Symantec or Trend Micro’s bulletins from if you doubt I’m correct.

    The worst that SASSER variants can do on machines which haven’t been patched for the LSASS vulnerability is download themselves locally and cause a system crash – they can’t even run themselves after a reboot, as none of them even bother to write an entry into [HKCU] to run on startup.

  15. Random Reader says:

    You don’t understand. Sasser _has_ the ability to write to those locations. Why? Because it’s executing in the security context of LSASS. The currently logged on users, if any, are completely and utterly irrelevant.

    In regard to TripWire-style solutions, "rootkits" et al exist that are capable of avoiding even them. There are published methods of A) loading arbitrary code into kernel space and B) using that code to filter and report false information to apps querying such things as file sizes and data.

    TripWire-style things are good for auditing and forensic analysis, but not for guaranteeing integrity.

  16. "You don’t understand. Sasser _has_ the ability to write to those locations. Why? Because it’s executing in the security context of LSASS. The currently logged on users, if any, are completely and utterly irrelevant."

    Ah, I get what you’re driving at. Mea culpa.

    "In regard to TripWire-style solutions, "rootkits" et al exist that are capable of avoiding even them."

    Not if you create a database for all the critical system files while in a known good state. Run Tripwire and record all the information it generates to a write-once medium like CD-R; then all you have to do, even in the case where a rootkit’s been installed, is boot up another operating system which can read the NTFS filesystem but can’t execute Windows binaries (like, oh, I dunno, Linux?) and compare the files on the hard drive to the information on your CD. A system compromise need *not* mean a total wipe and reinstall, though in Larry’s case the effort involved in following the alternative route I’ve suggested probably wasn’t worth it.

  17. same Random Reader says:

    That’s a good point — I was looking only from the perspective of scheduled checks running under the same system. An offline comparison would of course work great.
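The offline comparison the last two comments settle on, as an added example (not code from the post or from any commenter): hash every file on a known-good system into a manifest, record the manifest's own digest out of band (standing in for the CD-R), and later compare the same files while they are mounted from a separate trusted OS. The directory layout and file contents are constructed for the demo; they are not real Windows binaries.

```python
"""Offline file-integrity baseline and comparison (added example, not from the post)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record size and SHA-256 for every regular file under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def save_baseline(baseline: dict, manifest: Path) -> str:
    """Write the manifest and return its own SHA-256.

    The manifest is only worth anything if the thing you are checking for cannot
    rewrite it: burn it to write-once media and keep this digest somewhere separate,
    so a substituted manifest is caught as well.
    """
    data = json.dumps(baseline, indent=1, sort_keys=True).encode()
    Path(manifest).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(manifest: Path, expected_digest: str) -> dict:
    """Refuse a manifest whose digest differs from the one recorded at creation."""
    data = Path(manifest).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("manifest digest mismatch: baseline may have been tampered with")
    return json.loads(data)


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed, or whose content hash changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k]["sha256"] != current[k]["sha256"]),
    }


def demo() -> dict:
    """Baseline, simulated compromise, then the check, all in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mounted_disk"   # stands in for the NTFS volume mounted read-only
        (root / "system32").mkdir(parents=True)
        (root / "system32" / "lsass.exe").write_bytes(b"clean lsass (constructed)")
        (root / "system32" / "ntdll.dll").write_bytes(b"clean ntdll (constructed)")
        (root / "notepad.exe").write_bytes(b"clean notepad (constructed)")

        manifest = Path(tmp) / "baseline.json"   # in practice: the CD-R
        digest = save_baseline(build_baseline(root), manifest)

        # Simulated compromise: one system file patched, a new binary dropped, one file deleted.
        (root / "system32" / "lsass.exe").write_bytes(b"patched lsass (constructed)")
        (root / "system32" / "dropped.exe").write_bytes(b"unknown binary (constructed)")
        (root / "notepad.exe").unlink()

        return compare(load_baseline(manifest, digest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check only means something when `build_baseline` runs from an OS that is not the one being examined; a kernel-level rootkit on the running system can lie to the hashing code exactly as described in comment 15. The manifest digest check guards against the other weak point, a baseline that was itself rewritten.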

  18. Saurabh Jain says:

    You don’t have to reformat the hard disk to reinstall using RIS. Just uncheck that "Automatic Format" option.

  19. Didn’t realize that Saurabh. Doesn’t matter though, the machine had already been reformatted, and it had to be reformatted because of the worm 🙂

    But good to know if I need to reinstall XP again.

  20. Florian says:

    I know that nowadays nobody cares about the differences between virii, worms and trojans anymore (and in some cases they’re getting blurred) and they get used interchangeably. But could you at least stick to one term after picking it? =)

  21. Fair ‘nuf Florian. Here’s what I’ll use from now on:

    Worm: Self replicating piece of code exploiting a vulnerability in a network facing component. It does NOT require user intervention to run.

    Virus: Self replicating piece of code that attaches itself to an executable and modifies that code. Different from a worm because the virus requires user intervention (typically by launching an infected program).

    Trojan: piece of code that replicates using social engineering. A trojan usually is a program that masquerades as one utility in an attempt to trick the user into downloading the program. Once downloaded it does not typically spread. In many cases, spyware is a trojan (IMHO, even adware like Gator which is spread intentionally by the distributor (like DivX)).

    And the reason I (and others) aren’t precise is because the line is very vague. Oftentimes (ILOVEYOU for example), a virus spreads via the mechanisms normally associated with a trojan – ILOVEYOU required social engineering to get the offending code to run, but once the program was launched, it propagated itself like a virus.

  22. Cesar Eduardo Barros says:

    Wasn’t ILOVEYOU a worm? I don’t recall it infecting binaries.

  23. Nope – it required user intervention to activate. It didn’t attack binaries though, you’re right.

    Ok, so what was ILOVEYOU. It required user intervention to activate. It spread itself. It didn’t modify executables. But it wasn’t autonomous.

    Sasser and MS-Blaster (and SQL-Slammer) were all clearly worms because they were autonomous.

    As Florian said – it’s complicated 🙂

  24. Random Reader says:

    In the classic definitions I remember, the key difference between "virus" and "worm" is that a worm is capable of spreading itself over a network. A virus is not network-aware.

    As far as ILOVEYOU, TechNet called it a virus, while most of the AV vendors say it’s a worm. Since CERT also says it’s a worm, I’d probably go with that.

    I couldn’t find any formal definitions on CERT’s site, but this page has some hints (see

    That "autonomous" definition differs from your own; going by the quotes on that page, ILOVEYOU is classed autonomous (as are all viruses).

    Anyway, yes, very fuzzy lines 🙂

  25. Blue badger here. I followed the RC2 instructions to a T, and uninstalled RC1. Was promptly infected with Korgo. Bummer. I guess I need to reformat as well 🙁

  26. Florian says:

    I know the lines have gotten blurry. I am not the one to jump on people for not using the technically correct term, so my comment was a little tongue-in-cheek. Unless you’re in the business of computer security or anti-virus software the difference doesn’t really matter anyway. It sure doesn’t for grandma. It just tends to bug me a little when different terms are used for the same thing in one thread/article/sentence by well-respected, tech savvy people who have been in the industry long enough to understand the difference (note: not necessarily know, but understand). =)

    Also it seems that we have forgotten what the original definitions were. I noticed that my definitions differ from both Larry’s and Random’s.

  27. Cesar Eduardo Barros says:

    Looks like it’s really in the twilight zone between virus and worm.

    But I really think we should stop this subthread now.

  28. Centaur says:

    > I followed the RC2 instructions to a T, and

    > uninstalled RC1. Was prompty infected with

    > Korgo.

    So here’s what I would have done:

    * Download the standalone, so-called full cab version.

    * Unplug the network cable, physically.

    * Uninstall the previous SP or whatever is necessary.

    * Install the new SP from the full cab version.

    * Plug the cable back.

    This way, you are not exposed to the aggressive environment while your protection is down.

  29. Scott says:

    Looks like Slashdot feels your pain too Larry.

    One of the more interesting ideas, using a live Linux distro to download the patches and burn them to a CD before installing Windows. That would be an interesting idea. Maybe Microsoft could change the install process and use a special runtime/ftp process that downloads the patches and places them in a folder on the hard drive. Then the install can take the network down, finish installing the OS, and then install any patches necessary. After all that, then bring up the network.

    Of course that would only work on future products. 🙁 You’re still screwed if you are re-installing.

  30. Yeah Scott, I noticed that yesterday. It was an interesting synergy.

    Actually if RIS as deployed at Microsoft has the ability to avoid reformatting the hard disk, then it might be an option.

    Also, don’t forget that for XP SP2 and beyond, the firewall is on from the get-go, which means that if you’ve got an SP2 slipstream CD, then you’re good to go. It didn’t help me, but…

    My personal recommendation for the /. crowd is the DI-604 btw. The best $45 I ever spent.

  31. Derek Simon says:

    "Derek: The problem is: How do I get the patches for the machine without plugging it into the net (where the patches are). The machine has no floppy (it’s a laptop) and I have no CD burner available. I get the software on the machine from the net. It’s a horrid chick and egg problem caused by ubiquitous networking."

    If the network can’t be trusted, then don’t trust it. It’s that simple. Download the updates/patches to an alternate machine, along with Microsoft Baseline Security Analyzer and the latest "". Then transfer the files to the fresh installation (via a USB drive, network cable, etc.), run the command-line version of MBSA specifying the local copy of "" and apply the updates/patches as need be. After that, make sure ICF is enabled and then, and only then, connect the computer to the network.

    Of course this method requires a secondary machine, but we’ve been using the method successfully for months with no problems whatsoever. Granted the procedure is a bit lengthier than the more direct (but security prone) route, but doing something half-assed is just that– half-assed.

  32. Don Newman says:

    The other option is employ a cheap DSL/Cable router using NAT. I’m sure the boys over in IT would have had one for you kicking around (if not somebody at home).

    Here is an odd question. For a company like Microsoft, how do you differentiate between IT and the rest of the staff? Do you ever find yourself explaining that you work in IT but not in the IT dept?

  33. Don: I work in development, not in IT. IT runs the network, development makes the products.

    Actually humorously enough, I have a DI-604 in my office, I’m using it to manage a private network for my Fjord work (

    But there are issues with NAT boxes and our internal deployment of IPSEC from what I understand – effectively I can’t firewall my office from the corp net 🙁

  34. hxx says:

    It’s possible just unplugged all your network from Internet, or another Lan. And crash all floppies and CD-ROM drives. =D

  35. As long as you allow computers to enter or leave the network, it doesn’t work any more.

    Which makes things kind-of hard on the sales guys – they kinda like having laptops to do work when they’re out of the office.
