Viruses - I feel your pain

Well, it finally happened.  For the first time in my 20 year history at Microsoft, I had to reformat a computer because it got hit by a virus.

I’m not sure how the virus got inside the firewall, my guess is someone brought it inside on a laptop or something, but it happened.

You see, I was running an interim build of XP SP2, and wanted to update to the RC build.  So I uninstalled the interim build (we only support upgrading from public releases).

And my machine puked.  This happens; there was probably a bug in the interim build’s uninstaller, no big deal, it’s not like I’ve not done this dozens of times before.

So I figured I’d reinstall XP and re-install the patches.  Again, nothing new here.  I’ve done this dozens of times, its part of the cost of running interim builds.

But this time, things went horribly wrong.  Seconds after I installed the RTM bits, I got the dreaded “Access violation in LSASS.EXE at 0x00000023” that indicates I was infected with Sasser.

I tried about 6 different ways of removing this from my machine – reinstalling again, reinstalling clean, reinstalling into another partition.  Nothing worked, and I was left with wiping the machine.

Now I’m reinstalling windows again, after the reformat.  I guess I know what I’m going to be doing for the rest of the day L

The reality is that once I got infected I had no choice but to reformat my machine, I was just holding off on the inevitable.  Why would I have to reformat the machine?  Well, because there’s no way of knowing what the payload of the infection is.  It could have been an innocuous payload that popped up a “Hey, you got infected!” popup every 10 minutes – Annoying but harmless.  It could have been a rootkit that would use my machine as a doorway for hackers to gain access to the Microsoft corporate network.  And once you’re rooted, there is NO way of knowing that you’re rooted – A good root kit covers its tracks so that it is essentially undetectable. 

This is important:  IMHO, once you’ve confirmed that you’re infected with a virus, you really have no choice but to wipe the machine since you have no way of knowing what’s been compromised.  Hopefully you have a recent backup, or you have a way of saving your critical files before the reformat.  I recently saw a report (I’m not sure where now) that someone discovered a worm that was infecting the system restore partitions on some machines – these are backup partitions that are installed by OEM’s on machines with a copy of the image that they use to create the system – it’s a replacement for the OEM install CD that used to come with computers.  The worm was modifying the files on the master copy, so if you used the OEM’s “recover my system” procedure, you just re-infected your machine.  The only recourse from this one was to find a copy of a Windows CD and reinstall from that.

I’ve always been a staunch advocate of safe computing.  At my home network (with only 7 computers), before I installed broadband, I bought a hardware firewall (first a Netgear RO318, now a DLINK DI604 (a truly sweet piece of hardware btw)).  I made sure that all 7 machines were kept up-to-date on patches.  Every machine has antivirus installed on it and the signatures are kept up-to-date.  I was smug in my self-assured knowledge that I was safe because I was doing the right thing.  I berated my parents for not having a firewall on their broadband connections. 

So I’ve just had my first taste of what it feels like to be on the other side of the firewall.  And it leaves a very bitter taste in my mouth.

So as President Clinton once said: “I feel your pain”.