Larry Osterman's WebLog

Confessions of an Old Fogey

Viruses - I feel your pain


Well, it finally happened.  For the first time in my 20-year history at Microsoft, I had to reformat a computer because it got hit by a virus.

I’m not sure how the virus got inside the firewall; my guess is someone brought it inside on a laptop or something, but it happened.

You see, I was running an interim build of XP SP2, and wanted to update to the RC build.  So I uninstalled the interim build (we only support upgrading from public releases).

And my machine puked.  This happens; there was probably a bug in the interim build’s uninstaller, no big deal, it’s not like I’ve not done this dozens of times before.

So I figured I’d reinstall XP and re-install the patches.  Again, nothing new here.  I’ve done this dozens of times; it’s part of the cost of running interim builds.

But this time, things went horribly wrong.  Seconds after I installed the RTM bits, I got the dreaded “Access violation in LSASS.EXE at 0x00000023” that indicates I was infected with Sasser.

I tried about 6 different ways of removing this from my machine – reinstalling again, reinstalling clean, reinstalling into another partition.  Nothing worked, and I was left with wiping the machine.

Now I’m reinstalling Windows again, after the reformat.  I guess I know what I’m going to be doing for the rest of the day :(

The reality is that once I got infected I had no choice but to reformat my machine, I was just holding off on the inevitable.  Why would I have to reformat the machine?  Well, because there’s no way of knowing what the payload of the infection is.  It could have been an innocuous payload that popped up a “Hey, you got infected!” popup every 10 minutes – Annoying but harmless.  It could have been a rootkit that would use my machine as a doorway for hackers to gain access to the Microsoft corporate network.  And once you’re rooted, there is NO way of knowing that you’re rooted – A good root kit covers its tracks so that it is essentially undetectable. 

This is important:  IMHO, once you’ve confirmed that you’re infected with a virus, you really have no choice but to wipe the machine, since you have no way of knowing what’s been compromised.  Hopefully you have a recent backup, or you have a way of saving your critical files before the reformat.  I recently saw a report (I’m not sure where now) that someone discovered a worm that was infecting the system restore partitions on some machines – these are backup partitions that are installed by OEMs on machines with a copy of the image that they use to create the system – it’s a replacement for the OEM install CD that used to come with computers.  The worm was modifying the files on the master copy, so if you used the OEM’s “recover my system” procedure, you just re-infected your machine.  The only recourse from this one was to find a copy of a Windows CD and reinstall from that.

I’ve always been a staunch advocate of safe computing.  At my home network (with only 7 computers), before I installed broadband, I bought a hardware firewall (first a Netgear RO318, now a DLINK DI604 (a truly sweet piece of hardware btw)).  I made sure that all 7 machines were kept up-to-date on patches.  Every machine has antivirus installed on it and the signatures are kept up-to-date.  I was smug in my self-assured knowledge that I was safe because I was doing the right thing.  I berated my parents for not having a firewall on their broadband connections. 

So I’ve just had my first taste of what it feels like to be on the other side of the firewall.  And it leaves a very bitter taste in my mouth.

So as President Clinton once said: “I feel your pain”.



  • This is also a great example of why it is important that the firewall is enabled by default on SP2 even on a corporate LAN. People that are complaining and stating that they'll just disable the firewall are in for a world of hurt. Protect the LAN, Protect the Host, and Protect the Application should be drilled into everyone that uses a computer.
  • I got hit once at work. Instead of reading my web based email in Firefox (Firebird at the time) like I usually do, I read it in IE. It just so happened that I was debugging an application at the time and had the task manager open watching the processes. I opened the email and bink, another process popped up in task manager. I didn't recognize it so I killed it. Then I ran a scan and found a virus. Luckily it was just a VBScript virus that hadn't fully installed itself and was cleanable.

    Now if you'll all open your copies of "Writing Secure Code version 2" to page 723 and cross ridiculous excuse # 6 off your list... ;)
  • Arrgh! I take the time to enter in links and they get horribly munged by your weblogging app; .Text really needs preview functionality.
  • First of all, I have to ask why you were running as a member of the Administrator to begin with. Why didn't you log in as a member of the Users group and then use RunAs to launch the Service Pack install? Had you done this the worm wouldn't have been able to write itself to your %WINDIR% directory. One would think a Microsoft employee would know better ...

    The second thing to point out is that your statement that "IMHO, once you’ve confirmed that you’re infected with a virus, you really have no choice but to wipe the machine since you have no way of knowing what’s been compromised" is strictly speaking false. There are in fact excellent ways of ascertaining that files haven't been tampered with, and some even run on Windows, though you have to pay for them. It's too bad that Microsoft's own (unsupported) File Checksum Integrity Verifier is such a limited application, as a tool with Tripwire-like functionality is sorely needed on the Windows platform.
  • Abiola: I wasn't running as a member of the administrator group, it's one of the first things I do when I get a machine.

    You're right that .Text needs to support some form of bbtext or formatted links in its comments, I've asked Scott about it :)

    The worm didn't have to infect the %WINDIR% directory. I don't know what it infected, I just know the symptoms. It's entirely possible that I didn't even get infected it's just that there was a machine that was aggressively probing my machine. It didn't matter.
  • The machine shouldn't have been plugged into the network in the first place. Until the operating system, firewall and anti-virus software are installed and updated, plugging into the Ethernet jack on the wall just isn't a good idea. If you have no choice but to perform a network install of a service pack, make sure that Windows XP's firewall (or another commercial firewall product) is on prior to doing so.

    I do agree with you Larry on the "you really have no choice but to wipe the machine" principle.
  • I can understand getting the virus, happens to the best of us. The one thing I found odd is that a company the size of MS wouldn't have a hard drive image to just install that already had all current patches. At least for the OS since I imagine the apps used probably vary quite a bit between departments and even users (especially coders).
  • We do. I spaced originally and used the XP RTM CD I have in my office, but this morning I used RIS (Remote Installation Services) which installed the system over the net for me, with all the latest patches on it.

    The thing about RIS installs is that they wipe the machine, and it wasn't until yesterday afternoon that I was willing to take the pain of reformatting the hard disk. Live and learn.
  • Er... If there is a worm-infected machine somewhere in your network, shouldn't you tell the network administrators?

    Then post here a story about how the worm got inside the firewall ;-)
  • Cesar: The worm probably got inside the firewall because someone took their laptop in from outside the firewall.

    What's more interesting is (a) why it apparently was able to spread inside the firewall, given that our IT department mandates (and enforces) that we be running the most recent patches and (b) our IT department aggressively scans for machines trying to spread the worm.

    I've got some emails out about that but I'm not holding a lot of hope out for figuring out what happened.

    Derek: The problem is: How do I get the patches for the machine without plugging it into the net (where the patches are)? The machine has no floppy (it's a laptop) and I have no CD burner available. I get the software on the machine from the net. It's a horrid chicken-and-egg problem caused by ubiquitous networking. The good news is that the RIS install above worked.

  • Probably one of the sasser variants. Pre-SP2, there is a window for the worm to hit before the firewall comes up (if it's turned on at all). SP2 has the MS04-011 fix and also has a better firewall that should block the worm regardless.
    If this was a test machine, you might want to consider using Virtual PC. You can configure the VPCs to use NAT, so they don't catch any of the nasties that run loose on corpnet. It's how I've been testing upgrade/uninstall variations with old unpatched OS's.
  • Abiola Lapite wrote:

    > First of all, I have to ask why you were running as a member of the Administrator to begin with...

    First of all, you need to realize that running as administrator vs. regular user is totally irrelevant here. LSASS is a system service so if at any time you have an unpatched version of LSASS running while connected to network, you are vulnerable. You don't even need to log on to be infected.
  • Thank you Pavel :) This is absolutely accurate.

    This is the difference between a trojan horse and a worm - a worm affects a system service and can infect your system regardless of the user logged into the console. A trojan can only mess with the user's data.

    Running as a non admin fixes the trojan horse problem but it does nothing to fix the worm problem.

    That's why so much effort is being expended to reduce the number of services that run as LocalSystem in XP.
  • Pavel,

    I actually did do my homework before posting. The fact is that all five variants of Sasser identified thus far rely on the ability to write to %WINDIR% as well as [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
    Follow the links to, say, Symantec or Trend Micro's bulletins if you doubt I'm correct.

    The worst that SASSER variants can do on machines which haven't been patched for the LSASS vulnerability is download themselves locally and cause a system crash - they can't even run themselves after a reboot, as none of them even bother to write an entry into [HKCU] to run on startup.
  • Abiola,

    You don't understand. Sasser _has_ the ability to write to those locations. Why? Because it's executing in the security context of LSASS. The currently logged on users, if any, are completely and utterly irrelevant.

    In regard to TripWire-style solutions, "rootkits" et al exist that are capable of avoiding even them. There are published methods of A) loading arbitrary code into kernel space and B) using that code to filter and report false information to apps querying such things as file sizes and data.

    TripWire-style things are good for auditing and forensic analysis, but not for guaranteeing integrity.
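The thread above goes back and forth over whether a Tripwire-style integrity check can tell you what was tampered with after an infection (the paid Windows tools and the File Checksum Integrity Verifier mentioned earlier, and the "good for auditing, not for guaranteeing integrity" point here). The following is an added example, not code from the post or any of its commenters, of what such a baseline-and-compare check actually does: it hashes every regular file under a tree, stores the baseline as JSON, and later reports files that were added, removed or changed. The function names, the use of SHA-256, and the tampered file tree built in a temporary directory are all assumptions constructed for this example.

```python
"""Tripwire-style file integrity baseline and comparison (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record hash, size and permission bits for every regular file.

    Keys are paths relative to `root` (POSIX form) so a baseline taken on one
    mount point can be compared against a copy mounted elsewhere (e.g. a suspect
    disk attached to a clean machine).
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlink targets can be swapped; record only real files
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed (hash, size or mode) since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out: Path) -> None:
    """Serialize the baseline; in real use keep this copy off the monitored host."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        # Constructed sample files standing in for a service binary and its config.
        (root / "bin" / "service.exe").write_bytes(b"original service binary")
        (root / "bin" / "helper.dll").write_bytes(b"original helper library")
        (root / "config.ini").write_text("setting=1\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering of the three kinds the check can detect.
        (root / "bin" / "service.exe").write_bytes(b"contents replaced")   # modified
        (root / "bin" / "dropped.exe").write_bytes(b"unexpected new file")  # added
        (root / "config.ini").unlink()                                      # removed

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat in the comment above is what decides how this is used: the check only reads what the operating system reports, so on a host where kernel-mode code is filtering file sizes and contents it will happily report a clean match. It is trustworthy as an audit when the baseline was stored off-host and the comparison is run against the suspect disk from clean boot media, which is the "auditing and forensic analysis" role the commenter allows it, not a proof that the running system is intact.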