Wednesday, September 13, 2006

MS06-040: The worm that can't be cured

The writing in this InfoWorld column is not to my tastes, but there's an interesting story here: Enterprise Mac | InfoWorld | Sequelae of that seldom-seen, irrelevant, could only happen on Windows worm | August 25, 2006 05:44 PM | By Tom Yager.

Yager is a Mac Enterprise software writer (surprisingly, one exists). He experimented with a Windows server and was infected by the "MS06-040" worm. Since then he's been writing about the sequelae. He quotes a SANS article:
You really cannot and
* Even if you delete the keys that start the malware,
* your settings will be mangled, e.g. a test infection with the wgareg.exe:
  * created 17 new registry keys
  * modified 77 other keys including keys used for firewalls, sharing of files, etc.
  * That was just the infection itself, no follow up, no communications with the C & C
* Like any bot it is unpredictable in what the C & C caused the bot to do
I wonder how NAV handles this. I've been unimpressed by NAV, though my current XP solution, Windows OneCare (or whatever it's called), has its own issues.
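
The SANS numbers quoted above (17 keys created, 77 modified) come from comparing the registry before and after a test infection. The script below is an added example, not code from this post, SANS, or Yager; it diffs two registry exports in the `.reg` text format that `reg export` produces and flags changes under autostart, service, firewall and file-sharing paths. The two exports embedded here are constructed samples: the `EXAMPLE_malware` and `EXAMPLE_svc` names are placeholders and do not describe what wgareg.exe actually writes.

```python
"""Diff two Windows registry exports (.reg format) and flag sensitive changes.

Added example. Workflow: export a baseline from a clean machine, export again
after the suspected infection, then compare. Real exports from reg.exe are
UTF-16LE with a BOM; load_reg() decodes them, the samples below are inline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed baseline export (not a real capture).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""

# Constructed post-infection export: a new Run entry, the firewall switched
# off, and a new service key. EXAMPLE_* names are placeholders.
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"EXAMPLE_malware"="C:\\WINDOWS\\system32\\EXAMPLE_malware.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EXAMPLE_svc]
"ImagePath"="C:\\WINDOWS\\system32\\EXAMPLE_malware.exe"
"Start"=dword:00000002
"""

# Path fragments a defender cares about: autostart, services, firewall, file sharing.
WATCHLIST = ("\\CurrentVersion\\Run", "\\Services\\", "FirewallPolicy", "LanmanServer")

RegTree = Dict[str, Dict[str, str]]


def parse_reg(text: str) -> RegTree:
    """Parse .reg text into {key_path: {value_name: raw_value_text}}."""
    keys: RegTree = {}
    current: Optional[str] = None
    pending = ""  # hex values may continue over several lines ending in '\'
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = value
    return keys


def load_reg(path: str) -> RegTree:
    """Load a file written by `reg export` (UTF-16 with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


Change = Tuple[str, Optional[str], Optional[str]]  # (value name, old, new)


def diff_registry(baseline_text: str, after_text: str) -> dict:
    """Return added/removed key paths and per-key value changes."""
    before, after = parse_reg(baseline_text), parse_reg(after_text)
    modified: Dict[str, List[Change]] = {}
    for key in sorted(set(before) & set(after)):
        changes = [
            (name, before[key].get(name), after[key].get(name))
            for name in sorted(set(before[key]) | set(after[key]))
            if before[key].get(name) != after[key].get(name)
        ]
        if changes:
            modified[key] = changes
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": modified,
    }


def flag_sensitive(report: dict, watchlist=WATCHLIST) -> List[str]:
    """Keys added or modified under any watchlisted path fragment."""
    touched = report["added"] + list(report["modified"])
    return sorted(k for k in touched if any(w.lower() in k.lower() for w in watchlist))


if __name__ == "__main__":
    report = diff_registry(BASELINE, AFTER)
    print(f"{len(report['added'])} keys added, {len(report['modified'])} keys modified")
    for key in flag_sensitive(report):
        print("SENSITIVE:", key, report["modified"].get(key, "(new key)"))
```

On the constructed samples this reports one key added and two modified, and flags all three as sensitive. The counts in the SANS quote are the same kind of output, which is why a pre-infection baseline export is worth keeping: without it there is nothing to diff against, and the only honest answer is the one the post reaches, wipe and restore.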

The bottom line is that in the new XP world backups are increasingly important -- because if you get infected you'll need to wipe everything, restore data only to some safe location, cleanse the data, then restore the data -- if that can be done. Hmm. Maybe the better solution is to restore the data to an OS X machine and forget XP.

I wish I knew how many NAV users who think they don't have a problem are actually infected; I have no idea how common that is.
