I'm back on Mordion now, after a day of fighting to bring it back to functionality. The problem turned out to be a set of trojans/worms, but I still haven't sorted out how they got there -- I don't open attachments, I don't use MS email/web clients, and none of the stuff I downloaded online came up as infected when I ran the scans. :-/
I had noticed that my 'net connection was going unusually slow, with frequent timeouts, my hard drive was constantly spinning, and something was clearly eating up processor power. I assumed that it was just software bloat, which was stupid given this is a 1.2GHz system with 256 megs of memory and I don't run *that* much software... Then, while talking to Parrish Monday night, it dawned on me that the behavior was very much like what one would expect from an infected system. After a bit more monkeying around, I tried to install Norton AntiVirus.
Big mistake, but one that confirmed my suspicion that something was seriously wrong. AV had issues installing, which was the first sign of trouble; the second was that upon the usual post-installation reboot, my ability to access .exe files vanished. Ack! I tried Matt's suggestion of checking to make sure that nothing had associated .exe with another program: nope. I could still run .com/.bat with no problem, and .exe called in a specific way within other programs worked, but overall XP had gone malfunctional.
I grabbed the XP installer from my server (where I always keep a working copy), copied it temporarily to Mordion's hard drive, and tried running it. No luck, of course: Setup is an .exe. The autorun worked if I just opened that directory, so Setup would start, but then the sub-component that would do the actual installation failed. Obviously I'd have to boot it from CD, but how?
The problem with writing to CD wasn't that the hardware couldn't, but that I couldn't start Nero (as it is an .exe) and the internal CD burning program within XP had died. Out of desperation, I renamed Nero.exe to Nero.com and managed to start it that way early Tuesday morning, which paved the way for the first step in repairing the system. I burned a copy of XP (I couldn't find my XP install CD, unsurprisingly) to CD and tried booting with it.
Nope, no luck. I had forgotten that MS has a few tweaks to prevent people from doing exactly what I was trying to do (make a cold-bootable copy) and, in the process, also forgot how to get around it. At that point, Mordion decided it didn't like network access anymore, however, so I couldn't just look the instructions up online or on my server. Whoops. My tower server, meanwhile, is in the corner of a room filled with familial messes, and there was no way I wanted to wade over to look it up. So I grabbed my Clie, and used *it* to Google for the instructions instead. I already had the necessary files; the question was what weird settings would be necessary to make a CD with them bootable.
A few minutes later, I had my instructions, and Nero happily created a bootable XP CD for me. Yay! I clean-installed the OS, then successfully put AntiVirus on it. The initial scan revealed the problem: 91 different infected programs! The computer had SoBig D & E, Kwbot F, Backdoor.sdbot F, and Backdoor.OptixPro.12 all resident in subdirectories of the old copy of Windows -- they were probably all running when my system was acting up, too. No wonder it was so screwed up.
After reinstalling programs and drivers (with Norton AntiVirus running this time) things are mostly back to normal, luckily. Looking up info on the various infections Mordion had, my suspicion is that either there are security issues at the TMobile wireless network (there certainly were on Berkeley's wifi), or something got in via KazaaLite (though I'm not sure how) *or* the IE involvement in Earth Station 5 allowed things to infiltrate my system. Specifics for Kwbot in particular point to the P2P networks as the most likely suspects, in any event.
Now, to see if I can burn a copy of Knoppix, and get to work downloading some other form of Linux now that my system isn't a huge wreck. I had forgotten what fun it is (well, aside from the caffeine overload -- 2 liters of Coca-Cola in ~10 hours was a mistake) to be challenged by a computer and come out on top. I remember greatly enjoying the learning curve with Linux back in 2001, so I'm going to repartition and get things rolling again as soon as I can. That probably won't be until the weekend, though -- I'm going out to see 42nd Street in San Francisco Wednesday night, then I have two appointments on Friday morning followed by going to see Ian Anderson (!) at a small venue Friday night. Woo, fun week!
Posted by moggy at September 23, 2003 09:09 PM

If you have the 'preview' window open in your email program with html rendering turned on, just clicking on the subject of an infected email prior to deleting it is enough to infect your computer, even if you are not using outlook express. With that many trojans and viruses, I would recommend saving any files you need and reformatting - you never know what a hacker could have put on your computer while they had access. People make their own custom hacking tools that are not widespread enough to get detected in norton.
Where I work, all the tech support computers get formatted every 3-4 months, as they are usually full of virii/trojans in that time span. I think the record was 15 separate virii/trojans.
Also, the main payloads of the sobig viruses are putting an open mail relay on your computer to allow spammers to use your computer to send spam, and those are not removed by norton, just the viruses.
I am sure now that you have done a clean install, you are going to windows update and getting all the critical updates? Visiting certain web sites without the ie patches can infect your computer also.
After you install Knoppix, you need to get all the latest patches for that also, as openssh has had security holes found in the last few weeks also.
Buggy in the virtual and real worlds too :)
Posted by: Matt on September 24, 2003 05:42 AM

This worm thing makes me think of the movie Dune.
Ben.
Posted by: Bennie on September 25, 2003 07:35 AM

Long Live the Fighters!
If Denise got a bunch of teeny weeny harnesses and leashes, and caught a bunch of the bugs, and...
never mind...
:)
Posted by: Matt on September 25, 2003 03:01 PM