Friday, November 7, 2008

Why do I have to format and reinstall Windows after my computer is infected with a virus?

For many virus, worm, or Trojan computer infections, either the UITS Support Center or the University Information Security Office (UISO) will tell you that you must reformat your hard drive (i.e., erase Windows) and reinstall Windows from scratch. You are sometimes told to do this even when your antivirus program can remove the virus, or when the companies that make antivirus programs have tools available to delete the infection.

UITS tells you this because there's a threat beyond the virus, worm, or Trojan itself. Most current infections leave the computer open to further compromise. The virus or worm itself is merely the carrier of something else that might be more malicious. Following are examples:

* W32.Mytob.JI@mm
* W32.Spybot.WON
* W32.Bobax.AJ@mm
* PWSteal.Reoxtan

The first two examples actively open a backdoor through which other malicious programs can be loaded. The third turns an infected computer into a proxy, which lets someone route Internet traffic through it in order to obscure the true source of that traffic. The last installs a monitor that attempts to capture passwords and uploads them to a remote computer.

In all these sample cases, you can remove the infection (the virus) itself, but problems remain:

* In the W32.Mytob.JI@mm and W32.Spybot.WON cases, something else separate from the worm can be installed. A backdoor can let anything in, and that's how these two worms function. Removing the backdoor does not address what may have come through it in the time between infection and removal; those are separate problems.

* W32.Bobax.AJ@mm and PWSteal.Reoxtan modify registry entries and files, and those changes cannot be undone by Symantec's antivirus products. The user must manually restore the affected registry entries and files.

* PWSteal.Reoxtan also keeps the passwords and other information it steals in a text file on the infected computer. Unless these files are found and deleted, they remain a security risk: any future infection that allows access to files on the infected computer will also allow access to the password(s) in that text file. Any password that was typed on the machine while it was infected should be treated as exposed and changed.
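To make the list above concrete, here is a triage script added to this page (it is not from UITS, UISO, or Symantec) that enumerates the places a second-stage payload typically leaves traces after the carrier worm is gone: the Run/RunOnce registry keys, services whose binary lives outside the Windows and Program Files trees, TCP ports left listening by a backdoor or proxy, and small text files that mention passwords. It assumes Windows PowerShell 3 or later; the registry paths, file-name patterns, and search roots are the assumed common locations, not anything the page specifies. Anything it finds is something antivirus removal of the carrier would not have touched; a clean result is not proof of a clean machine, which is the point of the reinstall advice.

```powershell
# Added post-cleanup triage example (not from the original page or from any vendor).
# Assumed autostart locations: the standard Run/RunOnce keys for machine and user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    # Each value under a Run key is a command Windows launches at logon;
    # a backdoor dropped through a worm usually registers itself here.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ServiceBinaries {
    # Services are another persistence point; flag those whose executable is not under
    # the Windows or Program Files directories (heuristic, not a verdict).
    Get-WmiObject Win32_Service | Where-Object {
        $_.PathName -and ($_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')
    } | Select-Object Name, StartMode, State, PathName
}

function Get-ListeningPorts {
    # A backdoor or proxy has to listen somewhere; netstat -ano exists on every Windows release.
    netstat -ano | Select-String 'LISTENING' | ForEach-Object {
        $f = ($_ -split '\s+') | Where-Object { $_ }      # drop empty fields from leading spaces
        [pscustomobject]@{ LocalAddress = $f[1]; PID = $f[4] }
    }
}

function Find-PlaintextCredentialFiles {
    # Assumed search roots and patterns for the kind of stash PWSteal.Reoxtan leaves behind.
    param([string[]]$Roots = @($env:USERPROFILE, $env:TEMP, "$env:SystemRoot\Temp"))
    Get-ChildItem -Path $Roots -Recurse -Include *.txt, *.log, *.dat -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -lt 1MB } |
        Select-String -Pattern 'password|passwd|pwd=' -List -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber
}

'== Autorun registry entries ==';               Get-AutorunEntries            | Format-Table -AutoSize
'== Services outside Windows/Program Files =='; Get-ServiceBinaries           | Format-Table -AutoSize
'== Listening TCP ports ==';                    Get-ListeningPorts            | Format-Table -AutoSize
'== Files that mention passwords ==';           Find-PlaintextCredentialFiles | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and every service definition are readable. Each section maps to one of the problems listed above: the Run keys and service list cover what a backdoor may have installed, the listening ports cover a backdoor or proxy that is still alive, and the file search covers the stolen-password stash. Correlate any unfamiliar listening PID with Get-Process before deciding what it is.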

So it is entirely possible to suffer negative effects even after cleaning your computer with an antivirus program. Many current infections follow the pattern of the four examples above; it is extremely rare for a virus, worm, or Trojan not to allow for or leave behind some further compromise. In the case of infections that install backdoors, since it is difficult or nearly impossible to determine what came through before the backdoor was removed, it is impossible to determine how compromised a computer is. For security's sake, the worst must be assumed. That is why UITS and UISO require you to erase your Windows installation and reinstall it from known-good media, restoring only your data files rather than programs: it is the only way to be sure no further compromises remain.
