
Home Office: Protect Yourself From Worms

What a pain! Last month I spent more than two hours on the phone (on my dime, no less) helping my brother-in-law, David, shake loose the W32.Blaster.Worm. (FYI: The worm goes by other names: MSBlaster, Blaster, and Lovesan.) It was a messy, time-consuming job but we finally nailed it. The killer is, the whole thing could have been avoided. This week I'll give you some guidelines, articles, and tips for avoiding the next attack--maybe.

One thing before we continue: If you're using Windows 98, ME, 95 or, heaven help you, 3.1, you're exempt from this wormish angst. This is a Win XP, 2000, NT, and Windows Server 2003 problem. I urge you to upgrade to XP immediately so you can join in the fun. And if you run into Blaster's author, lemme know so we can dispatch him (or her) quickly and humanely.

Note: If you're too busy to read the entire newsletter right now, please take a sec and grab Microsoft's patch. It will protect you from Blaster. (If you applied the patch before August 13, do it again; Microsoft issued a newer patch.) There's a link on the page for XP, NT, W2K, and server patch editions. BTW, if you're using XP, the vast majority of you have the 32-bit version (not the 64-bit).

Blaster 10, Bass 0

The worm was brilliantly constructed. It didn't do any harm to the PC; instead, the payload was simply cycling the system off and then back on every 60 seconds or so. It was like playing a video game: I had a minute to talk David through the removal tasks before the worm shut down his PC. Part of the problem was having him do things quickly--bring up the Task Manager, for example, and find and kill msblast.exe, a worm component. As brothers-in-law go, David's good with lots of things; fiddling with the inner workings of XP certainly ain't one of them.

Blaster's Road to Infamy

I think it's worthwhile to give you a little background on the Blaster worm and tell you about a few other nasties.

The first hint that Blaster was causing trouble came in mid-August. We carried a story--"Self-Propagating Worm Spreads"--that was a clear warning. The story outlines how the worm works and refers to an article in which Microsoft raised the alarm about a security flaw. Had I not been asleep at the wheel, I might have written about this sooner and saved us all some grief.

Protection Tip: Take care of yourself. Check the PCWorld.com News page every couple of days and see what's cooking. Alternatively, you can pop over to the CERT Coordination Center every so often.

There's a good chance we're going to get hit with a worm that's even cleverer than Blaster. In "Next-Gen Windows Worms Will Be Smarter," you'll learn that Blaster was poorly written and didn't do as much damage as it could have, and how the next worm could be as damaging as the Code Red worm of 2001.

Just a few days after I dealt with Blaster, a variant reared up: Blaster-B. As I write this newsletter, it's still a low risk, but worth knowing about. The fine points are in "New Blaster Variant Surfaces."

Dig This: Check out my pick for Freeware of the Week. A program can't get much smaller or more efficient than NaDa ... only one byte! It works with every operating system, has no spyware or adware, and performs the same function as programs costing hundreds of dollars: nothing! [With thanks to Carl Siechert.]

Pointing a Finger at Microsoft

What's amazing is that Microsoft released patches in mid-July to deal with a series of security flaws that Blaster ultimately used. But many IT types are unhappy with the company because some of the security patches apparently didn't work on all versions of Windows 2000. The grisly details are in "Did Microsoft Misstep Nurture Blaster?"

OTOH, Microsoft put together a useful FAQ that does an exemplary job of helping to sort out Blaster's dangers. "What You Should Know About the Blaster Worm" talks about firewall protection--something everyone must have, whether on a dial-up or broadband connection. Microsoft has an article on this subject, too.

If you have no experience with a firewall (and even if you do) take a look at our "Step-By-Step: Bulletproof Your PC With a Software Firewall." It'll help you get the most out of your firewall.

Dig This: Can you tell the difference between a programmer and a serial killer? (And I'm not talking about someone who destroys communication ports.) Take the test and see if you beat my eight out of ten score.

More Worries

Yet another danger you should know about is the W32.Mimail worm. It started making its way across the Internet in August, spreading grief in a zipped attachment. The problem is that, by default, some antivirus programs don't look inside zipped files.

If you want an example of the right way to protect a computer system, read "Slammer Lessons Prove Valuable." The Boston hospital profiled in this story didn't feel much of an impact from the Blaster worm. Why? It paid close attention to security issues--and watched for patches as they were released. You'll feel good after you read about it.

Protection Tip: The scanning process will take longer, but I recommend you set your antivirus program to check all archived files. You'll find a way to do it in either the Options or Preferences menu of the program.
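Why the archive setting matters, as an added example that is not part of the original newsletter: a check that judges an attachment by its outer name sees only a harmless-looking .zip, while one that opens the archive (and any archives inside it) finds the executable. The file names, the extension list, and the size and depth limits are constructed for illustration.

```python
import io
import zipfile

# Assumed, non-exhaustive list of extensions treated as executable in this example.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
MAX_DEPTH = 3                          # do not open archives nested deeper than this
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not unpack members declared larger than 20 MB


def shallow_check(filename):
    """What a scanner sees when it judges a file by its own name only."""
    return [filename] if filename.lower().endswith(RISKY_EXTENSIONS) else []


def deep_check(filename, data, depth=0):
    """Return paths of risky files, descending into zip archives."""
    findings = shallow_check(filename)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [filename + " (nesting too deep, not inspected)"]
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = filename + "/" + info.filename
            # Bit 0 of the flags marks an encrypted member, which cannot be read.
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                findings += shallow_check(path)
                findings.append(path + " (encrypted or oversized, not inspected)")
                continue
            findings += deep_check(path, archive.read(info), depth + 1)
    return findings


def build_sample():
    """Constructed attachment: a zip holding a text file and a second zip
    that contains a placeholder file with a double extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo.jpg.exe", b"constructed placeholder, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

The "not inspected" entries are the point of the depth and size limits: anything the check could not open is reported rather than silently passed.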

Tips From the Trenches

I talked with computer consultants Rod Ream, Graeme J. W. Smith, George Siegel, and Toby Scott--guys who work the trenches--and asked them for tricks they use when fixing a client's PC. I wheedled from them this handful of tips:

Test Your System. Grab a copy of Steve Gibson's DCOMbobulator, a free tool that simulates a buffer overrun to let you safely test your system and verify that it's patched against the latest Microsoft Windows exploit. It'll also tell you if you're vulnerable to worms similar to the nefarious Blaster. As with most of Gibson's stuff, it's small, fast to download, and doesn't need to install--just click it and it runs.

Don't Restore Viruses. If your system's been infected, Win XP and ME's System Restore tool may have backed up a virus in the System Volume Information folder or in _RESTORE. You'll want to disable System Restore before scanning if you suspect you're infected. Do it by selecting Control Panel, System, System Restore, then checking "Turn Off System Restore." Make sure to turn Restore back on after the scan. BTW, it's not necessary to disable System Restore each time you scan.

Turn Back the Clock. If you're struck by a time-based worm or virus, try resetting your PC's clock back by a year. It may give you enough time to do an antivirus scan or install a patch.

Blast the Blaster. Just running a Blaster removal tool may not help if your system is already infected. To get rid of the worm, first install the Microsoft patch, then run any of the half-dozen removal tools available on most antivirus sites.

Save Those Patches. Try to make the time to burn all of Microsoft's patches onto a CD. I promise that if you have to reinstall Windows, having the patches available will make the process go more quickly.

Get Daily Updates. Set your antivirus program to update daily. That seems obvious, I know, but you'd be surprised how many people have their antivirus programs set for weekly updates. (Sorry, you'll have to hunt around in Options or Preferences to see how it's done.)

Dig This: Want to be a hit at any geeky party or computer trade show? Walk in wearing a Blue Screen of Death T-shirt. Yes, it's true--you can wear your favorite error message.

Sign up to have Steve Bass's Home Office Newsletter e-mailed to you each week.
