Last weekend I got roped into helping one of my wife's work friends upgrade to a brand
new PC. After a full afternoon of unpacking equipment, getting it all plugged in, and
copying data from the old to the new computer, it was finally time to get her Internet
access working. I'd forgotten how awful the era of dialup was as we got connected and
began the arduously slow task of downloading the necessary Windows XP Updates. After 20
or 30 minutes of waiting we decided to go out for dinner. But when we came back, the
computer was acting really strangely. The Updates were taking forever to download, and
once downloaded they wouldn't install. Buttons like "Restart" were missing, and the
installed virus scanner kept shutting off. The interface showed lots of traffic even when
I wasn't doing anything. Great. Suspecting the worst, I finally offered to just take the
system home and get it all patched up in the comfort of my own network. I should have
known better than to put an unprotected Windows box on the Internet, even for a minute.
Sure enough, as soon as I turned on the computer and put it in a quarantined area on my home network, it began spewing out billions of packets to port 445. Sasser. Fantastic. Plus some other stuff to port 13000 I didn't recognize. I tried cleaning the system up--I got all the Windows XP updates installed, got the virus scanner up to date, ran a Sasser removal tool, and ran a few full system virus scans. It found about 5 or 6 viruses, stuff like W32.Spybot.Worm and W32.Bobax.C. However, even after all the cleanup, the computer was still spewing tons of port 445 packets into the aether. I nuked some processes that I didn't recognize (which did finally stop the packet storm), and removed them from the registry so they wouldn't start up again. These were all things the virus scanners didn't know about, I guess. After a little while of this, I realized I was running around a bit half-cocked, turning things off, making changes--kind of like the infamous Whack-A-Mole carnival game, where the little rodents keep popping their heads up faster than you can hit them over the head with your mallet. Although I think I finally got the worst offenders, who knows what else was lurking on the machine, or what permanent damage had been done.
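The tell-tale sign above was a single host fanning out to many different addresses on port 445. Here is a small added example (mine, not from the original post) that flags that pattern in a constructed connection log: hosts reaching an unusually large number of distinct destinations on 445, plus a count of hits on the two ports the post mentions. The log format and sample lines are made up for illustration.

```python
# Added example, not from the original post: spot worm-style port 445 fan-out
# in a constructed connection log. Format (assumed): "ts src dst dst_port proto".
from collections import defaultdict

# Constructed sample: one noisy host, one normal file-sharing client, one HTTPS client
SAMPLE_LOG = """\
1 192.168.1.50 10.0.0.1 445 tcp
1 192.168.1.50 10.0.0.2 445 tcp
1 192.168.1.50 10.0.0.3 445 tcp
1 192.168.1.50 10.0.0.4 445 tcp
1 192.168.1.50 10.0.0.5 445 tcp
2 192.168.1.50 10.0.0.6 13000 tcp
2 192.168.1.51 192.168.1.10 445 tcp
2 192.168.1.51 192.168.1.10 445 tcp
3 192.168.1.52 203.0.113.5 443 tcp
"""

WATCHED_PORTS = {445, 13000}  # the two ports the infected box was hammering

def parse_log(text):
    """Yield (src, dst, port) from the constructed log; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, src, dst, port, _proto = fields
        try:
            yield src, dst, int(port)
        except ValueError:
            continue

def find_scanners(text, port=445, min_fanout=5):
    """Return {src: distinct destination count} for hosts that contact at least
    min_fanout different addresses on the port. A real file-sharing client talks
    to a few servers repeatedly; a worm touches many unique hosts once each."""
    fanout = defaultdict(set)
    for src, dst, p in parse_log(text):
        if p == port:
            fanout[src].add(dst)
    return {src: len(d) for src, d in fanout.items() if len(d) >= min_fanout}

def watched_port_hits(text):
    """Connection counts per (src, port) for the watched ports only."""
    hits = defaultdict(int)
    for src, _dst, p in parse_log(text):
        if p in WATCHED_PORTS:
            hits[(src, p)] += 1
    return dict(hits)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))      # {'192.168.1.50': 5}
    print(watched_port_hits(SAMPLE_LOG))
```

The fan-out threshold is the knob: the quiet client that repeatedly hits one server on 445 is left alone, while the host touching five different addresses is flagged.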
At this point, I realized I could just hand back the machine, but my conscience would stand for nothing less than a full reinstall. So that's what I did--this time with the benefits of a broadband connection and a NAT firewall. The key, it appears, for those unlucky enough to not have a private network and firewall, is to enable Windows XP's built-in Internet Connection Firewall (ICF) before ever plugging in a phone or ethernet cable. Even this has problems: apparently there's a brief window during bootup when your interfaces are up but ICF isn't yet, though that shouldn't be a problem for dialup users.
Argh. I hate Windows.
The really sad thing here is, how are lay consumers expected to know that their brand new, $1000-$2000 PC is going to be compromised the second they connect to the Internet? Shouldn't the computer come with a big, yellow warning label on the front of the box: WARNING: Microsoft products loaded--seek professional assistance before connecting to the Internet. A friend of mine at work always jokes that the little "Intel Inside" sticker on the front of every PC is actually a warning label. Isn't that the truth.
Here are some links that helped me out: