Last weekend I got roped into helping one of my wife's work friends upgrade to a brand new PC. After a full afternoon of unpacking equipment, getting it all plugged in, and copying data from the old to the new computer, it was finally time to get her Internet access working. I'd forgotten how awful the era of dialup was as we got connected and began the arduously slow task of downloading the necessary Windows XP Updates. After 20 or 30 minutes of waiting we decided to go out for dinner. But when we came back, the computer was acting really strangely. The Updates were taking forever to download, and once downloaded they wouldn't install. Buttons like "Restart" were missing, and the installed virus scanner kept shutting off. The interface showed lots of traffic even when I wasn't doing anything. Great. Suspecting the worst, I finally offered to just take the system home and get it all patched up in the comfort of my own network. I should have known better than to put an unprotected Windows box on the Internet, even for a minute.
Sure enough, as soon as I turned on the computer and put it in a quarantined area on my home
network, it began spewing out billions of packets to port 445. Sasser. Fantastic. Plus
some other stuff to port 13000 I didn't recognize. I tried cleaning the system up--I got
all the Windows XP updates installed, got the virus scanner all up to date, ran a Sasser
removal tool, ran a few full system virus scans. It found about 5 or 6 viruses, stuff
like W32.Spybot.Worm and W32.Bobax.C. However even after all the cleanup, the computer
was still spewing tons of 445 packets into the aether. I nuked some processes that I
didn't recognize (which did finally stop the packet storm), and removed them from the
registry so they wouldn't start up again. These were all things the virus scanners didn't
know about, I guess. After a little while of this, I realized I was running around a bit
half-cocked, turning things off, making changes--kind of like the infamous Whack-A-Mole
carnival game, where the little rodents keep popping their heads up faster than you can
hit them over the head with your mallet. Although I think I finally got the worst
offenders, who knows what else was lurking on the machine, or what permanent damage had
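The packet storm described above (one host hammering port 445 at many addresses, plus unexplained traffic to port 13000) is exactly the kind of thing a quarantine network should catch automatically. Here is an added example, not from the original post, that flags such hosts from outbound flow records; the "src dst dport" log format, the sample records and the fan-out threshold are assumptions made for this example.

```python
# Added example: detect a host spraying SMB (port 445) connection attempts at
# many distinct destinations, plus any traffic to ports outside an expected set.
# Log format, sample data and thresholds are constructed for this example.
from collections import defaultdict

# Constructed sample of outbound flow records, one "src dst dport" per line.
SAMPLE_FLOWS = "\n".join(
    [f"192.168.1.50 10.0.0.{i} 445" for i in range(1, 31)]  # 30 distinct SMB targets
    + [
        "192.168.1.50 203.0.113.9 13000",  # the unrecognised port-13000 traffic
        "192.168.1.20 192.168.1.1 80",     # a healthy host browsing the web
        "192.168.1.20 192.168.1.1 445",    # one legitimate SMB share mount
        "garbage line",                    # malformed record, should be skipped
    ]
)


def parse_flows(text):
    """Yield (src, dst, dport) tuples, silently skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])


def find_scanners(flows, port=445, min_targets=20):
    """Return {src: distinct_target_count} for hosts that contacted at least
    min_targets distinct destinations on the given port (worm-style fan-out)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def unusual_ports(flows, expected=(53, 80, 443, 445)):
    """Return {src: sorted list of destination ports} outside the expected set."""
    seen = defaultdict(set)
    for src, _, dport in flows:
        if dport not in expected:
            seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print("SMB scanners:", find_scanners(flows))   # {'192.168.1.50': 30}
    print("unusual ports:", unusual_ports(flows))  # {'192.168.1.50': [13000]}
```

A single legitimate SMB mount (the 192.168.1.20 host) stays below the fan-out threshold, so only the infected box is reported.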
At this point, I realized I could just hand back the machine, but my conscience would
stand for nothing less than a full reinstall. So that's what I did--this time with the
benefits of a broadband connection and a NAT firewall. The key, it appears, for those
unlucky enough to not have a private network and firewall, is to enable Windows XP's
built-in Internet Connection Firewall (ICF) before ever plugging in a phone or
ethernet cable. Even this has problems, like apparently there's a brief period during
bootup where your interfaces are on, but ICF isn't, but this shouldn't be a problem for
Argh. I hate Windows.
The really sad thing here is, how are lay consumers expected to know that their brand new,
$1000-$2000 PC is going to be compromised the second they connect to the Internet?
Shouldn't the computer come with a big, yellow warning label on the front of the box:
WARNING: Microsoft products loaded--seek professional assistance
before connecting to the Internet. A friend of mine at work always jokes that the
little "Intel Inside" sticker on the front of every PC is actually a warning label. Isn't
that the truth.
Here are some links that helped me out: