Fighting a worm

Today I wanted to install PHP 5 + Apache 2 on my brother's laptop because he wanted to learn some (PHP) programming. While I was fighting with the PHP install process (the Windows PHP installer does not come with an Apache module?!), the Apache Start Menu entries were suddenly filled with myriads of executables like "Britney Spears Sexy archive.doc.exe" (to name one of the more harmless sounding - I don't want to risk becoming linked under the false keywords in Google...). A quick search showed that all folders that have something to do with uploads/downloads had been spammed with these files. Simply deleting them did not help - after rebooting they appeared again.

At least I now knew that some program was executed at Windows startup which created all these files - probably some kind of worm. The strange thing was that this particular box had been behind a masquerading server for quite some time, so nobody should have been able to directly connect to this computer from the net to exploit some Windows bug. And my brother had only downloaded the PHP and Apache installers and some MP3s lately and did not open any attachments (and he is using Mozilla Thunderbird, so no Outlook exploits either).

So I started googling for all currently running processes. For some harmless Windows built-in exes, Google linked me to subpages of http://www.neuber.com/taskmanager/process/. Following the links on the page, I found Security Task Manager. This app lists all currently running processes - just like Windows Task Manager - and additionally displays information like possible threats, the full path of the executables, a program description (when available) and a list of all character strings in the file. Very handy indeed. It also has a quarantine function, which moves the executable to an isolated folder and removes all (hidden) autostart entries for the file (and makes a backup, so everything can be restored if the process later proves to be harmless).

A file called FVProtect.exe was listed as the most likely dangerous running program, and quarantining it proved that it really was the delinquent. A quick internet search showed that it was the executable of a known worm called W32.Netsky.P@mm, and Symantec provided a handy removal tool, so all is now well again...
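The triage the post did by hand with Security Task Manager, as an added example that is not from the original post and not the tool's own code: a read-only PowerShell script that lists the Run/RunOnce autostart entries together with the Authenticode signature status of the file each one launches, the running processes with their on-disk image paths, and any "something.doc.exe"-style double-extension files under a few user folders. The folder list, the extension pattern and the function names are my own assumptions for illustration; it assumes a current Windows PowerShell (not the box in the post), and it quarantines or deletes nothing.

```powershell
# Added example, not from the original post. Read-only triage of the places a
# worm typically persists and the decoy files it drops. Run from an elevated
# prompt so the HKLM keys and all process image paths are readable.
# Folder list, extension pattern and function names are assumptions.

function Get-CommandExecutable([string]$Command) {
    # Pull the program path out of a Run value: a quoted path, or the text up to the first ".exe".
    $Command = $Command.Trim()
    if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { return $Command.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($Command, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($Command -split '\s+')[0]
}

function Get-AutostartEntries {
    # Run/RunOnce values are executed at every logon; that is why a deleted
    # dropper "comes back" after a reboot until the value itself is removed.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties Get-ItemProperty adds about the registry provider itself, not Run values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $exe = Get-CommandExecutable ([string]$p.Value)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            [PSCustomObject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Executable = $exe
                Signature  = $sig   # 'Valid' for signed vendor binaries; anything else deserves a look
            }
        }
    }
}

function Get-ProcessPaths {
    # Every running process with the on-disk path of its image, as Security Task Manager shows.
    # An empty ExecutablePath usually means a protected system process or a missing privilege.
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine |
        Sort-Object ExecutablePath
}

function Find-DecoyExecutables {
    param([string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP"))
    # Bait like "archive.doc.exe": a data-file extension followed by an executable one,
    # relying on Explorer hiding the real (last) extension. Pattern is an assumption.
    $pattern = '\.(doc|txt|jpg|zip|rar|mp3|pdf|rtf)\.(exe|scr|pif|com|bat)$'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $pattern } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Usage: unsigned or missing autostart executables are listed first.
"=== Autostart entries ==="
Get-AutostartEntries | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table -AutoSize
"=== Running processes and their image paths ==="
Get-ProcessPaths | Format-Table -AutoSize
"=== Double-extension files in user folders ==="
Find-DecoyExecutables | Format-Table -AutoSize
```

What to look for: an autostart entry whose Signature is not Valid, whose Executable carries an unfamiliar name in a system or user-writable folder, and which matches a running process in the second list is the quarantine candidate. Both the file and the Run value have to go (after a backup), which is exactly what the tool's quarantine step does; removing only the file leaves a dangling entry, and removing only the entry leaves the dropper on disk for something else to relaunch.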

I just don't know how this worm infected the computer in the first place. Maybe through the ads ICQ displays at startup?

This completely took away the time I had set aside for writing the next part of my Sorting in Mono series, so no post on insertion sort today...
