This morning I was greeted with an alert that my Win7 system was infected with the MyDoom virus. The first two questions are: how? And how do I remove it?
So I hop onto my Linux system, google it, and am quickly directed to a Microsoft site. There I get the alert:
This article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Great. The first rule of dealing with a virus is to shut down the system so it can’t do any more harm, and the first thing Microsoft says is that I need to turn the system back on so I can be sure I get the necessary information. Same thing when I want to download their malware removal tool – I need to use the infected system to do it.
To be “fair”, I only need to use a system running the same version of their OS. The problem is that I don’t have another system with the same version of their OS. This is a 64-bit Windows 7 system. My only other Windows systems are a netbook running XP and a mothballed desktop that also runs 32-bit XP. I suspect this is the case in most other households – you only get one new system every few years, and they’ll be running different OS versions.
(Sidenote: all of my Linux systems are at the same version (Ubuntu 10.10). It makes a big difference when you can upgrade your system for free in an evening.)
Smart content is usually a Good Idea but there needs to be a way to say “no, wait, you’re wrong. I want this other content.”
How it happened
What I think may have happened (and this is little more than a guess) is:
- I decided to use the highly-regarded Windows 7 security tool when I initially set up the system
- I tried to install the Cisco VPN client to access the system at work
- Unknown to me, that installer also installed a Symantec “endpoint” product that quietly disabled the existing security software. I’m sure the lawyers would claim that on page 37 of the third click-through license I acknowledged this would happen. Yeah, sure. Whatever.
- The installer failed for unknown reasons. It might have left me without any protection, or it might have left me with just ‘endpoint’ protection but no general protection.
- The system was left in this exposed state for a few months, until I decided to update the virus protection on my netbook and decided to update the Windows 7 box as well. That’s when I discovered that an unfamiliar security package was installed instead.
This was a false alarm. For unknown reasons Firefox downloaded the contents of my Gmail spam folder, and it contained 60-odd viruses. For some reason two of the messages couldn’t be deleted, and that was why I had the alarming message.
There was some collateral damage. I had finished running a full scan in ‘safe mode’ when I somehow triggered a Firefox launch. (Probably for documentation provided online.) There was no network connection, so all of the cached session information failed to load… and that meant the tabs were removed from the session. So I had a fresh new session when I restarted Firefox. Sigh. There went 20+ windows of things that were interesting enough to load but which I didn’t have time to read yet.