Worms on Campus: What’s In Your Pocket?

a worm morphing into a USB cable, slithering toward an apple

Earlier this week, various computer lab classrooms on the 4th, 6th and 9th floors were infected with a worm called W32.Downadup (more commonly known as Conficker), so anyone who plugged into a computer anywhere should scan any device they plugged in (be it USB or mobile phone) as well as any computers they may have connected them to afterwards. In short, anyone who has used a campus computer should get their devices checked out as soon as possible. If you think that just having an antivirus on your computer will keep you from possible infection, think again. This particular worm is very easy to spread, especially by USB, and almost everyone on campus has one.

Transmission

Inconvenient? Yes. Irritating? Very, but this worm wouldn’t deal nearly as much damage if it weren’t so easy to spread. On an infected computer, Conficker will copy itself into an infected computer the second the AutoPlay program runs. More specifically, Conficker will create a ‘.inf’ file (short for Setup Information File) on any USB device connected to an infected computer. Generally, inf files are text files used by Windows to install software and drivers – in this case, used to install the worm on new computers. The AutoPlay setting can be disabled on a computer, but that’s a moot point if a user opens the infected USB anyway.

Another method used and abused by this worm is social engineering. Students in the computer systems major probably already know this, but social engineering can include anything from calling a person and pretending to be an IT worker to get a password to a developer making an application to manipulate people into giving them their banking information. In the event a computer isn’t infected through AutoPlay, Conficker can disguise an executable file as a folder by changing the icon to look like a folder, leading users to unknowingly infect their computers.
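To check a drive for the two tricks described above, here is an added example (not part of the original article) that lists the launch commands in an `autorun.inf` and flags executables sitting in the drive's top folder, where one could pass for a folder. The extension list and the sample drive built in `demo()` are assumptions made for illustration; point `scan_drive` at a real drive root such as `E:\` to use it.

```python
import re
import tempfile
from pathlib import Path

# Keys in autorun.inf that tell Windows what to launch.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
# Extensions treated as executable for this heuristic (an assumption; extend as needed).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".dll"}

def scan_drive(root):
    """Return a list of (kind, detail) findings for the top level of a drive."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            # Decode leniently so stray non-text bytes cannot hide the real keys.
            text = entry.read_bytes().decode("latin-1")
            for line in text.splitlines():
                m = LAUNCH_KEY.match(line)
                if m:
                    findings.append(
                        ("autorun-launch", f"{m.group(1).lower()}={m.group(2)}"))
        elif entry.suffix.lower() in EXEC_EXT:
            # An executable in the drive root may be wearing a folder icon.
            findings.append(("root-executable", entry.name))
    return findings

def demo():
    """Build a constructed sample drive in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Homework").mkdir()
        (root / "notes.txt").write_text("semester project")
        (root / "Photos.exe").write_bytes(b"MZ constructed sample, not real malware")
        (root / "autorun.inf").write_bytes(
            b"\x00\xffjunk\r\n[AutoRun]\r\nshellexecute=Photos.exe\r\n"
            b"shell\\open\\command=Photos.exe\r\n;comment\r\n")
        return scan_drive(root)

if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

A finding is a prompt to scan the drive with an antivirus before opening anything on it, not proof of infection; some legitimate installers also ship an `autorun.inf`.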

What’s the Risk?

There are multiple versions of this worm floating around the net and nearly all of them make it difficult for infected computers to detect and/or remove them. Most versions of Conficker disable Windows Update and block users from visiting anti-malware sites, but nastier versions take it a step further, disabling safe mode and killing any anti-virus, patch or diagnostic processes they come across. While most symptoms of the Conficker worm only affect the computer, the defining issue for students is this worm’s ability to corrupt flash drives. That project you’ve been working on all semester? Gone. It can’t be stressed enough. Back up your work.

Symptoms of Infection

Symptoms can include slow internet, forced redirection to ‘not safe for work’ sites, disabled folder options (unable to view hidden folders), and potential damage to USB drives. While most symptoms of the Conficker worm only affect the computer and whatever network it’s on, the defining issue for students is this worm’s ability to corrupt flash drives. Students have reported missing files and folders, new files that they didn’t add and occasionally a completely corrupted flash drive.

While it’s unknown whether or not the school at large has been infected, it should be common practice for anyone using portable storage devices to routinely check for viruses and malicious programs. So for the people who stick their drive in the nearest computer without taking any security precautions, the question remains: what are you carrying?

