Thursday, April 9, 2009

Virus strikes while reinstalling Windows

I have heard more than one security expert preach "disconnect your machine while reinstalling Windows." I never really believed it until now. Is it really possible to be infected while reinstalling Windows? In short, the answer is 'YES'.

Recently at work we were rebuilding a server with Windows Server 2003. Once the installation routine completed, we attempted the usual configuration most system administrators can do in their sleep. This time, however, we couldn't access Task Manager. Windows kept saying it's been disabled by your Administrator. Being the geeky technical types, we checked Active Directory Group Policies and a bunch of other security policies. We must have spent just under an hour on all these other items before we saw the light and decided to scan for viruses. Remember, this server was just freshly rebuilt; we had not even browsed the Internet on it.

20 minutes after we initiated a scan we confirmed an infection. Needless to say, we were blown away. When the dust settled, the reality of the situation hit us hard. "Oh my god, we have a worm loose on our network." It's actively scanning vulnerable machines. Panic set in, and like good little firefighters we set gears in motion looking for other servers with similar symptoms. It took us several days to track down a handful of other servers infected with the same virus strain.

There you have it: "proof" you can be infected while reinstalling Windows. When you think about it, it makes total sense. I mean, reinstalling from the original Windows Recovery CD, you're going back in time, potentially erasing years of security, years of painful and diligent patching.

Needless to say we've changed our practices... but only after learning the hard way.

