Regrettably, I don’t get to see my folks as much as I’d like… there’s 500-odd miles and a sea between us, so it was a rare pleasure for my parents to visit me over Christmas for a few days.
After a day or so, my dad says to me, “Could you have a look at my laptop? Every now and then a strange Asian website keeps popping up. I thought I had a virus but the virus scanner says all is well.”
So I had a look… and yup, he had a trojan. Not a particularly nasty one and easily removed armed with instructions from the web. It was a variant of W32/Autorun-TR or Win32.Worm.Agent.QAL depending on your nomenclature. I have to recommend Avira’s Antivir Rescue System which is a bootable CD that will scan the hard disk for infection – download from here. It’s an essential item for every geek – the Rescue System picked up the virus straight away.
However, what was more interesting was (a) how did he get the virus and (b) why didn’t his (corporate) anti-virus software pick the virus up?
Dad’s an MD for a specialised engineering firm, so he travels a little. He’s reasonably technically-savvy but not an IT expert. It transpired that he’d been in China recently and had shared a USB memory stick with a local agent. This matched the modus operandi of the virus so that part of the mystery was solved.
What I couldn’t understand was, given the age of the virus (late 2008) and that the corporate antivirus software appeared to be working, why the trojan hadn’t been picked up as soon as the USB stick was plugged in?
A little further digging revealed the problem… although the AV software was working, it hadn’t successfully installed new virus signatures in over a year – the last successful update was from mid-2008. The signatures seemed to download ok, but they never got installed into the AV engine properly. If I forced it to download updates, the activity bar would go to 100% and the window would close, so everything looked ok, but if I subsequently went to the dialog which showed the signature version, it was unchanged.
I’m not going to name which anti-virus software it was because I suspect part of the issue might be that my dad’s company hasn’t paid its annual licence and therefore isn’t entitled to updates. However, I think it’s very poor that there isn’t a warning on startup clearly saying, “Virus signatures are now 18 months out of date – system at risk”. If Dad had seen that 17 months ago, he would have been on to his IT dept straightaway to get the licences paid (or whatever remedial treatment is needed). A severe virus outbreak could literally put the company out of business, so I suspect someone will be starting 2010 with an important task from the MD.
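The check I wish the AV had done for itself, as an added example that is not code from the post or from any AV vendor: compare what the engine reports about its signatures before and after a forced update, ignore the updater’s progress bar entirely, and raise the “N months out of date” warning when the installed signatures are older than a threshold. The version strings, dates and the seven-day threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Tuple


@dataclass(frozen=True)
class SignatureState:
    """Signature metadata as the AV engine itself reports it (not the updater)."""
    version: str
    installed_on: date


def signature_age_days(state: SignatureState, today: date) -> int:
    return (today - state.installed_on).days


def check_signature_update(before: SignatureState, after: SignatureState,
                           today: date, max_age_days: int = 7) -> Tuple[str, str]:
    """Compare what the engine reported before and after a forced update.

    The updater's "100% and window closes" is deliberately ignored: only a
    change in the version the engine reports counts as a successful install.
    """
    age = signature_age_days(after, today)
    if after == before:
        # Download may have "completed", but nothing reached the engine.
        status = "update_not_applied"
        msg = f"engine still reports {after.version} from {after.installed_on}"
    elif age > max_age_days:
        # Something was installed, but it is still old.
        status = "stale"
        msg = f"engine now reports {after.version} from {after.installed_on}"
    else:
        return "ok", f"signatures current: {after.version}, {age} days old"
    if age > max_age_days:
        msg += (f"; virus signatures are now {age // 30} months out of date"
                f" ({age} days) - system at risk")
    return status, msg


def check_from_iso(before_version: str, before_date: str, after_version: str,
                   after_date: str, today: str, max_age_days: int = 7) -> Tuple[str, str]:
    """Same check driven by ISO dates, e.g. read from a log or registry export."""
    return check_signature_update(
        SignatureState(before_version, date.fromisoformat(before_date)),
        SignatureState(after_version, date.fromisoformat(after_date)),
        date.fromisoformat(today), max_age_days)


if __name__ == "__main__":
    # Constructed sample reproducing the post: last good update mid-2008, forced
    # update "completes" over Christmas 2009, engine version unchanged.
    print(check_from_iso("7.0.1.23", "2008-06-15", "7.0.1.23", "2008-06-15", "2009-12-28"))
```

Run it as a scheduled task that reads the engine's own status rather than the updater's, and the silent eighteen-month gap described above becomes a visible alert on the first day it exceeds the threshold.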
As geeks, we often get asked to provide a little free support at Christmas and other holidays. While it may sometimes take us away from the drinks and the mince pies, it has to be our way of returning the favours that our friends and family do for us the rest of the time.
See you next year, Dad.