After a malware attack:
Rebuilding your system is the safest road to recovery
Dangerous software hides from repair tools: The IT Security Office recommends formatting one's hard drive followed by a complete software reinstallation in response to a system compromise. Modern malware relies on rootkits to hide itself from antivirus software and administrator analysis. Rootkits use a variety of techniques, such as executable encryption, alternate data streams, innocently-named files or registry keys, concealment in system restore points or patch clusters, or the use of portions of the disk not conventionally accessible to the operating system. These elaborate and effective concealment methods make it difficult or impossible to return a computer to a safe, functional state. Often, removal of the malware renders the system nonfunctional. Worse yet, incomplete or ineffective removal means the attacker may regain control of the computer.
Complete reinstallation is necessary: A reinstallation includes not only the operating system, but also application software. It is important to realize that any application software currently on the computer may be tainted by the attacker and only trusted original sources should be used for reinstallation.
Back up essential files: Before reinstalling the operating system and any applications, it is important to preserve any data that may be lost during this process:
- Local e-mail boxes and address books
- Office documents such as Word, Excel, or PowerPoint
- Pictures and music
- Any other irreplaceable data
Copy these files to CD-ROM or USB drive. Because many innocuous file types can actually carry a hostile payload, it is important to virus scan these files from another system that is known to be clean.
Follow these steps to rebuild: Once you have copied irreplaceable data off the infected system, the operating system must be reinstalled. Many operating systems have features that allow one to upgrade or repair an existing copy. These methods are not sufficient to remove malware, in our experience. A general process for safely rebuilding an infected system is:
- Boot the infected machine from the original operating system CD.
- Select the drive to which you intend to reinstall.
- Select the option in the installer that reformats that drive and installs a new copy of the operating system.
- When the installation is complete, you will have a system that is well out of date on patches and critical updates. Before installing any applications, it is important to update the operating system to the most current patch level using Windows Update, OSX Software Update, etc. This process may require multiple steps and possibly several reboots.
- If available for your platform, install CIT-supplied antivirus and firewall software. If your operating system has these capabilities already, be sure they are enabled.
- Install the application software you commonly use (MS Office, Eudora, Firefox, etc.) from either the original installation media or from copies freshly downloaded from the vendor web sites. Application software will also most likely need patches.
- Once these steps are complete, and you have virus scanned the files preserved from the original system, you may copy those back onto your machine and continue work.
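The backup and restore steps above (copy only irreplaceable data to removable media, scan it on a clean system, then copy it back) as an added shell example; this is not code from the advisory or the IT Security Office. It assumes the infected disk is mounted on a clean host, and the allow-listed extensions and manifest file name are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original advisory. Copies only the data
# categories the advisory lists (mail, office documents, pictures, music)
# from a mounted source tree to removable media, leaving executables and
# installers behind, and records a SHA-256 manifest so the set can be
# re-verified after it has been virus scanned on a known-clean system.
# The extension lists and the manifest file name are this example's own
# assumptions, not something the advisory specifies.

# is_data_file PATH: succeed only for allow-listed data extensions.
is_data_file() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    case $ext in
        mbox|pst|ost|eml|vcf) return 0 ;;               # local mail boxes, address books
        doc|docx|xls|xlsx|ppt|pptx|pdf|txt) return 0 ;; # office documents (macro-enabled docm/xlsm deliberately left out)
        jpg|jpeg|png|gif|heic|mp3|flac|m4a) return 0 ;; # pictures and music
        *) return 1 ;;                                  # everything else stays on the old disk
    esac
}

# backup_data SRC DEST: copy allow-listed files from SRC into DEST, keeping the
# relative layout, and write DEST/MANIFEST.sha256. Prints the number of files copied.
backup_data() {
    src=${1%/}; dest=${2%/}
    manifest="$dest/MANIFEST.sha256"
    mkdir -p "$dest" && : > "$manifest"
    find "$src" -type f | while IFS= read -r f; do
        is_data_file "$f" || continue
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
        # Hash relative to DEST so the manifest still verifies after the media moves.
        (cd "$dest" && sha256sum "$rel") >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# verify_backup DEST: succeed only if every copied file still matches the manifest.
# Run this on the clean scanning host before the files go onto the rebuilt machine.
verify_backup() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1)
}

# Usage (paths are placeholders):
#   backup_data /mnt/infected-disk/Users/alice /media/usb/backup
#   verify_backup /media/usb/backup && echo "backup intact"
```

Anything the allow list skips, such as an unexpected installer mixed in with documents, is exactly what the rebuild is meant to leave behind; extend the list deliberately rather than copying whole directories.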
