How To: Remove a worm virus from your computer
Internet worms are the most common type of virus infecting computers today. Internet worms spread across networks using email, Internet chat, peer-to-peer (P2P) file sharing networks and other methods. The names they are given are usually derived from some text within the worm program code, or within the message the worm sends. Examples of Internet worms include: Bagle, Blaster, Mimail, MyDoom, Netsky, Sasser, Sircam, Sober and Sobig. Sometimes a worm may be given different names by different anti-virus companies.
How worms spread
Using the Internet, worms can spread so rapidly that they often go undetected by anti-virus software, because the updates that would enable the software to detect the worm have not yet been developed or downloaded. Because of this, it's advisable to use an anti-virus product that updates frequently (like Kaspersky AntiVirus), which cuts the delay between a virus appearing and the updates arriving to a minimum. Free anti-virus products may only update once or twice a week, leaving your computer vulnerable during the critical period when a new worm is most active.
Even using the best anti-virus, it's a good idea to train the virus detector between your ears to recognize potential worms and avoid being tricked into activating them. But it's easy to be fooled, with the end result that you have a worm on your computer sending copies of itself to every address known to you.
An Internet worm has a number of common characteristics:
- It spreads across the Internet using email, instant messaging or peer-to-peer file sharing networks;
- It uses a trick - known as "social engineering" - to get you to open the email or run the file, which installs the worm on your computer and activates it;
- It may install one or several files on your computer, often masquerading as system files, or with randomly generated names to make removal more difficult;
- It installs entries in the system registry and other places to ensure that the worm is activated whenever you use your computer.
Problems removing worms
Unlike most viruses, worms do not usually modify or "infect" existing files on a computer. They are usually self-contained files, often dropped into system folders such as the Windows folder. Therefore, removing a worm from a computer should simply be a matter of identifying and deleting the files it installed, and the registry links that may be pointing to them. However, removal may be made more complicated because:
- The worm is active, so the files are in use and cannot be deleted;
- More than one worm process may be running, and they may act in such a way as to restart one another whenever they are stopped, making manual removal difficult;
- The registry links may have been made in such a way that if the worm files are removed, vital system processes are prevented from running, making Windows difficult to use, or unusable;
- Windows' System Restore has backed up the worm's files and registry changes, making it possible for the worm to be restored, and causing false alarms that the worm is still present on the computer because copies are found in the System Restore folder.
Virus scanners are good at detecting and removing the files belonging to worms, but they often do not repair or remove the registry changes correctly. An anti-virus program can therefore sometimes do more harm than the worm: it removes the worm's files but leaves the computer unusable, or leaves it displaying various error messages when you use it.
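A read-only check for the registry changes described above, as an added example that is not part of the original article: it parses `reg query` output for an autorun (Run) key and for the .exe open command, and flags autorun targets in the Windows folder that are not on a vetted list. The key paths, the baseline list and the sample output are assumptions chosen for illustration, and the sample is constructed.

```python
import re

# Constructed sample: `reg query` output for two keys (not from a real machine).
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater Service    REG_SZ    C:\WINDOWS\xkqzwtrv.exe -s
    Backup    REG_SZ    "C:\Program Files\Backup\backup.exe" /quiet

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\xkqzwtrv.exe "%1" %*
'''

RUN_SUFFIX = r"\currentversion\run"       # autorun keys under HKLM and HKCU
EXE_OPEN = r"hkey_classes_root\exefile\shell\open\command"
EXE_OPEN_DEFAULT = '"%1" %*'              # Windows default for launching .exe files
SYSTEM_DIRS = (r"c:\windows", "%windir%", "%systemroot%")
# Assumption: file names the administrator has already vetted on this machine.
BASELINE = {"securityhealthsystray.exe"}
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return (key, value_name, data) tuples from `reg query` output."""
    key, rows = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            rows.append((key, m.group(1), m.group(3)))
    return rows

def target_path(data):  # executable path from a quoted or unquoted command line
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)).lower() if m else ""

def audit(rows, baseline=BASELINE):
    """Flag a changed .exe open command and unvetted autoruns in system folders."""
    findings = []
    for key, name, data in rows:
        if key.lower() == EXE_OPEN and name == "(Default)" and data != EXE_OPEN_DEFAULT:
            findings.append(("exe-association-changed", name, data))
        elif key.lower().endswith(RUN_SUFFIX):
            path = target_path(data)
            if path.startswith(SYSTEM_DIRS) and path.rsplit("\\", 1)[-1] not in baseline:
                findings.append(("unvetted-autorun-in-system-folder", name, data))
    return findings

if __name__ == "__main__":
    print(*audit(parse_reg_query(SAMPLE)), sep="\n")
```

Running the same audit before and after a cleanup shows whether a remover deleted the worm file but left the registry entry pointing at it.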
The safest and most effective way to disinfect a computer that has been infected by an Internet worm is to use a dedicated removal tool. These tools are provided, free of charge, by several of the anti-virus software developers. Even if you have an anti-virus product on your computer that detects the worm, it may still be safer to remove it using one of these dedicated removal tools.
Avast! Virus Cleaner
The avast! Virus Cleaner provides a very easy way to remove a worm virus from your computer. Download avast! Virus Cleaner and then prepare to clean your computer.
Disable the on-access virus checking of your existing anti-virus (if any), and disable Windows System Restore. Then start Virus Cleaner.
Virus Cleaner will first check to see if a worm is running, and terminate the process if necessary. It will then scan the hard disk looking for known worm files. If any are found, any registry entries that point to these files will be removed, and then the files themselves will be deleted. Any temporary but harmless files created by the worm will also be deleted. If any worm files could not be removed because they were in use, the computer will be restarted and then the files will be deleted.
At the time of writing, avast! Virus Cleaner is able to detect and remove the following worm viruses:
- Win32/Beagle (alias: Bagle)
- Win32/Blaster (alias: Lovsan)
- Win32/Nachi (alias: Welchia)
- Win32/NetSky (alias: Moodown)
- Win32/Opas (alias: Opasoft, Opaserv)
- Win32/Parite (alias: Pinfi)
- Win32/Yaha (alias: Lentin)
Tip: If the system operation has been adversely affected by an earlier attempt to remove the worm, and you are unable to run any files of type .exe, rename the avast! Virus Cleaner to a .com file and then run it.
Kaspersky Labs Removal Tools
Kaspersky Labs, developers of the highly regarded Kaspersky AntiVirus, also has free virus removal tools for download from its website. Unlike the avast! Virus Cleaner, there is a separate remover for each virus.
At the time of writing, Kaspersky Labs has removers for the following malware, including some backdoors and trojans:
Remember to disable the on-access virus checking of your existing anti-virus (if any), and disable Windows System Restore before running the virus remover.