
Kansas State University


Getting rid of PE_LUDER malware

by Harvard Townsend, IT security, Nov. 13, 2007

The PE_LUDER.CH malware and its associated worm WORM_SMALL.JBC have persisted at K-State for more than two months. Together they have proven effective at spreading and difficult to remove completely from an infected computer.

Part of the difficulty is that it runs as a process named SVCHOST.EXE and is started automatically every time the computer boots. This malicious process uses the same name as the legitimate "Microsoft Service Host Process" in Windows, a common trick for hiding running malware among normal system processes. Consequently, Trend Micro OfficeScan cannot delete or quarantine this part of the malware automatically. The procedure for permanently removing SVCHOST.EXE (PDF format) is complicated, so contact your IT support person or the IT Help Desk for assistance.
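Because the malicious process borrows the name of a real Windows component, the name alone tells a helper nothing; what distinguishes the impostor is where it was loaded from, who started it, and how it was launched. The following PowerShell script is an added example for IT support staff and is not part of the K-State notice or the Trend Micro removal procedure. It assumes an elevated PowerShell session on Windows with WMI available, that the genuine binary lives at %SystemRoot%\System32\svchost.exe, and that its parent is services.exe (the 64-bit SysWOW64 copy and parent-PID reuse are noted as caveats in the comments).

```powershell
# Added example (not from the K-State notice): flag svchost.exe processes that do not
# look like the legitimate Windows Service Host. The genuine one is loaded from
# %SystemRoot%\System32\svchost.exe, is started by services.exe, and always carries a
# "-k <group>" argument. Anything else with that name deserves a closer look.
# Assumptions: elevated session, WMI available; on 64-bit Windows a 32-bit copy may
# legitimately run from SysWOW64, so treat that path as a second allowed location.

$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$procs = Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'"

foreach ($p in $procs) {
    $reasons = @()

    # Check 1: the image path must be one of the known-good locations.
    # ExecutablePath is empty when the process is protected or access is denied.
    if (-not $p.ExecutablePath) {
        $reasons += 'executable path not readable'
    } elseif ($legitPaths -notcontains $p.ExecutablePath) {
        $reasons += "image loaded from $($p.ExecutablePath)"
    }

    # Check 2: services.exe is the only normal parent of svchost.exe.
    # Caveat: if the parent has exited, its PID may have been reused by another process.
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent) {
        $reasons += 'parent process no longer running'
    } elseif ($parent.Name -ine 'services.exe') {
        $reasons += "parent is $($parent.Name) (PID $($parent.ProcessId))"
    }

    # Check 3: a bare command line with no "-k" service group is a strong hint of an impostor.
    if ($p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') {
        $reasons += "command line has no -k group: $($p.CommandLine)"
    }

    if ($reasons.Count -gt 0) {
        Write-Output ("SUSPICIOUS PID {0}: {1}" -f $p.ProcessId, ($reasons -join '; '))
    } else {
        Write-Output ("ok         PID {0}: {1}" -f $p.ProcessId, $p.CommandLine)
    }
}
```

A process flagged by this script is not automatically malware; the point is to give the helper a short list to examine before following the removal procedure, rather than scrolling through a dozen identically named entries in Task Manager. The path comparison is case-insensitive because PowerShell's `-contains` and `-ne` operators are case-insensitive by default.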

Other reasons for PE_LUDER's persistence include:

  • It spreads by trying to infect every disk drive connected to the computer, including the obvious hard drives, network drives, and USB thumb drives. But it can also infect cameras, MP3 players, and even some types of printers, because they also use Windows file systems, so infections may be lingering on devices not normally considered vulnerable.
  • It is hiding in some compressed system files which may not get scanned completely depending on the configuration of your instance of Trend Micro OfficeScan. If the "maximum layers" setting for "Scan compressed files" is set to 2 or 3, it may not detect all instances of this malware. A setting of 6 is recommended. Again, ask your IT support person or the IT Help Desk for help with this configuration.
  • Systems that have their configuration frozen with products like Deep Freeze, which is commonly used in campus computer labs, may not have the latest pattern files for Trend Micro OfficeScan that help prevent infection. If you use Deep Freeze or something similar, make sure it is configured to regularly "thaw" the configuration to update the pattern files.

What you can do

The most common means of spreading is via infected USB thumb drives, so you should be very cautious about putting someone else's thumb drive in your computer, or putting your thumb drive in someone else's computer. This is especially true of faculty who accept student assignments on thumb drives -- you should find another way to accept assignments, like K-State Online's File Dropbox feature.

While Trend Micro OfficeScan should prevent your computer from getting infected from a USB thumb drive, you can also help prevent this and future infections by turning off "AutoRun" capability on external drives. This is the convenient feature that automatically runs a CD when you insert it, or starts the process to download photos when you connect your digital camera. It's also the feature exploited by malware like PE_LUDER. See your IT support staff or the IT Help Desk for help on how to do this.

In Windows XP, a useful alternative to turning off AutoRun for all devices is to hold down the Shift key when you insert the drive into the USB port. This temporarily disables AutoRun when Windows detects the new drive.
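The AutoRun feature and the spread across every attached drive (described in the list above) are two sides of the same mechanism: the worm drops an autorun.inf on each drive so that AutoRun launches its copy when the drive is next connected. The following PowerShell script is an added example for IT support staff and is not part of the K-State notice; it turns AutoRun off for all drive types via the Explorer policy key and then audits removable and network drives for autorun.inf files. It assumes an elevated PowerShell prompt, the standard NoDriveTypeAutoRun registry value, and that the drive letters reported by WMI are accessible at the time of the scan.

```powershell
# Added example (not from the K-State notice): disable AutoRun for every drive type
# through the Explorer policy key, then look for autorun.inf files on removable and
# network drives, which is where a USB-borne worm leaves the hook that AutoRun would
# follow. Run from an elevated PowerShell prompt. Assumption: the registry path and
# value name below are the standard NoDriveTypeAutoRun policy; a reboot or Explorer
# restart is needed before the change takes effect.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

# 0xFF sets the bit for every drive type (unknown, removable, fixed, network, CD-ROM,
# RAM disk), so AutoRun is disabled everywhere, not only on USB drives.
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

$current = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
Write-Output ("NoDriveTypeAutoRun is now 0x{0:X2}" -f $current)

# Audit: Win32_LogicalDisk DriveType 2 = removable, 4 = network. Each autorun.inf
# found is read and the program it would launch ([autorun] open= / shellexecute=) is
# reported, so the helper can see whether it points at a copy of the malware.
$drives = Get-WmiObject -Class Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 }

foreach ($d in $drives) {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        # Worm-dropped autorun.inf files are usually marked hidden+system; Get-Content
        # reads them regardless of attributes.
        $lines  = Get-Content -Path $inf -ErrorAction SilentlyContinue
        $launch = $lines | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        Write-Output ("FOUND {0}  launches: {1}" -f $inf, ($launch -join ' | '))
    } else {
        Write-Output ("clean {0}" -f $d.DeviceID)
    }
}
```

Two caveats for anyone applying this on the 2007-era systems the notice is about: on Windows XP the NoDriveTypeAutoRun policy is only honored for non-CD drives once Microsoft's AutoRun fix (KB967715) is installed, so check for that update first; and the audit only reports what it finds, deliberately leaving deletion to the documented removal procedure, since an autorun.inf can also be legitimate (for example on a vendor-supplied setup drive).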

Since this malware tries to inject itself into nearly every .EXE file it finds, it has rendered some systems unusable to the point of needing to be reformatted and all software and data re-installed. Please be diligent in helping purge the campus of this malware so others don't have to endure this headache.