Detecting and removing worms and Trojans can be more difficult than removing other sorts of malicious code. With most viruses, you can run a scanner, remove the virus, and systems are good again. Trojans and worms can do so many things that detecting them means detecting all of the unwanted changes to your system (i.e., intrusion detection). This can mean noticing new files with current file modification dates, new open TCP/IP ports, new startup programs, and new registry changes. It is important for you to have a discovery and removal plan. Certain steps should be completed before others. With many of today’s Trojans (e.g., PrettyPark, Subseven, etc.), deleting malicious files before fixing the registry will result in a machine that doesn’t work. It’s important to follow these steps in order. You can make matters worse if you don’t.
If you have a good reason to believe that a PC or network has been compromised by a Trojan or worm, disable any related Internet connections. If you suspect just one PC, unplug its modem or network cord. If the entire network is experiencing problems, disable the Internet router. If it is an email worm, disabling Internet access will prevent further spreading outside of the local network. Also, if you have an email worm and an email server, disable the server. With Microsoft Exchange, this means stopping the Internet Mail Service and Information Store.
Some Trojans have
KILL routines that ...