Bug that infected Royal Melbourne Hospital is a Qbot worm
Update: Royal Melbourne Hospital is reimaging all of its PCs running Windows XP after it was discovered that the bug that infected its systems on the weekend is a new variant of the Qbot or Qakbot worm, a known piece of malware that exploits a security vulnerability in XP.
A source at Royal Melbourne told Pulse+IT that the malware particularly affected the pathology department, where the majority of PCs run on XP and the laboratory information system runs on Windows Server 2003.
The source said the worm had infected other machines in the hospital running newer operating systems, but when it infected an XP machine, it effectively “killed” it. However, the hospital also has a few PCs attached to aged medical equipment running on Windows NT that are still working fine.
It is understood that the emergency department system had to go offline over the weekend but is back up and running. However, the source said there was still a lot of work left to check the hundreds of different software applications used in the hospital.
“They have ensured that we've got the right virus scan and the software in place to stop the infection but it will take weeks to get it all cleaned up,” the source said.
Information security experts from the state and territory health departments are aware of the issue and are taking action, the chief information security officer (CISO) at eHealth NSW, Gilbert Verdian, said.
“We are working with the anti-virus vendors to find out exactly what it is,” Mr Verdian told Pulse+IT. “It's a variant of an old virus so we are trying to figure out how bad it is, why it wasn't picked up and do something proactive on our end so we don't get it.”
While Windows XP is still used to varying extents in health facilities throughout the country – many older medical devices and bespoke software will not work with newer operating systems – most health departments have phased it out or are phasing it out. It is not widely used in NSW, Mr Verdian said.
“We kicked off a program about two years ago to get rid of it and we've done quite a lot of that work. There's not many left out there.”
It is not yet known where the worm first gained entry, but one of its main features is its ability to evolve, and it seems to have bypassed the hospital's antivirus protections.
Melbourne Health issued a statement yesterday saying most computers were now clear of the bug and IT staff were working to restore the remaining Windows XP computers as quickly as possible.
“As of 10am [November 19], many programs affected by the virus are up and running including pathology and pharmacy,” Melbourne Health said.
According to Sophos, Qbot or Qakbot is a worm that can steal passwords, log keystrokes and perform remote FTP commands.
It affects not just Windows XP but Windows Server 2003, Windows Server 2008, Windows NT and Windows 7.
Trend Micro says it has been around since at least 2009 and is best known for trying to infect banking systems.
The security software vendor says the malware has the ability to block access to antivirus sites and delete itself if found running on a virtual machine.
This story was updated on Friday, January 21 to include more information on the steps being taken by Melbourne Health to clear the virus.