Hey guys,
I'm struggling a bit with a virus problem at work. We are using McAfee with ePO (ePolicy Orchestrator) to manage all of the hosts. Normally it's pretty good, but at the moment we have a bit of an epidemic that McAfee is not handling at all well. We scheduled a network-wide scan last night and found about 20 different machines that are infected with about 30 viruses. The most common of which are:
W32/Autorun.worm.h
Generic.dx!und
Generic Rootkit.g
Now I have no problem with removing them from a PC, but they seem to reappear within 30 minutes. Obviously they are using some sort of vulnerability to penetrate our systems, but I can't determine what it is. Does anyone know how these viruses would typically enter a system that has no local account other than the system administrator account, which is password protected? All users have domain accounts which are limited to users who cannot execute programs other than those which have been pre-installed by a network administrator; they also cannot make system changes. The other issue is, even if I remove all these viruses from our local PCs, we are an international company and we administer several countries from our site, so the virus could very well be coming from overseas. Also, Autorun has been disabled on USB drives.
I know there isn't much information to go on there but I can't really give any logs or netstats without breaching company policy.
Last edited by Mokilok; 25-11-10 at 04:54 PM.
I don't know if this link might be helpful but will post it anyway.
I know this will give you info on the first virus only, but it's good reading and it might give you some ideas on how it's reoccurring.
Last edited by mickstv; 26-11-10 at 08:45 AM. Reason: spelling etc only
Does the network scan run on all hosts simultaneously or one at a time?
Mickstv
Last edited by Mokilok; 25-11-10 at 08:35 PM.
Yeah, I was going to say that if you could isolate one of the computers, clean it, then load a firewall with restrictive access, you could see everything that's trying to gain access and hopefully locate the source that way.
The reinfection could still be internal. It would only take the antivirus missing one file across the whole network to reinfect.
McAfee Labs Stinger might be of some use; it might find the problem better than the full McAfee package? Depends on company policy.
Mickstv
Last edited by mickstv; 25-11-10 at 09:35 PM.
EDIT: If you use Stinger, it's like every anti-malware package: be careful what it deletes; I've been caught in the past. I believe Stinger has an option to report only, so you should be able to check files first. I wouldn't use Stinger as my first option, but if you do, use it on a single PC disconnected from the network.
So I would recommend the firewall option first and see what you find.
Mickstv
Last edited by mickstv; 26-11-10 at 04:17 PM. Reason: adding to post
Do you have virus protection on your servers as well? We had a worm at work and it was exploiting a flaw in Windows. You need to make sure you have all your machines patched, but also do a search to see if you can find a Windows patch for your worm. We then had to run around patching and scanning machines one by one and finally got on top of it.
Good luck.
Leroy
G'day Mokilok
May I suggest the following steps:
Isolate/remove those infected PCs from the rest of the network.
Scan users' home folders (if you have such) and network shared drives.
You can try to trace the time/origin of the infection by looking through your McAfee virus scan logs.
One or more of the Trojans you listed had to be removed manually, so reimaging those infected PCs can be a good thing to do.
Good luck
cheers
"People who love sausage and people who believe in justice should never watch either of them being made" Otto von Bismarck
Thanks for the response Leroy. Yes, I have antivirus on the servers as well as all PCs in the business, all managed from the ePO, which displays any machines that become non-compliant; as a result I can be assured that all antivirus on PCs and servers is up to date.
If they reappear on the next scan it could be that the virus checker is failing to clear the virus, or else they are FALSE positives (especially those generic ones).
Best bet is to go to a machine, boot off CD/DVD and clean the machine until no viruses are detected by multiple online systems. Also do a rootkit scan to check for anything else.
Then put it back onto the network.
Don't run anything; just log into the network with a normal user-level login.
Then run the virus scanner repeatedly to see if it gets re-infected.
Odds are it won't.
Post-thought: I also use port monitoring software to see what ports are open on the machine, or use netstat -a etc. to see what's opening ports. To transmit to another machine some ports need to be opened, so it might give you an idea on which ports to lock out.
Last edited by ocd_csv; 26-11-10 at 08:56 AM.
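ocd_csv's netstat suggestion, worked through as an added example in Python (this is not code from anyone in the thread). It parses the table that `netstat -ano` prints on Windows, joins it with `tasklist /fo csv /nh` to put an image name on every socket, and reports three things: which process owns each listening port (the "ports to lock out" list), which processes own sockets but are not on a known-good list, and any process talking to many different hosts on one port, which is what a worm spreading over file shares looks like. The netstat and tasklist text, the PIDs, the addresses and the image name `sample_dropper.exe` are all constructed for the example.

```python
"""Triage Windows 'netstat -ano' output: map sockets to processes and
flag worm-like fan-out.  Added example for this thread, not code from the
original posts.  The netstat/tasklist text below is constructed to look
like Windows output; PIDs, addresses and 'sample_dropper.exe' are made up."""
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local foreign state pid")

# Constructed sample of 'netstat -ano' (Windows XP/7 layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING       4
  TCP    10.1.2.3:1060          10.1.2.40:445          ESTABLISHED     4
  TCP    10.1.2.3:1061          10.1.2.41:445          SYN_SENT        4
  TCP    10.1.2.3:1062          10.1.2.42:445          SYN_SENT        4
  TCP    10.1.2.3:1063          10.1.2.43:445          SYN_SENT        4
  TCP    10.1.2.3:1070          203.0.113.10:6667      ESTABLISHED     2212
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of 'tasklist /fo csv /nh' taken on the same host.
TASKLIST_SAMPLE = """
"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","5,120 K"
"sample_dropper.exe","2212","Console","0","1,860 K"
"""


def parse_netstat(text):
    """Parse the 'netstat -ano' table into Conn records.  TCP rows carry a
    State column, UDP rows do not, so a UDP row has four fields and the PID
    is the last one.  Header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed row: ignore rather than guess
        conns.append(Conn(proto, local, foreign, state, int(pid)))
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from 'tasklist /fo csv /nh' output."""
    procs = {}
    for line in text.splitlines():
        if line.strip():
            fields = [f.strip('"') for f in line.strip().split('","')]
            procs[int(fields[1])] = fields[0]
    return procs


def split_endpoint(addr):
    """'host:port' (also '[::]:445' and '*:*') -> (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def image(procs, pid):
    return procs.get(pid, "pid %d" % pid)


def listeners(conns, procs):
    """{(proto, port): image} for every listening TCP or bound UDP socket."""
    out = {}
    for c in conns:
        if c.proto == "TCP" and c.state != "LISTENING":
            continue
        out[(c.proto, split_endpoint(c.local)[1])] = image(procs, c.pid)
    return out


def fan_out(conns, procs, min_peers=3):
    """(image, foreign port) pairs with connections to >= min_peers distinct
    hosts.  One process reaching many hosts on 445/139 is the spread pattern
    of a share-hopping worm.  min_peers=3 only so the tiny sample trips it;
    on a real host use a higher value."""
    peers = defaultdict(set)
    for c in conns:
        if c.proto != "TCP" or c.state == "LISTENING":
            continue
        host, port = split_endpoint(c.foreign)
        if port is not None:
            peers[(image(procs, c.pid), port)].add(host)
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


def unknown_images(conns, procs, known):
    """Images that own any socket and are not in the known-good set."""
    return {image(procs, c.pid) for c in conns} - set(known)


def triage(netstat_text, tasklist_text, known, min_peers=3):
    conns = parse_netstat(netstat_text)
    procs = parse_tasklist_csv(tasklist_text)
    return {"listeners": listeners(conns, procs),
            "fan_out": fan_out(conns, procs, min_peers),
            "unknown": unknown_images(conns, procs, known)}


if __name__ == "__main__":
    for k, v in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE,
                       {"System", "svchost.exe"}).items():
        print(k, v)
```

One caveat for reading the result: on Windows the SMB client lives in the kernel redirector, so every outbound 445/139 connection shows under PID 4 (System) no matter which program asked for the file. Fan-out on 445 under System therefore tells you the host is spreading, but not which process is driving it; for that you need the file and process view (the autorun.inf and the executable it names), not netstat.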
But if you look at hidden OS files on the drive you'll find autorun.inf there.
Hi Mokilok
Is reimaging those infected PCs a valid option for you?
That's right, you will find an autorun.inf. We in fact have them on every root directory and share on 3 servers now, along with 20 PCs which will all also have an autorun in root directories. I can remove the viruses, and in most cases they have been removed, but without finding the original way they penetrated our systems I won't be able to prevent it from happening again.
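The autorun.inf that Mokilok is finding on every share and volume root is the worm's launcher, and its contents name the file it runs. Added example in Python (not code from anyone in the thread): it parses autorun.inf for the keys Windows acts on (`open`, `shellexecute` and `shell\<verb>\command`), tolerating the mixed case and spacing worms use, and scans a list of roots for the file. The two sample autorun.inf bodies and the path `RECYCLER\sample_dropper.exe` are constructed for the example and are not indicators from the thread.

```python
"""Find autorun.inf on volume/share roots and pull out what it launches.
Added example for this thread, not code from the original posts.  The two
autorun.inf bodies below are constructed; 'RECYCLER\\sample_dropper.exe' is
a made-up dropper path, not a real indicator."""
import os
import re
import tempfile

# Constructed: the layout a typical autorun worm writes, with mixed case and
# spacing to show the parser is tolerant of it.
SAMPLE_WORM_INF = r"""[AutoRun]
;constructed sample
OPEN = RECYCLER\sample_dropper.exe
shell\open\Command=RECYCLER\sample_dropper.exe
shell\explore\command=RECYCLER\sample_dropper.exe
shellexecute=RECYCLER\sample_dropper.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed: a vendor-CD style autorun.inf with no launch keys.
SAMPLE_BENIGN_INF = r"""[autorun]
icon=setup.ico
label=Vendor Driver CD
"""

_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command


def parse_autorun(text):
    """Return [(key, value), ...] for every key in [autorun] that names
    something to execute: open, shellexecute, shell\\<verb>\\command."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in _LAUNCH_KEYS or _SHELL_CMD.match(key):
            targets.append((key, value))
    return targets


def dropper_paths(targets):
    """Distinct files the autorun.inf would run: what to grab and submit."""
    return sorted({value for _, value in targets})


def find_autorun_targets(roots):
    """Check the root of each path (Windows only honours autorun.inf there)
    and parse any autorun.inf found.  Hidden/system attributes do not hide
    the file from os.listdir."""
    results = {}
    for root in roots:
        for name in os.listdir(root):
            if name.lower() == "autorun.inf":
                path = os.path.join(root, name)
                with open(path, encoding="latin-1") as fh:
                    results[path] = parse_autorun(fh.read())
    return results


def demo():
    """Lay out three fake share roots in a temp dir and scan them.
    Returns {root name: launch targets} for roots that had an autorun.inf."""
    with tempfile.TemporaryDirectory() as tmp:
        names = {}
        for name, body in (("share_a", SAMPLE_WORM_INF),
                           ("share_b", SAMPLE_BENIGN_INF),
                           ("share_c", None)):
            root = os.path.join(tmp, name)
            os.mkdir(root)
            if body is not None:
                with open(os.path.join(root, "autorun.inf"), "w") as fh:
                    fh.write(body)
            names[root] = name
        found = find_autorun_targets(list(names))
        return {names[os.path.dirname(p)]: t for p, t in found.items()}


if __name__ == "__main__":
    for root, targets in demo().items():
        print(root, "launches:", dropper_paths(targets) or "nothing")
```

On a fixed disk or a file share there is no legitimate reason for an autorun.inf with a launch key, so any hit is the dropper to collect and submit to McAfee, and the shares it sits on are the ones to clean together rather than one PC at a time. Disabling autorun only for USB drives does not cover shares or fixed disks; the policy value that covers every drive type is `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun` set to `0xFF`.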
Hi Baseel,
It's not, unfortunately; we only keep image backups of critical systems. We do back up data but not 1:1 images of systems; that would just be far too large with the kind of files my co-workers produce (30-40 GB files). I've been looking into WDS and MDT a little as they seem to have a fairly efficient method of imaging, but before I started here the systems were not really imaged.
Can I get some opinions here, guys? Is a nameless session dangerous? I close them off but they keep re-opening. Also there seem to be a few suss objects in netstat.
When I check the two open files they aren't listed; there are no files open that have nameless connections.
Autorun Eater should run in the background.
It comes from flash drives.
So much for antivirus, eh?
Although, my NOD32 picks it up every time my worker puts her silly USB stick in.
She's always getting it.
They have an infected box.
[QUOTE=Mokilok;355914]Hi Baseel,
It's not, unfortunately; we only keep image backups of critical systems. We do back up data but not 1:1 images of systems; that would just be far too large with the kind of files my co-workers produce (30-40 GB files). I've been looking into WDS and MDT a little as they seem to have a fairly efficient method of imaging, but before I started here the systems were not really imaged.[/QUOTE]
Hi Mokilok
So if I get this right, there are work-related files/data that the users keep on their workstations?
It's time consuming to clean each PC and make sure that the infection doesn't reoccur, so reimaging them will be faster and more efficient.
Have a look at this scenario:
Get one of those infected PCs, copy the data on it (if any) to an external HDD (not a networked one).
Reinstall the OS, drivers, Office, work software, updates, corporate settings, etc., then boot with a network boot disk to a shared network drive and use ghost32.exe to ghost the C: partition.
The image created should be your SOE (Standard Operating Environment), which you can use to reimage any PC you have (providing they have similar hardware).
As for imaging any PC, just boot the PC with the network boot disk, map to where the original image (SOE) is located and re-ghost it.
Reimaging a PC with a 4.7 GB image takes about 10-15 minutes over the network.
Sorry for the long post, but I'm only trying to help.
Cheers