Could be a network worm of some sort; try uploading the file to www.virustotal.com to get a positive ID on it.
Also make sure your machines are fully updated with regards to Windows updates, as well as Office / SQL Server, etc.
Since Friday our users in the UK have started getting remote processes executed on their machines. The file is being executed from C:\WINDOWS\system32\2.exe
I have added a rule to our EPO server to find and delete this file as soon as it is created, as well as prevent it being executed, but the frequency of attack seems to be getting higher as our US office comes online; they are not managed by the EPO server.
Does anyone have any thoughts on what the 2.exe file may be, and what other nasties may be being pushed onto our machines with it? More importantly, how can we prevent the issue moving forward without preventing our users' ability to get access to the machines? Our EPO management will stem the tide, but it only acts on a filename basis, so it is by no means complete.
The usernames that the process is running under all appear to exist as users in our US office. I suspect that their machines have been infected, or their passwords compromised. There are no unprotected shares on the machines, and no one particular machine is affected; it seems to be hitting almost every machine in the office. Windows updates are pretty much up to date, or fully up to date, on the machines. I shall try getting the file and uploading it to virustotal.com to get a positive ID on it; thanks for that, it should hopefully prove useful.
All other software is up to date on the machines.
Indeed, I was hopeful of someone identifying it; further investigation has shown it to be Trojan Clamp that is causing our headaches. Gratefully we appear to have the problem under control here in the UK, and are now in the process of identifying and clearing the issues in the US. Thanks to all experts who looked in; hopefully this information is useful to someone. nsx106052, thanks for your input; I'm awarding you the points because you did identify what the file was, even though I was really looking for more information. The Trojan information took me two seconds on Google to find.
There is now a lot of info available on this virus:
Basically you have to make a Software Restriction Policy in your Group Policy to block the known extensions, then write a logon script to remove the Run registry entries:
http://www.microsoft.com/s
http://support.microsoft.c
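As an added example of the logon-script step described above (not code from this thread, from Microsoft or from any AV vendor), a PowerShell script that removes Run/RunOnce values pointing at system32\2.exe and logs what it did. The thread does not give the Run value names, so the script matches on the value data; the log path is an assumption, and the HKLM keys can only be cleaned when the script runs elevated (for example as a computer startup script).

```powershell
# Remediation logon script: strip autorun entries that launch system32\2.exe.
# Assumptions: persistence is a Run/RunOnce value whose data contains the 2.exe
# path (filename from the thread); value names unknown, so match on data.
$Pattern = '\\system32\\2\.exe'            # regex: ...\system32\2.exe, case-insensitive
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$LogFile = Join-Path $env:SystemRoot 'Temp\2exe-cleanup.log'   # assumed log location

function Write-Log([string]$Message) {
    # One line per event so the logs from many hosts can be collected and grepped.
    "$(Get-Date -Format s) $env:COMPUTERNAME $env:USERNAME $Message" |
        Out-File -FilePath $LogFile -Append
}

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $RegKey = Get-Item -Path $Key              # Microsoft.Win32.RegistryKey
    foreach ($Name in $RegKey.GetValueNames()) {
        $Data = [string]$RegKey.GetValue($Name)
        if ($Data -match $Pattern) {
            Write-Log "Removing autorun value '$Name' in $Key -> $Data"
            # HKLM removal fails silently when not elevated; the log shows what was hit.
            Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        }
    }
}

# Report, but do not delete: the AV / EPO rule owns the file itself, and a host
# that still has the dropper after cleanup needs to be looked at by hand.
$Dropper = Join-Path $env:SystemRoot 'system32\2.exe'
if (Test-Path $Dropper) {
    Write-Log "WARNING: $Dropper still present; host needs AV remediation"
}
```

Collecting the per-host log lines centrally gives a quick list of which machines still carry the autorun entry or the file after the Software Restriction Policy is in place.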
I essentially did exactly that through our EPO console: blocked any exe file from being created or run remotely unless it was one of our trusted applications, and also added blacklist entries for the relevant filenames / patterns to the antivirus detection so they were removed. We are still getting the odd problem here and there, but it seems to have stopped further infections from happening.
I don't have PSEXEC running. I'm noticing that the file 2.exe is being created by different programs; it's crazy. I'm seeing:
%systemroot%\system32\
services.exe
svchost.exe
winlogon.exe
\WBEM\WinMgmt.exe
lsass.exe
The Blackberry desktop Manager
Outlook.exe
Winword.exe
Paperport.exe
DvzMsgr.exe
Wuauclt.exe
My 3rd party managerment system from Applied Systems
I've been in contact with the AV company and I sent them the 2.exe and a full report of the system state of an infected machine. I have also noticed that in addition to this 2.exe, those machines have Vundo, which probably was just dropped the same way 2.exe was.
2.exe is a trojan. It also reproduces like a worm across the network. It has infected 200 computers and 10 servers on my network. We have been working with Kaspersky to try to produce a cure. We were marked as being in the first group of 20 in the country to get infected. It reproduces itself in many places, one of which it favors is the restore points on every computer. It also uses processes such as psexesvc.exe and lsas.exe to reproduce. We have been dealing with it for 2 weeks now and it continues to get worse! It is now keeping our servers' CPUs spiked at 100% constantly. We are running very slow!!! Manually removing it only gives a couple of hours' window of breathing room.
by: ellandrd, posted on 2009-03-02 at 05:10:21, ID: 23773691
Actually, I have blocked remote execution of exe files in the EPO console as well. Though that will prevent the issue from affecting us, it also prevents us doing some remote administration tasks. Can anyone shed light on what the 2.exe may be?