Has anyone seen this virus recently? Somehow this virus has entered our network and is dropping other trojans and rootkits such as the following:
+ NTRootKit-AB (Trojan)
+ RemAdm-ProcLaunch!171 (Remote Admin Tool)
+ Spam-Mailbot (Trojan)
The virus seemed to spread quickly today. We have various versions of McAfee Enterprise installed on the network. Some clients have 8.0, 8.5i, and 8.7i. The servers all have th latest 8.7i and the 04/13/09 McAfee DAT. Despite being protected with On-Access, Access Protection, and overflow protection, this virus seems to disable the client version and redistribute the virus to servers via mapped network drives and/or vise versa. Quite common is the autorun.inf which seems to initiate the virus from either the server or the client which kicks off various .pif files, infectious exes, other autorun.infs, and/or trojans. We have flirted with disabling Autorun (on all drives) via GPO with no success.
Has anyone seen this or have any recommendations? Various online resources and contact seems to yield minimal results. Any information would be greatly appreciated.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
this is a nasty virus that can sometime make you have to format. Try these suggestions:
http://www.bleepingcompute
I have always liked Combofix, Malwarebytes, and rogueFix which is a batch file and have found needs to be run first before Combofix for nasty bugs.
Remember, the virus will try to infect any media you connect to it, so consider it tainted and format it. Disable autorun.
AVG makes a Sality remover
http://free.avg.com/virus-
Good luck.
In case safe mode is corrupted too, you can try Roguefix which is a batch file that will remove a lot of root kits. I have had to use this first sometimes in safe mode before I could run a standard antivirus.
Also you could use something like BartPE if things are really rediculous. it is a bootable OS that runs in RAM. it has add ons that you can use to do things like virus scans.
The Roguefix does not restore the Safe Mode functionality though.... the virus corrupts the computer and force it to load Windows normal mode to load itself in memory (Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt all Blue Screen) then the virus will actually kill the AVG removal tool.
http://blog.didierstevens.
^We found this site which works great for XP clients; however, I am thinking the keys are probably different on Windows Server 2003 SP1 and SP2?
McAfee 8.7i w/ AntiSpyware Module 8.7 with the latest DAT up until Friday 04/17 still would not clean the virus. It would detect but not clean. McAfee argued that it was running in memory, but we could replicate the issue on a clean image every time on multiple computers. If an infected USB drive was plugged into a clean machine or an infected drive mapped, the virus would jump immediately (or vise versa). McAfee would detect it, but fail to clean it as you could see the virus begin to spread across the machines.
We finally got our ticket escalated up to level 4 with McAfee after submitting the variant to AVERT w/ relative logs in which case early Friday morning they released a 04/17 beta Super DAT. We replicated the exact same scenario as before, however, with the newly applied new DAT McAfee 8.7i was able to not only detect the virus, but also clean it essentially stopping it from spreading which previous DATs were unable to do. They have a process of including the DATs in the next DAT interval, so hopefully if anyone runs across this virus it can actually be stopped with the latest McAfee DATs. In the meantime, I believe the beta Super DAT (at least on Friday) on their page will suffice in case they have no bundled it yet with the latest DAT release...
http://vil.nai.com/vil/vir
^avvwin_xdatbeta.exe
http://www.symantec.com/bu
http://www.symantec.com/se
^We ended up imaging the client machines. Any essential clients or servers that could not be duplicated, we followed Symantec's removal guide that also included specific registry keys to remove and/or fix.
We found that despite the machines being clean and up to date, registry key values detailed in the above Symantec links were added by the virus and/or related drops making the machine vulnerable to connect to the Internet and reinfect itself. While the McAfee software would now detect and clean On Access, the process would continue due to the vulnerability. Plus, if any new variants popped-up, we would be extremely susceptible to new infections.
Business Accounts
Answer for Membership
by: bigpadhakooPosted on 2009-04-14 at 02:08:30ID: 24136138
i recommend you to download trojan remover to fix this and all other existing rootkit threats. you can download a trial version of fully functional 30 days copy. follow this link. http://www.simplysup.com