What are the reasons for viruses spreading in a LAN?

Hi all security experts!
I now work in a Microsoft network that contains about 800 PCs (Win2000 and XP) and is controlled by a DC.

I need to know

1. Generally, what are the reasons for viruses spreading in a LAN?

2. As technician members we have limited rights in the domain, and we are about 8 persons. How can we control 800 PCs? The person that has administrator rights is the administrator of the network.

We now have the Blaster virus in the network and it reinfects all PCs.
How can we stop it spreading? We have no antivirus firewall.

3. Does Remote Assistance need administrator rights in the network?
4. Can the administrator run a full scan for viruses on an IP range?

Post references if you can, please.

Asked by: nader alkahtani, Network Engineer

trywaredk commented:
*** 1. I agree with JOSEPH_MORE if your question is about why it is possible for the virus to spread, but maybe your question is why we have all these vira. Nobody knows. Why do we have burglars, hackers, spyware and viruses? Well, maybe someone likes to look at a fire, it's an illness he/she can be cured for, but until then, maybe he/she starts some fires, just to be able to see it, and know - hey - I did this on my own - cheers - cheers, or in my opinion, start to see a doctor. The number of vira produced by "normal" people expanded after macros in Word could be done in Visual Basic. That gave a lot of users knowledge about how to make a script.

*** 2. I agree with JOSEPH_MORE - if you are supposed to do something, you must have the network permissions to do it.

*** About Blaster, you have to find out which version of Blaster it is, and apply the solution on all computers on the network.
But it doesn't help if you don't install a virus scanner on each computer after having stopped it.

Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:

If you get an ActiveX error when loading the HouseCall web page:

If you want to secure your company's workstations in the future, consider to purchase OfficeScan:

If you can afford it, you can get an url-scanning engine installed on a server with workstation, server-, email and url-scanning engine from

Virus Information Alliance (VIA)

Review of the best antivirus solutions:

SoftScan puts an end to virus and spam threats from the Internet

*** About a firewall, ask your domain administrator to install it immediately between the internet and the local area network of your servers and computers.

*** 3. I agree with JOSEPH_MORE - if you are supposed to do something, you must have the network permissions to do it.

*** 4. The administrator can make a full scan for viruses with the Trend Micro virus suite.
I'm using it, and haven't had any of my servers or computers infected since we purchased it about 4 years ago.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
Joseph_Moore commented:
Here are my thoughts on your questions. This will be mostly my opinion, but this is what I do, so I think I have an informed opinion on these topics.
1) Virii spread for lots of reasons, unfortunately. A) Unpatched machines. This is a given. With Windows machines, you MUST stay up-to-date on patches. There is a need to test new patches, and I do feel that you need a couple of machines that get patches the DAY they come out to see if they work or not. But don't do this for all machines. Try the new patches for a few days, and keep an eye on newsgroups/forums (like Bugtraq) and virus sites (like SARC from Symantec) to know of the latest vulnerabilities being released against unpatched machines. Virii have come out 48 hours after a vulnerability has been announced before. Stay up on patches and the forums where vulnerabilities and virii are discussed. When new patches are approved on your test machines (a couple days testing to a week at most is what I do), then roll the patches out to all clients. SUS is an easy way of doing this. Make backups of important machines before patching them, just in case! Be safe when patching, but DO patch.
B) No antivirus software on all nodes; or antivirus software that is NOT updated with the latest definitions; or antivirus software that is installed but is NOT running due to software failure, corruption, it being turned off (I've seen that before!), or a dozen other reasons. People think that since they just HAVE antivirus software they are safe, but when it doesn't run or if the definitions are 2 years old, it does NOT help! Educate users that if they do get a virus OR an antivirus notification (if the antivirus software caught something) to inform someone IMMEDIATELY. The faster you know there might be a bug in the LAN, the better. What also goes with this is notification when something is caught. The antivirus programs can all be configured to alert someone that stuff is going on. Use those alerts. Pay attention to them.
C) Security practices that are not sufficient, like misconfigured firewalls that have open ports that should not be open. Machines that are NOT even firewall protected, that the Internet can access. IDS is a great thing to run that sniffs the traffic and can tell you of a virus moving around the LAN.
D) STUPID E-MAIL PRACTICES!!!!!! Why are users opening file attachments that are .EXE files????? WHAT IS WRONG WITH THEM???!?!?!!!? Come on! If you can't strip out all executable file types before they get to the user mailboxes, then train your users to NOT open the attachments! Sorry, but even I have users who still open e-mailed programs (in ZIP files). Users will do this. And now with many virii sending themselves as ZIP files (a file extension that many places DO allow through), there is an even greater threat. So, I guess this should go in the antivirus section, but I will put it here anyway. Antivirus on all mail servers also, that scans the e-mail before delivery to the user mailboxes. As well as antivirus on the client machines JUST IN CASE. There are so many e-mail virii that have their own mail engines to spread. It's a crazy time we are living in, with e-mail virii!
E) A new one for my company is antivirus scanning on all Proxy servers, to avoid a user getting a trojan downloaded onto their machine from a malicious webpage. Sure, the user workstation antivirus software should catch it, but why not add another layer of security by having the proxy scan?
F) Users. Users are a big reason why virii spread. I know, we can't get rid of them, so we have to lock down, secure, patch, scan, and protect at basically every other point on the LAN so that whatever stupid thing the users do, we have that area covered.

Ok next question.
2) Your Administrator can Delegate Authority to your crew of 8 to do many admin-style tasks, using Group Policy. It just depends on how much power your staff needs, as opposed to how much work the Admin wants to do himself/herself. Compile a list of tasks you cannot do, present it to the Admin, and remind the Admin that 800 machines need you to do this, unless the Admin wants to handle all of that. Just bury the Admin in numbers, and you will get more power. That is a lot of machines, IMHO.

For Blaster, start here:
You need to patch all 800 machines. Even 1 unpatched machine can try and spread Blaster, clog up network bandwidth, and continue the cycle of destruction.

3) You can add in Group Policy what users/groups can respond to Remote Assistance requests. I forget where just now, but I remember seeing it. So, the Admin could add your group of 8 to this GP right.

4) Well, with the right tools, you could do your own scanning even without Administrator-level rights. Some tools (things like Retina from eEye) do need Administrator-level access to be able to scan the Registry of the remote machines, but without Admin rights, it can still tell you a lot. But, that doesn't have to stop you from running a port scan for the MyDoom port 3127 using something like NMAP. If you get a hit on this port, it is probably a MyDoom-infected machine, since that port isn't used for anything in Windows or normal apps. Admin rights make scanning with certain tools a whole lot easier, but there are a lot of tools out there that can give you all kinds of info, and Admin rights are not needed.

Good luck. Hope this helps
But this is not all, you also have to protect yourself against spyware


Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:

SpyFerret detects & removes spyware

Bazooka Adware and Spyware Scanner v1.13.01

Automatic check of your browser for parasites, adware and spyware
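The port check in Joseph_Moore's point 4, as an added example that is not part of any post in this thread: it triages the grepable output of an nmap run (nmap's real `-p` and `-oG` options) for TCP port 3127. The scan output, IP addresses and host name below are constructed sample data.

```python
import re

SUSPECT_PORT = 3127  # the MyDoom port named in the post above

# Constructed sample of `nmap -p 135,3127 -oG -` output; hosts and names are made up.
SAMPLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 (pc010.example.local)\tStatus: Up\n"
    "Host: 192.168.1.10 (pc010.example.local)\tPorts: 3127/closed/tcp//unknown///\n"
    "Host: 192.168.1.23 ()\tPorts: 135/open/tcp//msrpc///, 3127/open/tcp//unknown///\n"
    "Host: 192.168.1.40 ()\tPorts: 3127/filtered/tcp//unknown///\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def triage(grepable, port=SUSPECT_PORT):
    """Return {'open': [...], 'filtered': [...]} of (ip, name) for one TCP port."""
    result = {"open": [], "filtered": []}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue  # e.g. the "Status: Up" field
            for entry in field[len("Ports: "):].split(","):
                # each entry is port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue
                if int(parts[0]) == port and parts[2] == "tcp" and parts[1] in result:
                    result[parts[1]].append((m.group(1), m.group(2)))
    return result


if __name__ == "__main__":
    hits = triage(SAMPLE)
    for ip, name in hits["open"]:
        print(f"CHECK  {ip} {name or '-'}: tcp/{SUSPECT_PORT} open, inspect this machine")
    for ip, name in hits["filtered"]:
        print(f"UNSURE {ip} {name or '-'}: tcp/{SUSPECT_PORT} filtered, scan inconclusive")
```

A "filtered" result means something between the scanner and the host dropped the probe, so those machines still need a local check.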

trywaredk commented:
Remember to install new hotfixes from Microsoft. It can be done automatically

About Windows Update (SUS)

Download and install Microsoft's automatic update server (also known as SUS)

trywaredk commented:
After you've done all the above, then test your new security settings:

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

Port scan.. Get an instant security analysis now. You don't even need to know your own IP address!

How to recover an already compromised system, visit the CERT Coordination Center:

Rich Rumble (Security Samurai) commented:
Patching your systems is how you will keep from being infected; as Joseph pointed out, you'll need the M$ Blaster patch. You mentioned you have XP machines.... XP will kindly store a virus for you in System Restore, this is undesirable, disable System Restore. Apply the patch linked above, run a standalone virus scanner, McAfee and Norton both offer these, and they can scan your entire LAN, one class C subnet at a time.

If you have a M$ network, and no AV.... you are going to get hit with much worse than Blaster... 800 M$ and no av... unheard of... wow
These can get rid of the virus for you...
Use a program like GFI network scanner to audit your subnets and see what machines aren't patched, it's best to run as an administrator.

You have to keep up with patches... as stated above. M$ makes it easy to schedule these patches daily... But you do need AV also, because of sooo many M$ machines. Some believe (I know I do) that anti-virus companies have been responsible for certain viri, and I'll even bet M$ has had a hand in a few.
Ever wonder why a virus is launched... but doesn't really do too much? I mean, it spreads like wildfire (like Blaster did) and yet has no real payload... the next iteration does, because someone reverses the code, and then changes what the virus's intentions are. Remember the one that was directed at the White House web site, it used a static IP address... not DNS... so the DDoS was easy to avoid... why code a wimpy virus... why not get greedy, get CC numbers, spammers code viri to procure more email addresses... well that's the theory anyway.

Rich Rumble (Security Samurai) commented:
Should have linked these... how to turn off System Restore so that each time you start your PC it won't reinfect itself