Solved

Unable to kill virus - suspect netsky variant -

Posted on 2004-04-19
10
548 Views
Last Modified: 2012-08-13
Win2k3 domain (4 servers)
Exchange 2k
20 users
Have recently installed GFI mailsweeper software, as we were suspicious of mails etc., and it has shown returned messages to a user we do not have called "SALES37314939" (see below). This user has sent 2730+ messages in the past 6 days (since we switched the GFI on):

"To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject: IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME TO: fields in the email addresses - Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:"

We cannot find any reference to this user in our AD or our Exchange or on any server registry. I cannot find it in adsiedit (although there is no search facility so I may have missed it).
We have taken every PC and server off the network and booted them in safe mode, then run the McAfee, CA and Norton netsky "fixers", which have yielded 6 occurrences on the mail server and nothing else.

My own belief is that there is a rogue SMTP service (which is how netsky is supposed to run) somewhere on my network. This is kind of borne out by the fact that no mails were sent over the weekend.

Any ideas for tracking this down would be appreciated







0
Question by:BuckChrisBuck
10 Comments
 

Author Comment

by:BuckChrisBuck
ID: 10860081
In addition, I have just done a text search for "SALES37314939" across c$ for the mail server and have found 7332 files in the badmail subdir in Exchange, 3 x 358 MB files in a log directory and 40 x 5 MB files in the mdbdata directory.
0
 
LVL 6

Expert Comment

by:acmp
ID: 10867012
Does your AV software identify the emails as Netsky?

The latest netsky (netsky.w) uses a file called 'C:\WINDOWS\VisualGuard.exe' maybe you could search your network for that.

If you know what version of the virus you are getting you can use http://vil.nai.com to find the details then look up what the actual virus file is called.

If you're not sure of the version maybe you could scan your exchange server with stinger (http://vil.nai.com/stinger), it should report the version (and clean it too).

acmp<><
0
 

Author Comment

by:BuckChrisBuck
ID: 10867167
Thanks for your response.
We have already run the Stinger, having booted in safe mode, on not only the servers but all computers on our network over a one hour period last week.
We believe that it is both netsky.p and netsky.b as we have found instances of both, but even when trying to remove manually by changing registry keys as per the instructions, we cannot do it (the keys are already correct). The Stinger did find 6 occurrences of netsky on the Exchange server and cleaned them, but I believe that the SMTP server sending out is not on the server as no emails were sent over the weekend.
Any other thoughts?

Thanks

Chris
0
 
LVL 6

Expert Comment

by:acmp
ID: 10867389
I use a kixtart script (www.kixtart.org) that runs at logon that looks for some virus files and stops the user from logging on if it finds them. This helps to locate problems on the network (I have 400+ PCs).

Netsky.p uses:
FVProtect.exe
userconfig9x.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe
to run itself.

Netsky.b uses:
SERVICES.EXE (not the system folder version)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "service" = C:\WINNT\services.exe -serv

Maybe you could use kixtart (or another script) to find these files on your PCs. Then clean any that are infected.

You could try something like...

<code>
   rem Logon check for the Netsky.P and Netsky.B dropper files in %windir%.
   rem "if exist" tests the file directly, which avoids relying on the
   rem errorlevel that "dir" sets (it differs between command.com and cmd.exe).
   if exist %windir%\fvprotect.exe goto Alertp
   if exist %windir%\services.exe goto Alertb

   goto end

   :Alertp
      echo.
      echo you have netsky.p call your administrator
      Pause
      goto end
   :Alertb
      echo.
      echo you have netsky.b call your administrator
      Pause
   :end
</code>

Put this in a login script. If the files exist the error level is 0, so the script continues; if they don't exist it generates a level of 2 and will then do the notice. You could include a 'net send' command to send an alert to yourself.

Alternatively you could change the %windir% to \\[pc name]\admin$ and run the script from your PC. This assumes you have the admin$ share on your clients and you have access to them; of course you'll change the [pc name] to the correct NetBIOS name for the PC you want to check.

acmp<><
0
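The check acmp describes above (look for the dropper files through each client's admin$ share and for the Run value in HKLM) can be driven from one machine over a list of hosts. The script below is an added example, not the thread's login script: the indicator names come from acmp's post, while the host names and the offline probe results are constructed. On a real run the two default probes use the admin$ share (\\host\admin$ maps to %WinDir%) and the Remote Registry service, both of which need administrative rights on each client; the probes are injectable so the same logic runs against constructed data here.

```python
"""Sweep Windows clients for the Netsky.P / Netsky.B indicators listed in acmp's post.

Added example, not the thread's login script. Indicator names are from the post;
host names and the probe results used for the offline run are constructed.
"""
import os

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# variant -> files dropped in %WinDir% and the Run value (name, substring of its data)
INDICATORS = {
    "Netsky.P": {
        "files": ["FVProtect.exe", "userconfig9x.dll"],
        "run_value": ("Norton Antivirus AV", "fvprotect.exe"),
    },
    "Netsky.B": {
        "files": ["services.exe"],  # the copy in %WinDir%, not the real one in system32
        "run_value": ("service", "services.exe -serv"),
    },
}


def windir_file_exists(host, filename):
    """Check %WinDir%\\<filename> on a remote client through its admin$ share."""
    return os.path.exists(rf"\\{host}\admin$\{filename}")


def run_values(host):
    """Read HKLM\\...\\Run on a remote client via Remote Registry (Windows only)."""
    import winreg  # only available on Windows, so imported lazily
    hive = winreg.ConnectRegistry(rf"\\{host}", winreg.HKEY_LOCAL_MACHINE)
    values = {}
    with winreg.OpenKey(hive, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            values[name] = str(data)
            index += 1
    return values


def check_host(host, file_exists=windir_file_exists, read_run=run_values):
    """Return {variant: [evidence, ...]} for every indicator present on host."""
    try:
        run = read_run(host)
    except (OSError, ImportError):
        run = {}  # registry unreachable; the file checks can still run
    findings = {}
    for variant, ind in INDICATORS.items():
        evidence = [f"%WinDir%\\{f} present" for f in ind["files"] if file_exists(host, f)]
        name, needle = ind["run_value"]
        data = run.get(name, "")
        if needle.lower() in data.lower():
            evidence.append(f"Run value '{name}' = {data}")
        if evidence:
            findings[variant] = evidence
    return findings


def sweep(hosts, **probes):
    """Run check_host over a list of NetBIOS names; clean hosts map to {}."""
    return {host: check_host(host, **probes) for host in hosts}


# Constructed state for three hypothetical clients so the example runs offline.
FAKE_FILES = {("PC-SALES01", "FVProtect.exe"), ("PC-SALES01", "userconfig9x.dll"),
              ("PC-ACCTS02", "services.exe")}
FAKE_RUN = {
    "PC-SALES01": {"Norton Antivirus AV": r"C:\WINNT\FVProtect.exe"},
    "PC-ACCTS02": {"service": r"C:\WINNT\services.exe -serv"},
    "PC-CLEAN03": {"ExampleUpdater": r"C:\Program Files\Example\updater.exe"},
}


def fake_file_exists(host, filename):
    return (host, filename) in FAKE_FILES


def fake_run(host):
    return FAKE_RUN[host]


if __name__ == "__main__":
    report = sweep(list(FAKE_RUN), file_exists=fake_file_exists, read_run=fake_run)
    for host, hits in report.items():
        print(host, "clean" if not hits else hits)
```

Matching on the Run value's data rather than only its name matters because a legitimate product could own a similarly named value; the file check and the registry check together give two independent pieces of evidence per host, and a host whose registry cannot be read is still swept for the files.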
 

Author Comment

by:BuckChrisBuck
ID: 10879589
Thanks acmp, I put your idea to work. I needed to amend it slightly, adding a c: at the top so it checked locally, and I also added a net name command in so that I could easily see who was what.
No dice however: all users logged on and none giving me any issues or showing these files.
According to my gateway, at 13:13:43 today my rogue user sent out 910 emails, each to different addresses, all the same size.
Frustrating problem this one.
0
 
LVL 6

Expert Comment

by:acmp
ID: 10887081
Do the outgoing emails have any useful information in the headers?  Maybe you could post one for us to look at?

acmp<><
0
 

Author Comment

by:BuckChrisBuck
ID: 10888940
Have switched the gateway to capture all inbound and outbound emails so I will post one as soon as we get it (they are random and usually about 900 in 1 second; cannot yet find a trigger). Chris
0
 

Author Comment

by:BuckChrisBuck
ID: 10898132
OK - Here is the header from one of 910 mails sent out this morning

Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
       Tue, 13 Apr 2004 13:38:49 +0100
-----Original Message-----
From: MAILER-DAEMON@mail.clicknames.net
[mailto:MAILER-DAEMON@mail.clicknames.net]
Sent: 21 April 2004 19:07
To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE
GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject:
IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_
CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME
TO: fields in the email addresses - failure notice


Hi. This is the qmail-send program at mail.clicknames.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ian@ianloncaster.com>:
Sorry, I couldn't find any host named ianloncaster.com. (#5.1.2)

--- Below this line is a copy of the message.

Return-Path: <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
Received: (qmail 26787 invoked by uid 1002); 21 Apr 2004 18:06:50 -0000
Delivered-To: forwarding-info@launchselect.com
X-Envelope-To: info@launchselect.com
X-Forwarding-To: info@launchselect.com
Received: (qmail 26541 invoked from network); 21 Apr 2004 18:05:46 -0000
Received: from host81-136-136-205.in-addr.btopenworld.com (HELO hwgdc1.hurstwoodgroup.com) (81.136.136.205)
  by mail.clicknames.net with SMTP; 21 Apr 2004 18:05:46 -0000
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 18:25:21 +0100
Received: by hwgdc1.hurstwoodgroup.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-182020-7889.MMD@hurstwoodgroup.com; Wed, 21 Apr 2004 18:20:20 +0100
Return-path: <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
Received: from mailforwarding.ukip.com (unverified [212.36.99.14]) by UKIPMAILSERVER.1anetworks.net
 (Vircom SMTPRS 3.1.293.1) with ESMTP id <B0003815281@UKIPMAILSERVER.1anetworks.net> for <hurstw2@ukip.co.uk>;
 Wed, 21 Apr 2004 15:21:35 +0100
Received: from pythagoras.zen.co.uk (pythagoras.zen.co.uk [212.23.3.140])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LEMWBx027231
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 15:22:33 +0100
Received: from [217.155.151.65] (helo=dc1.LPC.local)
 by pythagoras.zen.co.uk with smtp (Exim 4.30)
 id 1BGIYN-0003fn-Oa; Wed, 21 Apr 2004 14:18:21 +0000
Received: from dc1.LPC.local ([10.0.0.5]) by dc1.LPC.local with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 15:16:37 +0100
Received: by dc1.LPC.local (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-151536-6058.MMD@lpc1.co.uk; Wed, 21 Apr 2004 15:15:36 +0100
Received: from ultra26.uk2net.com (actually host 126.208.4.212.in-addr.arpa) by dswu27 with SMTP (XT-PP) with ESMTP; Wed, 21 Apr 2004 15:03:51 +0100
Received: from host81-136-205-30.in-addr.btopenworld.com ([81.136.205.30] helo=hwgdc1.hurstwoodgroup.com)
 by ultra26.uk2net.com with esmtp (Exim 4.30)
 id 1BGIJP-0002yK-8n
 for ken@mcafferty.co.uk; Wed, 21 Apr 2004 15:03:17 +0100
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 13:46:33 +0100
Received: by hwgdc1.hurstwoodgroup.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-134547-7846.MMD@hurstwoodgroup.com; Wed, 21 Apr 2004 13:45:47 +0100
Received: from mailforwarding.ukip.com (unverified [212.36.99.14]) by UKIPMAILSERVER.1anetworks.net
 (Vircom SMTPRS 3.1.293.1) with ESMTP id <B0003811835@UKIPMAILSERVER.1anetworks.net> for <hurstw2@ukip.co.uk>;
 Wed, 21 Apr 2004 13:23:04 +0100
Received: from lambgate.lambsbricks.com ([82.108.24.211])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 13:16:22 +0100
Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 13 Apr 2004 13:38:49 +0100
Subject: RE: Residential sites needed
Date: Wed, 10 Mar 2004 17:20:21 +0100
Message-ID: <A80C581440B0F241B39BF659FF6B863F01C058@lamb2k4.lambsbricks.com>
X-MS-Has-Attach:
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----_=_NextPart_001_01C406BB.95DFFEFD"
X-MS-TNEF-Correlator:
Thread-Topic: Residential sites needed
Thread-Index: AcQGufjfKgvKAFHQTS+QtrGOCGuBogAACJtQAABa6vA=
From: "Sales" <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
content-class: urn:content-classes:message
---------------------------------------------------------------------------------------------------------------------------------------------------------------
0
 
LVL 6

Accepted Solution

by:
acmp earned 250 total points
ID: 10916088
The first IP in the list is a private address, 192.169.0.2, does this match your IP range?

The second IP (81.136.136.205) looks like a valid BT Openworld address.

The whole message looks like a normal NDR (non delivery response) from mail.clicknames.net.

I'm not convinced that you have a virus. If I had to guess I'd say that you are either being used as a mail relay or someone is spoofing emails from your domain for spamming. The subject 'Residential sites needed' just sounds spammy to me.

Maybe you could check your email server is relay free at http://www.abuse.net/relay.html. You may want to create an account (free) for a proper test, but the anonymous test may give some useful results.

acmp<><
0
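The reading acmp gives of the header (which sending address is private, which is a real ISP address, where the message entered the mail path) can be done mechanically for every bounce the gateway captures. The script below is an added example, not code from the thread: it unfolds the Received: lines, walks them from the bottom (the hop closest to the origin) upwards, and marks each sending IP as private and as belonging to your own ranges. SAMPLE_NDR is an excerpt of the header posted above; OUR_NETWORKS is an assumption (192.168.80.0/24 for the LAN, of which the thread only shows 192.168.80.2, plus the 82.108.24.211 address that lambgate presents to the outside).

```python
"""Walk the Received: chain of a bounced message to see where it entered the mail path.

Added example, not code from the thread. SAMPLE_NDR is an excerpt of the headers
posted in the thread; OUR_NETWORKS is an assumed list of the lambsbricks.com ranges.
"""
import ipaddress
import re

SAMPLE_NDR = """\
Received: from host81-136-136-205.in-addr.btopenworld.com (HELO hwgdc1.hurstwoodgroup.com) (81.136.136.205)
  by mail.clicknames.net with SMTP; 21 Apr 2004 18:05:46 -0000
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 18:25:21 +0100
Received: from lambgate.lambsbricks.com ([82.108.24.211])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 13:16:22 +0100
Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 13 Apr 2004 13:38:49 +0100
Subject: RE: Residential sites needed
"""

# Assumed: the LAN range behind lambgate, and lambgate's own public address.
OUR_NETWORKS = ["192.168.80.0/24", "82.108.24.211/32"]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _ip(text):
    """First syntactically valid IPv4 address in text, or None."""
    for candidate in IPV4.findall(text):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def unfold_headers(raw):
    """Join RFC 822 continuation lines and return (name, value) pairs in file order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value):
    """Pull sending host/IP, receiving host and timestamp out of one Received: value."""
    by = re.search(r"(?:^|\s)by\s+(\S+)", value)
    sender_clause = value[: by.start()] if by else value  # only the "from ..." part
    frm = re.match(r"from\s+(\S+)", sender_clause)
    ip = _ip(sender_clause)
    return {
        "from": frm.group(1).strip("[]") if frm else None,
        "ip": str(ip) if ip else None,
        "by": by.group(1) if by else None,
        "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        "private": ip is not None and ip.is_private,
    }


def trace(raw, our_networks=OUR_NETWORKS):
    """Return the hops oldest-first, each marked private/ours."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n == "received"]
    hops.reverse()  # the bottom Received: line is the one closest to the origin
    for number, hop in enumerate(hops, 1):
        hop["hop"] = number
        hop["ours"] = hop["ip"] is not None and any(
            ipaddress.ip_address(hop["ip"]) in net for net in nets)
    return hops


def first_internal_sender(hops):
    """Earliest hop whose sending IP is on our own network: the machine that handed the
    message to our mail path. Only hops written by servers you control are trustworthy;
    anything below them in the header could have been forged by the sender."""
    return next((h for h in hops if h["ours"]), None)


if __name__ == "__main__":
    hops = trace(SAMPLE_NDR)
    for h in hops:
        tag = "OURS" if h["ours"] else ("private" if h["private"] else "public")
        print(f"hop {h['hop']}: {h['from']} [{h['ip']}] -> {h['by']} ({tag}) {h['date']}")
    origin = first_internal_sender(hops)
    print("entered our mail path from:", origin["from"], origin["ip"], "at", origin["date"])
```

On the posted header the first hop on our side is lamb2k4 (192.168.80.2) handing the message to lambgate, i.e. the Exchange server itself rather than a workstation, which is consistent with where the thread's scans found the infected files. The script also surfaces the timestamps per hop, so a bottom hop dated 13 Apr under hops dated 21 Apr stands out for a closer look at the gateway's queue.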
 

Author Comment

by:BuckChrisBuck
ID: 11004397
I have fixed this. Using the trend scanner seems to be the only way to get rid in our situation - once again we shut everything down - turned off the ethernet switches (to stop network activity) booted every machine in safe mode and ran Trend.
No virus activity for 2 weeks now so I guess this is a closed call. Thanks acmp for your help. You did not solve the problem, but I would like to give you some points anyway for being so helpful.
I was unable to get the relay thing working - I tried several times but the registration email never came through so maybe the service has stopped - Chris
0
