Solved

Unable to kill virus - suspect netsky variant -

Posted on 2004-04-19
549 Views
Last Modified: 2012-08-13
Win2k3 domain (4 servers)
Exchange 2k
20 users
We have recently installed GFI mailsweeper software, as we were suspicious of mails etc., and it has shown returned messages to a user we do not have, called "SALES37314939" (see below). This user has sent 2730+ messages in the past 6 days (since we switched the GFI on):

"To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject: IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME TO: fields in the email addresses - Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:"

We cannot find any reference to this user in our AD or our Exchange or in any server registry. I cannot find it in adsiedit (although there is no search facility, so I may have missed it).
We have taken every PC and server off the network and booted them in safe mode, then run the McAfee, CA and Norton Netsky "fixers", which have yielded 6 occurrences on the mail server and nothing else.

My own belief is that there is a rogue SMTP service (which is how Netsky is supposed to run) somewhere on my network; this is kind of borne out by the fact that no mails were sent over the weekend.

Any ideas for tracking this down would be appreciated

Question by:BuckChrisBuck
10 Comments

Author Comment

by:BuckChrisBuck
ID: 10860081
In addition, I have just done a text search for "SALES37314939" across c$ on the mail server and have found 7332 files in the badmail subdir in Exchange, 3 x 358 MB files in a log directory and 40 x 5 MB files in the mdbdata directory.

Expert Comment

by:acmp
ID: 10867012
Does your AV software identify the emails as Netsky?

The latest Netsky (Netsky.w) uses a file called 'C:\WINDOWS\VisualGuard.exe'; maybe you could search your network for that.

If you know what version of the virus you are getting, you can use http://vil.nai.com to find the details, then look up what the actual virus file is called.

If you're not sure of the version, maybe you could scan your Exchange server with Stinger (http://vil.nai.com/stinger); it should report the version (and clean it too).

acmp<><

Author Comment

by:BuckChrisBuck
ID: 10867167
Thanks for your response.
We have already run Stinger, having booted into safe mode, on not only the servers but all computers on our network, over a one-hour period last week.
We believe that it is both Netsky.p and Netsky.b, as we have found instances of both, but even when trying to remove them manually by changing registry keys as per the instructions, we cannot do it (the keys are already correct). Stinger did find 6 occurrences of Netsky on the Exchange server and cleaned them, but I believe that the SMTP server sending out is not on the server, as no emails were sent over the weekend.
Any other thoughts?

Thanks

Chris

Expert Comment

by:acmp
ID: 10867389
I use a KiXtart script (ww.kixtart.org) that runs at logon and looks for some virus files, and stops the user from logging on if it finds them. This helps to locate problems on the network (I have 400+ PCs).

Netsky.p uses:
FVProtect.exe
userconfig9x.dll
and, to run itself,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

Netsky.b uses:
SERVICES.EXE (not the system folder version)
and, to run itself,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = C:\WINNT\services.exe -serv

Maybe you could use kixtart (or another script) to find these files on your PC's. Then clean any that are infected.

You could try something like...

<code>
   @echo off
   rem dir sets errorlevel 0 when the file is found and 1 when it is not,
   rem so the test has to be against 1: 'if not errorlevel 2' is true for
   rem both 0 and 1 and would raise the alert on every PC.
   rem ('if exist %windir%\fvprotect.exe goto Alertp' is the simpler equivalent.)
   dir %windir%\fvprotect.exe >nul 2>&1
   if not errorlevel 1 goto Alertp

   dir %windir%\services.exe >nul 2>&1
   if not errorlevel 1 goto Alertb

   goto end

   :Alertp
      echo.
      echo you have netsky.p call your administrator
      pause
      goto end
   :Alertb
      echo.
      echo you have netsky.b call your administrator
      pause
   :end
</code>

Put this in a login script. If the files exist the error level is 0, so the script continues; if they don't exist it generates a level of 2 and will then do the notice. You could include a 'net send' command to send an alert to yourself.

Alternatively, you could change the %windir% to \\[pc name]\admin$ and run the script from your PC. This assumes you have the admin$ share on your clients and you have access to them; of course, you'll change the [pc name] to the correct NetBIOS name for the PC you want to check.

acmp<><

Author Comment

by:BuckChrisBuck
ID: 10879589
Thanks acmp, I put your idea to work. I needed to amend it slightly, adding a c: at the top so it checked locally, and I also added a net name command so that I could easily see who was what...
No dice, however: all users logged on and none gave me any issues or showed these files.
According to my gateway, at 13:13:43 today my rogue user sent out 910 emails, each to a different address, all the same size.
Frustrating problem this one.......

Expert Comment

by:acmp
ID: 10887081
Do the outgoing emails have any useful information in the headers?  Maybe you could post one for us to look at?

acmp<><

Author Comment

by:BuckChrisBuck
ID: 10888940
Have switched the gateway to capture all inbound and outbound emails, so I will post one as soon as we get it (they are random and usually about 900 in 1 second; cannot yet find a trigger). Chris

Author Comment

by:BuckChrisBuck
ID: 10898132
OK, here is the header from one of the 910 mails sent out this morning:

Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
       Tue, 13 Apr 2004 13:38:49 +0100
-----Original Message-----
From: MAILER-DAEMON@mail.clicknames.net
[mailto:MAILER-DAEMON@mail.clicknames.net]
Sent: 21 April 2004 19:07
To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE
GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject:
IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_
CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME
TO: fields in the email addresses - failure notice


Hi. This is the qmail-send program at mail.clicknames.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ian@ianloncaster.com>:
Sorry, I couldn't find any host named ianloncaster.com. (#5.1.2)

--- Below this line is a copy of the message.

Return-Path: <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
Received: (qmail 26787 invoked by uid 1002); 21 Apr 2004 18:06:50 -0000
Delivered-To: forwarding-info@launchselect.com
X-Envelope-To: info@launchselect.com
X-Forwarding-To: info@launchselect.com
Received: (qmail 26541 invoked from network); 21 Apr 2004 18:05:46 -0000
Received: from host81-136-136-205.in-addr.btopenworld.com (HELO hwgdc1.hurstwoodgroup.com) (81.136.136.205)
  by mail.clicknames.net with SMTP; 21 Apr 2004 18:05:46 -0000
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 18:25:21 +0100
Received: by hwgdc1.hurstwoodgroup.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-182020-7889.MMD@hurstwoodgroup.com; Wed, 21 Apr 2004 18:20:20 +0100
Return-path: <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
Received: from mailforwarding.ukip.com (unverified [212.36.99.14]) by UKIPMAILSERVER.1anetworks.net
 (Vircom SMTPRS 3.1.293.1) with ESMTP id <B0003815281@UKIPMAILSERVER.1anetworks.net> for <hurstw2@ukip.co.uk>;
 Wed, 21 Apr 2004 15:21:35 +0100
Received: from pythagoras.zen.co.uk (pythagoras.zen.co.uk [212.23.3.140])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LEMWBx027231
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 15:22:33 +0100
Received: from [217.155.151.65] (helo=dc1.LPC.local)
 by pythagoras.zen.co.uk with smtp (Exim 4.30)
 id 1BGIYN-0003fn-Oa; Wed, 21 Apr 2004 14:18:21 +0000
Received: from dc1.LPC.local ([10.0.0.5]) by dc1.LPC.local with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 15:16:37 +0100
Received: by dc1.LPC.local (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-151536-6058.MMD@lpc1.co.uk; Wed, 21 Apr 2004 15:15:36 +0100
Received: from ultra26.uk2net.com (actually host 126.208.4.212.in-addr.arpa) by dswu27 with SMTP (XT-PP) with ESMTP; Wed, 21 Apr 2004 15:03:51 +0100
Received: from host81-136-205-30.in-addr.btopenworld.com ([81.136.205.30] helo=hwgdc1.hurstwoodgroup.com)
 by ultra26.uk2net.com with esmtp (Exim 4.30)
 id 1BGIJP-0002yK-8n
 for ken@mcafferty.co.uk; Wed, 21 Apr 2004 15:03:17 +0100
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 13:46:33 +0100
Received: by hwgdc1.hurstwoodgroup.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-134547-7846.MMD@hurstwoodgroup.com; Wed, 21 Apr 2004 13:45:47 +0100
Received: from mailforwarding.ukip.com (unverified [212.36.99.14]) by UKIPMAILSERVER.1anetworks.net
 (Vircom SMTPRS 3.1.293.1) with ESMTP id <B0003811835@UKIPMAILSERVER.1anetworks.net> for <hurstw2@ukip.co.uk>;
 Wed, 21 Apr 2004 13:23:04 +0100
Received: from lambgate.lambsbricks.com ([82.108.24.211])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 13:16:22 +0100
Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 13 Apr 2004 13:38:49 +0100
Subject: RE: Residential sites needed
Date: Wed, 10 Mar 2004 17:20:21 +0100
Message-ID: <A80C581440B0F241B39BF659FF6B863F01C058@lamb2k4.lambsbricks.com>
X-MS-Has-Attach:
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----_=_NextPart_001_01C406BB.95DFFEFD"
X-MS-TNEF-Correlator:
Thread-Topic: Residential sites needed
Thread-Index: AcQGufjfKgvKAFHQTS+QtrGOCGuBogAACJtQAABa6vA=
From: "Sales" <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
content-class: urn:content-classes:message
---------------------------------------------------------------------------------------------------------------------------------------------------------------

Accepted Solution

by: acmp (earned 250 total points)
ID: 10916088
The first IP in the list is a private address, 192.169.0.2; does this match your IP range?

The second IP (81.136.136.205) looks like a valid BT Openworld address.

The whole message looks like a normal NDR (non-delivery response) from mail.clicknames.net.

I'm not convinced that you have a virus. If I had to guess I'd say that you are either being used as a mail relay or someone is spoofing emails from your domain for spamming. The subject 'Residential sites needed' just sounds spammy to me.

Maybe you could check your email server is relay-free at http://www.abuse.net/relay.html. You may want to create an account (free) for a proper test, but the anonymous test may give some useful results.

acmp<><
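The reading of the Received: chain that the accepted answer does by eye can be scripted. The following is an added example, not code from the thread or from any of its participants: it parses the Received: headers of a bounce, lists the hops earliest-first (the bottom header is the one added first), marks which addresses fall in RFC 1918 private ranges, and flags any two consecutive hops whose timestamps run backwards or differ by more than a day. The sample input is constructed from five of the Received: lines and the Message-ID quoted above; the innermost hop there carries 192.168.80.2 and a 13 Apr timestamp while the outer hops are 21 Apr, which is exactly the kind of thing a practitioner wants surfaced before trusting the chain. The 24-hour threshold and the function names are choices made for this example.

```python
"""Walk the Received: chain of a bounced message back to the hop where it entered."""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: five of the Received: lines from the NDR quoted in this
# thread, in their original top-to-bottom order, plus the Message-ID.
SAMPLE_HEADERS = """\
Received: (qmail 26541 invoked from network); 21 Apr 2004 18:05:46 -0000
Received: from host81-136-136-205.in-addr.btopenworld.com (HELO hwgdc1.hurstwoodgroup.com) (81.136.136.205)
  by mail.clicknames.net with SMTP; 21 Apr 2004 18:05:46 -0000
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 18:25:21 +0100
Received: from lambgate.lambsbricks.com ([82.108.24.211])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 13:16:22 +0100
Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 13 Apr 2004 13:38:49 +0100
Message-ID: <A80C581440B0F241B39BF659FF6B863F01C058@lamb2k4.lambsbricks.com>

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_HOST = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Turn one Received: value into a hop record (claimed sender, receiver, IPs, time)."""
    text = " ".join(value.split())           # collapse folded continuation lines
    ips = []
    for cand in IPV4.findall(text):
        try:
            ips.append((cand, ipaddress.ip_address(cand).is_private))
        except ValueError:
            continue                         # dotted digits that are not an address
    date = None
    if ";" in text:                          # the timestamp follows the last ';'
        try:
            date = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            date = None
        if date is not None and date.tzinfo is None:
            date = date.replace(tzinfo=timezone.utc)   # a '-0000' zone parses as naive
    m_from = FROM_HOST.search(text)
    m_by = BY_HOST.search(text)
    return {
        "from": m_from.group(1).strip("();") if m_from else None,
        "by": m_by.group(1).strip("();") if m_by else None,
        "ips": ips,
        "date": date,
    }


def hops_in_order(raw_message):
    """Hops earliest-first: the bottom Received: header was added first."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def origin(hops):
    """Where the message entered the chain. If every address on that hop is
    RFC 1918 private, the message left from inside that network; a public
    address there points at a relay or a spoofed sender outside it."""
    first = hops[0]
    inside = bool(first["ips"]) and all(priv for _, priv in first["ips"])
    return first["from"], inside


def time_gaps(hops, max_hours=24):
    """Consecutive hops whose timestamps run backwards or differ by more than
    max_hours; a message that sat for days before the next hop, or a wrong
    clock, needs explaining before the chain is trusted."""
    gaps = []
    stamped = [h for h in hops if h["date"] is not None]
    for earlier, later in zip(stamped, stamped[1:]):
        hours = (later["date"] - earlier["date"]).total_seconds() / 3600
        if hours < 0 or hours > max_hours:
            gaps.append((earlier["by"], later["by"], round(hours, 1)))
    return gaps


def report(raw_message):
    """Human-readable summary, one line per hop, earliest first."""
    hops = hops_in_order(raw_message)
    lines = []
    for i, h in enumerate(hops):
        addrs = ", ".join(f"{ip}{' (private)' if priv else ''}" for ip, priv in h["ips"])
        when = h["date"].isoformat() if h["date"] else "no timestamp"
        lines.append(f"{i}: {h['from']} -> {h['by']}  [{addrs or 'no address'}]  {when}")
    host, inside = origin(hops)
    lines.append(f"entered the chain at {host}; inside a private network: {inside}")
    for a, b, hours in time_gaps(hops):
        lines.append(f"time gap of {hours} h between {a} and {b}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HEADERS))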

Author Comment

by:BuckChrisBuck
ID: 11004397
I have fixed this. Using the Trend scanner seems to be the only way to get rid of it in our situation: once again we shut everything down, turned off the Ethernet switches (to stop network activity), booted every machine in safe mode and ran Trend.
No virus activity for 2 weeks now, so I guess this is a closed call. Thanks acmp for your help. You did not solve the problem, but I would like to give you some points anyway for being so helpful.
I was unable to get the relay thing working; I tried several times but the registration email never came through, so maybe the service has stopped. Chris