Solved

Unable to kill virus - suspect netsky variant -

Posted on 2004-04-19
Last Modified: 2012-08-13
Win2k3 domain (4 servers)
Exchange 2k
20 users
Have recently installed GFI mailsweeper software as suspicious of mails etc and it has shown returned messages to a user we do not have called "SALES37314939" (see below). This user has sent 2730+ messages in the past 6 days (since we switched the GFI on) -

"To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject: IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME TO: fields in the email addresses - Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:"

We cannot find any reference to this user in our AD or our Exchange or on any server registry. I cannot find it in adsiedit (although there is no search facility so I may have missed it).
We have taken every PC and server off the network and booted them in safe mode - then run McAfee/CA and Norton netsky "fixers" which have yielded 6 occurrences on the mail server and nothing else.

My own belief is that there is a rogue SMTP service (which is how netsky is supposed to run) somewhere on my network - this is kind of borne out by the fact that no mails were sent over the weekend.

Any ideas for tracking this down would be appreciated

Question by:BuckChrisBuck

Author Comment

by:BuckChrisBuck
ID: 10860081
In addition, I have just done a text search for "SALES37314939" across c$ for the mail server and have found 7332 files in the badmail subdir in exchange, 3x358mb files in a log directory and 40x5mb files in the mdbdata directory.

Expert Comment

by:acmp
ID: 10867012
Does your AV software identify the emails as Netsky?

The latest netsky (netsky.w) uses a file called 'C:\WINDOWS\VisualGuard.exe' maybe you could search your network for that.

If you know what version of the virus you are getting you can use http://vil.nai.com to find the details then look up what the actual virus file is called.

If you're not sure of the version maybe you could scan your exchange server with stinger (http://vil.nai.com/stinger), it should report the version (and clean it too).

acmp<><

Author Comment

by:BuckChrisBuck
ID: 10867167
Thanks for your response.
We have already run the stinger having booted in safe mode on not only the servers but all computers on our network over a one hour period last week.
We believe that it is both netsky.p and netsky.b as we have found instances of both but even when trying to remove manually by changing registry keys as per the instructions, we cannot do it (the keys are already correct). The stinger did find 6 occurrences of netsky on the Exchange server and cleaned them but I believe that the SMTP server sending out is not on the server as no emails were sent over the weekend.
Any other thoughts?

Thanks

Chris

Expert Comment

by:acmp
ID: 10867389
I use a kixtart script (ww.kixtart.org) that runs at logon that looks for some virus files and stops the user from logging on if it finds them.  This helps to locate problems on the network (I have 400+ PCs).

Netsky.p uses:
FVProtect.exe
userconfig9x.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

To run itself,

Netsky.b uses:
SERVICES.EXE (not the system folder version)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = C:\WINNT\services.exe -serv

Maybe you could use kixtart (or another script) to find these files on your PCs. Then clean any that are infected.

You could try something like...

<code>
   @echo off
   REM Netsky.p drops FVProtect.exe in the Windows directory.
   REM IF EXIST works on both cmd.exe and COMMAND.COM, so the check does not
   REM depend on the errorlevel that DIR happens to set.
   if exist %windir%\fvprotect.exe goto Alertp

   REM Netsky.b drops its own services.exe in the Windows directory
   REM (not the legitimate copy in the system folder).
   if exist %windir%\services.exe goto Alertb

   goto end

   :Alertp
      echo.
      echo you have netsky.p call your administrator
      Pause
      goto end
   :Alertb
      echo.
      echo you have netsky.b call your administrator
      Pause
   :end
</code>

Put this in a login script, if the files exist the error level is 0 so the script continues, if they don't exist it generates a level of 2 and will then do the notice. you could include a 'net send' command to send an alert to yourself.

Alternatively you could change the %windir% to \\[pc name]\admin$ and run the script from your PC. This assumes you have the admin$ share on your clients and you have access to them; of course you'll change the [pc name] to the correct NetBIOS name for the PC you want to check.

acmp<><

Author Comment

by:BuckChrisBuck
ID: 10879589
Thanks acmp, I put your idea to work - I needed to amend slightly, adding a c: at the top so it checked locally, and I also added a net name command in so that I could easily see who was what.....
No dice however - all users logged on and none giving me any issues or showing these files.
According to my gateway, at 13:13:43 today my rogue user sent out 910 emails each to different addresses all the same size.
Frustrating problem this one.......

Expert Comment

by:acmp
ID: 10887081
Do the outgoing emails have any useful information in the headers?  Maybe you could post one for us to look at?

acmp<><

Author Comment

by:BuckChrisBuck
ID: 10888940
Have switched gateway to capture all inbound and outbound emails so I will post one as soon as we get it (they are random and usually about 900 in 1 second - cannot yet find a trigger). Chris

Author Comment

by:BuckChrisBuck
ID: 10898132
OK - Here is the header from one of 910 mails sent out this morning

Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
       Tue, 13 Apr 2004 13:38:49 +0100
-----Original Message-----
From: MAILER-DAEMON@mail.clicknames.net
[mailto:MAILER-DAEMON@mail.clicknames.net]
Sent: 21 April 2004 19:07
To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE
GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject:
IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_
CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME
TO: fields in the email addresses - failure notice


Hi. This is the qmail-send program at mail.clicknames.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ian@ianloncaster.com>:
Sorry, I couldn't find any host named ianloncaster.com. (#5.1.2)

--- Below this line is a copy of the message.

Return-Path: <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
Received: (qmail 26787 invoked by uid 1002); 21 Apr 2004 18:06:50 -0000
Delivered-To: forwarding-info@launchselect.com
X-Envelope-To: info@launchselect.com
X-Forwarding-To: info@launchselect.com
Received: (qmail 26541 invoked from network); 21 Apr 2004 18:05:46 -0000
Received: from host81-136-136-205.in-addr.btopenworld.com (HELO hwgdc1.hurstwoodgroup.com) (81.136.136.205)
  by mail.clicknames.net with SMTP; 21 Apr 2004 18:05:46 -0000
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 18:25:21 +0100
Received: by hwgdc1.hurstwoodgroup.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-182020-7889.MMD@hurstwoodgroup.com; Wed, 21 Apr 2004 18:20:20 +0100
Return-path: <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
Received: from mailforwarding.ukip.com (unverified [212.36.99.14]) by UKIPMAILSERVER.1anetworks.net
 (Vircom SMTPRS 3.1.293.1) with ESMTP id <B0003815281@UKIPMAILSERVER.1anetworks.net> for <hurstw2@ukip.co.uk>;
 Wed, 21 Apr 2004 15:21:35 +0100
Received: from pythagoras.zen.co.uk (pythagoras.zen.co.uk [212.23.3.140])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LEMWBx027231
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 15:22:33 +0100
Received: from [217.155.151.65] (helo=dc1.LPC.local)
 by pythagoras.zen.co.uk with smtp (Exim 4.30)
 id 1BGIYN-0003fn-Oa; Wed, 21 Apr 2004 14:18:21 +0000
Received: from dc1.LPC.local ([10.0.0.5]) by dc1.LPC.local with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 15:16:37 +0100
Received: by dc1.LPC.local (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-151536-6058.MMD@lpc1.co.uk; Wed, 21 Apr 2004 15:15:36 +0100
Received: from ultra26.uk2net.com (actually host 126.208.4.212.in-addr.arpa) by dswu27 with SMTP (XT-PP) with ESMTP; Wed, 21 Apr 2004 15:03:51 +0100
Received: from host81-136-205-30.in-addr.btopenworld.com ([81.136.205.30] helo=hwgdc1.hurstwoodgroup.com)
 by ultra26.uk2net.com with esmtp (Exim 4.30)
 id 1BGIJP-0002yK-8n
 for ken@mcafferty.co.uk; Wed, 21 Apr 2004 15:03:17 +0100
Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 13:46:33 +0100
Received: by hwgdc1.hurstwoodgroup.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id MSG04212004-134547-7846.MMD@hurstwoodgroup.com; Wed, 21 Apr 2004 13:45:47 +0100
Received: from mailforwarding.ukip.com (unverified [212.36.99.14]) by UKIPMAILSERVER.1anetworks.net
 (Vircom SMTPRS 3.1.293.1) with ESMTP id <B0003811835@UKIPMAILSERVER.1anetworks.net> for <hurstw2@ukip.co.uk>;
 Wed, 21 Apr 2004 13:23:04 +0100
Received: from lambgate.lambsbricks.com ([82.108.24.211])
 by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804
 for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 13:16:22 +0100
Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 13 Apr 2004 13:38:49 +0100
Subject: RE: Residential sites needed
Date: Wed, 10 Mar 2004 17:20:21 +0100
Message-ID: <A80C581440B0F241B39BF659FF6B863F01C058@lamb2k4.lambsbricks.com>
X-MS-Has-Attach:
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----_=_NextPart_001_01C406BB.95DFFEFD"
X-MS-TNEF-Correlator:
Thread-Topic: Residential sites needed
Thread-Index: AcQGufjfKgvKAFHQTS+QtrGOCGuBogAACJtQAABa6vA=
From: "Sales" <IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com>
content-class: urn:content-classes:message

Accepted Solution

by:acmp (earned 250 total points)
ID: 10916088
The first IP in the list is a private address, 192.169.0.2, does this match your IP range?

The second IP (81.136.136.205) looks like a valid BT Openworld address.

The whole message looks like a normal NDR (non delivery response) from mail.clicknames.net.

I'm not convinced that you have a virus. If I had to guess I'd say that you are either being used as a mail relay or someone is spoofing emails from your domain for spamming. The subject 'Residential sites needed' just sounds spammy to me.

Maybe you could check your email server is relay free at http://www.abuse.net/relay.html. You may want to create an account (free) for a proper test, but the anonymous test may give some useful results

acmp<><
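The hop-by-hop reading acmp applies to the posted header, as an added example that is not part of the thread: it unfolds the Received: chain, lists the hops oldest-first (the order you read them in when tracing where a message entered the mail system) and flags private addresses, so the originating host and the first public relay stand out. The sample header is a constructed excerpt of four Received: lines taken from the header posted above.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample: four of the Received: lines quoted in the thread, kept in
# message order (the most recent hop is listed first, the origin is last).
SAMPLE_HEADER = (
    "Received: from host81-136-136-205.in-addr.btopenworld.com (HELO hwgdc1.hurstwoodgroup.com) (81.136.136.205)\n"
    "  by mail.clicknames.net with SMTP; 21 Apr 2004 18:05:46 -0000\n"
    "Received: from hwgdc1.hurstwoodgroup.com ([192.168.254.253]) by hwgdc1.hurstwoodgroup.com with Microsoft SMTPSVC(5.0.2195.5329);\n"
    "  Wed, 21 Apr 2004 18:25:21 +0100\n"
    "Received: from lambgate.lambsbricks.com ([82.108.24.211])\n"
    " by mailforwarding.ukip.com (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804\n"
    " for <info@hurstwooddevelopments.co.uk>; Wed, 21 Apr 2004 13:16:22 +0100\n"
    "Received: from lamb2k4.lambsbricks.com ([192.168.80.2]) by lambgate.lambsbricks.com with Microsoft SMTPSVC(6.0.3790.0);\n"
    "  Tue, 13 Apr 2004 13:38:49 +0100\n"
    "Subject: RE: Residential sites needed\n"
    "\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def parse_received(raw_headers):
    """Return the hops in transit order (origin first), one dict per Received: line."""
    msg = message_from_string(raw_headers)        # handles folded header lines
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())             # collapse the folding whitespace
        sender_part = re.split(r"\bby\b", text, maxsplit=1)[0]  # only the "from" side
        host_match = FROM_RE.match(sender_part)
        ips = IPV4_RE.findall(sender_part)
        ip = ips[0] if ips else None
        hops.append({
            "host": host_match.group(1) if host_match else None,
            "ip": ip,
            "private": bool(ip) and ipaddress.ip_address(ip).is_private,
        })
    return hops


def origin(raw_headers):
    """The earliest hop: the machine that first handed the message to a mail server."""
    hops = parse_received(raw_headers)
    return hops[0] if hops else None


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADER):
        kind = "private" if hop["private"] else "public"
        print(f"{hop['host'] or '-':45} {hop['ip'] or '-':16} {kind}")
```

A hop whose sending address is private but whose timestamp or hostname does not fit the rest of the chain is the one to check against your own DHCP and server inventory.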

Author Comment

by:BuckChrisBuck
ID: 11004397
I have fixed this. Using the trend scanner seems to be the only way to get rid in our situation - once again we shut everything down - turned off the ethernet switches (to stop network activity) booted every machine in safe mode and ran Trend.
No virus activity for 2 weeks now so I guess this is a closed call. Thanks acmp for your help. You did not solve the problem, but I would like to give you some points anyway for being so helpful.
I was unable to get the relay thing working - I tried several times but the registration email never came through so maybe the service has stopped - Chris