Virus Mitigation

Posted on 2004-04-30
Medium Priority
Last Modified: 2006-11-17
I have a client that called, and I think she has the Netsky virus on her network.
I have been removing viruses for well over 3 years, but I have never removed one from a large network.
I am going to run the Norton Netsky fix tool. This is great, but I am thinking that she may have other viruses on her network.
I am looking for suggestions on how to handle this.
She has 3 servers running Win2K Server
and 17 nodes running Win 98.
I have removed a bunch of spyware from the 98 boxes. They all have AV software that is updated.
Is it safe to run Ad-Aware on a server? Never done this before.
They have Norton AntiVirus Corporate, which seems to be updated, so how did the virus get on there in the first place?
The description she has given me is that she is receiving a lot of e-mail from various local e-mail addresses, from people that don't work there any more. I guess these could be spoofed addresses from another location, but it seems to be coming from her mail server. Can't tell till I get out there.
Any ideas on what to look for?
And suggestions on handling a virus in a network like this.

Question by:hawgpig

Accepted Solution

barcelona_blom earned 2000 total points
ID: 10959752
You should disconnect all the machines from the network to start with.

Then use this tool to scan every machine for the most common recent viruses.


LVL 38

Expert Comment

by:Rich Rumble
ID: 10960259
Stinger (above) will do the job pretty well. Ad-Aware will run fine on 2K Server. I've had mixed results with Norton and great experience with McAfee. While the Stinger tool will find some of the most recent viruses, it is not as updated as the regular AV and sometimes won't find the VERY recent ones. I've seen Stinger about 2 weeks behind before the next update.

The way viruses get in, even with AV running, is usually due to the AV being misconfigured. McAfee has what it calls ON-ACCESS scanning, which is like its name: when I click on Photoshop.exe, McAfee first scans the program, then allows me to open it. When I click a download, McAfee scans the transmission, and when it finds code that matches a virus, it stops the download mid-stream. I've found Norton to allow the download, and then MAYBE it will catch it when I click on it to open. McAfee has a broader list of "undesirables" than Norton also. McAfee has a feature that finds keyloggers, password cracking tools, spyware, etc.; you have to enable "find potentially unwanted and joke programs" for that feature to work. Norton's heuristics are alright at catching variants of viruses, but not at catching these additional program types. For instance, you shouldn't be allowed to download "John the Ripper" (a popular password cracker) and run it. McAfee will catch it very quickly; Norton will allow you to download it. Even though it's not a virus, it is potentially unwanted software.

Everyone will have their own experiences to share, and I'm sure someone has had the exact opposite experience from me, but try the Stinger product to locate and eradicate the viruses.
Then you need to patch the PCs against further infections. Start with Windows Update, then make sure Norton is scheduling DAILY scans and DAILY updates, and is set to scan the emails as well.

Lots of spammers like the viruses going around, as they receive plenty of email addresses and send to all sorts of accounts. Spammers keep the emails they receive from the viruses, as they can and do come from valid email addresses. Some think that spammers write them as well; they probably do. Even if the employee is terminated, that doesn't mean a client didn't keep their address in their address book; there are tons of ways to obtain addresses.
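One thing the asker says she cannot yet tell is whether the mail really left her own mail server or only carries forged local sender addresses. The script below is an added example, not part of either answer and not from any tool the thread names. It reads the Received: chain of a message, treats the bottom-most header (the first hop) as the point where the message actually entered the mail system, and reports whether that hop was an internal workstation, the site's own mail server, or an outside host. A mass-mailer with its own SMTP engine hands mail to a server directly from the infected machine, so that first hop exposes the sending node even when the From: line is a harvested address. The site domain, internal subnet, mail-server address, departed-employee list and the two sample messages are all constructed for the example.

```python
"""Triage the Received: chain of a suspicious message (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed site layout (hypothetical; not from the original post).
SITE_DOMAIN = "example.local"
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
MAIL_SERVER_IPS = {ipaddress.ip_address("192.168.10.5")}
DEPARTED_ACCOUNTS = {"jdoe@example.local"}  # hypothetical former employees

HELO_RE = re.compile(r"\bfrom\s+(\S+)", re.I)            # "from <helo-name>"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # "[a.b.c.d]" as logged by the MTA


def parse_received(value):
    """Return (helo_name, ip) from one Received: value; either may be None."""
    helo = HELO_RE.search(value)
    ip = IP_RE.search(value)
    addr = None
    if ip:
        try:
            addr = ipaddress.ip_address(ip.group(1))
        except ValueError:
            addr = None
    return (helo.group(1) if helo else None, addr)


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def triage(raw):
    """Classify where a message entered the mail system and list findings."""
    msg = message_from_string(raw)
    # Each MTA prepends its own Received: header, so the LAST one is the first hop.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    _, sender = parseaddr(msg.get("From", ""))
    result = {"from": sender.lower(), "hop_ip": None, "origin": "unknown", "findings": []}
    if not hops:
        result["findings"].append("no Received: headers; message was never relayed by an MTA")
        return result
    helo, ip = hops[-1]
    if ip is None:
        return result
    result["hop_ip"] = str(ip)
    if ip in MAIL_SERVER_IPS:
        result["origin"] = "mail-server"
    elif is_internal(ip):
        result["origin"] = "internal"
        result["findings"].append(f"handed to the mail server directly by workstation {ip}; isolate and scan that node first")
    else:
        result["origin"] = "external"
        result["findings"].append(f"entered from outside ({ip}); the local From: address is forged by a remote sender")
    if helo and helo.lower().endswith(SITE_DOMAIN) and not is_internal(ip):
        result["findings"].append(f"forged HELO: '{helo}' claims {SITE_DOMAIN} but the connection came from {ip}")
    if result["from"] in DEPARTED_ACCOUNTS:
        result["findings"].append("From: is a departed employee's address, most likely harvested from an address book")
    return result


# Constructed sample: a worm on a LAN workstation delivers straight to the site's mail server.
SAMPLE_INTERNAL = """\
Received: from pc37.example.local (pc37.example.local [192.168.10.37])
\tby mail.example.local (Microsoft SMTPSVC) with SMTP id AB12;
\tFri, 30 Apr 2004 09:12:33 -0500
From: jdoe@example.local
To: owner@example.local
Subject: Re: Document

see attached
"""

# Constructed sample: an outside host forges both the HELO name and a local From: address.
SAMPLE_EXTERNAL = """\
Received: from mail.example.local (mail.example.local [192.168.10.5])
\tby exchange.example.local with SMTP id EF56; Fri, 30 Apr 2004 09:15:01 -0500
Received: from mail.example.local (unknown [203.0.113.45])
\tby mail.example.local (Microsoft SMTPSVC) with SMTP id CD34;
\tFri, 30 Apr 2004 09:14:58 -0500
From: jdoe@example.local
To: owner@example.local
Subject: hi

see attached
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INTERNAL, SAMPLE_EXTERNAL):
        r = triage(sample)
        print(r["origin"], r["hop_ip"], r["from"])
        for f in r["findings"]:
            print("  -", f)
```

Run over the messages she is receiving, an "internal" result with a workstation IP names the node to pull off the network and scan first; an "external" result means the local From: addresses are being forged from outside and the source is not on her LAN at all. Neither result replaces the scan the answers recommend, but it tells you where to start and keeps you from chasing the spoofed sender names.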

