Solved

Virus found ????

Posted on 2004-09-07
Last Modified: 2010-04-11

I am using Windows 2000 Server SP4. I have McAfee VirusScan Enterprise 7.1 and it is up to date.

For 2 days I have been watching one file with the name "Good Music"; its type is screen saver, and I suspect it is a virus. I even scanned the file, but the antivirus isn't displaying a virus alert.
How should I confirm whether this is a virus-infected file or not?

Question by:javeed_ccna
 
LVL 18

Expert Comment

by:liddler
ID: 11994791
Try an online scanner: http://housecall.trendmicro.com/housecall/start_corp.asp
Use a spyware remover to make sure it's not spyware: download / install / update / run Ad-aware (www.lavasoftusa.com) and Spybot Search and Destroy (http://security.kolla.de)

Type the exact name of the file into Google and see what it comes up with.
0
 

Author Comment

by:javeed_ccna
ID: 11994877

I already performed the adware scan, but that file is still coming back. Not only on this server: I found this file on all servers and workstations.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11995320
Hi javeed_ccna,

Is there any new software that you've installed? And did this file do any harm so far? Because I've searched through my payload directory and I've seen no "good music.scr".

cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 11995883

I have been getting this file for only 2 days. Today my clients complained that when they try to open the file, their systems hang. I have deleted the file many times, but it appears again.

It has spread to all workstations.

I didn't install any new software.
0
 

Author Comment

by:javeed_ccna
ID: 11996078

The problem is that it is spreading all over the network.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996329
Hi javeed_ccna,

Do you have an appropriate firewall to block the sender? Is the whole computer network connected to the internet? If it's spreading and the net service is not an essential service in your system, I suggest stopping it for the time being, doing a clean-up, and trying to locate which group of IPs it comes from; after that, re-open the network to the internet with limited access (trusted sites only, block the rest), so as to stop the spreading and potential danger until a solution or cause is found.

cheers,
Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996344
And one more thing: NEVER try to open an unknown exe file... always make sure it's OK before doing anything to it. It would be wise to inform your users about this too.

Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996354
Finally, what is the exact filename? Maybe I can check?

cheers,
Luis
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11996447
Pull down a standalone virus scanner, e.g. Stinger - http://vil.nai.com/vil/stinger/
I'm assuming your AV system itself is infected and misreporting things, so you need a separate one to clear these things up.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996490
Sorry javeed, I forgot one point: not only that, if that file can compromise your virus scanner, there's also a possibility of a new virus... There are too many small bugging viruses lately. Anyway, if possible, tell me the name and location of the file.

Cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 11996856


The name of the file is "good music". It is using the Media Player icon.

We didn't have an internet connection before, but for the past month we have had a new internet line with limited access. We are also using PIX firewalls.

I downloaded the Stinger tool but I could not run it properly; anyhow, I will try to run it again.

 
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11997906
So I suppose you're saying the file name is good music.scr? In which location is this file? Do all the affected terminals have this file in the same location?

cheers
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12003511

There is no particular location for that file; it appears in any folder. I still couldn't confirm whether it is a virus, but it is appearing on almost all PCs and all servers.

Last night I used the Stinger tool, and it didn't detect any virus. But when I ran Stinger on my Exchange server, it found 1200 virus-infected files in the Quarantine folder on the C: drive. That folder is used by the antivirus (McAfee) on my server for uncleaned files, so we can't consider it a virus-infected server.

The file that is spreading appears as a Windows Media Player file. In its properties I found the type is Screen Saver.

Any solutions?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12004387
Could you send me the file - tim_holman@hotmail.com.  I have a known clean / quarantine machine I can look this up on...

Alternatively, clean build a standalone machine and scan the virus on there.

If it's not a virus, is it possible someone is manually copying this across to shares people have access to? Is Kazaa or any other P2P software in use on the network?

For example, if Good Music appears in the system32 folder, then only domain administrators/local administrators/person using that machine/system account could ever put it there.  It may help hone this down further and identify the source.
0
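As an added example (not code from this thread), the following Python script inventories a folder tree for the symptom described above: the same executable showing up in several data folders, which is what a file of type Screen Saver (`.scr`) is regardless of its icon. The extension list, the function names and the sample tree are assumptions made for illustration; the stub files are constructed and harmless.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions Windows launches as programs; a .scr screen saver is a normal executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a DOS/PE executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_replicated_executables(root, min_folders=2):
    """Map sha256 -> sorted paths for executables found in >= min_folders folders."""
    by_hash = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS and is_pe(path):
                by_hash[sha256_of(path)].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items()
            if len({os.path.dirname(p) for p in paths}) >= min_folders}

def build_sample_tree(root):
    """Constructed sample data: harmless stub bytes, not real programs."""
    samples = {"docs/good music.scr": b"MZ" + b"\x00" * 62,
               "reports/good music.scr": b"MZ" + b"\x00" * 62,
               "tools/setup.exe": b"MZ" + b"\x01" * 62,
               "docs/notes.txt": b"plain text"}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for digest, paths in find_replicated_executables(tmp).items():
            print(digest[:16], *paths, sep="\n    ")
```

Run against a file share, the folders in each group show where copies were written, and the hash gives a fixed value to compare across machines even when the scanner reports nothing.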
 

Author Comment

by:javeed_ccna
ID: 12004430

Dear Tim,

I sent the file to your email ID.
By the way, I don't have any Kazaa or P2P software.
And this file is not located in any particular folder. I found this file in various normal data folders.

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12004643
This is a worm - ClamWin detects this as Worm.NewWife.

As for removal, I used www.clamwin.org to detect and clean (free open-source virus scanner).



0
 
LVL 4

Expert Comment

by:gemchest
ID: 12005103
Great one Tim,

Hmm... seems to be a new variant or something; I've not seen this name before or its portfolio (of its activities)...
ClamWin doesn't seem to have the description (or I've missed it!)

cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12013852
Dear Tim,

It's great, and thanks to you people.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12025302
Have you managed to remove it OK?
0
