Solved

Virus found ????

Posted on 2004-09-07
Last Modified: 2010-04-11

I am using Windows 2000 Server SP4. I have McAfee VirusScan Enterprise 7.1 and it is up to date.

For 2 days I have been watching one file named "Good Music", whose type is Screen Saver; I suspect it is a virus. I even scanned the file, but the antivirus isn't displaying a virus alert.
How should I confirm whether this is a virus-infected file or not?

Question by:javeed_ccna
19 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 11994791
Try an online scanner: http://housecall.trendmicro.com/housecall/start_corp.asp
Use a spyware remover to make sure it's not spyware: download / install / update / run Ad-aware (www.lavasoftusa.com) and Spybot Search and Destroy (http://security.kolla.de).

Type the exact name of the file into Google and see what it comes up with.
0
 

Author Comment

by:javeed_ccna
ID: 11994877

I already performed the adware scan, but that file still keeps coming. It is not only on this server; I found this file on all servers and workstations.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11995320
Hi javeed_ccna,

Is there any new software that you've installed? And has this file done any harm so far? Because I've searched through my payload directory and I've seen no "good music.scr".

cheers,
Luis
0

 

Author Comment

by:javeed_ccna
ID: 11995883

I have been getting this file for only 2 days. Today my clients complained that when they tried to open the file their systems hung. I deleted the file many times, but it appears again.

It has spread to all workstations.

I didn't install any new software.
0
 

Author Comment

by:javeed_ccna
ID: 11996078

The problem is that it is spreading all over the network.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996329
Hi javeed_ccna,

Do you have an appropriate firewall to block the sender? Is the whole computer network connected to the internet? If it's spreading and the net service is not an essential service in your system, I suggest stopping it for the time being, doing a clean-up, and trying to locate which group of IPs it comes from. After that, re-open the network to the internet with limited access (trusted sites only, the rest blocked), so as to stop the spreading and potential danger until a solution or cause is found.

cheers,
Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996344
And one more thing: NEVER try to open an unknown exe file... always make sure it's OK before doing anything to it. It would be wise to inform your users about this too.

Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996354
Finally, what is the exact filename? Maybe I can check?

cheers,
Luis
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11996447
Pull down a standalone virus scanner, e.g. Stinger - http://vil.nai.com/vil/stinger/
I'm assuming your AV system itself is infected and mis-reporting things, so you need a separate one to clear these things up.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996490
Sorry javeed, I forgot one point: not only that, if that file can compromise your virus scanner, there's also a possibility of a new virus... There are too many small bugging viruses lately. Anyway, if possible, tell me the name and location of the file.

Cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 11996856


The name of the file is "good music". It is using the Media Player icon.

We didn't have an internet connection before, but for the past month we have had a new line for internet with limited access. We are also using PIX firewalls.

I downloaded the Stinger tool but I could not run it properly. Anyhow, I will try to run it again.

 
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11997906
So I suppose you're saying the file name is good music.scr? In which location is this file? Do all the affected terminals have this file at the same location?

cheers
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12003511

There is no particular location for that file; it appears in any folder. I couldn't even confirm whether it is a virus, but it is appearing on almost all PCs and all servers.

Last night I used the Stinger tool, and it didn't detect any virus. But when I ran Stinger on my Exchange server it found 1200 virus-infected files in the Quarantine folder on the C: drive. That folder is used by the antivirus (McAfee) on my server for uncleaned files, so we can't consider it a virus-infected server.

The file that is spreading appears as a Windows Media Player file. In its properties I found the type is Screen Saver.

Any solutions?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12004387
Could you send me the file - tim_holman@hotmail.com. I have a known clean / quarantine machine I can look this up on...

Alternatively, clean-build a standalone machine and scan the virus on there.

If it's not a virus, is it possible someone is manually copying this across to shares people have access to? Is Kazaa or any other P2P software in use on the network?

For example, if Good Music appears in the system32 folder, then only domain administrators / local administrators / the person using that machine / the system account could ever put it there. It may help hone this down further and identify the source.
0
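An added example, not part of the original thread or any poster's code: a small inventory script for the situation discussed above, where a file with a media-player icon is really of type Screen Saver and turns up in arbitrary data folders. It walks a directory tree, keeps only `.scr` files that carry a PE executable header, and groups them by SHA-256 so identical copies and their locations are listed together. The sample tree, the file names in it and the helper names are constructed for illustration.

```python
import hashlib, os, tempfile
from collections import defaultdict

def is_pe(path):
    """True if the file has an 'MZ' DOS header pointing at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[60:64], "little"))  # e_lfanew field
        return f.read(4) == b"PE\0\0"

def inventory_scr(root):
    """Map SHA-256 -> paths of every .scr file under root that is a PE executable."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scr"):
                continue
            path = os.path.join(dirpath, name)
            if is_pe(path):
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                found[digest].append(path)
    return dict(found)

def build_sample_tree(root):
    """Constructed sample data: a harmless fake PE stub placed in two data folders."""
    stub = (b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little")
            + b"PE\0\0" + b"constructed sample, not real code")
    for sub in ("share/docs", "share/photos"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "Good Music.scr"), "wb") as f:
            f.write(stub)
    # A .scr name with non-executable content: skipped by is_pe().
    with open(os.path.join(root, "share/docs", "notes.scr"), "wb") as f:
        f.write(b"plain text, not an executable")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for digest, paths in inventory_scr(tmp).items():
            print(digest[:16], len(paths), "copies")
            for p in sorted(paths):
                print("   ", p)
```

The same hash appearing in many unrelated folders points to one file being copied around, and the hash is something that can be compared between machines without opening the file.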
 

Author Comment

by:javeed_ccna
ID: 12004430

Dear Tim,

I sent the file to your email ID.
By the way, I don't have any Kazaa or P2P software.
And this file is not located in any particular folder. I found this file in various normal data folders.

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12004643
This is a worm - ClamWin detects this as Worm.NewWife.

As for removal, I used www.clamwin.org to detect and clean (free open-source virus scanner).



0
 
LVL 4

Expert Comment

by:gemchest
ID: 12005103
Great one Tim,

Hmm... seems to be a new variant or something; I've not seen this name before or its portfolio (on its activities)...
ClamWin doesn't seem to have the description (or I've missed it!)

cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12013852
Dear Tim,

It's great, and thanks to you people.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12025302
Have you managed to remove it OK?
0
