Solved

Virus found ????

Posted on 2004-09-07
Last Modified: 2010-04-11

I am using Windows 2000 Server SP4. I have McAfee VirusScan Enterprise 7.1 and it is up to date.

For 2 days I have been watching one file with the name "Good Music"; its type is screen saver. I suspect it is a virus. I even scanned the file, but the antivirus isn't displaying a virus alert.
How should I confirm whether this is a virus-infected file or not?

Question by:javeed_ccna
19 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 11994791
Try an online scanner: http://housecall.trendmicro.com/housecall/start_corp.asp
Use a spyware remover to make sure it's not spyware: download / install / update / run Ad-aware (www.lavasoftusa.com) and Spybot Search and Destroy (http://security.kolla.de)

Type the exact name of the file into Google and see what it comes up with.
0
 

Author Comment

by:javeed_ccna
ID: 11994877

I already ran the adware scan, but that file still keeps coming. It is not only on this server; I found this file on all servers and workstations.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11995320
Hi javeed_ccna,

Is there any new software that you've installed? And did this file do any harm so far? Because I've searched through my payload directory and I've seen no "good music.scr".

cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 11995883

I have been getting this file for only 2 days. Today my clients complained that when they try to open the file their systems hang. I deleted the file lots of times, but it appears again.

It has spread to all workstations.

I didn't install any new software.
0
 

Author Comment

by:javeed_ccna
ID: 11996078

The problem is that it is spreading all over the network.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996329
Hi javeed_ccna,

Do you have an appropriate firewall to block the sender? Is the whole computer network connected to the internet? If it's spreading and the net service is not an essential service in your system, I suggest stopping it for the time being, doing a clean-up and trying to locate which group of IPs it comes from, and after that re-opening the network to the internet with limited access (trusted sites only, the rest blocked), so as to stop the spreading and potential danger until a solution or cause is found.

cheers,
Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996344
And one more thing: NEVER try to open an unknown exe file... always make sure it's OK before doing anything with it. It would be wise to inform your users about this too.

Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996354
Finally, what is the exact filename? Maybe I can check?

cheers,
Luis
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11996447
Pull down a standalone virus scanner, e.g. Stinger - http://vil.nai.com/vil/stinger/
I'm assuming your AV system itself is infected and mis-reporting things, so you need a separate one to clear these things up.
0

 
LVL 4

Expert Comment

by:gemchest
ID: 11996490
Sorry javeed, I forgot one point: not only can that file possibly compromise your virus scanner, there's also the possibility of a new virus... There are too many small bugging viruses lately. Anyway, if possible, tell me the name and location of the file.

Cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 11996856


The name of the file is "good music". It is using the Media Player icon.

We didn't have an internet connection before, but a month ago we got a new internet line with limited access. We are also using PIX firewalls.

I downloaded the Stinger tool but I could not run it properly. Anyhow, I will try to run it again.

 
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11997906
So I suppose you're saying the file name is good music.scr? In which location is this file? Do all the affected terminals have this file at the same location?

cheers
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12003511

There is no particular location for that file; it appears in any folder. I couldn't even confirm whether it is a virus, but it is appearing on almost all PCs and all servers.

Last night I used the Stinger tool, and it didn't detect any virus. But when I ran Stinger on my Exchange server it found 1200 virus-infected files in the Quarantine folder on the C: drive. That folder is used by the antivirus (McAfee) on my server for uncleaned files, so we can't consider it a virus-infected server.

The file that is spreading appears as a Windows Media Player file. In its properties I found that the type is Screen Saver.

Any solutions?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12004387
Could you send me the file - tim_holman@hotmail.com.  I have a known clean / quarantine machine I can look this up on...

Alternatively, clean build a standalone machine and scan the virus on there.

If it's not a virus, is it possible someone is manually copying this across to people to shares they have access to? Is Kazaa or any other P2P software in use on the network?

For example, if Good Music appears in the system32 folder, then only domain administrators/local administrators/person using that machine/system account could ever put it there.  It may help hone this down further and identify the source.
0
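The point in the comment above, that where a copy sits narrows down who could have put it there, can be turned into a per-machine sweep. As an added example (not part of the original thread), this Python script lists `.scr` files that really are executables and sit outside the Windows system folders, oldest copy first; the folder names, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: top-level folders where Windows keeps its own .scr files.
SYSTEM_DIRS = {"winnt", "windows"}

def is_pe(path):
    """True if the file starts with 'MZ', the magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def find_stray_screensavers(root):
    """Return [(relative path, mtime)] of executable .scr files found
    outside the system folders, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if {p.lower() for p in rel.parts} & SYSTEM_DIRS:
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".scr") and is_pe(full):
                hits.append(((rel / name).as_posix(), os.path.getmtime(full)))
    return sorted(hits, key=lambda h: h[1])

def build_sample_tree(root):
    """Constructed sample data: three PE-like .scr files and one text file."""
    samples = [
        ("WINNT/system32/logon.scr", b"MZ\x90\x00", 1000),   # expected location
        ("data/reports/Good Music.scr", b"MZ\x90\x00", 3000),
        ("shares/public/Good Music.scr", b"MZ\x90\x00", 2000),
        ("data/notes.scr", b"plain text", 4000),              # not an executable
    ]
    for rel, content, mtime in samples:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel_path, mtime in find_stray_screensavers(tmp):
            print(int(mtime), rel_path)
```

The oldest timestamp across machines is a starting point for finding where the file first landed; the matching files should be handed to a scanner, not opened.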
 

Author Comment

by:javeed_ccna
ID: 12004430

Dear Tim,

I sent the file to your email ID.
By the way, I don't have Kazaa or any P2P software.
This file is not located in any particular folder; I found it in various normal data folders.

0
 
LVL 23

Accepted Solution

by:Tim Holman (earned 500 total points)
ID: 12004643
This is a worm - ClamWin detects this as Worm.NewWife.

As for removal, I used www.clamwin.org to detect and clean (free open-source virus scanner).



0
 
LVL 4

Expert Comment

by:gemchest
ID: 12005103
Great one Tim,

Hmm... seems to be a new variant or something; I've not seen this name before, or its portfolio (of its activities)...
ClamWin doesn't seem to have the description (or I've missed it!)

cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12013852
Dear Tim,

It's great, and thanks to you people.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12025302
Have you managed to remove it OK?
0
