Solved

Virus found ????

Posted on 2004-09-07
Last Modified: 2010-04-11

I am using Windows 2000 Server SP4. I have McAfee VirusScan Enterprise 7.1, and it is up to date.

For 2 days I have been seeing a file named "Good Music" whose type is screen saver; I suspect it is a virus. I even scanned the file, but the antivirus isn't displaying a virus alert.
How should I confirm whether this is a virus-infected file or not?

Question by:javeed_ccna
19 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 11994791
Try an online scanner: http://housecall.trendmicro.com/housecall/start_corp.asp
Use a spyware remover to make sure it's not spyware: download / install / update / run Ad-aware (www.lavasoftusa.com) and Spybot Search and Destroy (http://security.kolla.de)

Type the exact name of the file into Google and see what it comes up with.
0
 

Author Comment

by:javeed_ccna
ID: 11994877

I already performed the adware scan, but that file is still coming; not only on this server, I found this file on all servers and workstations.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11995320
Hi javeed_ccna,

Is there any new software that you've installed? And did this file do any harm so far? Because I've searched through my payload directory and I've seen no "good music.scr".

cheers,
Luis
0

 

Author Comment

by:javeed_ccna
ID: 11995883

I have been getting this file for only 2 days. Today my clients complained that when they try to open the file their systems hang. And I deleted the file lots of times, but it appears again.

It spread to all workstations.

I didn't install any new software.
0
 

Author Comment

by:javeed_ccna
ID: 11996078

The problem is that it is spreading all over the network.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996329
Hi javeed_ccna,

Do you have an appropriate firewall to block the sender? Is the whole computer network connected to the Internet? If it's spreading and the net service is not an essential service in your system, I suggest stopping it for the time being, doing a clean-up, and trying to locate which group of IPs it comes from, after which re-open the network to the Internet with limited access (trusted sites only, the rest blocked), so as to stop the spreading and potential danger until a solution or cause is found.

cheers,
Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996344
And one more thing: NEVER try to open an unknown exe file... always make sure it's OK before doing anything to it. It would be wise to inform your users about this too.

Luis
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996354
Finally, what is the exact filename? Maybe I can check?

cheers,
Luis
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11996447
Pull down a standalone virus scanner, e.g. Stinger - http://vil.nai.com/vil/stinger/
I'm assuming your AV system itself is infected and mis-reporting things, so you need a separate one to clear these things up.
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11996490
Sorry javeed, I forgot one point: not only could that file compromise your virus scanner, there's also the possibility of a new virus... There are too many small bugging viruses lately. Anyway, if possible, tell me the name and location of the file.

Cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 11996856


The name of the file is "good music". It uses the Media Player icon.

We didn't have an Internet connection before, but for the past month we have had a new line for Internet with limited access. We are also using PIX firewalls.

I downloaded the Stinger tool but I could not run it properly; anyhow, I will try to run it again.

 
0
 
LVL 4

Expert Comment

by:gemchest
ID: 11997906
So I suppose you're saying the file name is good music.scr? In which location is this file? Do all the affected terminals have this file in the same location?

cheers
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12003511

There is no particular location for that file; it appears in any folder. I still couldn't confirm whether it is a virus, but it is appearing on almost all PCs and all servers.

Last night I used the Stinger tool, which didn't detect any virus. But when I ran Stinger on my Exchange server it found 1200 virus-infected files in the Quarantine folder on the C: drive. That folder is used by the antivirus (McAfee) on my server for uncleaned files, so we can't consider it a virus-infected server.

The file that is spreading appears as a Windows Media Player file. In Properties I found the type is Screen Saver.

Any solutions?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12004387
Could you send me the file - tim_holman@hotmail.com. I have a known clean / quarantine machine I can look this up on...

Alternatively, clean build a standalone machine and scan the virus on there.

If it's not a virus, is it possible someone is manually copying this across to people, to shares they have access to? Is Kazaa or any other P2P software in use on the network?

For example, if Good Music appears in the system32 folder, then only domain administrators/local administrators/person using that machine/system account could ever put it there.  It may help hone this down further and identify the source.
0
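Added example (not part of the thread and not any poster's code): a read-only sweep that follows the reasoning above about where copies of the file sit. It hashes every launchable file with a DOS/PE `MZ` header under a root folder and reports binaries whose identical copies appear in several folders, oldest copy first. The extension list, function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions Windows launches as programs; .scr (screen saver) is the type seen in the thread.
LAUNCHABLE = {".scr", ".exe", ".pif", ".com"}

def sweep(root):
    """Map SHA-256 -> list of (path, mtime) for every launchable PE file under root."""
    copies = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in LAUNCHABLE:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # locked or unreadable file: skip it
            if data[:2] != b"MZ":  # not a DOS/PE executable image
                continue
            copies[hashlib.sha256(data).hexdigest()].append((path, mtime))
    return copies

def replicated(copies, min_folders=2):
    """Keep binaries whose identical copies sit in at least min_folders different folders."""
    report = {}
    for digest, hits in copies.items():
        folders = {os.path.dirname(p) for p, _ in hits}
        if len(folders) >= min_folders:
            report[digest] = sorted(hits, key=lambda h: h[1])  # oldest copy first
    return report

def build_demo_tree():
    """Constructed sample: two data folders holding the same fake .scr, plus benign files."""
    root = tempfile.mkdtemp()
    fake = b"MZ" + b"\x00" * 62 + b"constructed sample, not malware"
    for sub in ("accounts", "projects"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "good music.scr"), "wb") as fh:
            fh.write(fake)
    with open(os.path.join(root, "accounts", "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x01" * 62)  # single copy of a different binary
    with open(os.path.join(root, "projects", "notes.scr"), "wb") as fh:
        fh.write(b"plain text")  # launchable extension but no MZ header
    return root

if __name__ == "__main__":
    for digest, hits in replicated(sweep(build_demo_tree())).items():
        print(digest[:16], [p for p, _ in hits])
```

The oldest copy in each group is a starting point for working out which machine or share the file arrived on first; the script only reads files and never opens or executes them.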
 

Author Comment

by:javeed_ccna
ID: 12004430

Dear Tim,

I sent the file to your email ID.
By the way, I don't have any Kazaa or P2P software.
And this file is not located in any particular folder. I found this file in various normal data folders.

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 2000 total points
ID: 12004643
This is a worm - ClamWin detects this as Worm.NewWife.

As for removal, I used www.clamwin.org to detect and clean (free open-source virus scanner).



0
 
LVL 4

Expert Comment

by:gemchest
ID: 12005103
Great one Tim,

Hmm... seems to be a new variant or something; I've not seen this name before, or its portfolio (of its activities)...
ClamWin doesn't seem to have the description (or I've missed it!)

cheers,
Luis
0
 

Author Comment

by:javeed_ccna
ID: 12013852
Dear Tim,

It's great, and thanks to you people.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12025302
Have you managed to remove it OK?
0


Question has a verified solution.