javeed_ccna

Virus found ????


I am using Windows 2000 Server SP4. I have McAfee VirusScan Enterprise 7.1, and it is up to date.

For 2 days I have been watching a file named "Good Music" whose type is screen saver; I suspect it is a virus. I even scanned the file, but the antivirus isn't displaying a virus alert.
How should I confirm whether this is a virus-infected file or not?

liddler

Try an online scanner: http://housecall.trendmicro.com/housecall/start_corp.asp
Use a spyware remover to make sure it's not spyware: download / install / update / run Ad-aware (www.lavasoftusa.com) and Spybot Search and Destroy (http://security.kolla.de)

Type the exact name of the file into Google and see what it comes up with.
javeed_ccna

ASKER


I already performed the adware scan, but that file still keeps coming. It is not only on this server; I found this file on all servers and workstations.

Hi javeed_ccna,

Is there any new software that you've installed? And has this file done any harm so far? I ask because I've searched through my payload directory and have seen no "good music.scr".

cheers,
Luis

I have been getting this file for only 2 days. Today my clients complained that when they try to open the file their systems hang. I have deleted the file many times, but it appears again.

It has spread to all workstations.

I didn't install any new software.

The problem is that it is spreading all over the network.

Hi javeed_ccna,

Do you have an appropriate firewall to block the sender? Is the whole computer network connected to the internet? If it's spreading and internet service is not an essential service in your system, I suggest stopping it for the time being, doing a clean-up, and trying to locate which group of IPs it comes from; after that, re-open the network to the internet with limited access (trusted sites only, the rest blocked), so as to stop the spreading and potential danger until a solution or cause is found.

cheers,
Luis
And one more thing: NEVER try to open an unknown exe file... always make sure it's OK before doing anything to it. It would be wise to inform your users regarding this too.

Luis
Finally, what is the exact filename? Maybe I can check?

cheers,
Luis
Tim Holman

Pull down a standalone virus scanner, e.g. Stinger - http://vil.nai.com/vil/stinger/
I'm assuming your AV system itself is infected and mis-reporting things, so you need a separate one to clear these things up.

Sorry javeed, I forgot one point: not only that, if that file can compromise your virus scanner, there's also a possibility of a new virus... There are too many small bugging viruses lately. Anyway, if possible tell me the name and location of the file.

Cheers,
Luis


The name of the file is "good music". It is using the Media Player icon.

We didn't have an internet connection before, but for the past month we have had a new line for internet with limited access. We are also using PIX firewalls.

I downloaded the Stinger tool but could not run it properly. Anyhow, I will try to run it again.

So I suppose you're saying the file name is good music.scr? In which location is this file? Do all the affected terminals have this file at the same location?

cheers
Luis

There is no particular location for that file; it appears in any folder. I still couldn't confirm whether it is a virus, but it is appearing on almost all PCs and all servers.

Last night I used the Stinger tool, and it didn't detect any virus. But when I ran Stinger on my Exchange server, it found 1200 virus-infected files in the Quarantine folder on the C: drive. That folder is used by the antivirus (McAfee) on my server for uncleaned files, so we can't consider it a virus-infected server.

The file that is spreading appears as a Windows Media Player file. In its properties I found the type is Screen Saver.

Any solutions?

Could you send me the file - tim_holman@hotmail.com.  I have a known clean / quarantine machine I can look this up on...

Alternatively, clean build a standalone machine and scan the virus on there.

If it's not a virus, is it possible someone is manually copying this across to people to shares they have access to ?  Is Kazaa or any other P2P software in use on the network ?

For example, if Good Music appears in the system32 folder, then only domain administrators/local administrators/person using that machine/system account could ever put it there.  It may help hone this down further and identify the source.
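
One way to carry out the narrowing-down suggested above, as an added example that is not part of the original thread: it sweeps a folder tree for `.scr` files that are really Windows executables, hashes them without running them, and groups the paths by SHA-256 so identical copies scattered across folders show up together. The function names and the two-copy threshold are assumptions of this example.

```python
import hashlib
import os
import sys
from collections import defaultdict

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def sha256_of(path, chunk=65536):
    """Hash the file in chunks; the file is only read, never executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory_screensavers(root):
    """Map SHA-256 -> sorted paths for every executable .scr file under root."""
    found = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scr"):
                continue
            path = os.path.join(folder, name)
            try:
                if is_pe(path):
                    found[sha256_of(path)].append(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
    return {digest: sorted(paths) for digest, paths in found.items()}

def widespread(inventory, min_copies=2):
    """Keep only hashes seen in at least min_copies locations (assumed threshold)."""
    return {d: p for d, p in inventory.items() if len(p) >= min_copies}

if __name__ == "__main__":
    # Usage: python sweep.py <folder or mapped share>
    for digest, paths in widespread(inventory_screensavers(sys.argv[1])).items():
        print(digest)
        for p in paths:
            print("    " + p)
```

A hash that turns up in many unrelated data folders can be submitted to an online scanner or searched by value, and the list of paths shows which shares and accounts could have written the copies.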

Dear Tim,

I sent the file to your email ID.
By the way, I don't have any Kazaa or P2P software.
And this file is not located in any particular folder. I found it in various normal data folders.

ASKER CERTIFIED SOLUTION
Tim Holman
This solution is only available to members.
Great one Tim,

Hmm... seems to be a new variant or something; I've not seen this name before or its portfolio (of its activities)...
ClamWin doesn't seem to have the description (or I've missed it!)

cheers,
Luis

Dear Tim,

It's great, and thanks to you people.

Have you managed to remove it OK?