Solved

Super stubborn virus/worm problem, possibly W32/Rbot-II

Posted on 2004-09-13
14
1,358 Views
Last Modified: 2011-10-03
We've been fighting a major virus problem for several days now.  

The closest thing we have found that matches our symptoms is a virus found on Sophos called W32/Rbot-II,  http://www.sophos.com/virusinfo/analyses/w32rbotii.html.

Unfortunately, we have been unsuccessful in our attempts to remove this (if it is truly the problem) virus/worm.  

Here are the details on our problem:

System:
Windows 2000 Server with Exchange 2003
McAfee Groupshield and Netshield running with latest engine and DAT
All Microsoft critical updates have been installed.

Symptoms:
1) IPC$, ADMIN$ shares disappear.  When re-shared they disappear after about 2 minutes.

2) Exploring network resources (network neighborhood) causes the error "Server not configured for transactions" for all computers on the network.

3) HTTP traffic on our LAN degrades after about 5 minutes.  First style sheets are lost, then entire pages.  HOWEVER, Google and MSNSearch will continue to work and no they are not cached pages.  In fact, all things Google are available via HTTP.

4) Upon disconnecting the server's network cable, HTTP access is immediately restored to the entire LAN.  Plug it back in and traffic stops after about 5 minutes or so.

5) The program "Sygate.exe" is found in the following registry keys:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Whenever these keys are deleted they are restored after about 30 seconds.  This happens without closing the registry editor.  ALSO, there is no file by the name "sygate.exe" on the server, nor have we ever installed a Sygate firewall.

6)  After some time, McAfee NetShield will be disabled.  Groupshield is unaffected.

7)  Does not appear to be related to our Exchange 2003 software.  We have disabled all services related to Exchange, plugged the network cable back into the jack and after about 5 minutes the LAN begins to lose HTTP access.  Shares still disappear.

Corrective steps that have failed:

1)  Virus scanners:  We've run nearly every one you can think of in both normal and safe modes.  We've disabled services for NetShield before running other software.  Scanners we have run include Sophos, Panda, Symantec, AVG, both online versions and downloaded trial versions.

2)  Worm Removal Tools:  Have run numerous removal tools with no success.

3)  At one point, Panda's online scanner found the virus GAOBOT.GEN and removed it from three files.  This corrected the problem UNTIL we rebooted the server.  The problem came right back and Panda can no longer find GAOBOT.

4) Adaware does not remove it.

5) From time to time, scanners have found GAOBOT, NETSKY and some others I don't remember the names of.

6) Workstations are periodically probed for the LSASS exploit vulnerability.  Also, the I/Frame vulnerability has been tested by something trying to access the server.  These two problems were caught and stopped by Panda's network based virus software.

So, there you have it.  It's a tough one.  Been through all manner of Experts Exchange posts and what feels like 10,000 different scanning sessions and it's still there.  

HELP!  Relieve this burden from me all ye Experts so wise.  

Save me from a total system rebuild (though by now we would have been better off had we done that).







Question by:chowpok
14 Comments
 
LVL 38

Expert Comment

by:yuzh
1. Make sure that your virus definition file is up-to-date.

2. Disable System Restore , then scan all files

3. Following the instructions to delete the value from the registry:
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.daz.html#removalinstructions

also have a look at "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder":

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q263/4/55.ASP&NoWebContent=1

 
LVL 12

Expert Comment

by:rossfingal
Hi!
When you are attempting to remove this, you should disconnect all your computers from the Internet, and from each other -
physically: make sure your network cable is unplugged.
Go through removal procedures on each computer, probably in safe mode.
If the workstations on your network are running Win XP - disable XP's built-in Firewall
and install a third party firewall (Sygate, ZoneAlarm, Agnitum Outpost, are free) -
XP's built-in firewall is virtually useless at dealing with outbound traffic.
Install a firewall on your workstations no matter what OS they're running.
As yuzh noted above: disable system restore - and make sure
the option to show all files and folders is enabled.
Download and run a2 Anti-Trojan (it's free), update it before you run it:
(it has an option to "destroy" files, which I've had some success with).
http://www.gatesofdelirium.com/ee/tools/
Make sure after you have performed removal procedures that you clean out ALL
temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
Also, make sure you empty your "Recycle Bin".
When you're searching a computer for suspicious files, make sure you pay attention to prefetch, dllcache, and
all temp folders - some of these things like to hide in these places - but, search the entire computer.
Let us know.

Good luck!
RF
 
LVL 3

Expert Comment

by:4ceReconSniper
Try using Avast antivirus (www.avast.com). It's free, powerful, customizable and requires low resources. I've used it for years and up to now no virus problems; I check my PC with Norton, no problems.
 

Author Comment

by:chowpok
Sorry for the delay in getting back to all of you on this.

Splitting the points is fine with me.  You guys did give it a good try and I appreciate your help.  In fact, cleaning out temp files and such recommended by rossfingal may have eliminated some other problems we were having.  But ultimately, we tracked down the problem discussed here ourselves:

The file is called "SYGATE.EXE".  It cloaks itself as a protected operating system file.  To find it we had to uncheck "Hide protected operating system files" under Windows Explorer/Tools/Options/View, then perform a search starting at C: and include all sub-folders.  We found it located in the folder C:\Recycler.

Getting rid of this thing was a tremendous pain in the bootocks, a point of pride for its creator I'm sure.  Deleting the registry entries mentioned in my original posting (point 5 above) for Sygate did not correct it.  You could actually watch the virus re-write the entries that we had just deleted moments before from the registry.  

No virus scanner we tried ever detected it, including AVAST recommended above.  We tried just about every scanner on the market.

After deleting the file and its attendant registry entries, the system stopped DOS'ing our network and all network shares were restored.  We are now back in business, but at a somewhat compromised state.

After fixing the Sygate problem, we then downloaded and ran the "Microsoft Baseline Security Analyzer 1.2.1".  It found all manner of holes that the normal Windows Update doesn't find.  Apparently, the virus has a facility to fool Windows Update into thinking certain critical patches have already been installed.

We changed from McAfee NetShield to Symantec Corporate Edition (for our entire network) since NetShield let this stuff through in the first place.  Each day Symantec finds and deletes numerous copies of Netsky variants B, C, D, P and an occasional Beagle.J and W with a MyDoom.M ever so often.  All of these are found in the C:\WINNT\TEMP folder.  And yes, we have run all the Symantec worm removal tools in both safe and normal modes and these things still show up.  

Now, we're just waiting for a good day to totally wipe this system and start over.

Again, thanks for all of your help.  Hopefully, this will help someone else out there who may run across the same problem.
 
LVL 38

Expert Comment

by:yuzh
I think it should be PAQ and refund.

Cheers!

yuzh

PS: Symantec Antivirus Corporate Edition 8.x can handle the virus.
 
LVL 12

Accepted Solution

by:rossfingal (earned 500 total points)
Hi!

I agree with yuzh.

Regards!
RF
 

Author Comment

by:chowpok
That's a big 10-4 there good buddies!

 

Author Comment

by:chowpok
Just to clarify:  No scanner we tried removed the Sygate.exe virus, including Symantec Corporate 9.  We could only find it manually.  

We did not try Symantec version 8.x.
 

Expert Comment

by:anitahughes
We have the same issue and are having trouble deleting the files winupdate.exe and sygate.exe in the c:\windows\system32 folder. Even in safe mode we cannot set the attributes to -h (after finding them as system OS files) so we can delete them. Every time we remove all entries from the registry they reappear within minutes.

How do you delete these files?

As of today, Symantec don't have anything on sygate.exe

Tks
 

Author Comment

by:chowpok
My guess is that you may not be finding all instances of the virus(es).  Our Sygate.exe was hiding out in the Recycler.  

Make sure that you search for the suspect files starting at the root of C and the root of any other logical drives you have on the system.  

Also, IT IS CRITICAL that you have the following settings applied to Windows Explorer before you start searching -- Under Tools/Folder Options/View:

   - Select "Show hidden files and folders"
   - UNSELECT "Hide protected operating system files"

These settings will allow you to see everything once you start searching.

You may also need to stop the process for Sygate.exe before the system will permit deletion.

NOTE:  We never changed any file attributes.  Once we set Windows Explorer properly, the stinking varmint finally revealed itself.

The moment we deleted Sygate from the Recycler folder, the registry stopped being re-written and all was well.  There was much rejoicing!

Hope you will be able to rejoice soon too.

Good Luck!
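An added example, not code from this thread or from any of its participants: a read-only PowerShell triage script that does in one pass what chowpok's solution post and the search instructions above describe by hand. It lists the three autorun keys named in the original question and flags any value whose target is a bare filename, is missing from disk, carries the hidden or system attribute, or sits under a Recycler or Temp folder; it searches every fixed drive for a named file with hidden and protected operating system files included (what unchecking "Hide protected operating system files" did for the Explorer search); and it reports whether the ADMIN$ and IPC$ shares are currently present. The function names, the folder list and the use of WMI for drives and shares are my choices; the file name sygate.exe and the registry keys come from the thread. It runs on Windows PowerShell from an elevated prompt and deletes nothing.

```powershell
# Added example (not from the thread). Read-only triage: autorun audit, hidden-file search,
# and administrative-share check for the symptoms described in the question.

# The three keys the original question names.
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Folder names that are unusual homes for a legitimate autorun target (assumption: my list).
$SuspectFolders = @('recycler', '$recycle.bin', 'temp')

function Get-AutorunTarget {
    # Pull the executable path out of an autorun command line:
    #   "C:\dir\prog.exe" /arg   or   C:\dir\prog.exe /arg   or just   prog.exe
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Test-SuspectPath {
    # True if any path component is one of the suspect folder names.
    param([string]$Path)
    $parts = $Path -split '[\\/]' | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($folder in $SuspectFolders) {
        if ($parts -contains $folder) { return $true }
    }
    return $false
}

function Get-AutorunReport {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are provider metadata,
            # not registry values.
            if ($prop.Name -like 'PS*') { continue }
            $target   = Get-AutorunTarget ([string]$prop.Value)
            $resolved = [Environment]::ExpandEnvironmentVariables($target)
            $exists   = Test-Path -LiteralPath $resolved -PathType Leaf
            $flags    = @()
            if (-not [IO.Path]::IsPathRooted($resolved)) {
                $flags += 'bare-filename'        # loader will search for it; location unknown
            } elseif (-not $exists) {
                $flags += 'file-missing'         # value points at a file that is not there
            }
            if ($exists) {
                # -Force so hidden/system files are returned rather than skipped.
                $attrs = (Get-Item -LiteralPath $resolved -Force).Attributes
                if (($attrs -band [IO.FileAttributes]::System) -ne 0) { $flags += 'system-attr' }
                if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) { $flags += 'hidden-attr' }
            }
            if (Test-SuspectPath $resolved) { $flags += 'suspect-folder' }
            [PSCustomObject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
                Target  = $resolved
                Flags   = ($flags -join ',')
            }
        }
    }
}

function Find-FileEverywhere {
    # PowerShell equivalent of the Explorer search with hidden and protected OS files shown:
    # -Force makes Get-ChildItem return hidden and system entries; every fixed drive is walked.
    param([string]$Name)
    $roots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
             ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Attributes, Length, LastWriteTime
    }
}

function Get-MissingAdminShares {
    # The question reports ADMIN$ and IPC$ vanishing about two minutes after being re-shared.
    $expected = @('ADMIN$', 'IPC$')
    $present  = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    $expected | Where-Object { $present -notcontains $_ }
}

Get-AutorunReport | Format-Table -AutoSize
Find-FileEverywhere -Name 'sygate.exe' | Format-Table -AutoSize
$missing = Get-MissingAdminShares
if ($missing) { "Administrative shares missing: $($missing -join ', ')" } else { 'ADMIN$ and IPC$ present' }
```

Run it once, unplug the network cable as chowpok advises, wait a few minutes and run it again: an autorun value that comes back, or a share that disappears, while the machine is air-gapped confirms the persistence is local to that host rather than being re-installed from another infected machine, which is the question anitahughes raises below.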
 

Expert Comment

by:anitahughes
Thanks for that...worked well and was able to delete the file sygate.exe etc. Removed all entries from the registry, temp folders and recycle bin

Then also ran the Cleanup v312 program as advised and rebooted. Within about 15 mins, sygate was back. FYI...

1. we are installing XP critical updates and latest patches PRE sp2.
2. critical updates on Win2000 with sp4.
3. At the firewall we have blocked 135, 4444 and 888 inbound and outbound...any others you suggest?

Do you think that because there are some infected computers on the network they attempt to re-infect when they detect the PC is back online?

Should we inspect and deal with every computer offline (unplugged from the network)?

Would changing passwords on all computers stop this thing?

I know these are a lot of questions....just wanting to get a precise handle on how you dealt with this problem?

Tks


 

Author Comment

by:chowpok
I guess it could spread over the network, though we did not experience this problem.  On the other hand, I think you are wise to isolate any machine from the network you think might be infected.  

Make sure you run the Microsoft Baseline Security Analyzer on your server.  It's a super-duper Windows Update that runs locally on your machine instead of over the internet.  You'll find it here:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Some of these viruses fool Windows Update into thinking you have installed patches when in fact you have not.  They're very sneaky.  The Security Analyzer is not fooled.  We discovered numerous patches that were NOT installed, despite the fact that WE RAN Windows Update more times than I care to count.

So, the next steps I would take are:

1.  Download the Security Analyzer.
2.  Disconnect your server from the network.  We pulled the cable (made an "air gap") on ours just to make sure.
3.  Get rid of Sygate.exe again.
4.  Wait a few minutes and see if it comes back.  If it does, keep looking for it.  It's still on your local system somewhere.  You can rule out infection from another machine because the server is disconnected.  
5.  Run the Security Analyzer and patch as indicated.  Of course, to get the patches you're going to need to connect to the Internet.  Would be best if you could do this without other, possibly infected, machines on your network muddying up the waters.  

Once you've got the server cleaned up, you can use the Security Analyzer to scan other machines on your network.  It's very handy.


