Solved

Worm Problem Stration.LB

Posted on 2006-10-29
Last Modified: 2013-12-04
Hello

We have a very urgent problem. It seems that some of our client PCs or the mail server itself sends out the Stration.LB worm. We use Trend Micro ScanMail, Serverscan and OfficeScan. We also tried a few other virus scanners, but none of these found the virus either. We already tried to delete the virus manually, but we couldn't find it that way. Need some help quickly; our mail server gets blocked because we're sending worms. Thanks
Question by:socom1985
32 Comments
 
Expert Comment by: younghv (LVL 38)
socom1985,
Are you sure it is one of your hosts?
You could be a victim of a 'spoofing' attack.

What are the messages/symptoms you are seeing?

Author Comment by: socom1985 (LVL 1)
No, I'm not sure.

When I send a message I get a reply:
Your message did not reach some or all of the intended recipients.

 Subject:      Aboverwaltung
Sent:      10/27/2006 4:53 PM

The following recipient(s) could not be reached:

  diethelm informatik on 10/27/2006 4:54 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <hermes.xxxxx.local #5.7.1 smtp;554 5.7.1 sendin us virus Worm.Stration.LB>


How can I find out if it's a spoofing attack, and how can I fix this?

Expert Comment by: younghv (LVL 38)
If you are getting those replies to messages that you are actually sending, it is probably NOT spoofing.
With spoofing, you normally get a lot of 'rejected' messages that you're sure you never sent.

What you are getting is a newly reported variation and if your AV and Anti-spyware Definition files haven't been updated today - do so.
You may have to re-boot to Safe Mode and run your scans.

This is the first time I've seen this variant, so will have to do some research to find out more.

Back later,

Vic

Expert Comment by: younghv (LVL 38)
socom,
Looking around, it appears as though all of the major AV companies have definition updates of 27 or 28 October.
Make sure you have something at least that current, then do your 'Safe Mode' scan and clean up anything you can.

We may have to take further steps if you are actually infected.

Post back when you can.


Vic

Author Comment by: socom1985 (LVL 1)
Definitions are the latest, but Trend Micro and any other AV doesn't seem to know this version of the virus.

Author Comment by: socom1985 (LVL 1)
Update:

We disconnected all the clients. It's still sending. We found an AV that knows this version (www.eset.com), but it didn't find it either. Running out of ideas...

Expert Comment by: younghv (LVL 38)
If your AV is updated and you've done a scan in Safe Mode, the 'warning' you're getting may be a 'False Positive' from that particular Email Server.

Can you send any messages at all?
If you have an on-line (Yahoo, HotMail, etc) account - or know someone who does, try sending mail there.

In fact, try sending me a message: Computer_doc "at" bellsouth "dot" net and let's see what happens.


Vic

Author Comment by: socom1985 (LVL 1)
Sometimes it works, sometimes not. I sent you the email.

Author Comment by: socom1985 (LVL 1)
Got the message back with:


Your message did not reach some or all of the intended recipients.

 Subject:      testemail from socom
Sent:      10/29/2006 3:53 PM

The following recipient(s) could not be reached:

  computer_doc"at"bellsouth"dot"net on 10/29/2006 3:53 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <hermes.europa3000.local #5.7.1 smtp;554 5.7.1 sendin us virus Worm.Stration.LB>

Expert Comment by: younghv (LVL 38)
socom,
I just got email notice that this post was updated - but no email from you yet.

Is your root domain .com, .mil, .gov, .org or what?

Is the error message you posted above coming from your Exchange Server or someone else's?

Back later.

Vic

Expert Comment by: younghv (LVL 38)
OK -
Most folks around here don't put their literal email address in a post because of 'web trawlers' that will scarf up any they can find and start spamming you.

Replace the "at" with the symbol @
Replace the "dot" with simply a .

Try again.

Author Comment by: socom1985 (LVL 1)
Hehe. Yes, I sent the email with @ and .; I just changed it in the reply so he doesn't get spammed. It's from somebody else (the reply), not from our Exchange.

Author Comment by: socom1985 (LVL 1)
I've got .ch

Expert Comment by: younghv (LVL 38)
Thank you - sometimes it is hard for me to know how explicit I should make my comments.

Still no message from you.

I have seen 'other' Exchange Servers reject messages from our domains before and it has frequently been because of a 'False Positive'.
It is not uncommon for AV programs to rush out a new definition that will make these kinds of errors.

You might consider using one of your 'on-line' accounts to reach your contact on the other side of that server.
Let them know that messages from your regular accounts are being rejected and ask if they can work with you.

We have had that happen in the past and it has gone so far as our entire FQDN being blocked by an Exchange Server somewhere.

As long as you are convinced that your systems are clean, start working on the other end to get this resolved.

Good Luck,
Vic

(still no message at 1046 Hours Eastern Time (US))

Author Comment by: socom1985 (LVL 1)
The server blocks some messages, some not, because we're actually sending the worm out. I see in the queues that some odd emails are being sent out, but there are no clients on the network.

Expert Comment by: younghv (LVL 38)
How many computers are you talking about?
Do you have AV installed on all your computers?
Describe your AV/Security apps and give some more information about your network (nothing too specific - just in general).
OS, quantity, remote sites, etc.

Vic

Author Comment by: socom1985 (LVL 1)
We have about 20 clients, all WinXP SP2, and about 8 servers. The AV for the clients and the servers is deployed and updated from one of the servers. We never had problems with this system until now. Do you need more specifications? Thanks for your help again.

Expert Comment by: younghv (LVL 38)
I'm trying to figure out how this can be happening.
Let me recap:

You're sure that at least one of your workstations or servers is infected. (I would manually go to each one and do a Safe Mode scan.)

Your Exchange server is definitely blocking messages from 'some' of your computers (Can you identify which one(s) from the email headers?)
You could try having different people send email messages from all the different computers - or send a message with the 'Subject' being the name of the computer you're sending it from.

If the 'Safe Mode' scan doesn't get any results, you can try a couple more things.

If today is not a workday for you, you could shut down all of your systems except the Exchange Server and then bring them up one at a time.
Try to send a message from that one and see what happens.
Go through booting up each of your computers and sending a message until you get another hit.

If you get a hit, I would do a 'Hijack This' scan of that computer (details below).

Vic




Author: rpggamergirl
http://www.experts-exchange.com/M_3598771.html

Get the newest version of HJT:

(an already renamed hijackthis)
http://danborg.org/spy/hjt/alternativ.exe

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.

Author Comment by: socom1985 (LVL 1)
I think that it is not on our network. I saw in the logs the following:

212.90.198.182, OutboundConnectionCommand, 30.10.2006, 09:12:50, SMTPSVC1, HERMES, -, 5422, 0, 4, 0, 0, RCPT, -, TO:<clyt@exxon.com>,
212.90.198.182, OutboundConnectionResponse, 30.10.2006, 09:12:57, SMTPSVC1, HERMES, -, 12578, 0, 42, 0, 0, -, -, 554 5.7.1 sendin us virus Worm.Stration.LB,


Looks like the destination server blocks all mails from us after this... So I think it's a spoofing attack. We only have relaying open to our two web servers. We tried to disable all relaying, but we still have the same problem.

How can i fix this?

Thanks for your help.
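The two log lines in the post above are in the comma-separated Microsoft IIS log format that the Exchange 2003 / IIS SMTP virtual server writes, and their second field is the first thing to check when deciding between a spoofed-sender bounce and a genuine delivery attempt: OutboundConnectionCommand / OutboundConnectionResponse means HERMES's SMTPSVC1 was the side sending RCPT TO to 212.90.198.182. The script below is an added example, not code from the thread. It pairs every outbound 5xx reply with the command it answered, tallies which remote hosts are rejecting with which code, and counts the client IPs that issued MAIL FROM on sessions opened to the server (the candidates for "who is feeding the queue"). The inbound lines in the sample (the 192.168.10.23 client, its HELO name and sender address) and the second rejecting host are constructed; the assumption that inbound sessions carry "-" or the HELO name in the second field is ours.

```python
"""Triage of Exchange / IIS SMTP virtual-server log lines.

Added example for the two log lines posted above (Microsoft IIS log
format, 15 comma-separated fields).  The second field separates sessions
this server opened to a remote MX (OutboundConnectionCommand /
OutboundConnectionResponse) from sessions a client opened to us.
"""
import re
from collections import Counter

# Field names follow the IIS log format; only c_ip, session, date, time,
# method and query are used below.
FIELDS = ("c_ip", "session", "date", "time", "site", "computer", "s_ip",
          "time_taken", "cs_bytes", "sc_bytes", "status", "win32_status",
          "method", "uri_stem", "query")

# Lines 4 and 5 are the ones posted in the thread.  The inbound lines
# (192.168.10.23, HELO name, sender address) and the second rejecting host
# are constructed for this example; the assumption that inbound sessions
# carry "-" (or the HELO name) in the second field is ours.
SAMPLE_LOG = """\
192.168.10.23, -, 30.10.2006, 09:12:31, SMTPSVC1, HERMES, -, 0, 4, 0, 0, 0, HELO, -, pc23,
192.168.10.23, -, 30.10.2006, 09:12:31, SMTPSVC1, HERMES, -, 0, 33, 0, 0, 0, MAIL, -, FROM:<user@example.ch>,
192.168.10.23, -, 30.10.2006, 09:12:31, SMTPSVC1, HERMES, -, 0, 24, 0, 0, 0, RCPT, -, TO:<clyt@exxon.com>,
212.90.198.182, OutboundConnectionCommand, 30.10.2006, 09:12:50, SMTPSVC1, HERMES, -, 5422, 0, 4, 0, 0, RCPT, -, TO:<clyt@exxon.com>,
212.90.198.182, OutboundConnectionResponse, 30.10.2006, 09:12:57, SMTPSVC1, HERMES, -, 12578, 0, 42, 0, 0, -, -, 554 5.7.1 sendin us virus Worm.Stration.LB,
212.90.198.184, OutboundConnectionCommand, 30.10.2006, 09:13:02, SMTPSVC1, HERMES, -, 5110, 0, 4, 0, 0, RCPT, -, TO:<nicuphillips@eur.3com.com>,
212.90.198.184, OutboundConnectionResponse, 30.10.2006, 09:13:04, SMTPSVC1, HERMES, -, 7300, 0, 42, 0, 0, -, -, 554 5.7.1 sendin us virus Worm.Stration.LB,
"""

# SMTP reply: 3-digit code, optional enhanced status code, free text.
_REPLY = re.compile(r"^(?P<code>[2-5]\d\d)(?:\s+(?P<esc>\d\.\d+\.\d+))?\s*(?P<text>.*)$")


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; None for a blank line."""
    line = line.strip().rstrip(",")          # every line ends with a comma
    if not line:
        return None
    parts = [p.strip() for p in line.split(",", len(FIELDS) - 1)]
    parts += ["-"] * (len(FIELDS) - len(parts))   # tolerate a short line
    return dict(zip(FIELDS, parts))


def pair_rejections(log_text):
    """Pair every outbound 5xx reply with the last command sent to that host."""
    last_cmd = {}       # remote ip -> most recent command we sent it
    rejections = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["session"].startswith("OutboundConnection"):
            continue
        if rec["session"] == "OutboundConnectionCommand":
            last_cmd[rec["c_ip"]] = f'{rec["method"]} {rec["query"]}'.strip()
            continue
        m = _REPLY.match(rec["query"])
        if m and m.group("code").startswith("5"):
            rejections.append({
                "remote": rec["c_ip"],
                "when": f'{rec["date"]} {rec["time"]}',
                "in_reply_to": last_cmd.get(rec["c_ip"], "?"),
                "code": m.group("code"),
                "enhanced": m.group("esc") or "",
                "text": m.group("text").strip(),
            })
    return rejections


def inbound_submitters(log_text):
    """Count MAIL FROM commands per client IP on sessions opened *to* us."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and not rec["session"].startswith("OutboundConnection") \
                and rec["method"] == "MAIL":
            counts[rec["c_ip"]] += 1
    return counts


def rejecting_hosts(rejections):
    """(remote host, reply code) pairs, most frequent first."""
    return Counter((r["remote"], r["code"]) for r in rejections).most_common()


if __name__ == "__main__":
    rej = pair_rejections(SAMPLE_LOG)
    for r in rej:
        print(f'{r["when"]} {r["remote"]} answered "{r["in_reply_to"]}" with '
              f'{r["code"]} {r["enhanced"]} {r["text"]}')
    print("rejecting hosts:", rejecting_hosts(rej))
    print("inbound MAIL FROM per client:", dict(inbound_submitters(SAMPLE_LOG)))
```

Point it at the real log directory of the virtual server and look at the inbound_submitters() result first: if every MAIL FROM comes from an internal client IP, that client is the box to isolate; if the only submissions are from the server's own address or the list is empty while outbound rejections keep appearing, the mail is being generated on the server itself and the log will not name a client.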
 
Author Comment by: socom1985 (LVL 1)
So, we're really sending the mails from inside. I don't know what sends them. I think it's the Exchange server itself or one of the other servers, because we disconnected all clients. But no AV finds it. Help me please. We can't send any email.

Expert Comment by: younghv (LVL 38)
What are the results of your AV scans of your servers?
I am showing Trend as having a fix for that worm.

Have you personally done a complete HDD scan of all of your servers?

Author Comment by: socom1985 (LVL 1)
Yes, I can run a job from one server and the client servers scan the HDDs; everything looks fine. Just found another one:

This is an SMTP protocol error log for virtual server ID 1, connection #13. The remote host "212.90.198.184", responded to the SMTP command "rcpt" with "554 5.7.1 sendin us virus Worm.Stration.LB  ". The full command sent was "RCPT TO:<nicuphillips@eur.3com.com>  ".  This will probably cause the connection to fail.

How can I find out which PC is sending these mails?

Expert Comment by: younghv (LVL 38)
If your scans aren't showing anything, then you will have to do what I suggested yesterday.
Shut them all down and turn them back up one at a time.

As you turn them up, send an email message.

Wait until the message is either delivered or rejected.

Don't stop the process when you find one.

Keep going with one computer at a time until you have cycled through all of them.

Author Comment by: socom1985 (LVL 1)
We disconnected all servers and clients except the DC and the Exchange server. It is still sending the virus. We installed the same AV that our ISP has. Still no trace of the worm... Could it be an unknown backdoor to relay over our server? I'm absolutely out of ideas...

Expert Comment by: younghv (LVL 38)
socom,
You can restart your Exchange Server in 'Safe Mode' (Server 2003?) by tapping the F8 key during boot up.
Run your AV scan in Safe Mode.

You did uninstall the old AV program before installing the new one - right?


Vic

Author Comment by: socom1985 (LVL 1)
Yes, already did.
Yes.

I started message tracking on Exchange. No sign of the virus mail. I'm starting to think it's a server in our DMZ...

Expert Comment by: younghv (LVL 38)
If so, that would be a good thing (why we have DMZ's).

Same process to eliminate all the possibilities.
Make sure the AV program has the definitions to identify, then do a Safe Boot and Scan.
Take them one at a time.


Vic

Author Comment by: socom1985 (LVL 1)
Exchange server is sending... I can't see the virus logs in the message tracking, but with netstat -a I see SMTP connections to different hosts. But no AV finds the virus...
Any suggestions? I'm 99% sure that the problem is there...

Expert Comment by: younghv (LVL 38)
Do you have a specific "Exchange Server" AV application running?
What is the name/version of it?

Author Comment by: socom1985 (LVL 1)
ClamWin, newest version.
Tried Trend Micro and a few others.

Accepted Solution by: younghv (LVL 38, earned 500 total points)
I never heard of that, so just looked it up on Google.
Are you sure it is designed to work on an Exchange Server?

My experience has been that Mail Servers require a special application that is developed just for email.
I have used Symantec and McAfee products for many years, and both have a separate program to be installed on Exchange Servers.

Author Comment by: socom1985 (LVL 1)
I have Trend Micro ScanMail for that. I also tried AVG scan for the mail. But the mails are not sent by the Exchange service; they are sent by the server via port 25 directly. I talked with the tech guy from my ISP. He said that it has to be something like this. He sees emails from us sent every minute, but I see only normal ones on the Exchange. Every machine in the network is now blocked on port 25, except the Exchange server.
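The situation in the last two posts (message tracking shows nothing, netstat -a shows SMTP sessions to outside hosts, the ISP sees mail from the server every minute) is the point where the question becomes "which process on the Exchange box owns those connections". The script below is an added example and not from the thread. It parses the output of netstat -ano and tasklist /FO CSV /NH, both available on Windows XP / Server 2003 without extra tools, keeps only TCP connections whose remote port is 25, and flags every owning process that is not the expected mail sender. The netstat and tasklist samples are constructed (the 192.168.10.x addresses, the PIDs and the svchost.exe suspect are placeholders), and the assumption that the Exchange 2003 SMTP virtual server runs inside inetinfo.exe is ours.

```python
"""Attribute outbound port-25 connections to the process that owns them.

Added example; both commands exist on Windows XP / Server 2003:
    netstat -ano > netstat.txt
    tasklist /FO CSV /NH > tasklist.txt
Feed the two texts to find_smtp_talkers().  The samples below are
constructed (addresses, PIDs and the svchost.exe suspect are placeholders);
the assumption that the Exchange 2003 SMTP virtual server runs inside
inetinfo.exe is ours, so adjust EXPECTED_IMAGES for your server.
"""
import csv
import io
from collections import defaultdict

EXPECTED_IMAGES = {"inetinfo.exe"}   # assumption: the legitimate SMTP client on the box

NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1512
  TCP    192.168.10.5:25        192.168.10.23:3344     ESTABLISHED     1512
  TCP    192.168.10.5:1432      212.90.198.182:25      ESTABLISHED     1512
  TCP    192.168.10.5:1433      203.0.113.7:25         SYN_SENT        2856
  TCP    192.168.10.5:1434      198.51.100.20:25       ESTABLISHED     2856
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"inetinfo.exe","1512","Console","0","21,340 K"
"svchost.exe","2856","Console","0","4,112 K"
"""


def _port(s):
    return int(s) if s.isdigit() else -1     # "*" or a missing port -> no real port


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) for TCP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":     # skip banner, header and UDP rows
            continue
        local, remote, state, pid = parts[1:5]
        lip, lport = local.rsplit(":", 1)             # rsplit also copes with [::1]:25
        rip, rport = remote.rsplit(":", 1)
        yield lip, _port(lport), rip, _port(rport), state, int(pid)


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def find_smtp_talkers(netstat_text, tasklist_text, expected=EXPECTED_IMAGES):
    """Group connections whose *remote* port is 25 by owning PID.

    Connections to our own port 25 are ignored: the question is which
    process on this machine is acting as an SMTP client.
    """
    images = parse_tasklist_csv(tasklist_text)
    by_pid = defaultdict(lambda: {"image": "?", "remotes": [], "suspect": True})
    for _lip, _lport, rip, rport, state, pid in parse_netstat(netstat_text):
        if rport != 25:
            continue
        entry = by_pid[pid]
        entry["image"] = images.get(pid, "?")
        entry["remotes"].append((rip, state))
        entry["suspect"] = entry["image"].lower() not in expected
    return dict(by_pid)


def suspect_pids(netstat_text, tasklist_text):
    """PIDs talking SMTP outbound that are not the expected mail process."""
    talkers = find_smtp_talkers(netstat_text, tasklist_text)
    return sorted(pid for pid, e in talkers.items() if e["suspect"])


if __name__ == "__main__":
    for pid, e in sorted(find_smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        flag = "SUSPECT" if e["suspect"] else "expected"
        peers = ", ".join(f"{ip} ({st})" for ip, st in e["remotes"])
        print(f"PID {pid:>5}  {e['image']:<14} {flag:<8} -> {peers}")
```

Worm SMTP sessions are short-lived and often show up only as SYN_SENT, so capture netstat -ano 5 for a few minutes rather than once and run the script over the whole capture. For a flagged svchost.exe, tasklist /SVC /FI "PID eq 2856" lists the services it hosts. A process that has injected itself into a legitimate host shows up under that host's name, so treat the attribution as the lead for a Safe Mode scan or Process Explorer session, not as proof.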
