Worm Problem Stration.LB

Hello

We've got a very urgent problem. It seems that some of our client PCs or the mail server itself sends out the Stration.LB worm. We use Trend Micro ScanMail, Serverscan and OfficeScan. We also tried a few other virus scanners but none of these found the virus either. We already tried to delete the virus manually, but we couldn't find it that way. Need some help quickly. Our mail server gets blocked because we're sending worms. Thanks
Asked by: socom1985

younghvCommented:
socom1985,
Are you sure it is one of your hosts?
You could be a victim of a 'spoofing' attack.

What are the messages/symptoms you are seeing?
socom1985Author Commented:
No, I'm not sure..

When I send a message I get a reply:
Your message did not reach some or all of the intended recipients.

 Subject:      Aboverwaltung
Sent:      10/27/2006 4:53 PM

The following recipient(s) could not be reached:

  diethelm informatik on 10/27/2006 4:54 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <hermes.xxxxx.local #5.7.1 smtp;554 5.7.1 sendin us virus Worm.Stration.LB>


How can I find out if it's a spoofing attack and how can I fix this?
younghvCommented:
If you are getting those replies to messages that you are actually sending, it is probably NOT spoofing.
With spoofing, you normally get a lot of 'rejected' messages that you're sure you never sent.

What you are getting is a newly reported variation and if your AV and Anti-spyware Definition files haven't been updated today - do so.
You may have to re-boot to Safe Mode and run your scans.

This is the first time I've seen this variant, so will have to do some research to find out more.

Back later,

Vic
younghvCommented:
socom,
Looking around, it appears as though all of the major AV companies have definition updates of 27 or 28 October.
Make sure you have something at least that current, then do your 'Safe Mode' scan and clean up anything you can.

We may have to take further steps if you are actually infected.

Post back when you can.


Vic
socom1985Author Commented:
Definitions are the latest. But Trend Micro and any other AV doesn't seem to know this version of the virus.
socom1985Author Commented:
Update:

We disconnected all the clients. It's still sending. We found an AV that knows the version, www.eset.com, but it didn't find it either. Running out of ideas..
younghvCommented:
If your AV is updated and you've done a scan in Safe Mode, the 'warning' you're getting may be a 'False Positive' from that particular Email Server.

Can you send any messages at all?
If you have an on-line (Yahoo, HotMail, etc) account - or know someone who does, try sending mail there.

In fact, try sending me a message: Computer_doc "at" bellsouth "dot" net and let's see what happens.


Vic
socom1985Author Commented:
Sometimes it works, sometimes not. I sent you the email.
socom1985Author Commented:
Got the msg back with:


Your message did not reach some or all of the intended recipients.

 Subject:      testemail from socom
Sent:      10/29/2006 3:53 PM

The following recipient(s) could not be reached:

  computer_doc"at"bellsouth"dot"net on 10/29/2006 3:53 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <hermes.europa3000.local #5.7.1 smtp;554 5.7.1 sendin us virus Worm.Stration.LB>
younghvCommented:
socom,
I just got email notice that this post was updated - but no email from you yet.

Is your root domain .com, .mil, .gov, .org or what?

Is the error message you posted above coming from your Exchange Server or someone else's?

Back later.

Vic
younghvCommented:
OK -
Most folks around here don't put their literal email address in a post because of 'web trawlers' that will scarf up any they can find and start spamming you.

Replace the "at" with the symbol @
Replace the "dot" with simply a .

Try again.
socom1985Author Commented:
Hehe. Yes, I've sent the email with @ and . I just changed it in the reply, so he doesn't get spammed. It's from somebody else (the reply), not from our Exchange.
socom1985Author Commented:
I got .ch
younghvCommented:
Thank you - sometimes it is hard for me to know how explicit I should make my comments.

Still no message from you.

I have seen 'other' Exchange Servers reject messages from our domains before and it has frequently been because of a 'False Positive'.
It is not uncommon for AV programs to rush out a new definition that will make these kinds of errors.

You might consider using one of your 'on-line' accounts to reach your contact on the other side of that server.
Let them know that messages from your regular accounts are being rejected and ask if they can work with you.

We have had that happen in the past and it has gone so far as our entire FQDN being blocked by an Exchange Server somewhere.

As long as you are convinced that your systems are clean, start working on the other end to get this resolved.

Good Luck,
Vic

(still no message at 1046 Hours Eastern Time (US))
socom1985Author Commented:
The server blocks some messages, some not, because we're actually sending the worm out. I see in the queues that some odd emails are being sent out. But no clients on the network..
younghvCommented:
How many computers are you talking about?
Do you have AV installed on all your computers?
Describe your AV/Security apps and give some more information about your network (nothing too specific - just in general).
OS, quantity, remote sites, etc.

Vic
socom1985Author Commented:
We've got about 20 clients, all WinXP SP2, and like 8 servers. The AV for the clients and the servers is deployed and updated from one of the servers. We never had problems with this system until now. Do you need more specifications? Thanks for your help again.
younghvCommented:
I'm trying to figure out how this can be happening.
Let me recap:

You're sure that at least one of your workstations or servers is infected. (I would manually go to each one and do a Safe Mode scan.)

Your Exchange server is definitely blocking messages from 'some' of your computers (Can you identify which one(s) from the email headers?)
You could try having different people send email messages from all the different computers - or send a message with the 'Subject' being the name of the computer you're sending it from.

If the 'Safe Mode' scan doesn't get any results, you can try a couple more things.

If today is not a workday for you, you could shut down all of your systems except the Exchange Server and then bring them up one at a time.
Try to send a message from that one and see what happens.
Go through booting up each of your computers and sending a message until you get another hit.

If you get a hit, I would do a 'Hijack This' scan of that computer (details below).

Vic




Author: rpggamergirl
http://www.experts-exchange.com/M_3598771.html

Get the newest version of HJT:

(an already renamed hijackthis)
http://danborg.org/spy/hjt/alternativ.exe

Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
socom1985Author Commented:
I think that it is not on our network. I saw in the logs the following:

212.90.198.182, OutboundConnectionCommand, 30.10.2006, 09:12:50, SMTPSVC1, HERMES, -, 5422, 0, 4, 0, 0, RCPT, -, TO:<clyt@exxon.com>,
212.90.198.182, OutboundConnectionResponse, 30.10.2006, 09:12:57, SMTPSVC1, HERMES, -, 12578, 0, 42, 0, 0, -, -, 554 5.7.1 sendin us virus Worm.Stration.LB,


Looks like the destination server blocks all mails from us after this... So I think it's a spoofing attack. We just got the relay to our two web servers open. We tried to disable all relay but we still got the same problem.

How can I fix this?

Thanks for your help.
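One way to pull the rejecting MTAs and the recipients they refused out of SMTPSVC log records like the two quoted above, as an added example that is not part of this thread; it reuses the two log lines from the post and adds two constructed lines for an accepted delivery so the parser has a negative case.

```python
import re
from collections import Counter

# Records as written by the Windows SMTP service (SMTPSVC). The first two
# lines are the ones quoted in the post above; the last two are constructed
# to show an accepted delivery (a 250 reply) that must not be reported.
SMTP_LOG = """\
212.90.198.182, OutboundConnectionCommand, 30.10.2006, 09:12:50, SMTPSVC1, HERMES, -, 5422, 0, 4, 0, 0, RCPT, -, TO:<clyt@exxon.com>,
212.90.198.182, OutboundConnectionResponse, 30.10.2006, 09:12:57, SMTPSVC1, HERMES, -, 12578, 0, 42, 0, 0, -, -, 554 5.7.1 sendin us virus Worm.Stration.LB,
203.0.113.25, OutboundConnectionCommand, 30.10.2006, 09:13:02, SMTPSVC1, HERMES, -, 5430, 0, 4, 0, 0, RCPT, -, TO:<partner@example.net>,
203.0.113.25, OutboundConnectionResponse, 30.10.2006, 09:13:03, SMTPSVC1, HERMES, -, 5431, 0, 12, 0, 0, -, -, 250 2.1.5 OK,
"""

RCPT_RE = re.compile(r"TO:<([^>]*)>", re.IGNORECASE)


def rejected_recipients(log_text):
    """Pair each outbound RCPT TO with the reply the remote MTA gave it and
    return [(remote_ip, recipient, reply)] for 5xx (permanent) rejections.
    Only the reply that directly follows a RCPT on the same IP counts."""
    pending = {}   # remote_ip -> recipient of the RCPT awaiting a reply
    rejected = []
    for raw in log_text.splitlines():
        # 15 comma-separated fields; maxsplit keeps any commas in the reply text
        f = [p.strip() for p in raw.rstrip(", ").split(",", 14)]
        if len(f) < 15:
            continue
        remote_ip, event, command, param = f[0], f[1], f[12], f[14]
        if event == "OutboundConnectionCommand":
            if command.upper() == "RCPT":
                m = RCPT_RE.search(param)
                pending[remote_ip] = m.group(1) if m else param
        elif event == "OutboundConnectionResponse":
            rcpt = pending.pop(remote_ip, None)
            if rcpt is not None and param.startswith("5"):
                rejected.append((remote_ip, rcpt, param))
    return rejected


def rejecting_hosts(rejected):
    """Count rejections per remote MTA: the hosts that are now blocking us."""
    return Counter(ip for ip, _, _ in rejected).most_common()


if __name__ == "__main__":
    hits = rejected_recipients(SMTP_LOG)
    for ip, rcpt, reply in hits:
        print(f"{ip} rejected <{rcpt}>: {reply}")
    print(rejecting_hosts(hits))
```

Recipients nobody in a small company would legitimately write to (the exxon.com address above is one) are themselves a sign the traffic is worm-generated rather than user mail.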
socom1985Author Commented:
So. We're really sending the mails from inside. I don't know what sends them. I think it's the Exchange server itself or one of the other servers, because we disconnected all clients. But no AV finds it. Help me please. We can't send any email.
younghvCommented:
What are the results of your AV scans of your servers?
I am showing Trend as having a fix for that worm.

Have you personally done a complete HDD scan of all of your servers?
socom1985Author Commented:
Yes, I can run a job from one server and the client servers scan the HDDs. Everything looks fine. Just found another one:

This is an SMTP protocol error log for virtual server ID 1, connection #13. The remote host "212.90.198.184", responded to the SMTP command "rcpt" with "554 5.7.1 sendin us virus Worm.Stration.LB  ". The full command sent was "RCPT TO:<nicuphillips@eur.3com.com>  ".  This will probably cause the connection to fail.

How can I find out which PC is sending these mails?
younghvCommented:
If your scans aren't showing anything, then you will have to do what I suggested yesterday.
Shut them all down and turn them back up one at a time.

As you turn them up, send an email message.

Wait until the message is either delivered or rejected.

Don't stop the process when you find one.

Keep going with one computer at a time until you have cycled through all of them.
socom1985Author Commented:
We disconnected all servers and clients except the DC and the Exchange server. It is still sending the virus. We installed the same AV that our ISP has. Still no trace of the worm... Could it be an unknown backdoor to relay over our server? I'm absolutely out of ideas...
younghvCommented:
socom,
You can restart your Exchange Server in 'Safe Mode' (Server 2003?) by tapping the F8 key during boot up.
Run your AV scan in Safe Mode.

You did uninstall the old AV program before installing the new one - right?


Vic
socom1985Author Commented:
Yes. Already did.
yes

I started message tracking on Exchange. No sign of the virus mail. I'm starting to think it's a server in our DMZ...
younghvCommented:
If so, that would be a good thing (why we have DMZs).

Same process to eliminate all the possibilities.
Make sure the AV program has the definitions to identify, then do a Safe Boot and Scan.
Take them one at a time.


Vic
socom1985Author Commented:
Exchange server is sending... I can't see the virus logs in the message tracking. But with netstat -a I see SMTP connections to different hosts. But no AV finds the virus..
Any suggestions? I'm 99% sure that the problem is there...
younghvCommented:
Do you have a specific "Exchange Server" AV application running?
What is the name/version of it?
socom1985Author Commented:
ClamWin newest version
Tried Trend Micro and a few others
younghvCommented:
I've never heard of that, so I just looked it up on Google.
Are you sure it is designed to work on an Exchange Server?

My experience has been that Mail Servers require a special application that is developed just for email.
I have used Symantec and McAfee products for many years, and both have a separate program to be installed on Exchange Servers.
socom1985Author Commented:
I've got Trend Micro ScanMail for that. I also tried AVG scan for the mail. But the mails are not sent by the Exchange service; they are sent by the server via port 25 directly. I talked with the tech guy from my ISP. He said that it has to be something like this. He sees emails from us sent every minute. But I see only normal ones on the Exchange. Every machine in the network is now blocked on port 25, except the Exchange server.
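As an added example (not from the thread), a way to turn the netstat view mentioned above into a list of which process owns each outbound port-25 session, so the sender that bypasses the Exchange service can be named rather than guessed; it assumes the output of netstat -ano (the -o switch prints the owning PID, which plain netstat -a does not), and all addresses and PIDs are constructed.

```python
import re
from collections import Counter

# Constructed "netstat -ano" output in the Windows XP/2003 format; addresses
# and PIDs are made up for this example. PID 1880 plays the legitimate mail
# service; PID 3244 is the unexpected sender we want to surface.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1880
  TCP    192.168.10.5:1042      212.90.198.182:25      ESTABLISHED     3244
  TCP    192.168.10.5:1043      198.51.100.7:25        SYN_SENT        3244
  TCP    192.168.10.5:1044      203.0.113.25:25        ESTABLISHED     1880
  TCP    192.168.10.5:3389      192.168.10.20:1500     ESTABLISHED     1124
  UDP    0.0.0.0:445            *:*                                    4
"""

TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def outbound_connections(netstat_text, port=25):
    """Return [(pid, local, remote, state)] for TCP sockets whose *foreign*
    side is <port>, i.e. this host talking out to other MTAs. Our own
    LISTENING socket on port 25 is inbound and is skipped."""
    found = []
    for line in netstat_text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        if state == "LISTENING":
            continue
        if remote.rpartition(":")[2] == str(port):
            found.append((int(pid), local, remote, state))
    return found


def suspects(conns, mta_pid=None):
    """Rank PIDs by number of outbound SMTP sessions, optionally dropping the
    PID of the legitimate mail service so only unexpected senders remain."""
    counts = Counter(pid for pid, *_ in conns if pid != mta_pid)
    return counts.most_common()


if __name__ == "__main__":
    conns = outbound_connections(NETSTAT_OUTPUT)
    for pid, local, remote, state in conns:
        print(f"PID {pid}: {local} -> {remote} ({state})")
    # Identify the top PID with: tasklist /fi "PID eq <pid>"
    print(suspects(conns, mta_pid=1880))
```

The egress rule the post describes (port 25 allowed from the mail server only) stops the worm leaving via other hosts, but a process on the mail server itself still passes that rule, which is why the PID view matters.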