?
Solved

Stration/Warezov worm

Posted on 2006-11-03
6
Medium Priority
?
2,170 Views
Last Modified: 2012-05-05
I've been listed in the http://cbl.abuseat.org web site because of this Virus (Stration/Warezov worm).  I'm using trend micro office scan and Trend Micro Server Protect.

I'm unable to identifiy the computer infected...  Any idea how to resolve this issue?

Thanks!
0
Comment
Question by:polycorjsp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 3

Expert Comment

by:silganit
ID: 17869701
There is a good chance these are not coming from you Viruse like Stration likes to hide where it is comeing from by going through the address book of the infect computer and listing that person as the sender as an example let say that bob computer is infected the viruse will go in to the address book find an e-mail addres and then start send out infected e-mail except the e-mail are from Steve no ever expects bob computer as the sender.

the fact that you are running Trend Micros tell me that you are probly not infected I too run Trend Micro and we are stopping this bug befor it get in to the system with Mail scan so I know that as long as your patten file is up to date it will detect and remove the bug. if your manitence is current I would suggest that you upgrade to officescan 7.3 this will provide you with spyware and viruse protection for both your workstation and servers.
0
 
LVL 16

Accepted Solution

by:
legalsrl earned 2000 total points
ID: 17873902
Sorry to be a downer on silganit's point......Trend Micro, like most AV solutions are very vulnerable to the Stration worm as most of the standard suites allow any process to send traffic over Port 25 (SMTP) hence the blacklisting.

I would suggest deploying a firewall and only allowing known processes like outlook.exe and msimn.exe to send traffic through Port 25

This would then stop the worm from sending itself out and spamming everyone.

I see 7 or 8 new detections of this virus every day, so I'm not surprised you've become infected if you are using Trend Micro.

McAfee VirusScan Enterprise 8.0 features port blocking so only known processes can send mail over that port.

Deploy the firewall and see which clients flash up their alert screens and then you know which clients are infected.

Does the Trend Micro package you have offer you a firewall ?  If so, I'll tell you how to deploy and configure it.

If not, I'll tell you how to deploy another firewall.

How many clients do you have on the network ?

When you've found an infected client you can run the vcleaner tool from avg

http://www.grisoft.com/doc/112/lng/us/tpl/tpl01

and that will remove the Stration virus.

As to how you became infected, it's probably a user clicking on a new variants attachment and installing the virus.

Let me know how you get on

Cheers
Si
0
 
LVL 3

Expert Comment

by:silganit
ID: 17875218
if you are using officescan 7.3 it has a firewall feature and I beg the differ about trend we have been using this product for years and have not gotten an infection for that fact I can produce logs that show the stration bug being deleted before it gets in to our network. so i know it works.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 16

Expert Comment

by:legalsrl
ID: 17875935
silganit,

I'm disagreeing with you about the use of Trend in the other post, so I'm not going to waste the question asker's time here.

Point to question if anyone's interested

http://www.experts-exchange.com/Applications/Viruses/Q_22047299.html

Polycorp.....any news on your problem ?

Thanks
Si
0
 

Author Comment

by:polycorjsp
ID: 17880726
Hi legalsrl,

I have 160 computers in 4 different location (4 domain controller - 1 DC and 3 child domain)...  we are all connected together with a VPN connection.  I really don't know were to start...  Do I have to go on each computer or can I build a script that will install the software and run it???

Please help! :)
0
 

Author Comment

by:polycorjsp
ID: 17881503
Thanks for the hyperlink.  I've build a script and execute the program and no more listed.

Thanks!
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question