Solved

biggy.exe virus and u.exe virus

Posted on 2007-03-19
5
491 Views
Last Modified: 2013-12-09
There is a virus...biggy.exe and/or u.exe...that is shutting down servers. We have patched and cleaned the servers but it keeps coming back.  We use Symantec AV throughout.  Any thoughts on this today????  We have had no luck with virus update and/or definitions...

This is killing our network today...
0
Comment
Question by:Fragmented
5 Comments
 
LVL 42

Expert Comment

by:zephyr_hex
ID: 18752109
if it keeps coming back, then either you aren't getting the root of the problem or you are missing an infected computer.

first, are you referring to the corporate symantec AV?  if so, then i would recommend that you give their support line a call.

second, are you doing your scans in safe mode and is the AV stating it has cleaned the infection, or are there errors associated with the removal?
0
 

Author Comment

by:Fragmented
ID: 18752171
It is Symantec and we have been on the phone with them for support...with no luck.  The scanning is done in safe mode.  We have hit all our servers and it does keep coming back.  I didn't know if someone knew how it was getting in and a way to prevent that...

Thanks..
0
 
LVL 32

Expert Comment

by:willcomp
ID: 18752613
Take a look at this PAQ.  May be a bit more difficult on W2K server.  Many removal programs do not run on a server OS.

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_22390411.html
0
 
LVL 42

Expert Comment

by:zephyr_hex
ID: 18752615
how is symantec identifying the virus (what name does it associate with the virus) ?
0
 
LVL 6

Accepted Solution

by:
1r2d2c3po earned 500 total points
ID: 18924273
We just went throught that virus here as well. The virus is varient of rinbot. It will does a few things.

1. It attacks a buffer overrun in the SAV client itself (I think just 10.x clients). You need to go to 10.1.5 or later. It communicates on the same port as the SAV clients do. I believe 2867?? Not sure.

If you look at a systems processes(task manager), you will see a process running called "dnssvc.exe" sometimes 2 instances. You have to kill these processes first.

The root of C:\ might contain the U.exe file. If so, delete it.

Update to the latest client, and def. files.

Do a full system scan.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Several part series to implement Internet Explorer 11 Enterprise Mode
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now