Solved

New virus, a form of Trojan.Spexta: u.exe and sock.exe files are left. Any ideas?

Posted on 2007-03-29
Last Modified: 2013-11-22
A new virus is really doing a number on our computers. It basically makes the computer so slow that it is near unusable. I know it has an emailer built in because Symantec Corporate 10.0.4 reports that it is scanning emails on some computers. I first was flagged down by a secretary who was showing me on her computer that a virus had been found and removed by Symantec. The virus was called Trojan.Spexta and Symantec said it had removed it. This was when the computer then became very, very, very slow.

I then opened the C: Drive and found a U.exe file and a Sock.exe file. The internet would no longer come up on a regular basis and the computer would literally crawl. I worked on this all day and could remove those two files but it appeared to come back within 5 minutes. This led me to believe a couple of things, either it had a file somewhere doing a redundant check or it was hitting our network so hard that it would become reinfected within 5 minutes. I believe it was the latter.

I phoned Symantec support; in the past they have helped me fix problems like this on new viruses. The tech guy said he had just received a phone call with my exact problem and it was a 0-day virus that had just come out.

So after a whole day of cursing and trying not to throw things I am very frustrated, but this virus seems to give me telltale signs of a couple of viruses, but neither of them totally fits the bill. I now know the U.exe file is present before the Spexta virus. U.exe was the name of a file used in what I believe was the spybotsd worm that had tried to hit us earlier this year. Then almost immediately after getting a message about the Spexta virus the sock.exe file is there and the computer begins to lag and grind to a halt. Internet problems begin almost immediately, which tells me that something with the winsock may be happening. I remember a virus that placed a sock.exe file at the root drive before but can't remember the name now. I also know that this virus spreads very fast and attempts to email itself a lot more times. It was killing our internal traffic. I also have noticed that on a couple of computers that were not fully up to date the updates would not install. However, this virus took out 1/3 of our completely updated computers.

I am home now and didn't bring the registry entries, but when I ran HijackThis I came across a few new entries. However, as soon as I remove them, a few minutes later they reappear. I am guessing until the vulnerable spot is fixed the virus can keep coming.

I know it's a long shot, but I am wondering if someone has had this problem today or recently and found a solution. I would LOVE to hear about it.

Also, the Spexta virus appears in a different place than what is reported in all the fixes. The virus seems to attach itself to office.exe this time around. All files except for this one appear at the root drive, or C: in our case.

One last thing, I know the virus was hitting port 8080, which prevents it from coming in but not from spreading through our network. I have had to shut down over 400 computers now and I have a feeling the virus is worse than we even know right now. I appreciate any help.
9 Comments
 

Author Comment

by:ItsChad
ID: 18821181
Another thing I just thought of is that recently these computers had "Buffer overflow" error messages for Symantec, which I know was a vulnerability in the past but thought it was fixed.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18821767
Windows XP SP2 comes with a built-in firewall.

Is that enabled on the client computers (assuming you are using XP, of course)?

This should stop the virus/worm from further infecting clients.

http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Tolomir

0
 

Author Comment

by:ItsChad
ID: 18822572
It is enabled on all computers. Thanks for the attempt at helping though. I have noticed a lot of IRC traffic on our network when I analyzed the traffic yesterday. Not sure if this is part of it or not.
0
 

Author Comment

by:ItsChad
ID: 18823658
I now know the name of the virus: it is cryptexe and is pretty nasty. AVG Free just released two updates today that take care of it.

Thanks for the help
0
 
LVL 1

Expert Comment

by:Jhowlett
ID: 18824029
We were hit and hit hard. I think I was the call before you in the Symantec pool; they told me the same thing, which was good luck with that. Here is what we have been doing.

First we patched people to Symantec Client Security 10.1.1001 (the buffer overflow patch). We have 10.2; doesn't work.

We uninstalled Norton on the servers and installed McAfee. McAfee still does not find it, but it does have a feature that doesn't allow executables to run from temp folders. So it blocks it effectively.

On each of the servers we have installed a batch file that does this

rem assumes c:\u.txt already exists as a harmless placeholder (for example an empty file)
rename c:\u.exe u100.exe
rename c:\u.txt u.exe
rem full path, so the read-only bit lands on c:\u.exe whatever the current directory is
attrib +r c:\u.exe

We called the batch file UX.bat. It seems to work well for now.

The desktops that have been infected, we have been ghosting and swapping for two days.  

Other files we have found to look for:
dllhst.exe
atrib.exe
eventmgr.exe
u.exe


On the desktops we have turned off System Restore and deleted out all the reg keys that point to these files.

I can't wait for August when my Symantec contract is up for renewal, and they ask me for MY 20 Grand, I am going to say with a straight face... "Good Luck with that"

I will post more as I figure out more. Good luck chief, we have been able to patch and clean some machines by deleting out the temp folder under Default User as well as any files we deem as garbage. Otherwise it's ghost and go.

0
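A defender-side triage script for the persistence described in the comment above: dropped files at the root drive and in system32, autorun registry entries that keep coming back, and executables sitting in temp folders. This is an added example, not code from the thread or from either vendor. It runs over a constructed 'reg export' text and a constructed file listing, both embedded below; the value names in the sample export are invented, the autorun keys are the standard Windows ones (the page does not say which keys the worm used), and the filenames it looks for are exactly the ones reported in the thread.

```python
"""Review autorun registry entries and a file listing for the dropped-file names reported in this thread.
Added example; it parses a constructed .reg export and a constructed listing and touches no live host."""
import re
from typing import List, Tuple

# Filenames reported in the thread: u.exe and sock.exe from the question, the rest from Jhowlett's list.
SUSPECT_NAMES = {"u.exe", "sock.exe", "dllhst.exe", "atrib.exe", "eventmgr.exe"}

# Standard Windows autorun keys (assumption: the page does not name the keys the worm used).
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed sample in 'reg export' format; the value names are invented for illustration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Windows Socket Service"="C:\\sock.exe"
"dllhst"="\"C:\\WINDOWS\\system32\\dllhst.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed sample listing (as from 'dir /s /b'); u.txt is the placeholder from the UX.bat trick above.
SAMPLE_FILE_LISTING = [
    r"C:\boot.ini",
    r"C:\u.exe",
    r"C:\u.txt",
    r"C:\WINDOWS\system32\dllhst.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\Default User\Local Settings\Temp\eventmgr.exe",
    r"C:\Documents and Settings\Default User\Local Settings\Temp\setup123.exe",
]

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
IMAGE_PATH = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, decoded value data) for every string value in the export."""
    entries, current_key = [], None
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_LINE.match(line.strip())
        if m and current_key:
            entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def flag_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Autorun entries whose image file carries one of the reported names."""
    flagged = []
    for key, name, data in parse_reg_export(text):
        if key not in AUTORUN_KEYS:
            continue
        m = IMAGE_PATH.match(data)
        if m and basename(m.group(1)) in SUSPECT_NAMES:
            flagged.append((key, name, data))
    return flagged


def flag_files(paths: List[str]) -> List[Tuple[str, str]]:
    """Paths with a reported name, plus any executable sitting in a Temp folder."""
    flagged = []
    for p in paths:
        parts = re.split(r"[\\/]", p)
        name = parts[-1].lower()
        if name in SUSPECT_NAMES:
            flagged.append((p, "reported filename"))
        elif name.endswith(".exe") and any(d.lower() in ("temp", "tmp") for d in parts[:-1]):
            flagged.append((p, "executable in a Temp folder"))
    return flagged


if __name__ == "__main__":
    for key, name, data in flag_autoruns(SAMPLE_REG_EXPORT):
        print(f"AUTORUN  {key}\\{name} -> {data}")
    for path, why in flag_files(SAMPLE_FILE_LISTING):
        print(f"FILE     {path} ({why})")
```

Run on a real machine, the two inputs would come from `reg export` of each autorun key and a recursive `dir /s /b` of the system drive; anything the script flags is a lead to verify against the vendor's write-up, not an automatic delete, since the thread itself shows entries that are re-created minutes after removal until the spreading vector is closed.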
 
LVL 27

Expert Comment

by:Tolomir
ID: 18824335
Just a few remarks regarding Symantec. It's not that they are complete <insert swearword here>, but Symantec is today one of the first AV solutions a virus is checked against during the design phase.

So when Symantec and others are unable to detect that malware, the virus is released.

---

Known for good detection/removal results and still rather unknown is Kaspersky Antivirus.

You should give it a try: http://usa.kaspersky.com/products/smb.php

Here is a free 30-day trial: http://usa.kaspersky.com/downloads/trial-versions-smb.php

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18824402
0
 
LVL 1

Accepted Solution

by:
Jhowlett earned 500 total points
ID: 18861995
Here is what ended up working for us after working with Symantec almost a full week to the day of the original call.

They had us update from 10.0.100 to 10.0.1001. That did not work. Then they had us update to 10.0.2000; that helped a little but not for infected PCs.

We called back today to speak with them again because we just didn't feel comfortable with our current solution. The tech told us we needed to get off the 10.0.XXX builds because they are the problem. They had us install 10.1.5000, which did work well, except the servers were down, the SSC was inoperable, and none of the passwords stuck.


They then had us download 10.1.6000 and said this was the newest they had. Install this version, get the current updates, take it off the network, boot to safe mode, do a full scan and have it remove everything it finds. Then boot it up.

You need to uninstall SSC from any computer and then install, then reinstall the SSC on that computer from the 10.1.6000 build.


- FYI McAfee v85i has worked really well since we installed it on the few machines we were having issues getting Symantec installed on. If that happens we ran nonav, then installed McAfee, let it scan, repair and delete, took McAfee off, then installed Symantec 10.1.6000 and things have been well.

So in a nutshell, if you are a Symantec Corporate user get your hands on 10.6.6000; this is the best copy they have that also works in conjunction with the Microsoft patch released yesterday, and the one that is coming in the next few days from Microsoft.

- Have fun
0
 

Author Comment

by:ItsChad
ID: 18886432
Hi, sorry about the delay in responding; it has been crazy times.

Not that I am glad you had it but sometimes it is nice to know we are not alone. We have the virus figured out but that is about it.

The first day I went and found that 3/4 of the computers at one site had it. I went through the joy of updating their antivirus to a version of Symantec that would find most of the virus, then ran it in safe mode. We did this and asked everyone to keep computers off; well, someone turned one on unknown to us, and after we gave everyone the go-ahead to turn them on, those few computers left on reinfected the site.

So the next day I was able to go and do some port analysis. I found the ports that were getting hit hard and I blocked them; one of them however was 8080, which isn't the best-case scenario for ports to block, but sometimes you have to ;) We also have a PacketShaper and it showed that IRC was getting bogged down with hits; I was able to discard all traffic from IRC and this saved the other sites within our network, I now believe.

The files were hooking themselves to shared folders on the network and spreading that way. We researched and blocked around 5 ports, I believe. To get rid of the virus I had to upgrade everyone's rights on all computers so they could delete from the windows/system32 folder. This allowed all of them to remove the virus without an administrator logging in. By doing this we have it contained and are just waiting for a fix from Microsoft so we can unblock the ports.

I hope my jumbled paragraphs may help someone who runs into this nasty virus. It wasted about 4 days of my life I would like to have back :)
0
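The port analysis and IRC-traffic observations in the comment above can be turned into a simple check over flow records, so that a site sees the spreading host before a third of its machines are down. This is an added example, not code from the thread or from the PacketShaper; the CSV layout, the threshold of five distinct SMB targets, the IRC port range and the sample records (192.0.2.x is a documentation address range) are all assumptions, and the sample is constructed to contain one spreading host, one host talking only to the watched ports, and one ordinary file-server user.

```python
"""Flag hosts whose traffic matches the worm behaviour described in this thread:
IRC connections, port 8080 connections, and SMB fan-out across many internal hosts.
Added example over a constructed flow log; the CSV layout is assumed, not a PacketShaper export."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

IRC_PORTS = set(range(6660, 6670))   # conventional IRC port range (assumption)
WATCHED_PORTS = {8080}               # port the question reports the worm hitting
SMB_PORTS = {139, 445}               # share access, the spreading path named in the thread
FANOUT_THRESHOLD = 5                 # assumed: distinct SMB targets before a host is flagged

# Constructed sample: 10.1.1.15 sweeps shares and joins IRC, 10.1.1.42 only talks to the
# watched ports, 10.1.1.30 is a normal user of one file server.
SAMPLE_FLOW_LOG = """\
ts,src,dst,dport,proto
2007-03-29T09:00:01,10.1.1.15,10.1.1.20,445,tcp
2007-03-29T09:00:01,10.1.1.15,10.1.1.21,445,tcp
2007-03-29T09:00:02,10.1.1.15,10.1.1.22,139,tcp
2007-03-29T09:00:02,10.1.1.15,10.1.1.23,445,tcp
2007-03-29T09:00:03,10.1.1.15,10.1.1.24,445,tcp
2007-03-29T09:00:03,10.1.1.15,10.1.1.25,445,tcp
2007-03-29T09:00:04,10.1.1.15,192.0.2.10,6667,tcp
2007-03-29T09:00:05,10.1.1.30,10.1.1.5,445,tcp
2007-03-29T09:00:06,10.1.1.30,10.1.1.5,445,tcp
2007-03-29T09:00:07,10.1.1.30,10.1.1.5,80,tcp
2007-03-29T09:00:08,10.1.1.42,192.0.2.10,8080,tcp
2007-03-29T09:00:09,10.1.1.42,192.0.2.10,6667,tcp
"""


def parse_flows(text: str) -> List[dict]:
    """Read the CSV flow records; dport becomes an int, everything else stays a string."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def analyze(flows: List[dict], fanout_threshold: int = FANOUT_THRESHOLD) -> Dict[str, List[str]]:
    """Map each suspicious source host to the list of reasons it was flagged."""
    smb_targets = defaultdict(set)   # src -> distinct hosts it touched on SMB ports
    findings = defaultdict(list)
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        if dport in IRC_PORTS:
            findings[src].append(f"irc:{dst}:{dport}")
        elif dport in WATCHED_PORTS:
            findings[src].append(f"watched_port:{dst}:{dport}")
        elif dport in SMB_PORTS:
            smb_targets[src].add(dst)
    # A workstation touching many different hosts on SMB is the share-spreading pattern;
    # one user hitting one file server repeatedly is not.
    for src, targets in smb_targets.items():
        if len(targets) >= fanout_threshold:
            findings[src].append(f"smb_fanout:{len(targets)}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(analyze(parse_flows(SAMPLE_FLOW_LOG)).items()):
        print(host, ", ".join(reasons))
```

The fan-out count is the part worth keeping even after the IRC and 8080 blocks are in place: blocking a port stops the traffic but says nothing about which machine was generating it, whereas a per-source count of distinct SMB targets names the host to pull off the network first.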
