Solved

New Virus form of trojan.spexta u.exe and sock.exe files are left. Any ideas?

Posted on 2007-03-29
Last Modified: 2013-11-22
A new virus is really doing a number on our computers. It basically makes the computer so slow that it is near unusable. I know it has an emailer built in because Symantec Corporate 10.0.4 reports that it is scanning emails on some computers. I first was flagged down by a secretary who was showing me on her computer that a virus had been found and removed by Symantec. The virus was called Trojan.Spexta and Symantec said it had removed it. This was when the computer then became very very very slow.

I then opened the C: Drive and found a U.exe file and a Sock.exe file. The internet would no longer come up on a regular basis and the computer would literally crawl. I worked on this all day and could remove those two files but it appeared to come back within 5 minutes. This led me to believe a couple of things, either it had a file somewhere doing a redundant check or it was hitting our network so hard that it would become reinfected within 5 minutes. I believe it was the latter.

I phoned Symantec support; in the past they have helped me fix problems like this on new viruses. The tech guy said he had just received a phone call with my exact problem and it was a 0-day virus that had just come out.

So after a whole day of cursing and trying not to throw things I am very frustrated, but this virus seems to give me telltale signs of a couple of viruses, but neither of them totally fits the bill. I now know the U.exe file is present before the Spexta virus. U.exe was the name of a file used in what I believe was the spybotsd worm that had tried to hit us earlier this year. Then almost immediately after getting a message about the Spexta virus the sock.exe file is there and the computer begins to lag and grind to a halt. Internet problems begin almost immediately, which tells me that something with the winsock may be happening. I remember a virus that placed a sock.exe file at the root drive before but can't remember the name now. I also know that this virus spreads very fast and attempts to email itself a lot more times. It was killing our internal traffic. I also have noticed that on a couple of computers that were not fully up to date the updates would not install. However, this virus took out 1/3 of our completely updated computers.

I am home now and didn't bring the registry entries, but when I ran HijackThis I came across a few new entries. However, as soon as I remove them, a few minutes later they reappear. I am guessing until the vulnerable spot is fixed the virus can keep coming.

I know it's a long shot, but I am wondering if someone has had this problem today or recently and found a solution. I would LOVE to hear about it.

Also the Spexta virus appears in a different place than what is reported in all the fixes. The virus seems to attach itself to office.exe this time around. All files except for this one appear at the root drive, or C: in our case.

One last thing, I know the virus was hitting port 8080, which prevents it from coming in but not from spreading through our network. I have had to shut down over 400 computers now and I have a feeling the virus is worse than we even know right now. I appreciate any help.
Question by:ItsChad

9 Comments
 

Author Comment

by:ItsChad
Another thing I just thought of is that recently these computers had "Buffer overflow" error messages for Symantec, which I know was a vulnerability in the past but thought it was fixed.
 

Expert Comment

by:Tolomir
Windows XP SP2 comes with a built in firewall.

Is that enabled on the client computers (assuming you are using XP, of course)?

This should stop the virus/worm from further infecting clients.

http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Tolomir

 

Author Comment

by:ItsChad
It is enabled on all computers. Thanks for the attempt at helping though. I have noticed a lot of IRC traffic on our network when I analyzed the traffic yesterday. Not sure if this is part of it or not.
 

Author Comment

by:ItsChad
I now know the name of the virus: it is cryptexe and is pretty nasty. AVG Free just released two updates today that take care of it.

Thanks for the help
 
Expert Comment

by:Jhowlett
We were hit and hit hard. I think I was the call before you in the Symantec pool; they told me the same thing, which was good luck with that. Here is what we have been doing.

First we patched people to Symantec Client Security 10.1.1001 (the buffer overflow patch). We have 10.2; it doesn't work.

We uninstalled Norton on the servers and installed McAfee. McAfee still does not find it, but it does have a feature that doesn't allow executables to run from temp folders, so it blocks it effectively.

On each of the servers we have installed a batch file that does this:

rem Move the dropped binary out of the way under a name the worm does not use
rename c:\u.exe u100.exe
rem c:\u.txt is an empty file created beforehand; it becomes the placeholder
rem that now occupies the path the worm keeps writing to
rename c:\u.txt u.exe
rem Mark the placeholder read-only so the worm cannot overwrite it (attrib
rem needs the full path; without it the command acted on the current folder)
attrib +r c:\u.exe

We called the batch file UX.bat. It seems to work well for now.

The desktops that have been infected, we have been ghosting and swapping for two days.  

Other files we have found to look for:
dllhst.exe
atrib.exe
eventmgr.exe
u.exe


On the desktops we have turned off System Restore and deleted out all the reg keys that point to these files.

I can't wait for August when my Symantec contract is up for renewal, and they ask me for MY 20 Grand, I am going to say with a straight face... "Good Luck with that"

I will post more as I figure out more. Good luck, chief. We have been able to patch and clean some machines by deleting out the temp folder under Default User as well as any files we deem as garbage; otherwise it's ghost and go.
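The batch file above works by leaving a read-only decoy at the one path the worm keeps writing to. The following Python script is an added example, not code from this thread, from Symantec or from McAfee; it generalizes that idea into a sweep-and-quarantine tool for the filenames listed in the post. It walks a set of directories for those names (case-insensitive, to a bounded depth), records the size and SHA-256 of each hit, then moves the file aside and leaves a zero-byte read-only placeholder at the original path. The `.quarantined` suffix, the depth limit, the System32 location and the demo tree it builds (constructed sample files, not real malware) are my assumptions.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Filenames this thread reports the worm dropping (C:\ root and System32 were
# the locations mentioned). Matching is case-insensitive.
INDICATOR_NAMES = {"u.exe", "sock.exe", "dllhst.exe", "atrib.exe", "eventmgr.exe"}

# Suffix for the renamed original: assumed; any name the worm does not look for works.
QUARANTINE_SUFFIX = ".quarantined"


@dataclass
class Finding:
    path: str
    size: int
    sha256: str


def sha256_of(path):
    """Hash in chunks so a large binary never has to sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, names=INDICATOR_NAMES, max_depth=2):
    """Return a Finding for every file under roots whose name is an indicator.

    max_depth bounds the walk (0 = only the root directory itself) so a sweep
    of a drive root stays cheap. A placeholder left by quarantine() (an empty
    file whose sibling <name>.quarantined exists) is skipped so repeated
    sweeps do not keep reporting our own decoy.
    """
    wanted = {n.lower() for n in names}
    findings = []
    for root in roots:
        root = os.path.normpath(os.path.abspath(root))
        base_depth = root.count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []  # stop descending past max_depth
            for fn in filenames:
                if fn.lower() not in wanted:
                    continue
                full = os.path.join(dirpath, fn)
                if os.path.getsize(full) == 0 and os.path.exists(full + QUARANTINE_SUFFIX):
                    continue  # our own placeholder from an earlier run
                findings.append(Finding(full, os.path.getsize(full), sha256_of(full)))
    return findings


def quarantine(path):
    """Move the file aside and leave a read-only, zero-byte placeholder.

    Same trick as the batch file: the worm re-drops its binary at a fixed
    path, so occupying that path with a file it cannot overwrite breaks the
    re-infection loop on that host. Returns the path of the moved original
    so it can be hashed or sent to the vendor.
    """
    moved = path + QUARANTINE_SUFFIX
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clear read-only so the rename cannot fail
    os.replace(path, moved)
    with open(path, "wb"):
        pass  # zero-byte placeholder at the original path
    os.chmod(path, stat.S_IREAD)  # read-only (Windows RO attribute; 0o400 on POSIX)
    return moved


def make_demo_tree():
    """Build a constructed sample tree (harmless text, not malware) and return its path."""
    base = tempfile.mkdtemp(prefix="worm_sweep_demo_")
    os.mkdir(os.path.join(base, "system32"))
    samples = {
        "U.EXE": b"MZ\x90\x00 constructed sample, not a real binary",
        "notes.txt": b"benign file that must not be reported",
        os.path.join("system32", "sock.exe"): b"MZ second constructed sample",
    }
    for rel, data in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or [make_demo_tree()]
    for f in sweep(roots):
        print(f"{f.path}\t{f.size} bytes\tsha256={f.sha256}")
        print("  quarantined to", quarantine(f.path))
```

Run it with no arguments to see it work on the demo tree, or pass real directories (for example the drive root and the System32 folder) to sweep a host. Hashing before quarantine matters: the hash is what you send to the vendor and what you compare across machines to tell one variant from another.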
 

Expert Comment

by:Tolomir
Just a few remarks regarding Symantec. It's not that they are complete <insert swearword here>, but Symantec is today one of the first AV solutions a virus is checked against during its design phase.

So when Symantec and others are unable to detect that malware, the virus is released.

---

Known for good detection / removal results and still rather unknown is Kaspersky Antivirus.

You should give it a try: http://usa.kaspersky.com/products/smb.php

Here is a free 30 days trial:  http://usa.kaspersky.com/downloads/trial-versions-smb.php

Tolomir

Accepted Solution

by:
Jhowlett earned 500 total points
Here is what ended up working for us after working with Symantec for almost a full week to the day of the original call.

They had us update from 10.0.100 to 10.0.1001. That did not work. Then they had us update to 10.0.2000; that helped a little but not for infected PCs.

We called back today to speak with them again because we just didn't feel comfortable with our current solution. The tech told us we needed to get off the 10.0.XXX builds because they are the problem. They had us install 10.1.5000, which did work well, except the servers were down, the SSC was inoperable, and none of the passwords stuck.


They then had us download 10.1.6000 and said this was the newest they had. Install this version, get the current updates, take it off the network, boot to safe mode, do a full scan and have it remove everything it finds. Then boot it up.

You need to uninstall SSC from any computer and then install, then reinstall the SSC on that computer from the 10.1.6000 build.


- FYI McAfee v85i has worked really well since we installed it on the few machines we were having issues getting Symantec installed on. If that happens, we ran NoNav, then installed McAfee, let it scan, repair and delete, took McAfee off, then installed Symantec 10.1.6000 and things have been well.

So in a nutshell, if you are a Symantec corporate user, get your hands on 10.6.6000; this is the best copy they have that also works in conjunction with the Microsoft patch released yesterday, and the one that is coming in the next few days from Microsoft.

- Have fun
 

Author Comment

by:ItsChad
Hi,
Sorry about the delay in responding; it has been crazy times.

Not that I am glad you had it but sometimes it is nice to know we are not alone. We have the virus figured out but that is about it.

The first day I went and found that 3/4 of the computers at one site had it. I went through the joy of updating their antivirus to a version of Symantec that would find most of the virus, then ran it in safe mode. We did this and asked everyone to keep computers off; well, someone turned one on unknown to us, and after we gave everyone the go-ahead to turn them on, those few computers left on reinfected the site.

So the next day I was able to go and do some port analysis. I found the ports that were getting hit hard and I blocked them; one of them however was 8080, which isn't the best-case scenario for ports to block, but sometimes you have to ;) We also have a PacketShaper and it showed that IRC was getting bogged down with hits. I was able to discard all traffic from IRC and this saved the other sites within our network, I now believe.

The files were hooking themselves to share folders on the network and spreading that way. We researched and blocked around 5 ports, I believe. To get rid of the virus I had to upgrade everyone's rights on all computers so they could delete from the windows/system32 folder. This allowed all of them to remove the virus without an administrator logging in. By doing this we have it contained and are just waiting for a fix from Microsoft so we can unblock the ports.

I hope my jumbled paragraphs may help someone who runs into this nasty virus. It wasted about 4 days of my life I would like to have back :)
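The port analysis and IRC observation in the comment above are the network side of this incident: an infected host fans out to many peers on a few ports (8080 and the file-share ports here) and checks in over IRC. The following Python script is an added example, not code from this thread or from any vendor; it shows the same triage done automatically over flow records. It counts, per source and port, how many distinct destinations are contacted inside a time window and flags sources that exceed a threshold, and separately flags any connection to the IRC port. The record format (`epoch src dst dport proto`), the sample flows (constructed, not a capture from the thread), port 445 as the share-spreading port, 6667 as the IRC port, and the window and threshold values are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ports to watch for fan-out. 8080 is the port the thread saw hammered; 445 (SMB)
# is my assumption for the "spreading through share folders" behaviour.
WATCHED_PORTS = {8080, 445}
# The thread only says "IRC traffic"; 6667 is the standard IRC port (assumption).
IRC_PORTS = {6667}
FANOUT_THRESHOLD = 5   # distinct destinations on one port within one window
WINDOW_SECONDS = 300

# Constructed flow records, not a capture from the thread. 10.0.0.23 is the
# noisy host; 10.0.0.5 talks to a proxy on 8080 a couple of times, which is
# normal and must not be flagged.
SAMPLE_FLOWS = """\
# epoch      src        dst            dport proto
1175200000 10.0.0.23 10.0.0.40 8080 tcp
1175200001 10.0.0.23 10.0.0.41 8080 tcp
1175200002 10.0.0.23 10.0.0.42 8080 tcp
1175200003 10.0.0.23 10.0.0.43 8080 tcp
1175200004 10.0.0.23 10.0.0.44 8080 tcp
1175200005 10.0.0.23 10.0.0.45 8080 tcp
1175200006 10.0.0.23 10.0.0.40 8080 tcp
1175200010 10.0.0.23 10.0.0.50 445 tcp
1175200011 10.0.0.23 10.0.0.51 445 tcp
1175200012 10.0.0.23 10.0.0.52 445 tcp
1175200013 10.0.0.23 10.0.0.53 445 tcp
1175200020 10.0.0.23 198.51.100.9 6667 tcp
1175200030 10.0.0.5 10.0.0.1 8080 tcp
1175200031 10.0.0.5 10.0.0.1 8080 tcp
1175200032 10.0.0.5 10.0.0.7 445 tcp
1175200040 10.0.0.8 10.0.0.1 80 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    src: str
    reason: str


def parse_flows(text):
    """Parse 'epoch src dst dport proto' lines; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto))
    return flows


def fan_out(flows, ports=WATCHED_PORTS, window=WINDOW_SECONDS):
    """Per source and watched port, the max number of distinct destinations
    contacted inside any single window bucket. Repeated hits on the same
    destination count once, which is what separates a scanning host from a
    chatty but legitimate one."""
    buckets = defaultdict(set)
    for f in flows:
        if f.dport in ports:
            buckets[(f.src, f.dport, f.ts // window)].add(f.dst)
    best = defaultdict(dict)
    for (src, dport, _), dsts in buckets.items():
        best[src][dport] = max(best[src].get(dport, 0), len(dsts))
    return dict(best)


def irc_peers(flows, ports=IRC_PORTS):
    """Sorted (src, dst) pairs that connected to an IRC port."""
    return sorted({(f.src, f.dst) for f in flows if f.dport in ports})


def detect(flows, threshold=FANOUT_THRESHOLD):
    """Alerts for fan-out above threshold and for any IRC-port connection."""
    alerts = []
    for src, per_port in sorted(fan_out(flows).items()):
        for dport, n in sorted(per_port.items()):
            if n >= threshold:
                alerts.append(Alert(src, f"{n} distinct hosts on tcp/{dport} within {WINDOW_SECONDS}s"))
    for src, dst in irc_peers(flows):
        alerts.append(Alert(src, f"IRC-port connection to {dst}"))
    return alerts


def suspect_hosts(flows):
    """Distinct sources that raised at least one alert: the block/isolate list."""
    return sorted({a.src for a in detect(flows)})


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.src}: {a.reason}")
```

Feed it real flow export (one line per connection) instead of `SAMPLE_FLOWS` to get a per-host list to isolate; the window and threshold are the knobs to tune so that a proxy or a file server with many legitimate clients does not trip the fan-out rule.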