Solved

virus got through the network, infected one pc and put us on the blacklist

Posted on 2008-10-17
1,873 Views
Last Modified: 2013-12-09
On Tuesday, one of the sites that I look after got infected with a number of viruses. Specifically, just one system was infected, but after the virus came in, it started running some kind of spam engine. When I was notified by the user that something strange was going on, I immediately pulled the network cable. There were hundreds of Symantec message send errors on the screen, and there must have been a large number that got sent out, because shortly after that the users started getting some non-delivery emails on some of the messages that they were sending out.

Anyway, all the computers are running the same version of SAV v10.0, including the Windows 2003 server. The server has the workstations locked down to prevent disabling of the services. We are running our in-house email using Exchange 2003, and SAV is also configured for that. Updates are done every 4 hours.

The users are running the same version of antivirus. This particular PC is also running the latest version of Spybot, with TeaTimer in the tray.
So with these two programs running, I would expect that the user should not have had any issues with viruses, but she did. It started when she opened an attachment regarding a plane ticket - E-ticket.zip. That is when her computer started to go crazy. (Someone in her office had booked her a plane ticket to Ottawa and she thought that this was the confirmation - an innocent mistake.)

This morning, I just loaded an evaluation copy of GFI MailSecurity. GFI MailEssentials is already installed. GFI MS is supposed to stop all viral attachments before they hit the users' email.

I have all the log files from the infection if you would like to see them, but the user's computer is all cleaned up.

So my questions are:
1. With what she has running on her PC, should the antivirus program have caught this before it was too late?
2. Should I be looking at a different corporate program?
3. This is the 2nd time that I have seen this happen, so what can I do to reduce the possibility of this happening again?
Question by:johnbowden
10 Comments
LVL 10

Expert Comment

by:MadShiva
1. Maybe, maybe not; without any more information it's hard to tell.

2. Yes, change your infrastructure, try open source, and you will not have more viruses. Or keep your infrastructure and love being virused.

3. This is only the 2nd time that you see a virus?


Author Comment

by:johnbowden
1. Let me know if you would like to see the logs.
2. Please tell me more about the open source.
3. 2nd time that a network has been blacklisted because a PC on the network was infected with a spam program sending out 1000s of emails.
LVL 10

Expert Comment

by:MadShiva
1. Yes, please give me the logs (the Symantec log).

2. Viruses often don't work on open source because there aren't many users that use open source.

If you write a virus it's to target a lot of people; that is why the virus is targeted at Outlook, etc., and will not work on other software.

The only thing, if you don't want more viruses, is to change to Linux; the easy way without changing to Linux is to use open source software.

For mail you have Thunderbird.

3. You can use SMTP authentication; maybe it will block the spam program. Or just change the SMTP port to something that the spam program doesn't know.
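
The controls MadShiva hints at rest on one observation: a workstation has no business opening outbound SMTP connections itself, because legitimate mail leaves through the Exchange server. Below is an added example, written for this thread and not code from any poster or product, that applies that rule in two ways: it scans firewall log lines for LAN hosts fanning out to many remote mail servers on TCP/25 (the signature of a spam engine like the one described in the question), and it models the egress policy a perimeter firewall should enforce so that such a host cannot get a single message out. The log lines are constructed iptables-style LOG output and the mail server address 192.168.1.10 is an assumption.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (iptables-style LOG output, made up for this
# example): one mail server and two workstations on a 192.168.1.0/24 LAN.
MAIL_SERVERS = {"192.168.1.10"}          # assumed address of the Exchange box
FIREWALL_LOG = """\
Oct 14 13:50:02 fw kernel: OUT SRC=192.168.1.10 DST=209.85.1.2 PROTO=TCP SPT=1203 DPT=25
Oct 14 13:50:09 fw kernel: OUT SRC=192.168.1.10 DST=64.12.0.7 PROTO=TCP SPT=1204 DPT=25
Oct 14 13:53:55 fw kernel: OUT SRC=192.168.1.57 DST=64.12.0.1 PROTO=TCP SPT=1034 DPT=25
Oct 14 13:53:55 fw kernel: OUT SRC=192.168.1.57 DST=65.54.0.3 PROTO=TCP SPT=1035 DPT=25
Oct 14 13:53:56 fw kernel: OUT SRC=192.168.1.57 DST=209.85.1.9 PROTO=TCP SPT=1036 DPT=25
Oct 14 13:53:56 fw kernel: OUT SRC=192.168.1.57 DST=98.136.0.4 PROTO=TCP SPT=1037 DPT=25
Oct 14 13:53:57 fw kernel: OUT SRC=192.168.1.57 DST=74.125.0.5 PROTO=TCP SPT=1038 DPT=25
Oct 14 13:54:01 fw kernel: OUT SRC=192.168.1.57 DST=74.125.0.5 PROTO=TCP SPT=1039 DPT=80
Oct 14 13:55:10 fw kernel: OUT SRC=192.168.1.23 DST=209.85.1.2 PROTO=TCP SPT=2201 DPT=25
Oct 14 13:55:12 fw kernel: OUT SRC=192.168.1.23 DST=72.14.0.8 PROTO=TCP SPT=2202 DPT=443
"""

# Fields we need from each line: source, destination and destination port.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*DPT=(?P<dport>\d+)")


def parse_connections(log_text):
    """Yield (src, dst, dport) for every parsable TCP line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def smtp_talkers(log_text, mail_servers):
    """Map each non-mail-server host to the distinct hosts it tried to reach
    on TCP/25. A normal client never appears here at all; a spam engine fans
    out to many remote MXs within seconds."""
    peers = defaultdict(set)
    for src, dst, dport in parse_connections(log_text):
        if dport == 25 and src not in mail_servers:
            peers[src].add(dst)
    return dict(peers)


def flag_spam_engines(log_text, mail_servers, min_peers=3):
    """Hosts whose count of distinct outbound SMTP peers reaches the threshold."""
    talkers = smtp_talkers(log_text, mail_servers)
    return sorted(host for host, peers in talkers.items() if len(peers) >= min_peers)


def egress_allowed(src, dport, mail_servers):
    """Policy the perimeter firewall should enforce: only the mail server(s)
    may open outbound TCP/25; any other host on port 25 is dropped and logged.
    With this in place the infected PC could not have reached a single MX."""
    return dport != 25 or src in mail_servers


if __name__ == "__main__":
    for host, peers in smtp_talkers(FIREWALL_LOG, MAIL_SERVERS).items():
        print(f"{host} opened SMTP to {len(peers)} distinct remote hosts: {sorted(peers)}")
    print("likely spam engines:", flag_spam_engines(FIREWALL_LOG, MAIL_SERVERS))
    for src, dst, dport in parse_connections(FIREWALL_LOG):
        verdict = "allow" if egress_allowed(src, dport, MAIL_SERVERS) else "DROP"
        print(f"{verdict:5} {src} -> {dst}:{dport}")
```

The threshold-based detector only catches a host once it has fanned out; the egress rule catches the first connection, which is why the policy, not the detector, is what keeps the site off the blacklists. Changing the SMTP port, as suggested above, does not help against a bot that talks directly to remote mail servers on their port 25.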

Author Comment

by:johnbowden
Here are the logs. The computer is clean according to Spybot, Symantec Antivirus and the F-Secure online scan.

Event Log
Event,Computer,User,Logged By,Date
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:04:39 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:04:31 AM
Symantec AntiVirus Startup,D1633WD1,SYSTEM,System,10/16/2008 9:02:52 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:02:44 AM
Symantec AntiVirus Shutdown,D1633WD1,SYSTEM,System,10/15/2008 4:20:28 PM
Definition File Loaded,D1633WD1,CFS\SYSTEM,System,10/15/2008 9:19:54 AM
Definition File Loaded,D1633WD1,CFS\tstonge,System,10/15/2008 9:19:47 AM
Symantec AntiVirus Startup,D1633WD1,SYSTEM,System,10/15/2008 9:14:43 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/15/2008 9:14:35 AM
Symantec AntiVirus Shutdown,D1633WD1,SYSTEM,System,10/15/2008 6:28:08 AM

Scan History
Computer,Status,Total files,Infected,Logged By,Started On,Completed
D1633WD1,Scan Complete,23723,0,Startup,10/16/2008 9:26:43 AM,10/16/2008 9:27:57 AM
D1633WD1,Scan Complete,913,0,Defwatch Scan,10/16/2008 9:04:36 AM,10/16/2008 9:05:35 AM
D1633WD1,Scan Complete,917,0,Defwatch Scan,10/15/2008 9:19:50 AM,10/15/2008 9:20:42 AM
D1633WD1,Scan Complete,23662,0,Startup,10/15/2008 9:15:35 AM,10/15/2008 9:19:08 AM


Backed Up Items
Risk,Filename,Original Location,Status,Date
Hacktool.Rootkit,rdl1.tmp,C:\Documents and Settings\user\Local Settings\Temp\,Infected,10/14/2008 1:56:24 PM
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
??????,98676512.zip,Mail System,Still contains 1 infected items,9/5/2008 10:04:50 AM
Packed.Generic.182,rldC3.tmp,C:\WINDOWS\Temp\,Infected,10/14/2008 1:53:53 PM
Hacktool.Rootkit,figaro.sys,C:\WINDOWS\system32\dllcache\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:22:59 PM
??????,Binaries2[1].cab,C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AW563DXJ\,Still contains 1 infected items,10/14/2008 3:45:17 PM
??????,Binaries2.cab3,C:\Documents and Settings\user\Local Settings\Temp\,Still contains 1 infected items,10/14/2008 3:43:45 PM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
??????,WW_671282.zip,Mail System,Still contains 1 infected items,8/13/2008 10:31:43 AM

Quarantine
Risk,Filename,Original Location,Status,Date
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
??????,98676512.zip,Mail System,Still contains 1 infected items,9/5/2008 10:04:50 AM
Trojan Horse,rldBE.tmp,C:\WINDOWS\TEMP\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:23:23 PM
XPAntivirus,uninstall.exe,c:\program files\rhc9wej0ejdt\,Infected,9/10/2008 10:22:38 AM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9I7S5IJ\,Infected,10/14/2008 3:58:21 PM
Trojan.Blusod,scan[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PMNOHMN\,Infected,10/14/2008 3:58:16 PM
Trojan.Blusod,scan[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PUB8XIJ\,Infected,10/14/2008 3:58:10 PM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3YY4PQJQ\,Infected,10/14/2008 3:58:04 PM
??????,Binaries2[1].cab,C:\Documents and Settings\tstonge\Local Settings\Temporary Internet Files\Content.IE5\AW563DXJ\,Still contains 1 infected items,10/14/2008 3:45:17 PM
??????,Binaries2.cab3,C:\Documents and Settings\tstonge\Local Settings\Temp\,Still contains 1 infected items,10/14/2008 3:43:46 PM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
XPAntivirus,pphccwej0ejdt.exe,c:\windows\system32\,Infected,8/14/2008 8:19:08 PM
??????,WW_671282.zip,Mail System,Still contains 1 infected items,8/13/2008 10:31:43 AM

Threat History
Risk,Action,Count,Filename,Threat Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
??????,Quarantined,1,E-ticket.zip,Compressed file,Mail System,D1633WD1,CFS\User,Still contains 1 infected items,Quarantine,Quarantine,Leave alone (log only),Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:23:23 PM
W32.Auraax,Quarantined,1,e-ticket.doc.exe,File; Compressed file,Mail System,D1633WD1,CFS\User,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:22:59 PM
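
The export above is more useful ordered by time than by section: the Quarantine list carries XPAntivirus hits dated August and September and Trojan.Pandex / Hacktool.Rootkit hits on 10/14, while the E-ticket.zip attachment is logged on 10/15. The following added example (written for this thread, not code from Symantec or from any poster) parses the posted CSV sections into one timeline and reports how much detected activity preceded the attachment the user opened. The two embedded strings are excerpts copied verbatim from the logs in this thread; the column names are taken from the export headers as posted, and nothing else is assumed.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Excerpts copied from the Symantec AntiVirus export posted in this thread
# (Quarantine and Threat History sections, column headers as exported).
QUARANTINE_CSV = r"""Risk,Filename,Original Location,Status,Date
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
Trojan Horse,rldBE.tmp,C:\WINDOWS\TEMP\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:23:23 PM
XPAntivirus,uninstall.exe,c:\program files\rhc9wej0ejdt\,Infected,9/10/2008 10:22:38 AM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9I7S5IJ\,Infected,10/14/2008 3:58:21 PM
XPAntivirus,pphccwej0ejdt.exe,c:\windows\system32\,Infected,8/14/2008 8:19:08 PM
"""

THREAT_HISTORY_CSV = r"""Risk,Action,Count,Filename,Threat Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
W32.Auraax,Quarantined,1,e-ticket.doc.exe,File; Compressed file,Mail System,D1633WD1,CFS\User,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:22:59 PM
"""

DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 10/14/2008 1:53:53 PM


def parse_section(text):
    """Parse one exported section; its header row names the columns, so the
    5-column Quarantine list and the 15-column Threat History both work.
    Each row gets a 'when' datetime parsed from its Date column."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.strptime(row["Date"], DATE_FORMAT)
        rows.append(row)
    return rows


def build_timeline(*sections):
    """Merge any number of sections into one list ordered by detection time."""
    events = [row for text in sections for row in parse_section(text)]
    return sorted(events, key=lambda r: r["when"])


def first_seen(timeline, name_fragment):
    """Earliest event whose filename contains the fragment (case-insensitive),
    or None if there is no such event."""
    frag = name_fragment.lower()
    for event in timeline:
        if frag in event["Filename"].lower():
            return event
    return None


def detections_before(timeline, when):
    """Events strictly earlier than 'when': activity that predates the
    detection the user noticed and that a single cleanup may not cover."""
    return [e for e in timeline if e["when"] < when]


def risk_counts(timeline):
    """How often each risk name appears. In this export the name '??????'
    is shown on quarantined archives that 'Still contain 1 infected items'."""
    return Counter(e["Risk"] for e in timeline)


def print_timeline(timeline):
    for e in timeline:
        print(f'{e["when"]:%Y-%m-%d %H:%M:%S}  {e["Risk"]:<14} {e["Filename"]:<20} {e["Status"]}')


if __name__ == "__main__":
    tl = build_timeline(QUARANTINE_CSV, THREAT_HISTORY_CSV)
    print_timeline(tl)
    ticket = first_seen(tl, "e-ticket")
    earlier = detections_before(tl, ticket["when"])
    gap = (ticket["when"] - tl[0]["when"]).days
    print(f"{len(earlier)} detections logged before the E-ticket attachment; "
          f"the first of them is {gap} days older")
    print(risk_counts(tl))
```

Run on the excerpt, the earliest event is an XPAntivirus (rogue antivirus) detection on 8/14 and five detections precede the 10/15 attachment, which is the kind of fact a timeline surfaces immediately and a per-section view hides; it is also the evidence to put in front of the vendor when asking why the product kept logging hits on the same machine for two months.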

Author Comment

by:johnbowden
Again, these were cleaned, and the system has been scanned twice since then and shows clean.

Spybot Report
14.10.2008 19:01:24 - ##### check started #####
14.10.2008 19:01:24 - ### Version: 1.6.0
14.10.2008 19:01:24 - ### Date: 10/14/2008 7:01:24 PM
14.10.2008 19:01:26 - ##### checking bots #####
14.10.2008 19:03:34 - found: Fraud.Antivirus2008 Uninstall settings
14.10.2008 19:06:30 - found: Delf.Spool.cn  Executable
14.10.2008 19:15:54 - ##### check finished #####

Fraud.Antivirus2008: [SBI $507892C0] Uninstall settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc9wej0ejdt

Delf.Spool.cn: [SBI $D357F13F]  Executable (File, nothing done)
  C:\WINDOWS\system32\delself.bat


--- Spybot - Search & Destroy version: 1.6.0  (build: 20080707) ---

Author Comment

by:johnbowden
I also have the Autoruns and Hijackthis log files
LVL 10

Expert Comment

by:MadShiva

I think that the best way is to clean everything with Ghost or something that restores your hard disk.

Just in case the virus has changed some system files.

Maybe not, but it's the fastest way, and the secure way.


You can't trust Symantec or any antivirus.

Author Comment

by:johnbowden
I did some reading on the open source antivirus software and it's pretty negative.
I'm just wondering if I need to change from Symantec to another product. I really haven't tried anything other than the CA product (and I really didn't like that software), so I'm hoping that I can get some suggestions as to alternatives to Symantec Corp Edition that would be easy to manage, be able to push down the software through a GPO, have a small footprint, etc.

Author Comment

by:johnbowden
I have opened a case with Symantec on this issue. As far as I'm concerned, I've taken all the correct steps to prevent this problem from happening, especially with the known viruses that infected the computer.

Just an FYI, I had another machine at a different site get infected with Trojan.Metajuan, and to get rid of it I loaded the free version of AVG. Also, to confirm that it was gone, I went to the F-Secure site and ran a scan.

Why is the corp version of SAV not picking this up?

So, again, is there a better alternative than Symantec?

What about Kaspersky?
LVL 10

Accepted Solution

by: MadShiva (earned 125 total points)
Hi !

Yes, Symantec is the worst antivirus. I don't like that Symantec always detects only false positives, "hack" tools like SuperScan etc., but not real viruses. I don't have a choice; Symantec is used in my company :(
In the last 2 weeks someone got the e-ticket virus; that's old, but Symantec didn't detect it.

And like I say, if you use open source programs (but not the antivirus) for the mail client, for the web, and for the firewall, maybe the virus can do some damage, but the firewall will block it. And maybe the open source software will block the virus, because the virus will use, for example, one exploit in Microsoft Outlook; then if you don't use Outlook it's safe.


You could also find the best antivirus with comparative tests:


http://www.av-comparatives.org/

http://www.virusbtn.com/news/2008/09_02

Best Regards