johnbowden asked:

Virus got through the network, infected one PC and put us on the blacklist

On Tuesday, one of my sites that I look after got infected with a number of viruses. Specifically, just one system was infected, but after the virus came in, it started running some kind of spam engine. When I was notified by the user that something strange was going on, I immediately pulled the network cable. There were hundreds of Symantec message send errors on the screen, and there must have been a large number that got sent out, because shortly after that the users started getting some non-delivery emails on some of the messages that they were sending out.

Anyway, all the computers are running the same version of SAV v10.0, including the Windows 2003 server. The server has the workstations locked down to prevent disabling of the services. We are running our in-house email using Exchange 2003, and the SAV is also configured for that. Updates are done every 4 hours.

The users are running the same version of antivirus. This particular PC is running the latest version of Spybot as well, with the TeaTimer in the tray.
So with these two programs running, I would expect that the user should not have had any issues with viruses, but she did. It started when she opened an attachment regarding a plane ticket - E-ticket.zip. That is when her computer started to go crazy. (Someone in her office had booked her a plane ticket to Ottawa and she thought that this was the confirmation - an innocent mistake.)

This morning, I just loaded an evaluation copy of GFI MailSecurity. GFI MailEssentials is already installed. With GFI MS, it is supposed to stop all viral attachments before they hit the users' email.

I have all the log files from the infections if you would like to see them, but the user's computer is all cleaned up.

So my questions are:
1. With what she has running on her PC, should the antivirus program have caught this before it was too late?
2. Should I be looking at a different corporate program?
3. This is the 2nd time that I have seen this happen, so what can I do to reduce the possibility of this happening again?
Tobias

1. Maybe, maybe not; without any more information it's hard to tell.

2. Yes, change your infrastructure, try open source, and you will not have more viruses. Or keep your infrastructure and love being virused.


3. This is only the 2nd time that you see a virus?

johnbowden (ASKER)

1. Let me know if you would like to see the logs.
2. Please tell me more about the open source.
3. 2nd time that a network has been blacklisted because a PC on the network was infected with a spam program sending out 1000's of emails.
Tobias

1. Yes, please give me the logs (the Symantec log).

2. Viruses don't work many times on open source because there aren't many users that use open source.

If you write a virus, it's for targeting a lot of people; that is why the virus is targeted at Outlook, etc., and will not work on other software.

The only thing, if you don't want more viruses, is to change to Linux; the easy way without changing to Linux is to use open source software.

For the mail you have thunderbird.

3. You can use SMTP authentication; maybe it will block the spam program. Or just change the SMTP port to something that the spam program doesn't know.

johnbowden (ASKER)

Here are the logs. The computer is clean according to Spybot, Symantec AntiVirus and the F-Secure online scan.

Event Log
Event,Computer,User,Logged By,Date
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:04:39 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:04:31 AM
Symantec AntiVirus Startup,D1633WD1,SYSTEM,System,10/16/2008 9:02:52 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/16/2008 9:02:44 AM
Symantec AntiVirus Shutdown,D1633WD1,SYSTEM,System,10/15/2008 4:20:28 PM
Definition File Loaded,D1633WD1,CFS\SYSTEM,System,10/15/2008 9:19:54 AM
Definition File Loaded,D1633WD1,CFS\tstonge,System,10/15/2008 9:19:47 AM
Symantec AntiVirus Startup,D1633WD1,SYSTEM,System,10/15/2008 9:14:43 AM
Definition File Loaded,D1633WD1,SYSTEM,System,10/15/2008 9:14:35 AM
Symantec AntiVirus Shutdown,D1633WD1,SYSTEM,System,10/15/2008 6:28:08 AM

Scan History
Computer,Status,Total files,Infected,Logged By,Started On,Completed
D1633WD1,Scan Complete,23723,0,Startup,10/16/2008 9:26:43 AM,10/16/2008 9:27:57 AM
D1633WD1,Scan Complete,913,0,Defwatch Scan,10/16/2008 9:04:36 AM,10/16/2008 9:05:35 AM
D1633WD1,Scan Complete,917,0,Defwatch Scan,10/15/2008 9:19:50 AM,10/15/2008 9:20:42 AM
D1633WD1,Scan Complete,23662,0,Startup,10/15/2008 9:15:35 AM,10/15/2008 9:19:08 AM


Backed Up Items
Risk,Filename,Original Location,Status,Date
Hacktool.Rootkit,rdl1.tmp,C:\Documents and Settings\user\Local Settings\Temp\,Infected,10/14/2008 1:56:24 PM
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
??????,98676512.zip,Mail System,Still contains 1 infected items,9/5/2008 10:04:50 AM
Packed.Generic.182,rldC3.tmp,C:\WINDOWS\Temp\,Infected,10/14/2008 1:53:53 PM
Hacktool.Rootkit,figaro.sys,C:\WINDOWS\system32\dllcache\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:22:59 PM
??????,Binaries2[1].cab,C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AW563DXJ\,Still contains 1 infected items,10/14/2008 3:45:17 PM
??????,Binaries2.cab3,C:\Documents and Settings\user\Local Settings\Temp\,Still contains 1 infected items,10/14/2008 3:43:45 PM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
??????,WW_671282.zip,Mail System,Still contains 1 infected items,8/13/2008 10:31:43 AM

Quarantine
Risk,Filename,Original Location,Status,Date
??????,RN67761263.zip,Mail System,Still contains 1 infected items,9/2/2008 12:18:50 PM
??????,98676512.zip,Mail System,Still contains 1 infected items,9/5/2008 10:04:50 AM
Trojan Horse,rldBE.tmp,C:\WINDOWS\TEMP\,Infected,10/14/2008 1:53:53 PM
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:23:23 PM
XPAntivirus,uninstall.exe,c:\program files\rhc9wej0ejdt\,Infected,9/10/2008 10:22:38 AM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9I7S5IJ\,Infected,10/14/2008 3:58:21 PM
Trojan.Blusod,scan[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PMNOHMN\,Infected,10/14/2008 3:58:16 PM
Trojan.Blusod,scan[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PUB8XIJ\,Infected,10/14/2008 3:58:10 PM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3YY4PQJQ\,Infected,10/14/2008 3:58:04 PM
??????,Binaries2[1].cab,C:\Documents and Settings\tstonge\Local Settings\Temporary Internet Files\Content.IE5\AW563DXJ\,Still contains 1 infected items,10/14/2008 3:45:17 PM
??????,Binaries2.cab3,C:\Documents and Settings\tstonge\Local Settings\Temp\,Still contains 1 infected items,10/14/2008 3:43:46 PM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
XPAntivirus,pphccwej0ejdt.exe,c:\windows\system32\,Infected,8/14/2008 8:19:08 PM
??????,WW_671282.zip,Mail System,Still contains 1 infected items,8/13/2008 10:31:43 AM

Threat History
Risk,Action,Count,Filename,Threat Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
??????,Quarantined,1,E-ticket.zip,Compressed file,Mail System,D1633WD1,CFS\User,Still contains 1 infected items,Quarantine,Quarantine,Leave alone (log only),Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:23:23 PM
W32.Auraax,Quarantined,1,e-ticket.doc.exe,File; Compressed file,Mail System,D1633WD1,CFS\User,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:22:59 PM
Again, these were cleaned, and the system has been scanned twice after this and shows clean.

Spybot Report
14.10.2008 19:01:24 - ##### check started #####
14.10.2008 19:01:24 - ### Version: 1.6.0
14.10.2008 19:01:24 - ### Date: 10/14/2008 7:01:24 PM
14.10.2008 19:01:26 - ##### checking bots #####
14.10.2008 19:03:34 - found: Fraud.Antivirus2008 Uninstall settings
14.10.2008 19:06:30 - found: Delf.Spool.cn  Executable
14.10.2008 19:15:54 - ##### check finished #####

Fraud.Antivirus2008: [SBI $507892C0] Uninstall settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc9wej0ejdt

Delf.Spool.cn: [SBI $D357F13F]  Executable (File, nothing done)
  C:\WINDOWS\system32\delself.bat


--- Spybot - Search & Destroy version: 1.6.0  (build: 20080707) ---
I also have the Autoruns and HijackThis log files.
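As an added example (not part of the thread or of any Symantec tooling), a small Python triage over the SAV export rows quoted above, flagging the patterns that stand out in this incident: a document-named executable that arrived inside a mail archive (e-ticket.doc.exe), mail archives quarantined but still holding an infected item, and files fetched under the SYSTEM profile, which means something running as a service, not the logged-on user, pulled them down. The sample rows are copied from the Quarantine and Threat History exports above; the column names are the ones those exports use.

```python
import csv
import io
from dataclasses import dataclass

# Extensions Windows will execute directly; a second extension in front of one
# of these (name.doc.exe) is the classic disguise used by mailed malware.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


@dataclass
class Finding:
    filename: str
    reason: str
    when: str


def is_disguised_executable(filename: str) -> bool:
    """True for name.doc.exe-style files: two extensions, the last one executable."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS


def triage(csv_text: str) -> list[Finding]:
    """Walk one SAV CSV export (Quarantine or Threat History) and flag suspicious rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, loc, when = row["Filename"], row["Original Location"], row["Date"]
        if is_disguised_executable(name):
            findings.append(Finding(name, "double-extension executable", when))
        # An archive the scanner could not clean is still a live sample in quarantine.
        if loc == "Mail System" and row["Status"].startswith("Still contains"):
            findings.append(Finding(name, "mail archive quarantined uncleaned", when))
        # IE cache under systemprofile: the download ran as LocalSystem, not as the user.
        if "\\systemprofile\\" in loc.lower():
            findings.append(Finding(name, "download made under the SYSTEM profile", when))
    return findings


# Sample rows taken from the exports quoted in the question (raw strings keep the backslashes).
QUARANTINE = r"""Risk,Filename,Original Location,Status,Date
??????,E-ticket.zip,Mail System,Still contains 1 infected items,10/15/2008 1:23:23 PM
Trojan.Pandex,lspr[1].exe,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9I7S5IJ\,Infected,10/14/2008 3:58:21 PM
XPAntivirus,uninstall.exe,c:\program files\rhc9wej0ejdt\,Infected,9/10/2008 10:22:38 AM
??????,UPS_E9712.zip,Mail System,Still contains 1 infected items,8/5/2008 12:21:27 PM
"""

THREAT_HISTORY = r"""Risk,Action,Count,Filename,Threat Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
??????,Quarantined,1,E-ticket.zip,Compressed file,Mail System,D1633WD1,CFS\User,Still contains 1 infected items,Quarantine,Quarantine,Leave alone (log only),Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:23:23 PM
W32.Auraax,Quarantined,1,e-ticket.doc.exe,File; Compressed file,Mail System,D1633WD1,CFS\User,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,10/15/2008 1:22:59 PM
"""
```

Running `triage(QUARANTINE)` yields three findings (two uncleaned mail archives and the SYSTEM-profile download), and `triage(THREAT_HISTORY)` singles out e-ticket.doc.exe as the double-extension executable.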

Tobias

I think that the best way is to clean everything with Ghost or something that restores your hard disk.

Just in case the virus has changed something in the file system.

Maybe not, but it's the fastest way, and the secure way.


You can't trust Symantec or any antivirus.
johnbowden (ASKER)

I did some reading on the open source antivirus software and it's pretty negative.
I'm just wondering if I need to change from Symantec to another product. I really haven't tried anything other than the CA product (and I really didn't like that software), so I'm hoping that I can get some suggestions as to alternatives to Symantec Corp Edition that would be easy to manage, be able to push down the software through a GPO, small footprint, etc.
I have opened a case with Symantec on this issue. As far as I'm concerned, I've taken all the correct steps to prevent this problem from happening, especially with the known viruses that infected the computer.

Just an FYI, I had another machine at a different site get infected with Trojan.Metajuan and to get rid of it, I loaded the free version of AVG. Also, to confirm that it was gone, I went to the F-Secure site and ran a scan.

Why is the corp version of SAV not picking this up?

So, again, is there a better alternative than Symantec?

What about Kaspersky?
ASKER CERTIFIED SOLUTION
Tobias