Solved

W32/Sality.gen.c  running rampant on network...

Posted on 2009-04-14
15
2,652 Views
Last Modified: 2013-11-22
Has anyone seen this virus recently?  Somehow this virus has entered our network and is dropping other trojans and rootkits such as the following:

+ NTRootKit-AB (Trojan)
+ RemAdm-ProcLaunch!171 (Remote Admin Tool)
+ Spam-Mailbot (Trojan)

The virus seemed to spread quickly today.  We have various versions of McAfee Enterprise installed on the network.  Some clients have 8.0, 8.5i, and 8.7i.  The servers all have the latest 8.7i and the 04/13/09 McAfee DAT.  Despite being protected with On-Access, Access Protection, and overflow protection, this virus seems to disable the client version and redistribute the virus to servers via mapped network drives and/or vice versa.  Quite common is the autorun.inf which seems to initiate the virus from either the server or the client, which kicks off various .pif files, infectious exes, other autorun.infs, and/or trojans.  We have flirted with disabling Autorun (on all drives) via GPO with no success.

Has anyone seen this or have any recommendations?   Various online resources and contacts seem to yield minimal results.  Any information would be greatly appreciated.
Question by:CecilAdmin
15 Comments
 
LVL 1

Expert Comment

by:bigpadhakoo
I recommend you download Trojan Remover to fix this and all other existing rootkit threats. You can download a trial version of a fully functional 30-day copy. Follow this link: http://www.simplysup.com
0
 
LVL 12

Accepted Solution

by:ryan80 (earned 300 total points)
This is a nasty virus that can sometimes make you have to format.  Try these suggestions:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t215884.html

I have always liked Combofix, Malwarebytes, and RogueFix, which is a batch file that I have found needs to be run first before Combofix for nasty bugs.

Remember, the virus will try to infect any media you connect to it, so consider it tainted and format it. Disable autorun.

AVG makes a Sality remover:
http://free.avg.com/virus-removal.ndi-67769

Good luck.
0
 
LVL 11

Assisted Solution

by:xtreminator
(earned 200 total points)
SpyDLLRemover is an effective solution to remove rootkits from a system.

ryan80 is right, AVG makes a Sality remover; you need to run it in safe mode.

Make a weapon of these couple of tools and get rid of it.
0
 
LVL 12

Expert Comment

by:ryan80
In case safe mode is corrupted too, you can try RogueFix, which is a batch file that will remove a lot of rootkits.  I have had to use this first sometimes in safe mode before I could run a standard antivirus.

Also you could use something like BartPE if things are really ridiculous. It is a bootable OS that runs in RAM. It has add-ons that you can use to do things like virus scans.
0
 

Author Comment

by:CecilAdmin
Awesome feedback.  We are proceeding with many examples, including the ones mentioned here.  A lot of the infected clients will not boot into Safe Mode at all, in which case we are trying to run a couple of mods/scripts to try to re-enable its functionality.
0
 
LVL 12

Expert Comment

by:ryan80
RogueFix is a text file that runs as a batch file.  I have not found a single virus yet that prevented it from running.  It usually allows you to be able to run Combofix afterwards.
0
 

Author Comment

by:CecilAdmin
RogueFix does not restore the Safe Mode functionality, though.  The virus corrupts the computer and forces it to load Windows in normal mode so it can load itself into memory (Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt all blue screen); then the virus will actually kill the AVG removal tool.
0
 
LVL 12

Expert Comment

by:ryan80
Yeah, RogueFix doesn't restore safe mode, but it can make it usable.
0
 
LVL 12

Expert Comment

by:ryan80
It can kill the virus that stops safe mode and the virus removal tool.  At least I've seen it do it with other viruses.
0
 

Author Comment

by:CecilAdmin
How can we get safe mode restored? That should be one of the first steps to be able to run a successful scan without the virus running in memory, for example.  We've pondered BartPE.  I am willing to open another expert question too.
0
 

Author Comment

by:CecilAdmin
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
^We found this site, which works great for XP clients; however, I am thinking the keys are probably different on Windows Server 2003 SP1 and SP2?
0
 

Author Comment

by:CecilAdmin
^We were able to export the keys from another Win2k SP2 Ent server and import them into the suspect servers to regain access to safe mode with command prompt for virus scans.
0
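The two registry-level fixes this thread turns on are the SafeBoot keys the virus deletes (the cause of Safe Mode blue-screening) and the Autorun policy the GPO attempt in the question did not manage to enforce. The script below is an added example, not from the thread or any of the tools it mentions: it audits both on a suspect host and, with `-Export`, dumps the SafeBoot keys from a clean reference host so they can be imported on an infected one. The output directory and the "fewer than 20 entries" heuristic are assumptions; the key and value names are the standard Windows ones.

```powershell
# Added example (not from the thread): audit the registry state the thread relies
# on. Run without switches on a suspect host; run with -Export on a clean host
# of the same OS/service pack to produce .reg files for the infected machines.
param(
    [switch]$Export,                        # export SafeBoot keys from a clean host
    [string]$OutDir = "$env:TEMP\safeboot"  # assumed output path for the .reg files
)

$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Safe Mode needs the Minimal (Safe Mode / Safe Mode with Command Prompt) and
#    Network (Safe Mode with Networking) subkeys. Malware that deletes them gives
#    exactly the "all three Safe Modes blue screen" symptom described above.
foreach ($mode in 'Minimal', 'Network') {
    $key = Join-Path $safeBoot $mode
    if (-not (Test-Path $key)) {
        Write-Warning "SafeBoot\$mode is missing: Safe Mode ($mode) will not boot"
        continue
    }
    $count = @(Get-ChildItem $key).Count
    # A healthy XP/2003 host lists dozens of drivers/services; a handful means gutted.
    if ($count -lt 20) { Write-Warning "SafeBoot\$mode has only $count entries" }
    else               { Write-Output  "SafeBoot\$mode OK ($count entries)" }
}

# 2. Autorun policy: NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive
#    type. On XP/2003 the value is only honoured for autorun.inf once KB967715
#    is installed (it also sets HonorAutoRunSetting = 1); without that update a
#    GPO that "disables Autorun" silently has no effect on mapped/USB drives.
$p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
if ($p.NoDriveTypeAutoRun -ne 0xFF) {
    Write-Warning ('NoDriveTypeAutoRun is {0}, expected 0xFF' -f $p.NoDriveTypeAutoRun)
}
if ($p.HonorAutoRunSetting -ne 1) {
    Write-Warning 'HonorAutoRunSetting is not 1: apply KB967715 so the policy is honoured'
}

# 3. On a clean reference host, export both SafeBoot keys so they can be imported
#    on an infected one (reg import <file>) to regain Safe Mode, as the thread did.
if ($Export) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($mode in 'Minimal', 'Network') {
        $file = Join-Path $OutDir "SafeBoot_$mode.reg"
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" $file /y
    }
    Write-Output "Exported to $OutDir; copy the .reg files to the infected host and run: reg import <file>"
}
```

Export from a machine with the same Windows version and service pack as the target, since the SafeBoot entries differ between XP and Server 2003 builds, which is the concern raised in the thread.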
 
LVL 12

Expert Comment

by:ryan80
Nice find. That can really come in handy.
0
 

Author Comment

by:CecilAdmin
McAfee 8.7i w/ AntiSpyware Module 8.7 with the latest DAT up until Friday 04/17 still would not clean the virus.  It would detect but not clean.  McAfee argued that it was running in memory, but we could replicate the issue on a clean image every time on multiple computers.  If an infected USB drive was plugged into a clean machine or an infected drive mapped, the virus would jump immediately (or vice versa).  McAfee would detect it, but fail to clean it, as you could see the virus begin to spread across the machines.

We finally got our ticket escalated up to level 4 with McAfee after submitting the variant to AVERT w/ relevant logs, in which case early Friday morning they released a 04/17 beta Super DAT.  We replicated the exact same scenario as before; however, with the newly applied DAT, McAfee 8.7i was able to not only detect the virus but also clean it, essentially stopping it from spreading, which previous DATs were unable to do.  They have a process of including the DATs in the next DAT interval, so hopefully if anyone runs across this virus it can actually be stopped with the latest McAfee DATs.  In the meantime, I believe the beta Super DAT (at least on Friday) on their page will suffice in case they have not bundled it yet with the latest DAT release...

http://vil.nai.com/vil/virus-4d.aspx
^avvwin_xdatbeta.exe
0
 

Author Comment

by:CecilAdmin
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-041814-2904-99&tabid=3
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3

^We ended up imaging the client machines.  Any essential clients or servers that could not be duplicated, we followed Symantec's removal guide that also included specific registry keys to remove and/or fix.

We found that despite the machines being clean and up to date, registry key values detailed in the above Symantec links were added by the virus and/or related drops, making the machine vulnerable to connecting to the Internet and reinfecting itself.  While the McAfee software would now detect and clean On Access, the process would continue due to the vulnerability.  Plus, if any new variants popped up, we would be extremely susceptible to new infections.
0