• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2672

W32/Sality.gen.c running rampant on network...

Has anyone seen this virus recently?  Somehow this virus has entered our network and is dropping other trojans and rootkits such as the following:

+ NTRootKit-AB (Trojan)
+ RemAdm-ProcLaunch!171 (Remote Admin Tool)
+ Spam-Mailbot (Trojan)

The virus seemed to spread quickly today.  We have various versions of McAfee Enterprise installed on the network.  Some clients have 8.0, 8.5i, and 8.7i.  The servers all have the latest 8.7i and the 04/13/09 McAfee DAT.  Despite being protected with On-Access, Access Protection, and overflow protection, this virus seems to disable the client version and redistribute the virus to servers via mapped network drives and/or vice versa.  Quite common is the autorun.inf which seems to initiate the virus from either the server or the client which kicks off various .pif files, infectious exes, other autorun.infs, and/or trojans.  We have flirted with disabling Autorun (on all drives) via GPO with no success.

Has anyone seen this or have any recommendations?   Various online resources and contacts seem to yield minimal results.  Any information would be greatly appreciated.
Asked by: CecilAdmin
2 solutions
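The question above says the GPO-based attempt to disable Autorun did not stop the autorun.inf spreading over mapped drives. The following PowerShell script is an added example, not code from the original thread or from any of the vendors mentioned; it audits what the machine actually has in the registry and lists autorun.inf files at the root of every logical drive so an administrator can see which drives are carrying one. The function names are this example's own, and it assumes an elevated session on a Windows host with PowerShell installed (on XP or Server 2003 that means PowerShell 1.0 or 2.0 added separately).

```powershell
# Added example, not from the original thread: audit whether AutoRun is really
# disabled on this host and look for autorun.inf files at the root of every
# logical drive, including mapped network drives. Run in an elevated session.
# The function names below are this example's own (hypothetical).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$AllDrives = 0xFF   # NoDriveTypeAutoRun bit mask that covers every drive type

function Get-AutoRunPolicy {
    # Reports the machine-wide NoDriveTypeAutoRun mask (what a GPO writes) and
    # whether the IniFileMapping hardening, which makes Windows treat every
    # autorun.inf as empty, is also in place.
    $mask = $null
    $prop = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($prop) { $mask = [int]$prop.NoDriveTypeAutoRun }

    $maskText = '(not set)'
    if ($null -ne $mask) { $maskText = '0x{0:X2}' -f $mask }

    $iniMapped = $false
    if (Test-Path $IniMapKey) {
        $default   = (Get-ItemProperty -Path $IniMapKey).'(default)'
        $iniMapped = ($default -eq '@SYS:DoesNotExist')
    }

    [pscustomobject]@{
        NoDriveTypeAutoRun = $maskText
        AllDriveTypesOff   = ($null -ne $mask) -and (($mask -band $AllDrives) -eq $AllDrives)
        AutorunInfMapped   = $iniMapped
    }
}

function Find-RootAutorunInf {
    # Lists autorun.inf at the root of each logical drive. DriveType 2 is
    # removable, 3 local, 4 network (mapped); the first five lines of the file
    # are shown so the [autorun] target can be seen without opening it.
    Get-WmiObject Win32_LogicalDisk | ForEach-Object {
        $file = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $file) {
            $attr = (Get-Item -LiteralPath $file -Force).Attributes
            [pscustomobject]@{
                Drive     = $_.DeviceID
                DriveType = $_.DriveType
                Hidden    = [bool]($attr -band [IO.FileAttributes]::Hidden)
                System    = [bool]($attr -band [IO.FileAttributes]::System)
                Preview   = (Get-Content -LiteralPath $file -TotalCount 5 -ErrorAction SilentlyContinue) -join ' | '
            }
        }
    }
}

Get-AutoRunPolicy | Format-List
Find-RootAutorunInf | Format-Table -AutoSize
```

A mask of 0xFF with AllDriveTypesOff = True means the GPO did reach the machine. Note that on Windows XP and Server 2003 the NoDriveTypeAutoRun policy alone was not fully honoured for autorun.inf until Microsoft's update described in KB967715 was applied, which is one reason a GPO can appear to have "no success"; the IniFileMapping entry reported as AutorunInfMapped is the documented workaround that does not depend on that update. A hidden, system-attributed autorun.inf at the root of a mapped drive is the artifact to look for.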
bigpadhakoo commented:
I recommend you download Trojan Remover to fix this and all other existing rootkit threats. You can download a fully functional 30-day trial copy. Follow this link: http://www.simplysup.com
ryan80 commented:
This is a nasty virus that can sometimes make you have to format.  Try these suggestions:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t215884.html

I have always liked Combofix, Malwarebytes, and RogueFix, which is a batch file that I have found needs to be run first before Combofix for nasty bugs.

Remember, the virus will try to infect any media you connect to it, so consider it tainted and format it. Disable autorun.

AVG makes a Sality remover
http://free.avg.com/virus-removal.ndi-67769

Good luck.
xtreminator commented:
SpyDLLRemover is an effective solution for removing rootkits from a system.

ryan80 is right, AVG makes a Sality remover; you need to run it in Safe Mode.

Make a weapon of these couple of tools and get rid of it.
ryan80 commented:
In case Safe Mode is corrupted too, you can try RogueFix, which is a batch file that will remove a lot of rootkits.  I have had to use this first sometimes in Safe Mode before I could run a standard antivirus.

Also you could use something like BartPE if things are really ridiculous. It is a bootable OS that runs in RAM. It has add-ons that you can use to do things like virus scans.
CecilAdmin (author) commented:
Awesome feedback.  We are proceeding with many examples including the ones mentioned here.  A lot of the infected clients will not boot into Safe Mode at all in which case we are trying to run a couple mods/scripts to try to re-enable its functionality.
ryan80 commented:
Roguefix is a text file that runs as a batch file.  I have not found a single virus yet that prevented it from running.  It usually allows you to be able to run Combofix afterwards.
CecilAdmin (author) commented:
RogueFix does not restore the Safe Mode functionality though.... the virus corrupts the computer and forces it to load Windows normal mode to load itself in memory (Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt all blue screen), then the virus will actually kill the AVG removal tool.
ryan80 commented:
Yeah, RogueFix doesn't restore Safe Mode, but it can make it usable.
ryan80 commented:
It can kill the virus that stops Safe Mode and the virus removal tool.  At least I've seen it do it with other viruses.
CecilAdmin (author) commented:
How can we get safe mode restored -- that should be one of the first steps to be able to run a successful scan without the virus running in memory, for example.  We've pondered BartPE.  I am willing to open another expert question too.
CecilAdmin (author) commented:
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
^We found this site which works great for XP clients; however, I am thinking the keys are probably different on Windows Server 2003 SP1 and SP2?
CecilAdmin (author) commented:
^We were able to export the keys from another Win2k SP2 Ent server and import them into the suspect servers to regain access to safe mode with command prompt for virus scans.
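The two comments above restore Safe Mode by re-importing the SafeBoot registry tree from a clean machine of the same Windows version. The PowerShell script below is an added example, not code from the original thread or from the linked blog post; it checks whether the Minimal and Network boot lists are present and non-empty, exports the tree with reg.exe from a clean host, and refuses to import any .reg file that writes outside the SafeBoot tree, so a file that was tampered with on a shared drive cannot be used to plant other registry data. The function names are this example's own. It assumes an elevated session and, as the author found, that the source machine runs the same Windows version and service pack: the key path is the same on XP and Server 2003, but the entries under it differ.

```powershell
# Added example, not from the original thread: check the SafeBoot registry
# tree that Safe Mode boots from, export it from a known-clean machine, and
# import it on a suspect one. Function names are this example's own
# (hypothetical). Run elevated; source and target must be the same OS/SP.

$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootKeys {
    # Reports whether the Minimal and Network boot lists exist and how many
    # entries each has; a missing or empty list leaves Safe Mode unbootable.
    foreach ($mode in 'Minimal', 'Network') {
        $path  = Join-Path $SafeBootKey $mode
        $count = 0
        if (Test-Path $path) { $count = @(Get-ChildItem $path).Count }
        [pscustomobject]@{
            Mode    = $mode
            Present = (Test-Path $path)
            Entries = $count
            Healthy = ($count -gt 0)
        }
    }
}

function Export-SafeBootKeys {
    param([Parameter(Mandatory=$true)][string]$Path)
    # reg.exe exports the whole tree, including the AlternateShell value.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with code $LASTEXITCODE" }
}

function Import-SafeBootKeys {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Accept only a Regedit 5.00 export whose every key line sits under the
    # SafeBoot tree; deletion lines ([-HKEY...]) are rejected as well, since a
    # clean export never contains them.
    $lines = Get-Content -LiteralPath $Path
    if ($lines[0] -notmatch '^Windows Registry Editor Version 5\.00') {
        throw 'Not a Regedit 5.00 export'
    }
    $keys = $lines | Where-Object { $_ -match '^\[' }
    $bad  = $keys | Where-Object {
        $_ -notmatch '^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot(\\|\])'
    }
    if ($bad) { throw "Refusing import, unexpected key(s): $($bad -join ', ')" }
    & reg.exe import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with code $LASTEXITCODE" }
}

Test-SafeBootKeys | Format-Table -AutoSize
# On the clean machine:   Export-SafeBootKeys -Path C:\temp\safeboot.reg
# On the suspect machine: Import-SafeBootKeys -Path C:\temp\safeboot.reg; Test-SafeBootKeys
```

Run Test-SafeBootKeys before and after the import; Healthy = True for both modes is what the Safe Mode with Command Prompt scan in the comment above depends on. The import restores only the boot lists, which name services and drivers by their registry names; it does not recreate a service the malware removed, so a machine that still blue-screens after a successful import needs the services those entries point at checked separately.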
ryan80 commented:
nice find. that can really come in handy
CecilAdmin (author) commented:
McAfee 8.7i w/ AntiSpyware Module 8.7 with the latest DAT up until Friday 04/17 still would not clean the virus.  It would detect but not clean.  McAfee argued that it was running in memory, but we could replicate the issue on a clean image every time on multiple computers.  If an infected USB drive was plugged into a clean machine or an infected drive mapped, the virus would jump immediately (or vice versa).  McAfee would detect it, but fail to clean it, as you could see the virus begin to spread across the machines.

We finally got our ticket escalated up to level 4 with McAfee after submitting the variant to AVERT w/ relative logs, in which case early Friday morning they released a 04/17 beta Super DAT.  We replicated the exact same scenario as before; however, with the newly applied DAT, McAfee 8.7i was able to not only detect the virus but also clean it, essentially stopping it from spreading, which previous DATs were unable to do.  They have a process of including the DATs in the next DAT interval, so hopefully if anyone runs across this virus it can actually be stopped with the latest McAfee DATs.  In the meantime, I believe the beta Super DAT (at least on Friday) on their page will suffice in case they have not bundled it yet with the latest DAT release...

http://vil.nai.com/vil/virus-4d.aspx
^avvwin_xdatbeta.exe
CecilAdmin (author) commented:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-041814-2904-99&tabid=3
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3

^We ended up imaging the client machines.  Any essential clients or servers that could not be duplicated, we followed Symantec's removal guide that also included specific registry keys to remove and/or fix.

We found that despite the machines being clean and up to date, registry key values detailed in the above Symantec links were added by the virus and/or related drops making the machine vulnerable to connect to the Internet and reinfect itself.  While the McAfee software would now detect and clean On Access, the process would continue due to the vulnerability.  Plus, if any new variants popped-up, we would be extremely susceptible to new infections.