W32/Sality.gen.c running rampant on network...
Posted on 2009-04-14
Has anyone seen this virus recently? Somehow this virus has entered our network and is dropping other trojans and rootkits such as the following:
+ NTRootKit-AB (Trojan)
+ RemAdm-ProcLaunch!171 (Remote Admin Tool)
+ Spam-Mailbot (Trojan)
The virus seemed to spread quickly today. We have various versions of McAfee Enterprise installed on the network. Some clients have 8.0, 8.5i, and 8.7i. The servers all have the latest 8.7i and the 04/13/09 McAfee DAT. Despite being protected with On-Access, Access Protection, and overflow protection, this virus seems to disable the client version and redistribute the virus to servers via mapped network drives and/or vice versa. Quite common is the autorun.inf which seems to initiate the virus from either the server or the client which kicks off various .pif files, infectious exes, other autorun.infs, and/or trojans. We have flirted with disabling Autorun (on all drives) via GPO with no success.
Has anyone seen this or have any recommendations? Various online resources and contacts seem to yield minimal results. Any information would be greatly appreciated.
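An added triage example, not part of the original post: a Python sketch that reads the `autorun.inf` at the root of each drive or share and lists launch entries pointing at `.pif`, `.exe` or similar files, the pattern the post describes. The function names, the extension list and the sample file content are assumptions constructed for illustration.

```python
import os
import re

# .pif and .exe come from the post; the other extensions are an assumption.
EXEC_EXT = (".exe", ".pif", ".com", ".scr", ".bat", ".cmd")
# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section, skipping junk lines."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            entries.append((key.lower(), value))
    return entries

def suspicious_targets(text):
    """Return (key, target) for launch commands whose target is an executable type."""
    hits = []
    for key, command in launch_entries(text):
        m = re.match(r'"([^"]+)"|(\S+)', command)
        target = (m.group(1) or m.group(2)) if m else ""
        if target.lower().endswith(EXEC_EXT):
            hits.append((key, target))
    return hits

def scan_roots(roots):
    """Map each root that has an autorun.inf with executable targets to its hits."""
    report = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                hits = suspicious_targets(fh.read())
            if hits:
                report[root] = hits
    return report

# Constructed sample, not taken from a real infection.
SAMPLE = ";junk\n[AutoRun]\nzzqx\nopen = qwkd.pif\nshell\\explore\\command= xjrt.exe\nicon=shell32.dll,4\n[Other]\nopen=ignored.exe\n"
```

Call `scan_roots` with the drive letters or UNC share roots to check. Legitimate installer media also uses `open=setup.exe`, so hits are leads for review rather than verdicts.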