Solved

W32/Sality.gen.c running rampant on network...

Posted on 2009-04-14
15
2,656 Views
Last Modified: 2013-11-22
Has anyone seen this virus recently?  Somehow this virus has entered our network and is dropping other trojans and rootkits such as the following:

+ NTRootKit-AB (Trojan)
+ RemAdm-ProcLaunch!171 (Remote Admin Tool)
+ Spam-Mailbot (Trojan)

The virus seemed to spread quickly today.  We have various versions of McAfee Enterprise installed on the network.  Some clients have 8.0, 8.5i, and 8.7i.  The servers all have the latest 8.7i and the 04/13/09 McAfee DAT.  Despite being protected with On-Access, Access Protection, and overflow protection, this virus seems to disable the client version and redistribute the virus to servers via mapped network drives and/or vice versa.  Quite common is the autorun.inf which seems to initiate the virus from either the server or the client, which kicks off various .pif files, infectious exes, other autorun.infs, and/or trojans.  We have flirted with disabling Autorun (on all drives) via GPO with no success.

Has anyone seen this or have any recommendations?  Various online resources and contacts seem to yield minimal results.  Any information would be greatly appreciated.
0
Question by:CecilAdmin
15 Comments
 
LVL 1

Expert Comment

by:bigpadhakoo
ID: 24136138
I recommend you download Trojan Remover to fix this and all other existing rootkit threats. You can download a trial version of a fully functional 30-day copy. Follow this link: http://www.simplysup.com
0
 
LVL 12

Accepted Solution

by:
ryan80 earned 300 total points
ID: 24136269
This is a nasty virus that can sometimes make you have to format.  Try these suggestions:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t215884.html

I have always liked Combofix, Malwarebytes, and RogueFix, which is a batch file that I have found needs to be run first before Combofix for nasty bugs.

Remember, the virus will try to infect any media you connect to it, so consider it tainted and format it. Disable autorun.

AVG makes a Sality remover
http://free.avg.com/virus-removal.ndi-67769

Good luck.
0
 
LVL 11

Assisted Solution

by:xtreminator
xtreminator earned 200 total points
ID: 24137041
SpyDLLRemover is an effective solution to remove rootkits from a system.

ryan80 is right, AVG makes a Sality remover; you need to run it in Safe Mode.

Make weapons of these couple of tools and get rid of it.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 24138143
In case Safe Mode is corrupted too, you can try RogueFix, which is a batch file that will remove a lot of rootkits.  I have had to use this first sometimes in Safe Mode before I could run a standard antivirus.

Also you could use something like BartPE if things are really ridiculous. It is a bootable OS that runs in RAM. It has add-ons that you can use to do things like virus scans.
0
 

Author Comment

by:CecilAdmin
ID: 24140818
Awesome feedback.  We are proceeding with many examples including the ones mentioned here.  A lot of the infected clients will not boot into Safe Mode at all, in which case we are trying to run a couple of mods/scripts to try to re-enable its functionality.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 24140874
Roguefix is a text file that runs as a batch file.  I have not found a single virus yet that prevented it from running.  It usually allows you to be able to run Combofix afterwards.
0
 

Author Comment

by:CecilAdmin
ID: 24141834
RogueFix does not restore the Safe Mode functionality though.... the virus corrupts the computer and forces it to load Windows in normal mode to load itself in memory (Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt all Blue Screen), then the virus will actually kill the AVG removal tool.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 24141971
Yeah, RogueFix doesn't restore Safe Mode, but it can make it usable.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 24141980
It can kill the virus that stops Safe Mode and the virus removal tool.  At least I've seen it do it with other viruses.
0
 

Author Comment

by:CecilAdmin
ID: 24142494
How can we get safe mode restored -- that should be one of the first steps to be able to run a successful scan without the virus running in memory, for example.  We've pondered BartPE.  I am willing to open another expert question too.
0
 

Author Comment

by:CecilAdmin
ID: 24142990
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
^We found this site which works great for XP clients; however, I am thinking the keys are probably different on Windows Server 2003 SP1 and SP2?
0
 

Author Comment

by:CecilAdmin
ID: 24144364
^We were able to export the keys from another Win2k SP2 Ent server and import them into the suspect servers to regain access to safe mode with command prompt for virus scans.
0
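The two registry angles this thread turns on (the Autorun GPO that "had no success" in the question, and the SafeBoot keys that had to be re-imported from a clean server to get Safe Mode back) can be checked in one pass. The script below is an added triage example, not code from the thread or from any of the tools mentioned; it assumes the standard Windows registry locations for SafeBoot and the Explorer policy, and is run as an administrator on the suspect machine. It only reports; the fix (export the SafeBoot key from a clean machine of the same OS version and import it) is the one CecilAdmin describes above.

```powershell
# Added triage script (not from the thread). Reports whether the SafeBoot keys
# the thread discusses are present and how Autorun is configured, plus any
# root-of-drive autorun.inf, the spread vector described in the question.
# Assumption: standard registry layout (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot).

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$findings = @()

# Every Safe Mode variant blue-screening, as reported in the thread, is consistent
# with the Minimal/Network SafeBoot keys having been deleted; their absence is a
# concrete indicator that can be checked without booting into Safe Mode.
foreach ($sub in 'Minimal', 'Network') {
    $path = Join-Path $safeBootRoot $sub
    if (-not (Test-Path $path)) {
        $findings += "MISSING: $path (Safe Mode '$sub' will not boot)"
    } else {
        $count = (Get-ChildItem $path).Count
        if ($count -lt 10) { $findings += "SUSPICIOUS: $path has only $count entries" }
    }
}

# Autorun policy: NoDriveTypeAutoRun = 0xFF disables Autorun on all drive types.
# Both the machine and user policy hives are checked, since a GPO can land in either.
foreach ($hive in 'HKLM', 'HKCU') {
    $polPath = "$hive`:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $polPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val) {
        $findings += "AUTORUN: $hive NoDriveTypeAutoRun not set"
    } elseif ($val -ne 0xFF) {
        $findings += ("AUTORUN: $hive NoDriveTypeAutoRun = 0x{0:X2} (not 0xFF)" -f $val)
    }
}

# autorun.inf at the root of fixed and mapped drives is what the question describes
# kicking off the .pif and .exe droppers; list any that are present.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path $inf) { $findings += "AUTORUN.INF present: $inf" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Once the SafeBoot keys are restored and the machine boots to Safe Mode with Command Prompt, re-running the script should show no MISSING lines before the scan is started.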
 
LVL 12

Expert Comment

by:ryan80
ID: 24147529
Nice find. That can really come in handy.
0
 

Author Comment

by:CecilAdmin
ID: 24177771
McAfee 8.7i w/ AntiSpyware Module 8.7 with the latest DAT up until Friday 04/17 still would not clean the virus.  It would detect but not clean.  McAfee argued that it was running in memory, but we could replicate the issue on a clean image every time on multiple computers.  If an infected USB drive was plugged into a clean machine or an infected drive mapped, the virus would jump immediately (or vice versa).  McAfee would detect it, but fail to clean it, as you could see the virus begin to spread across the machines.

We finally got our ticket escalated up to level 4 with McAfee after submitting the variant to AVERT w/ relevant logs, in which case early Friday morning they released a 04/17 beta Super DAT.  We replicated the exact same scenario as before; however, with the newly applied DAT, McAfee 8.7i was able to not only detect the virus but also clean it, essentially stopping it from spreading, which previous DATs were unable to do.  They have a process of including the DATs in the next DAT interval, so hopefully if anyone runs across this virus it can actually be stopped with the latest McAfee DATs.  In the meantime, I believe the beta Super DAT (at least on Friday) on their page will suffice in case they have not bundled it yet with the latest DAT release...

http://vil.nai.com/vil/virus-4d.aspx
^avvwin_xdatbeta.exe
0
 

Author Comment

by:CecilAdmin
ID: 24425013
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-041814-2904-99&tabid=3
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3

^We ended up imaging the client machines.  Any essential clients or servers that could not be duplicated, we followed Symantec's removal guide that also included specific registry keys to remove and/or fix.

We found that despite the machines being clean and up to date, registry key values detailed in the above Symantec links were added by the virus and/or related drops, making the machine vulnerable to connect to the Internet and reinfect itself.  While the McAfee software would now detect and clean On Access, the process would continue due to the vulnerability.  Plus, if any new variants popped up, we would be extremely susceptible to new infections.
0