CecilAdmin
W32/Sality.gen.c running rampant on network...

Has anyone seen this virus recently?  Somehow this virus has entered our network and is dropping other trojans and rootkits such as the following:

+ NTRootKit-AB (Trojan)
+ RemAdm-ProcLaunch!171 (Remote Admin Tool)
+ Spam-Mailbot (Trojan)

The virus seemed to spread quickly today.  We have various versions of McAfee Enterprise installed on the network.  Some clients have 8.0, 8.5i, and 8.7i.  The servers all have the latest 8.7i and the 04/13/09 McAfee DAT.  Despite being protected with On-Access, Access Protection, and overflow protection, this virus seems to disable the client version and redistribute the virus to servers via mapped network drives and/or vice versa.  Quite common is the autorun.inf which seems to initiate the virus from either the server or the client which kicks off various .pif files, infectious exes, other autorun.infs, and/or trojans.  We have flirted with disabling Autorun (on all drives) via GPO with no success.

Has anyone seen this or have any recommendations?   Various online resources and contacts seem to yield minimal results.  Any information would be greatly appreciated.
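An added example (not from the thread) for the autorun.inf angle in the question: a small checker that reads an autorun.inf the way Windows does and reports which launch keys (open=, shellexecute=, shell\verb\command=) point at an executable such as a .pif. Run it over autorun.inf files found on mapped drives or USB sticks to see what they would have launched; the sample file below is constructed for the example.

```python
import os
import re

# File types an [autorun] launch key can hand to the shell directly.
EXECUTABLE_EXT = {".exe", ".pif", ".com", ".bat", ".cmd", ".scr", ".vbs"}

# Keys that make Windows run something on insert/double-click.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$", re.I)

def parse_autorun(text):
    """Return the raw 'key=value' lines of the [autorun] section.
    Lenient like Windows' INI reader: case-insensitive, junk lines ignored."""
    lines, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            lines.append(line)
    return lines

def analyze_autorun(text):
    """Flag launch keys whose target is an executable; returns a list of dicts."""
    findings = []
    for line in parse_autorun(text):
        m = LAUNCH_KEY.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        target = (value.split() or [""])[0].strip('"')   # first token; rest = arguments
        ext = os.path.splitext(target)[1].lower()
        if ext in EXECUTABLE_EXT:
            findings.append({"key": m.group(1).lower(), "target": target, "ext": ext})
    return findings

# Constructed sample in the style the question describes (a .pif at the drive root).
SAMPLE = """[AutoRun]
open=setup.pif
shell\\open\\Command=setup.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
```

Pair it with os.walk over each mapped drive root to collect every autorun.inf before cleaning; a hit is a pointer to the dropped file to quarantine, not proof by itself.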
bigpadhakoo

I recommend you to download Trojan Remover to fix this and all other existing rootkit threats. You can download a trial version of a fully functional 30-day copy. Follow this link. http://www.simplysup.com
ASKER CERTIFIED SOLUTION
ryan80
SOLUTION
XT
In case safe mode is corrupted too, you can try Roguefix which is a batch file that will remove a lot of rootkits.  I have had to use this first sometimes in safe mode before I could run a standard antivirus.

Also you could use something like BartPE if things are really ridiculous. It is a bootable OS that runs in RAM. It has add-ons that you can use to do things like virus scans.
CecilAdmin

ASKER

Awesome feedback.  We are proceeding with many examples including the ones mentioned here.  A lot of the infected clients will not boot into Safe Mode at all in which case we are trying to run a couple mods/scripts to try to re-enable its functionality.
Roguefix is a text file that runs as a batch file.  I have not found a single virus yet that prevented it from running.  It usually allows you to be able to run Combofix afterwards.
The Roguefix does not restore the Safe Mode functionality though.... the virus corrupts the computer and forces it to load Windows normal mode to load itself in memory (Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt all Blue Screen), then the virus will actually kill the AVG removal tool.
Yeah, Roguefix doesn't restore safe mode, but it can make it usable.
It can kill the virus that stops safe mode and the virus removal tool.  At least I've seen it do it with other viruses.
How can we get safe mode restored -- that should be one of the first steps to be able to run a successful scan without the virus running in memory, for example.  We've pondered BartPE.  I am willing to open another expert question too.
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
^We found this site which works great for XP clients; however, I am thinking the keys are probably different on Windows Server 2003 SP1 and SP2?
^We were able to export the keys from another Win2k SP2 Ent server and import them into the suspect servers to regain access to safe mode with command prompt for virus scans.
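An added example (not from the thread or the linked blog) for the export/import step above: before importing a clean server's SafeBoot export into a suspect machine, parse both .reg files and list which SafeBoot subkeys the suspect is missing, so you know the import actually covers the damage. Both exports below are constructed and abridged; only string values are decoded, which is all the SafeBoot tree uses.

```python
import re

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

def parse_reg_keys(reg_text):
    """Map key path -> {value name: string data} for a REGEDIT4 / 5.00 export."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                 # new key header
            keys[current] = {}
            continue
        m = re.match(r'^(@|"([^"]*)")\s*=\s*"(.*)"$', line)
        if m and current is not None:            # @="x" or "name"="x"
            keys[current]["" if m.group(1) == "@" else m.group(2)] = m.group(3)
    return keys

def safeboot_entries(reg_text):
    """Subkeys below SafeBoot (e.g. 'Minimal\\Base'), keyed relative to SafeBoot."""
    prefix = SAFEBOOT_ROOT.lower() + "\\"
    return {k[len(prefix):]: v for k, v in parse_reg_keys(reg_text).items()
            if k.lower().startswith(prefix)}

def missing_safeboot_keys(clean_reg, suspect_reg):
    """SafeBoot subkeys present on the clean machine but absent on the suspect."""
    suspect = {k.lower() for k in safeboot_entries(suspect_reg)}
    return sorted(k for k in safeboot_entries(clean_reg) if k.lower() not in suspect)

# Constructed clean export (a real SafeBoot tree has dozens of entries).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"
"""
# Constructed suspect export: the Minimal and Network subtrees are gone, so Safe Mode
# has nothing to load and blue-screens.
SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""
```

Real 5.00-format .reg files are UTF-16, so open them with encoding="utf-16" before passing the text in; an empty missing list after the import is the go-ahead to try Safe Mode with Command Prompt.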
Nice find. That can really come in handy.
McAfee 8.7i w/ AntiSpyware Module 8.7 with the latest DAT up until Friday 04/17 still would not clean the virus.  It would detect but not clean.  McAfee argued that it was running in memory, but we could replicate the issue on a clean image every time on multiple computers.  If an infected USB drive was plugged into a clean machine or an infected drive mapped, the virus would jump immediately (or vice versa).  McAfee would detect it, but fail to clean it as you could see the virus begin to spread across the machines.

We finally got our ticket escalated up to level 4 with McAfee after submitting the variant to AVERT w/ relative logs, in which case early Friday morning they released a 04/17 beta Super DAT.  We replicated the exact same scenario as before; however, with the newly applied DAT McAfee 8.7i was able to not only detect the virus, but also clean it, essentially stopping it from spreading, which previous DATs were unable to do.  They have a process of including the DATs in the next DAT interval, so hopefully if anyone runs across this virus it can actually be stopped with the latest McAfee DATs.  In the meantime, I believe the beta Super DAT (at least on Friday) on their page will suffice in case they have not bundled it yet with the latest DAT release...

http://vil.nai.com/vil/virus-4d.aspx
^avvwin_xdatbeta.exe
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-041814-2904-99&tabid=3
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3

^We ended up imaging the client machines.  Any essential clients or servers that could not be duplicated, we followed Symantec's removal guide that also included specific registry keys to remove and/or fix.

We found that despite the machines being clean and up to date, registry key values detailed in the above Symantec links were added by the virus and/or related drops making the machine vulnerable to connect to the Internet and reinfect itself.  While the McAfee software would now detect and clean On Access, the process would continue due to the vulnerability.  Plus, if any new variants popped-up, we would be extremely susceptible to new infections.