Determining who/what PC is modifying files via a network drive

Hi, I just dealt with a customer's Windows 2003 R2 server last night. They were infected with the Win32.Pirate.B virus. That virus modifies all exe files and adds about 180k to the file. We were battling the issue and having a hard time identifying what system was causing these modifications. All of the PCs had a mapped drive letter to the server. The server showed no open files and just 1 or 2 sessions under Computer Management (we were fixing this after hours so there was very little PC use at the time), yet the files were being changed as soon as we restored them. Also, the modified date of the files was not changing according to Windows. I enabled file auditing and no events were created.

I saw similar issues with CryptoWall at another site: there were no open files listed via Computer Management on the server, yet the files were clearly being modified while I was checking.

Does anyone know how the viruses are managing to modify a file without changing the modified date, as well as going undetected in Computer Management under Open Files/Sessions? Can anyone recommend an alternative way to identify what system has open files on a server? In the end we tracked the machine down by checking the registry of all computers. They had about 80 machines, so it was tedious. In the past I had found Computer Management/Open Files to be a reliable tool, but the last few viruses I have encountered don't seem to show their activity on this screen.
Rob G (Microsoft Systems Engineer) Commented:
There is a fairly good article on this here:
I wonder if one of these might work for the information you are trying to pull..?
andreas (System Admin) Commented:
Are you sure the modifications are coming from the network and not from the server itself?

Test by disconnecting the server from any network connections, clean some files in the affected paths and wait to see if they become infected again.

This would also explain why you can't see the network sessions.

If the files stay intact without network, next would be to sniff the traffic on the LAN port of the server to see which systems are communicating with the server.

Does the server export any of those directories by FTP, NFS etc.?
Rob G (Microsoft Systems Engineer) Commented:
Assuming that you have a central AV installed.. do you not see it in the management server?

You could do this really simply..

Just create a login script..
In the script have everyone reboot..
and delete the following files and keys..
Once you do that, you will likely have to figure out which user is getting popups of missing files or failed software launches.. But that should do it..  

%User Temp%\{random file name}.tmp - detected as PE_PARITE.A-O
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ "PINF"

Oh.. Also..
You can modify files through command prompt without changing dates, it's used when you backup a file, so that you know when it was last backed up or created.. depending on the script..
Baran711 (Author) Commented:
The changes were definitely coming from the network. We have cleaned the infections and identified the PC causing the issue. That being said, we need a better way to identify the PC modifying the files moving forward. The built-in Sessions/Open Files doesn't seem to work with modern viruses.
Rob G (Microsoft Systems Engineer) Commented:
The AV doesn't see the changes of the files as an infection?
That's a major issue.. because the changes themselves likely are done through simple DOS commands which don't show the change..
I wonder if there is anything added to the code, like a 000000xa or something to that effect in which then you can scan for..
The question I guess I am asking..
Any idea what it added to the file, other than the size?
andreas (System Admin) Commented:
Then instruct all users not to use the server but leave the clients running and then sniff the network traffic. Or, depending on how many clients you have, turn off all clients and then turn them on one by one to check which one will introduce the problem.

Finding the virus on the clients doesn't mean the server itself is clean. The server may even run another malware that only DROPS the thing you find in the exe files. You really should consider the server itself compromised too, especially if you have logged on to one of the clients as domain admin or other accounts with higher privileges. This worm can also spread by exploiting Windows security holes, so be sure your server and clients are up to date with all patches.
andreas (System Admin) Commented:
@rob It's a polymorphic virus, therefore any AV does NOT have a chance to detect the modified binaries, as each copy has a different coding. You can only detect changes if you have checksums of the clean files.
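The checksum approach andreas describes, written out as an added example (not code from the thread or from any poster): a PowerShell script that records SHA-256 hashes of the executables on a share while it is known clean, and on later runs reports every file whose content differs from the baseline, regardless of what the LastWriteTime says. The share root and baseline path are assumptions; Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the thread). Builds a SHA-256 baseline of the
# executables on a share and later reports files whose content changed,
# even when the LastWriteTime was left untouched. The paths are assumptions.
param(
    [string]$Root     = 'D:\Shares\Apps',            # assumed share root
    [string]$Baseline = 'C:\Audit\exe-baseline.csv', # assumed baseline file
    [switch]$Rebuild                                 # force a fresh baseline
)

function Get-ExeInventory {
    param([string]$Path)
    # Hash every PE-style file under the share; size and mtime are recorded
    # only so the report can say whether the timestamp was preserved.
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Length    = $_.Length
                LastWrite = $_.LastWriteTimeUtc.ToString('o')
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Rebuild -or -not (Test-Path -Path $Baseline)) {
    # First run (or explicit rebuild) on a known-clean share: record the baseline.
    Get-ExeInventory -Path $Root | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline of clean hashes written to $Baseline"
    return
}

# Later runs: compare the current state of the share against the baseline.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_ }

$findings = foreach ($f in Get-ExeInventory -Path $Root) {
    $b = $known[$f.Path]
    if (-not $b) {
        [pscustomobject]@{ Path = $f.Path; Change = 'NewFile'; SizeDelta = $f.Length; MtimePreserved = $null }
    }
    elseif ($b.Sha256 -ne $f.Sha256) {
        # Content differs from the clean copy. A size delta of roughly 180 KB
        # with an unchanged mtime matches what the question describes.
        [pscustomobject]@{
            Path           = $f.Path
            Change         = 'ContentChanged'
            SizeDelta      = $f.Length - [int64]$b.Length
            MtimePreserved = ($b.LastWrite -eq $f.LastWrite)
        }
    }
}

if ($findings) { $findings | Sort-Object Change, Path | Format-Table -AutoSize }
else           { Write-Host "No executables differ from the baseline." }
```

Run it once with `-Rebuild` right after restoring clean files, then schedule it to run every few minutes during an incident; the first run that lists `ContentChanged` entries gives you a timestamp window to line up against the server's SMB session list and audit log, which is far quicker than visiting each client.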
Run a trial using netwrix network auditor, you'll find your answers
Rob G (Microsoft Systems Engineer) Commented:
Do you have a backup?
Since the virus is cleaned out, maybe just restore the entire drive?
Baran711 (Author) Commented:
We are a bit off topic; the issue is already fixed and the discussion about AV or backup is irrelevant. I am simply looking for a better way to track down the source of problems like this in the future. I have hundreds of clients; it's bound to happen again somewhere else. I will need to look into Netwrix as trsteam suggested; that looks like the closest thing to what I am asking for so far. I just want to be able to pinpoint the system that is modifying the files as fast as possible next time. Checking each machine isn't ideal.
Rob G (Microsoft Systems Engineer) Commented:
I am pretty sure from a modification standpoint you could just use Microsoft Auditing in Group Policy. I am not 100% sure this is what you are looking for, or if it still exists, as the last time I used it was in 2k Advanced Server, but there are better third-party tools that will show more detail. I believe SolarWinds LEM will do this in more detail, but it is a little expensive.

To do this through Windows you can:
Enable Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy
Start Explorer

Right click on the files/folders select Properties
Select the Security tab
Click the Advanced button
Select the Audit tab
Click Edit
Click Add
Select 'Everyone'
Click OK
Select the actions to audit such as 'List folder/read data'
Click OK
Click OK to all dialogs

The dialogue might be slightly different, and you may have to play with it a little to see if it still works in the newer OSs, but I am pretty sure this will do what you are looking for.. if it is still there..
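The same setup Rob walks through in the GUI, scripted as an added example (not code from the thread or from any poster). It enables the object-access audit policy locally, adds a SACL entry on the share root, and pulls the resulting Security events. Two details matter for the problem in this thread: auditing only 'List folder/read data' fires when someone browses the folder, so the entry here audits write, append and delete instead; and event 4663 names the account and file but not the machine, so the script also collects 5145 (Detailed File Share), which carries the client IP the SMB request came from. The share path is an assumption; the subcategory names and event IDs are those of Windows Server 2008 R2 and later, and the script must run elevated.

```powershell
# Added example (not from the thread). Turns on file-system auditing for a
# share, audits writes by Everyone, then reports who and which client wrote.
# $ShareRoot is an assumption; run from an elevated PowerShell prompt.
$ShareRoot = 'D:\Shares\Apps'

# 1. Audit policy (the local equivalent of the Group Policy path in the thread).
#    "File System" yields 4663; "Detailed File Share" yields 5145 with client IP.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Detailed File Share" /success:enable | Out-Null

# 2. SACL entry on the share root, inherited by every file and folder below it.
#    Read-only auditing would only show people browsing; writes are what we want.
$acl    = Get-Acl -Path $ShareRoot -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteAttributes'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ShareRoot -AclObject $acl

# 3. Read the events back. Each event's XML payload holds named Data fields.
function Get-ShareWriteEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 5145; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            # 5145 names the path relative to the share; 4663 gives the full object name.
            $object = if ($_.Id -eq 5145) { $data['RelativeTargetName'] } else { $data['ObjectName'] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $data['SubjectUserName']
                Client  = $data['IpAddress']     # populated on 5145 only
                Object  = $object
                Access  = $data['AccessMask']
            }
        }
}

Get-ShareWriteEvents | Sort-Object Time | Format-Table -AutoSize
```

Correlating a 4663 write on an exe with the 5145 entry a few milliseconds earlier for the same account and relative path gives the client IP directly, which is the "which PC" answer the question is after. The 4663 volume on a busy share is high, so raise the Security log size before enabling this.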