Weird Server Permissions Issue.



For some reason the virus definitions have not been updating, even though when I have checked the logs it is shown as Successful, with no errors, leading me to believe they have been updating when they haven't. The virus definitions were 55 months old. I am updating them manually on each workstation and running a full scan... yawnnn


That might be tough! Most likely you would have to go through the machines and find out from the timestamps and logs when the infection first showed up on each machine.

The virus scanner is one part, but what about the MS patches that would have prevented the exploit remotely, one method of the worm spreading? If your machines were patched, then the other machines got infected with one of the worm's other methods: putting itself on shares and then users running it, etc., shared media with autorun enabled, etc.

It's been a common security practice for quite some time to disable autorun; it was an accident waiting to happen when it was first introduced years and years ago. It provides no real benefit while leaving a very LARGE GAPING hole in helping to prevent the spread of unwanted ware ;) Be it malicious in nature or not.

The first thing I do on any machine I ever touch is make sure autorun is disabled. I do it mostly because of the nagging it does every time you put in a CD or USB/flash drive/stick; I don't want to be bothered with it asking me anything or, for gosh sakes, running something off the media.

Seems like you do not use any sort of central anti-virus management, something you will want to look into I'm thinking ;)

If you need help getting it cleaned up, just ask; there are many resources/tools out there for getting your network cleaned and secured from this nasty one.


That is a nasty virus. There are a lot of articles and utilities that will help you get rid of it. Being patched could help too. Maybe you want to think of a WSUS server and an enterprise antivirus/antimalware device/software.


We have McAfee Enterprise 8.7 (well, we do now I have updated it) but the definitions were 55 months old. We have the ePO thing on the server and I thought it was being managed and updated regularly. When I eventually checked the workstation this morning to do a manual scan I got an error saying they were 55 months out of date; I checked the logs on the server and there were no errors in updating, so I have no idea what's been going on there.

I have now updated the software (manually) and updated the definitions (manually). I ran a full scan using this, then a full scan using the Microsoft Malicious Software Removal Tool. Tomorrow I'll be running another McAfee scan to make sure nothing has been left around, before I allow them back onto the network.

Do you think this should do it? Or is there something else I need to do?

All machines have Windows XP Service Pack 3. When I checked for the patch for this, it wasn't available. I'm guessing it's already patched with SP3.

I'll definitely disable AutoRun.

It doesn't look like it's infected the Vista machines. It's on both servers and roughly 20 XP machines.


As long as all PCs are patched this should not have happened. The patch should have been built into SP3. This would be a good time to enforce a WSUS server (free from Microsoft) and proper policies.


I agree the patch prevents the remote exploit (spreading without user involvement), but it does not prevent infection from the user running infected code, or from the machine auto-running the infection on media.

Win32/Conficker has multiple propagation methods. These include the following:

* Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)

* The use of network shares

* The use of AutoPlay functionality

Once one machine is infected with it, it will place itself on shares it has access to, for example; the user could see these files and run them and then infect their machine, since the virus scanner was completely out of date, etc.


I've added some workstations back to the network, but when certain users try to access some network shares they get errors:

Error loading DLL: .\RECYCLER\etc...etc\randomfilename.dll

It's as if it's trying to run when the network share is accessed. Where would the settings be to stop this?

I think it's more specific to individual user accounts. It's only happening to certain users. There is no Autorun.inf (that I can see) in the root of any of the network shares.

Edited by forcer
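An added example, not from this thread and not any vendor's removal tool, that triages share roots for the two artefacts the propagation post above and this one describe: an autorun.inf at the root that launches something, and a DLL or EXE parked under RECYCLER\<SID>. It scans a share tree constructed in a temp directory so it runs offline; pass real share roots (or a drive letter) as arguments to scan those instead. The severity rules, the SID-folder and D<drive><n> naming checks, and the sample file names are my assumptions, not findings from the thread.

```python
"""Triage share roots for an autorun.inf that launches something and for
DLL/EXE payloads tucked under a RECYCLER tree. Added example; not from the
thread and not part of any vendor's removal tool."""
import os
import re
import tempfile

RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
SID_DIR = re.compile(r"^S-1-5-21(-\d+){3,4}$", re.IGNORECASE)   # per-user recycle-bin subfolder
BIN_NAME = re.compile(r"^D[a-z]\d+\.", re.IGNORECASE)           # XP's own D<drive><n>.ext renaming
PAYLOAD_EXT = {".dll", ".exe"}
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}   # directives that run code


def parse_autorun(text):
    """Directives from the [autorun] section as {lowercase key: value}.
    Comment lines (';') and other sections are ignored."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_severity(target):
    """Assumed rule: a launch that reaches into RECYCLER, uses rundll32 or names a DLL is the worm pattern."""
    t = target.lower()
    return "high" if ("recycler" in t or "rundll32" in t or ".dll" in t) else "medium"


def scan_root(root):
    """Return (severity, path, detail) findings for one share root or drive."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, "r", errors="ignore") as fh:     # tolerate binary junk padding
            directives = parse_autorun(fh.read())
        launches = [v for k, v in directives.items() if k in LAUNCH_KEYS]
        for target in launches:
            findings.append((launch_severity(target), autorun, "autorun.inf launches " + target))
        if not launches:
            findings.append(("low", autorun, "autorun.inf present without a launch directive"))
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if parts[0].lower() not in RECYCLE_DIRS:
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() not in PAYLOAD_EXT:
                continue
            # A DLL/EXE under a SID folder that the bin did not rename itself is the suspicious drop.
            in_sid = len(parts) > 1 and SID_DIR.match(parts[1]) is not None
            sev = "high" if in_sid and not BIN_NAME.match(name) else "medium"
            findings.append((sev, os.path.join(dirpath, name), "executable inside recycle-bin tree"))
    return findings


def build_sample_shares(base):
    """Constructed share tree for the offline run: one clean root, one that looks infected."""
    clean = os.path.join(base, "Public")
    os.makedirs(os.path.join(clean, "docs"))
    with open(os.path.join(clean, "docs", "readme.txt"), "w") as fh:
        fh.write("nothing to see\n")
    bad = os.path.join(base, "Shared")
    sid = os.path.join(bad, "RECYCLER", "S-1-5-21-1234567890-1234567890-1234567890-1003")
    os.makedirs(sid)
    with open(os.path.join(sid, "randomfilename.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)                           # constructed stand-in for a payload
    with open(os.path.join(bad, "autorun.inf"), "w") as fh:
        fh.write(";filler a worm uses to push the real section out of sight\n"
                 "[autorun]\n"
                 "Action=Open folder to view files\n"
                 "open=rundll32.exe .\\RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1003\\randomfilename.dll\n")
    return clean, bad


def run_sample():
    """Build the constructed tree in a temp dir and scan both roots."""
    base = tempfile.mkdtemp(prefix="sharescan-")
    clean, bad = build_sample_shares(base)
    return scan_root(clean), scan_root(bad)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:]                       # e.g. /mnt/shares/Public  or  \\server\share
    results = [(r, scan_root(r)) for r in roots] if roots else list(zip(("Public", "Shared"), run_sample()))
    for root, findings in results:
        print("%s: %s" % (root, "clean" if not findings else "%d finding(s)" % len(findings)))
        for sev, path, detail in findings:
            print("  [%s] %s: %s" % (sev.upper(), path, detail))
```

Run it against every share root and every removable disk that has touched the network, not just the ones users complained about; a root with no autorun.inf can still carry the RECYCLER drop. One caveat on the patch discussion above: security update 958644 (MS08-067) was released in October 2008, after Windows XP SP3, so it is not contained in SP3 and has to be installed, or confirmed present under Add or Remove Programs with "Show updates" ticked, on each XP machine separately.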

You have to keep the PCs off the network until the virus is completely removed from all workstations/servers.

You can try this:

http://www.symantec.com/security_response/...-011316-0247-99

In case you are wondering why I sent you there:

"The Conficker worm, sometimes called Downadup or Kido has managed to infect a large number of computers."

Taken from here; the above link was attached to this doc:

http://www.symantec.com/norton/theme.jsp?t...=conficker_worm


Thanks, I'll run that tool too.

This is what I'm doing:

Disconnect from network

Update McAfee

Update definitions

Install patch

Run the Microsoft Malicious Software Removal Tool

Run a full McAfee scan

Run the Symantec removal tool

I'm stressed now.


2 days later the virus is gone, no MRxSMB errors today so fingers crossed... but we're getting W32Time errors in the event log saying the NTP server didn't respond.

Can anyone tell me a reliable time source? I've tried a few.


Did you change your announce flags?

Set AnnounceFlags to 5. To do this, follow these steps:

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

In the right pane, right-click AnnounceFlags, and then click Modify.

In Edit DWORD Value, type 5 in the Value data box, and then click OK.

http://support.microsoft.com/kb/816042

Look for the heading "Configuring the Windows Time service to use an external time source" about 1/3 down the page.


There are lots of reliable time sources.

http://support.ntp.org/bin/view/Servers/WebHome

Scroll down a bit and you will see

The complete lists are available from the following links. For detailed information about a server click the hostname in the list.

* Public NTP Pool Time Servers

* Public NTP Secondary (stratum 2) Time Servers

* Public NTP Primary (stratum 1) Time Servers

So is your server syncing at all - or always failing? You need to make sure that port 123 UDP is open on your firewall(s)

edit:

Timesync is kind of a hobby of mine ;) Just something about the tech that I like, I guess. Anyway, not suggesting you change away from the built-in services from Windows for a work network, but on my home network I run the true NTP client on all boxes, be it Windows or Linux; the NTP tools are much better suited for troubleshooting and status and stats vs. the stuff in Windows, even though w32tm can give you lots and lots of info to work with.

I like this monitor tool as well; here is a screenshot of the stats you can produce.

Not something you really need in a home setup ;) But I like to know my computers' time is "correct".

edit2: btw if anyone is interested you can grab the Windows NTP client from here:

http://www.meinberg.de/english/sw/ntp.htm

Along with that monitoring software.

Edited by BudMan
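For the "is it syncing at all, or always failing, and is UDP/123 open" question in the post above, here is an added example (not from the thread, and not a replacement for w32tm on the Windows boxes): a minimal SNTP client in Python that sends one request, validates the reply the way RFC 4330 asks (server mode, originate timestamp echoing what we sent, no kiss-o'-death, sane stratum and leap indicator) and computes the clock offset and round-trip delay from the four timestamps. A socket timeout is the symptom you get when the server is down or a firewall drops UDP/123. The default host pool.ntp.org and the constructed server reply used for the offline check are assumptions.

```python
"""Minimal SNTP (RFC 4330) client: one request to UDP/123, reply validation,
and offset/delay calculation. Added example; not from the thread."""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800                   # 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KISS_OF_DEATH = {b"DENY", b"RSTR", b"RATE"}   # RFC 4330 sec 8: server is telling us to stop/slow down


def to_ntp(unix_seconds):
    """Unix float time -> 64-bit NTP timestamp as a (seconds, fraction) uint32 pair."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(seconds, fraction):
    """NTP (seconds, fraction) -> Unix float time; an all-zero field means 'unset'."""
    if seconds == 0 and fraction == 0:
        return None
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3; t1 travels in the Transmit field (bytes 40-47)."""
    header = struct.pack("!BBBb", 0x23, 0, 0, 0)              # 0x23 = 00 100 011
    return header + bytes(12) + bytes(24) + struct.pack("!II", *to_ntp(t1))


def parse_reply(data):
    """Decode a server packet into a dict; validation is separate (validate_reply)."""
    if len(data) < 48:
        raise ValueError("reply too short: %d bytes" % len(data))
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBBb", data[:4])
    _root_delay, _root_disp, ref_id = struct.unpack("!II4s", data[4:16])
    ts = struct.unpack("!8I", data[16:48])     # reference, originate, receive, transmit
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "ref_id": ref_id,
        "originate_raw": data[24:32],          # compared byte-for-byte with what we sent
        "receive": from_ntp(ts[4], ts[5]),     # t2
        "transmit": from_ntp(ts[6], ts[7]),    # t3
    }


def validate_reply(reply, request):
    """Reasons this reply must not be used to set the clock (empty list = usable)."""
    problems = []
    if reply["mode"] != 4:
        problems.append("mode %d is not a server reply" % reply["mode"])
    if reply["originate_raw"] != request[40:48]:
        problems.append("originate timestamp does not echo our transmit timestamp (stale or spoofed)")
    if reply["stratum"] == 0:
        code = reply["ref_id"]
        problems.append("kiss-o'-death %r" % code if code in KISS_OF_DEATH else "stratum 0 reply")
    elif reply["stratum"] > 15:
        problems.append("stratum %d is invalid" % reply["stratum"])
    if reply["leap"] == 3:
        problems.append("server clock is unsynchronized (LI=3)")
    if reply["transmit"] is None:
        problems.append("transmit timestamp is zero")
    return problems


def offset_and_delay(t1, t2, t3, t4):
    """RFC 4330 clock offset and round-trip delay from the four timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def query(host, port=NTP_PORT, timeout=3.0):
    """One round trip; returns (offset, delay, reply). socket.timeout means the
    server is down or UDP/123 is blocked somewhere on the path."""
    t1 = time.time()
    request = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        data, _ = s.recvfrom(512)
    t4 = time.time()
    reply = parse_reply(data)
    problems = validate_reply(reply, request)
    if problems:
        raise ValueError("%s: %s" % (host, "; ".join(problems)))
    offset, delay = offset_and_delay(t1, reply["receive"], reply["transmit"], t4)
    return offset, delay, reply


def make_sample_reply(request, t2, t3, stratum=2, ref_id=b"\x0a\x00\x00\x01", leap=0):
    """Constructed server reply for the offline check; a real server fills these in."""
    head = struct.pack("!BBBb", (leap << 6) | (4 << 3) | 4, stratum, 6, -20)
    body = struct.pack("!II4s", 0, 0, ref_id)
    return (head + body + struct.pack("!II", *to_ntp(t3)) + request[40:48]
            + struct.pack("!II", *to_ntp(t2)) + struct.pack("!II", *to_ntp(t3)))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"   # assumed default
    try:
        off, dly, rep = query(host)
        print("%s stratum %d offset %+.3fs delay %.3fs" % (host, rep["stratum"], off, dly))
    except socket.timeout:
        print("%s: no reply on UDP/%d (server down or port blocked)" % (host, NTP_PORT))
```

Run it from the server that is logging the W32Time errors, against the same host you gave w32tm; a timeout there but a good reply from another machine on the outside of the firewall tells you the problem is the firewall, not the time source. A clean reply with a large offset means the server is reachable and the local clock is simply far out, which the Windows Time service will refuse to correct beyond its configured limits.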

Thanks for the info, I'll be sure to give it a go.

I think I checked the AnnounceFlags registry entry and it didn't exist. If this is the case, should I just create it?

Again, thanks to both of you for your help; it's appreciated and I've learned some stuff :)
