#1
Old 02-19-2013, 06:35 PM
drjones
 
Join Date: May 2012
Posts: 889
Entire network hit with porn.exe / sexy.exe - AGAIN

Just got a call from a client I helped rid of the porn.exe/sexy.exe virus/worm and they are reinfected.

I'm pretty irritated/upset as I have them on a contract with GFI; each workstation has MAV and is pretty well patched.

Any tools/ideas/strategies for scanning the whole network or am I just up for lots of labor on this?

Is it safe to use a bootable rescue CD like Kaspersky on a Windows 2008 server?

Ugh...thank you.
#2
Old 02-19-2013, 07:55 PM
YeOldeStonecat
 
Join Date: Nov 2011
Location: Southeast Connecticut
Posts: 7,979

Getting about 1 client a week whose office network gets hit with this one...
Seems to happen after someone opens an infected e-mail that has an attachment...those socially engineered e-mails with an attachment.

W32/Autorun.worm.aaeh has lots of other names depending on which AV product you have. "changeup" seems to be a common family name.

Hides shared directories that have full read/write access to the user that caught the virus (so typically any domain user).

Easy virus to clean up....
and shares that it roasts on the server....just got to the root of that share via command prompt from the server and "attrib -r -a -s -h /s /d"
__________________
Resident "Geek on a Harley" doing IT in Southeast Connecticut
http://www.dynamic-alliance.com/
https://www.facebook.com/YeOldeStonecat
#3
Old 02-20-2013, 04:59 AM
lassenpc
 
Join Date: Feb 2010
Location: Susanville CA USA
Posts: 221

Unsure about the bootable Kaspersky on 2008 (but if you have a full backup, why not?)

Stonecat is bang on with the fix, we had a public utility hit a few weeks ago with it, had to use the "attrib -r -a -s -h /s /d" for the root share, and for some reason all subfolders, but it still got the job done.

To shore things up on this end, we migrated them to Google Apps for their spam / phishing / virus-check-before-you-get-it benefits. That would be my only other suggestion: tightening up whatever email service or device you have handling such. Good luck!
__________________
Aaron Barnes, Owner
www.lassenpc.com
help@lassenpc.com
#4
Old 02-20-2013, 06:16 PM
pceinc
 
Join Date: Aug 2010
Location: Maryland
Posts: 818

We had an MSP client hit with this today. Sometimes you're the bug and sometimes you're the windshield. When I told the owner that it can come from spam email such as ADP Payroll, he knew exactly when it happened. He got such an email yesterday afternoon. The funny thing is, when the employees saw the filenames in the network shares under the owner's name, they clicked on it, infecting their own machines. They were more concerned with what their boss may be up to than whether the files could actually be a virus.

Our cleanup consisted of immediately changing the network share permissions to read only. Scanned all machines with Hitman Pro, then manually removed some files left behind in the profile folder. Vipre actually started to quarantine the files as we were cleaning. We also ran the attrib command to get the files to show up on the server.
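Posts #2, #3 and #4 all describe the same two symptoms on the file server (share folders stamped hidden+system, and the porn.exe / sexy.exe files sitting in the shares) and the same fix (an attrib run from the share root). The script below is an added example, not code anyone in this thread posted. It audits a share root for those two symptoms and writes a CSV report; only with -Restore does it clear the attributes, and then only on the flagged directories rather than on everything under the share. $ShareRoot and $ReportPath are assumed values to adjust; the file names are the two reported in the thread. It avoids PowerShell 3.0-only syntax so it runs on the PowerShell 2.0 that ships with Windows Server 2008.

```powershell
<#
  Added example, not code posted in the thread.
  Audits a file share for the two symptoms the posters describe:
    1. directories stamped Hidden+System (the state "attrib -r -a -s -h /s /d" reverses)
    2. executables named like the dropped files reported in the thread
  By default it only reports; -Restore clears the attributes on flagged
  directories the same way the thread's attrib command does.
  $ShareRoot and $ReportPath are assumed values.
#>
param(
    [string]$ShareRoot  = 'D:\Shares\Company',          # assumption: local path of the share root
    [string]$ReportPath = "$env:TEMP\share-audit.csv",   # assumption: where to write the findings
    [switch]$Restore                                      # clear attributes instead of only reporting
)

$suspectNames = @('porn.exe', 'sexy.exe')                 # file names reported in the thread
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

if (-not (Test-Path -LiteralPath $ShareRoot)) {
    throw "Share root '$ShareRoot' not found"
}

# -Force makes Get-ChildItem return hidden and system items, which it skips by default.
$items = Get-ChildItem -LiteralPath $ShareRoot -Force -Recurse -ErrorAction SilentlyContinue

$findings = foreach ($item in $items) {
    $reasons = @()

    # Symptom 1: a directory with BOTH Hidden and System set. Ordinary user folders
    # almost never carry this combination; the worm sets it to hide the real folder.
    if ($item.PSIsContainer -and (($item.Attributes -band $hiddenSystem) -eq $hiddenSystem)) {
        $reasons += 'hidden+system directory'
    }

    # Symptom 2: a file using one of the names the thread reports.
    if (-not $item.PSIsContainer -and ($suspectNames -contains $item.Name.ToLower())) {
        $reasons += 'suspect file name'
    }

    if ($reasons.Count -gt 0) {
        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            Path       = $item.FullName
            Attributes = $item.Attributes.ToString()
            LastWrite  = $item.LastWriteTime
            Reason     = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Path | Format-Table Path, Attributes, LastWrite, Reason -AutoSize
$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
"Findings: {0}  (report: {1})" -f @($findings).Count, $ReportPath

if ($Restore) {
    foreach ($f in ($findings | Where-Object { $_.Reason -like '*hidden+system*' })) {
        # Same clearing the thread recommends (attrib -r -a -s -h), applied only to
        # the flagged directory instead of every object under the share.
        & attrib.exe -r -a -s -h "$($f.Path)"
    }
}
```

Run it once without -Restore first and read the CSV: a directory that is hidden+system but legitimately so (a few system folders are) should not be touched, and the suspect files are better quarantined by the AV product or removed after you have a copy for analysis than left for users to click on. Post #4's step of making the share read-only while you clean stops the dropped executables being re-created between the report and the restore.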
Technibble.com is based out of MELBOURNE, AUSTRALIA.