Virus Evades Panda & Kaspersky
AngelicKnight
March 31st, 2006, 04:55 PM
It looks like I've got a pesky infection on my hands that I can't get to go away.
Yesterday I was checking one of our client's servers, and found that its memory was getting eaten up by many, many update.exe processes that were running in the background. A Google search quickly revealed this:
Process File: update or update.exe
Process Name: Downloader.W32.Gen
Description:
update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.
Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
(Link: http://www.liutilities.com/products/wintaskspro/processlibrary/update/)
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
So what should I do now? Before someone says "scan in safe mode", please note that's a last resort (though life would be a lot easier if I could). I work on these client machines remotely through RDC, so if I rebooted into safe mode, I'd lose access to the machine. If push comes to shove, we can send someone out there to do it in person, but that's a last resort.
What's funny is the client still has no clue they're infected. I just happened upon it while checking up on the server. That being the case, I hope I can get it cleaned out before they discover they have been infected -- just makes us look that much better when we fix problems before they know they have them!
morganlefay
March 31st, 2006, 05:13 PM
There is an obvious problem ...how does spyware get on a server???
the server is being used to surf the internet...to have these types of files\infections on it.
Once you get it cleaned you may want to "advise" them ..that servers should not be used to "surf the net"
MLF
dalek
March 31st, 2006, 05:16 PM
AngelicKnight
If you know the file paths you can try...Killbox (http://www.bleepingcomputer.com/files/killbox.php) It's a little utility that you can run and type in the infected file paths and at reboot will delete the files...
Luck
Edit: Here is some information on Bargain Buddy (http://articles.networktechs.com/431-p1.php)
morganlefay
March 31st, 2006, 05:27 PM
Personally I would be very careful trying to clean a live production server....cause one oops...and you may fluck it up more than it is already
The box should be backed up...taken offline and cleaned
Again...how does this type of infection get on a server in the first place??
MLF
AngelicKnight
March 31st, 2006, 05:44 PM
Yeah, this is a potentially sensitive issue because it's a key server on the network, one that they can't afford a lot of downtime on, so the idea is to avoid rebooting if at all possible. My first question was how it got on there in the first place too...No idea...The server is not used for web surfing, so that one has me scratching my head.
We managed to get rid of it though, I think. That update.exe is definitely designed to look like Windows Update. It's stored in C:\ in a gibberish-looking directory just like what Windows Update creates, except there were TONS of these directories, each with an update.exe (about 1.25GB worth of these directories!). We finally managed to kill all the processes and delete all the directories, so that cleaned it out manually. The question left now is --- Is there another program somewhere on the computer that's going to recreate these processes at some point?
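The question at the end of that post (will something respawn update.exe later?) is answered by looking at three things: what is running and what spawned it, what copies exist on disk and when they appeared, and what autostart locations point at the binary. The following PowerShell triage script is an added example, not something posted in the thread or a tool any of the participants used. It assumes it is run as a local administrator on the affected host, that the dropped directories sit directly under C:\ as described above, and a Windows version that ships the ScheduledTasks module (Server 2012 or later) for the scheduled-task check; the 2006-era box in the thread would predate that module, and a practitioner there would read the same locations with Autoruns or regedit instead. The process name, the C:\ search root and the `$DoKill` switch are assumptions for the example.

```powershell
# Added triage example: inventory update.exe processes, on-disk copies and
# autostart entries that could respawn them after a reboot.
# Assumptions: local administrator, affected host, dropped dirs under C:\.

$Name    = 'update.exe'                  # assumed process/file name from the thread
$Pattern = [regex]::Escape($Name)
$DoKill  = $false                        # set $true only after persistence is known

# 1. Running instances: path, parent PID and parent name. A parent that is
#    itself update.exe, or an unexpected service host, tells you what to stop first.
$procs  = Get-CimInstance Win32_Process -Filter "Name = '$Name'"
$report = foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        Pid        = $p.ProcessId
        Path       = $p.ExecutablePath
        ParentPid  = $p.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '<exited>' }
        CmdLine    = $p.CommandLine
    }
}
$report | Format-Table -AutoSize

# 2. Every copy one level below C:\, with creation time and signature status.
#    Genuine Windows Update binaries are Microsoft-signed; dropped copies will
#    show NotSigned/HashMismatch. The earliest CreationTime bounds when the
#    box was first touched, which is what you compare against backup dates.
$copies = Get-ChildItem -Path 'C:\' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Filter $Name -File -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            SizeBytes = $_.Length
            SHA1      = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
$copies | Sort-Object Created | Format-Table -AutoSize
if ($copies) {
    "Earliest drop: $(($copies | Sort-Object Created | Select-Object -First 1).Created)"
    "Distinct hashes: $(($copies.SHA1 | Sort-Object -Unique).Count)"   # one hash = one dropper
}

# 3. Autostart locations that would bring it back after a reboot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS*).PSObject.Properties |
            Where-Object { "$($_.Value)" -match $Pattern } |
            ForEach-Object { "Run key: $k\$($_.Name) = $($_.Value)" }
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $Pattern } |
    ForEach-Object { "Service: $($_.Name) -> $($_.PathName)" }
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    $t.Actions | Where-Object { "$($_.Execute)" -match $Pattern } |
        ForEach-Object { "Task: $($t.TaskPath)$($t.TaskName) -> $($_.Execute) $($_.Arguments)" }
}

# 4. Optional: stop parents before children, otherwise they respawn as the
#    post describes. Off by default; do not do this on a live production box
#    before it has been backed up and taken offline (the advice given below).
if ($DoKill) {
    $parents = $report | Where-Object { $_.ParentName -eq $Name } | Select-Object -ExpandProperty ParentPid -Unique
    foreach ($ppid in $parents) { Stop-Process -Id $ppid -Force -ErrorAction SilentlyContinue }
    foreach ($r in $report)     { Stop-Process -Id $r.Pid -Force -ErrorAction SilentlyContinue }
}
```

Run it once before touching anything and keep the output; the hash list and earliest creation time are what you hand to whoever rebuilds the box, and an empty step 3 with processes that still respawn means the launcher is somewhere this script does not look (WMI subscriptions, a service DLL, or another process entirely), which is the point the later replies make about not trusting a remote cleanup.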
Tiger Shark
March 31st, 2006, 05:46 PM
just makes us look that much better when we fix problems before they know they have them!
Not in this case my friend... This is called a teaching opportunity. Mistress LeFay is, as usual, absolutely correct when she asks "How did this get on the server"....
You can't clean this properly without safe mode... But you can't use safe mode remotely... You can't try talking them through it... The box has to come down - server or not. If this is only spyware then the downing of the box will teach them a lesson. If it's the downloader then the box really needs to be redone from scratch... a bigger lesson... Because it costs them more... right ;)
In this case you will look just fine by finding a problem they didn't know they had. The fixing is the lesson they need... :D
morganlefay
March 31st, 2006, 05:57 PM
The problem may be gone for now...but if you ever do have to reboot that server...there is a good chance it will come back...again and again and again until it is properly fixed.
Tiger is right...downing the box will teach them the lesson....
with a full reinstall...and the cost associated...I am sure someone will be looking into the "cause"
My .02 cdn
MLF
AngelicKnight
March 31st, 2006, 06:07 PM
Thanks guys, I'm definitely going to recommend taking that server down for further investigation. I don't know what all they use this server for, but I know it's running SQL, so it must have something to do with their company database management.
Dcrypter
March 31st, 2006, 06:50 PM
If they need a reason for you to take the server down, just simply tell them that they were running SQL and that there is a possibility that their DB might be compromised.
But I totally agree that the server should be downed.
If you can find the last backup done that wasn't infected, this should give you a general timeline of when and how.
GL on the server.
jcjzbrfay
March 31st, 2006, 07:02 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274643#post895689) by morganlefay
There is an obvious problem ...how does spyware get on a server???
the server is being used to surf the internet...to have these types of files\infections on it.
Once you get it cleaned you may want to "advise" them ..that servers should not be used to "surf the net"
MLF
I disagree with this assumption. It could have been introduced from a user clicking an email somewhere else on the network and then wormed its way onto the server through an exploit. Ever hear of Code Red?
The best thing to do would be to find a temporary replacement, and take down the production server. Clean it, and turn it back on. Personally, I would not copy anything from the prod server to the temp server, you do have all your code in a repository somewhere, right? You do have back ups of the databases, right?
morganlefay
March 31st, 2006, 07:11 PM
I disagree with this assumption. It could have been introduced from a user clicking an email somewhere else on the network and then wormed it's way onto the server through an exploit. Ever hear of Code Red?
Well.....why does that so-called user have those kinds of privileges on the network\server...to be able to run an exe on a server...
I am sorry.....can you explain???
I have seen worms infect open shares...because the users have full control rights to them....
Users on networks should not have administrative access to a server....
MLF
MrCoffee
March 31st, 2006, 08:06 PM
Personally I agree with TS (and everyone else) that the box needs to come down, but just as important, the end users need to know WHY it is coming down, and I don't think I would go out of my way to make it painless.
Remotely dealing with this issue is a bad idea at best.
jcjzbrfay
March 31st, 2006, 08:29 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274643#post895720) by morganlefay
Well.....why does that so-called user have those kinds of privileges on the network\server...to be able to run an exe on a server...
I am sorry.....can you explain???
I have seen worms infect open shares...because the users have full control rights to them....
Users on networks should not have administrative access to a server....
MLF
The user doesn't need access to the server for a worm to infect a server with a known exploit. Code Red spread across the internet via an exploit in the IIS service. I certainly had no special access to an internet server out on the web, but if I was infected with Code Red, and the server was not patched, I would infect it, without my knowing it. All on Port 80.
http://www.cert.org/advisories/CA-2001-19.html
Look up Reatle too. I had three servers that I use get infected with that, and those servers have never been connected to the Internet, their browsers were never configured. There are 6 people with access to the servers, and none with admin access. Reatle came into my company's network via an email sent to a user in Singapore, and within 12 hours, computers all over the internal network were infected. Obviously the server admins were lax in applying security patches, but hey, stuff gets missed from time to time.
It's not just about network shares, and shell access / remote desktop access anymore. If a worm can take advantage of an exploit in the OS, it can spread without a user having access to the system in any shape or form.
C4573R 7R0Y
March 31st, 2006, 08:35 PM
After you clean your server up, I would suggest that you implement proper security access controls, because someone has too many privileges on your network to allow this to get on a production device.
Tiger Shark
March 31st, 2006, 08:38 PM
If I might chime in here....
JC: Yep... Theoretically you are correct... But... 99% of the time non-publicly available servers are compromised by their idiot admins/users using the server like it was a workstation... and running in the context of an administrator...
That's the point dear Mistress LeFay is trying to, quite correctly, make... in her roundabout way... :D
C4573R 7R0Y
March 31st, 2006, 08:43 PM
My point exactly.
morganlefay
March 31st, 2006, 08:58 PM
I highly doubt that the problem the OP had was infected by a worm....because I have seen this before on many a workstation...although never on a server
A quick google search
Process File: update or update.exe
Description:
update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.
Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
From
http://www.liutilities.com/products/wintaskspro/processlibrary/update/
AFAIK....this happened through clickty click click click...whether on a website or in an email....does not matter.
Usually this kind of program can not infect unless someone with admin privileges clickity clicked it
and the server was not patched
Well...there we find the problem and why your server became infected in the first place...sloppy admin policy
Proper patching, monitoring etc should slowdown and\or prevent this from happening.
Filtering of email , AUP, monitoring of the network and the constant OS, Application and AV updates
Yes infections do happen...but can be easily contained if your network is properly configured.
Yes its a constant battle....
Keeps me in wine ;)
MHO..as always :cool:
MLF
dalek
March 31st, 2006, 09:05 PM
Yeah that's why I pointed out "Bargain Buddy", it's a Browser Hijacker, remember that stupid parrot (Bonzi) that was around a few years ago, kids loved it, so everyone downloaded it along with the baggage.....
MLF is correct, a user had too much free time and too many rights....
What is Bargain Buddy?
Bargain Buddy AKA Cashback by Bargain Buddy is a piece of adware that allows you to receive a rebate on purchases from participating merchants. Relevant ads are displayed as popups by the Bullseye Network portion of the software while it has a BHO (browser hijacker object) component to handle 404 errors in the form of a web site called Navisearch. All of these products are part of the Bargain Buddy package run by eXact Advertising.
PC Hell (http://www.pchell.com/support/bargainbuddy.shtml)
MrCoffee
March 31st, 2006, 09:22 PM
Originally posted by AngelicKnight
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
Going back to the original post, it really isn't that unusual for one AV scanner to miss an infection while another picks right up on it. I have had McAfee blow right past a number of infections that Norton's AV has caught. Or both have missed them and Housecall has gotten them. McAfee did surprise me in completely missing an older, well known infection.
Case in point for tightening up access to that server and locking it down a bit.
jcjzbrfay
April 1st, 2006, 03:51 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274643#post895748) by morganlefay
I highly doubt that the problem the OP had was infected by a worm....because I have seen this before on many a workstation...although never on a server
<snip>
MHO..as always :cool:
MLF
I agree with what you said to the original poster, but I was simply stating and giving a personal example of how your assumption could be wrong. Yes, daily patching and email monitoring, and AUP, and all that will help. However, there are more ways to infect a host than by allowing a user to open a browser.
I was simply posting an alternative that I have experienced in the past.
jcjzbrfay
April 1st, 2006, 04:49 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274643#post895741) by Tiger Shark
If I might chime in here....
JC: Yep... Theoretically you are correct... But... 99% of the time non-publicly available servers are compromised by their idiot admins/users using the server like it was a workstation... and running in the context of an administrator...
That's the point dear Mistress LeFay is trying to, quite correctly, make... in her roundabout way... :D
Again, if you look back to the infection rates of Code Red and Slammer, you'll see that 99% is a little high.... :)
Tiger Shark
April 1st, 2006, 04:59 AM
you'll see that 99% is a little high....
If you are _determined_ to miss a perfectly valid point then never mind!!!!!!!
I SAID...
But... 99% of the time non-publicly available servers
Do I need to put special emphasis on the words "non-publicly available" or is your level of comprehension sufficient to grasp what is being said...
Slammer and Code Red are ancient bloody history and their infections were predominantly against _publicly available_ servers.
jcjzbrfay
April 1st, 2006, 05:36 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=274643#post895814) by Tiger Shark
If you are _determined_ to miss a perfectly valid point then never mind!!!!!!!
I SAID...
Do I need to put special emphasis on the words "non-publicly available" or is your level of comprehension sufficient to grasp what is being said...
Slammer and Code Red are ancient bloody history and their infections were predominantly against _publicly available_ servers.
Hey, I ain't hating on anyone. I saw your point, and my point was that Code Red and Slammer were against more than just _publicly available_ servers. Corporations around the world got hit and hit hard with both, and many more (and by that I mean their internal networks, not just their POPs). Why is it you and MLF decide to cut out only a tiny portion of what I post and argue against that? I think my point is _perfectly_ valid too, but you both seem to have missed it.
I'm not here to get "Anti-Points", I know you both have a ton more than me. I'm not here to "rock the boat". I'm here because I have an interest in computer security, and what I saw MLF post was technically correct, and yet still possibly wrong. In the context of the original post, it probably is correct, however, I'm still trying to get MLF to admit that worms, viruses, attacks can occur even in a correctly administered network / server configuration.
morganlefay
April 1st, 2006, 05:38 AM
Again, if you look back to the infection rates of Code Red and Slammer, you'll see that 99% is a little high....
Well I wasnt one of those 99%........I guess that puts me in the 1 %
1%....of ALL the computers in the world :confused:
I think thats GOOD!!! :cool:
MLF
morganlefay
April 1st, 2006, 05:59 AM
I saw MLF post was technically correct, and yet still possibly wrong. In the context of the original post, it probably is correct
jcjzbrfay you are totally right..it is possible....but I have seen that file....many times on WSes and with spyware infections....
With the multiple processes like that.....that server has been compromised for a while.... and has not been restarted.....and is unpatched..and someone is not using it correctly as the server it is.....
I have seen this before ..so I "assumed"
And I believe I am correct in my remote wireless troubleshooting assumption
Although I could be wrong .............not
MHO as always :cool:
MLF
Tiger Shark
April 1st, 2006, 12:41 PM
Code red and Slammer were _worms_. They travel on their own without human intervention so their attack vector can _only_ be successful in the case of bad admin practices, (no patching or no other mitigation).
That either worm managed to pass from the public internet to the trusted network in _any_ situation is a sign that the admins should have been fired in my opinion. Because it indicates that there was a pathway from an untrusted segment to the trusted network... Not only was there a pathway but the pathway was the same as the pathway from the public internet to the public server... That is absolutely begging for a worm on your private network and it is completely amateur administration... :rolleyes:
I already agreed that what you said is _possible_... Clearly, because as you note, so many people got hammered by them... But you are pushing ahead with a point that, whilst well made, is redundant... This isn't a worm. It is a very common symptom of slack admins again that we see all the time... So I'm having a hard time understanding why you simply won't let it go if you say "you aren't trying to "rock the boat"... Your point was taken, noted and, in this situation, dismissed as highly improbable.
BTW, like Mistress LeFay, I too seem to be a one percenter... :cool: