August 6th, 2004, 02:51 AM
Pinfi virus detection
This virus from 2001 is kicking my butt right now. I believe I have at least one rogue system on my network infected with it and it has found nearly every open share and infected files. Our detection tactics are so geared toward worms that create SYN traffic or BO attacks. Since the virus is infecting files through mapped drives there seems to be virtually no way of tracking it through sniffers or the like. Out of our 12,000 users we have identified around 200 systems that are not running managed AV clients and we are tracking those down. I am sure the infected systems are within this group but would like to find the virus asap. Only Trend seems to list a possible port opened by the virus, 30167 but due to the behaviour of the virus it is not always active to avoid detection. Has anyone found a good way of dealing with this sort of threat? Thanks for any input.
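Since the post notes that this infector spreads by writing to executables on mapped drives rather than by generating network noise, one practical host-side check is a hash baseline of the share: record size and SHA-256 of every .exe and .scr file, then re-scan and flag files whose hash changed or whose size grew (an appending infector makes the file larger). The following is an added example written for this thread, not code from the original post or from any AV vendor; it assumes the share is reachable as a local path and uses a constructed temporary directory as sample input.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types the thread says the infector appends to on open shares.
EXEC_SUFFIXES = {".exe", ".scr"}


def sha256_of(path):
    """Stream a file through SHA-256 so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk the share and record size + hash of every .exe/.scr file, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON so later scans can be compared against a known-good state."""
    Path(path).write_text(json.dumps(baseline, indent=2))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_to_baseline(root, baseline):
    """Re-scan the share and report deviations from the baseline.

    Findings are (kind, relative_path) tuples where kind is one of:
      grown    - hash changed and size increased (the signature of an appending infector)
      modified - hash changed without growth (legitimate update, or a different kind of change)
      new      - executable not present at baseline time
      missing  - executable removed since baseline
    """
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        now = current.get(rel)
        if now is None:
            findings.append(("missing", rel))
        elif now["sha256"] != old["sha256"]:
            kind = "grown" if now["size"] > old["size"] else "modified"
            findings.append((kind, rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("new", rel))
    return sorted(findings)


def demo():
    """Constructed sample: a tiny share, a baseline, then one executable is appended to and one added."""
    with tempfile.TemporaryDirectory() as share:
        root = Path(share)
        (root / "tools").mkdir()
        (root / "tools" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "saver.scr").write_bytes(b"MZ" + b"\x01" * 50)
        (root / "readme.txt").write_bytes(b"not an executable, ignored")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate the effect the thread describes: bytes appended to an existing executable,
        # plus a new executable dropped on the share. These are constructed test changes.
        with open(root / "tools" / "calc.exe", "ab") as f:
            f.write(b"\x90" * 512)
        (root / "new.exe").write_bytes(b"MZ")

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:8} {rel}")
```

Running the baseline from a scheduled job on the file server, and checking the modification timestamps and owning accounts of anything reported as "grown", narrows the search to which user IDs and hosts wrote the changed executables; that is the trail a sniffer cannot give you when the traffic is ordinary SMB file writes.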
August 6th, 2004, 04:29 PM
Well, judging from what I read briefly contained in the links you provided, it doesn't seem to attack AV. According to this it appends to all .exe & .scr files it can access on remote network shares. How your shares are set up is the issue here: is everyone allowed to access these? If so you may have trouble; if you're somewhat restrictive on who can share and what they can do, it doesn't look like it will spread that quickly.
Now your AV: I know Symantec CE has the ability to do remote installs. Being that this virus won't attack the AV, just push out managed clients to your infected systems. Update them, poof. You can even create a new group for them under SSC 8.1 X and have it set to scan immediately on new virus definitions, thereby fixing themselves!
August 6th, 2004, 07:24 PM
Yeah, that really did point out some problems we had with permissions, but at the same time a few users with admin privileges got infected and that pointed out a misconfiguration in the Symantec config. I'm concentrating right now on 200 or so systems that are not responding to remote install for Symantec. We are going to down those PCs by either remote shutdown or killing their network port and, if found, disabling their user IDs. We're trying to flush out those systems that are rogue builds or have been under somebody's desk for 2 years.
August 6th, 2004, 08:10 PM
Do you mean these systems will not take a remote install?
Originally posted here by xmbalmr
I'm concentrating right now on 200 or so systems that are not responding to remote install for Symantec.
If so, what error message are you getting back?
Are you trying to install the "NT Client" or the "AV Server"?