
Thread: spybot.worm

  1. #11
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    You really need to be able to post more than one attachment on a single post.


    Anyways if anyone is interested, here's copies of the virus we're dealing with... Inside the Zip file is a password protected rar.. the rar's password is 'antionline'... I just don't want anyone to blame me if they infect themselves... There's also a text file... I'm not sure if it's an error log or a breakdown of one of the files.. I'm taking it home to analyze tonight.. but fukerz.exe or whatever the file is called (late and about to miss my bus so I'm in a hurry) was an executable on hand at one point....

    I'm outta here

    Peace,
    HT

  2. #12
    ok update time:

    It looks like we were being hit by a new variant of the spybot.worm. Nortons did not detect it during the initial infection, but it was preventing the virus from turning the machine into a zombie terminal. We DID have some systems that were not patched and were infected. Those systems have been cleaned / patched / updated.

    Fsecure.com did find the new variant (woo hoo). Once we knew what we were dealing with, the cleaning process was simple on most of the machines.

    We also updated our firewall traffic to stop any chance of reinfection from infected machines. We think we found the point of origin, but since we can't prove who was sitting at the system at the time, and we know it was not malicious on the user's end, there is little we can do.

    We do plan on implementing a proxy server with a whitelist of approved sites for business use since users have to use the internet in the course of their job.

    fun fun fun.

    ~Halv
