
Thread: New Virus

  1. #1
    Junior Member
    Join Date
    Mar 2005
    Posts
    18

    New Virus

    My company got hit with a new virus about 4 days ago and we can't seem to get rid of it. The AV's haven't come out with the def's for it yet. Anyone heard of this yet or have a solution that might help out? Here is a website with more info:

    http://www.antisource.com/article.ph...bc08-msdirectx

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Capture it in a zip file and send it to me via PM I need to know what it does.

    What operating systems are you running?

    What symptoms are you experiencing?

    How do you think it got in to start with (if you send it to me, I will know how it spreads)

    Cheers

  3. #3
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    I don't readily have a copy of the file yet. I do know that it seems to be trying to connect to an IRC server and that for most of the incidents that we've found it's been coming across port 445 according to our IDS, which is monitored by ISS. We are running Windows XP with all the latest patches due to our nifty patch link program and McAfee AV, which of course is updated regularly too. Both McAfee and Microsoft have been notified of our situation and are currently trying to devise a tool to combat this. So far we've found about 200 known infections across the US. We currently have it contained internally on the network due to the addition of ACL's and firewall modifications. I'll try to get the file for you as soon as possible....thanks

  4. #4
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    Also I forgot to mention above the symptoms...

    regedit and taskmanager won't stay open...

    Antivirus software crashes....

    machine freezes...

    I attached a file that I believe shows which AV company's have found something in their defs about the file...

  5. #5
    Originally posted here by nihil
    Capture it in a zip file and send it to me via PM I need to know what it does.
    lol....eager for some infectious cyber-files nihil are we? me too...i like analyzing these critters. lol

    Capture it and send it to AVERT here https://www.webimmune.net/default.asp

    And like nihil...I'll take a copy too.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK,

    Schmit, if you know which machine it came in from just pull it from the net and leave it alone.......you may want to do some forensic analysis later? You need to pull the other known infecteds as well.......any idea of the route logic of the infections?

    AV companies are very good but can be a bit slow in response time to make sure that they get things right............they have a corporate reputation to uphold

    We are expected to do things yesterday, which is why I tend to go for a "containment" approach, and try to find out what it does and how, rather than look for a perpetual solution.

    Good luck..................and Happy Easter............they do time these things well don't they?

  7. #7
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    Well...fortunately it doesn't appear to be doing any damage...more of a nuisance...hopefully we'll have a solution to this by Monday. I'm still trying to track down the darn file. We actually aren't sure which machine was infected first, but rest assured the infected are being pulled from the network as they show up. We aren't sure how it depicts which route it will take next either...hopefully that will be something else we can find out soon. Thanks for the advice though...and I'll keep you updated...oh...and get you and ric-o that file some time this year

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi schmit...........

    In the mopping up operation please take a look here..........no personal or commercial connections, just a satisfied customer recommendation:

    http://www.diamondcs.com.au/

    Process Guard will protect AV and Firewall (software) and anything else for that matter.......

    Look at the "products" bit and check out "RegistryProt" which is free............even to corporates

    That has saved a few a$$es (a donkey, genet and mule) in my time. It warns you if the registry is about to be changed, and how, and by what..........nice tool?

    The other stuff is worthy of consideration as well..........

    Good luck

  9. #9
    Originally posted here by nihil
    In the mopping up operation please take a look here..........no personal or commercial connections, just a satisfied customer recommendation:
    http://www.diamondcs.com.au/
    Good advice: we run Trojan Defense Suite 3 (TDS3) and love it! We use it for initial scans.

    Look at the "products" bit and check out "RegistryProt" which is free............even to corporates
    Hey wait a second...I thought you were a BillP Studios fan (re: WinPatrol) lol. I actually found that I couldn't uninstall RegProt from an XP machine that I had installed WinPatrol on as well...maybe they were too busy fighting. ha ha.

    Anyway, along with RegProt, WinPatrol is good too www.winpatrol.com

    Agree with Nihil about containment first. Here's the approach we use in your type of situation....

    1) Identify the victims: sometimes that involves quick reviews of firewall logs, IDS, etc and if widespread shutting down whole networks to contain the critter
    2) Pull them off the net but keep them powered up -- tell user not to touch them
    3) Quick assessment using tools off CD (original O/S tools could be corrupted): network ports open (OpenPorts and NETSTAT), processes running (PULIST by SysInternals); record this list in a text file, state of AV and firewall (versions, etc)
    4) Connect victim PC up to private network: we have a 4 port hub in our security incident *jump bag* for just this use; hard code IP
    5) Connect security laptop up to private network: hard code IP
    6) Note: security laptop has a firewall protecting it from any attempted unsolicited connections from the victim PC
    7) Start up packet sniffer to see what traffic the victim is spewing out if anything
    8) Reboot victim PC into Knoppix (LIVE CD if you didn't know): this way you can bring up the file systems without bringing up the infected PC
    9) Run Samba server in Knoppix and share out all drives
    10) Scan shared drives (at root level) of victim PC using TDS3 and AV software: note that we scan the directories most likely to contain malware first to save time:
    Windows = c:\winnt or c:\windows, c:\documents and settings, c:\program files
    Linux = all bin and sbin directories; there are others as well but I don't have them close to me right now...plus most incidents are infected Windows desktops

    Now using the info we gained on the quick assessment we sometimes will do a port scan of all our networks looking for any of the suspicious listening ports that might have been found on the victim PC to see if anyone else is exhibiting the same. Review firewall logs to see what IPs the victim visited prior to the report of infection.

    More advanced forensics work involves mounting the infected drives into a separate PC that already has a boot drive. Then scan through the various directories for evidence as to what happened, how the malware got in, what it did, files recently opened, etc etc.

    Between Nihil's tips and these, hopefully it will give you some good info for this incident and future ones. I wish you luck....the adrenalin is pumping, isn't it?! While these are frustrating, they are also exciting and fun.

    Keep us posted, I'm very curious what you got here.
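
    A small helper in the spirit of the quick assessment (step 3) and the network-wide port review in the post above, added here as an example and not code from the thread or its posters: it parses `netstat -an` output from a Windows host (a constructed sample, not real capture data) and flags listeners outside an assumed baseline, connections to IRC ports, and outbound port 445 attempts, the indicators this thread mentions.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -an` output from a Windows XP host (not real capture data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1044          203.0.113.9:6667       ESTABLISHED
  TCP    10.1.2.3:1051          10.1.2.77:445          SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline of ports a stock XP workstation listens on; adjust to your own build.
BASELINE_LISTEN = {135, 137, 138, 139, 445, 1900, 5000}
# Common IRC server ports; the thread's sample tried to reach an IRC server.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)")

def parse_netstat(text):
    """Return (proto, local_port, remote_addr, remote_port, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _laddr, lport, raddr, rport, state = m.groups()
            rows.append((proto, int(lport), raddr, rport, state))
    return rows

def assess(text):
    """Group findings by type; an empty dict means nothing outside the baseline was seen."""
    findings = defaultdict(list)
    for proto, lport, raddr, rport, state in parse_netstat(text):
        # UDP sockets show no state; "*:*" as the foreign address marks a listener.
        listening = state == "LISTENING" or (proto == "UDP" and raddr == "*")
        if listening and lport not in BASELINE_LISTEN:
            findings["unexpected_listener"].append(f"{proto}/{lport}")
        if rport.isdigit() and int(rport) in IRC_PORTS:
            findings["irc_connection"].append(f"{raddr}:{rport}")
        # Outbound 445 from a workstation matches the IDS pattern described in the thread.
        if rport == "445" and state in ("SYN_SENT", "ESTABLISHED"):
            findings["outbound_445"].append(raddr)
    return dict(findings)
```

    Run it against the text file recorded in step 3 from each suspect host; the unexpected listener ports it reports are the ones to sweep the rest of the network for.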

  10. #10
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    Here's a quick update...

    McAfee came up with two updates for us last night, one at 1 AM and one at 5 AM...both of which hung in the process of installation. This morning the final one that they came up with....after being loaded, will prevent a machine from getting infected but will not clean a machine that's already infected. Thanks again for all the advice....
