-
March 31st, 2006, 04:55 PM
#1
Virus Evades Panda & Kaspersky
It looks like I've got a pesky infection on my hands that I can't get to go away.
Yesterday I was checking one of our client's servers, and found that its memory was getting eaten up by many, many multiple update.exe processes that were running in the background. A google search quickly revealed this:
Process File: update or update.exe
Process Name: Downloader.W32.Gen
Description:
update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.
Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
(Link)
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
So what should I do now? Before someone says "scan in safe mode", please note that's a last resort (though life would be a lot easier if I could). I work on these client machines remotely through RDC, so if I rebooted into safe mode, I'd lose access to the machine. If push comes to shove, we can send someone out there to do it in person, but that's a last resort.
What's funny is the client still has no clue they're infected. I just happened upon it while checking up on the server. That being the case, I hope I can get it cleaned out before they discover they have been infected -- just makes us look that much better when we fix problems before they know they have them!
-
March 31st, 2006, 05:13 PM
#2
There is an obvious problem... how does spyware get on a server???
The server is being used to surf the internet... to have these types of files/infections on it.
Once you get it cleaned you may want to "advise" them... that servers should not be used to "surf the net".
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
March 31st, 2006, 05:16 PM
#3
AngelicKnight
If you know the file paths you can try Killbox. It's a little utility that you can run and type in the infected file paths, and at reboot it will delete the files...
Luck
Edit: Here is some information on Bargain Buddy
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
March 31st, 2006, 05:27 PM
#4
Personally I would be very careful trying to clean a live production server... cause one oops... and you may fluck it up more than it is already.
The box should be backed up...taken offline and cleaned
Again...how does this type of infection get on a server in the first place??
MLF
-
March 31st, 2006, 05:44 PM
#5
Yeah, this is a potentially sensitive issue because it's a key server on the network, one that they can't afford a lot of downtime on, so the idea is to avoid rebooting if at all possible. My first question was how it got on there in the first place too...No idea...The server is not used for web surfing, so that one has me scratching my head.
We managed to get rid of it though, I think. That update.exe is definitely designed to look like Windows Update. It's stored in C:\ in a gibberish-looking directory just like what Windows Update creates, except there were TONS of these directories, each with an update.exe (about 1.25GB worth of these directories!). We finally managed to kill all the processes and delete all the directories, so that cleaned it out manually. The question left now is --- Is there another program somewhere on the computer that's going to recreate these processes at some point?
-
March 31st, 2006, 05:46 PM
#6
just makes us look that much better when we fix problems before they know they have them!
Not in this case my friend... This is called a teaching opportunity. Mistress LeFay is, as usual, absolutely correct when she asks "How did this get on the server"....
You can't clean this properly without safe mode... But you can't use safe mode remotely... You can't try talking them through it... The box has to come down - server or not. If this is only spyware then the downing of the box will teach them a lesson. If it's the downloader then the box really needs to be redone from scratch... a bigger lesson... Because it costs them more... right
In this case you will look just fine by finding a problem they didn't know they had. The fixing is the lesson they need...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 31st, 2006, 05:57 PM
#7
The problem may be gone for now... but if you ever do have to reboot that server... there is a good chance it will come back... again and again and again until it is properly fixed.
Tiger is right...downing the box will teach them the lesson....
with a full reinstall...and the cost associated...I am sure someone will be looking into the "cause"
My .02 cdn
MLF
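What post #5 did by hand (kill every update.exe, then delete the GUID-style drop directories under C:\) and the question posts #5 and #7 both raise (is something left behind that will bring the processes back after a reboot?) can be scripted. The block below is an added example written for this page, not something any poster ran. It assumes a current Windows host with PowerShell 4 or later run as an administrator (a 2006-era Windows server would not have had it); the GUID folder-name pattern, the list of autostart locations it checks and the -Kill / -Remove switches are the example's own choices, not facts stated in the thread.

```powershell
<#
  Added example for this thread, not code from any poster.
  Lists every running copy of the suspect binary (with its parent process, so you can see
  what is relaunching it), the GUID-named directories under the root that hold a copy,
  and the usual autostart locations that could bring it back after a reboot.
  Report-only unless -Kill / -Remove are given.
  Assumptions: PowerShell 4+ (Get-FileHash), run as administrator; the GUID regex and the
  autostart key list are this script's choices, not something stated in the thread.
#>
param(
    [string]$Name = 'update.exe',
    [string]$Root = 'C:\',
    [switch]$Kill,
    [switch]$Remove
)
$nameRx = [regex]::Escape($Name)

Write-Output "== Running copies of $Name =="
$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$Name'")
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $hash = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $p.ExecutablePath).Hash
    } else { 'n/a' }
    [pscustomobject]@{
        PID     = $p.ProcessId
        Parent  = "$($parent.Name) ($($p.ParentProcessId))"   # a non-update.exe parent is the respawner
        Path    = $p.ExecutablePath
        SHA256  = $hash
        CmdLine = $p.CommandLine
    }
}

Write-Output "== GUID-named directories under $Root containing $Name =="
# Windows Update extracts into folders named like {8-4-4-4-12 hex}; the dropper in the thread
# imitated that look. Adjust the pattern if the 'gibberish' names on your box differ (assumption).
$guidRx = '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'
$drops = @(Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidRx } |
    ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue })
$dropInfo = $drops | ForEach-Object {
    [pscustomobject]@{ File = $_.FullName; Bytes = $_.Length; Created = $_.CreationTime
                       SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash }
}
$dropInfo
# One distinct hash means one dropper writing identical copies; several means more than one thing on the box.
$dropInfo | Group-Object SHA256 | ForEach-Object { "distinct binary $($_.Name): $($_.Count) copies" }

Write-Output "== Autostart entries referencing $Name =="
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match $nameRx } |
        ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $nameRx } |
    ForEach-Object { "service $($_.Name) [$($_.State)] = $($_.PathName)" }
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $nameRx } |
    ForEach-Object { "task $($_.TaskName) = $($_.'Task To Run')" }

# Remediation: stop every copy in one call (they relaunch each other if killed one at a time),
# then remove the drop directories while nothing is running that could recreate them.
if ($Kill -and $procs.Count -gt 0) {
    Stop-Process -Id ($procs | ForEach-Object { $_.ProcessId }) -Force -ErrorAction SilentlyContinue
    Write-Output "killed $($procs.Count) process(es); re-run without switches to confirm none came back"
}
if ($Remove -and $drops.Count -gt 0) {
    $drops | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique |
        ForEach-Object { Remove-Item -LiteralPath $_ -Recurse -Force; "removed $_" }
}
```

Run it first with no switches and keep the output as the incident record (hashes, creation times and the parent process are what tells you when the drop started and what is spawning it). If the parent of every update.exe is another update.exe, killing them all in one call is enough to stop the respawning; if a different parent or a service shows up, that is the thing to deal with first. An empty autostart section does not prove the box is clean, since a dropper can also persist in places this script does not look, so the reboot in a maintenance window that posts #6 and #7 call for is still the real test.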
-
March 31st, 2006, 06:07 PM
#8
Thanks guys, I'm definitely going to recommend taking that server down for further investigation. I don't know what all they use this server for, but I know it's running SQL, so it must have something to do with their company database management.
-
March 31st, 2006, 06:50 PM
#9
If they need a reason for you to take the server down just simply tell them that they were running SQL and that there is a possibility that their DB might be compromised.
But I totally agree that the server should be downed.
If you can find the last backup done that wasn't infected, this should give you a general timeline of when and how.
GL on the server.
-
March 31st, 2006, 07:02 PM
#10
Originally posted here by morganlefay
There is an obvious problem... how does spyware get on a server???
The server is being used to surf the internet... to have these types of files/infections on it.
Once you get it cleaned you may want to "advise" them... that servers should not be used to "surf the net".
MLF
I disagree with this assumption. It could have been introduced from a user clicking an email somewhere else on the network and then wormed its way onto the server through an exploit. Ever hear of Code Red?
The best thing to do would be to find a temporary replacement, and take down the production server. Clean it, and turn it back on. Personally, I would not copy anything from the prod server to the temp server, you do have all your code in a repository somewhere, right? You do have back ups of the databases, right?