
Thread: Virus Evades Panda & Kaspersky

  1. #1

    Virus Evades Panda & Kaspersky

    It looks like I've got a pesky infection on my hands that I can't get to go away.

    Yesterday I was checking one of our client's servers, and found that its memory was getting eaten up by many, many multiple update.exe processes that were running in the background. A Google search quickly revealed this:

    Process File: update or update.exe
    Process Name: Downloader.W32.Gen

    Description:
    update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.

    Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
    (Link)

    So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.

    You can kill the processes, but they immediately crank right back up.

    So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.

    So what should I do now? Before someone says "scan in safe mode", please note that's a last resort (though life would be a lot easier if I could). I work on these client machines remotely through RDC, so if I rebooted into safe mode, I'd lose access to the machine. If push comes to shove, we can send someone out there to do it in person, but that's a last resort.

    What's funny is the client still has no clue they're infected. I just happened upon it while checking up on the server. That being the case, I hope I can get it cleaned out before they discover they have been infected -- just makes us look that much better when we fix problems before they know they have them!

  2. #2
    AOs Resident Troll (Join Date: Nov 2003, Posts: 3,152)
    There is an obvious problem ...how does spyware get on a server???

    the server is being used to surf the internet...to have these types of files\infections on it.

    Once you get it cleaned you may want to "advise" them ..that servers should not be used to "surf the net"


    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    The ******* Shadow dalek (Join Date: Sep 2005, Posts: 1,564)

    AngelicKnight

    If you know the file paths you can try Killbox. It's a little utility that you can run and type in the infected file paths, and at reboot it will delete the files...


    Luck

    Edit: Here is some information on Bargain Buddy
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  4. #4
    AOs Resident Troll (Join Date: Nov 2003, Posts: 3,152)

    Personally I would be very careful trying to clean a live production server....cause one oops...and you may fluck it up more than it is already

    The box should be backed up...taken offline and cleaned

    Again...how does this type of infection get on a server in the first place??

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Yeah, this is a potentially sensitive issue because it's a key server on the network, one that they can't afford a lot of downtime on, so the idea is to avoid rebooting if at all possible. My first question was how it got on there in the first place too...No idea...The server is not used for web surfing, so that one has me scratching my head.

    We managed to get rid of it though, I think. That update.exe is definitely designed to look like Windows Update. It's stored in C:\ in a gibberish-looking directory just like what Windows Update creates, except there were TONS of these directories, each with an update.exe (about 1.25GB worth of these directories!). We finally managed to kill all the processes and delete all the directories, so that cleaned it out manually. The question left now is: is there another program somewhere on the computer that's going to recreate these processes at some point?
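    A read-only triage script for the situation in posts #1 and #5, added here as an example and not part of the thread. It assumes PowerShell 4+ with admin rights on the affected host and that the dropper folders sit directly under C:\ with GUID-like names, as post #5 describes; it reports the respawning parent, the copies on disk, and Run-key persistence without killing or deleting anything.

```powershell
# Added triage script, not from the thread. Assumes PowerShell 4+ on the
# affected Windows host, admin rights, and dropper folders directly under C:\
# with GUID-like names as post #5 describes. Read-only: reports only.
# 1. Every running update.exe with its parent. Killed copies "crank right
#    back up", so a parent that is not update.exe itself is the respawner.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'update.exe'")
$report = foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        Pid       = $p.ProcessId
        Path      = $p.ExecutablePath
        ParentPid = $p.ParentProcessId
        Parent    = if ($parent) { $parent.ExecutablePath } else { '<exited>' }
    }
}
$report | Format-Table -AutoSize
'Parents spawning update.exe (anything outside the Windows Update stack is suspect):'
$report | Group-Object Parent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
# 2. GUID-named folders under C:\ holding an update.exe. Genuine Windows Update
#    folders use the same naming, so separate the two by Authenticode signature
#    rather than by name, and total the disk space the copies occupy.
$guidName = '^\{?[0-9a-f]{8}(-?[0-9a-f]{4}){3}-?[0-9a-f]{12}\}?$'   # -match is case-insensitive
$copies = @(Get-ChildItem -Path 'C:\' -Directory -Force |
    Where-Object { $_.Name -match $guidName } |
    ForEach-Object { Join-Path $_.FullName 'update.exe' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature $_
        [pscustomobject]@{
            File      = $_
            Bytes     = (Get-Item $_).Length
            SHA256    = (Get-FileHash $_ -Algorithm SHA256).Hash
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    })
$copies | Format-Table -AutoSize
$bad = @($copies | Where-Object { $_.Signature -ne 'Valid' })
'Unsigned/invalid copies: {0} of {1}, {2:N1} MB total' -f $bad.Count, $copies.Count, (($copies | Measure-Object Bytes -Sum).Sum / 1MB)
# 3. Persistence that would bring it back after a reboot (post #7's concern):
#    Run keys whose values reference update.exe.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    (Get-ItemProperty $k -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { "$($_.Value)" -match 'update\.exe' } |
        ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
}
```

    Identical SHA256 values across many unsigned copies confirm they are one dropper, not separate Windows Update downloads, and the parent grouping points at what to take down before the box is rebuilt.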

  6. #6
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    just makes us look that much better when we fix problems before they know they have them!
    Not in this case my friend... This is called a teaching opportunity. Mistress LeFay is, as usual, absolutely correct when she asks "How did this get on the server"....

    You can't clean this properly without safe mode... But you can't use safe mode remotely... You can't try talking them through it... The box has to come down - server or not. If this is only spyware then the downing of the box will teach them a lesson. If it's the downloader then the box really needs to be redone from scratch... a bigger lesson... Because it costs them more... right

    In this case you will look just fine by finding a problem they didn't know they had. The fixing is the lesson they need...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    AOs Resident Troll (Join Date: Nov 2003, Posts: 3,152)

    The problem may be gone for now...but if you ever do have to reboot that server...there is a good chance it will come back...again and again and again until it is properly fixed.

    Tiger is right...downing the box will teach them the lesson....

    with a full reinstall...and the cost associated...I am sure someone will be looking into the "cause"


    My .02 cdn

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Thanks guys, I'm definitely going to recommend taking that server down for further investigation. I don't know what all they use this server for, but I know it's running SQL, so it must have something to do with their company database management.

  9. #9
    Junior Member (Join Date: May 2002, Posts: 17)

    If they need a reason for you to take the server down, just simply tell them that they were running SQL and that there is a possibility that their DB might be compromised.

    But I totally agree that the server should be downed.

    If you can find the last backup done that wasn't infected, this should give you a general timeline of when and how.

    GL on the server.

  10. #10
    Originally posted here by morganlefay
    There is an obvious problem ...how does spyware get on a server???

    the server is being used to surf the internet...to have these types of files\infections on it.

    Once you get it cleaned you may want to "advise" them ..that servers should not be used to "surf the net"


    MLF
    I disagree with this assumption. It could have been introduced from a user clicking an email somewhere else on the network and then wormed its way onto the server through an exploit. Ever hear of Code Red?

    The best thing to do would be to find a temporary replacement, and take down the production server. Clean it, and turn it back on. Personally, I would not copy anything from the prod server to the temp server, you do have all your code in a repository somewhere, right? You do have back ups of the databases, right?
