
Thread: SAV 10 is for the birds...

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    SAV 10 is for the birds...

    ...working in a Windows shop, one of a dozen-and-a-half sites comprising a small multinational.

    We've had a virus outbreak that's actually spreading via unpatched Symantec AV 10 (I can't believe it). I can't find much good info on it, though we got the patch and are deploying it (in fits). Our shop is still running an older version of SAV, so our computers haven't been hit like some other sites. What I know is the offending file is one ctfcoms.exe and Google isn't giving me much. And I'm not sure how much the network guys know either. The word I get is 3-4 computers (maybe less) on a LAN and it's toast (maxed-out bandwidth). I get the impression it touches a vulnerable port and you're infected. It's not too inclined to infect VPN users though. Anybody else seeing this one out there?

    Our site's quiet for now, but we do have some SAV 10 users, mostly VPN. I've been making the rounds and turning up other stuff, like spyware (some rampant) and infected production tools, which run Windows sans AV because they are dedicated and not used as PC's ordinarily are.

    So what's everyone using out there in this combined threat environment to handle spyware and viruses?

    SAV anyone? Not me...

    Last edited by brokencrow; January 19th, 2007 at 04:09 AM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    brokencrow,
    we've been dealing with W32.Spybot.Worm. It appears as though it's along the lines of what you're dealing with. We patched up today and all seems well.
    I'm not so quick to dump SAV 10 yet though as I've been fairly content thus far with their product.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    It just came to me: W32.IRCbot (or somesuch). Symantec's got nice features, like the server console, but it's buggy (misses a number of PC's and doesn't accurately refresh). And it doesn't handle spyware, spyware handles it. The units that typically don't update are invariably infected with spyware.

    I wonder what the point is of running software that's so widely deployed and then so targeted? Like running IE. Is it branding?

    Got into a discussion with a co-worker over dumping IE for Firefox. She got rather heated making the point IE isn't more vulnerable because everybody uses it and gets targeted thus. Doh, aren't there better things to do than plugging holes in some name-brand company's software?

    Oh well, this job's fryin' me. 400+ PC's and a staff of three. And being on contract, I'm keeping some side work going in case I get dumped.

    Life in the real world: productivity gains.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    You might want to check out the following write-ups from SANS:

    http://isc.sans.org/diary.html?storyid=2038

    http://isc.sans.org/diary.html?storyid=2040

    There has been an upswing of these attacks.

    Cheers:
    DjM

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I like SAV...although haven't upgraded to 10 yet...I have the software..for a couple of sites....but having been bitten before by SAV on a network update..
    I am usually very wary of updating till a full server reinstall or new server rollout.

    I patch though

    this W32.IRCbot is very old...and this ctfcoms.exe appears to be associated with MS Office...

    Determining whether ctfmon.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from in WinTasks.
    http://www.liutilities.com/products/...ibrary/ctfmon/

    I like SAV's central management although I have been looking into PANDA as an alternate solution....the salesman I was talking to gave me a competitive upgrade quote...just a little higher than SAV's annual licensing.

    May do it next server OS upgrade....don't even want to risk those 2 fighting each other.

    MLF
    Last edited by morganlefay; January 19th, 2007 at 04:15 PM.
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    That's the confusion, MLF. Yes, ctfcom.exe is a legit (& common) system file. But ctfcoms.exe is NOT. Another case of social engineering. We have 150 or so remote users and have had to explicitly explain the difference between the two in our directions on updating SAV 10. It's not really difficult to clean, unlike some recent rootkits I've dealt with that defy deletion attempts. But it wreaks havoc once inside a LAN with a lot of SAV 10 clients. Fortunately, most of what we run at our site is one of the older versions, and the SAV 10 clients we have are newer laptops often using VPN, which for whatever reason seem more immune.

    I'm working on contract in a newly-outsourced IT dep't. We've got a server guy coming in for three days this week to assess and plan those upgrades. I wonder what they'll do for the AV, and just as importantly, spyware, which is quite common on many of our workstations. The spyware is often disabling SAV updates.

    What's your impression of the solutions for handing both viruses and spyware?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I have looked into PANDA...it appears to be an all round solution with central management. I hesitate on multiple software as they tend to fight each other causing other issues and chewing resources...

    Also have been using SAV with MS Windows Defender...and so far no real issues

    Defender prompts for changes in services and startup programs...and it's free
    no central management as of yet...then it may not be free anymore

    MLF
    Last edited by morganlefay; January 20th, 2007 at 03:56 PM.
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Any licensing issues with MS Windows Defender in the enterprise? My predecessor used it on some desktops. As for prompts for changes in services and startup programs, our users have limited acct's, so they may not see a lot of prompts, or feel duly guilty if they do.

    We've been using Spybot when we have to, and suffer no conflicts or issues with it, but of course, it's not running realtime.

    It's funny, but the network guys and our security "officer" seem to consider spyware a secondary issue of sorts. In the small business environment I came from, it was a primary cause of malfunctioning units. In fact, I'll be onsite tomorrow at an appraiser's office cleaning up some Golden Casino infection again because the owner can't keep his sons off those sites.

    Oh well, keeps me in wine, as you say.
    Last edited by brokencrow; January 20th, 2007 at 08:11 PM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  9. #9
    Junior Member
    Join Date
    Jan 2007
    Posts
    1

    How to get rid of the virus

    Here's how I got rid of the virus where I work; we had about a thousand infected computers.
    First make sure you have your antivirus program updated and make sure you have a firewall on (we had a problem with the local firewalls on the computers, that's how we got the virus..).
    End all ctfcoms.exe processes running. Search for ctfcoms.exe (both hidden and system files; we had the virus in C:\Program Files\Symantec Antivirus and C:\Windows\System32) and delete the files. Then, in regedit, search for ctfcoms.exe and delete everything you can find. That worked fine for us.
    I almost forgot, some of the infected computers also got problems with altered start pages in IE and were not able to change it. You can fix that by editing the Local Computer Policy in User Configuration\Administrative Template\Windows Components\Internet Explorer\Disable changing home page settings.
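    The cleanup steps in the post above, together with the ctfmon.exe/ctfcoms.exe distinction MLF and brokencrow went over in #5 and #6, as an added Python example that is not from the thread or from any of its posters: it triages a constructed process list, file list and Run-key entries and emits the kill/delete/regdelete actions in the order the post describes (processes first, then files, then registry). The install root C:\WINDOWS, the sample PIDs, paths and Run-key values are all assumptions made for the example; the script plans the actions rather than executing them, so it runs offline on any platform. A ctfmon.exe found outside System32 is only flagged for review, since that name is legitimate in its normal location.

```python
"""Added example: triage an endpoint inventory for the ctfcoms.exe worm.

Rule from the thread: ctfmon.exe (Office/Windows text services) is expected
only in the Windows system directory; ctfcoms.exe is never legitimate.
All inventory data below is constructed sample input, not a real capture.
"""
from __future__ import annotations

import ntpath

WINDIR = r"C:\WINDOWS"                       # assumed install root
SYSTEM_DIR = ntpath.join(WINDIR, "system32")
WORM_NAME = "ctfcoms.exe"
LEGIT_NAME = "ctfmon.exe"


def normalise(path: str) -> str:
    """Strip quotes, expand the two env vars Run keys commonly use, lower-case."""
    p = path.strip().strip('"')
    for var in ("%systemroot%", "%windir%"):
        if p.lower().startswith(var):
            p = WINDIR + p[len(var):]
    return ntpath.normpath(p).lower()


def classify(path: str) -> str:
    """'malicious' for the worm's name, 'clean' for ctfmon.exe in System32,
    'lookalike' for ctfmon.exe anywhere else, 'unrelated' for everything else."""
    full = normalise(path)
    name = ntpath.basename(full)
    if name == WORM_NAME:
        return "malicious"
    if name == LEGIT_NAME:
        return "clean" if ntpath.dirname(full) == SYSTEM_DIR.lower() else "lookalike"
    return "unrelated"


def exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line. Persistence entries
    are often unquoted even with spaces in the path, so cut at the first '.exe'."""
    idx = cmd.lower().find(".exe")
    if idx < 0:
        return cmd.strip()
    return cmd[: idx + 4].strip().strip('"')


def _action(verdict: str, remove: str, target: str):
    if verdict == "malicious":
        return (remove, target)
    if verdict == "lookalike":
        return ("review", target)
    return None


def plan_cleanup(processes, files, run_values):
    """Ordered actions per the post: kill processes, delete files, delete Run entries.
    processes: [(pid, image_path)]  files: [path]  run_values: [(key, name, command)]"""
    actions = []
    for pid, image in processes:
        a = _action(classify(image), "kill", str(pid))
        # a lookalike process is reported by path, not killed blindly
        if a and a[0] == "review":
            a = ("review", image)
        if a:
            actions.append(a)
    for path in files:
        a = _action(classify(path), "delete", path)
        if a:
            actions.append(a)
    for key, name, cmd in run_values:
        a = _action(classify(exe_from_command(cmd)), "regdelete", key + "\\" + name)
        if a:
            actions.append(a)
    return actions


# Constructed sample inventory (assumed, not captured from a real host)
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_PROCESSES = [
    (1044, r"C:\WINDOWS\system32\ctfmon.exe"),                    # legitimate
    (2280, r"C:\Program Files\Symantec AntiVirus\ctfcoms.exe"),   # worm
    (3100, r"C:\Documents and Settings\bob\ctfmon.exe"),          # out of place
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ctfcoms.exe",
    r"C:\Program Files\Symantec AntiVirus\ctfcoms.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]
SAMPLE_RUN = [
    (RUN_HKLM, "ctfmon.exe", r'"C:\WINDOWS\system32\ctfmon.exe"'),
    (RUN_HKLM, "Windows Update", r"%SystemRoot%\system32\ctfcoms.exe -s"),
    (RUN_HKCU, "ctfmon", r"C:\Program Files\Symantec AntiVirus\ctfcoms.exe"),
]


def demo():
    return plan_cleanup(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_RUN)


if __name__ == "__main__":
    for action in demo():
        print(*action)
```

    Feed it real data by replacing the three sample lists with the output of your process lister, a filesystem search for the two names, and a dump of the Run keys; the order of the returned list is the order to act in.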

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Yeah, that was pretty much the fix at the affected sites we had. We haven't seen ctfcoms.exe at our site yet. Hadn't heard about any problems with start pages either with this thing. Maybe that was/is a spyware problem?

    I guess I'm kinda surprised at the vulnerability of an AV app itself. Obviously, no app is bulletproof, but to see the havoc this thing caused at other sites startles me coming from an AV app itself.

    C'est la vie.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
