Sircam on my server

Printable View

September 4th, 2002, 08:03 PM
soia

Sircam on my server

I am currently running Norton AntiVirus on Corporate edition 7.6. I have it set up with the central server monitoring all of my machines and email notification when any machine is infected with any virus. The current problem im having with one of my machines is that every couple of days ill get an email notification saying that i have W32.sircam.worm@mm on my machine. It attacks an older directory i have on there and it goes right for the rundll32.exe file. Thankfully that rundll32.exe file is not the one being used its from NT 4.0 and it is not the current os on the machine. Now i got all the sircam tools to remove the sircam virus from the machine and followed all details to remove the virus. I cant seem to get rid of the virus though. I deleted that rundll32.exe that got infected but i still get the same notification for the sircam virus. What could i possibly do to remove the virus from this machine????

Any help would be much appreciated.
Thanx

-SOIA
September 4th, 2002, 08:17 PM
DarkGuardian

Did you remove all of the quarantined files? If I remember correctly, if there are still files quarantined, the server will still complain that the machine has a virus.
September 4th, 2002, 08:19 PM
soia

All quarantined files have been removed. I was told to do that and when i did it i still keep getting the same virus notification.
September 4th, 2002, 08:21 PM
Mahakaal

Try this link. Hope it helps :)
September 4th, 2002, 08:31 PM
soia

Tried the link out and checked out what it said. Still nothing.
September 6th, 2002, 09:20 PM
bArGuS_4_$

You may want to set up a Honey Pot to find out if another machine is hosting Sircam. Sircam is a worm and thus can propagate itself. It may be accessing a share or going through a known security hole on your system.

When did NAV kick off saying it found and what process caught it? Manual, realtime, scheduled? What location did it find it in? A share?
September 6th, 2002, 09:27 PM
soia

It wasn't in a share it was just a folder that it found somehow. It keeps catching it with realtime monitoring. How do you set up a honey pot??? What is a honey pot????
September 7th, 2002, 12:41 AM
vanquisher

Everything ya ever wanted to know about "honeypots" !

http://www.enteract.com/~lspitz/honeypot.html

... hope this helps...
September 9th, 2002, 03:04 PM
Sgt_B

Try this site out, its a removal tool from Symantec.
http://www.symantec.com/avcenter/ven...oval.tool.html

Hope this helps!
September 9th, 2002, 03:16 PM
soia

Tried the removal tool. wouldnt find anything.
September 9th, 2002, 03:26 PM
bArGuS_4_$

If you do not mind, what is the directory where the malicious code is being found?
September 9th, 2002, 03:30 PM
Sgt_B

What happens if you do a manual scan on the machine. Does Norton pick anything up? or is the AMS just sending you an email for fun? I've ran into this once or twice with Norton's console, where the "same virus" keeps popping up on the same machine. Keep in mind there was no virus present on that machine, Norton just kept reporting the same thing over and over again.
My problem went away by itself. It drove me nuts for a while though.

I'll check on Symantec's site to see if anything regarding this is there.
September 9th, 2002, 03:35 PM
soia

bargus_4_$: The virus is found on an old directory with an old version of Windows NT 4.0 in that directory. Now nt 4 is not installed in the machine, the machine is Windows 2000 server. It says that the rundll32 is infected but i deleted that file.

SgtB: tried manual scan and came up with nothing.
September 9th, 2002, 03:50 PM
DjM

Have you tried contacting Symantec's Technical Support? I have had to use them on various occasions and they are usually pretty good. Might be worth a try.

Cheers:
September 9th, 2002, 03:52 PM
bArGuS_4_$

Where did it find the virus? Directory location if you do not mind. Did it locate the virus in any other places?

If it found the virus in an old directory, a manual scan does not report the virus and you are not running any exclusions in the manual scan (scanning all files with no exclusions), and it appears to pop-up everytime new defs arrive, and the scan type in the log indicates manual, and (running out of breath and "ands") the virus was found before on your system and a different action was performed other than left alone then it is possible that you are not infected.

Verify first but this could be it...
in NAVCE there is an option in the Symantec System Center all tasks->NAV-->Quarantine Options I believe that says what to do when new virus definitions arrive. Scan quarantined items. Sometimes when new defs arrive if a worm (which is totally malicious and unrepairable EVER!!!) Is continually attempted to be repaired....New defs-->scan quarantine--> cannot clean (becuase it is a worm) --->Cannot quarantine (because it no longer exists or is in quarantine)--->action left alone.

I recommend you investigate but if you feel this is the case 1) change the option for NAV/SAV 2) delete items in quarantine (manually) 3) delete all log files.

Hope that helps
September 9th, 2002, 05:52 PM
mohaughn

have you tried a scanner from a different vendor to see if you get the same results. I always recommend to anybody that you totally rebuild a system after it has been compromised. Whether it is by a script kiddie, virus, trojan.. whatever.. The only sure way to know that your system is the way it should be is to reinstall.