Re: Virus? - Disable .EXE, .COM, .LNK and group policy.
From: Malke (invalid_at_not-real.com)
Date: 05/25/05
- Previous message: David H. Lipman: "Re: Backdoor.Lateda.C"
- In reply to: Brian Hoyt: "Virus? - Disable .EXE, .COM, .LNK and group policy."
- Next in thread: Brian Hoyt: "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Reply: Brian Hoyt: "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 May 2005 07:15:56 -0700
Brian Hoyt wrote:
> First I want to say I am not interested in removing the problem as I
> can reimage machines, I am more interested in figuring out the cause
> and prevention methods.
>
> We have recently started seeing behavior on laptops that appears to be
> a virus, I am however having great problem tracking it down. The
> symptoms include but are limited to:
> Disable in registry .EXE, .LNK and .COM
> Disable most (if not all) Group Policy settings
> Add a security warning on pressing CTRL-ALT-DEL on login screen that
> is random characters.
> Disable Shutdown from startup screen
> Disable display of proper icons, I believe this is related to the .LNK
> but it doesn't always happen.
>
> Once this happens a user can login to a machine. Applications cannot
> be directly started but they can be started via opening an existing
> document for example. I have attempted to fix the registry to allow
> programs to run but I haven't had any luck.
>
> Some background on the machines. The machines are of varied platforms
> of laptops and tablets. All are running custom images and the problem
> has occurred across multiple images. The machines have Symantec
> Corporate Anti-Virus and Lavasoft Ad-Aware Plus running in realtime.
> They are all XP SP2 with patches within a month or two of recent.
>
> These are all student machines so I don't get a lot of detail of
> cause. In almost all cases the machines either have AOL or AIM and
> sometimes it is the last thing the students ran. Most describe a burst
> of network traffic and then the problem occurs. In most cases they
> continue to work fine until they reboot and that is when all the links
> and applications stop working. In a few rare cases Ad-Aware catches
> the registry changes and I have been able to see some of them happen,
> I have not been able to find the cause though.
>
> Any help or pointers on this much appreciated. If there are any
> further details I can offer let me know.
Cause can be any number of malware programs. This is pretty common
behavior even with av. A lot of stuff comes in through the kids
clicking on links sent in AIM, as you suspected. As you well know, the
user has to practice Safe Hex as well as have current av/antispyware
protection, and these kids just won't do that. Spend some time looking
in the forums here:
http://aumha.net
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.bleepingcomputer.com
You'll get a good idea of how broad your question really is and why I
can't give you a specific answer.
Prevention? Lock down your workstations completely by using a domain and
Group Policy, Deep Freeze, etc. If this isn't possible - perhaps the
students own the laptops and you don't have the control over them you
would need - then you either have to have a Large Stick (financial
incentive) with the parents or just do what you've been doing - image
the boxen and charge the parents for your time. Keep the rest of your
school's networks isolated from the laptops.
I help the tech god at my kid's school and we have a laptop program for
7th & 8th graders. Because we are a private school, we can be pretty
firm about what happens if the kids install cr*p and get a virus. If
you are a public school, you probably don't have that ability. The
public elementary schools here basically do nothing for the kids'
computers - quite a few of my clients have children with laptops in the
public schools and that is how I know this.
If you want any more information about how we manage our laptop program,
do post back.
Good luck,
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
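Added example, not from either poster: a read-only PowerShell audit of the registry locations behind the symptom list in Brian's post (the .EXE/.COM/.LNK associations, the CTRL-ALT-DEL notice, the logon-screen Shutdown button). The expected values are the stock Windows XP defaults as assumed here, not values taken from the thread; it flags entries that differ or are missing so you can record which shell keys were changed before reimaging.

```powershell
# Read-only audit: compare the registry locations behind the reported symptoms
# against the Windows XP defaults and report anything that differs.
# Expected values are the stock XP defaults as assumed by this example,
# not values taken from the thread.
$checks = @(
    # File associations: these are what break "double-click an .exe"
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';     Name = '(default)'; Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.com';     Name = '(default)'; Expected = 'comfile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' },
    # Shortcuts: a changed icon handler matches the "wrong icons" symptom
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.lnk';     Name = '(default)'; Expected = 'lnkfile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'; Name = '(default)'; Expected = '{00021401-0000-0000-C000-000000000046}' },
    # Logon screen: the CTRL-ALT-DEL notice text and the Shutdown button
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LegalNoticeCaption';   Expected = '' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LegalNoticeText';      Expected = '' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ShutdownWithoutLogon'; Expected = 1 }
)

function Test-ShellRegistryDefaults {
    param([array]$Checks = $checks)
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # A missing key or value is reported too: deleting HKCR\.exe breaks
        # program launching just as effectively as rewriting it
        $actual = if ($null -eq $item) { '<missing>' } else { $item.($c.Name) }
        [pscustomobject]@{
            Key      = $c.Path -replace '^Registry::', ''
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'CHANGED' }
        }
    }
}

# Rows marked CHANGED are worth exporting (reg export) before reimaging, so the
# next affected machine can be compared against this one.
Test-ShellRegistryDefaults | Format-Table -AutoSize
```

Run it from an elevated prompt on an affected machine and on a clean image of the same build; differences between the two runs are the registry changes the thread is trying to pin down.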