Re: Virus? - Disable .EXE, .COM, .LNK and group policy.
From: Zvi Netiv (support_at_replace_with_domain.com)
Date: 05/26/05
- Next message: Phil Weldon: "Re: Ooops!"
- Previous message: David H. Lipman: "Re: Backdoor.Lateda.C"
- In reply to: Brian Hoyt: "Virus? - Disable .EXE, .COM, .LNK and group policy."
- Next in thread: cquirke (MVP Windows shell/user): "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Reply: cquirke (MVP Windows shell/user): "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Reply: cquirke (MVP Windows shell/user): "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 May 2005 18:24:08 +0300
"Brian Hoyt" <hoyty@hoyty.com> wrote:
> First I want to say I am not interested in removing the problem as I can
> reimage machines, I am more interested in figuring out the cause and
> prevention methods.
Figuring out the cause and preventing reinfection requires that you find out how
whatever stung these computers entered the system.
> We have recently started seeing behavior on laptops that appears to be a
> virus, I am however having great problem tracking it down. The symptoms
> include but are not limited to:
> Disable in registry .EXE, .LNK and .COM
Run www.invircible.com/download/fix_exe.reg. It's a registry merge file that
fixes the "shell open" command associations that are stolen by many malware. In
stubborn cases, you will have to run the merge file in safe mode *with command
prompt* to regain control of your utilities, which will let you find out how that
malware initializes. Which is what you are after.
> Disable most (if not all) Group Policy settings
> Add a security warning on pressing CTRL-ALT-DEL on login screen that is
> random characters.
> Disable Shutdown from startup screen
> Disable display of proper icons, I believe this is related to the .LNK but it
> doesn't always happen.
The apparent disabling of the LNK association is the byproduct of stealing the
shell-open command from COM/EXE. There is none for LNK.
> Once this happens a user can login to a machine. Applications cannot be
> directly started but they can be started via opening an existing document for
> example. I have attempted to fix the registry to allow programs to run but I
> haven't had any luck.
This is why I offered the REG version of the fix file. The executable version
is www.invircible.com/download/fixregex.com
> Some background on the machines. The machines are of varied platforms of
> laptops and tablets. All are running custom images and the problem has
> occurred across multiple images. The machines have Symantec Corporate
> Anti-Virus and Lavasoft Ad-Aware Plus running in realtime. They are all XP
> SP2 with patches within a month or two of recent.
Something that isn't always understood well enough: Real-time AV and
anti-spyware cannot stop malware that is being installed across the network,
*even* if the malware is known to the protection SW, and the definitions file is
the latest available. The reason is inherent to how AV works.
It seems that whatever it is, it enters through weakly protected shares, like
admin$. The random characters displayed at the login screen could be the
password guessing routine at work.
> These are all student machines so I don't get a lot of detail of cause. In
> almost all cases the machines either have AOL or AIM and sometimes it is the
> last thing the students ran. Most describe a burst of network traffic and
> then the problem occurs. In most cases they continue to work fine until they
> reboot and that is when all the links and applications stop working. In a
> few rare cases Ad-Aware catches the registry changes and I have been able to
> see some of them happen, I have not been able to find the cause though.
Could you elaborate on the changes that Ad-Aware caught?
> Any help or pointers on this much appreciated. If there are any further
> details I can offer let me know.
The following page and white paper could be worth reading:
www.invircible.com/item/53 describes general methods to deal with malware at the
PC level, and http://www.invircible.com/papers/IV4Enterprise.pdf takes it
further to the level of centralized real-time anti-malware command and control.
Regards, Zvi
--
NetZ Computing Ltd. ISRAEL
www.invircible.com   www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
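An added example, not part of the post above and not InVircible's fix_exe.reg: a small Python script that reads a "reg export" of the exefile, comfile, batfile, piffile and scrfile classes, reports which shell\open\command (Default) values no longer hold the stock value, and writes a merge file that restores them. The XP default values listed in EXPECTED, the placeholder hijack path in the constructed sample export, and all function names are assumptions of this example, not facts from the thread.

```python
r"""Audit a .reg export for hijacked shell\open\command associations and
emit a merge file that puts the XP defaults back. On the affected machine
(from Safe Mode with Command Prompt if nothing starts from Explorer):

    reg export HKCR\exefile exefile.reg
    reg export HKCR\comfile comfile.reg
    python audit_shell_open.py exefile.reg comfile.reg > fix.reg
    regedit /s fix.reg
"""
import re
import sys

# Assumed Windows XP defaults for the executable file classes.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# (Default) value of the current key: @="..." with \" and \\ escapes inside
_DEFAULT_RE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash; undo it
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_defaults(text):
    """Map each key in a .reg export (lower-cased; registry keys are
    case-insensitive) to its (Default) string value, or None if unset."""
    defaults, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            defaults.setdefault(current, None)
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            defaults[current] = _unescape(m.group("val"))
    return defaults

def audit(defaults):
    """Return {key: (status, actual)}; status is 'ok', 'hijacked',
    'no default' (key exported but value unset) or 'not exported'."""
    result = {}
    for key, expected in EXPECTED.items():
        k = key.lower()
        if k not in defaults:
            result[key] = ("not exported", None)
        elif defaults[k] is None:
            result[key] = ("no default", None)
        elif defaults[k] == expected:
            result[key] = ("ok", defaults[k])
        else:
            result[key] = ("hijacked", defaults[k])
    return result

def build_fix_reg(keys=None):
    """Return .reg text restoring EXPECTED for the given keys (default: all).
    Merge with `regedit /s fix.reg`, which works even if regfile is hijacked."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in (keys if keys is not None else EXPECTED):
        lines += ["[%s]" % key, '@="%s"' % EXPECTED[key].replace("\\", "\\\\").replace('"', '\\"'), ""]
    return "\r\n".join(lines)

# Constructed sample export: exefile hijacked (placeholder path), comfile
# intact, batfile with no default, piffile and scrfile not exported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\hijack_example.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
'''

def main(argv):
    blobs = [open(p, "rb").read() for p in argv[1:]]
    # exports may be UTF-16LE with a BOM or plain ANSI; accept both
    text = "\n".join(b.decode("utf-16" if b[:2] == b"\xff\xfe" else "latin-1") for b in blobs) or SAMPLE_EXPORT
    findings = audit(parse_reg_defaults(text))
    for key, (status, actual) in findings.items():
        sys.stderr.write("%-13s %s%s\n" % (status, key, "" if actual is None else " -> " + actual))
    bad = [k for k, (s, _) in findings.items() if s in ("hijacked", "no default")]
    if bad:
        sys.stdout.write(build_fix_reg(bad))  # fix.reg for the broken keys only
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With no arguments it audits the embedded sample; with one or more export files it reads those, prints the findings on stderr and the repair merge file on stdout. A hijacked value is anything other than the stock string, so a path wrapped around "%1" %* (the usual pattern, where the intruder runs first and then hands the real program its arguments) shows up as "hijacked". If the .reg association has been taken over as well, double-clicking fix.reg does nothing useful; "regedit /s fix.reg" typed at the command prompt does not depend on it, which is why the safe-mode-with-command-prompt route above matters.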