Re: New/Old Windows virus? Help required please.




William wrote:
on 04 Jan 2007, something possessed to write:

Hi,

Can't find anything on this on the net - virus websites, McAfee (for
what it's worth), Symantec etc, nor in newsgroups or anything so am a
bit stuck.

Basically a running and re-occurring exe called "Wind0wz.exe" was
running on this Windows 2003 server and the first we realised was when
the customer's internet access stopped.

What happened was that their Sonicwall firewall was reporting a
Synflood attack from this server - the server was flooding the entire
subnet on TCP port 2967 which filled up the NAT table on the Sonicwall,
effectively stopping any other traffic through it.

Only when we killed this exe did it stop. The exe popped up again later
so we put blocking rules on that TCP port to "effectively" stop it. We
have no knowledge of how to eradicate this problem and
spyware/malware/virus checking full sweeps have not detected it.
Current A/V is Symantec 10d and it was fully up to date.

As far as we are aware no other computers on the subnet have been
infected with this as nothing else is broadcasting in this way.

We also put a GP on the server blocking that exe but not sure if that's
going to work yet as the program runs as system and the GP setting to
block exes is under user configuration - not sure if "system" counts as
a user.

So, hope this helps someone else out there out if they get this - or
maybe someone's come across this before and can help us?

Oh - the only other thing was that the server had not windows updated
for ages and has 70 criticals which we're currently putting on.

Cheers

MoF.

Without Windows updates, who knows what's lurking on there. In my
experience, computer malware are often like roaches, the average user
will only notice one after an extensive infestation. Anyway, before you
do a clean wipe (which is probably the best policy), submit the file
Wind0wz.exe to virustotal at www.virustotal.com. It will scan the file
against several major AV vendors and give you results. It will also
submit the file to the AV vendors for analysis.

Regards,

Will


Cool well thanks for your comments both of you - I understand that you
can never be sure with a system that has had a virus/malware and the
only way to be sure is a full wipe/reinstall etc .... it's trying to
convince a customer they need to pay for it is the thing :/

The annoying thing re your virustotal.com comment is that we can't find
the exe. We've not deleted it so I can only think that it's a renamed
temporary file when it's launched and deletes itself when you kill the
program?? We've searched on a whole load of parts of the word Wind0wz
*d0w* etc etc but can't find it on the server! Great....what a life
people who create these things must lead - sad twats.
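
Added example, not part of the original thread: the symptom in the first post (one host sending SYNs across the whole subnet on TCP port 2967) can be picked out of connection logs by counting distinct destinations per source and port inside a sliding time window. The log format, the addresses and the thresholds are constructed assumptions for illustration, not SonicWall's actual output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed records: 'time src dst dport tcp_flags' (not SonicWall's format)."""
    base = datetime(2007, 1, 4, 10, 0, 0)
    lines = []
    # One host sending 10 bare SYNs per second across the subnet on TCP 2967.
    for i in range(1, 61):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} 192.168.1.10 192.168.1.{i + 10} 2967 S")
    # An ordinary client: a few SYNs to two file servers.
    for i, dst in enumerate(["192.168.1.5", "192.168.1.5", "192.168.1.6"]):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.168.1.20 {dst} 445 S")
    lines.append("truncated record")  # malformed input must not break parsing
    return lines

def find_sweeps(lines, window=timedelta(seconds=10), min_targets=20):
    """Map (src, dport) -> peak count of distinct hosts SYNed inside one window."""
    events = defaultdict(list)  # (src, dport) -> [(time, dst), ...]
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] != "S":
            continue  # skip malformed records and anything but a bare SYN
        ts, src, dst, dport, _ = parts
        events[(src, int(dport))].append((datetime.fromisoformat(ts), dst))
    offenders = {}
    for key, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dst -> SYNs currently inside the window
        start = peak = 0
        for t, dst in evs:
            in_window[dst] += 1
            while t - evs[start][0] > window:  # slide the window's left edge
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            offenders[key] = peak
    return offenders

if __name__ == "__main__":
    for (src, port), n in find_sweeps(constructed_sample()).items():
        print(f"{src} sent SYNs to {n} distinct hosts on TCP {port} within 10 s")
```
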
