Re: Virus running through our network
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Wed, 18 May 2005 13:35:09 -0500
From the description of what the Symantec technician said it sounds like the
infection relies on weak passwords and weak share permissions. Weak
passwords would be the biggest threat. Windows 2000 by default also gives
everyone full control access to a new share which then puts all your share
security on ntfs permissions. Windows 2000 also installs a number of
services by default that should be disabled such as IIS if not used.
Based on your description and what Symantec said I would do at least the

Make sure your antivirus is kept up to date AND scans ALL email attachments.
Keeping current with critical updates is great but that will only help
prevent malware that attacks operating system vulnerabilities such as

If at all possible do not allow your users to be local administrators.
Review administrator group membership on all your computers and for the
domain to make sure it is what you expect.

Use a password policy that enforces password complexity and require
passwords to be at least seven characters in length. If that is a big change
for your users be sure to educate them of changes ahead of time. You will
have to force users to change their passwords if you currently do not use
expiring passwords. User accounts can be configured to "change password at

Run the Microsoft Baseline Security Analyzer on all your computers to check
for many vulnerabilities including very weak passwords and open share
permissions. It is free and available at the link below.

Read the free Microsoft Antivirus in Depth guide from the link below. It
explains how malware works/propagates, how to deal with virus outbreaks, and
preventative actions for the future.

Review security practices at Technet Security that apply to your network,
applications, and operating systems.

--- Steve
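The three checks Steve recommends (administrator group membership, shares that grant Everyone broad access, and the effective password policy) can be scripted so they are run the same way on every machine. The script below is an added example and is not from the original thread or from Microsoft; it assumes a current Windows host with the LocalAccounts and SmbShare modules (Windows 8 / Server 2012 or later) and an elevated PowerShell session. The Windows 2000 machines discussed in the thread predate these cmdlets, so on those you would use the equivalent `net localgroup`, `net share` and `net accounts` commands by hand, or run MBSA as Steve suggests.

```powershell
# Added example (not part of the original post): audit the weaknesses the
# thread attributes the outbreak to. Assumes an elevated session on a host
# with the LocalAccounts and SmbShare modules (Windows 8 / Server 2012+).
#Requires -RunAsAdministrator

# 1. Local Administrators membership. Anything beyond the built-in
#    Administrator account and Domain Admins deserves a second look.
Write-Host "== Local Administrators group members =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. User-created shares that give Everyone / Authenticated Users / Users
#    Full or Change access at the share level. The administrative shares
#    (C$, ADMIN$, IPC$) are flagged 'Special' and are skipped here.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
Write-Host "== Non-admin shares granting broad write access =="
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -in $broadPrincipals -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Full', 'Change')
    } | ForEach-Object {
        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Account = $_.AccountName
            Right   = $_.AccessRight
        }
    }
} | Format-Table -AutoSize

# 3. Effective password policy. On a domain member this reflects the domain
#    policy; warn when minimum length is below the seven characters Steve
#    recommends or when passwords never expire.
Write-Host "== Effective password policy (net accounts) =="
$policy = net accounts
$policy

$minLenLine = $policy | Select-String 'Minimum password length'
$maxAgeLine = $policy | Select-String 'Maximum password age'
if ($minLenLine) {
    $minLen = [int](($minLenLine.Line -split ':')[-1].Trim())
    if ($minLen -lt 7) {
        Write-Warning "Minimum password length is $minLen; thread recommends at least 7."
    }
}
if ($maxAgeLine -and $maxAgeLine.Line -match 'Unlimited') {
    Write-Warning "Passwords never expire; users will not be forced to change weak ones."
}
```

Run it from an elevated prompt on each machine (or push it through a remote management tool) and compare the output against what you expect: unexpected members in Administrators, any share row in the second table, or either warning in the third section are the findings to act on first.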
"Carl Gross" <CarlGross@discussions.microsoft.com> wrote in message
> Recently, the Backdoor.Trojan virus popped its head into our network. I
> restarted all the machines in safe mode and ran our anti-virus programs
> it appeared as though it got them (even on the machines that didn't pop up
> with a virus alert).
> When I spoke with the Symantec technician, he said it probably got through
> the network via our network shares. He suggested that it may have broken
> through our simple passwords onto each machine. I have W2K SP4
> that are up-to-date on their critical updates. Can the virus still run
> through with permissions like Domain Admins having full rights and Domain
> Users having R/W rights?