
Backdoor-JZ, MultiDropper FL, W32/Deborm.worm 1

Status
Not open for further replies.

bolla

Programmer
Oct 4, 2002
6
US
Hi everybody.
I have these viruses in my network.
I have the McAfee anti-virus and it is updated. The last update was today. So I think it is not an antivirus version problem.
W32/Deborm.worm and MultiDropper created some files like "~2.EXE.VIR" in the startup folder for all users on the machine. These files are 0 KB. When I run a scan on a machine with these VIR files, the antivirus detects nothing. But a popup window appears saying that the antivirus has detected a file called "~2.exe.vir1" infected by W32/Deborm.worm and cannot clean the file, and cannot delete it.
My feeling is that the computer is not infected, but there is one computer which is the source and tries to infect the others; the virus is not resident on the target computer, just on the source.
I read the characteristics of these viruses, and I have no keys in the registry which would lead me to think that the machine is infected by one of them. No folder called Litmus for the Backdoor. I am really wondering, because after all this searching I cannot remove these viruses from the network.
Thanks for reading and I hope you will have an answer.
 
How many systems are on this network?.... the best practice is to remove all computers from the network, shut down and unplug the system to clear the memory, disable any system restore programs, boot to safe mode and scan the systems (files that cannot be quarantined or deleted are usually in use), then restart and return to the network.
 
The network has approximately 200 machines: servers and computers.
And it has 3 sites where people work. So it is not possible to get the head of department to accept shutting down the whole system.
I would prefer another solution; this one will not be possible.
But for the news: I found a folder called Litmus on 3 servers, and the key in the registry; the folder was recently created. I deleted them. But on the machines which show the infection message every time, till now, there is no folder called Litmus.
Thanks
 

"This is a NetBIOS worm that propagates via copying itself to accessible file shares on machines on the local subnet. It drops other (backdoor) malware on compromised machines."

As noted in the post above, you need to disconnect these machines from the network. If you don't, the virus will reinfect a clean machine every time you reconnect.

You will also have to find the malware backdoor programs that the virus has dropped, like the W32/Deborm.worm IRC backdoor trojan you mentioned in your post.

Look at this link for more info:


You also need to change the shares on the network and make sure they are password protected, and patched with the Microsoft security patches as applicable.

Your head of department is just going to have to understand that you can't get this out unless you shut each network down for a little while....

Do the server first, and then do each machine and reconnect it.
The actual amount of time you will have things down should not be that long.

Good Luck!

Kimber



Members of Tek-Tips provide answers to questions based on the information given. For the best answers, post detailed descriptions of the issue. Use the search features of the site to see if your issue was already addressed in another thread.
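A host-side triage script, added here as an illustration and not part of the thread: it looks for the zero-byte "~2.exe.vir" leftovers in the all-users Startup folder and the Litmus folder that bolla describes, and lists shares that Everyone, Guest or anonymous users can write to, which is the path a NetBIOS share worm uses to spread. It assumes a current Windows host with the SmbShare cmdlets; the directories searched for Litmus are a guess, since the thread does not give its location.

```powershell
# Added example, not code from the original thread. Indicator names come from the
# posts above; the roots searched for the Litmus folder are an assumption.
$findings = @()

# 1. Zero-byte "~*.exe.vir*" files in the all-users Startup folder, as bolla described
$startup = [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '~*.exe.vir*' -and $_.Length -eq 0 } |
    ForEach-Object { $findings += "Startup leftover: $($_.FullName)" }

# 2. A folder named "Litmus" (the backdoor's folder mentioned in the thread)
$roots = @($env:SystemRoot, $env:ProgramFiles, $env:SystemDrive)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'Litmus' } |
        ForEach-Object { $findings += "Litmus folder: $($_.FullName)" }
}

# 3. Non-administrative shares that Everyone, Guest or anonymous can change: the
#    worm copies itself to exactly this kind of share on the local subnet
Get-SmbShare -Special $false -ErrorAction SilentlyContinue | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest' -and
        $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read'
    } | ForEach-Object {
        $findings += "Open share: \\$env:COMPUTERNAME\$($share.Name) ($($_.AccountName): $($_.AccessRight))"
    }
}

if ($findings.Count -eq 0) { 'No indicators found on this host.' } else { $findings }
```

Run it on each machine after cleaning and before reconnecting it to the network; any "Open share" line is a share to lock down before the host goes back online.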
 
"As noted in the post above, you need to disconnect these machines from the network. If you don't, the virus will reinfect a clean machine every time you reconnect."

Kimber: it was my assumption that if the machine was disconnected, cleaned, then password protected (and updates applied!) the machine should then be safe from reinfection (except by the server).

I'm sure bolla would prefer to restore this one PC at a time, rather than shut the entire network down.

I thought that even the servers could be disconnected, cleaned, secured, and reconnected one at a time to avoid system downtime.

of course, I have (so far!) managed to avoid actual infection, so I've never had to perform CPR on my system :p

<marc> i wonder what will happen if i press this... Please give feedback on what works / what doesn't. Need some help? How to get a better answer: faq581-3339
 
Marc,

Theoretically speaking, you should be able to do what you have stated.

That said, things don't always work as they should.

This virus is a pain in the neck, because it isn't just ONE virus.

"This is a NetBIOS worm that propagates via copying itself to accessible file shares on machines on the local subnet. It drops other (backdoor) malware on compromised machines."

IMHO, the OPTIMAL way to rid the network is as I described.
Because I don't know what malware or other garbage it has dropped, I have advised this way.

I used to have exactly the opinion you have stated, until I had to deal with Opaserv on a network recently. ( I did not set this one up.)
I have since changed all of my virus removal techniques so I can remove once and not redo my work.

In a lot of cases, you are absolutely correct.

Giving advice on TT, I always go the safe route.
I don't want to have someone come back and tell me that they did as I have advised and the virus got loose again, due to a missing patch or for any reason. I also know that time is money, and that there could very well be back door access to this company's data.

Most of the time I clean the server, and create multiple disks so I can scan a dozen or so units at a time. Once those are completed, they reattach and you can patch from the server or whatever. It really doesn't take that long. User batch one is already back to work while you do the second one, and this network is divided into three sites, so that helps.

Each to his own, based on the product they are using, and experience.
I am the last one to say my method is always the best....I just try harder than most people to do a really good job. :)

Kimber



 
good old theory vs practice :)

Thanks Kimber - as mentioned, I've never suffered from actual infection, so I've avoided the recovery process so far...I may just try infecting my test lan to get some RW experience! And I agree, safe vs sorry, every time. [wink]


 
Ahhh experience....

If it were money I would be rich [lol]

If you do want to get good, you have to play with the little beggars....and you find out all the stuff nobody posts on the AV sites.
They don't tell you what happens when you combine three virus types on one unit do they?

But that is another thread for another day...

Hopefully bolla can come back to Tek-Tips and tell us the experience on this challenge so we may all learn something.



Have Fun!
 
Hi everybody,
your participation is very helpful. What we decided is to enumerate the infected machines, disconnect them, clean them and apply the updates.
What's new?
I noticed that the virus does not infect the machines which are protected by the PIN code. We are migrating to a new system with a smart card for login.
So the virus only infected the machines which are on the old legacy system.
Thanks again.
I will let you know.
Have a good day
 