Rouge Nachi infected machine

[nfg]

Whenever we connect a non-patched machine on our LAN it gets infected within minutes with the Nachi virus. We feel we have cleaned and patched (with the latest DAT and Microsoft critical updates) all the machines that we know of. We ran the Microsoft scan to make sure they all have the necessary critical updates, yet somewhere there exists a rouge machine on our network that is infecting any new non-patched machine that plugs into it.
What technique or utility can we use to help track down this illusive source?
Thanks,
NFG

 

[mattmsudawg]

The way we have found infected computers is sniffing network traffic and sorting the results by ip address and type of traffic, being ping traffic. The computers that are infected will definately stand out in the results. Once you find the ip address, just do a nbtstat for that ip and it'll give you the computer name. Good luck!!

 

[FatesWebb]

have you blocked the port on the firewall to the internet?

FatesWebb

if you do what I suggested it is not my fault...

 

[nfg]

Thanks for the responses. We have blocked the ports on the firewall to the internet from all our locations but it is still being propagated either locally or over the VPN since all the ports on the VPN are open. What kind of sniffer did you use and did you find it by detection of ICMP packets?

 

[MUROMEC]

Hi,

Antivirus will help You to detect and clean infection, but not to stop it. You need to patch the hole.

You have 2 options.
1. Patch every machine and do not have unpatched computers on network! ;-)
2. Cut of the source of the infection.

Best way - from my point of view - is to patch all computers.
Use SMS server, if You have one. Or use SUS server.
It's best sollution, because You will solve system updates problem for the future issues, too.

If You want to monitor network traffic You can use Microsoft Network Monitor - SMS version Or Ethereal - its free.
But need understanding of protocols and network traffic.

Good luck,

Muromec

 

[abrannon]

You may still have it on a PC that was patched after the virus was installed. If you are running EPO schedule a Scan task to scan all files on all PC's, then review the reports and see if any of the patched PC's are infected.

Then you will need to clean the PC and reinstall the patch.

If this is not the cause of your problem I might suggest your traveling users, (Laptops) some of our traveling users brought the file into our domain with unpatched Laptops. In atleast two cases we were infected by Contractors using our network to get out to thiers.


We have stayed on top of the resent virus/worm attacks by keeping all of the PC's patched when possible (we have users on 5 continents), and by regularly scheduled Scans (All Files).

 

[bfralia]

We just went through this mystery about having the virus on our patched machines. Some of them are scanned overnight if they are left on.

Our solution was to download Stinger ver 1.8.7, register it to EPO 3.0.1 and deploy, then schedule a run during the most active part of the day, it removed Nachi from about six machines and knock on wood, they have stayed gone.

If you don't have epo then you can manually run the stinger on each machine. You could put it on a shared drive and have your users go out and do it.

Virus-scan was telling us it was blocking the TFTPzzzz files as they were coming into the machines. It wasn't telling us machines with 24 hour availability were infected during our nightly virus scan.

This was all a surprise because as a company we've been very lucky I guess. This is the only serious outbreak we've had.

 

[cottonpants]

I've been using Ethereal (

http://www.ethereal.com/download.html)

and just filtering ICMP traffic hitting my own (patched and protected) computer. I couldn't believe how many infected workstations were on our network. Even after cleaning everyone up, we still get new ones popping up every couple of days - usually laptops...