Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Trojan running thru network--what do I do? 1

Status
Not open for further replies.
kevotron

kevotron

Technical User
Aug 6, 2004
51
0
0
US
I have a windows 2003 20 user network with TrendMicro Antivirus serve suite. A number of users have emails today that have attachments saying "Outlook has blocked potentially unsafe attachment" they are .pif and .scr files--I have TrendMicro Antivirus set to send me alerts when there is any viral activity.I keep getting emails every 5 minutes or so saying

"Outbreak Alert!!
1 virus detected on 1 clients.


Client/Domain Name Virus Name Date/Time Action

Username File Name
TROJ_SMALL.AFG 4/7/2005 8:06:10 Infected file was successfully cleaned

Scanned by DCSScanned by DCS

It looks like it is running thru the network going from user to user. I am really not sure how to proceed, does anyone have any suggestions? I keep getting the warning emails, but it says the file has been cleaned--but if thats the case how come I keep getting more warnings?
 
Sort by date Sort by votes
I haven't used Trend Micro's product but if this is anything like Symantec's suite you should be able to run a complete network scan from the enterprise manager.

Also, you may not be infected with a virus. This could be an external attack where someone that has several people in your office on their mailing list is infected.
 
Upvote 0 Downvote
Is a scan of all machines out of the question? Is there a machine which has not been targetted? Do the emails you are receiving come in the dictionary order of the email address, eg a@blah.com, b@blah.com? Outlook XP and 2003 will block these files as far as I know but I don't think Outlook 2000 or earlier will. Start with those machines.
 
Upvote 0 Downvote
It may not be possible, but if you can pull the network connections and clean up the machines independently.


Steve

Life is like a Grapefruit, sort of orangey-yellow and dimpled on the outside, wet and squidgy in the middle, it's got pips inside too. Oh and some people have half a one for breakfast. Ford Prefect.

Want to do more with TGML Download Star
 
Upvote 0 Downvote
OK I wouldnt be suprised if this came from an email--we deal with the big 3 quite a bit and often get bizaare emails that seem to be randomly generated from somone's contacts (get stuff from auto companies by people who say they never sent it etc) Also the recent attack seems to be in random order, not alphabetic. Now with Trend Micro I cant find anything that allows a complete network scan--I ran a scan on the server and it came back OK. I got an email from the Trendmicro server saying that the Trojan had hit my machine, but that the infected file was successfully cleaned--I then ran I scan on my machine upon getting that warning and it said it was clean. I have run a scan on a couple of the machines that I got an email warning for and each has been clean. Should I still go to each machine individually and run a scan? I guess I am confused--if everthing is clean, how can this thing be propigatng across my network? If anyone can enlighten me that would be grand!
 
Upvote 0 Downvote
It may not be propigating from an internal source. You may be getting hit by an external source that is sending out messages every few moments.

I would still suggest going through your network to verify that nothing got through. It is time consuming to go machine to machine, but it is the best way to ensure your netwrok security.
 
Upvote 0 Downvote
I dont know if this has anything to do with it, but I have noticed on the router log that we have, as of about 2 weeks ago, been receiving "ping of death" alerts all coming from the same IP address now...

04/07/2005 11:52:01.496 Ping of death dropped
04/07/2005 11:50:54.816 Ping of death dropped
04/07/2005 11:32:01.512 Ping of death dropped
04/07/2005 11:30:54.848 Ping of death dropped
04/07/2005 11:18:21.512 Ping of death dropped

They stopped for a few days and then they started again today--any ideas, are they linked somehow?
 
Upvote 0 Downvote
I would add a rule to block all incoming traffic from that address.
 
Upvote 0 Downvote
When I pushed out the latest DCT from Trend this morning (577), I received about a 100 or so emails notifying me about this virus from most of my users. Trend immediately updated the DCT to 578...I'm suspecting that they might have had a false positive problem with this virus.
 
Upvote 0 Downvote
OK, excellent. I have blocked the port the PODs were coming on. Say, mjbianco--do you know if the Trendmicro Antivirus Suite has a "scan entire network" type option as was mentioned above for another server antivirus suite? I havemnt really seen anything like that in my perusal of the manual or in the software.
 
Upvote 0 Downvote
I'm assuming when you are saying suite, you are running ServerProtect on your servers and OfficeScan on your desktop clients? OfficeScan allows you to scan each computer on your network as long it's installed. Bascially, just open the web management console...should look something like this:
or Login - Choose Clients - Scan Now - Choose all of the computers you want to scan - Click Start.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Curious network activity over port 445
Replies
8
Views
107
DrB0b
DrB0b
shivajiboss
  • Locked
  • Question
I am getting a problem while opening up my windows
Replies
1
Views
79
2ffat
2ffat
Mike Lewis
  • Locked
  • Question
MsMpEng.EXE in MSE: necessary? desirable?
Replies
3
Views
86
Mike Lewis
Mike Lewis
2ffat
  • Locked
  • News
Audacity is Spyware?
Replies
2
Views
62
2ffat
2ffat
ChrisOfOz
  • Locked
  • Question
Lenovo startup problem please any ideas? 2
Replies
10
Views
150
Yoko Littner
Yoko Littner

Part and Inventory Search

Sponsor

Back
Top