Virus sending download.trojan -- need help tracking source

sjvtech

IS-IT--Management
Jan 4, 2005
Recently on our network, every day, several of our computers pop up a message from Norton Antivirus Corporate Edition saying "Download.trojan" has been detected and quarantined. The file is always C:\Winnt\system32\.pif

It seems to me that some machine(s) (whose antivirus has somehow failed) is trying to send out a virus to these other machines, which reject it because of current virus definitions, but I CAN'T FIND THE SOURCE. It is driving me insane. I scan the machines and I come up with nothing; Symantec's website only offers information about the download.trojan virus, but not about viruses that may use it or try to send it out. I need to know what virus I'm looking for so I can isolate it on the network and get rid of it.

Recently a couple of computers have registered W32.spybot.worm, but I can't seem to find any computer that actually has that active on it now, and I don't know how to scan the network to find it. I thought perhaps I had found something, but it may be a dead end.

In the system32 folder of some of my machines, there are several files labeled TFTP#### where # is a number... I'm not 100% sure, but I think this might have something to do with my virus problem. I don't know enough about tftp to know if these files are just random and not a problem or if I need to delete them every place I find them... I scan them and they don't have viruses, but I believe they might have some correlation, because I know that W32.spybot.worm has something to do with these files as well.

All I have are pieces... I need some help pulling them together to solve this once and for all. Any help or suggestions are greatly appreciated.
 
Try this to completely remove the trojan.

About the only way to track the source would require checking the server logs against the detection times for the affected machines. Once you find a correlation, check the files that were either emailed or downloaded by the machine just prior to the detection.

Instead, you may just want to ensure all machines have the latest definitions after you remove any remnants of this trojan.

Good luck.
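The correlation this reply describes, worked through as an added example (not code from the thread or from any of its posters): for every detection, collect the peers that exchanged traffic with the reporting host in the minutes before the alert, then rank peers by how many distinct victims they touched. Both logs are constructed samples in a simple space-separated layout; a real AV console export, firewall log or scheduled `netstat -n` poll would have to be mapped onto that layout first (an assumption of this example).

```python
"""Rank candidate source hosts by correlating AV detection times with
connection records.  Added example, not from the thread; both logs are
constructed samples and the column layout is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AV console export: timestamp, reporting host, threat name, path.
AV_EVENTS = r"""
2005-01-04 09:12:31 WS-104 Download.Trojan C:\WINNT\system32\.pif
2005-01-04 09:12:44 WS-117 Download.Trojan C:\WINNT\system32\.pif
2005-01-04 09:13:02 WS-121 Download.Trojan C:\WINNT\system32\.pif
2005-01-04 09:13:20 WS-130 Download.Trojan C:\WINNT\system32\.pif
"""

# Constructed connection records: timestamp, source host, destination host, port.
CONN_LOG = """
2005-01-04 08:40:10 WS-088 WS-104 445
2005-01-04 09:11:58 WS-088 WS-104 445
2005-01-04 09:12:06 WS-104 WS-088 69
2005-01-04 09:12:10 FILESRV WS-104 445
2005-01-04 09:12:20 WS-088 WS-117 445
2005-01-04 09:12:30 WS-117 FILESRV 445
2005-01-04 09:12:50 WS-088 WS-121 445
2005-01-04 09:12:55 DC01 WS-121 389
2005-01-04 09:13:01 WS-088 WS-130 445
2005-01-04 09:13:30 WS-088 WS-140 445
"""

AV_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+)$")
CONN_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_av(text):
    """Return (time, host, threat, path) tuples; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def parse_conns(text):
    """Return (time, src, dst, port) tuples; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return out


def rank_sources(av_events, conns, window_s=120):
    """For each detection, collect every peer that exchanged traffic with the
    reporting host inside the window before the alert, in either direction
    (the victim may pull the payload back from the source).  Peers are ranked
    by how many distinct victims they touched; one seen before every
    detection is the strongest lead."""
    victims_by_peer = defaultdict(set)
    for ts, host, _threat, _path in av_events:
        lo = ts - timedelta(seconds=window_s)
        for cts, src, dst, _port in conns:
            if not (lo <= cts <= ts):
                continue
            if dst == host and src != host:
                victims_by_peer[src].add(host)
            elif src == host and dst != host:
                victims_by_peer[dst].add(host)
    ranked = sorted(victims_by_peer.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(peer, len(victims)) for peer, victims in ranked]


if __name__ == "__main__":
    for peer, n in rank_sources(parse_av(AV_EVENTS), parse_conns(CONN_LOG)):
        print(f"{peer:10} talked to {n} of the detecting hosts shortly before the alert")
```

Infrastructure that talks to everyone (file servers, domain controllers) will also score, so the ranking is a shortlist to check by hand, not a verdict; on the constructed data the file server appears before two detections and the one workstation before all four.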
 
I'm not sure what you mean by "check the server logs"... what server logs are you referring to?

Maybe I wasn't clear. What happens is this. Suddenly, about 10-15 computers pop up a Norton Antivirus message that lists that a file called ".pif" in the C:\WINNT\System32 folder has been accessed and this file has a virus. Apparently these 10-15 computers on our network are missing a Windows patch... however, Norton still stops and quarantines the virus all the same.

When this happens, I have tried to check the detection times against audit logs to see if a computer has been turned on close to the time that the virus is detected (working under the assumption that a computer is being turned on and at that moment is trying to send out the virus), but have not had any luck when trying that.

I have also tried using netstat to see what computers might be trying to connect to the computers that receive the virus notification, but when I used the netstat command there was no record of anything beyond the normal connections.

The download.trojan virus that is being detected in the ".pif" file isn't the problem... the computers successfully stop that... the problem is the computer trying to send it out, periodically every day. I need to know what virus tries to use a "download.trojan" inside of a file called ".pif" so that I can have a better chance of isolating the offending computer.

We've got several hundred computers on our site; I just need a way to narrow down the search.
 
It does not give you any other name before the .pif?

Did you try the downloader removal from the link I gave?

 
No, there is no name before the .pif; the file is only named .pif... and the downloader remover file doesn't work... probably because there is nothing to remove. These computers don't have a virus because Norton Antivirus already takes care of it. I'm looking for the computer SENDING the virus.
 
OK, are the machines that send the warning message all on the same subnet?

Are they always the same machines, or do they vary?

Have you tried an alternate spyware program, i.e. Spybot S&D?
 
See the following; we were hit with this and it was a big pain in the butt to remove from our network.

thread83-948390

 
If it is the virus zarkon4 points to, then I can tell you that you need to find the machine that has the c.bat in the Registry, and there is your culprit.
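A sweep for the indicators the thread converges on (a c.bat in the system folder or referenced from the Registry, a file named just .pif, and TFTP#### leftovers in system32), as an added example that is not code from the thread or its posters. The host directory layout and the .reg text are constructed fixtures; against real machines the system32 path would be an admin-share mount and the .reg text a `reg export` of the Run keys (assumptions of this example). The verdict rule encodes the reasoning in the replies above: c.bat marks a suspect source, TFTP residue alone only shows a host received a transfer.

```python
"""Sweep hosts' system32 listings and exported Run keys for the indicators
named in this thread.  Added example, not from the thread; the directory
layout, the .reg export and the value names are constructed fixtures."""
import os
import re
import tempfile

FILE_INDICATORS = {
    "c.bat": re.compile(r"^c\.bat$", re.IGNORECASE),
    "bare .pif": re.compile(r"^\.pif$", re.IGNORECASE),
    "TFTP residue": re.compile(r"^TFTP\d+$", re.IGNORECASE),
}
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def sweep_system32(path):
    """Return (filename, indicator) pairs found in one system32 directory."""
    hits = []
    for name in sorted(os.listdir(path)):
        for label, rx in FILE_INDICATORS.items():
            if rx.match(name):
                hits.append((name, label))
    return hits


def registry_refs(reg_text, needle="c.bat"):
    """Return (key, value name, data) for every exported value whose data
    mentions the needle, e.g. a Run entry that launches c.bat."""
    refs, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and needle.lower() in vm.group(2).lower():
            refs.append((key, vm.group(1), vm.group(2)))
    return refs


def triage(root, reg_exports):
    """root/<host>/system32 holds each host's listing (assumed layout);
    reg_exports maps host -> exported Run-key text.  c.bat on disk or in the
    registry marks a suspect source; TFTP residue alone means the host
    received a transfer."""
    report = {}
    for host in sorted(os.listdir(root)):
        sys32 = os.path.join(root, host, "system32")
        files = sweep_system32(sys32) if os.path.isdir(sys32) else []
        regs = registry_refs(reg_exports.get(host, ""))
        labels = {label for _, label in files}
        if "c.bat" in labels or regs:
            verdict = "suspect source"
        elif "TFTP residue" in labels:
            verdict = "received transfer"
        else:
            verdict = "clean"
        report[host] = {"files": files, "registry": regs, "verdict": verdict}
    return report


def build_fixture():
    """Constructed sample: three hosts' system32 listings plus one Run-key export."""
    root = tempfile.mkdtemp(prefix="sweep-")
    layout = {
        "WS-088": ["c.bat", "TFTP1324", "TFTP2241", "cmd.exe"],
        "WS-104": ["TFTP3105", "notepad.exe"],
        "WS-117": ["cmd.exe", "tftp.exe"],  # tftp.exe itself ships with Windows
    }
    for host, names in layout.items():
        d = os.path.join(root, host, "system32")
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()
    reg = {
        "WS-088": "Windows Registry Editor Version 5.00\n\n"
                  "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
                  '"Synchronization Manager"="mobsync.exe /logon"\n'
                  '"ExampleValue"="c.bat"\n',  # constructed value name
    }
    return root, reg


if __name__ == "__main__":
    root, reg = build_fixture()
    for host, info in triage(root, reg).items():
        print(host, info["verdict"], info["files"], info["registry"])
```

Note that tftp.exe itself is a standard Windows binary and is deliberately not an indicator; only the numbered TFTP#### transfer leftovers are flagged.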
 
Now it's WORSE!

I went through following the directions listed in the other thread.

Sure enough, there was a c.bat file in the system folder of many of these machines... it was very easy to pinpoint which machines had this. However, I did not find any of the other files (I assume that the virus detection software probably stopped them... since it was catching the .pif file, it couldn't download the other virus).

However, when I deleted the c.bat, all of my users that had the c.bat file started restarting with a message about lsass.exe having an error and the system will now reboot!!

Now my users are restarting randomly for no particular reason. I checked the registry and I don't see anything out of the ordinary. What could be the problem now?
 
Did you disable the System Restore Point? If not, you probably loaded the original virus.

Hate to say it, but you are back at square 1.
 
These are NOT XP machines; they are Windows 2000. No system restore point to worry about.

Also, I would assume Norton would have caught the virus again if it were back, and in addition, this restarting thing never happened before; this is the first time this happened.

The only file that was on my computers was c.bat; there weren't even any references to that or any of the other files listed in the post in the registry, so all I had to do was delete c.bat... but once I did that, the machines started getting lsass.exe errors (and it's not Isass, I checked that, it's the real Lsass) and restarting periodically.

 