VSE 8.0i not working the way it should

[TigerDivision]

Hi all!

Today the VSE 8.0i on our mail server intercepted a virus called W32/Sdbot.worm!ftp and was deleted. However it somehow managed to release its payload by inserting in the Run command a statement in order to connect to an ftp server in order to download the worm. This already occurred on another occassion. Why did it manage to do what it did even though it was intercepted by VSE and deleted?
Has anyone encountered this strange behaviour before?

Thanks

 

[VictorySabre]

I could be wrong on this, but I think the virus detected is just the FTP script component of the worm. (

http://vil.nai.com/vil/content/v_128082.htm)

The worm may already be installed and running on your PC and all VirusScan did was just detect and remove that component, but not the entire worm.

Have you tried a full On-Demand Scan of the PC to see if there are traces of the worm stored and running on that PC? Is your PC fully patched with the required Microsoft security patches, in case the variant of the worm you have exploits a vulnerability that Microsoft has released patches for it already.

 

[TigerDivision]

Thanks for your post. Yes I did a full on-demand scan and nothing was found. Also the server has the latest MS security patches installed on it.
Very weird indeed!

Thanks

 

[bugguy51]

Have seen several of the same phenomenon on my network--most notably a recurring Vundo infection that's successfully cleaned 4-5 times a day from specific machines. Would seem to usually be a secondary infection from an unknown multidropper variant, but be aware I've rebuilt a couple of machines that have been successfully rootkitted.

The Bug Guy