We've seen this, unfortunately there are thousands of variants of this worm. First things first...
Make absolutely sure you are completely cleaning a machine!!! No matter how much patching is done, if the machine has already been compromised it WILL get reinfected. We found that McAfee, even when up to date, would NOT catch this worm until we reverse engineered an infected machine and submitted samples of every file that was created. It may be worth your while to get one of those EXE files on a clean machine and infect away...run etherpeek, filemon, regmon, etc. Took us a day, but saved us at least a week of running around trying to fix machines that were reinfected.

Second: These are the vulnerabilities this worm is known to attack:

DCOM RPC vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
WEBDAV vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
LSASS vulnerability - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

FYI, the version of the worm we got was using the vulnerability in MS04-011.

Last: Try and find out what site/port these machines are connecting to and kill it via DNS - snoop the interface on an infected host to find out where it's going.

As for the external vendors, what about quarantining the conference rooms - internet access only. If internal folks need to use it have them VPN back to the internal net, or designate certain confrooms as "external connectivity" only...

-Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, November 22, 2004 12:28 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] virus/worm

Hi all.

I am having a serious issue with bot type worms that keep infecting my machines over and over. It doesn't matter that I'm fully patched and my virus defs are up to date. I use Symantec Corporate Edition 9.0 in a win2k mixed mode AD environment. My machines all have the most up to date patches and hot fixes. I have seen machines that are up to date in everything get reinfected time and time again.

The worm is a variant of what Symantec calls Spybot.worm32. It usually creates an exe in system32 called Explorer.exe or 386.exe or svchosting.exe and no matter the defs it slips by Symantec. This is a posting perhaps better sent to a virus or Symantec list, but you guys seem really knowledgeable and I'd like to pick your collective brains about how to deal with this issue. I assume it's getting in via laptop users who take their PCs home at night or some of our traveling sales guys, but if my desktops are up to date and patched, they shouldn't get infected. No? Am I being naive?

Finally, we are a liquor distributor and a lot of times we have suppliers from other companies come in with laptops that give PowerPoint presentations and access our internet connection. These guys are from elsewhere so they don't have accounts in our domain and thus log in locally. How can I protect myself against these guys? Management insists they be allowed to do their thing with their laptops on our network when they come in, and since they don't log into our domain, I can't even push out a GPO and I'm at the mercy of these guys and what their IT dept did or did not do. Help!

Thanks a lot. If I can get a solution to just one of these 2 questions, I'll be a happy man.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
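Alex's reply recommends snooping the interface on an infected host to find the site/port it beacons to and then killing that destination via DNS. The script below is an added example of that triage step, not code from anyone in the thread: it reads a constructed connection summary for a suspect host, ranks the destinations it contacts repeatedly (candidate command-and-control or download sites), flags scanning of other internal hosts on the ports behind the three bulletins Alex lists (the port-to-bulletin mapping is a standard association assumed here, not stated in the thread), finds other internal hosts talking to the same beacon, and emits BIND-style A records that point the resolved name at a sinkhole. The log format, addresses, names and the DNS answers are all constructed for the example.

```python
"""Triage outbound traffic from a suspected infected host.

Added example (not from the ActiveDir thread). The flow-record format,
all addresses, the hostnames and the DNS answers below are constructed.
"""
from collections import Counter, defaultdict

# Constructed flow records in a hypothetical "timestamp src > dst:port proto"
# form, as a sniffer summary might produce. 10.1.1.23 is the suspect host.
FLOWS = """\
2004-11-22T12:00:01 10.1.1.23 > 192.0.2.10:6667 tcp
2004-11-22T12:00:31 10.1.1.23 > 192.0.2.10:6667 tcp
2004-11-22T12:01:01 10.1.1.23 > 192.0.2.10:6667 tcp
2004-11-22T12:01:31 10.1.1.23 > 192.0.2.10:6667 tcp
2004-11-22T12:01:40 10.1.1.23 > 10.1.1.50:445 tcp
2004-11-22T12:01:40 10.1.1.23 > 10.1.1.51:445 tcp
2004-11-22T12:01:40 10.1.1.23 > 10.1.1.52:445 tcp
2004-11-22T12:01:41 10.1.1.23 > 10.1.1.53:135 tcp
2004-11-22T12:01:41 10.1.1.23 > 10.1.1.54:135 tcp
2004-11-22T12:02:00 10.1.1.23 > 10.1.1.5:53 udp
2004-11-22T12:02:05 10.1.1.23 > 198.51.100.7:80 tcp
2004-11-22T12:02:09 10.1.1.9 > 192.0.2.10:6667 tcp
""".splitlines()

# Constructed DNS answers observed on the wire (name -> address), used to map
# a beacon address back to the name the host resolved before connecting.
DNS_ANSWERS = {
    "irc.example.invalid": "192.0.2.10",
    "www.example.invalid": "198.51.100.7",
}

# Standard port associations for the bulletins named in the thread. This
# mapping is an assumption of the example, not something the thread states.
EXPLOIT_PORTS = {
    135: "MS03-026 DCOM RPC",
    445: "MS04-011 LSASS",
    80: "MS03-007 WebDAV",
}


def parse_flow(line):
    """Split one constructed record into its fields."""
    ts, src, _, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def outbound_from(flows, host):
    """All records where the suspect host is the source."""
    return [f for f in map(parse_flow, flows) if f["src"] == host]


def find_beacons(flows, host, min_count=3):
    """Destinations the host contacts repeatedly: candidate C&C / download sites.

    Returns (dst, port, count) tuples, most frequent first.
    """
    counts = Counter((f["dst"], f["port"]) for f in outbound_from(flows, host))
    hits = [(d, p, n) for (d, p), n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda x: -x[2])


def find_scanning(flows, host, min_targets=2):
    """Exploit ports hit on several distinct hosts: the worm trying to spread."""
    targets = defaultdict(set)
    for f in outbound_from(flows, host):
        if f["port"] in EXPLOIT_PORTS:
            targets[f["port"]].add(f["dst"])
    return {EXPLOIT_PORTS[p]: sorted(t) for p, t in targets.items()
            if len(t) >= min_targets}


def hosts_contacting(flows, dst, port):
    """Every source talking to the beacon: other machines to clean."""
    return sorted({f["src"] for f in map(parse_flow, flows)
                   if f["dst"] == dst and f["port"] == port})


def sinkhole_records(beacons, dns_answers, sink="127.0.0.1"):
    """BIND-style A records overriding the names the beacons were resolved from."""
    ip_to_name = {ip: name for name, ip in dns_answers.items()}
    names = sorted({ip_to_name[d] for d, _, _ in beacons if d in ip_to_name})
    return [f"{name}. IN A {sink}" for name in names]


if __name__ == "__main__":
    suspect = "10.1.1.23"
    beacons = find_beacons(FLOWS, suspect)
    print("beacons:", beacons)
    print("scanning:", find_scanning(FLOWS, suspect))
    for dst, port, _ in beacons:
        print("also contacting", f"{dst}:{port}:", hosts_contacting(FLOWS, dst, port))
    print("sinkhole zone lines:", sinkhole_records(beacons, DNS_ANSWERS))
```

The beacon threshold and the "several distinct hosts" threshold are deliberately low for the constructed sample; on a real capture raise them so that ordinary DNS and web traffic does not show up as a beacon, and cross-check any candidate against what the host actually resolved before sinkholing a name.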
