The passwords are strong, which is why it's not getting anywhere, and the users who are local admins are getting locked out from bad logon attempts.

Renaming the admin accounts is not going to stop the worm from going out on those ports and flooding my network and bringing everything to a crawl. I need to know how to stop it from getting in to begin with, and it seems that patching and updated AV defs don't help. According to Symantec, this worm has had definitions for it since last year, so why am I getting infected with today's defs? I sent a sample to Symantec today. Still, this has happened a lot with different worms and I can't be brought to my knees having my staff run around to 50+ PCs. Also, the constant barrage of outgoing calls on ports 54321, 6667, 445, et al. brings the whole network to a slooow crawl. Every time this happens, I can't just wait for a dat file from Symantec. And honestly, I don't think a different AV product will help. They all have their issues, and one from corp X will take care of this issue but fail on another new worm. And having 2 or more AVs running on a client will probably slow the system down as much as a virus would. I need to do something proactive, and I don't think taking users out of the local admin groups on their boxes and renaming the local admin accounts will help. The worm will still flood my network, and I've seen worms that run as local system. I can't be the only one with this problem. Or the only admin so inept (well, maybe :)). There's just got to be a way. At first it was if you were patched and up to date, you were good. Now that doesn't seem to work.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

1) I get numerous logon hits on my DCs. Some accounts are Admins, some are just regular users who get locked out. None of the attempts succeed.

Check the Event Logs on the clients that got infected. If it is trying to get into the systems using passwords, it is going after the local Administrator account and this won't show up on your DC.

2) The system I ran the exe on was a WinXP SP1, fully MS patched (system restore disabled) and up to date via Symantec Corporate Edition 9.0. Still it got infected.

Unless this was run by someone with only User level rights, this makes perfect sense, think about it. The virus uses exploits to get to the system and then executes itself. If you copy it to the system and then run it, it doesn't matter if it is patched, you ran it. Have you uploaded the file to Symantec and have you downloaded the Rapid Release definitions? How strong are the passwords on your desktops? Rename the local administrator account on the desktops; this should prevent it from getting to the machines in this manner.

https://submit.symantec.com/platinum/

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

I get numerous logon hits on my DCs. Some accounts are Admins, some are just regular users who get locked out. None of the attempts succeed.

I ran the exe on a clean, patched, up to date box while running Filemon and Regmon. The exe is wupdmngr.exe, which creates a process called faxze.exe. It tries to "set information" on the index.dat file in temporary internet settings\content.ie5\ and in \cookies\ in the logged-on user's profile (why it does that I have no idea). It also queries your internet history. I don't understand why it does that as well. What could it get from there? Also it queries wininet.dll and imm32.dll and ws2help.dll and wsock32.dll in the systemroot and adds the usual entries to the "run" and "run services" reg keys in HKLM. It then tries to go out on port 54321. Some other variants, which Symantec calls W32.Spybot.Worm, go out on ports 445 or 6667.

The system I ran the exe on was a WinXP SP1, fully MS patched (system restore disabled) and up to date via Symantec Corporate Edition 9.0. Still it got infected. I'm just looking for a clue as to how to stop this thing. I need a proactive solution, and staring at the output of Filemon or Regmon isn't getting me any closer. I need an intrusion prevention system, not an IDS. I can look at my firewall logs and see the machine this thing is coming from, but I can't spend all day cleaning these things up every other week. I thought perhaps via GPOs and making sure no one was in the local admin group of their client and creating custom mobile groups via Symantec for continuous LiveUpdate would help. But if Symantec is not catching it, being up to date doesn't seem to help. All my boxes are not XP, so my Win2k clients can't use the restricted software adm. And I'm sure there are viruses clever enough to get local system access even if executed by a regular user. What solution do I have?

thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

I have Snort deployed in 28 offices, logging to a MS SQL server, and we view alerts using BASE. I have a lot of custom virus signatures and would be willing to share if you want them. It works well to quickly identify who is spreading the worms. As far as fully patched machines getting infected, check your passwords on those machines. One of the "features" of Randex is "Attempts to log on as an administrator to a random IP address that is protected by weak passwords. If successful, the worm will then copy itself to the remote computer and execute itself." Also Symantec has a problem disassembling some of these viruses and that can cause them to take longer to release defs. I keep a copy of Kaspersky just so I can get a second opinion when I find suspicious files.

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
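A defender-side way to do what the thread describes by hand (pick the spreading machine out of firewall or Snort logs by its fan-out on ports 445, 6667 and 54321), as an added example that is not code from the list, from Snort or from Symantec. The log line format, the 192.168.0.0/16 internal range, the 60-second window and the 20-destination threshold are assumptions; the sample log is constructed.

```python
"""Flag internal hosts that fan out to the worm's ports (445, 6667, 54321).

Added example, not from the thread. Assumed (constructed) log format:
    "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> <proto>"
A legitimate client talks SMB to a few servers; a Randex/Spybot-style host
sweeps many random addresses on 445 in a short time. We count distinct
(dst_ip, port) pairs per source inside a sliding window and flag outliers.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WORM_PORTS = {445, 6667, 54321}          # ports named in the thread
INTERNAL = ip_network("192.168.0.0/16")  # assumed internal range
WINDOW = 60                              # seconds (assumption)
THRESHOLD = 20                           # distinct destinations per window (assumption)

def parse_line(line):
    """Split one constructed log line into (ts, src_ip, dst_ip, dst_port)."""
    ts, src, _, dst, _proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src, dst_ip, int(dst_port)

def find_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak distinct (dst, port) count} for hosts over threshold."""
    events = defaultdict(list)  # src -> [(ts, dst_ip, port)]
    for line in lines:
        ts, src, dst_ip, port = parse_line(line)
        if port in WORM_PORTS and ip_address(src) in INTERNAL:
            events[src].append((ts, dst_ip, port))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _, _) in enumerate(evs):
            # distinct destinations reached within `window` seconds of event i
            dests = {(d, p) for t, d, p in evs[i:] if t - t0 <= window}
            peak = max(peak, len(dests))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def sample_log():
    """Constructed log: .50 sweeps 25 hosts on 445 in 25 s; .7 talks to one file server."""
    lines = [f"{1101930000 + i} 192.168.1.50 -> 10.{i % 5}.{i}.{i + 1}:445 tcp" for i in range(25)]
    lines += [f"{1101930000 + i * 10} 192.168.1.7 -> 192.168.1.2:445 tcp" for i in range(5)]
    lines.append("1101930100 192.168.1.50 -> 64.0.0.9:6667 tcp")  # later IRC-port call, outside window
    return lines
```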
