
Eliminating Worm from Network

SpanishFry

Platinum Member
Hi. I work for a small company that has 2 file servers and about 15 workstations permanently on our network. We also do a lot of OEM stuff so we can have 50 extra PCs on the network at any one time. I'm a new hire so I'm not exactly positive on the network layout. I recently discovered we have the W32/sdbot.gen.o worm on just about all of the PCs here and it finds its way onto the new computers as soon as they're hooked up. The worm manifests itself as smsc.exe. Another tech blocked the port it was using on our firewall but it's still going strong. What would be the best way to completely remove it from the network? Thanks.
 
Here is the info from McAfee on your virus. By the looks of it you need to clean up the security on the network/machines. The easiest way to keep a worm from spreading is good security on ALL of your machines. I am going to guess there are some holes in your security measures and the worm is using those vulnerabilities to spread itself.

John

---------------------------------------
Network Propagation

The worm's file share propagation relies on target systems being accessible for one of two reasons:
Poor security on target systems
The credentials of the user logged on to an infected system are sufficient to access other systems on the network

The worm scans random IP subnets for machines present on the network. Once a system is found, the worm tries to connect to the 'C$' and/or 'C' shares on that machine. The following accounts are used for the connection (with no passwords):

Administrator
Owner
Guest

NOTE: The virus assumes the privileges of the currently authenticated user. If a blank password is insufficient on the target system, the current credentials could be sufficient to gain access on a remote system.

If successful, the worm will copy itself onto that share in one of the following locations (i.e. the Windows startup folder):

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C:\WINDOWS\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
\WINNT\Profiles\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\Documents and Settings\All Users\Start Menu\Programs\Startup

Finally, the worm attempts to execute the copied file by calling the NetScheduleJobAdd function.

-----------------------------------------------------------------

Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Many share jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords many can use the credentials of the local user. Meaning that if a super-administrator, or domain-admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of default admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script, or placed in the startup folder.
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share ipc$ /delete
net share admin$ /delete
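Added here as a defender's check, not part of the thread or of McAfee's write-up: a read-only PowerShell triage script that looks on one host for the artifacts the quoted description lists (a smsc.exe drop in a startup folder, the admin shares the worm connects through, the AT jobs that NetScheduleJobAdd creates, and an enabled Guest account). The Vista-and-later startup path and the use of the Win32_Share, Win32_ScheduledJob and Win32_UserAccount WMI classes are my assumptions, not from the page.

```powershell
# Added example (not from the thread or McAfee): read-only triage of one Windows host
# for the sdbot propagation artifacts described above. Run as an administrator;
# it changes nothing. Assumes the worm file is named smsc.exe (per the poster)
# and that Windows PowerShell with the WMI classes used below is available.

$wormName = 'smsc.exe'

# Startup folders from the McAfee description, plus the Vista-and-later
# path the write-up predates (assumed, not from the page).
$startupFolders = @(
    "$env:SystemDrive\WINNT\Profiles\All Users\Start Menu\Programs\Startup",
    "$env:SystemDrive\WINDOWS\Start Menu\Programs\Startup",
    "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { Test-Path -LiteralPath $_ }

$findings = @()

# 1. A worm copy dropped into a startup folder (-Force also shows hidden files)
foreach ($folder in $startupFolders) {
    $hit = Get-ChildItem -LiteralPath $folder -Filter $wormName -Force -ErrorAction SilentlyContinue
    if ($hit) {
        $findings += "Startup drop: $($hit.FullName) ($($hit.Length) bytes, written $($hit.LastWriteTime))"
    }
}

# 2. Administrative shares (C$, ADMIN$, IPC$ ...) that the worm connects to
$adminShares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -like '*$' }
foreach ($share in $adminShares) {
    $findings += "Admin share present: $($share.Name) -> $($share.Path)"
}

# 3. AT-style jobs: NetScheduleJobAdd, which the worm calls to launch its copy, creates these
$atJobs = Get-WmiObject -Class Win32_ScheduledJob
foreach ($job in $atJobs) {
    $findings += "Scheduled (AT) job $($job.JobId) runs: $($job.Command)"
}

# 4. The Guest account, one of the blank-password logons the worm tries
$guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'"
if ($guest -and -not $guest.Disabled) { $findings += 'Guest account is enabled' }

if ($findings.Count -eq 0) { 'No sdbot propagation artifacts found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it on a clean reference machine first so you know what the normal output looks like, then on the infected ones; a hit in step 1 or 3 is the worm, while steps 2 and 4 show the openings it spreads through.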
 
General procedure...

don't plug any new machines in until it is completely gone.

patch all machines/servers and then run removal tool.

you've already got the firewall covered.

once it is completely off, then you can return to business as usual.
 
Do you not have an antivirus solution?

Unplug every machine from the network (or kill power to the switch) to keep the worm from spreading. Go to every PC and do a complete virus scan/clean on it. I would personally rebuild every machine, as I don't trust any machine that has been compromised for an extended length of time. Especially if the port the virus uses was opened inbound on the firewall.

Why was the port opened inbound on the firewall? If your firewall admin is opening a lot of inbound ports to your internal network, that's defeating a big purpose of having a firewall in place anyways.
 
OK. We have Panda on every machine but it fails to detect the worm for some reason, even with the newest definitions. Not exactly sure if an inbound port was open, but the outbound port it was reporting back to was closed and the subnet (Korean) being used was closed as well. I'll look into some better AV solutions and make a suggestion I guess. Thanks
 