
Kama Sutra Worm Is A Bitch

MrControversial

Senior member
Jan 25, 2005
848
0
0
I'm cleaning up the last remnants of the Kama Sutra worm in my network. I have $3,000 worth of Antivirus protection on my network and still had computers acting all funny. One even slowed to the point where it could do nothing. On investigation, the worm had disabled/uninstalled the antivirus software and had run amok. I think the problem PC was the source of the worm on our network.

I ended up having to download the worm removal and then reinstall the software to get everything working as normal. Last week, within hours, 95% of the computers on my network were infected. Due to a flaw in the worm, it doesn't affect some computers. Just wanted to give you guys a heads up. You may have it and not know it due to newer hardware/current AV software. If your PC is slowing to a crawl and you don't have AV software, this may be the reason.

Just a heads up.
 

JEDIYoda

Lifer
Jul 13, 2005
33,986
3,321
126
So I gather from what you are saying you had all possible safeguards in place, up to and including educating the users concerning opening unknown attachments and surfing onto unknown sites etc?

Just asking because a worm only gets embedded in your network or system because somebody....

I have never had any issues with worms, trojans or viruses where they could not be traced back to user carelessness.

I understand its a pita dealing with stuff like that. Good Luck!!
 

atybimf

Platinum Member
Sep 17, 2005
2,390
0
0
When I read the thread title, I thought you meant you had a tough time doing some sorta kama sutra position called the "worm" :disgust:
 

batmanuel

Platinum Member
Jan 15, 2003
2,144
0
0
Originally posted by: atybimf
When I read the thread title, I thought you meant you had a tough time doing some sorta kama sutra position called the "worm" :disgust:

Is that similar to the position that caused that one guy's uncle to break his neck on "Clerks"?

 

poisonthewell

Senior member
Jun 10, 2005
406
0
0
Originally posted by: batmanuel
Originally posted by: atybimf
When I read the thread title, I thought you meant you had a tough time doing some sorta kama sutra position called the "worm" :disgust:

Is that similar to the position that caused that one guy's uncle to break his neck on "Clerks"?

I believe he was merely sitting on the toilet . . . if so we are all in trouble. My how this got OT quickly.
 
Jan 31, 2002
40,819
2
0
Pssh. That, along with all those other BS omghi2u.jpg.pif.scr.exe email attachments, got neatly nuked right at the border of the corporate network.

- M4H
 

Jiggz

Diamond Member
Mar 10, 2001
4,329
0
76
I'm not sure if what I got two days ago was the Kama Sutra or some Trojans. Anyways, after a regular scan by my Anti Spyware software, it reported 1 rootkit-trojan malware. This anti spyware software is good since it reports the number of traces on the identified malware. Well, the reported traces was 9,980! To clean the infected files, it took almost 48 hours! And then after that I scanned again and this time it reported the same malware with 891 traces. Again this took almost 4 hours to clean up. Then for the third scan it found the same malware with 590 traces. It took almost 3 hours to clean.

So I got smart. I checked the session log and found out the malware was residing in the restore files. So I disabled the Restore Option in XP. Scanned again and the malware was identified again with 300+ traces. After clean up, I scanned again and this time it was clean.

Rootkits are a PITA since you can not even manually delete the files even in DOS mode. It's also hidden, that's why the AV software didn't catch it either. Anyways, I was getting ready to switch the hdd with a clone hdd but then the malware got cleaned and the system was back to norm.
 

BFG10K

Lifer
Aug 14, 2000
22,709
3,003
126
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?

under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.
 

Malladine

Diamond Member
Mar 31, 2003
4,618
0
71
Originally posted by: Joemonkey
under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.
true enough.
 

Homerboy

Lifer
Mar 1, 2000
30,890
5,001
126
under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.

TECHNICALLY the stupid database we use (along with Joemonkey) requires PowerUser or better. In the long run there is hardly a difference so Admin rights it is...

I have 70+ "admins" with free reign on their PCs and files on the network. Happy joy!

 

CVSiN

Diamond Member
Jul 19, 2004
9,289
1
0
Originally posted by: Malladine
Originally posted by: Joemonkey
under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.
true enough.

yup its true..
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Joemonkey
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?

under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.

Most applications that require administrator to run are broken. Don't use them, find something better.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: n0cmonkey
Originally posted by: Joemonkey
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?

under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.

Most applications that require administrator to run are broken. Don't use them, find something better.

yes, lets throw away the $100,000 piece of software
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Joemonkey
Originally posted by: n0cmonkey
Originally posted by: Joemonkey
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?

under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.

Most applications that require administrator to run are broken. Don't use them, find something better.

yes, lets throw away the $100,000 piece of software

If the designers didn't see fit to pay attention to basic best practices, then yes. Or demand your money back because the software is defective.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: n0cmonkey
Originally posted by: Joemonkey
Originally posted by: n0cmonkey
Originally posted by: Joemonkey
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?

under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.

Most applications that require administrator to run are broken. Don't use them, find something better.

yes, lets throw away the $100,000 piece of software

If the designers didn't see fit to pay attention to basic best practices, then yes. Or demand your money back because the software is defective.

perhaps the software is 10 years old and there are no alternatives?
 

Homerboy

Lifer
Mar 1, 2000
30,890
5,001
126
yes, lets throw away the $100,000 piece of software

You mean the $100k one that we pay $50K year in support/licensing fees on? That we have over 400000 accounts in dating back to 1999 with countless pages of notes and complicated financial records... that would be nearly impossible to switch to another database. Yes they have us by the short hairs... they could extort us for $1M a year and we'd likely have to pay it.

All hail my predecessors.

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Joemonkey
perhaps the software is 10 years old and there are no alternatives?

Then it's long over due for an upgrade. There are almost always alternatives.

Requiring that normal programs be run as admin is stupid.
 

Homerboy

Lifer
Mar 1, 2000
30,890
5,001
126
Then it's long over due for an upgrade. There are almost always alternatives.

Requiring that normal programs be run as admin is stupid.

While there are alternatives to what he (and I for that matter) are using, it is impossible to switch databases. There is no option to "convert" the data from 1 to the other, it is virtually impossible (well nothing is IMPOSSIBLE) but this is about as close as you can come.

 

MrControversial

Senior member
Jan 25, 2005
848
0
0
Originally posted by: JEDIYoda
So I gather from what you are saying you had all possible safeguards in place, up to and including educating the users concerning opening unknown attachments and surfing onto unknown sites etc?

Just asking because a worm only gets embedded in your network or system because somebody....

I have never had any issues with worms, trojans or viruses where they could not be traced back to user carelessness.

I understand its a pita dealing with stuff like that. Good Luck!!

All safeguards were in place. Our system catches 99% of viruses on the network. I have an anti-spam filter that filters out 90% of spam, but still some get through. You CANNOT filter out 100% of SPAM. I even filter out executables as attachments. I simply don't allow them. However, this one virus got through in a spam email likely having to do with medical stuff such as drugs and what not. Since we have a Pharmacy onsite and we are a medical facility I cannot reject mails with that subject matter.

The worm attacks the antivirus program and cripples it. It either doesn't run, runs incorrectly without updating definitions or is uninstalled completely. I got the virus last week and Symantec just put the fix up this week. I had to call Symantec customer support just to download a program that did a brute-force uninstall of all antivirus programs. I then had to reinstall it all over again. Out of 80 PC's, less than 10 were actually affected. There's a flaw in the virus where it only affects older PC's. The majority of the PC's on our network are kinda new.

 

MrControversial

Senior member
Jan 25, 2005
848
0
0
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?
Don't have a friggin' choice. The numbnuts where I work insist on using old software that isn't fully NT/2K/XP compatible. So I had to give them local admin privileges in order to run the program. Plus it's payroll stuff. I have to damn near get an executive order just to upgrade software.

I work for a non-prof. Often I had to do what was cheap over what was right. I'm sure I could use all kinds of registry hacks to make that happen, but in my experience that causes all kinds of unintended consequences.
 

MrControversial

Senior member
Jan 25, 2005
848
0
0
Originally posted by: Joemonkey
Originally posted by: BFG10K
On investigation, the worm had disabled/uninstalled the antivirus software and had run amok.
The only way it could've done that is if the computer in question was running under administrator privileges. Why would you allow such a thing?

under certain circumstances, software companies require you to let people run as local administrator to work properly. Homerboy can back me up on how annoying this is.
ADP Payroll for the win! Why they don't respect Windows security and they still require dial-up is beyond me. It's a total bitch to administer!
 

BFG10K

Lifer
Aug 14, 2000
22,709
3,003
126
under certain circumstances, software companies require you to let people run as local administrator to work properly.
Then get rid of the software as it's an obvious security risk. A Windows box running under a restricted account is far safer than some third party anti-virus software that operates the box under administrative privileges.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I even filter out executables as attachments. I simply don't allow them. However, this one virus got through in a spam email likely having to do with medical stuff such as drugs and what not. Since we have a Pharmacy onsite and we are a medical facility I cannot reject mails with that subject matter.
If you haven't already done so, research this worm. You'll see that it uses some rather uncommon filetypes. Block these: UUE, UU, B64, BHX, HQX, MIM.

The worm attacks the antivirus program and cripples it. It either doesn't run, runs incorrectly without updating definitions or is uninstalled completely. I got the virus last week and Symantec just put the fix up this week.
For the record, Symantec's had virus definitions available for Blackworm since January 17th, as you can see here: http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html If your virus definitions were being updated daily, you'd be covered from at least January 18th onwards. If you aren't having the PCs re-scan every day during lunch, you might want to get onboard with that.

If you have Symantec Corporate, figure out how to use the administration console to monitor, task and update your antivirus installations. If the worm had knocked down your antivirus software back a couple weeks ago, you'd be alerted to that when you looked at your central monitoring console (which, being a sysadmin, you look at every couple hours... right? :evil: ). Also, if you haven't done so already, turn on all the goodies like heuristics and compressed-file scanning.

I'll also suggest you try out Microsoft Baseline Security Analyzer, it's free and very useful. If you're logged on as a Domain Administrator, you can scan the whole network from your PC.

BTW if you are assuming an email attack brought this on, then check your email server's antivirus software to ensure that it's updating frequently (as in, every half-hour perhaps), and that it likewise is using all the options such as heuristics and compressed-file scanning.
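An added example, not code from anyone in this thread: a small inbound-mail attachment check that applies the two filtering points raised above, the original poster's rule of rejecting executable attachments and mechBgon's advice to also block the encoded-archive types (UUE, UU, B64, BHX, HQX, MIM). It checks every dotted segment of a filename rather than only the last one, so a double-extension name like the `omghi2u.jpg.pif.scr.exe` pattern M4H mentions is caught even when the final extension looks harmless. The sample messages and attachment names are constructed here for the demonstration; the extension lists are an assumption about what a site would want to block and should be tuned to local policy.

```python
"""Attachment-extension blocklist for inbound mail (added example, Python stdlib only)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklists. Executable types are the ones the OP already rejects;
# the encoded-archive types are those mechBgon recommends blocking because
# a worm can hide a binary inside an encoding that mail filters often ignore.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
ENCODED_EXTS = {"uue", "uu", "b64", "bhx", "hqx", "mim"}
BLOCKED_EXTS = EXECUTABLE_EXTS | ENCODED_EXTS


def suspicious_extensions(filename):
    """Return every blocked extension found anywhere in the filename.

    All segments after the first dot are checked, so a name such as
    'omghi2u.jpg.pif.scr.exe' reports ['pif', 'scr', 'exe'] instead of
    being judged by its last segment alone.
    """
    basename = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    segments = basename.split(".")[1:]  # drop the name before the first dot
    return [seg for seg in segments if seg in BLOCKED_EXTS]


def attachment_names(msg):
    """Collect filenames from every non-container MIME part."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        if name:
            names.append(name)
    return names


def scan_message(raw_message):
    """Parse an RFC 822 message and return [(filename, [blocked exts]), ...]."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for name in attachment_names(msg):
        hits = suspicious_extensions(name)
        if hits:
            findings.append((name, hits))
    return findings


def build_sample(subject, attachments):
    """Construct a multipart message for the demo (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "pharmacy@example.org"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples: one mimicking a worm-style mailing, one a legitimate pharmacy order.
SAMPLE_WORMY = build_sample(
    "Re: your medication",
    [("Photo.jpg.pif.scr.exe", b"MZ\x90\x00fake"), ("sample.hqx", b"(This file must be converted)")],
)
SAMPLE_CLEAN = build_sample("Pharmacy order 4412", [("order_4412.pdf", b"%PDF-1.4 fake")])

if __name__ == "__main__":
    for label, raw in (("wormy", SAMPLE_WORMY), ("clean", SAMPLE_CLEAN)):
        print(label, "->", scan_message(raw) or "no blocked attachments")
```

Blocking on filename is only a first line of defence: a gateway scanner should still decode the attachment and inspect content, since the name is attacker-controlled. The point of this check is that it costs nothing and closes the specific gap the thread describes, where an executable-only rule lets an encoded or double-extension attachment through.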