My network got hit with a new virus starting Tuesday, March 15th. I first noticed our internet access running slower than normal. Not slowing in the download/upload sense, but slower in the name resolution sense. My DNS servers WOULD resolve the names, but not consistently, and their responsiveness was very slow. It's important to note that my DNS servers are located off site at two of our other locations, but still on the private network. I was getting the same thing with public DNS servers as well.
I took a look at my PIX firewall and noticed 5 internal computers nailing TCP port 445. Took a look at those boxes and found this process: msnsched.exe. Remember it well. This process was the culprit. I couldn't end it, so after booting in safe mode, I removed the exe, which was located in windows\system32... or winnt\system32 (depending on the OS installed), and removed any mention of it in the registry. The obvious RUN and run services spots in the registry. After rebooting normally, the process would start right back up. As it turns out, the computer was in fact clean, but it was being RE-infected by the other 5 machines. By the time I figured this out, I had about 20 of my 45 workstations infected with this process.
(side note) I have about 45 boxes on my private network, and about 300 nationwide. The virus did not spread to any of my other sites/subnets and, strangely enough, did not spread to ALL of my private boxes, only about half of 'em.
How to get rid of it?
Step 1. Buy a Mt.Dew and prepare yourself for a long night.
Step 2. Shut down and disconnect the network cable from all infected computers.
You can see which ones are infected by looking at the firewall logs. Don't worry, it's obvious: over the course of the day, those 20 boxes created about 8 million hits.
Step 3. Boot all infected computers in safe mode, delete the msnsched.exe files, and all registry mentions of it. After you've cleaned them, cold kill them. (That means don't shut down properly, simply yank the power cord. That'll stop the process from re-infecting the system during shutdown in case it's still running in memory.)
Step 4. LEAVE THE COMPUTERS OFF AND UNPLUGGED.
Step 5. Keep monitoring that firewall and shut down and unplug all the workstations causing traffic until the network is quiet again.
Step 6. Make sure you've cleaned and disabled all infected computers. This is vitally important. If you have just 1 workstation on and infected, all the other ones will get re-infected in a matter of milliseconds.
Step 7. Bring the computers back up one by one while constantly monitoring those firewall logs and processes. I had one of my techs monitor the Cisco logs each time I brought one of the machines back up.
Step 8. Go home, have a beer and pray it doesn't happen again the next day.
I don't know how it got into the network, but I do know that it does not spread via e-mail. One of the infected machines wasn't used all day, wasn't even logged in... it was just on and plugged into the network.
(operating systems affected)
Windows 2000 sp4
Windows XP sp1
I'm not sure if it hits XP SP2 boxes or not. After I had the network cleaned, I ran Windows Update on all my machines just to be sure. To be honest, all of the systems infected were severely out of date on their patches.
There is 0 information about the process out there. Google, Microsoft, Symantec, Metacrawler, Lycos... they all came up blank when I searched for the msnsched.exe process. I'm putting this out there in hopes that if this... this whatever it is hits any other networks, this forum post will come up in a Google search.
Dan Dutrizac
Systems Administrator
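The triage in Step 2 and Step 5 above comes down to reading the firewall log and picking out the inside hosts fanning out to TCP 445. The script below is an added example, not code from the original post: it parses constructed, simplified PIX-style "Built ... TCP connection" lines (the exact field layout is an assumption; real PIX/ASA 302013 messages carry extra mapped-address fields, so adapt the regex to your own syslog output), counts per-source connections to port 445, and flags hosts that reach many distinct destinations on that port, which is the fan-out pattern a worm shows and a normal file-server client does not.

```python
import re
from collections import defaultdict

# Constructed sample log (not real PIX output). Two hosts sweep the subnet on
# TCP 445; one host talks repeatedly to a single file server, plus one DNS hit.
SAMPLE_LOG = """\
Mar 15 09:01:02 pix %PIX-6-302013: Built outbound TCP connection 1001 for inside:192.168.1.10/1034 to outside:10.1.5.1/445
Mar 15 09:01:02 pix %PIX-6-302013: Built outbound TCP connection 1002 for inside:192.168.1.10/1035 to outside:10.1.5.2/445
Mar 15 09:01:02 pix %PIX-6-302013: Built outbound TCP connection 1003 for inside:192.168.1.10/1036 to outside:10.1.5.3/445
Mar 15 09:01:03 pix %PIX-6-302013: Built outbound TCP connection 1004 for inside:192.168.1.10/1037 to outside:10.1.5.4/445
Mar 15 09:01:03 pix %PIX-6-302013: Built outbound TCP connection 1005 for inside:192.168.1.10/1038 to outside:10.1.5.5/445
Mar 15 09:01:03 pix %PIX-6-302013: Built outbound TCP connection 1006 for inside:192.168.1.10/1039 to outside:10.1.5.6/445
Mar 15 09:01:04 pix %PIX-6-302013: Built outbound TCP connection 1007 for inside:192.168.1.12/2201 to outside:10.1.5.2/445
Mar 15 09:01:04 pix %PIX-6-302013: Built outbound TCP connection 1008 for inside:192.168.1.12/2202 to outside:10.1.5.3/445
Mar 15 09:01:04 pix %PIX-6-302013: Built outbound TCP connection 1009 for inside:192.168.1.12/2203 to outside:10.1.5.9/445
Mar 15 09:01:05 pix %PIX-6-302013: Built outbound TCP connection 1010 for inside:192.168.1.12/2204 to outside:10.1.5.10/445
Mar 15 09:02:10 pix %PIX-6-302013: Built outbound TCP connection 1011 for inside:192.168.1.20/3301 to outside:10.1.5.50/445
Mar 15 09:05:11 pix %PIX-6-302013: Built outbound TCP connection 1012 for inside:192.168.1.20/3302 to outside:10.1.5.50/445
Mar 15 09:07:12 pix %PIX-6-302013: Built outbound TCP connection 1013 for inside:192.168.1.20/3303 to outside:10.1.5.50/445
Mar 15 09:07:13 pix %PIX-6-302015: Built outbound UDP connection 1014 for inside:192.168.1.20/3304 to outside:10.1.5.53/53
"""

# Simplified connection-built pattern (assumption: your firewall's wording may differ).
LINE_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<src>\d+\.\d+\.\d+\.\d+)/\d+ to \w+:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None for lines we don't understand."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dport"])


def summarize_port(lines, port=445):
    """Per source host: number of TCP connections to `port` and the distinct targets hit."""
    hits = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, dst, dport = parsed
        if proto != "TCP" or dport != port:
            continue
        hits[src] += 1
        targets[src].add(dst)
    return {src: {"hits": hits[src], "targets": sorted(targets[src])} for src in hits}


def flag_scanners(summary, min_targets=3):
    """Hosts touching at least `min_targets` distinct endpoints on the port: worm-like fan-out."""
    return sorted(src for src, s in summary.items() if len(s["targets"]) >= min_targets)


def triage(log_text=SAMPLE_LOG, port=445, min_targets=3):
    """Run the whole pipeline over a log text; returns (per-host summary, flagged hosts)."""
    summary = summarize_port(log_text.splitlines(), port)
    return summary, flag_scanners(summary, min_targets)


if __name__ == "__main__":
    summary, flagged = triage()
    for src in flagged:
        s = summary[src]
        print(f"UNPLUG {src}: {s['hits']} connections to {len(s['targets'])} hosts on tcp/445")
```

The threshold is distinct destinations rather than raw hit count on purpose: a busy but healthy workstation can open many SMB connections to one file server, while a host sweeping the subnet hits many addresses it has no business talking to. On a real log you would feed the firewall's syslog export in place of SAMPLE_LOG and tune min_targets to the size of the subnet.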