Real problems removing a "set" of virii

I would have gone about it in the same way as I described for the Virtumonde trojan. The method details are posted here:

[thread]88342[/thread]

Hi Everyone.

I'm looking for a little help here. I have a windows 2003 server (W2K3 SP1 with all hotfixes and patches) It has Sophos AV installed, up to date. It is one of 24.

One day Sophos starts going nuts telling me that Mal/GenericA and Basine/C. This nasty little blighter comes in the form of 3 files, copy.exe, host.exe and autorun.inf. (ALL HSR bits set)

It couldn't clean them up, so I removed the network cable, and dropped the server down to command line safe mode and ran a full system scan with latest defs using sav32cli.

So it found and removed these infections. Started it up without the network cable in, and it was all fine, all gone, or so I thought.

Put the network cable in, went home. Overnight came back and the virus had come back and deleted 300 times (I kid you not!) I am not sure where this infection comes from (This machine sits on a 100 user domain) I have tried a bit of rudimentory security, ie removing the everyone group from the shares etc, but I can't go too far because it runs an exceptionally custom piece of software that I really really cant risk breaking.

It has also managed to infect a NT4 BDC. This is just as bad, but NT4 is now retired and support for it is non existant. Also have Sophos on this machine.

Now Sophos tech support have been about as useful as a chocolate tea pot. Any suggestions. No other machines (except these two) on the network seems to have it, according to the Sophos EM console, but the laptops (30 - 40 of them on top of the domain setup) do not have reporting capability.

So what I need to really do is first off find the source of the infection (but how?) and secondly, any ideas on securing this machine so its at least a little virus resistant.

Cheers

Stu

Hi Stu,

I must warn you, I do work for Sophos, but I am interested in helping you with your issue. If your infection keeps returning, it is likely some sort of worm planting the malware we are seeing. The Mal/Basine-C is a Trojan, so something else is getting into the system and repeatedly planting this file. Without a lot more detail it is likely a worm that is exploiting a vulnerability. Being that your W2K3 server is not patched (Not service pack 2 with latest hotfixes) it is probably exploiting a vulnerability in a Windows process and planting these trojans. All we can do is stop the trojan's from executing once they have been planted. If you are running Sophos Anti-Virus 7, there is a high likelyhood we could prevent infection using our new HIPS and Suspicious File detection. If something is trying to use a buffer overflow in an exploitable service, we would likely detect with our HIPS or BOPS (Buffer Overflow Protection System) both of which were introduced in SAV 7. I am sorry your call to support was not satisfactory, but I can assure you as a company we are committed to assisting you. NOTE: I am not someone who is publicly responsible for speaking on behalf of Sophos, simply a concerned employee.

My advice:

1. Patch your servers! You may not be able to patch NT4, however your 2K3 server should be patched up unless you believe it will break your application.

2. Upgrade to SAV 7 and enable HIPS real-time protection and Suspicious File detection. If you are uncomfortable with these technologies, turn them on in Alert Only mode to see what they find. It may lead you to the source of the problem. On servers, I recommend alert only for a day, and if you do not experience any false positives, simply keep this service enabled for additional protection.

Please reply and let me know if any of this is helpful to you.