
Server got infected by Multiple Virus.

Created: 05 Oct 2012 | 20 comments

We are continuously getting viruses on the server, and because of this we are getting multiple shortcuts of so many files, and if we try to access a shortcut then nothing gets executed.

Please help me to identify which virus can create this problem and how to stop it.

Risk names mentioned below:

Scan type          Risk name               Count
Auto-Protect scan  W32.Changeup.C          1
Auto-Protect scan  Adware.FlashEnhancer    1
Auto-Protect scan  W32.Stuxnet!lnk         1
Auto-Protect scan  W32.Changeup.C          1
Auto-Protect scan  W32.Changeup.C          1
Auto-Protect scan  W32.Changeup.C          1
Auto-Protect scan  W32.Stuxnet!lnk         1
Auto-Protect scan  Bloodhound.Exploit.346  1
Auto-Protect scan  Bloodhound.Exploit.346  1
Auto-Protect scan  Bloodhound.Exploit.346  1
Auto-Protect scan  Bloodhound.Exploit.346  1
Auto-Protect scan  Bloodhound.Exploit.346  1
Auto-Protect scan  Bloodhound.Exploit.346  1
Auto-Protect scan  W32.Stuxnet!lnk         1

Ashish-Sharma wrote:

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

 

Check this thread

https://www-secure.symantec.com/connect/forums/virus-cleanup-exercise

Secondly, about the Tools like Power Eraser, I would recommend you to check this Thread:

https://www-secure.symantec.com/connect/forums/need-virus-removal-tool

 

Security Best Practice Recommendations

http://www.symantec.com/docs/TECH91705

Best practices for responding to active threats on a network

http://www.symantec.com/docs/TECH122466

Security Response recommendations for Symantec Endpoint Protection settings

http://www.symantec.com/docs/TECH122943

Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

http://www.symantec.com/docs/TECH98360

Thanks In Advance

Ashish Sharma

Mick2009 wrote:

Hi Nagesh,

One thing I note is that all of those detections are from Auto-Protect.  I recommend running a manual scan with the latest definitions, not just on this server but on all the computers which connect to it.  Then, view the logs to ensure everything has been deleted completely and not "left alone" or "partially removed."

What Symantec product do you use to defend your network, and what components?  (If you do not use firewall and IPS, I recommend adding them!  Relying on AV alone is fighting with one arm tied behind your back.)

Here are some excellent suggestions on how to keep your computers, their users and data safe:

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Please do keep this thread up-to-date with your progress!

With thanks and best regards,

Mick

Nagesh Singh wrote:

Dear Mick2009,

This is a critical server and there are some applications which are not compatible with NTP as well as PTP, so the server has only the Antivirus and Antispyware components.

Thanks & Regards,

Nagesh Singh

Mithun Sanghavi wrote:

Hello,

W32.Changeup.C  is a worm that spreads through removable and shared drives by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

W32.Stuxnet!lnk is a detection for .lnk files created by the W32.Stuxnet worm.

Bloodhound.Exploit.346 is a heuristic detection for files attempting to exploit the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

So, as we see, these above threats appear when there are open vulnerabilities on the machines.

In your case, I would suggest the below Plan of Action:

1) Make sure ALL computers are installed with Symantec EP with the latest / updated virus definitions.

2) Install ALL latest Microsoft Security Patches / Service Packs on ALL machines.

3) Make sure ALL the client machines have the latest vendor patches installed.

4) Disable Auto play with GPO

http://support.microsoft.com/kb/953252

5) Disable the System Restore with GPO

http://support.microsoft.com/kb/283073

6) Disable Scheduled Tasks with GPO

http://support.microsoft.com/kb/310208

7) Enable Security Auditing with GPO

http://support.microsoft.com/kb/300549

8) In case of any shared / mapped drives present, make sure these are password protected.

9) Scan ALL the machines...

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
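Given the symptom in the question (shortcuts appearing beside the real files that do nothing when opened) and the LNK-based detections explained above, here is an added triage script for defenders; it is not from the original thread or from Symantec. It parses the Shell Link (MS-SHLLINK) header, LinkInfo and StringData sections of a .lnk file and flags shortcuts whose target or arguments launch an executable, with a stronger warning when the shortcut is named like a document; the extension lists and the constructed sample builder are assumptions for illustration.

```python
import re
import struct

# LinkFlags bits of the MS-SHLLINK header, in bit order (only those used here).
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = [1 << i for i in range(8)]
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_RELPATH), ("workdir", HAS_WORKDIR), ("args", HAS_ARGS), ("icon", HAS_ICON))
RISKY = re.compile(r"\.(exe|scr|dll|cpl|vbs|bat|cmd)\b", re.I)  # assumption: extensions worth flagging
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg")  # assumption

def parse_lnk(data: bytes) -> dict:
    """Pull the LinkInfo local base path and the StringData fields out of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                          # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    fields = {"target": ""}
    if flags & HAS_LINKINFO:
        info_size, _, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 1:                          # VolumeIDAndLocalBasePath present
            off = struct.unpack_from("<I", data, pos + 16)[0]  # LocalBasePathOffset
            fields["target"] = data[pos + off:data.index(b"\x00", pos + off)].decode("latin-1")
        pos += info_size
    for name, bit in STRING_FIELDS:                 # StringData: 2-byte char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def classify(info: dict, lnk_name: str = "") -> "str | None":
    """Reason string if the shortcut launches an executable (worm-style), else None."""
    hits = [f for f in ("target", "relpath", "args") if RISKY.search(info.get(f, ""))]
    if not hits:
        return None
    stem = lnk_name.lower().removesuffix(".lnk")
    kind = "document-named shortcut" if stem.endswith(DOC_EXT) else "shortcut"
    return f"{kind} launches an executable via {','.join(hits)}"

def build_sample_lnk(target: str, args: str = "") -> bytes:
    """Constructed minimal .lnk for offline testing (not a real worm sample)."""
    flags = HAS_LINKINFO | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sI", 0x4C, bytes.fromhex("0114020000000000c000000000000046"), flags) + b"\x00" * 52
    vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID: fixed disk, empty label
    path = target.encode("latin-1") + b"\x00"
    info = struct.pack("<7I", 0x1C + len(vol) + len(path) + 1, 0x1C, 1, 0x1C, 0x1C + len(vol), 0, 0x1C + len(vol) + len(path))
    body = header + info + vol + path + b"\x00"
    return body + (struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b"")
```

Run parse_lnk and classify over every *.lnk on the affected share and review the flagged ones before deleting; a shortcut that legitimately points at an installed program is flagged too, so treat the output as a triage list, not a verdict.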

Nagesh Singh wrote:

Dear Mithun,

Can you please help me to create custom Intrusion Prevention signatures for W32.changeup.C in SEP so that we can block all the traffic?

Thanks & Regards,

Nagesh Singh

Nagesh Singh wrote:

Thanks Pete,

Let us know the signature for W32.Stuxnet!lnk also.

Thanks & Regards,

Nagesh Singh

Nagesh Singh wrote:

Thanks Ashish,

Can you please confirm: if we have enabled the Intrusion Prevention policy on the SEPM but the client does not have the NTP & PTP components (because of some application dependency (Server OS)),

will our Intrusion Prevention policy work?

Thanks & Regards,

Nagesh Singh

pete_4u2002 wrote:

It will work only if the IPS component is installed and enabled.

Mithun Sanghavi wrote:

Hello,

Policies on the SEPM would not take effect if these features are not installed on the SEP client machines.

I would suggest you make sure you install the SEP full feature set on the client machines.

Secondly, check these Articles:

About the types of threat protection that Symantec Endpoint Protection provides

http://www.symantec.com/docs/HOWTO55272

How Symantec Endpoint Protection protection features work together

http://www.symantec.com/docs/HOWTO55268

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000 wrote:

How about the source? Maybe you can try to pinpoint how those files get there....

pete_4u2002 wrote:

Have you enabled the Risk Tracer to know the source of the infection?

sandra.g wrote:

A great idea, but...

Risk Tracer must first be enabled in your Antivirus and Antispyware policy in order to view the information it can collect.  Risk Tracer requires Network Threat Protection and IPS to be installed and IPS Active Response to be enabled.

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH94526

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helped you.

Nagesh Singh wrote:

Dear Pete4u2002 / Mithun,

If we try to enable the Intrusion Prevention policy then we have to enable the NTP component,

but it is not possible in my case. I can't enable NTP on the server.

And even though we have enabled the Risk Tracer, nothing was found.


Thanks & Regards,

Nagesh Singh

Mithun Sanghavi wrote:

Hello,

Did you follow the Article provided by Sandra above?

Risk Tracer relies upon the Windows File and Printer Sharing. If this is disabled (as per MS Article 199346, http://support.microsoft.com/kb/199346) Risk Tracer will not work.

Please see What is Risk Tracer? for more information.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Riya31 wrote:

For Risk Tracer to work you have to enable NTP. You can scan the system either with SERT or using the NPE tool.

Also ensure that all MS patches are installed on the system and drives are not shared.

Nagesh Singh wrote:

Thanks Riya,

We have scanned the server with NTP and fixed the errors which we found, but after 2 days we again found a virus infection on the server.

(Note: we can't enable NTP on the server because of the cluster environment.)

Thanks & Regards,

Nagesh Singh