A user got his home computer infected with a virus that isn’t detected by SAV. When the system is connected to the internet it first makes a connection to an IP on port 6666; I’m assuming this is to download info for the virus or to open a back door, since they do not use IRC. After that connection is made the system opens up hundreds of connections to random or incremental IP blocks on port 25 and tries to send out emails.
I have email scanning on in SAV but it doesn’t pick up a virus. Instead I get a bunch of messages from the Symantec email proxy saying my message couldn’t be delivered, too many connections from one client, and other 5XX email errors, but none of them have contained the name of the virus; most of them were 5XX responses from the receiving email server for too many connections, spam, phishing, etc. The emails have subjects like “our official blog”, “Please save her”, “his profile” and about 15 other subjects that it seems to rotate through.
I disabled the email filtering to try and get the PID for the process opening all of the SMTP connections using netstat -a -n -b, and the PID comes back to services.exe.
Here is the SAV info on the system.
Windows XP Pro SP 3
Symantec Anti-Virus 10.1.6.6010
Scan Engine 81.3.0.13
Virus Defs 6/30/2009 Rev 2
I tried to run a full scan with SAV, and every time I do I get “Could not start scan. Scan engine returned error 0x20000058”. I searched around for this error but couldn’t find anything on Symantec or any other site relating this error to a virus of any type. I ran a full scan with the most up to date Spybot S&D and nothing was found.
So, I rebooted into safe mode and was able to run a full scan with SAV in safe mode without getting the 0x20000058 error; however, the scan turned up nothing. I also ran another scan with Spybot S&D and nothing was found there either.
I didn’t really get to look at it any more than that; it was about 3am after the last scan and I decided to call it a night. If anyone has any thoughts on what it could be, or next steps, please let me know.
Thanks!
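The netstat check described in the post (find the PID behind the fan-out of port-25 connections, and the one talking to port 6666) can be automated over saved output. This is an added example, not code from the poster: it assumes Windows `netstat -a -n -o` style output with the PID as the last column, the sample output below is constructed, and the `min_hosts` threshold is an assumed value.

```python
"""Flag processes that fan out SMTP connections from saved netstat output.

Added example, not from the original post. Assumes Windows `netstat -a -n -o`
style lines (PID as the last column); the sample below is constructed.
"""
import re

# Constructed sample: PID 1024 (standing in for the services.exe seen in the
# post) holds one connection to port 6666 and fans out to many port-25 hosts,
# while PID 4 carries ordinary traffic.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1033       198.51.100.20:6666     ESTABLISHED     1024
  TCP    192.168.1.5:1040       203.0.113.10:25        SYN_SENT        1024
  TCP    192.168.1.5:1041       203.0.113.11:25        SYN_SENT        1024
  TCP    192.168.1.5:1042       203.0.113.12:25        ESTABLISHED     1024
  TCP    192.168.1.5:1043       203.0.113.13:25        SYN_SENT        1024
  TCP    192.168.1.5:1050       192.0.2.8:80           ESTABLISHED     4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# State column is optional because UDP lines have none.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _laddr, _lport, raddr, rport, state, pid = m.groups()
        conns.append({"proto": proto, "remote": raddr,
                      "rport": None if rport == "*" else int(rport),
                      "state": state or "", "pid": int(pid)})
    return conns


def smtp_fanout_by_pid(conns, min_hosts=3):
    """Map PID -> number of distinct remote hosts it talks to on TCP/25.
    Only PIDs at or above min_hosts are returned (assumed threshold): a mail
    client uses one or two relays, a spambot connects to hundreds of hosts."""
    hosts = {}
    for c in conns:
        if c["proto"] == "TCP" and c["rport"] == 25 and c["state"] != "LISTENING":
            hosts.setdefault(c["pid"], set()).add(c["remote"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= min_hosts}


def pids_talking_to_port(conns, port):
    """Sorted PIDs with any connection to the given remote port (e.g. 6666)."""
    return sorted({c["pid"] for c in conns if c["rport"] == port})
```

Redirect `netstat -a -n -o` to a file on the affected machine and feed that text to `parse_netstat` instead of the sample; the PID that both fans out on port 25 and holds the port-6666 connection is the one to investigate (with `tasklist /svc` to see which services live inside a shared host process).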