Endpoint Protection


Recurring W32.IRCbot infection on the network

  • 1.  Recurring W32.IRCbot infection on the network

    Posted Aug 30, 2009 01:18 PM
    Many of our computers on different network segments kept reporting the W32.IRCbot alert.

    The malware is in the following locations:
    C:/windows/system32/wuauclt.exe
    C:/windows/system32/dllcache/wuauclt.exe

    SAV10 on these machines has taken the "Delete" action on the detected malware.

    I suspect there must be a rogue computer in the network that is infecting these machines, but we lack the visibility.

    Does anyone have any idea how to pinpoint this rogue computer?

    AC


  • 2.  RE: Recurring W32.IRCbot infection on the network

    Posted Aug 30, 2009 01:45 PM
    If you have a firewall in the network, it can give you some information.

    Try to implement the following to prevent W32.IRCbot from spreading in the network:

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available.
    • Enforce a complex password policy.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
    • Install all security patches from Microsoft.
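Two of the items in the list above (disabling AutoPlay, and finding shares that anyone can reach) can be audited from the host itself. The following PowerShell script is an added example for this thread, not code from the poster or from Symantec; it assumes Windows PowerShell 3.0 or later with WMI available and an elevated prompt. The registry key and the NoDriveTypeAutoRun value are the documented Windows AutoRun policy settings; the share check reads the share-level DACL through the Win32_LogicalShareSecuritySetting WMI class.

```powershell
# Added example (not from the thread): audit AutoRun policy and open shares on a Windows host.
# Assumes Windows PowerShell 3.0+ with WMI; run from an elevated prompt.

$AutoRunPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutoRunAllDrives = 0xFF   # documented value: disable AutoRun on every drive type

function Test-AutoRunDisabled {
    # Returns $true only when the machine-wide policy disables AutoRun on all drive types.
    $item = Get-ItemProperty -Path $AutoRunPolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.NoDriveTypeAutoRun -band $AutoRunAllDrives) -eq $AutoRunAllDrives)
}

function Disable-AutoRun {
    # Applies the policy value, creating the key if it does not exist yet.
    if (-not (Test-Path $AutoRunPolicyKey)) {
        New-Item -Path $AutoRunPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutoRunPolicyKey -Name NoDriveTypeAutoRun -Value $AutoRunAllDrives -Type DWord
}

function Get-OpenShares {
    # Lists non-administrative disk shares (Win32_Share Type 0) whose share DACL
    # grants access to the Everyone group. Each hit is one ACE.
    Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
        $share = $_
        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if ($null -eq $sec) { return }
        $sd = $sec.GetSecurityDescriptor().Descriptor
        foreach ($ace in $sd.DACL) {
            if ($ace.Trustee.Name -eq 'Everyone') {
                [pscustomobject]@{
                    Share      = $share.Name
                    Path       = $share.Path
                    Trustee    = 'Everyone'
                    AccessMask = ('0x{0:X}' -f $ace.AccessMask)
                }
            }
        }
    }
}

# Report. Call Disable-AutoRun yourself once you have reviewed the result.
if (Test-AutoRunDisabled) {
    'AutoRun: disabled on all drive types'
} else {
    'AutoRun: NOT fully disabled (run Disable-AutoRun to apply the policy)'
}
'Shares granting access to Everyone:'
Get-OpenShares | Format-Table -AutoSize
```

The share check only reads the share-level permissions; NTFS permissions on the underlying folder still apply, so a share listed here is a candidate for review rather than proof of anonymous write access.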


  • 3.  RE: Recurring W32.IRCbot infection on the network

    Posted Aug 30, 2009 01:46 PM
    A couple of things here:

    1. It is possible that it is not an infected "machine" that is spreading this on your drive. From what I understand, this can be spread through USB thumb drives too. What is your policy with autorun on your machines? Is it enabled?

    2. Let me start by saying I AM NOT JUST PROMOTING SEP ; ) but SEP has better ways than SAV for protecting against threats that can spread through your network. It also has application and device control, which can help you guard against people using things like flash drives that can spread viruses. So maybe something to consider in the future.

    3. I would go through and check this registry entry on the infected machine. This virus alters this registry key so it "installs" itself again and again each time the computer is restarted. SAV should take care of this, but who knows? So check this key:

    The Trojan creates the following registry entry so that it is executed every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winapii" = "%Windir%\Winapii\Winapii.exe"

    4. Whenever you get a virus, try to remove the infected computer from the network to keep it from spreading. I know that sometimes this isn't possible, but it can help. Also do a full scan in safe mode with System Restore off. This is the first step in virus troubleshooting. Hope this helps.

    Grant-


  • 4.  RE: Recurring W32.IRCbot infection on the network



  • 5.  RE: Recurring W32.IRCbot infection on the network



  • 6.  RE: Recurring W32.IRCbot infection on the network

    Posted Sep 23, 2009 11:00 AM
    I've seen the same thing on my network. I think this may be a false positive, as I used Qextract to pull out the original file and it appears to be fine. It is still signed by Microsoft, and when submitted to VirusTotal, it doesn't flag anything. Is there a way to find out if this is legit?
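Post 3 points at the "winapii" Run value and post 6 asks how to tell whether the flagged wuauclt.exe is legitimate. Both checks can be scripted on the affected machine. The script below is an added example for this thread, not code from any poster or from Symantec; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) and that $env:windir is the Windows directory. The only page-specific identifiers it uses are the "winapii" value name and the two wuauclt.exe paths from the thread.

```powershell
# Added example (not from the thread): local triage for the symptoms in posts 3 and 6.
# Assumes Windows PowerShell 4.0+ and $env:windir pointing at the Windows directory.

$SuspectRunValue = 'winapii'   # autostart value name quoted in post 3
$SuspectFiles = @(
    (Join-Path $env:windir 'system32\wuauclt.exe'),
    (Join-Path $env:windir 'system32\dllcache\wuauclt.exe')
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyFindings {
    # Enumerates every autostart value under the Run keys and flags the known name.
    # Everything else is listed so the admin can review unfamiliar entries by hand.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... provider noise
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Flag    = if ($p.Name -eq $SuspectRunValue) { 'KNOWN-BAD-NAME' } else { '' }
            }
        }
    }
}

function Get-FileFindings {
    # Reports presence, Authenticode status, signer and SHA-256 for each flagged path.
    foreach ($f in $SuspectFiles) {
        if (-not (Test-Path $f)) {
            [pscustomobject]@{ File = $f; Present = $false; SignatureStatus = 'n/a'; Signer = 'n/a'; SHA256 = 'n/a' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $f
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
        [pscustomobject]@{
            File            = $f
            Present         = $true
            SignatureStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer          = $signer
            SHA256          = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        }
    }
}

'Autostart entries:'
Get-RunKeyFindings | Format-Table -AutoSize

'Flagged files:'
$files = Get-FileFindings
$files | Format-Table -AutoSize

# The system32 copy and the dllcache copy of the same OS file should be identical.
$hashes = $files | Where-Object { $_.Present } | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique
if (@($hashes).Count -gt 1) {
    'WARNING: the system32 and dllcache copies of wuauclt.exe differ; compare both hashes against a known-good build'
}
```

One caveat for reading the result: Windows components of that era are usually catalog-signed rather than carrying an embedded signature, so a status of NotSigned on wuauclt.exe is not by itself evidence of tampering. The more useful signals are a HashMismatch status, a signer subject that is not Microsoft, or the two copies having different hashes, which is why the script compares them.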



  • 7.  RE: Recurring W32.IRCbot infection on the network

    Posted Sep 23, 2009 11:59 AM
    Submit the file to Symantec Security Response:
    https://submit.symantec.com/websubmit/gold.cgi


  • 8.  RE: Recurring W32.IRCbot infection on the network

    Posted Oct 21, 2009 04:48 AM
    This same worm is reinfecting one of our clients. The server is a file server, so there is no way I can disable the shares. SEP didn't detect it initially, after which rapid release definitions detected it, but then the virus keeps on recurring, and now even after rapid release defs have been applied it doesn't detect it anymore.

    The client uses Sophos to delete the .exe that the worm creates, but it keeps on recurring. Any idea how I can remove the worm once and for all?

    regards


  • 9.  RE: Recurring W32.IRCbot infection on the network

    Posted Oct 21, 2009 05:34 AM

    Zubair,

    I know file servers are always infected... and we cannot disable sharing on this server,
    or it will no longer be a file server.
    1. One thing which is very clear: the file server is getting infected from the clients accessing the ftp server.
    2. If you are using SEP 11 higher than MR3, then you can trace the infection sources and remove them from the network.
    3. You can check the risk log of this file server on the SEPM; there you can find the columns Source Computer and Source IP. Remove these machines from the network and scan in safe mode.
    4. I don't know if you have access to the SEPM; then, in the Antivirus and Antispyware policies,
     -- under File System Auto-Protect, click on the Advanced tab... there you will find one option called
    Risk Tracer... enable that one... this will help you.





  • 10.  RE: Recurring W32.IRCbot infection on the network

    Posted Nov 02, 2009 03:46 AM
    Dear Hussain,

    I have already done that. We found that it points to 2 shares on the file servers that are most infected. When we clean the PCs, the AV just skips those .exe's as normal files and SEP doesn't catch the viruses.

    It's a big pain for us now, since the client is pondering buying McAfee.

    Any other help or suggestion would be highly appreciated.

    regards


  • 11.  RE: Recurring W32.IRCbot infection on the network

    Posted Nov 03, 2009 11:55 AM
    I've just had this come up on a workstation. I'm very puzzled that SEP 11 calls it W32.IRCBot, yet the file deleted was wuauclt.exe, not Winapii.exe?? And, happily but strangely, wuauclt.exe is still there (needed for Windows Updates, yes?). So, if it's really the IRCBot, then why was it the wrong exe, and why is the exe there after deletion?? Probably I'm just not understanding what SEP is telling me.