Signman

Virus Files Appearing Almost Daily


Just wondering if this kind of thing happens to you guys....I have a W2K and a Win98se machine networked together and on a company network. I run AVG on both computers. About a month or so ago, my Win98 machine was suddenly attacked with the klez worm. AVG caught it and removed it. Just to be safe, I did an online scan and found some files that were still on there. I had to manually delete them. Now, about 2 or 3 times a week, I get this variation of the klez virus and go through the steps of removing it. Why does this thing keep attacking this one computer? It hasn't migrated to my W2K machine yet...knock on wood. I am not the only one at our company that it happens to either. We both have the same thing happen to us. Funny thing is, I don't go on the net or do any surfing with the Win98 machine, but I let it do the automatic updates to AVG. What do you guys think? Is there something I could try to avoid getting this thing several times a week? By the way, we have run virus scanners on all our computers and nothing was found on any of the others, just mine and another co-worker's.


Yea, I'm getting the klez I virus every day, sometimes two or three times a day, since 1/26/02. The last two days I haven't seen anything, but I made all my settings to their highest levels on my ISP's spam blocker...caught a few of them buggers :mrgreen: , from there I can view in html, saw a whole lot of script in just one message as an attachment.


Signman,

 

Many viruses are "network" aware. If there are shared drives/folders on any machine on the network, it seeks them out and jumps in. The nasty part is it doesn't install on those PCs unless you actually click on it or something similar to activate it. It just lies in wait harmlessly undetected until a connection is made to the share.

 

I have had this happen twice. Both times from working on AOL PCs. Last week I was working on another AoHell PC; as soon as it was plugged into my network, klez jumped to any and all available shared directories on the network. I now had 6 machines to clean up. All the machines have to be unplugged from the network and individually cleaned up. They have to all be left unplugged from the network until they are all completely clean, or as soon as one PC makes a connection to the other it will jump back in.

 

I have scanned other machines from known clean ones; as soon as the machine connects to the infected machine to scan it, klez jumps on the scanning machine. It's a nasty little bugger, and half the files need to be "manually" deleted. The virus scanners can't remove all of them.


Hello Bruce....I don't share my drives or folders with anyone else on our network, nor can I access their files either. So far I have found that my 2 computers are connected together (in my office) to the hub there, then to the wall, which comes out in our "computer equipment room", then is connected to another hub, then into a large fiber-optic box on the wall. There are only 2 more machines connected to that hub. These 2 other machines are clear of any viruses at present, but it is one of those computers that gets the virus at the same time one of mine does. Could we be passing it back and forth between us even if we are not sharing files? Sometimes we can go for days without an attack and then...Boom, one of us has it. Doesn't make sense to me.


Hi Volt!

Yes, we both keep that on our desktop so we can boot to safe mode and remove it quickly. Sometimes we still have to remove some files manually. It just gets tiresome to have to do this every few days. I can't figure out why my W2k Pro machine has never picked it up. They are networked together....beats me!


Yes, the machines can be passing it back and forth between themselves. Shares are the quickest way, but not the only way. Next time it is discovered, remove the infected machine from the network and then check all the other machines. The PCs on a network constantly communicate with each other; that simple communication is enough to pass on the virus. My guess is indeed they are passing it back and forth between each other, and that you haven't found the culprit file yet.

 

Looking for .rar files is a good start. They may not always be detected as the virus until they are executed. For instance, my wife's PC was on the network when the AOL machine was connected, and AVG never detected anything. The first time she opened Internet Explorer, AVG went crazy. However, AVG didn't remove everything, and one .rar file was hidden and read-only.

 

I had to unhide all the files and search them out. Once I found them, I unhid them and changed them to archives as administrator so I could delete them.

 

I have never in all my years of computing gotten a virus from the internet. This year was the first time I ever had to deal with them; both times were when someone dropped off an AOL PC for me to work on, and both times, as soon as I plugged those machines into my network, the virus went to work.

 

New rule for me: if it has AOL, then it gets formatted before it ever gets plugged into my network, and if the customer doesn't like that they can go elsewhere. I despise their forward-to-everyone, open-everything email mentality. The use of AOL's software to begin with is usually a good indicator of their web intelligence.

 

Shame on me for ever even reaching for that spare ethernet cable in the first place. :mrsgreen: It won't happen ever again.


Simply plugging the machine into the network does it, Volt.

 

As soon as the machine gets plugged in, the very first thing it will do is communicate with the other PCs to obtain an IP address and get a list of PCs from the "master browser". That simple communication is enough, apparently.

 

That is it; I don't have to do anything more than plug the machine in, and the virus starts to spread.

 

You remember when my nephew's fiancée had her virus problem and I sent her here for help because I didn't have any experience with viruses?

 

Well, her PC was the first one that ever did it to me. When she couldn't fix it she brought it here, I plugged it in to the network, and immediately had one hell of a mess to clean up. At that time I was sharing my internet connection with the neighbor, so I had 9 PCs to clean up. :mrsgreen:

 

No longer sharing the connection, so I only had my own machines to clean up this time. Needless to say, these viruses are "network" aware. You do not have to do anything for it to spread from one PC to the other. They detect immediately that they are on a LAN and do their best to spread quickly.

 

My wife's machine sat there quietly for more than a half hour; as soon as she opened internet exploder, AVG went off. Something in IE triggered the file to be executed. I don't know why or how, I just know that it did. That is when I immediately began checking the other machines, to find the klez files sitting there on the others waiting for whatever it is that triggers them to be executed. The virus detectors don't seem to pick it up until the file somehow gets activated, but the files are indeed there, waiting quietly to do their dirty work.

 

It gets into the hidden "system" files on the windows machines. On my linux machines it is harmless, but it also jumps onto any shares that are there. I don't worry about the linux boxes, because it doesn't harm them; it doesn't execute and the files are not hidden, it just sits there waiting for a windows box. So I usually just unplug the linux boxes and come back to them later. A simple delete of the 5 files klez put on them is easy; they are all easily seen and cannot get any further than the shared directory.

 

The windows machines, however, get the virus in several places; the files are often hidden, and extensive searching is needed to find them all. So they become my priority, that is where the damage is done. Linux users on a network need to be aware that if they have a share on a network that gives windows machines "write" privileges, viri like klez will jump to that share. It won't harm the linux machine at all and could sit there forever without hurting it, but if they don't remove the files, klez will infect the windows machines on the network.

 

That's why viri scanners for linux scan for "windows" viri. Those scanners are intended to protect windows networks with linux servers from attack more than they are intended to protect linux from harm.

 

So be aware that if you are networked and get one infected machine, the best thing you can do is to "immediately" isolate that machine; do not allow it to stay on the network for even so much as a minute longer than it takes to pull the ethernet cable.


My method of cleaning everything up must have worked.

 

I just followed those instructions, and all was good. Scanned with their Elkern tool in safe mode, and then ran AVG in safe mode via command line.

 

I never checked their site for instructions LOL, I just used common sense, and after reading their instructions I was surprised that I did everything almost exactly as they recommended, with the exception of scanning by command line after I cleaned up.

 

I still say, and they did also, that isolating the infected machine from the network is the most important and very first step that should be taken!!

 

Thanks for the link Volt.


Bruce is right, Volt. I must be gettin' it from just being plugged into the network, because I don't even get on the net with this 98 machine (just to update my AVG). We will have to investigate further the next time it pops up. I unplug mine and do the removal thing, and sometimes have to manually remove a file or two. Before I plug it back up, I notify the co-worker and he does his too. We then plug them back up, but evidently we are missing something somewhere.


If you wait till next time it pops up, you are waiting too long. You need to find the offending files on whatever machine they are sitting on. They could be on a machine without ever being noticed or detected by virus scanners. I would check every machine in every possible way.

 

I would be willing to bet it is still on your network.


Signman, I know you said you aren't sharing your drives but double-check to be sure. If you right-click on C: in My Computer and look at the Sharing tab, does it say "Not shared"? That's the most common way the files will get there other than email.

 

Another trick that can bite you is having the Guest user added to the Administrator group in Windows 2000 or XP. If that happens then anyone on the Internet can connect to your admin shares (C$, D$) and do anything they want to the drives.

:nuke: I can't imagine anyone in a business intentionally adding the guest account to the administrators group :nuke::woot::woot: That's a scary prospect, Dave. The only time I have seen someone do it is when they didn't know how to set up shares with user permissions; they just went the easy/dangerous route and gave the world access. :mrsgreen:


I'm not on a network, but it keeps on coming. Did the download cleaning software and ran it in safe mode. Still getting Klez e-mails though. Should I contact my ISP?


If you're on the Internet, then you're on a network. Make sure NetBIOS is not enabled on whatever connection goes out to the Internet.

 

The hole that Klez exploits was closed in a patch from about a year ago. If you haven't applied that patch, it is possible to be infected with Klez just by getting the emails and having a preview pane open in Outlook. Make sure that isn't happening. If you're up to date with Windows Update then you should be fine.

 

The source of the Klez emails is not the From address, so notifying the "sender" doesn't help. Your ISP won't be able to help either. :(

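Dave's three checks from his two posts above (whole-drive shares, Guest in the local Administrators group, and NetBIOS left on for the Internet-facing connection) gathered into one audit script. This is an added example, not code from anyone in the thread; it assumes a current Windows host with the SmbShare, LocalAccounts and CIM cmdlets and an elevated prompt (the 2002-era machines in the thread would use `net share` and `net localgroup Administrators` for the first two checks).

```powershell
# Added example: audit the exposure points discussed in the thread.
# Assumes Windows 8 / Server 2012 or later; run from an elevated PowerShell.

function Get-DriveRootShares {
    # User-created shares whose path is a bare drive root (C:\, D:\), i.e. the
    # Sharing tab on the drive does NOT say "Not shared". Administrative shares
    # (C$, ADMIN$, IPC$) are filtered out so only deliberate shares are listed.
    Get-SmbShare |
        Where-Object { $_.Path -match '^[A-Za-z]:\\$' -and $_.Name -notmatch '\$$' } |
        Select-Object Name, Path
}

function Test-GuestIsAdmin {
    # True when the built-in Guest account is a direct member of Administrators;
    # that is the misconfiguration that exposes C$ and D$ to anyone who can reach
    # the machine.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    [bool]($members | Where-Object { $_.Name -like '*\Guest' })
}

function Get-NetbiosEnabledAdapters {
    # TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled.
    # Anything other than 2 on an Internet-facing adapter needs attention.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object Description, IPAddress, TcpipNetbiosOptions
}

$shares = Get-DriveRootShares
if ($shares) { Write-Warning 'Whole-drive shares found:'; $shares | Format-Table -AutoSize }
else         { Write-Output 'No user-created whole-drive shares.' }

if (Test-GuestIsAdmin) {
    Write-Warning 'Guest is a member of Administrators. Fix: Remove-LocalGroupMember -Group Administrators -Member Guest'
} else {
    Write-Output 'Guest is not in Administrators.'
}

$nb = Get-NetbiosEnabledAdapters
if ($nb) { Write-Warning 'NetBIOS over TCP/IP is not disabled on:'; $nb | Format-Table -AutoSize }
else     { Write-Output 'NetBIOS over TCP/IP is disabled on every IP-enabled adapter.' }
```

NetBIOS can be turned off per adapter under the WINS tab of the TCP/IP advanced properties, which is what the last check reports on.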

Thanks Dave. I'm not using Explorer or Outlook cuz I started using Mozilla and Mozilla e-mail also, but I'll get all the latest updates from M$.
