Virus or Worm on LAN but cannot locate


Jose Armando

Hi everyone,

this is a small LAN (10 PCs) so it can be controlled easily...

After the last batch of patches came out we installed on Friday (left
machines unpatched for 2 days...)

We now have 4 machines showing connections to a public IP's port 6667, which
tells me that there is a worm running...

I also noticed the "makecash.exe" file appearing on my network shares... The
only AV distro that picks that up is Sophos but its own scanners do not show
that we have the virus (registry is clean, etc...)

Question is has anyone had a similar experience and is there any way we can
remove/delete/stop this?

I have already started rebuilding some machines but I would still like to
know why/how this happened...

Many thanks,

Jose
 

See: http://www.sophos.com/virusinfo/analyses/w32kwbotg.html

It has removal instructions.
 

Try Trend Micro's online scan (www.trend.com)

Also you can download AVG antivirus from

http://www.grisoft.com/us/us_dwnl_free.php

Burn it on a CD. If you have a very recent virus you may need to get
the updated virus sig file from avg, also. Put it on the CD.

Both are free.
 
http://www.sophos.com/virusinfo/analyses/w32kwbotg.html
 
I believe mIRC uses that port as well. Try using stinger.exe off McAfee to
rid yourself of the IRC backdoor. It's free.
wb
hope this helps.
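As an added triage example, not code from any poster in this thread: a small Python script that parses `netstat -ano` output from one of the LAN hosts and flags connections to port 6667 on non-LAN addresses, tagging each with the owning process so a genuine mIRC session (the false positive the reply above points out) can be told apart from the suspect executable. The netstat rows, PIDs and process names are constructed sample data, and the documentation address ranges stand in for public IPs.

```python
import ipaddress

# Constructed sample of `netstat -ano` output from one Windows host (not from the thread).
# 192.0.2.x / 203.0.113.x are documentation ranges standing in for public IPs.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    192.168.1.12:1045      192.0.2.44:6667        ESTABLISHED     1832
TCP    192.168.1.12:1051      192.168.1.3:445        ESTABLISHED     4
TCP    192.168.1.12:1060      203.0.113.80:80        ESTABLISHED     2200
TCP    192.168.1.12:1072      203.0.113.9:6667       SYN_SENT        1832
TCP    192.168.1.12:1080      203.0.113.9:6667       ESTABLISHED     2400
"""

# Constructed PID -> image-name map, as `tasklist` on the same host would give it.
SAMPLE_PROCESSES = {4: "System", 1832: "makecash.exe", 2200: "iexplore.exe", 2400: "mirc.exe"}

LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IRC_PORTS = {6667}
KNOWN_IRC_CLIENTS = {"mirc.exe"}  # a real IRC client also talks on 6667, as the reply notes


def parse_netstat(text):
    """Parse the TCP rows of `netstat -ano` into dicts; skip the header and non-TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        host, port = parts[2].rsplit(":", 1)
        rows.append({"local": parts[1], "remote": host, "port": int(port),
                     "state": parts[3], "pid": int(parts[4])})
    return rows


def is_lan(addr):
    """True if the address falls in one of the RFC 1918 ranges used by the LAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def suspicious_irc_connections(netstat_text, processes):
    """Connections to an IRC port on a non-LAN address, tagged with the owning process.
    A hit from a known IRC client is marked likely_legit so it gets checked by hand
    instead of being treated as the worm outright."""
    hits = []
    for row in parse_netstat(netstat_text):
        if row["port"] in IRC_PORTS and not is_lan(row["remote"]):
            image = processes.get(row["pid"], "unknown")
            hits.append({**row, "image": image,
                         "likely_legit": image.lower() in KNOWN_IRC_CLIENTS})
    return hits
```

Run it against each host's real `netstat -ano` and `tasklist` output; a hit whose image is not a known IRC client is the process to pull for the AV vendor.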
 
I have already started rebuilding some machines but I would still like
to know why/how this happened...

Well, it didn't just happen by itself. Maybe, you need to investigate what
the users of the machines are doing. A little education for the users on
prevention may go a long way for you. It's a shame you have to rebuild
machines to rid the network of the compromise.

Duane :)
 