W2K machine hit again

Duh_OZ

Second time it's been hit with some malware in the last month. This
time it is blackmal.e, forgot what the last one was. Machine has no
e-mail client installed, used more or less as a print server. McAfee
(hey work computer, what can I say) up-to-date and all patches were
applied. McAfee caught it, but had 8 infected files in the Documents
and Settings folder. Doing a full scan now, just in case. I'll
also run hijackthis, along with SpyBot and Adaware. Last time no
residual effects and I checked all the other computers (Win 98 & Win
NT) which showed nothing. Not sure where the *limited* attacks are
coming from.
 
McAfee caught it, but had 8 infected files in the Documents
and Settings folder.

This seems contradictory. If McAfee caught it, how did you get infected
files?

-Frank
 
Second time it's been hit with some malware in the last month. This
time it is blackmal.e, forgot what the last one was. Machine has no
e-mail client installed, used more or less as a print server. McAfee
(hey work computer, what can I say) up-to-date and all patches were
applied. McAfee caught it, but had 8 infected files in the Documents
and Settings folder. Doing a full scan now, just in case. I'll
also run hijackthis, along with SpyBot and Adaware. Last time no
residual effects and I checked all the other computers (Win 98 & Win
NT) which showed nothing. Not sure where the *limited* attacks are
coming from.

Open shares, low security settings and/or lack of patches.

Art
http://home.epix.net/~artnpeg
 

Duh_OZ said:
Second time it's been hit with some malware in the last month. This
time it is blackmal.e, forgot what the last one was. Machine has no
e-mail client installed, used more or less as a print server. McAfee
(hey work computer, what can I say) up-to-date and all patches were
applied. McAfee caught it, but had 8 infected files in the Documents
and Settings folder. Doing a full scan now, just in case. I'll
also run hijackthis, along with SpyBot and Adaware. Last time no
residual effects and I checked all the other computers (Win 98 & Win
NT) which showed nothing. Not sure where the *limited* attacks are
coming from.
A disgruntled employee?
 
Frankster said:
This seems contradictory. If McAfee caught it, how did you get infected
files?

-Frank
========
That's what I'd like to know! Ended up with 9 separate infected files,
almost all with strange names (just one called temp.exe), and all in
Documents and Settings. Unplugged the network cable for the night.
 
Duh_OZ said:
========
That's what I'd like to know! Ended up with 9 separate infected files,
almost all with strange names (just one called temp.exe), and all in
Documents and Settings. Unplugged the network cable for the night.

Not that this is happening here, but it is not at all contradictory to find such things.
Malware known to the scanner can still get by in the first instance via an unknown
dropper or injector. In fact, a fast infector could infect each file a scanner scans
just after it has finished scanning the clean file. Not until the next time the file is
accessed will the AV pick up on it.

Even for viruses, an initial planted instance can get by because AV is designed
to detect only the further instances, i.e. infected files, as opposed to the first-instance
trojan file. You need trojan detection for the droppers or injectors, but virus
detectors for further instances.
 
From: "Duh_OZ" <[email protected]>

|
| =============
| I do know all the patches have been applied. I'll review the shares
| and run some port tests.

You haven't stated WHAT you are infected with. That would help.

Are you using Sun Java? If yes, is it at version 5 update 6 level with all older versions
removed?
 
David said:
You haven't stated WHAT you are infected with. That would help.

Are you using Sun Java? If yes, is it at version 5 update 6 level with all older versions
removed?

Actually I did in my original post, but I said it was w32.blackmal.e,
which of course McAfee names mywife.d??. I called it blackmal.e as
I've seen it with that name more often on the web so it stuck.

Again, everything was still contained in Documents and Settings (main
folder, none in sub folders) so it may have just been starting up.

I'll post an update tomorrow if I have a chance (blasted Friday
meetings).

Ex-manager initially set it up a few years back - been fine until the
last month. I'll check out who can access it - the department is
spread across two buildings about 6 miles apart so someone in the other
building may be passing it on.
 
On that special day, Duh_OZ, ([email protected]) said...
Actually I did in my original post, but I said it was w32.blackmal.e,
which of course McAfee names mywife.d??. I called it blackmal.e as
I've seen it with that name more often on the web so it stuck.

So it is the currently prevalent Nyxem.E

Others call it Kapser, too. Or Kamasutra, or Tearec. Seems they can't
keep to a common denominator.

Whatever, it is said to be spreading via mass mailing, which raises the
question: how did it get onto a machine that doesn't even have a mail
program? Maybe via the printer spool, but that doesn't really make much
more sense, because in order to be copied to the printer by this
method, someone must first have decided to send the Nyxem/Blackmal etc.
to the printer.

So who is printing worm mails?


Gabriele Neukam
 
========
That's what I'd like to know! Ended up with 9 separate infected files,
almost all with strange names (just one called temp.exe), and all in
Documents and Settings. Unplugged the network cable for the night.

Well, he said no email client. So it's coming in via an
unprotected or weakly protected share - and it has shares coz
it's a print server. Direct file transmission over shares is
tricky for av to intercept, so you often see them pick up the
problem only after infection.
Put proper passwords on those shares.
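The share review the reply above calls for, as an added example that is not from the thread: it lists the non-administrative SMB shares on the host and flags any entry that grants Full or Change (write-capable) access to Everyone or another broad group. It assumes a current Windows host with the SmbShare PowerShell module (Get-SmbShare / Get-SmbShareAccess); Windows 2000 has no such module, where the same review is done by hand with `net share` and the share's permissions dialog.

```powershell
# Added audit script (not from the thread). Requires the SmbShare module,
# i.e. Windows 8 / Server 2012 or later. Run elevated to see all shares.
# Principals treated as "broad" is an assumption; extend for your domain.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'BUILTIN\Guests')

function Get-RiskyShareAccess {
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special; skip them.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $isBroad  = $BroadPrincipals -contains $ace.AccountName
            # Full or Change lets a remote client drop files onto the share;
            # Read-only shares cannot be used to plant an executable.
            $canWrite = $ace.AccessRight -in @('Full', 'Change')
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $ace.AccountName
                    Right   = $ace.AccessRight
                }
            }
        }
    }
}

$findings = @(Get-RiskyShareAccess)
if ($findings.Count -eq 0) {
    Write-Output 'No non-admin share grants write access to a broad principal.'
} else {
    Write-Output 'Shares writable by broad principals (tighten or remove):'
    $findings | Format-Table -AutoSize
}
```

Share permissions are only half of the effective access: the NTFS ACL on each listed Path (Get-Acl) must be reviewed too, since the more restrictive of the two wins.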
 
On that special day, Duh_OZ, ([email protected]) said...
So it is the currently prevalent Nyxem.E

Others call it Kapser, too. Or Kamasutra, or Tearec. Seems they can't
keep to a common denominator.

CME42, iirc, is a name according to some standard somebody's
trying to push for mailserver-based scanners.
Whatever, it is said to be spreading via mass mailing;

Mail is the primary route but it spreads via shares too.
 
Duh_OZ said:
Second time it's been hit with some malware in the last month. This
time it is blackmal.e, forgot what the last one was. Machine has no
e-mail client installed, used more or less as a print server. McAfee
(hey work computer, what can I say) up-to-date and all patches were
applied. McAfee caught it, but had 8 infected files in the Documents
and Settings folder. Doing a full scan now, just in case. I'll
also run hijackthis, along with SpyBot and Adaware. Last time no
residual effects and I checked all the other computers (Win 98 & Win
NT) which showed nothing. Not sure where the *limited* attacks are
coming from.

It's worth checking all the other pcs on the network. There may be an infected
pc which is trying to infect others on the network.

We had a virus scare on our network a couple of years back and I eventually
traced it back to the MD's laptop which he had taken home and connected to
the internet without a firewall. (Don't recall why the anti-virus on his pc
didn't stop it.)

Hope you get to the bottom of it.
 
Update:

Found one other (Win NT) machine (no e-mail client on it either) that
had two infected files, but no others. Deleted them (forgot to look
for the creation date ;-( ), rescanned, ran hijackthis, all is clean.

I then removed all the (drive) shares for now, and assigned new
passwords for anyone that had access to the machine. Very few
did, but my ex-manager was out there so I deleted him (the user, not
the actual person, but one can dream, no? ).

Off to meetings now *ugh*