Posted by on January 5, 2007, 3:54 am
William wrote:
> on 04 Jan 2007, something possessed to write:
>
> > Hi,
> >
> > can't find anything on this on the net - virus websites, McAfee (for
> > what it's worth), Symantec etc., nor in newsgroups or anything, so am a
> > bit stuck.
> >
> > Basically a running and recurring exe called "Wind0wz.exe" was
> > running on this Windows 2003 server, and the first we realised was when
> > the customer's internet access stopped.
> >
> > What happened was that their Sonicwall firewall was reporting a
> > SYN flood attack from this server - the server was flooding the entire
> > subnet on TCP port 2967, which filled up the NAT table on the Sonicwall,
> > effectively stopping any other traffic through it.
> >
> > Only when we killed this exe did it stop. The exe popped up again later,
> > so we put blocking rules on that TCP port to "effectively" stop it. We
> > have no knowledge of how to eradicate this problem, and
> > spyware/malware/virus checking full sweeps have not detected it.
> > Current A/V is Symantec 10d and it was fully up to date.
> >
> > As far as we are aware no other computers on the subnet have been
> > infected with this as nothing else is broadcasting in this way.
> >
> > We also put a GP on the server blocking that exe, but not sure if that's
> > going to work yet, as the program runs as System and the GP setting to
> > block exes is under User Configuration - not sure if "System" counts as
> > a user.
> >
> > So, hope this helps someone else out there if they get this - or
> > maybe someone's come across this before and can help us?
> >
> > Oh - the only other thing was that the server had not had Windows updates
> > for ages and has 70 criticals which we're currently putting on.
> >
> > Cheers
> >
> > MoF.
> >
> Without Windows updates, who knows what's lurking on there. In my
> experience, computer malware is often like roaches: the average user
> will only notice one after an extensive infestation. Anyway, before you
> do a clean wipe (which is probably the best policy), submit the file
> Wind0wz.exe to VirusTotal at www.virustotal.com. It will scan the file
> against several major AV vendors and give you results. It will also
> submit the file to the AV vendors for analysis.
>
> Regards,
>
> Will
Cool, well thanks for your comments both of you - I understand that you
can never be sure with a system that has had a virus/malware and the
only way to be sure is a full wipe/reinstall etc. ... it's trying to
convince a customer they need to pay for it that is the thing :/
The annoying thing re your virustotal.com comment is that we can't find
the exe. We've not deleted it, so I can only think that it's a renamed
temporary file when it's launched and deletes itself when you kill the
program?? We've searched on a whole load of parts of the word Wind0wz,
*d0w* etc. etc., but can't find it on the server! Great... what a life
people who create these things must lead - sad twats.
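One way to pick out a host behaving like the one in this thread (a single source sending SYNs to the whole subnet on one port) from firewall connection logs, as an added example that is not code from anyone in the thread. The log line format, addresses and threshold below are constructed for illustration and are not real SonicWall output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real SonicWall output) modelled on the
# incident above: one internal host sweeping the subnet on TCP/2967 while
# another host makes ordinary outbound web connections.
SAMPLE_LOG = """\
2007-01-04 09:12:01 allow src=192.168.1.10 dst=192.168.1.1 proto=tcp dport=2967 flags=S
2007-01-04 09:12:01 allow src=192.168.1.10 dst=192.168.1.2 proto=tcp dport=2967 flags=S
2007-01-04 09:12:01 allow src=192.168.1.10 dst=192.168.1.3 proto=tcp dport=2967 flags=S
2007-01-04 09:12:02 allow src=192.168.1.10 dst=192.168.1.4 proto=tcp dport=2967 flags=S
2007-01-04 09:12:02 allow src=192.168.1.10 dst=192.168.1.5 proto=tcp dport=2967 flags=S
2007-01-04 09:12:02 allow src=192.168.1.10 dst=192.168.1.6 proto=tcp dport=2967 flags=S
2007-01-04 09:12:03 allow src=192.168.1.25 dst=10.0.0.5 proto=tcp dport=80 flags=S
2007-01-04 09:12:03 allow src=192.168.1.25 dst=10.0.0.6 proto=tcp dport=443 flags=S
2007-01-04 09:12:04 allow src=192.168.1.10 dst=192.168.1.7 proto=tcp dport=2967 flags=S
"""

# Field pattern for the constructed format; adapt the regex to your firewall's export.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)


def find_syn_sweepers(log_text, min_targets=5):
    """Return {(src, dport): distinct_destination_count} for every source that
    sent new-connection SYNs to at least `min_targets` different hosts on one
    port. A legitimate client rarely opens the same port on many neighbours
    at once; a host doing so is the one filling the NAT/connection table."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")
        # Count only pure SYNs (connection attempts), not SYN/ACK replies.
        if "S" not in flags or "A" in flags:
            continue
        targets[(m.group("src"), int(m.group("dport")))].add(m.group("dst"))
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for (src, dport), n in find_syn_sweepers(SAMPLE_LOG).items():
        print(f"{src} opened SYNs to {n} hosts on tcp/{dport} - candidate flooding host")
```

Running it over the constructed sample reports only 192.168.1.10 on tcp/2967, which is the host to isolate and image before any wipe.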