Unknown exploit - Boot.ini/Windows shares

Unknown exploit - Boot.ini/Windows shares
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Antivirus Discussions    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Unknown exploit - Boot.ini/Windows shares Pieter van der Walt 02-20-2006
Posted by Pieter van der Walt on February 20, 2006, 5:05 am
If you were  Registered and logged in, you could reply and use other advanced thread options
I have a situation currently where a company's network is under some
kind of attack.

- PC's boot.ini file gets overwritten, resets partition pointers to 0
- we have found in some cases the NTLDR gets deleted
- no virus signatures can find a problem despite running multiple AV
packages
- pc slows down, spontaneous reboot and after reboot boot.ini is
changed
- looks like it spreads via public shares - is there a way of forcibly
disabling network shares, i.e. through registry perhaps?


All windows updates have been done and ther symptoms are experienced on
windows nt, 2000 and xp machines.


We thought it may the W32.opaserv.k.worm but not that!!


Anyone who has come across similar experiences please let me know asap!


Thanks
P.



Posted by =?Utf-8?B?TWlsbyAoIE1TUFNTKQ== on February 20, 2006, 7:30 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Isolate the workstation or server try to simulate a random check ( bandwidth
spikes or a heuristic scope of logs and transmission where to and which one
among the PC is deliberately running at beyond of what is expected esp. off
office hours that bandwidth is controlled.



--
Milo
MSPSS - ESCA



Posted by David H. Lipman on February 20, 2006, 5:53 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

| I have a situation currently where a company's network is under some
| kind of attack.
|
| - PC's boot.ini file gets overwritten, resets partition pointers to 0
| - we have found in some cases the NTLDR gets deleted
| - no virus signatures can find a problem despite running multiple AV
| packages
| - pc slows down, spontaneous reboot and after reboot boot.ini is
| changed
| - looks like it spreads via public shares - is there a way of forcibly
| disabling network shares, i.e. through registry perhaps?
|
| All windows updates have been done and ther symptoms are experienced on
| windows nt, 2000 and xp machines.
|
| We thought it may the W32.opaserv.k.worm but not that!!
|
| Anyone who has come across similar experiences please let me know asap!
|
| Thanks
| P.
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the
PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Stefan Kanthak on February 21, 2006, 3:57 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

> I have a situation currently where a company's network is under some
> kind of attack.
>
> - PC's boot.ini file gets overwritten, resets partition pointers to 0
> - we have found in some cases the NTLDR gets deleted
> - no virus signatures can find a problem despite running multiple AV
> packages
> - pc slows down, spontaneous reboot and after reboot boot.ini is
> changed
> - looks like it spreads via public shares - is there a way of forcibly
> disabling network shares, i.e. through registry perhaps?

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoFileSharing"=dword:01
"NoPrintSharing"=dword:01

But (BIG BUT): if it's malware, how does it get administrative rights?
Your users have accounts with administrative or power user rights?

And when it's malware: get your backups and restore ALL systems, but don't
connect them to the network until you've removed ALL user accounts from
the administrators group or the power users and setup strong passwords for
all accounts!

BTW: virus scanners only detect known malware. You'll have to use other
measures when you really want to protect your network. Think of software
restriction policies for XP and only allow execution from %SystemRoot%
and beyond and %ProgramFiles% and beyond.

Stefan


Posted by Pieter van der Walt on February 22, 2006, 5:25 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Situation has been contained - and we now have expertise with tools
onsite... no exact explanation as to the exact cause yet...


>I have a situation currently where a company's network is under some
> kind of attack.
>
> - PC's boot.ini file gets overwritten, resets partition pointers to 0
> - we have found in some cases the NTLDR gets deleted
> - no virus signatures can find a problem despite running multiple AV
> packages
> - pc slows down, spontaneous reboot and after reboot boot.ini is
> changed
> - looks like it spreads via public shares - is there a way of forcibly
> disabling network shares, i.e. through registry perhaps?
>
>
> All windows updates have been done and ther symptoms are experienced on
> windows nt, 2000 and xp machines.
>
>
> We thought it may the W32.opaserv.k.worm but not that!!
>
>
> Anyone who has come across similar experiences please let me know asap!
>
>
> Thanks
> P.
>
>



Similar ThreadsPosted
Boot Malmo on my USB Mem!! Help October 20, 2005, 9:18 am
Boot Virus Help June 22, 2006, 12:50 pm
boot problem November 24, 2007, 12:59 pm
Please help!! Boot Virus?? May 10, 2008, 11:46 am
Question(s) about VBS/Petik-V & boot.ini December 14, 2005, 3:41 am
Boot. Malmo threat May 11, 2006, 5:20 am
Boot Sector virus September 22, 2006, 6:38 pm
Can't boot to safe mode June 3, 2007, 5:33 pm
Boot Malmo removal from a USB Mem Stick??? September 28, 2005, 3:56 pm
Anti Virus Solutions That Use Their Own Boot CD? July 2, 2008, 1:47 pm

The site map in XML format XML site map

Contact Us | Privacy Policy