
Mal-Ware/Virus' From Hell


Minagera

Just throwing this up here for giggles, or if any of you other IT folk run into this stuff, but my entire weekend was spent rebuilding our exchange server and master domain controllers because of some very horrible bits of malware.

 

Noytcyr

Soxpeca

Tdydowkc

Afisicx

Mabdiwe

Wsldoekd

 

Every tool I used to remove these failed, even the master tool, ComboFix. These are a real pain, and I just got tired of fooling with them. I rebuilt the servers instead of fixing this malware. Those will all show up as services on the machines, and they are nearly impossible to get rid of.
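The post above says the malware shows up as services with random names. As an added example (not the poster's tooling, and not from any project named in the thread), here is a baseline-diff triage that a defender would run over a service inventory: every service is compared against a snapshot of names from a clean build, and its binary path is checked for temp and per-user directories. The inventory rows, the baseline set, and the file paths attached to the thread's service names are all constructed for the demo.

```python
"""Baseline-diff triage of a Windows service inventory.

Added example for the thread above; it is not the poster's tooling. Each
inventory row is constructed to mimic an export of a service's name and
ImagePath (what `sc qc <name>` prints as BINARY_PATH_NAME). The baseline is a
constructed snapshot of service names taken from a clean build of the same OS.
"""
import re

# Constructed baseline: service names recorded from a known-good build.
BASELINE = {
    "Spooler", "EventLog", "Dnscache", "LanmanServer", "Netlogon",
    "W32Time", "MSExchangeIS", "MSExchangeSA", "IAS",
}

# Where a service binary normally lives on a server (compared in lower case).
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")

# Where a service binary should never live: temp and per-user directories.
SUSPECT_PREFIXES = (r"c:\windows\temp", r"c:\documents and settings", r"c:\users")

# Constructed inventory: legitimate services, one freshly installed agent,
# and three entries using the random names from the thread with made-up paths.
INVENTORY = [
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("EventLog", r"C:\WINDOWS\system32\services.exe"),
    ("Dnscache", r"C:\WINDOWS\system32\svchost.exe -k NetworkService"),
    ("MSExchangeIS", r'"C:\Program Files\Exchsrvr\bin\store.exe"'),
    ("BackupAgent", r'"C:\Program Files\Acme Backup\agent.exe" -service'),
    ("Noytcyr", r"C:\WINDOWS\Temp\noytcyr.exe"),
    ("Wsldoekd", r'"C:\Documents and Settings\Administrator\Local Settings\Temp\wsldoekd.exe"'),
    ("Afisicx", r"C:\WINDOWS\system32\afisicx.exe"),
]


def binary_from_image_path(image_path):
    """Strip quotes and arguments from an ImagePath, leaving just the executable."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:image_path.index('"', 1)]
    # Unquoted paths may carry arguments after the .exe (svchost's "-k group").
    m = re.match(r"(.+?\.exe)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path.split(" ")[0]


def triage(inventory, baseline=BASELINE):
    """Return (name, binary, reasons) for every service that needs a look.

    Services with more reasons sort first. A name alone proves nothing: the
    random names in the thread are not distinguishable from real ones by
    pattern, which is why the baseline comparison is the dependable check.
    """
    findings = []
    for name, image_path in inventory:
        binary = binary_from_image_path(image_path)
        low = binary.lower()
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if low.startswith(SUSPECT_PREFIXES):
            reasons.append("binary in temp or user-writable directory")
        elif not low.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside trusted directories")
        if reasons:
            findings.append((name, binary, reasons))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0]))


if __name__ == "__main__":
    for name, binary, reasons in triage(INVENTORY):
        print(f"{name:<14} {binary}\n    {'; '.join(reasons)}")
```

Note that the entry dropped into system32 under a random name is flagged only by the baseline check, and the legitimately installed backup agent is flagged too: the output is a worklist for a human, not a verdict, and the baseline snapshot has to be refreshed whenever software is deliberately added.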



 

 

 

Who has permissions they shouldn't?

Meh, be safe, take 'em all away ^^


Sounds like unpatched servers to me... But a lot of people are still debating applying SP3 for XP, so :rolleyes: what can you do??

 

My old job got hit because 'they don't believe in applying updates that haven't been tested' because they may break their 'legacy applications'. I'm like, "Ever hear of an 'application server'?" ??


 

 

Oh, that's funny stuff ^^ Yes sir.


There's your problem: Windows, on a server.

 

I would suggest Linux. It's free, open source, and, well, easy to learn if you're smart enough to run a Windows server. A recent virus came out affecting Ubuntu users, and it was fixed within 24 hours, whereas some Windows patches take 7 years. Just saying.

 

Nothing against Windows, honestly; I just love to promote the Linux community =) If you're unfamiliar, take a look into Fedora. I know it's good for networking and pretty easy to learn. Most distros also have a "server edition", but I really couldn't tell you which is best; there's a lot to suit your needs. I'd definitely recommend one with a big user base to help you out (Red Hat, Mandrake, Ubuntu, Slackware, etc.).

Edited by iamlew

Something destroyed my 500GB drive's partition tables and master boot record... I've been trying to scan and recover the data for the past few days, but I think it's a complete loss. Unreadable sectors FTL.

 

Maybe it's easier to start over...

 

-Robert


Yeah, sometimes it's just best to cut your losses. I'd search around for a Linux live CD with a recovery tool; you might be able to back up some of your things, but with bad sectors I don't really think so. I think Fedora may have a recovery tool... www.linuxquestions.org - always good for help.

Do you run IDS software (Snort) on your network, or do you have IDS devices? Additionally, you could use a web/HTTP proxy to control access to malicious websites.

 

If you can track the source of the malware, I use this website, www.threatexpert.com. It has helped me identify malware in the past.

 

Hope you fixed it.


 

 

I have a Cisco ASA with the Trend CSC module in front of my network. It sniffs out quite a bit, but obviously not everything.

 

I can identify the malware; however, it is the removal that is posing the problem.

 

Just a side note: what I did was retire my current domain controller, build a new one with the same name and IP, and get my RADIUS and that jazz working on it. After that I used a program from Microsoft called Process Manager, a super task manager of sorts, to suspend the malware on our Exchange box. Suspended, it won't run, and it won't restart. Then I dismounted our Corporate Information Store, copied it to a spare box via esefile.exe, and proceeded to do a repair and defrag with eseutil.exe. This was a dry-run test of sorts so that this weekend, or next weekend, I can bring down Exchange completely and pull all three of our Information Stores over to a new W2K3 box running Exchange 2K3 rather than a W2K box running Exchange 2K.


You should submit a sample of the malware to threatexpert.com. If it's identified (MD5 hash), they usually link you to either a removal tool or an analysis page that shows the registry entries, DLLs and other crap that's placed there. I feel your pain, man; I use VirusTotal and ThreatExpert to help out when I'm in that situation. Having a sample of them means at least you are always 'halfway' there.
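The post above recommends identifying a sample by its MD5 hash before looking for a removal tool. As an added example (not the poster's workflow, and it contacts neither ThreatExpert nor VirusTotal), here is the fingerprinting step a responder does before submitting anything: hash the file in chunks, record its size and whether it carries the PE "MZ" marker, and check the digests against a local list of hashes that earlier analyses already identified. The sample bytes and the known-bad list are constructed for the demo; `fingerprint`, `lookup` and `fingerprint_bytes` are names chosen here.

```python
"""Fingerprint a suspected malware sample before submitting or looking it up.

Added example for the post above; it is not the poster's workflow and it does
not contact ThreatExpert or VirusTotal. It hashes a file in fixed-size chunks
(so a large binary is never loaded whole), records the size and whether the
file starts with the PE "MZ" marker, and checks the digests against a local
list of hashes that earlier analyses already identified. The sample bytes and
the known-bad list are constructed for the demo.
"""
import hashlib
import os
import tempfile

# Constructed: digests an earlier analysis already identified, keyed by algorithm.
# The md5 entry is the digest of the three bytes b"abc", used as the demo sample.
KNOWN_BAD = {
    "md5": {"900150983cd24fb0d6963f7d28e17f72"},
    "sha256": set(),
}


def fingerprint(path, chunk_size=1 << 20):
    """Return size, PE check and md5/sha1/sha256 of the file at `path`."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    size = 0
    first = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            if not first:
                first = chunk[:2]
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    record = {alg: d.hexdigest() for alg, d in digests.items()}
    record.update(path=path, size=size, is_pe=(first == b"MZ"))
    return record


def lookup(record, known=KNOWN_BAD):
    """Which of the record's digests are already identified locally.

    An empty result means nothing local matched and the sample is worth
    submitting. sha256 is the digest to file and share; md5 is kept only
    because older lookup sites and reports are keyed on it.
    """
    return {alg: record[alg] for alg in known if record[alg] in known[alg]}


def fingerprint_bytes(data, name="sample.bin"):
    """Write constructed bytes to a temporary file and fingerprint it (demo helper)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        return fingerprint(path)


if __name__ == "__main__":
    for sample in (b"abc", b"MZ" + b"\x00" * 100):
        rec = fingerprint_bytes(sample)
        hit = lookup(rec)
        print(f"size={rec['size']} pe={rec['is_pe']} sha256={rec['sha256']}")
        print("  identified:" if hit else "  no local match, submit sample", hit or "")
```

Keep the record (all three digests plus size) with the incident notes: the MD5 is what the older sites in the thread key on, but MD5 collisions are practical, so the SHA-256 is the value to share and to match on when a second machine turns up the same binary.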

 

Good luck.
