Re: Virus that causes a lot of traffic ?


From: Paul fpvt2 (anonymous_at_discussions.microsoft.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 07:24:03 -0800

Thank you for your reply.
Earlier I failed to mention that those viruses were found
on more than 1 machine.
For ex: Bkdr./bounce.a. and Troj SQLSpida.B were found on
1 machine.
IRC/Flood.ap Trojan was on a different machine.
Malware.pe_parite.a was on a different machine.
malware.worm_agobot-2 was on a different machine.
W32/Sdbot.worm.gen.T was on a different machine.
W32/Sdbot.worm.gen.R was on a different machine.

I am just wondering how to best clean or delete those
viruses?
We do have Symantec AV with the latest virus definitions
installed, and we have it running on schedule every day.
It did not catch the viruses mentioned above. We also
have a firewall.

Thanks a lot.

>-----Original Message-----
>yes they can cause high bandwidth usage on your network and the rest of the
>world by distributing themselves from your internet connection. if you have
>all that stuff on your servers it's best to unplug them completely and
>rebuild from scratch making sure that all software is installed from clean
>sources. do not expose them to your lan or the internet until they have all
>patches and proper virus protection and firewalls. you will also probably
>have to clean all the other machines on your network as they are likely also
>infected at this point... note that if you leave one infected machine on the
>network it will quickly reinfect any other machine that you clean up.
>
>"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
>news:16ed01c4d6e9$6279f3e0$a501280a@phx.gbl...
>> Hi Dave,
>> Yesterday, our network administrator ran the Stinger and
>> Trend Housecall (albeit not in a safe mode) on our
>> Win2000 servers.
>>
>> The following were the viruses that can not be cleaned.
>> Do you know the best way to clean these viruses? Do we
>> need to reboot the machine in a safe mode, go to DOS
>> prompt, unhide the directory and files, and delete them?
>>
>> . Bkdr./bounce.a. It is in c:\winnt\system32\config\services.exe.
>>   Housecall can not clean it.
>> . Troj SQLSpida.B. It is in c:\winnt\system32\drivers\services.exe.
>>   This is a hidden file that was only shown when "Show all hidden
>>   files and directories" in Windows explorer was selected.
>>   Housecall can not clean it.
>> . HTML_Netsky.P. It is in c:\program files\..\..\RYGJYXY0* Layer2
>>   nonamefl*. In Windows explorer, even after "Show all hidden files
>>   and directories" was selected, you still can not see this directory.
>>   Housecall can not clean it.
>> . IRC/Flood.ap Trojan at c:\winnt\system32\OCXDLL.EXE\DLL32NT.HLP.
>>   Stinger can not clean this file.
>>
>>
>> The following were viruses that were successfully cleaned:
>> . Malware.pe_parite.a
>> . malware.worm_agobot-2
>> . W32/Sdbot.worm.gen.T
>> . W32/Sdbot.worm.gen.R
>>
>> Do you think any of the malware that were found above
>> could cause the high bandwidth traffic on the servers?
>>
>> Thanks again in advance.
>>
>> >-----Original Message-----
>> >You will have to use Ethereal or some other packet analysis tool and
>> >examine the traffic to/from the server to see what's going on. In the
>> >meantime, I suggest performing the following...
>> >
>> >1) Download the following four items...
>> >
>> > McAfee Stinger
>> > http://vil.nai.com/vil/stinger/
>> >
>> > Trend Sysclean Package
>> > http://www.trendmicro.com/download/dcs.asp
>> >
>> > Latest Trend Pattern File.
>> > http://www.trendmicro.com/download/pattern.asp
>> >
>> > Adaware SE (free personal version v1.05)
>> > http://www.lavasoftusa.com/
>> >
>> >Create a directory.
>> >On drive "C:\"
>> >(e.g., "c:\New Folder")
>> >or the desktop
>> >(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>> >
>> >Download Sysclean.com and place it in that directory.
>> >Download the Trend Pattern File by obtaining the ZIP file.
>> >For example; lpt265.zip
>> >
>> >Extract the contents of the ZIP file and place the contents in the
>> >same directory as sysclean.com.
>> >
>> >2) Update Adaware with the latest definitions.
>> >3) If you are using WinME or WinXP, disable System Restore
>> >   http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>> >4) Reboot your PC into Safe Mode
>> >5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of
>> >   your platform and clean/delete any infectors/parasites found.
>> >   (a few cycles may be needed)
>> >6) Restart your PC and perform a "final" Full Scan of your platform
>> >   using the three utilities; Trend Sysclean, Stinger and Adaware
>> >7) If you are using WinME or WinXP, re-enable System Restore and
>> >   re-apply any System Restore preferences, (e.g. HD space to use
>> >   suggested 400 ~ 600MB),
>> >8) Reboot your PC.
>> >9) If you are using WinME or WinXP, create a new Restore point
>> >
>> >
>> >* * * Please report your results ! * * *
>> >
>> >Dave
>> >
>> >"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
>> >news:0ac601c4d49b$07adda30$a501280a@phx.gbl...
>> >| Recently some of our servers received so much traffic that
>> >| it caused the servers to go down. We have installed SP3
>> >| for SQL Server 2000, so I don't think it is related to
>> >| the W32/SQLSlammer.worm. We also installed Symantec
>> >| antivirus software in all our servers. Are there any other
>> >| viruses that would cause a lot of traffic to your machine?
>> >|
>> >| Thank you.
>> >
>
>
>.
>
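As an added example (not code from the thread or from any of its posters), a short Python check for the pattern Paul's listing shows: files that borrow a core Windows binary's name (services.exe) but sit outside that binary's home directory, or a path containing a directory named like an executable (OCXDLL.EXE). The expected-location table and the sample listing are constructed; the assumption is a Windows 2000 host where the genuine services.exe lives in %SystemRoot%\system32.

```python
"""Flag files that use a core Windows binary's name outside its home directory,
or whose path contains a directory named like a program. Added example."""
from pathlib import PureWindowsPath

# Where the genuine binaries live on Windows 2000 (%SystemRoot% = C:\WINNT).
# Assumption: a short hand-picked table; extend it from a known-good host.
EXPECTED_DIR = {
    "services.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

def classify(path, hidden=False):
    """Return the reasons a path looks suspicious; an empty list means clean."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    reasons = []
    expected = EXPECTED_DIR.get(name)
    if expected is not None and parent != expected:
        reasons.append(f"{name} expected in {expected}, found in {parent}")
    if expected is not None and hidden:
        reasons.append("core binary name with hidden attribute set")
    # A parent component ending in .exe/.dll (OCXDLL.EXE\DLL32NT.HLP in the
    # thread) means a directory is masquerading as a program.
    if any(part.lower().endswith((".exe", ".dll")) for part in p.parts[:-1]):
        reasons.append("directory named like an executable in path")
    return reasons

def scan(listing):
    """listing: iterable of (path, hidden) pairs; returns {path: reasons}."""
    findings = {}
    for path, hidden in listing:
        reasons = classify(path, hidden)
        if reasons:
            findings[path] = reasons
    return findings

# Constructed listing mirroring the thread's findings plus two benign entries.
SAMPLE_LISTING = [
    (r"C:\WINNT\system32\services.exe", False),
    (r"C:\WINNT\system32\config\services.exe", False),
    (r"C:\WINNT\system32\drivers\services.exe", True),
    (r"C:\WINNT\system32\OCXDLL.EXE\DLL32NT.HLP", False),
    (r"C:\WINNT\explorer.exe", False),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(reasons))
```

On a real host the listing would come from a directory walk with hidden attributes read from the file system; a hit is a starting point for inspection, not proof of infection.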


