Re: network request not supported - source virus??


Vera Noest,

You're right...crossing my fingers is not an adequate response for a
production environment. The crossing my fingers part was that I removed the
current virus successfully since Norton and McAfee could not detect it.

After looking at the file on each server I noticed it attached my one web
server on 6/1/05 at 8:16pm EST and then spread from there. I'm the only one
with access so I'm trying to figure out how the virus was able to attach
since I wasn't accessing the server that day. I only have 4 ports open so I
thought I was okay...guess not.

Do you have any suggestion on how to protect myself from future attacks?

Thanks

"Vera Noest [MVP]" wrote:

> FWIW:
> "Crossing your fingers" doesn't seem an adequate response in a
> situation where it's perfectly possible that you still have an open
> backdoor in a production environment.
>
> The McAfee forum shows that the virus is detected by 9 of the
> listed antivirus engines and was missed by 10 of them.
> Unfortunately for you, McAfee missed it.
>
> Have you at all investigated where the infection started? How about
> your workstations? Why do you believe that you are *not* going to
> be re-infected?
>
> And since this infection usually spreads using KaZaA file sharing
> and mIRC: either your Administrator is playing around with an
> Administrative account on your production servers, or your users
> are file sharing and chatting during work hours AND they have way
> too high permissions, since the original infection was able to
> modify the registry in places where no normal user should go!
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> ___ please respond in newsgroup, NOT by private email ___
>
> same problem
> <sameproblem@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 05 jun 2005 in
> microsoft.public.win2000.termserv.apps:
>
> > I posted this problem also on Mcafee and it does seem like a new
> > virus http://forums.mcafeehelp.com/viewtopic.php?p=240094#240094
> > I've also updated all critical win 2000 server updates and at
> > least for the past 12 hours the server has been running like
> > normal. I'm crossing my fingers.
> >
> > Thanks for your help.
> >
> > "Patrick Rouse" wrote:
> >
> >> These are some that I like:
> >>
> >> http://housecall.trendmicro.com
> >> http://www.spywareinfo.com/xscan.php
> >> Spybot Search & Destroy
> >>
> >> --
> >> Patrick Rouse
> >> Microsoft MVP - Terminal Server
> >> http://www.workthin.com
> >>
> >>
> >> "Vera Noest [MVP]" wrote:
> >>
> >> > Sounds like one of those SpyBot backdoors to me.
> >> > It probably loads in
> >> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
> >> > Run] and related registry keys, which explains why you can
> >> > log in for a minute or 2 after rebooting. Once the service is
> >> > started, you're locked out again.
> >> >
> >> > Why don't you run another anti-virus program or an online
> >> > virus check?
> >> >
> >> > _________________________________________________________
> >> > Vera Noest
> >> > MCSE, CCEA, Microsoft MVP - Terminal Server
> >> > http://hem.fyristorg.com/vera/IT
> >> > ___ please respond in newsgroup, NOT by private email ___
> >> >
> >> > same problem
> >> > <sameproblem@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 04 jun 2005
> >> > in microsoft.public.win2000.termserv.apps:
> >> >
> >> > > On 6/2/05 all of my licensed Windows 2000 Servers w/SP4
> >> > > would not allow anyone to login via remote or at the
> >> > > console. They have been running for 5+ months without
> >> > > change. If I were to reset the server I could login within
> >> > > approx 2 minutes but after that I would be locked out. This
> >> > > and a few other forums have others with the same problem
> >> > > starting on 6/2/05. Therefore, I felt/feel this is either a
> >> > > Microsoft bug or a virus.
> >> > >
> >> > > In review of my system32 folder I found a file that looked
> >> > > like it did not belong 'msupdtm.exe' since a clean install
> >> > > I have of windows 2000 server w/sp4 did not have the file.
> >> > > However, I ran Managed McAfee and no viruses were found.
> >> > > Has anyone found a solution to the BIG PROBLEM yet??
> >> > >
> >> > > HELP!!!
>
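
Added example, not part of the original thread: the clean-install comparison described above, applied to the Run keys Vera mentions. It parses two regedit text exports and flags autorun values that are missing from the baseline or whose executable is not in the clean file listing. The sample exports, the value name "Microsoft Update" and the file listing are constructed; only the key path and the file name msupdtm.exe come from the thread.

```python
import re
from ntpath import basename

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
IMAGE_RE = re.compile(r'\s*"?([^"]+?\.(?:exe|com|bat|cmd|scr|pif))\b', re.I)

# Constructed sample exports; the value name "Microsoft Update" is hypothetical.
BASELINE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"internat.exe"="internat.exe"
'''
CURRENT = BASELINE + r'''"Microsoft Update"="C:\\WINNT\\system32\\msupdtm.exe"
'''
CLEAN_FILES = ["mobsync.exe", "internat.exe"]  # constructed clean-install listing

def parse_reg_export(text):
    """Parse regedit export text into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # undo .reg escaping (\\ and \") in name and data
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                current[name] = data
    return keys

def image_name(command):
    """Lower-cased file name of the program an autorun command line starts."""
    m = IMAGE_RE.match(command)
    path = m.group(1) if m else (command.split() or [""])[0]
    return basename(path).lower()

def unexpected_autoruns(current_reg, baseline_reg, clean_files):
    """Autoruns under Run, RunOnce, RunServices... that the clean baseline does not explain."""
    base = parse_reg_export(baseline_reg)
    clean = {f.lower() for f in clean_files}
    findings = []
    for key, values in parse_reg_export(current_reg).items():
        if key.upper().startswith(RUN_KEY.upper()):
            for name, data in values.items():
                if base.get(key, {}).get(name) != data or image_name(data) not in clean:
                    findings.append((key, name, data))
    return findings
```

Running `unexpected_autoruns` on a schedule against a stored baseline answers the re-infection question in the thread without depending on an antivirus signature.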