Re: network request not supported - source virus??



Vera Noest,

I wanted to thank you for your reply.

I am a little concerned with one part of your suggestion and feel it's a
damned-if-you-do, damned-if-you-don't solution. Not a good feeling for a
production environment at all.

If a server is working perfectly in a production environment, would you
update the software if there were no problems? Of course NOT, and especially
NOT in a production environment without testing first. Why create possible
problems on a system that is working? Therefore, why should I apply Windows
Updates blindly, or even have to, on a server that is working perfectly? If
I don't, I may get a virus, and if I do, my software may stop working
because of some little conflict that the update caused, something that may
not show up right away even if I was able to test. I'm sure that's why most
people don't update their Windows. I've seen it happen where a Windows
update stopped a production server because some part of the software didn't
like the update and started generating problems. Of course the vendor had no
long-term solution and suggested, for the short term, rolling back the
Windows update. With some apps, sometimes it's best to leave a server as is.

Also, if one had many Windows servers running and tested every Windows
update before applying it to a live server, that would give that person a
full-time job for life, since Microsoft seems to release patches at an
average of two per month....

Anyway, just wanted to post my two cents worth.

Thanks again.


"Vera Noest [MVP]" wrote:

> OK, good that you investigated how the infection started.
>
> Trend Micro has this information about the virus:
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.BJF
>
> Aliases: Malware.b, W32.Spybot.Worm, Win32.Rbot.gen*2
> This worm arrives through network shares. Upon execution, it drops a
> copy of itself in the Windows system folder. It modifies the registry
> to ensure its automatic execution at every Windows start...
>
> It turns out that the virus is new, but it exploits old, known
> vulnerabilities. Each of them has been covered in a Microsoft
> critical security update.
>
> There's really not one single measure which prevents problems like
> this, it's more a continuous effort in several fields.
>
> I've noticed that the four or five similar reports all mentioned that
> they hadn't applied Windows critical security updates. That's
> definitely something to see to, and it would have prevented the
> problem.
>
> Another line of defence is to work with minimal user rights.
> I do all of my normal work under a normal user account, and have made
> sure that normal users cannot modify crucial registry keys like the
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> and related registry keys.
>
> If I need to do something that requires Administrator permissions, I
> am very careful to *only* do what I need to do, and never start
> Internet Explorer, read email, or run similar programs. Once you
> start surfing from a server with Administrative rights, you can
> unknowingly infect your server with this kind of malicious program.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> ___ please respond in newsgroup, NOT by private email ___
>
> "same problem"
> <sameproblem@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 06 jun 2005 in
> microsoft.public.win2000.termserv.apps:
>
> > Vera Noest,
> >
> > You're right...crossing my fingers is not an adequate response
> > for a production environment. The crossing my fingers part was
> > that I removed the current virus successfully since Norton and
> > McAfee could not detect it.
> >
> > After looking at the file on each server I noticed it attacked
> > my one web server on 6/1/05 at 8:16pm EST and then spread from
> > there. I'm the only one with access so I'm trying to figure out
> > how the virus was able to attack since I wasn't accessing the
> > server that day. I only have 4 ports open so I thought I was
> > okay...guess not.
> >
> > Do you have any suggestion on how to protect myself from future
> > attacks?
> >
> > Thanks
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> FWIW:
> >> "Crossing your fingers" doesn't seem an adequate response in a
> >> situation where it's perfectly possible that you still have an
> >> open backdoor in a production environment.
> >>
> >> The McAfee forum shows that the virus is detected by 9 of the
> >> listed antivirus engines and was missed by 10 of them.
> >> Unfortunately for you, McAfee missed it.
> >>
> >> Have you at all investigated where the infection started? How
> >> about your workstations? Why do you believe that you are *not*
> >> going to be re-infected?
> >>
> >> And since this infection usually spreads using KaZaA file
> >> sharing and mIRC: either your Administrator is playing around
> >> with an Administrative account on your production servers, or
> >> your users are file sharing and chatting during work hours AND
> >> they have way too high permissions, since the original
> >> infection was able to modify the registry in places where no
> >> normal user should go!
> >>
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> "same problem"
> >> <sameproblem@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 05 jun 2005 in
> >> microsoft.public.win2000.termserv.apps:
> >>
> >> > I posted this problem also on Mcafee and it does seem like a
> >> > new virus
> >> > http://forums.mcafeehelp.com/viewtopic.php?p=240094#240094
> >> > I've also updated all critical win 2000 server updates and at
> >> > least for the past 12 hours the server has been running like
> >> > normal. I'm crossing my fingers.
> >> >
> >> > Thanks for your help.
> >> >
> >> > "Patrick Rouse" wrote:
> >> >
> >> >> These are some that I like:
> >> >>
> >> >> http://housecall.trendmicro.com
> >> >> http://www.spywareinfo.com/xscan.php
> >> >> Spybot Search & Destroy
> >> >>
> >> >> --
> >> >> Patrick Rouse
> >> >> Microsoft MVP - Terminal Server
> >> >> http://www.workthin.com
> >> >>
> >> >>
> >> >> "Vera Noest [MVP]" wrote:
> >> >>
> >> >> > Sounds like one of those SpyBot backdoors to me.
> >> >> > It probably loads in
> >> >> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> >> >> > and related registry keys, which explains why you
> >> >> > can log in for a minute or 2 after rebooting. Once the
> >> >> > service is started, you're locked out again.
> >> >> >
> >> >> > Why don't you run another anti-virus program or an online
> >> >> > virus check?
> >> >> >
> >> >> > _________________________________________________________
> >> >> > Vera Noest
> >> >> > MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> > http://hem.fyristorg.com/vera/IT
> >> >> > ___ please respond in newsgroup, NOT by private email ___
> >> >> >
> >> >> > "same problem"
> >> >> > <sameproblem@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 04 jun
> >> >> > 2005 in microsoft.public.win2000.termserv.apps:
> >> >> >
> >> >> > > On 6/2/05 all of my licensed Windows 2000 Servers w/SP4
> >> >> > > would not allow anyone to login via remote or at the
> >> >> > > console. They have been running for 5+ months without
> >> >> > > change. If I were to reset the server I could login
> >> >> > > within approx 2 minutes but after that I would be locked
> >> >> > > out. This and a few other forums have others with the
> >> >> > > same problem starting on 6/2/05. Therefore, I felt/feel
> >> >> > > this is either a Microsoft bug or a virus.
> >> >> > >
> >> >> > > In review of my system32 folder I found a file that
> >> >> > > looked like it did not belong 'msupdtm.exe' since a
> >> >> > > clean install I have of windows 2000 server w/sp4 did
> >> >> > > not have the file. However, I ran Managed McAfee and no
> >> >> > > viruses were found. Has anyone found a solution to the
> >> >> > > BIG PROBLEM yet??
> >> >> > >
> >> >> > > HELP!!!
>
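The two defensive checks Vera describes in the quoted replies, patch status aside, are: look at what loads from the Run-family registry keys (the worm's persistence point, and where the unexpected msupdtm.exe would show up), and make sure normal users cannot write to those keys. The script below is an added example and is not part of the thread or any poster's own tooling. It walks the HKLM and HKCU Run, RunOnce and the Windows 2000-era RunServices keys, resolves each autostart command to its executable, reports whether the file exists and whether it carries a valid Authenticode signature, and then reads the key's ACL and warns about any Allow entry that gives a low-privileged group write access. It assumes a current Windows host with PowerShell 5.1 or later (PowerShell did not exist on Windows 2000) and the English names of the built-in groups; both are assumptions, not facts from the page.

```powershell
# Added example, not from the newsgroup thread. Audits the autostart keys
# that Rbot/Spybot-style worms use for persistence. Assumes a current
# Windows host with PowerShell 5.1+ and English built-in group names.
# Run elevated: HKLM is readable by anyone, but HKCU shows the hive of
# whoever runs the script.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',      # Win2000-era
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # Win2000-era
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Principals every normal (non-admin) interactive user belongs to.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a principal plant or change an autostart value.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-AutostartEntry {
    # One object per autostart value: name, command line, resolved executable,
    # whether the file exists, and its Authenticode signature status.
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not a value
        $cmd = [string]$p.Value
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        # "C:\dir with spaces\x.exe" /arg -> C:\dir with spaces\x.exe
        # C:\dir\x.exe /arg               -> C:\dir\x.exe
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
            # Bare names such as rundll32.exe resolve through PATH.
            $resolved = Get-Command -Name $exe -ErrorAction SilentlyContinue
            if ($resolved) { $exe = $resolved.Source }
        }
        $exists = [bool](Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'MISSING' }
        [pscustomobject]@{
            Key = $Key; Name = $p.Name; Command = $cmd
            Executable = $exe; Exists = $exists; Signature = $status
        }
    }
}

function Get-WeakAutostartAce {
    # The Allow ACEs on $Key that grant write rights to a low-privileged principal.
    param([string]$Key)
    $acl = Get-Acl -Path $Key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.RegistryRights -band $WriteRights) -ne 0) { $ace }
    }
}

foreach ($key in $AutostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    Write-Host "`n== $key"

    foreach ($e in Get-AutostartEntry -Key $key) {
        # Anything unsigned or missing, or an unfamiliar name living in the
        # system folder (the thread's msupdtm.exe), deserves a second look.
        $flag = if ($e.Signature -ne 'Valid') { '  <-- review' } else { '' }
        Write-Host ("  {0,-24} {1}  [{2}]{3}" -f $e.Name, $e.Command, $e.Signature, $flag)
    }

    foreach ($ace in Get-WeakAutostartAce -Key $key) {
        Write-Warning ("{0} has {1} on {2}; a non-admin can add an autostart entry here" -f
            $ace.IdentityReference.Value, $ace.RegistryRights, $key)
    }
}
```

On a default installation the HKLM Run keys give Users read access only, so a warning from the ACL pass means someone loosened the permissions; tightening them back is a Set-Acl on the same key, done after breaking inheritance if the offending entry is inherited. An entry flagged "review" is not proof of infection (plenty of legitimate third-party software ships unsigned), but an unsigned binary with a Windows-sounding name that a clean install does not have is exactly the pattern the original poster found by hand. None of this replaces the critical updates: the worm in the thread got in through unpatched vulnerabilities with enough privilege to write these keys regardless of the ACL, so the script is a detection and defence-in-depth check, not a substitute for patching.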


