Educause Security Discussion mailing list archives
Re: pesky malware
From: David Boyer <david () BVU EDU>
Date: Fri, 17 Apr 2009 10:29:54 -0500
Give Super AntiSpyware a shot. We had a nasty piece of malware on a few machines a couple weeks ago, and it's the only thing that even detected it, and we tried multiple commercial and free products.
>>> "Basgen, Brian" <bbasgen () PIMA EDU> 10:22 AM 4/17/2009 >>>

We frequently have malware on our machines. We are currently using CounterSpy Enterprise, in addition to McAfee.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Friday, April 17, 2009 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] pesky malware

We have found a number of machines infected with Trojans and other malware and are struggling with removal. It appears that each machine is infected with a generic downloader which grabs random malware, making each infection different. Most machines have been Windows XP, all Windows updates applied.

We are using McAfee VirusScan Enterprise, but at this point, McAfee is not effective at finding and cleaning the machines. So far McAfee has found the Generic!atr Trojan, Generic Downloader.x Trojan and the Sality.gen.c Virus. However, there is still something running on our machines that is not being detected. We know this by the existence of a registry entry in HKLM\Software\Microsoft\Windows\Current Version\Run. File name is always different but the key calls 'rundll32.exe' at 'c:\windows\randomname.dll'. Also, most infected clients are running 'services.exe' which is trying to connect to multiple hosts outbound on port 25 (which McAfee has blocked). Other than that, there is no unusual network activity coming from any of these machines.

Delete the file and registry key, reboot and it's back. System restore turned off. No other invalid services running. Used HijackThis to examine startup items. A copy of the dll has been submitted to WebImmune, but we have not heard back. We are unsure of the method of infection but it appears to be contained. Trouble is, we don't have a consistent way of cleaning it.

At this point, we are not trying to clean faculty and staff machines anymore but are just pulling the HDDs and giving them new hardware with a clean image. I am told the techs have had success on students' machines with combos of Malwarebytes, Avira AV, Spybot S&D and SuperAntiSpyware but have not seen those logs yet.

Anyone else finding this type of behavior? Advice?

Jacob Barros
Network Administrator
Grace College
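The two indicators Jacob describes (a Run value that starts rundll32.exe on a DLL dropped directly into c:\windows, and services.exe opening outbound TCP/25 connections) can be triaged across a fleet with a small script. The following is an added example, not code from the thread or any listed product; the registry and netstat dumps it parses are constructed samples shaped like the output of `reg query` and `netstat -ano`, and the PID-to-image map stands in for `tasklist` output.

```python
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
RUN_KEY_DUMP = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    McAfeeUpdaterUI    REG_SZ    "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    xkqwez             REG_SZ    rundll32.exe c:\windows\qwkzxe.dll,DllStart
    ctfmon             REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample of `netstat -ano` lines and a PID->image map (as from `tasklist`)
NETSTAT_DUMP = """
  TCP    10.1.2.3:1054    198.51.100.20:25    SYN_SENT       1234
  TCP    10.1.2.3:1055    198.51.100.21:25    SYN_SENT       1234
  TCP    10.1.2.3:1060    203.0.113.9:443     ESTABLISHED    2048
"""
PID_IMAGE = {1234: "services.exe", 2048: "iexplore.exe"}

RUN_VALUE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")
# rundll32 loading a DLL that sits directly in the Windows directory, not in system32
RUNDLL_IN_WINDIR = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\\s",]+\.dll)', re.I)
NET_LINE = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$", re.I)


def suspicious_run_entries(dump):
    """Return (value_name, dll_path) for Run values matching the reported pattern."""
    hits = []
    for line in dump.splitlines():
        m = RUN_VALUE.match(line)
        if not m:
            continue
        dll = RUNDLL_IN_WINDIR.search(m.group(2))
        if dll:
            hits.append((m.group(1), dll.group(1)))
    return hits


def smtp_connections_by_process(netstat, pid_image):
    """Map image name -> sorted remote hosts it is contacting on TCP/25."""
    out = {}
    for line in netstat.splitlines():
        m = NET_LINE.match(line)
        if m and m.group(2) == "25":
            image = pid_image.get(int(m.group(4)), "unknown")
            out.setdefault(image, set()).add(m.group(1))
    return {image: sorted(hosts) for image, hosts in out.items()}


if __name__ == "__main__":
    for name, dll in suspicious_run_entries(RUN_KEY_DUMP):
        print(f"Run value {name!r} starts rundll32 on {dll}")
    for image, hosts in smtp_connections_by_process(NETSTAT_DUMP, PID_IMAGE).items():
        print(f"{image} -> TCP/25 on {', '.join(hosts)}")
```

On a real host the two dumps would come from running the commands above and feeding their output to these functions; a hit in either one is a reason to image the machine rather than keep cleaning it.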