Educause Security Discussion mailing list archives
Re: sys32.pif & msdos-1.pif & msdos.pif
From: "Griffith, Randall S." <randy () OU EDU>
Date: Mon, 19 Sep 2005 16:40:54 -0500
Laurie Coles,

Past experience and LOTS of reading have led us at the University of Oklahoma to develop policy within the university to:

1) Remove the machine from the network.
2) Identify any files that need to be backed up. Actually, we found it easier in the long run to create an image of the HD and hold it for 14 days. People always forget one or two important files that were stored in an odd location.
3) Delete the partition (in some instances new partitions were created for the hacker) and of course recreate the partition.
4) Low level format.
5) Install the operating system.
6) Patch the operating system OFF LINE FROM A CD OR A CLOSED NETWORK.
7) Install and patch other necessary programs off line.
8) Restore the user's data to a backup folder on the PC. To restore to their original locations would require knowing their passwords for the creation of their profile, and we do not want our tech bench knowing or having everyone's passwords lying around on a bunch of paper.
9) QC - Quality Control - check the install to make certain all programs are installed and patched. Usually, one will have to place the system back online to do this to get the most current patches and AV definitions.
10) Delivery by a field technician who can assist the user in adjusting their domain profile once it is created to their preference.

As to your methodology of finding the "infected" machines: how are you finding them? Anti-Virus? Or is it another method, perhaps a SNORT signature or an IPS? Have you performed a port mapping of any "infected" machines to determine if they have any additional ports open? If they have additional ports open, are they consistent on other "infected" machines? If so, you can then scan your network (NMAP or some other scanner) for that port to quickly identify other "infected" machines.

I hope this is helpful. If you have additional questions, please feel free to contact me if I may be of assistance.

Regards and Good Luck,

Randy Griffith
randy () ou edu
http://security.ou.edu
http://cfl.ou.edu

P.S. Please excuse the security website as we are trying to develop some new content after losing our web person.

-----Original Message-----
From: Laurie Coles [mailto:lcoles () CBU EDU]
Sent: Monday, September 19, 2005 1:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] sys32.pif & msdos-1.pif & msdos.pif

We have been having continual problems with a worm. We started out with msdos.pif running in the processes and it was also in the registry. I was able to find a tool to remove this worm. I then patched the computer with the most updated patches from Microsoft. Then I started seeing msdos-1.pif, now I'm seeing sys32.pif. These PCs have previously had this worm removed and have been patched. Has anybody else been seeing this type of problem? I cannot find anything on the internet about the sys32.pif.

Thanks,
Laurie Coles

Laurie L. Coles
Director of Network Services
901-321-3480
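Randy's suggestion of port-mapping the known-infected machines and looking for ports that are consistently open on them, worked as an added example that is not code from this thread: it parses nmap "grepable" (-oG) output for a handful of infected hosts and one clean reference host, and reports the ports every infected host listens on that the clean host does not. Host addresses, ports and scan lines below are constructed sample data, not real results.

```python
"""Find ports consistently open on known-infected hosts but absent from a clean
baseline, using nmap -oG style output. All hosts and ports here are constructed."""
import re
from collections import Counter

# Constructed nmap -oG lines for three machines already confirmed infected.
INFECTED_SCAN = """
Host: 10.0.5.21 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 10101/open/tcp/////
Host: 10.0.5.37 ()  Ports: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 10101/open/tcp/////, 20202/open/tcp/////
Host: 10.0.7.102 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 10101/open/tcp/////, 20202/open/tcp/////
"""
# Constructed scan of a freshly rebuilt, known-clean machine of the same build.
CLEAN_BASELINE = """
Host: 10.0.9.5 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
"""

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def open_ports_by_host(grepable):
    """Map each host in -oG output to its set of open (port, protocol) pairs."""
    hosts = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        ports = {(int(p), proto) for p, proto in PORT_RE.findall(line)}
        hosts.setdefault(addr, set()).update(ports)
    return hosts


def suspicious_ports(infected, baseline, min_hosts=None):
    """Ports open on at least min_hosts infected machines (default: all of them)
    and on no baseline machine. These are the candidates worth sweeping for."""
    bad = open_ports_by_host(infected)
    good = open_ports_by_host(baseline)
    need = min_hosts or len(bad)
    counts = Counter(p for ports in bad.values() for p in ports)
    normal = set().union(*good.values()) if good else set()
    return sorted(p for p, n in counts.items() if n >= need and p not in normal)


if __name__ == "__main__":
    for port, proto in suspicious_ports(INFECTED_SCAN, CLEAN_BASELINE):
        print(f"{port}/{proto}: open on every infected host, absent from baseline")
```

Lowering min_hosts (for example to 2) surfaces ports that only some infected machines share, which is useful when the worm opens its listener on a varying port.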