Educause Security Discussion mailing list archives

Re: sys32.pif & msdos-1.pif & msdos.pif


From: "Griffith, Randall S." <randy () OU EDU>
Date: Mon, 19 Sep 2005 16:40:54 -0500

Laurie Coles,

Past experience and LOTS of reading have led us at the University of
Oklahoma to develop policy within the university to:
1)  Remove the machine from the network.
2)  Identify any files that need to be backed up.  Actually, we found it
easier in the long run to create an image of the HD and hold it for 14
days.  People always forget one or two important files that were stored
in an odd location.
3)  Delete the partition (in some instances new partitions were created
for the hacker) and of course recreate the partition.
4)  Low level format.
5)  Install the operating system.
6)  Patch the operating system OFF LINE FROM A CD OR A CLOSED NETWORK.
7)  Install and patch other necessary programs off line.
8)  Restore the user's data to a backup folder on the PC.  To restore to
their original locations would require knowing their passwords for the
creation of their profile and we do not want our tech bench knowing or
having everyone's passwords lying around on a bunch of paper.
9)  QC - Quality Control - check the install to make certain all
programs are installed and patched.  Usually, one will have to place the
system back online to do this as to the most current patches and AV
definitions.
10) Delivery by a field technician who can assist the user in adjusting
their domain profile once it is created to their preference.

As to your methodology for finding the "infected" machines: how are you
finding them?  Anti-virus?  Or is it another method, perhaps a SNORT
signature or an IPS?  Have you performed a port mapping of any
"infected" machines to determine if they have any additional ports open?
If they have additional ports open are they consistent on other
"infected" machines?  If so, you can then scan your network (NMAP or
some other scanner) for that port to quickly identify other "infected"
machines.

I hope this is helpful.  If you have additional questions, please feel
free to contact me if I may be of assistance.

Regards and Good Luck,

Randy Griffith
randy () ou edu

http://security.ou.edu
http://cfl.ou.edu

P.S. Please excuse the security website as we are trying to develop some
new content after losing our web person.
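Griffith's suggestion of finding the extra ports that known-infected machines have in common and then checking the rest of the network for them, worked through as an added example (not code from this thread): it parses constructed nmap -oG output, subtracts a clean-host baseline so normal Windows ports such as 135/445 are not mistaken for the fingerprint, and lists the unclassified hosts that match. The host addresses and the extra port 4444 are made up for illustration.

```python
import re

# Constructed nmap -oG (grepable) sample lines; the hosts, their ports and
# the hypothetical extra port 4444 are made up for illustration.
SAMPLE_SCAN = "\n".join([
    "# Nmap scan (constructed sample, not a real scan)",
    "Host: 10.1.1.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///\tIgnored State: closed (996)",
    "Host: 10.1.1.11 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, "
    "4444/open/tcp//krb524///\tIgnored State: closed (997)",
    "Host: 10.1.1.20 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (997)",
    "Host: 10.1.1.30 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, "
    "4444/open/tcp//krb524///\tIgnored State: closed (997)",
    "Host: 10.1.1.31 ()\tStatus: Up",  # host is up but no port data on this line
])

OPEN_TCP = re.compile(r"(\d+)/open/tcp")

def parse_grepable(text):
    """Map each scanned host to its set of open TCP ports (-oG 'Ports:' lines)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status: Up' lines carry no port data
        ip = line.split()[1]
        hosts[ip] = {int(p) for p in OPEN_TCP.findall(line)}
    return hosts

def fingerprint(hosts, infected, clean):
    """Ports open on every known-infected host but on no known-clean host.
    Without a clean baseline, ordinary Windows ports would be flagged too."""
    if not infected:
        return set()
    common = set.intersection(*(hosts[h] for h in infected))
    baseline = set().union(*(hosts[h] for h in clean))
    return common - baseline

def suspects(hosts, ports, known):
    """Unclassified hosts showing every fingerprint port; empty if no fingerprint."""
    if not ports:
        return []
    return sorted(h for h, open_ports in hosts.items()
                  if h not in known and ports <= open_ports)

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    fp = fingerprint(scan, ["10.1.1.10", "10.1.1.11"], ["10.1.1.20"])
    print("fingerprint ports:", sorted(fp))
    print("hosts to check:", suspects(scan, fp, {"10.1.1.10", "10.1.1.11", "10.1.1.20"}))
```

Hosts that are flagged only share the port pattern; each still needs to be confirmed by hand, since an unrelated service on the same port would match too.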

-----Original Message-----
From: Laurie Coles [mailto:lcoles () CBU EDU] 
Sent: Monday, September 19, 2005 1:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] sys32.pif & msdos-1.pif & msdos.pif

We have been having continual problems with a worm. We started out with
msdos.pif running in the processes and it was also in the registry. I
was able to find a tool to remove this worm. I then patched the computer
with the most updated patches from Microsoft. Then I started seeing
msdos-1.pif, now I'm seeing sys32.pif. These PCs have previously had
this worm removed and have been patched. Has anybody else been seeing
this type of problem? I cannot find anything on the internet about the
sys32.pif. Thanks, Laurie Coles

Laurie L. Coles
Director of Network Services
901-321-3480
