Educause Security Discussion mailing list archives

Re: pesky malware


From: "McCrary, Barbara" <bmccrary () OGSLP ORG>
Date: Fri, 17 Apr 2009 10:27:21 -0500

We are using the combination you mentioned which includes Malwarebytes
but we are also using sysinternals rootkit revealer. 


Note:  This communication and attachments, if any, are intended solely
for the use of the addressee hereof.  In addition, this information and
attachments, if any, may contain information that is confidential,
privileged and exempt from disclosure under applicable law.  If you are
not the intended recipient of this information, you are prohibited from
reading, disclosing, reproducing, distributing, disseminating, or
otherwise using this information.  If you have received this message in
error, please promptly notify the sender and immediately delete this
communication from your system.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Friday, April 17, 2009 10:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] pesky malware

We frequently have malware on our machines. We are currently using
CounterSpy Enterprise, in addition to McAfee.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Friday, April 17, 2009 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] pesky malware

We have found a number of machines infected with Trojans and other
malware and are struggling with removal.  It appears that each machine
is infected with a generic downloader which grabs random malware making
each infection different.  Most machines have been Windows XP, all
Windows updates applied.  We are using McAfee VirusScan Enterprise, but
at this point, McAfee is not effective at finding and cleaning the
machines.

So far McAfee has found the Generic!atr Trojan, Generic Downloader.x
Trojan and the Sality.gen.c Virus.  However, there is still something
running on our machines that is not being detected.  We know this by the
existence of a registry entry in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.  File name is always
different but the key calls
'rundll32.exe' at 'c:\windows\randomname.dll'.  Also, most infected
clients are running 'services.exe' which is trying to connect to
multiple hosts outbound on port 25 (which McAfee has blocked).  Other
than that, there is no unusual network activity coming from any of these
machines.  Delete the file and registry key, reboot and it's back.
System restore turned off.  No other invalid services running. Used
HijackThis to examine startup items.

A copy of the dll has been submitted to WebImmune, but we have not heard
back.  We are unsure of the method of infection but it appears to be
contained.  Trouble is, we don't have a consistent way of cleaning it.
At this point, we are not trying to clean faculty and staff machines
anymore but are just pulling the HDDs and giving them new hardware with
a clean image.  I am told the techs have had success on students'
machines with combos of Malwarebytes, Avira AV, Spybot SD and
SuperAntiSpyware but have not seen those logs yet.

Anyone else finding this type of behavior?  Advice?

Jacob Barros
Network Administrator
Grace College
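An added triage script (not posted by anyone in this thread) that checks a host for the two indicators Jacob describes: a Run value launching rundll32.exe with a DLL dropped directly in C:\Windows, and a services.exe process that is either not the System32 instance or has an outbound TCP connection to port 25. It assumes an administrator PowerShell session on the machine being examined; the key paths, regex and netstat parsing are my own and not taken from the thread.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session.
# Indicator 1: Run values invoking rundll32.exe with a DLL sitting in the Windows root.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$p.Value
        # rundll32[.exe] followed by <drive>:\windows\<name>.dll (no subdirectory)
        if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([a-z]:\\windows\\[^\\"\s]+\.dll)') {
            "SUSPECT run value: $key\$($p.Name) => $cmd"
        }
    }
}

# Indicator 2a: any services.exe that is not the single legitimate System32 copy.
$realPath = Join-Path $env:SystemRoot 'System32\services.exe'
Get-Process -Name services -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path   # may be $null for a protected system process; that is fine
    if ($path -and ($path -ne $realPath)) {
        "SUSPECT services.exe PID $($_.Id) running from $path"
    }
}

# Indicator 2b: any process with a TCP connection whose remote port is 25.
# netstat -ano exists on XP and later; TCP rows are: Proto Local Foreign State PID.
netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[2] -match ':25$') {
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        "SUSPECT port-25 connection: $($f[2]) state=$($f[3]) pid=$($f[4]) ($($proc.ProcessName))"
    }
}
```

Run it before and after cleanup; if the first check fires again after a reboot, the Run value is being re-created by something still resident, which matches the behaviour described above.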
