Educause Security Discussion mailing list archives

Re: pesky malware


From: "Holland II, Richard H" <rick.holland () UTDALLAS EDU>
Date: Fri, 17 Apr 2009 10:32:09 -0500

For those using VirusScan, are you using VirusScan 8.5 or 8.7, and do
you see better detections/remediation from 8.7?  Also are you using the
default spyware protection that comes out of the box with VirusScan or
are you using the McAfee AntiSpyware Enterprise Module?  I am curious
how much more effective the AntiSpyware module is.

-- 
Rick Holland
rick {dot} holland {at} utdallas {dot} edu
Senior Information Security Analyst
The University of Texas at Dallas

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Friday, April 17, 2009 10:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: pesky malware

We frequently have malware on our machines. We are currently using
CounterSpy Enterprise, in addition to McAfee.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Friday, April 17, 2009 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] pesky malware

We have found a number of machines infected with Trojans and other
malware and are struggling with removal.  It appears that each machine
is infected with a generic downloader which grabs random malware making
each infection different.  Most machines have been Windows XP, all
Windows updates applied.  We are using McAfee VirusScan Enterprise, but
at this point, McAfee is not effective at finding and cleaning the
machines.

So far McAfee has found the Generic!atr Trojan, Generic Downloader.x
Trojan and the Sality.gen.c Virus.  However, there is still something
running on our machines that is not being detected.  We know this by the
existence of a registry entry in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.  File name is always
different but the key calls 'rundll32.exe' at
'c:\windows\randomname.dll'.  Also, most infected
clients are running 'services.exe' which is trying to connect to
multiple hosts outbound on port 25 (which McAfee has blocked).  Other
than that, there is no unusual network activity coming from any of these
machines.  Delete the file and registry key, reboot and it's back.
System restore turned off.  No other invalid services running. Used
HijackThis to examine startup items.

A copy of the dll has been submitted to WebImmune, but we have not heard
back.  We are unsure of the method of infection but it appears to be
contained.  Trouble is, we don't have a consistent way of cleaning it.
At this point, we are not trying to clean faculty and staff machines
anymore but are just pulling the HDDs and giving them new hardware with
a clean image.  I am told the techs have had success on students'
machines with combos of Malwarebytes, Avira AV, Spybot SD and
SuperAntiSpyware but have not seen those logs yet.

Anyone else finding this type of behavior?  Advice?

Jacob Barros
Network Administrator
Grace College
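The persistence indicator Jacob describes (a Run-key value that calls rundll32.exe on a randomly named DLL dropped directly into c:\windows) can be turned into a quick triage check. The script below is an added example, not code from the thread or from any of the products named in it: it parses the text that `reg query` prints for a Run key and flags rundll32 targets that live in the Windows root or in a temp/profile directory (the second case goes beyond the thread's own indicator). The registry entries, value names and paths in SAMPLE_REG_QUERY are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKLM\...\Run` output. The McAfee and NVIDIA
# entries stand in for ordinary autoruns; "kxwqzt" mimics the entry described in
# the thread and "upd" a DLL loaded from a profile temp directory. All made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    McAfeeUpdaterUI    REG_SZ    "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    ShStatEXE    REG_SZ    "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    kxwqzt    REG_SZ    rundll32.exe c:\windows\kxwqzt.dll,DllRegisterServer
    upd    REG_SZ    rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\a.dll",Run
"""

# `reg query` separates value name, type and data with runs of four spaces.
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{4,}(?P<type>REG_\w+)\s{4,}(?P<data>.*)$")
# rundll32 (optionally with a path, optionally quoted), then the DLL argument
# (quoted, or unquoted up to the comma that precedes the export name).
RUNDLL_RE = re.compile(r'^\s*(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,\s]+))', re.I)

# A legitimate rundll32 autorun almost never loads its DLL from these places.
SUSPICIOUS_DIRS = {"c:\\windows", "c:\\winnt"}
SUSPICIOUS_FRAGMENTS = ("\\temp\\", "\\documents and settings\\", "\\users\\")


def parse_reg_query(text):
    """Yield (value name, value data) for each value line of reg query output."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("name"), m.group("data")


def rundll32_target(data):
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(data)
    return (m.group(1) or m.group(2)) if m else None


def is_suspicious(dll_path):
    """True when the DLL sits directly in the Windows root or under a temp/profile path."""
    p = PureWindowsPath(dll_path)
    return str(p.parent).lower() in SUSPICIOUS_DIRS or any(
        frag in str(p).lower() for frag in SUSPICIOUS_FRAGMENTS)


def flag_run_entries(text):
    """Names of Run-key values that call rundll32 on a suspiciously placed DLL."""
    return [name for name, data in parse_reg_query(text)
            if (dll := rundll32_target(data)) and is_suspicious(dll)]


if __name__ == "__main__":
    print(flag_run_entries(SAMPLE_REG_QUERY))
```

On a live host, feed it the output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent); a flagged name plus the DLL path is what to preserve before deleting anything, since the thread notes the entry is recreated after reboot and the file is worth submitting for analysis.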
