Archive for Virus
Malware/Virus delivered through fake e-mail from UPS
Posted by: | CommentsI have had several incidents this week of customer systems being infected by executables attached to e-mails appearing to be from UPS.
Looking around the blogs, these e-mails seem to be having a higher than normal infection rate. It is time consuming to get rid of and makes the infected machines unusable and creates a huge number of network connections.
The exact subject line of the email’s that have been received is:
UPS Tracking Number 5440074870
Attached to the e-mail is a zip file containing an executable which when executed installs "XP Security Center".
Much more information about the detail of the actual email can be found on the Trend Malware Blog. The worrying thing about this e-mail is that both of the machines that it infected have their e-mail filtered by very well known external 3rd party mail systems, then have virus scanning on their own Exchange servers and finally on their desktop machines. At the moment this e-mail is still slipping through the net.
This virus does a LOT of clever things to prevent you getting rid of it. I noticed that when trying to run Autoruns from Sysinternals that it just would not work. Renaming the autoruns executable allows it to run. It also stops you being able to install/download Windows Defender, disables system restore, removes the system tools program group amongst other things.
Not a very sophisticated solution but for now I have edited the Exchange IMF custom weighting file on customer systems to ensure that messages with "UPS Tracking" in the subject line are never delivered to the recipients and definitely classed as spam.
I had written a separate post on how to remove the virus manually, but at the moment I am still monitoring the infected machines to ensure they are completely clean.
Using packet capture to find virus infected clients
Posted by: | CommentsToday a customer started to get a lot of their e-mails bounced. In fact they could not even e-mail me to let me know about the problem as my own mail servers were rejecting their messages.
The reason for this was because their IP address had been listed on the CBL.
I had a poke around the server and everything seemed to be in good order; patched up to date, virus scanner had nothing interesting to report, netstat did not show any abnormal connections and Exchange queues seemed normal. So I assumed that the problem must be coming from one of the network PCs.
This customer has a dual nic SBS 2003 Standard edition server, not my preferred set-up, but the system had to be implemented in this way to fit in with existing infrastructure. It is not possible to see what traffic is passing through the NAT gateway on RRAS with the built in tools, but Microsoft Netmon 3.1 should be able to show up any strange network traffic. I installed it and ran the following filter:
Tcp.dstport == 25 and ipv4.Address != 192.168.200.1
192.168.200.1 is the IP address of the internet facing NIC on the SBS machine.
Within a couple of minutes this filter showed all the machines on the network sending SMTP based traffic except for the SBS server itself. Fortunately there was only one. I took remote control of the machine and from the command line ran:
netstat -ano |find ?��Ǩ?�:25?��Ǩ�?
The output of this command showed me the local processes which were attempting to communicate with other hosts on port 25 and gave me confirmation that this PC was definitely infected with some kind of mass mailing virus or worm. Killing the process listed by the netstat command stopped the mass mailer and gave some breathing space to find the cause of the problem.
Turns out the machine in question had its virus checker disabled. So I turned it back on and ran a full scan which turned up almost 6,000 files infected with W32/MyDoom.
Once the problem had been found it was easy to sort, but because I have so few customers with this set-up it had not occurred to me how little visibility you get over network traffic with the SBS 2003 standard edition tools.
The joys of travelling sales laptops 