I get numerous logon hits on my DCs. Some accounts are admins, some are just regular users who get locked out. None of the attempts succeed. I ran the exe on a clean, patched, up-to-date box while running Filemon and Regmon. The exe is wupdmngr.exe, which creates a process called faxze.exe. It tries to "set information" on the index.dat file in temporary internet settings\content.ie5\ and in \cookies\ in the logged-on user's profile (why it does that I have no idea); it also queries your internet history. I don't understand why it does that as well. What could it get from there? It also queries wininet.dll, imm32.dll, ws2help.dll and wsock32.dll in the systemroot and adds the usual entries to the "run" and "run services" reg keys in HKLM. It then tries to go out on port 54321. Some other variants, which Symantec calls W32.Spybot.Worm, go out on ports 445 or 6667.

The system I ran the exe on was a WinXP SP1, fully MS patched (System Restore disabled) and up to date via Symantec Corporate Edition 9.0. Still it got infected. I'm just looking for a clue as to how to stop this thing. I need a proactive solution, and staring at the output of Filemon or Regmon isn't getting me any closer. I need an intrusion prevention system, not an IDS. I can look at my firewall logs and see the machine this thing is coming from, but I can't spend all day cleaning these things up every other week. I thought perhaps via GPOs, making sure no one was in the local admin group of their client, and creating custom mobile groups via Symantec for continuous LiveUpdate would help. But if Symantec is not catching it, being up to date doesn't seem to help. Not all my boxes are XP, so my Win2k clients can't use the restricted software ADM. And I'm sure there are viruses clever enough to get local system access even if executed by a regular user. What solution do I have?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

I have Snort deployed in 28 offices, logging to an MS SQL server, and we view alerts using BASE. I have a lot of custom virus signatures and would be willing to share if you want them. It works well to quickly identify who is spreading the worms. As far as fully patched machines getting infected, check your passwords on those machines. One of the "features" of Randex is "Attempts to log on as an administrator to a random IP address that is protected by weak passwords. If successful, the worm will then copy itself to the remote computer and execute itself." Also, Symantec has a problem disassembling some of these viruses, and that can cause them to take longer to release defs. I keep a copy of Kaspersky just so I can get a second opinion when I find suspicious files.

Travis Abrams, MCSE, GCIH
Systems Engineer
Holland & Knight LLP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 10:42 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Has anyone had good experiences with Snort, and can you recommend it as an IDS and for intrusion prevention? I'm really getting hit hard with bots like W32.Spybot.Worm and W32.Randex.BTB. I get these worms even being fully patched, and my Symantec defs are up to date. I'm looking for something cheap (read: free) to help me stop these things or at least contain them. My managers are looking into Cisco's Self-Defending Network solution, but that's big $$ and might be a whole other management headache. I was looking at some combination of our current AV (Symantec Corporate 9.0), GPO and Snort as some sort of solution. These bots are really annoying because they seem to infect even patched and up-to-date systems, and then they go out on ports 445 or 54321 or 6666, and even though our firewall (WatchGuard) blocks these ports, enough of these infected systems can DoS my firewall or bring network traffic to a crawl.

Any recommendations? Thanks a lot

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
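The thread's symptom (a burst of failed logons and lockouts on the DCs, which Travis attributes to Randex guessing administrator passwords over the network) can be picked out of the DC's logon audit trail. The script below is an added example, not code from the thread or from any product named in it; the log format, host names and event ids it uses are constructed, and it flags a source host that fails against many accounts in a short window while leaving a single user mistyping one password alone.

```python
"""Flag hosts spraying failed logons at a DC (added example, not from the thread).
Worms like Randex guess admin passwords over the network; on the DC that shows up
as a burst of bad-password failures from one source against many accounts. This
scans constructed, simplified audit lines (not a real Windows export format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: time | event id | target account | source host
# 529 = logon failure (bad password), 644 = account locked out (Win2000/XP ids)
SAMPLE_LOG = """\
2004-12-01 10:40:01|529|jsmith|WS-FINANCE-07
2004-12-01 10:40:02|529|administrator|WS-FINANCE-07
2004-12-01 10:40:02|529|backup|WS-FINANCE-07
2004-12-01 10:40:03|529|tkern|WS-FINANCE-07
2004-12-01 10:40:03|529|helpdesk|WS-FINANCE-07
2004-12-01 10:40:04|529|administrator|WS-FINANCE-07
2004-12-01 10:40:05|644|jsmith|WS-FINANCE-07
2004-12-01 10:41:10|529|mlee|WS-HR-02
2004-12-01 10:41:15|529|mlee|WS-HR-02
2004-12-01 10:41:40|529|mlee|WS-HR-02
"""

def parse(text):
    """Turn log text into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, source = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account, source))
    return events

def find_spraying_sources(events, window=timedelta(minutes=5),
                          min_failures=5, min_accounts=3):
    """Return {source: (failures, distinct_accounts, locked_accounts)} for each
    source whose failures in one sliding window hit both thresholds. A single
    user mistyping one password stays below min_accounts and is not flagged."""
    by_source = defaultdict(list)
    for ev in events:
        if ev[1] in (529, 644):
            by_source[ev[3]].append(ev)
    flagged = {}
    for source, evs in by_source.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failures = [e for e in evs[start:end + 1] if e[1] == 529]
            accounts = {e[2] for e in failures}
            if len(failures) >= min_failures and len(accounts) >= min_accounts:
                locked = sorted({e[2] for e in evs[start:end + 1] if e[1] == 644})
                flagged[source] = (len(failures), len(accounts), locked)
    return flagged
```

The flagged source is the machine to isolate and clean, and the locked accounts tell you which users the guessing reached; tune the thresholds to the lockout policy on your domain.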