1) I get numerous logon hits on my DCs. Some accounts are Admins, some are just regular users who get locked out. None of the attempts succeed.

Check the Event Logs on the clients that got infected. If it is trying to get into the systems using passwords it is going after the local Administrator account, and this won't show up on your DC.

2) The system I ran the exe on was a WinXP SP1, fully MS patched (system restore disabled) and up to date via Symantec Corporate Edition 9.0. Still it got infected.

Unless this was run by someone with only User level rights this makes perfect sense; think about it. The virus uses exploits to get to the system and then executes itself. If you copy it to the system and then run it, it doesn't matter if it is patched, you ran it.

Have you uploaded the file to Symantec and have you downloaded the Rapid Release definitions? How strong are the passwords on your desktops? Rename the local administrator account on the desktops; this should prevent it from getting to the machines in this manner.

https://submit.symantec.com/platinum/

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

I get numerous logon hits on my DCs. Some accounts are Admins, some are just regular users who get locked out. None of the attempts succeed.

I ran the exe on a clean, patched, up-to-date box while running filemon and regmon. The exe is wupdmngr.exe, which creates a process called faxze.exe. It tries to "set information" on the index.dat file in temporary internet settings\content.ie5\ and in \cookies\ in the logged-on user's profile (why it does that I have no idea). It also queries your internet history. I don't understand why it does that as well. What could it get from there? It also queries wininet.dll, imm32.dll, ws2help.dll and wsock32.dll in the systemroot and adds the usual entries to the "run" and "run services" reg keys in HKLM. It then tries to go out on port 54321. Some other variants, which Symantec calls w32.spybot.worm, go out on ports 445 or 6667.

The system I ran the exe on was a WinXP SP1, fully MS patched (system restore disabled) and up to date via Symantec Corporate Edition 9.0. Still it got infected.

I'm just looking for a clue as to how to stop this thing. I need a proactive solution, and staring at the output of filemon or regmon isn't getting me any closer. I need an intrusion prevention system, not an IDS. I can look at my firewall logs and see the machine this thing is coming from, but I can't spend all day cleaning these things up every other week.

I thought perhaps via GPOs, making sure no one was in the local admin group of their client, and creating custom mobile groups via Symantec for continuous LiveUpdate would help. But if Symantec is not catching it, being up to date doesn't seem to help. All my boxes are not XP, so my Win2k clients can't use the restricted software adm. And I'm sure there are viruses clever enough to get local system access even if executed by a regular user. What solution do I have?

thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

I have Snort deployed in 28 offices, logging to a MS SQL server, and we view alerts using BASE. I have a lot of custom virus signatures and would be willing to share if you want them. It works well to quickly identify who is spreading the worms.

As far as fully patched machines getting infected, check your passwords on those machines. One of the "features" of Randex is "Attempts to log on as an administrator to a random IP address that is protected by weak passwords. If successful, the worm will then copy itself to the remote computer and execute itself."

Also Symantec has a problem disassembling some of these viruses and that can cause them to take longer to release defs. I keep a copy of Kaspersky just so I can get a second opinion when I find suspicious files.

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
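The advice in the thread is to look at the infected client's own Security log rather than the DC, because a worm guessing the local Administrator password is validated against the client's SAM and never reaches the domain. The script below is an added example (not code from anyone on this list) that shows what that check looks like: it reads a client's failed-logon records, keeps only network logons (type 3, which is how SMB credential spraying shows up), and reports sources that hammer one account, noting whether the account was locked out or whether the guessing eventually succeeded. The input format is an assumption (a simple comma-separated export of the log with fixed columns) and the sample records are constructed; the event IDs are the Windows 2000/XP ones (528 success, 529 bad password, 539 lockout).

```python
"""Flag password-guessing against local accounts from a client's Security log.

Added example, not from the thread. The input format is an assumption: a
comma-separated export of the client's Security log with the columns
    time, event_id, target_user, logon_type, source_workstation, source_ip
Event IDs follow the Windows 2000/XP numbering used on the thread's systems:
528 = successful logon, 529 = bad user name or password, 539 = account locked out.
"""
from collections import defaultdict

SUCCESS_LOGON = 528
FAILED_LOGON = {529, 539}
LOCKED_OUT = 539
NETWORK_LOGON = 3  # credentials sprayed over SMB arrive as logon type 3

# Constructed sample: one remote host (10.1.4.23) guesses the local Administrator
# password and gets in, then guesses "tkern" over the network until the account
# locks. The interactive typo from WS-TKERN (logon type 2) is normal user error.
SAMPLE_LOG = """\
2004-12-01 14:02:11,529,Administrator,3,WS-FAX,10.1.4.23
2004-12-01 14:02:12,529,Administrator,3,WS-FAX,10.1.4.23
2004-12-01 14:02:12,529,Administrator,3,WS-FAX,10.1.4.23
2004-12-01 14:02:13,529,Administrator,3,WS-FAX,10.1.4.23
2004-12-01 14:02:14,529,Administrator,3,WS-FAX,10.1.4.23
2004-12-01 14:02:16,528,Administrator,3,WS-FAX,10.1.4.23
2004-12-01 14:03:01,529,tkern,3,WS-FAX,10.1.4.23
2004-12-01 14:03:02,529,tkern,3,WS-FAX,10.1.4.23
2004-12-01 14:03:03,529,tkern,3,WS-FAX,10.1.4.23
2004-12-01 14:03:04,529,tkern,3,WS-FAX,10.1.4.23
2004-12-01 14:03:05,529,tkern,3,WS-FAX,10.1.4.23
2004-12-01 14:03:06,539,tkern,3,WS-FAX,10.1.4.23
2004-12-01 14:05:40,529,tkern,2,WS-TKERN,10.1.2.50
2004-12-01 14:05:48,528,tkern,2,WS-TKERN,10.1.2.50
"""


def parse_events(text):
    """Turn the exported log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, eid, user, ltype, ws, ip = [f.strip() for f in line.split(",")]
        events.append({"time": t, "event_id": int(eid), "user": user,
                       "logon_type": int(ltype), "workstation": ws, "ip": ip})
    return events


def failed_by_source(events):
    """Count network logon failures per (source ip, source workstation, target user)."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] in FAILED_LOGON and e["logon_type"] == NETWORK_LOGON:
            counts[(e["ip"], e["workstation"], e["user"])] += 1
    return dict(counts)


def suspicious_sources(events, threshold=5):
    """Sources with at least `threshold` network failures against one account.

    Each finding also records whether the target locked out (539) and whether
    the same source later logged on to that account over the network, which is
    the case the thread warns about: the worm copies itself once a guess lands.
    """
    counts = failed_by_source(events)
    last_failure = {}
    for e in events:
        if e["event_id"] in FAILED_LOGON and e["logon_type"] == NETWORK_LOGON:
            key = (e["ip"], e["user"])
            last_failure[key] = max(last_failure.get(key, ""), e["time"])
    locked = {(e["ip"], e["user"]) for e in events if e["event_id"] == LOCKED_OUT}
    later_success = {(e["ip"], e["user"]) for e in events
                     if e["event_id"] == SUCCESS_LOGON and e["logon_type"] == NETWORK_LOGON
                     and e["time"] > last_failure.get((e["ip"], e["user"]), "9")}
    findings = []
    for (ip, ws, user), n in sorted(counts.items()):
        if n >= threshold:
            findings.append({"ip": ip, "workstation": ws, "user": user, "failures": n,
                             "locked_out": (ip, user) in locked,
                             "success_after_failures": (ip, user) in later_success})
    return findings


if __name__ == "__main__":
    for f in suspicious_sources(parse_events(SAMPLE_LOG)):
        flag = "GUESSED" if f["success_after_failures"] else ("LOCKED" if f["locked_out"] else "")
        print(f'{f["ip"]:<12} {f["workstation"]:<10} {f["user"]:<14} {f["failures"]:>3} failures {flag}')
```

Run against a real export, the interesting line is any source that reaches the threshold and then shows a success: that is the host to pull off the network first, and its name in the workstation column is the same host the firewall logs point at. The DC's log would show none of this, since local-account logons never leave the client.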