One of my SBS servers ended up with the file ALZZIP.BIN in the sys32 directory (infected). The only place this server has been is to WSUS. I am concerned about how that happened. Sent via BlackBerry by AT&T
-----Original Message-----
From: "RAY ZORZ" <rz...@azcorrections.gov>
Date: Wed, 05 Aug 2009 07:28:49
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Virus?

Yes, saw that too. We're looking at options. It's not like a lot of people would have psexec loaded.

>>> Jeff Bunting <bunting.j...@gmail.com> 8/5/2009 6:54 AM >>>
FWIW, the article does state "Information from the field suggests that this trojan may use Psexec to propagate itself."

On Wed, Aug 5, 2009 at 9:45 AM, RAY ZORZ <rz...@azcorrections.gov> wrote:
> Thanks. Apparently they think it's this -
> http://vil.nai.com/vil/content/v_138472.htm - which of course makes
> little sense since they're saying they don't spread. The only way it would
> get "deployed", therefore, would be WSUS or our attempts at SCCM deployment.
>
> They can detect it but can't prevent it. To clean it requires a manual
> scan.
>
> Sheesh.
>
> >>> "Angus Scott-Fleming" <angu...@geoapps.com> 8/5/2009 6:38 AM >>>
> On 4 Aug 2009 at 14:39, RAY ZORZ wrote:
>
> > Our McAfee is picking up a buffer overflow error on IE. The actual .exe
> > changes, but the path is the same each time:
> >
> > C:\Documents and Settings\username\Application Data\upnpsvc.exe
> > (Trojan.Agent)
> >
> > McAfee doesn't seem to clean it, just report it.
> >
> > Does this look familiar to anyone?
>
> Looks like malware according to a quick scan of results from this search:
> http://www.google.com/search?q=upnpsvc.exe
>
> You can submit it to McAfee for examination here:
> McAfee Avert(r) Labs WebImmune
> https://www.webimmune.net/default.asp
>
> You can bring up your problems WRT what McAfee is seeing/doing (or not doing)
> in the McAfee Community forums here:
> CORPORATE PROTECTION IN BUSINESS ENVIRONMENT - McAfee Support Forums
> http://community.mcafee.com/forumdisplay.php?f=122
>
> I searched the forums for "upnpsvc.exe" and found nothing. However, it is
> listed once in the McAfee VIL:
>
> BackDoor-AWQ.b!28a72340cbb6
> http://vil.nai.com/vil/content/v_164324.htm
>
> ...Other detections that have been observed.
>
> FileName %USERPROFILE%\application data\upnpsvc.exe
> Name: Generic BackDoor.u
>
> HTH
>
> Angus
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~