
slap my arse back in place with a virus...

Discussion in 'The Lounge' started by newyorkin, Apr 29, 2003.

  1. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    [ QUOTE ]
    Virus Found!Virus name: W32.HLLW.Nebiwo in File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.exe by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied

    [/ QUOTE ]


    Pride nailed me. I patched everything, updated my stuff, and sat back and watched the rest of the company get pounded by this virus while all my stuff stayed clean and hidden (well, I didn't just sit back, I helped where I could).
    Now I'm going to be spending the day (probably night too) cleaning up the new variant that's pounding me today.
     
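A defender-side triage helper for alert lines in the format quoted above, added here as an example and not code from this thread. It assumes nothing beyond the alert text itself; the first sample line reproduces the quoted alert and the second is constructed for contrast.

```python
import re
from dataclasses import dataclass, field
# Constructed sample lines in the NAV "Virus Found!" format quoted in the thread
# (first reproduces the quoted alert; second is made up for contrast).
SAMPLE_ALERTS = [
    "Virus Found!Virus name: W32.HLLW.Nebiwo in File: C:\\Documents and Settings"
    "\\All Users\\Start Menu\\Programs\\Startup\\~2.exe by: Realtime Protection scan."
    " Action: Clean failed : Quarantine succeeded : Access denied",
    "Virus Found!Virus name: W32.HLLW.Nebiwo in File: C:\\temp\\setup.exe"
    " by: Manual scan. Action: Clean succeeded",
]
# Field layout: virus name, file path, scanner, then ' : '-separated action results.
ALERT_RE = re.compile(
    r"Virus Found!Virus name: (?P<name>.+?) in File: (?P<path>.+?) "
    r"by: (?P<scanner>.+?)\. Action: (?P<actions>.+)$"
)
# Auto-start location the worm was found in; a file here survives a reboot.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

@dataclass
class Alert:
    name: str
    path: str
    scanner: str
    actions: list = field(default_factory=list)

    def in_startup_folder(self) -> bool:
        return STARTUP_MARKER in self.path.lower()

    def contained(self) -> bool:
        # A successful clean or quarantine means the file is no longer in place.
        return any(a.endswith("succeeded") for a in self.actions)

    def needs_manual_followup(self) -> bool:
        # Persistence location plus a failed or access-denied step: check the box by hand.
        return self.in_startup_folder() and (
            not self.contained() or "Access denied" in self.actions)

def parse_alert(line: str):
    """Return an Alert for a 'Virus Found!' line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    actions = [a.strip() for a in m.group("actions").split(" : ")]
    return Alert(m.group("name"), m.group("path"), m.group("scanner"), actions)

def followup_paths(lines):
    """Paths from a batch of alert lines that a technician should check in person."""
    alerts = filter(None, map(parse_alert, lines))
    return [a.path for a in alerts if a.needs_manual_followup()]
```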
  2. Z3PR

    Z3PR Banned

    Joined:
    Mar 30, 2002
    Posts:
    19,217
    Likes Received:
    0
    Location:
    Everywhere
  3. Goober

    Goober 1/2 ton status

    Joined:
    Apr 26, 2002
    Posts:
    2,222
    Likes Received:
    0
    Location:
    Mayberry (Auburn, WA)
    Actually W32.HLLW.Nebiwo isn't a virus, it's a worm that acts as a delivery device for trojans.

    This little monster was written specifically for Windows 2000. It replicates via SMB over TCP port 445. As you may recall, the SMB protocol in the old world of NT ran on top of NBT (that's why you block UDP ports 137, 138 and TCP port 139 at your firewalls), but Windows 2000 can run SMB directly over TCP/IP. This added functionality is provided over port 445.

    If you have updated NAV on all your machines you should be OK. Better yet, are you running NAV in Managed Mode?

    Make sure you update your virus definition files so that your AV client will be able to stop not only this worm but also recognize anything that this little hummer wants to deliver to you.

    Relax, this is the fun part of tech support!!

    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.nebiwo.removal.tool.html
     
  4. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    Thanks Goob. I've been researching the **** out of this lil' beotch (not by choice), and I just finished a script that'll walk out along the network and check every machine connected for the virus, then destroy it, logging everything along the way...

    Turns out only 3 boxes were actually infected. Each of them has/had a NAV problem. I know one was because the user doesn't use a logon script, which would have checked and changed the NAV server (very dumb oversight on my part). Another was because the user had un-installed NAV because it was interfering with some software (she has to be a local admin to run certain progs, and a phone support guy at some point had her remove NAV. I hate giving them that access!).
    The other one is a mystery; the user's logon script should have been changing the NAV server every time she logged on. I'll figure it out soon I'm sure, priority now is to get these boxes back in service...
    Ahhhh, my arse would be physically running around without VBScript... Thanks to scripting, I can stuff Krispy Kremes in my face while I watch it go out and zap the little puker... Although I'm a little annoyed that I missed lunch and have to resort to leftover Krispy Kremes from the lunchroom...
     
  5. Goober

    Goober 1/2 ton status

    Joined:
    Apr 26, 2002
    Posts:
    2,222
    Likes Received:
    0
    Location:
    Mayberry (Auburn, WA)
    Glad to hear you got it under control.



    [ QUOTE ]
    she has to be a local admin to run certain progs

    [/ QUOTE ]

    There's a problem, right there.

    Unless she is a developer, she doesn't need Admin rights. If she is a developer she can have Admin rights in her development domain only, N O T in the production environment.


    One of the best parts of my job is when people come crying about needing to have Local Administrator rights on their machines. I don't even let them finish their sentence and I interrupt them with a hearty "NO!".

    Depending on who it is that's asking, my boss usually gets a phone call within a few minutes. Then she sticks her head in the door and tells me (laughing) that while she agrees with saying "NO" to the idiots, I should at least let them make a formal request.



    It's great to have a good boss!
     
