Help with Agobot-JX

Nick

Hi, Windows 2000 SP4, Sophos AV (up to date), Agobot-JX.

A machine on our network that hadn't been updating has caught
Agobot-JX and it is spreading around the network by dumping a file in
system32 called winhlpp32.exe which then seems to try and unpack into
wupdate.exe. Sophos detects the virus straight away, but around 10% of
the time, still allows the machine to become infected with registry
changes (hklm/s/m/w/c/run), a changed hosts file and a service running
on the PC.

How is a patched machine with an up to date virus checker still
becoming infected? I understand that it will still get the dropper
file, but it shouldn't then become infected and pass it on.

Any advice?

thanks,

kurt wismer

Nick said:
Hi, Windows 2000 SP4, Sophos AV (up to date), Agobot-JX.

A machine on our network that hadn't been updating has caught Agobot-JX
and it is spreading around the network by dumping a file in system32
called winhlpp32.exe which then seems to try and unpack into
wupdate.exe. Sophos detects the virus straight away, but around 10% of
the time, still allows the machine to become infected with registry
changes (hklm/s/m/w/c/run), a changed hosts file and a service running
on the PC.

How is a patched machine with an up to date virus checker still becoming
infected? I understand that it will still get the dropper file, but it
shouldn't then become infected and pass it on.

anti-virus programs cannot prevent network share enumeration as the
process that's doing the infecting isn't actually on the machine that's
getting infected... they can only detect the file after it has been
completely written to the disk and then only when you initiate a system
scan or something tries to access the file (if you have an on-access
scanner deployed)...

i would consider hardening your intranet a little better - most
machines on your network should *not* have access to the system32
directory or in fact most directories except those that are absolutely
necessary (for some as yet undetermined business process that may take
place in your shop) and then only when explicitly configured and only
for the machines/user accounts that are required to have access to
those shares...
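An added read-only triage script for the indicators Nick lists (dropped winhlpp32.exe / wupdate.exe in system32, a Run-key entry, a modified hosts file, a service pointing at the dropped file); it is not from the thread or from Sophos, assumes PowerShell 3 or later run as administrator on the suspected host, and expands "hklm/s/m/w/c/run" to the usual HKLM\...\CurrentVersion\Run key.

```powershell
# Added triage check for the Agobot-JX indicators described in the thread.
# Assumption: run elevated on the suspected host. It only reports; it does not clean anything.
$sys32    = Join-Path $env:SystemRoot 'System32'
$names    = @('winhlpp32.exe', 'wupdate.exe')        # dropper / unpacked file names from the post
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$hosts    = Join-Path $sys32 'drivers\etc\hosts'
$findings = @()

# 1. Dropped files sitting in System32
foreach ($n in $names) {
    $p = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $p) {
        $fi = Get-Item -LiteralPath $p
        $findings += "file: $p ($($fi.Length) bytes, written $($fi.LastWriteTime))"
    }
}

# 2. Persistence via the Run key: any value whose data mentions one of the dropped names
if (Test-Path -Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # skip PowerShell's own PSPath/PSChildName members
        foreach ($n in $names) {
            if ("$($prop.Value)" -match [regex]::Escape($n)) {
                $findings += "run key: $($prop.Name) = $($prop.Value)"
            }
        }
    }
}

# 3. Hosts file: report anything beyond comments and the plain loopback entries
if (Test-Path -LiteralPath $hosts) {
    foreach ($raw in Get-Content -LiteralPath $hosts) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^(127\.0\.0\.1|::1)\s+localhost$') { continue }
        $findings += "hosts: $line"
    }
}

# 4. Services whose binary path points at one of the dropped files
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    foreach ($n in $names) {
        if ($svc.PathName -and $svc.PathName -match [regex]::Escape($n)) {
            $findings += "service: $($svc.Name) ($($svc.State)) -> $($svc.PathName)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Agobot-JX indicators found.' } else { $findings }
```

A clean host prints the single "No ... found" line; anything else listed is a host that got past on-access scanning in the way kurt describes and needs the share permissions looked at as well as the cleanup.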