Spybot Virus & Network Connectivity

dougalovich

Hello All,

I have been called to a job where the entire network had ground to a
halt. About 30 Windows 2000 machines, all running AVG Antivirus that is
up-to-date.

I narrowed the problem down to 4 PCs that were infected with the Spybot
virus (see link) that were clogging up the network. I started by
unplugging their cables and the remainder of the network is functioning
normally now.

http://www.sarc.com/avcenter/venc/data/w32.spybot.cym.html

I have removed the offending file and corrected the registry entries as
described in the above link and internet connectivity has been restored
on these machines as well as the other PCs on the network.

However, these 4 PCs cannot communicate with others on the network, the
server, shared printer etc.

They can ping the server and other PCs, it just seems that any kind of
communication involving mapped drives etc on the local network is
'broken'.

I would rather not have to rebuild these PCs, but I know I'll probably
have to. I haven't tried reinstalling the network protocols etc. yet,
but I have done a virus scan and also cleared suspect items with
HijackThis and also checked with LSPFix.

I was wondering if there were any other common registry tweaks that the
virus might have employed to 'break' its networking capabilities. As I
said, the PCs can access the internet and also ping the server
successfully. Any error messages are of the kind that you'd expect if a
network cable was unplugged or if the server was down etc.

DNS information is fine and I also cannot access the server if I just
use the IP address.

Any help would be appreciated.

Thanks in advance,

David.
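
The question above asks which registry changes the worm may have made. The following is an added example, not code from the thread or from the Symantec write-up it links: it parses a text registry export (assumed to come from regedit's export or reg.exe on the suspect PC) and reports the Lsa RestrictAnonymous value together with every autostart entry under the Run keys, so a cleaned PC can be diffed against a known-good one before deciding to rebuild. The sample export embedded in the script is constructed; its value names (AVG7_CC, SysUpdate) and the explore32.exe path are invented for illustration.

```python
"""Audit a regedit export (.reg) for the kind of registry changes discussed above.

Added example, not from the thread or the Symantec write-up. The .reg text
is assumed to come from regedit's export on the suspect PC; SAMPLE_EXPORT
below is constructed and its value names are invented.
"""
import re

SECTION_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Paths are compared lower-cased because the registry is case-insensitive.
LSA_KEY = r'hkey_local_machine\system\currentcontrolset\control\lsa'
RUN_KEYS = (
    r'hkey_local_machine\software\microsoft\windows\currentversion\run',
    r'hkey_local_machine\software\microsoft\windows\currentversion\runservices',
    r'hkey_current_user\software\microsoft\windows\currentversion\run',
)


def decode_value(raw):
    """Decode one .reg value: quoted string, dword:, or hex[(type)]: bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # "\\" -> "\", "\"" -> '"'
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex'):
        data = raw.split(':', 1)[1]
        return bytes(int(b, 16) for b in data.split(',') if b)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} with paths and names lower-cased.

    Hex continuation lines ending in '\\' are joined; '[-KEY]' deletion
    sections are skipped; the default value is stored under the name ''.
    """
    keys = {}
    current, pending = None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if not line or line[0] == ';' or line.startswith(('REGEDIT4', 'Windows Registry Editor')):
            continue
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        m = SECTION_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2).lower()
            if current:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current:
            name = (m.group(1) or '').lower()
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Findings as (category, detail) tuples for a human to compare with a clean PC."""
    findings = []
    ra = keys.get(LSA_KEY, {}).get('restrictanonymous')
    if ra not in (None, 0):
        findings.append(('lsa-restrictanonymous',
                         f'RestrictAnonymous={ra}; the write-up quoted in this thread says '
                         'the worm sets it to 1, so compare against a known-good machine'))
    for run_key in RUN_KEYS:
        for name, cmd in keys.get(run_key, {}).items():
            findings.append(('autostart', f'{run_key}\\{name} = {cmd}'))
    return findings


# Constructed sample export (not a real dump): names and paths are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"Authentication Packages"=hex(7):6d,73,76,31,5f,\
  30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SysUpdate"="explore32.exe"
'''

if __name__ == '__main__':
    for category, detail in audit(parse_reg(SAMPLE_EXPORT)):
        print(f'{category:24} {detail}')
```

Run the same script over an export from a machine that was never infected and compare the two finding lists; anything in the autostart list that only appears on the cleaned PCs is worth a second look, and the RestrictAnonymous line tells you whether the write-up's change is still in place after the manual clean-up.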
David H. Lipman

From: <[email protected]>

30 nodes running AVG, tsk, tsk.....
I hope that is at least the AVG PAID-for version.

If YOU are a professional, you must *strongly* suggest an Enterprise anti virus solution to
replace AVG.

There are *many* variants of the SDBot/SpyBot worm. 100's and growing!
It spreads through inadequately secured NetBIOS Shares, RPC/RPCSS DCOM and LSASS
vulnerabilities and other vulnerabilities.

Chances are this variant has modified parameters for LSASS, NetBIOS and others.

The Symantec library article noted...
"Adds the value:
"LSArestrictAnonymous" = "1"
to the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
to restrict anonymous access to IPC$ share and help secure the system."

I am sure there are *other* modifications as well.

Normally I don't suggest flattening a system but... In this case I do.
I suggest you make a Ghost image of each dysfunctional platform then rebuild the OS and then
extract the user's data from the Ghost images made.

Finally I suggest scanning the remaining platforms via my Multi AV Scanning tool...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
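
The reply above notes that this worm family spreads through NetBIOS shares and the RPC/DCOM and LSASS services, which is why a few infected hosts can bring a small LAN to a halt: each one sweeps the network for those ports. The script below is an added example, not code from the thread or from the Multi_AV tool, showing how to pick out such hosts from a simple per-connection log (the log format, the 192.168.1.0/24 addresses and the fan-out threshold are all assumptions). The log lines it processes are constructed inline; it flags any source that opens TCP connections to many distinct peers on ports 135, 139 or 445, which is the pattern you would expect from a scanning worm rather than from a client talking to one file server.

```python
"""Find hosts fanning out to NetBIOS/RPC ports in a connection log.

Added example, not from the thread. Input format 'time src dst proto dport'
is assumed; the sample log is constructed, with two sweeping hosts and a
handful of normal clients talking to one file server (192.168.1.2).
"""
from collections import defaultdict

# Ports the thread's reply associates with the worm's spreading vectors:
# RPC/DCOM endpoint mapper (135), NetBIOS session (139), SMB/LSASS (445).
WORM_PORTS = frozenset({135, 139, 445})


def parse_flows(lines):
    """Yield (time, src, dst, proto, dport) tuples, skipping comments and blanks."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        ts, src, dst, proto, dport = line.split()
        yield int(ts), src, dst, proto.lower(), int(dport)


def fanout_by_source(lines, ports=WORM_PORTS):
    """Map each source host to the set of distinct peers it contacted on `ports`."""
    peers = defaultdict(set)
    for _, src, dst, proto, dport in parse_flows(lines):
        if proto == 'tcp' and dport in ports:
            peers[src].add(dst)
    return peers


def suspects(lines, threshold=10, ports=WORM_PORTS):
    """Sources that touched more than `threshold` distinct peers, busiest first.

    Counting distinct destinations per *source* keeps a busy file server
    (many inbound connections) off the list while a sweeping client lands on it.
    """
    peers = fanout_by_source(lines, ports)
    hits = [(src, len(dsts)) for src, dsts in peers.items() if len(dsts) > threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def _constructed_log():
    """Build a constructed sample log (not captured traffic)."""
    lines = ['# time src dst proto dport  (constructed sample)']
    t = 0
    for i in range(1, 41):                       # host .57 sweeps the /24 on SMB
        lines.append(f'{t} 192.168.1.57 192.168.1.{i} tcp 445'); t += 1
    for i in range(1, 26):                       # host .58 sweeps NetBIOS session
        lines.append(f'{t} 192.168.1.58 192.168.1.{i} tcp 139'); t += 1
    for i in range(10, 15):                      # normal clients: server + web
        lines.append(f'{t} 192.168.1.{i} 192.168.1.2 tcp 445'); t += 1
        lines.append(f'{t} 192.168.1.{i} 192.168.1.2 tcp 139'); t += 1
        lines.append(f'{t} 192.168.1.{i} 203.0.113.10 tcp 80'); t += 1
        lines.append(f'{t} 192.168.1.{i} 192.168.1.2 udp 53'); t += 1
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == '__main__':
    for host, peers in suspects(SAMPLE_LOG):
        print(f'{host}: {peers} distinct peers on {sorted(WORM_PORTS)} - unplug and inspect')
```

On a real network you would feed this the export from whatever sits in the path (a firewall or router connection log, or a packet capture reduced to flows); the threshold depends on how many machines a client legitimately talks to on these ports, which on a 30-node LAN with one server is usually just a handful.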
dougalovich

| 30 nodes running AVG, tsk, tsk.....
| I hope that is at least the AVG PAID-for version.
|
| If YOU are a professional, you must *strongly* suggest an Enterprise anti virus solution to
| replace AVG.

That's what I thought!
I've gotten them to agree to McAfee Ent, which I'll be ordering today!

I'll run your tool on the other PCs, though there is no sign (i.e. of
explore32) on them. However I know that's no guarantee!

Looks like rebuilds then!

Thanks for your advice,

David.
dougalovich

Update,

As the machines were running fine other than the loss of network
connectivity, I decided to spend 10-15 mins trying to find an easier fix
than rebuilding.

Firstly, I thought I'd try uninstalling Client for Microsoft Networks,
TCP/IP protocol and File and Printer Sharing and then reinstalled. Lo
and behold it worked!!

So I did it on the rest of the machines, took 5 mins per machine.

1 installation of McAfee enterprise, complete adware / spyware scan and
a full complement of Windows Updates later, all is well on all
machines.

D
David H. Lipman

From: <[email protected]>

Thanx for updating the thread. It is greatly appreciated !

Was that McAfee VirusScan v8.0i ?