Worm found in Win2k server


Ed

You mentioned you ran an online AV scan. So I'm to assume you do not have
AntiVirus software running on the server? If so, then that explains why you
probably have the virus. It's best to install an AV on your server and have
it download virus updates daily and maybe perform a scan afterwards.

Someone could have brought an infected disc, checked their email, etc.
 

Jeff Cochran

I am wondering there is a worm in a Windows 2000 server. No one was using
that server for browsing or working during weekend. However, worm was found
by online anti-virus scanning. Basically there is a Netscreen firewall which
is installed between LAN and internet and all recent updated patches were
installed too. But how can the worm be develop in Windows 2000 server?

Start by Googling for details of the worm; that may tell you the
attack vector. Check firewall logs as well.

What you're asking is how a system connected to the internet through a
firewall which nobody used gets a worm. The answer is: Many
possibilities, including you have poor security on the system and/or
it is behind on updates. A simple example is that you don't have an
AV program active on the system, and you assume a firewall blocks
everything.

Jeff
 

Wilson Cheung

Can a firewall block viruses or worm? On the other hand, Norton Anti-virus
program was installed. That's why I'm wondering worms are still found in the
system.

Wilson
 

Benn Wolff

Norton sucks, 100%! Get rid of Norton.


Wilson Cheung said:
Can a firewall block viruses or worm? On the other hand, Norton Anti-virus
program was installed. That's why I'm wondering worms are still found in the
system.

Wilson
 

Robert Moir

Wilson said:
Can a firewall block viruses

No

or worm?

Maybe. Certainly not by itself.

On the other hand, Norton
Anti-virus program was installed. That's why I'm wondering worms are
still found in the system.

Because there is an unpatched vulnerability on the system which either a
hacker or an automated worm was able to exploit. Virus scanners and firewalls
are all well and good, but they don't stop you needing to manage your
servers properly, just the same as seatbelts and airbags might be useful
during a car accident but that doesn't mean it's a good idea to intentionally
drive into other things at full speed.


--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 

Karl Levinson [x y] mvp

It's impossible to answer this question unless you tell us the exact name
and variant of the virus, such as "Sobig.F"
 

Michael Bednarek

In Trend Micro, the name of this worm is "WORM_SDBOT.SN".
In Symantec, the name is "W32.Gaobot.SN".

Norton antivirus always finds "Msgfix.exe" and "payload" in my Windows 2000
server. Or every time when I scan manually from Antivirus.com

Review your passwords (that worm gets in by trying a number of
passwords).

Review your firewall; your server should be invisible to the outside
world. Also, review your firewall's outbound rules: start with denying
everything except HTTP. Never allow IRC, in this case 6667 specifically.

Review your AV software: a functioning, up-to-date, real-time AV program
should have caught this. Investigate why it didn't.
Karl Levinson [x y] mvp said:
It's impossible to answer this question unless you tell us the exact name
and variant of the virus, such as "Sobig.F"


Wilson Cheung said:
Hello,

I am wondering there is a worm in a Windows 2000 server. No one was using
that server for browsing or working during weekend. However, worm was found
by online anti-virus scanning. Basically there is a Netscreen firewall which
is installed between LAN and internet and all recent updated patches were
installed too. But how can the worm be develop in Windows 2000 server?
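
The firewall-log and outbound-rule review suggested in this thread, sketched as an added example that is not part of any poster's message. The LAN range, the key=value log layout and the sample records are constructed assumptions, not a real NetScreen export; the policy (HTTP only, never IRC on 6667) is the one stated in the reply above.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): LAN range and log layout are hypothetical.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_OUTBOUND = {80}   # "start with denying everything except HTTP"
IRC_PORTS = {6667}        # "Never allow IRC, in this case 6667"

# Constructed sample log in a generic key=value layout (not a real firewall export).
SAMPLE_LOG = """\
2004-06-12 02:14:07 src=192.168.1.10 dst=203.0.113.25 dst_port=6667 action=permit
2004-06-12 02:14:09 src=192.168.1.10 dst=198.51.100.7 dst_port=80 action=permit
2004-06-12 02:19:41 src=192.168.1.10 dst=203.0.113.25 dst_port=6667 action=permit
2004-06-12 02:20:02 src=192.168.1.22 dst=192.168.1.10 dst_port=445 action=permit
2004-06-12 02:21:13 src=192.168.1.10 dst=198.51.100.9 dst_port=25 action=permit
2004-06-12 02:22:30 src=203.0.113.40 dst=192.168.1.10 dst_port=445 action=deny
2004-06-12 02:23:00 src=192.168.1.22 dst=203.0.113.25 dst_port=6667 action=deny
2004-06-12 02:23:05 truncated record src=192.168.1.22
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return (src, dst, dst_port, action) or None for malformed records."""
    f = dict(FIELD_RE.findall(line))
    try:
        return (ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"]),
                int(f["dst_port"]), f["action"].lower())
    except (KeyError, ValueError):
        return None

def audit_egress(log_text):
    """Count permitted LAN-to-outside connections that break the egress policy."""
    findings = defaultdict(lambda: {"irc": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, action = rec
        if action != "permit" or src not in LAN or dst in LAN:
            continue  # only traffic the firewall let out of the LAN matters here
        if port in IRC_PORTS:
            findings[str(src)]["irc"] += 1
        elif port not in ALLOWED_OUTBOUND:
            findings[str(src)]["other"] += 1
    return dict(findings)

if __name__ == "__main__":
    for host, counts in audit_egress(SAMPLE_LOG).items():
        print(host, counts)
```

A server that shows permitted IRC connections in such a report is both a cleanup candidate and evidence that the outbound rule set is too permissive.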
 

Dave

It is common for worms to get onto machines that have a date/time set in the
future. All the virus/worm/trojan/adware/spyware programs refuse to run if
your system date isn't correct.
 

Oli Restorick [MVP]

Michael Bednarek said:
Review your firewall; your server should be invisible to the outside
world. Also, review your firewall's outbound rules: start with denying
everything except HTTP. Never allow IRC, in this case 6667 specifically.

Also bear in mind that worms often find their way into networks on laptops
that have been connected to somebody's home Internet connection and are then
brought onto the company network.

Oli
 

Roger Abell

You have not said whether your AV is set to do on-access checks.
Consider, if not, and this server is used for storage by client machines,
and those are infected, then as soon as you clean the storage on the
server it will be reinfected from the clients.
However, in light of the further info - reset your passwords.
 

Mike Matheny

Then what do you suggest? Name me an Enterprise Anti-Virus program, and I
can shoot holes in it as to deficiencies and just plain old operability.
(you know - the user interface sucks!)
 

David Barnes

I'll second the opinion on Norton.

Norton does not block spyware, trojans and some worms..
IMHO it Sucks..!!!



Karl Levinson [x y] mvp said:
That's your opinion, not mine.

Benn Wolff said:
Norton sucks, 100%! Get rid of Norton.
 

Wilson Cheung

Hello,

I am wondering there is a worm in a Windows 2000 server. No one was using
that server for browsing or working during weekend. However, worm was found
by online anti-virus scanning. Basically there is a Netscreen firewall which
is installed between LAN and internet and all recent updated patches were
installed too. But how can the worm be develop in Windows 2000 server?
Thanks!

Wilson
 

Wilson Cheung

In Trend Micro, the name of this worm is "WORM_SDBOT.SN".
In Symantec, the name is "W32.Gaobot.SN".

Norton antivirus always finds "Msgfix.exe" and "payload" in my Windows 2000
server. Or every time when I scan manually from Antivirus.com


Wilson


Karl Levinson [x y] mvp said:
It's impossible to answer this question unless you tell us the exact name
and variant of the virus, such as "Sobig.F"


Wilson Cheung said:
Hello,

I am wondering there is a worm in a Windows 2000 server. No one was using
that server for browsing or working during weekend. However, worm was found
by online anti-virus scanning. Basically there is a Netscreen firewall which
is installed between LAN and internet and all recent updated patches were
installed too. But how can the worm be develop in Windows 2000 server?
Thanks!

Wilson
 
