cmd & autorun.inf

Mornedb

New Member
Joined
May 28, 2009
Messages
3
Can anyone please assist.
We have a server that is running Server 2003. On this server there is a shared folder that the whole company accesses on a regular basis.
In this folder there are 2 files that do not belong there - cmd.exe (this file has a picture of a hamburger on it) and autorun.inf.
When we delete these files they just return a few minutes later. When users click on this cmd file their local PC gets infected with a couple of Notepad docs that are labelled brokensole_bh.
When you open this file there is a poem.
The cmd process then runs in Task Manager and there is also a cmd.exe icon under Startup.
It's fairly easy to remove this from a local machine; our issue is that we cannot remove it from the server. Various AVs and removal tools do not even pick it up as a virus.

Please assist
 

howardb

Expert Member
Joined
Sep 12, 2003
Messages
3,652
Sounds like an autorun virus or similar - MS Security Essentials will also remove it completely.
 

ramar

Well-Known Member
Joined
Jul 24, 2007
Messages
291
MS Security Essentials does not run on Server 2003. You need a good server antivirus. I can recommend Eset Business Edition or Kaspersky Openspace suite.
 

Random717

Expert Member
Joined
May 30, 2006
Messages
2,121
Avast server version has a 60 or 90 day trial, very useful...
There are a few possibilities as to why the files keep reappearing. One is that a system connecting to the share is infected, so it keeps reinfecting it when it is cleaned. Monitor the users that are connected and what files are open to track it down (right-click My Computer, Manage, under System Tools is Shared Folders, which shows current sessions and open files). Another possibility is that the virus installed a scheduled task to reinstall itself (delete anything that wasn't manually created; they're normally called AT0), or it's sitting in memory and just reinstalling itself (use Task Manager to kill every process you can, have a cmd window open to abort any shutdown prompts that appear, then delete the files followed by a virus scan).
 

keveenjones

New Member
Joined
Apr 15, 2010
Messages
4
You can download the latest antivirus and install it on that server computer and then do a full scan of the computer. After the scanning process has completed you can see that virus, so you can delete that virus from your server computer.
 

thisgeek

Expert Member
Joined
Apr 22, 2005
Messages
3,372
Here's how to block those nasty files from being saved to your server.

On your server, see if you have an app under Administrative Tools called the File Server Resource Manager.

1) In there, go to File Screening Management, and then right-click File Groups, and select Create File Group. Give it a name - Autorun.inf
Under "Files to Include" type Autorun.inf and click add. (You could create a different file group here with different file specs. There should be a bunch of defaults already). Click OK.

2) Go to File Screen Templates, right-click it, and select Create File Screen Template. Call it 'Suspicious Files'.
Screening type is Active. Under File Groups, select the newly created 'Autorun.inf' (You can create other file groups or modify existing ones with the buttons on the right). Also select any other file groups you may have created, or Executable File group, whatever you like. At this point, you can just click OK, OR you can investigate the other tabs to see what kind of notification options you might want to have should the file screen be triggered.

3) Go to File Screens, right click it, and select Create File Screen. Browse to the root of the path you want to block autorun.inf from being saved to. Select the option 'Derive properties from this file screen template' and select your newly created Suspicious Files template. Click Create.

The server will no longer allow Autorun.inf files (and whatever else you may have selected) to be saved in the path you specified.
This will not affect existing files, only future attempts to save them.
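Since a file screen only blocks future saves, the autorun.inf/cmd.exe pair already sitting in the share has to be found by hand. The script below is an added example (not from the thread or from FSRM): it walks a share, parses each autorun.inf, and reports any whose launch entry points at a program stored in the same folder. The sample share it builds in a temp directory is constructed for the demo; point find_suspicious_autoruns() at the real share path to audit it.

```python
import tempfile
from pathlib import Path

# [autorun] keys that make Explorer launch a program (key names are case-insensitive).
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased (hand-rolled
    because malicious autorun.inf files often carry junk lines that break configparser)."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Yield the program names the parsed autorun.inf would execute."""
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            # First token is the program; strip quotes so "cmd.exe" matches a file on disk.
            yield value.split()[0].strip('"') if value else ""

def find_suspicious_autoruns(share_root):
    """Return [(inf_path, target)] for every autorun.inf whose launch target exists
    in the same folder, which is the cmd.exe + autorun.inf pairing from the thread."""
    hits = []
    for inf in Path(share_root).rglob("*"):
        if inf.name.lower() != "autorun.inf" or not inf.is_file():
            continue
        for target in launch_targets(parse_autorun(inf.read_text(errors="replace"))):
            if target and (inf.parent / target).is_file():
                hits.append((str(inf), target))
    return sorted(hits)

def demo():
    """Build a constructed sample share in a temp directory and audit it."""
    root = Path(tempfile.mkdtemp())
    (root / "cmd.exe").write_bytes(b"placeholder, not a real binary")  # constructed
    (root / "autorun.inf").write_text(
        "[autorun]\nOPEN=cmd.exe\nicon=cmd.exe\nshell\\open\\command=cmd.exe /c start\n")
    (root / "docs").mkdir()
    (root / "docs" / "autorun.inf").write_text("[autorun]\nicon=folder.ico\n")  # benign
    return find_suspicious_autoruns(root)
```

The demo reports the root autorun.inf twice (once for open=, once for shell\open\command=) and ignores the icon-only file under docs.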
 

wishblade

Senior Member
Joined
Jan 14, 2009
Messages
635
thisgeek is spot on.

In addition though, here's some words of advice:
- Microsoft has cautioned against the executing of autorun files on folder access (through Explorer) but they apparently don't follow their own advice. So there are, if I remember correctly, 2 registry keys that need to be edited to properly prevent Explorer from auto-executing autorun files contained within a folder when the folder is accessed. A Google search will turn these up. Use them, on each PC, and on the server.
- Ensure that you make use of an effective anti-virus product. If you are a corporate environment, use an effective corporate AV product, that you pay for, and receive support for (NOT a free edition version)!!!
- Make sure that the server is running a regularly updated, effective AV product. The only thing would be the customization of the product for the server, and not running any firewall component. Your AV product on the server should then not be allowing the execution of the virus on the server, which means that we don't have to worry about the server being physically infected. Which means that we only have to worry about virus files being placed (dumped) in shares on the server.

Now, since the share is obviously writable by someone (or everyone, or whoever...), and the infection keeps returning, that would suggest that at least one of those machines that have write access to the share is the source of the infection (a logical approach).

To start with, you need to clean out all the PCs that can write to the share. Easier said than done, since you may not want to take the entire company offline and doing it all after hours might not be feasible (laptops taken home, after-hours pay, getting somebody to actually stay after hours etc, etc)...
So a process can be followed, which only inconveniences a couple of users at any given time:
1. Do what thisgeek mentioned above.
2. Block write access to the share for a couple of users.
3. Ensure that those users' machines are fully patched with the latest updates, Explorer has been tamed, and that they are clean from infection.
4. Once all cleared, give them write access to the share again, and the instruction to not run the cmd.exe file (or whichever file/s are the cause of the infection). Since Explorer won't be executing the autorun.inf on opening the folder, the virus won't be auto-executing. Part of this may be ensuring that file extensions are visible as part of step 3, since bob.doc and bob.exe may look the same, giving the bob.exe file a 50% chance of being clicked on, and the virus executed.
5. Once all the PCs are patched, clean, updated, etc, run a full scan of the server, with the idea of renaming / quarantining any lingering infected files.

Feel free to comment, but it generally works...
Have fun :D
 