Re: [Dshield] Philis.bq clean up
- To: "General DShield Discussion List" <[EMAIL PROTECTED]>
- Subject: Re: [Dshield] Philis.bq clean up
- From: "Sue Young" <[EMAIL PROTECTED]>
- Date: Wed, 29 Nov 2006 11:48:50 -0600
- Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
- Thread-index: AccTqMYBJtgNfQ76RduU9gSa6KO+YQANHP6g
- Thread-topic: [Dshield] Philis.bq clean up
Reimaging is best but there are two things I've found that help with
this situation if you can't reimage.
First, turn off system restore before running the removal tool. That'll
work if the virus isn't really aggressive.
Second, if the virus is aggressive and keeps regenerating but you can
identify the files it's using, boot with the setup disk and go into the
repair console. You can delete the files in the repair console and if
you've also disabled the system restore function they shouldn't come
back. You'll also have to clean up registry entries and make sure you
can get every one of the files.
It is always safer to reimage the workstation since a lot of trojans
will download others and you'll get a whole zoo.
Thanks,
Sue Young, CISSP
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Warner, Mark
Sent: Wednesday, November 29, 2006 5:22 AM
To: General DShield Discussion List
Subject: [Dshield] Philis.bq clean up
We seem to have been infected with the Philis.bq virus in our network.
McAfee has a tool but the regeneration keeps rebuilding the virus on
restart. Presently we have about 35 infected machines. Today we will
reimage about 20 of them. Has anyone found a removal method that works
for this?
We cannot find its method of spreading or stop the kickstart of the
virus. Any help would be good.
mark
-----Original Message-----
From: "jayjwa" <[EMAIL PROTECTED]>
To: "General DShield Discussion List" <[EMAIL PROTECTED]>
Sent: 11/29/06 1:42 AM
Subject: Re: [Dshield] POP3 wrong password for ....
On Sun, 26 Nov 2006, Tom wrote:
-> Heads up. Our logs are showing bot activity increasing over the last
-> month or so searching for a user and then trying passwords over and
-> over again to authenticate.
I was wondering what those were. It's tcpwrapped off anyway. You may be
able to use one of those ssh brute force blocking tools modified for
POP3. Just change the log the script looks in and search for "wrong
password for" and add them to the firewall (maybe time limited).
Also I'm seeing a lot of VNC attempts (tcp/5900) filling the firewall
logs.
--
Linux 2.6.18.2 on Pentium II (Klamath) up 69.33
Linux 2.6.18.2 on Intel(R) Pentium(R) 4 CPU 2.80GHz up 20.03
Minix 2.0.4 (currently offline)
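jayjwa's suggestion above (watch the mail log for the "wrong password for" marker, count failures per source address and hand offenders to the firewall, possibly time-limited) worked through in Python as an added example. This is not code from the thread or from any of the ssh brute-force blockers he refers to. The syslog-style line format, the year stamp (syslog lines carry none), the threshold of five failures within one minute, the 30-minute ban and the iptables rule syntax are all assumptions; the sample log lines are constructed.

```python
"""Sliding-window detector for POP3 password guessing with time-limited blocks.

Added example adapting the idea from the post above: scan the mail log for
"wrong password for", count failures per source address inside a short window
and emit firewall rules that expire on their own.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is an ASSUMPTION about a hypothetical
# pop3d; only the "wrong password for" marker comes from the original post.
SAMPLE_LOG = """\
Nov 29 01:40:01 mail pop3d[2201]: wrong password for user alice from 203.0.113.7
Nov 29 01:40:03 mail pop3d[2201]: wrong password for user alice from 203.0.113.7
Nov 29 01:40:04 mail pop3d[2201]: wrong password for user bob from 203.0.113.7
Nov 29 01:40:06 mail pop3d[2201]: wrong password for user alice from 203.0.113.7
Nov 29 01:40:09 mail pop3d[2201]: wrong password for user carol from 203.0.113.7
Nov 29 01:41:00 mail pop3d[2202]: wrong password for user dave from 198.51.100.9
Nov 29 01:41:30 mail pop3d[2203]: login ok for user dave from 198.51.100.9
Nov 29 02:15:00 mail pop3d[2204]: wrong password for user erin from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"wrong password for user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
YEAR = 2006                        # syslog timestamps carry no year; constructed
THRESHOLD = 5                      # failures inside WINDOW that trigger a block
WINDOW = timedelta(seconds=60)
BAN_FOR = timedelta(minutes=30)    # "maybe time limited": the block expires by itself


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for every 'wrong password for' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW, ban_for=BAN_FOR):
    """Return {ip: (trigger_time, expiry)} for addresses exceeding the threshold.

    A per-IP deque keeps the failure timestamps that fall inside the sliding
    window; when it reaches `threshold` the address is marked and its later
    failures are skipped (it is already blocked).
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, _user in sorted(parse_failures(log_text)):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # discard failures older than the window
        if len(q) >= threshold:
            blocked[ip] = (ts, ts + ban_for)
    return blocked


def firewall_commands(blocked, port=110):
    """Render block and matching unblock rules as iptables command strings.

    Nothing is executed here; a wrapper script or cron job would run the
    unblock line once `expiry` has passed, giving the time-limited ban.
    """
    cmds = []
    for ip, (_since, expiry) in sorted(blocked.items()):
        cmds.append(f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
        cmds.append(
            f"# at {expiry:%Y-%m-%d %H:%M}: "
            f"iptables -D INPUT -s {ip} -p tcp --dport {port} -j DROP"
        )
    return cmds


if __name__ == "__main__":
    hits = detect_bursts(SAMPLE_LOG)
    for ip, (since, until) in hits.items():
        print(f"{ip}: {THRESHOLD} failures by {since:%H:%M:%S}, "
              f"blocked until {until:%H:%M:%S}")
    print("\n".join(firewall_commands(hits)))
```

On the constructed sample only 203.0.113.7 trips the rule (five failures in eight seconds); 198.51.100.9 fails twice more than half an hour apart and is left alone, which is the point of the sliding window: a user mistyping a password now and then should not end up in the firewall.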