
Please help! Worm wreaking havoc on the network!

albanga Member Posts: 164
Hi All,

Well, it is me again. I am having the week from hell!!

Could someone with experience please help me with a worm that has taken over our network. To start with, the worm is W32/sdbot.worm.? (the question mark varies from computer to computer, from c to gl to whatever).

This virus, whilst not harmful, is extremely annoying and frustrating. What it does is disable the on-access scan of our virus scanner, then it opens a command prompt and runs FTP commands. We run Terminal Services, and what is happening is these commands are coming through on people's screens, into their e-mails and Word documents. As you can understand, users are getting extremely upset.

The problem is this. Every time we clean the virus off a computer, it takes around 30 minutes and it is back again, passed on from another computer. At the moment it has spread to around 50 of our company's PCs, with more happening all the time. So at the moment we can clear it but can't stop it from happening again.

This, however, is mostly happening on Win2K machines and not XP, which leads me to believe it is some security vulnerability. We have taken the following steps with no result.

Fully upgraded all Windows 2K machines with microsoft updates.
All machines have SP4
Updated McAfee with the absolute latest DATs and upgrades (McAfee has the worst customer support people in the business)
Ran virus scan, cleaned virus.

So as you can see, I have got the machines as up to date as I possibly can, but I still cannot stop it from re-appearing.

Has anyone dealt with this in the past and know how to stop it? At the moment I am just going around in circles getting nothing done.

Ideally I would like to find a patch to put on the systems that stops it from re-appearing, but I have been unsuccessful in finding anything.

Comments

    sprkymrk Member Posts: 4,884
    Well - here's a few things you should do for starters, if you can.

    First, research HOW it's reinfecting your machines. Is it getting in through the firewall? Do a netstat -ano on an infected machine to see what ports it may be active on and then block that at your border.

    Disconnect all your computers from the network. Reconnect only after everything on a subnet is cleaned, and only if you found out how it's getting into each machine and are able to stop it at your borders.

    Initiate full AV scans on all computers, not just the ones displaying symptoms.

    Here is Symantec's description. They have a different name for it than the McAfee name:
    W32.Kwbot.P.Worm is a worm that attempts to spread through file-sharing networks, such as KaZaA, iMesh, LimeWire, eDonkey2000, and Morpheus. It has Backdoor capabilities that allow a hacker to control a computer by using Internet Relay Chat (IRC). The existence of the file mscommand.exe is an indication of a possible infection.

    They recommend:
      Disable System Restore (Windows Me/XP). Update the virus definitions. Restart the computer in Safe mode or VGA mode. Run a full system scan and delete all the files detected as W32.Kwbot.P.Worm. Delete the value that was added to the registry.

    Here are the registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

    In the right pane, delete the value:
    "System Efficiency Monitor"="mscommand.exe"
    All things are possible, only believe.
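The `netstat -ano` step in the reply above is easier to act on when every socket is tied to the process that owns it and the suspicious ones are pulled out automatically. The following is an added example, not code posted in this thread: it parses the text output of `netstat -ano` and of `tasklist` (the `tasklist` format is from XP and later; on Windows 2000 you would take the PID-to-name mapping from Task Manager's PID column or from `tlist` in the Support Tools instead), joins them on PID, and flags sockets that belong to the indicator process named in the Symantec text (`mscommand.exe`) or that talk to an FTP or IRC port, since the original post describes FTP commands and the Symantec text describes IRC control. The port numbers 21 and 6667 are an assumption about what "FTP" and "IRC" mean on the wire, and both sample outputs are constructed, not captured from an infected host. A last helper checks a dictionary of Run-key values for the `"System Efficiency Monitor"="mscommand.exe"` indicator quoted in the reply.

```python
"""Triage helper for the netstat -ano step: added example, not code from the thread."""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local remote state pid")

# One line of `netstat -ano`: proto, local, remote, optional state, PID.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")

# One data row of `tasklist`: image name, PID, session name, session#, mem usage.
TASKLIST_LINE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+\s+K\s*$")

# Indicators taken from the thread: the file Symantec names, the Run value
# quoted in the reply, and the two services mentioned (FTP, IRC). Mapping
# those services to ports 21 and 6667 is an assumption of this example.
INDICATOR_PROCESSES = {"mscommand.exe"}
INDICATOR_PORTS = {21: "FTP", 6667: "IRC"}
INDICATOR_RUN_VALUE = ("System Efficiency Monitor", "mscommand.exe")

# Constructed sample of `netstat -ano` output (not from a real machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    10.1.2.30:1045         10.1.2.77:6667         ESTABLISHED     1408
  TCP    10.1.2.30:1047         10.1.2.99:21           ESTABLISHED     1408
  TCP    10.1.2.30:1050         10.1.2.12:3389         ESTABLISHED     1112
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed sample of `tasklist` output (not from a real machine).
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         8 Console                 0         28 K
svchost.exe                  776 Console                 0      3,112 K
mscommand.exe               1408 Console                 0      2,900 K
mstsc.exe                   1112 Console                 0      5,448 K
"""


def parse_netstat(text):
    """Return a Socket for every TCP/UDP row; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            sockets.append(Socket(m["proto"], m["local"], m["remote"],
                                  m["state"], int(m["pid"])))
    return sockets


def parse_tasklist(text):
    """Return {pid: image name (lower-cased)} from tasklist output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            pids[int(m["pid"])] = m["name"].lower()
    return pids


def port_of(addr):
    """Port number of 'host:port', or None for wildcards such as '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def flag_sockets(sockets, pids):
    """Return (socket, owner name, reasons) for every socket that hits an indicator."""
    findings = []
    for s in sockets:
        owner = pids.get(s.pid, "<unknown>")
        reasons = []
        if owner in INDICATOR_PROCESSES:
            reasons.append("owned by indicator process %s" % owner)
        rport = port_of(s.remote)
        if rport in INDICATOR_PORTS:
            reasons.append("remote port %d (%s)" % (rport, INDICATOR_PORTS[rport]))
        if reasons:
            findings.append((s, owner, reasons))
    return findings


def remote_ports_to_block(findings):
    """Remote ports the indicator process is talking to: candidates for a border block."""
    ports = {port_of(s.remote) for s, owner, _ in findings
             if owner in INDICATOR_PROCESSES and port_of(s.remote)}
    return sorted(ports)


def check_run_values(values):
    """Given {value name: data} read from the Run key, return entries matching the indicator."""
    name, data = INDICATOR_RUN_VALUE
    return [(k, v) for k, v in values.items()
            if k == name or v.lower().endswith(data)]


if __name__ == "__main__":
    sockets = parse_netstat(NETSTAT_SAMPLE)
    pids = parse_tasklist(TASKLIST_SAMPLE)
    findings = flag_sockets(sockets, pids)
    for s, owner, reasons in findings:
        print("%s %s -> %s pid=%d (%s): %s"
              % (s.proto, s.local, s.remote, s.pid, owner, "; ".join(reasons)))
    print("remote ports to consider blocking at the border:", remote_ports_to_block(findings))
    # Constructed Run-key contents: one benign value and the indicator value.
    print(check_run_values({"ctfmon.exe": "ctfmon.exe",
                            "System Efficiency Monitor": "mscommand.exe"}))
```

Run it against the real `netstat -ano` and `tasklist` output saved to files from an infected machine by reading those files into the two parse functions; the ports it reports are the ones to block at the border while the subnet is being cleaned, and the Run-key check is the quick way to confirm the persistence value is gone after a scan.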