Send the file to me in a password-protected zip. I have access to several AV vendors and can submit the file for analysis.

You may want to do more of an examination of your environment because I doubt it is simply that file... there are likely registry entries, etc. involved as well. Plus, as you said, you will want to identify the potential avenue of infection and also how this is spreading and what it is doing.

Have you isolated a known "infected" host on a stand-alone hub (with no other hosts on it, obviously) and run a sniffer (ethereal), port scan (nmap), security audit app (nessus), fport, filemon, etc. as well as several of the AV vendors' standalone tools? McAfee/NAI offers Stinger (http://vil.nai.com/vil/stinger/) and Trend Micro offers a System Cleaner (http://www.trendmicro.com/download/tsc.asp).

Just a few suggestions. Good luck.

-----Original Message-----
From: tclug-list-bounces at mn-linux.org on behalf of Jason Sievert
Sent: Tue 7/6/2004 3:01 PM
To: TCLUG Mailing List
Subject: [TCLUG] OT Virus help!!

Hey guys, my company is getting blasted with a virus that I can find nothing about. None of our latest virus scanners can seem to find it. It looks to be a single file, nortonav.exe, that is run at startup via the registry in Windows. It is choking our network to the point that nothing can be done at this point. The hardest hit seem to be Windows 2000. All of the computers do have the latest patches as of today. It does show up under the task manager as nortonav.exe. I am still trying to figure out how it gets in and what the traffic looks like. Has anybody seen anything like this???

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
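
The original post says nortonav.exe is started from the registry, and the reply suggests looking for the registry entries involved. As an added example (not from either poster), this Python script scans a regedit export for autostart values that launch that file name; the list of autostart keys and every value name and path in the sample are constructed assumptions, since the thread does not give them.

```python
import re

# Autostart keys checked here are an assumption: the thread only says
# "run at startup via the registry", not which key holds the entry.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
PROGRAM_RE = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)|(\S*)', re.I)

def executable_name(command):
    # Lower-cased file name of the program a command line starts,
    # handling quoted paths and unquoted paths that contain spaces.
    m = PROGRAM_RE.match(command.strip())
    program = next((g for g in m.groups() if g), "")
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_autoruns(reg_text, watch=("nortonav.exe",)):
    # Return (key, value name, command) for watched programs in autostart keys.
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)  # string values only; dword/hex are skipped
        if not m or key is None or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        # .reg string values escape backslash and double quote with a backslash
        name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if executable_name(command) in watch:
            hits.append((key, name, command))
    return hits

# Constructed sample export. A real regedit 5.00 export is UTF-16, so read it
# with open(path, encoding="utf-16").read() before passing it in.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Norton AV"="C:\\WINNT\\system32\\nortonav.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="\"C:\\Program Files\\Updater\\NortonAV.exe\" -q"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"path"="C:\\tools\\nortonav.exe"
'''
if __name__ == "__main__":
    for hit in find_autoruns(SAMPLE):
        print(hit)
```

Comparing the hits across an affected and an unaffected host shows which autostart entry is new, and the recorded path tells you where to collect the file from for submission.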