Severe Virus Problem on Windows Small Business Server 2003 SP2 32-bit

    Question

  • Hi,

    We are using Windows SBS 2003 SP2 32-bit for production purposes. This server is primarily used as Application Server to run IIS based applications.  We have McAfee Anti-virus running on this server. We also access this server through Remote Desktop and for FTP.

    For the last few days, we have had very strange behavior on this server. As soon as this server is plugged into the network, within 3-5 minutes the internet goes down for the entire network, and the moment we unplug this server from the network, the internet works.

    Symptoms

    (1) McAfee Anti-virus has stopped working.

    (2) A folder is created on C:\ with the name Shortcut to McAfee, and inside that another folder is created, AcidBurn1.

    (3) Tons of junk files are copied inside this folder. The size of these files goes up to 10-40 GB.

    (4) We see a few new services created automatically in Services Manager, namely sssXXXXXXX, and a few services with junk characters in their descriptions. Please click the following link to view the screenshot of Services (PNG file is linked).

    What we have already tried

    (1) Malwarebytes Anti-malware software runs and re-runs in normal and safe mode

    (2) Windows Malicious Software run (normal and safe mode)

    (3) Tried to monitor network activity & event viewer but nothing odd found there and since the server brings down internet in 3-5 minutes after logging in, it is difficult to get any real clue.

    (4) Tried to start /enable McAfee but does not work

    (5) Isolated this server from the network and disabled all Remote Desktop / FTP related ports, but still no success; the server still brings the internet down in 3-5 minutes.

    We have no idea about what this virus is and we would like to get some help on this issue.  We are ready to purchase a network security solution to resolve this problem for now as well as protect our network against such attacks in future.

    Any help will be highly appreciated.

    Thanks

    Vaibhav

    • Moved by Tim Quan (Moderator) 28/Rabi' al-Awwal/1432 07:02 AM (From: Security)
    26/Rabi' al-Awwal/1432 05:47 AM

All replies

  • 1. I would have reinstalled the compromised system. You never know if it was really cleaned until you format and reinstall. Do not retain ANY executable from the infected server; reinstall everything from scratch. Otherwise you are going to fight the virus consequences for ages.

    2. Please revise the service usage pattern - for example, FTP is not secure by design. It could be that someone from the Internet was able to monitor your FTP traffic and hacked into the system.

    3. Do not rely on antiviruses as the primary antimalware measure. Antiviruses cannot beat the viruses; it's a matter of fact. Consider revising Administrators group membership (no more than 2-3 accounts), always keep the system and applications up to date, and implement Software Restriction Policies to prevent malware from running. Remember that no firewall stops malware that comes from users/administrators and their flash drives/downloads/RDP sessions/etc.


    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
    26/Rabi' al-Awwal/1432 07:11 AM
  • Hi Vaibhav, if you need more help with virus-related issues, please contact Microsoft Product Support Services.

    Visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates.

    For support outside the United States and Canada, visit the Product Support Services Web page (<http://support.microsoft.com/?pr=SecurityHome>).


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by James Xiong (Moderator) 14/Jumada al-Ula/1433 03:56 AM
    • Unproposed as answer by James Xiong (Moderator) 14/Jumada al-Ula/1433 03:56 AM
    • Edited by James Xiong (Moderator) 14/Jumada al-Ula/1433 03:56 AM PCSafety Center update
    02/Rabi' al-Thani/1432 01:08 AM
    Moderator
  • Hi,

    Thanks for your input.

    Based on your suggestions, we are in the process of outlining certain service / usage restrictions to make sure that server is not compromised in future.

    -Vaibhav

    17/Rabi' al-Thani/1432 05:28 AM