Monday, April 09, 2007

Attack of the Virus

It was a typical Sunday. Easter lunch followed by a short trip home. No big deal. Before I could sit down to read the news, my cellphone rings. It's work. Hmmmm...I'm not on call. What could this be? So, despite my better judgment, I answer the phone.

"Hello?"

"Mike?"

"Yes."

"We have a problem." dut dut duuuuhhhhh

After a few minutes on the phone, I determined that I had to travel into the office. A virus had apparently infiltrated our formerly impenetrable network of firewalls and antivirus servers. A worm. An ugly little worm. And it was spreading...quickly, through all of our offices.

Obviously, the first question that comes to mind is: why didn't our antivirus catch this? Well, it appears this is a variation on a previous virus. We had last updated our definitions on April 4th. The update that would have caught this virus was put out on April 7th. Oops. One of the first things I noticed was that our Windows Server 2000 machines (yes, we still have them) were rebooting. Hmmm...so, I took them off the network and began applying Microsoft updates and antivirus updates. After some serious frustration, we were able to get them working again.

Then we attacked the Server 2003 machines and got them patched and working. Meanwhile, the antivirus server that would be pushing updates to all the client PCs was in quite a bit of turmoil. After some serious revamping, I was finally able to get it stable to the point that it was pushing updates out to the clients. After having this office and our southern command firmly under control, we began working on the outer offices. Eventually, we were able to get them stable and their antivirus servers to a point where they would push updates today.

Needless to say, this virus infiltration cost me 12 hours. I was here until 3:00 a.m. last night. But the reward is this morning, as our users log in none the wiser. While I still think we have remnants of the worm attempting to make its way around our offices, luckily our virus updates are being pushed before it can attack the machine. So far, not a single call. It seems to have targeted Windows 2000 and 2003 Server first though...but it attacked XP too. What great fun it was for all!

4 comments:

Anonymous said...

Owned!

I am shocked, *SHOCKED* to think that there are worms that aren't caught by a corporate AV engine. I submit for review, recent Email transaction between myself and Symantec.

I don't really intend to stop using Symantec products, but I was in total bitch mode at the time of writing.

-----------------------------------

Jason,

Thank you for your reply. Unfortunately, analysis took longer than expected,
as the Symbatchdiag attached to the case is not complete and appears to have been run through a terminal session.

Terminal sessions or changes to default user permissions are not recommended for installing or troubleshooting
any server class application. Avoiding these situations will alleviate most problems of this nature.

I will close your case.

Best regards,

Raymond Kundra
Product Support Analyst
Enterprise Support

Symantec Corporation
www.symantec.com


________________________________________
From: Jason Davis [mailto:]
Sent: Thursday, March 29, 2007 10:23 AM
To: Raymond Kundra
Subject: RE: Symantec Technical Support: Case ID 311-231-721

Sorry to be blunt, but the last Email I received from you was exactly four weeks ago. I find that completely obscene.

I won’t be using Symantec AV anymore for any of my small business clients. I’ve already formatted the affected PCs and can’t afford to waste any more time on this issue.

Jason


From: Raymond Kundra [mailto:]
Sent: Thursday, March 29, 2007 12:16 PM
To: Jason Davis
Subject: Symantec Technical Support: Case ID 311-231-721

Jason,

Has this issue been resolved?

Here is information received from your log submissions:

-----

This looks like it may be an OS/environmental issue.

The Symbatchdiag attached to the case is not complete and appears to have been run through a terminal session according to the Local_Data.txt file.
One of the attached JPG files also shows two recycle bins and two IE icons on the desktop.

The testsec that was gathered separately from the symbatchdiag showed that the user was a member of several groups.
Notes in the case indicate a request for the customer to log in as a member and ensure that they were not a member of any other group.

Please create a new user on the local machine and make sure the new user is ONLY a member of administrators and no other groups.

If the removal and install of Symantec AntiVirus does not complete and run correctly after logging in as the new user, please run symbatchdiag again and make sure that it includes the application and system event logs, testsec.htm is complete with good information, and that esuglpdu.html, GPO_Data.txt, Process_to_Path.txt information is complete.

Regards,


Raymond Kundra
Product Support Analyst
Enterprise Support

Symantec Corporation
www.symantec.com

Anonymous said...

Finally! It's your turn - and not mine for a change.

Mike said...

Well, just an update on it...it appears the threat is fully contained. At last count, we're down to maybe 50 machines that don't have the latest virus signatures...most of those just haven't been turned on for whatever reason. It didn't attack XP like it did the servers...and all the servers have been updated. Monday morning, no complaints about WAN speed, so I believe our efforts were successful. Whew!

Anonymous said...

mmm, crap support.
contact on the 13th of feb, then contact on the 1st of march, and then 29th of march.

no sense of urgency...