Virus Tools

Started by Lazybones, March 03, 2009, 09:48:25 PM

Lazybones

Now in week two of battling virus outbreaks on our network I thought I would share some things with you.

- The first round of infections started with a SINGLE file passing through two different vendors' AV systems and then being opened by a single user.

- The second round appears to have started by exploits in websites or forum software that dropped the trojans on to internal systems.

If you run a network, DO NOT depend on one vendor / engine, if you can have more than two.

1. www.VirusTotal.com
- Upload a file and it will test it with 39 different scanning engines and report the results; this is VERY handy if you have a suspect file that your current scanner didn't detect anything on. It is also a way to clearly see HOW FREEKING SLOW some vendors are and how little protection you may have.
- NONE of the single engine scanners seem to have done well with the files I have submitted over the last few weeks.
- One of my sample files was detected by only 30% of the engines!

2. Online Scanners
- http://onecare.live.com/site/en-us/default.htm Believe it or not, Microsoft is one of the very FEW vendors that have detected all 3 of the Trojans that have been floating around our network.

- http://housecall.trendmicro.com/
- http://www.kaspersky.com/virusscanner
- http://www.bitdefender.com/scan8/ie.html
- http://www.eset.com/onlinescan/

3. Offline scanning using a boot Device
- http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
- http://www.ubcd4win.com/ - complicated

PS: If you THINK you don't need antivirus software and you are running a windows OS on the internet and or a local network you are looking for trouble.

Thorin

It really sucks when you get an infection on a large network, hey?  So what virus did you get for round one?  And how did you trace it back to that one file?
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Lazybones

They were trojans so they did not spread too badly.

We traced the detection logs back to the earliest case on workstations, then checked our mail logs to find the initial point of infection.
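
Lazybones's tracing step above (earliest detection on workstations, then the mail logs for the delivery), as an added Python example that is not from the thread; the AV and mail log formats and all hosts, users, addresses and file names are constructed for illustration:

```python
from datetime import datetime, timedelta

# Constructed AV detection log: timestamp host user threat path (hypothetical format)
AV_LOG = """\
2009-02-23T14:05:11 WS-117 jsmith Trojan.Generic C:\\Docs\\invoice.exe
2009-02-23T15:40:02 WS-042 rlee Trojan.Generic C:\\Temp\\invoice.exe
2009-02-24T09:12:45 WS-203 mkhan Trojan.Generic C:\\Downloads\\setup.exe
"""

# Constructed mail-gateway log: timestamp recipient sender attachment (hypothetical format)
MAIL_LOG = """\
2009-02-23T13:58:30 jsmith@example.org billing@example.net invoice.exe
2009-02-23T13:59:10 rlee@example.org billing@example.net invoice.exe
2009-02-22T10:00:00 jsmith@example.org hr@example.org policy.pdf
"""

def parse_av(text):
    rows = []
    for line in text.splitlines():
        ts, host, user, threat, path = line.split(maxsplit=4)
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "user": user, "threat": threat, "path": path})
    return rows

def parse_mail(text):
    rows = []
    for line in text.splitlines():
        ts, rcpt, sender, attachment = line.split(maxsplit=3)
        rows.append({"ts": datetime.fromisoformat(ts), "recipient": rcpt,
                     "sender": sender, "attachment": attachment})
    return rows

def earliest_detection(av_rows, threat):
    """Patient zero candidate: the first workstation that logged this threat name."""
    hits = [r for r in av_rows if r["threat"] == threat]
    return min(hits, key=lambda r: r["ts"]) if hits else None

def find_delivery(mail_rows, det, window=timedelta(hours=24)):
    """Mail to the detected user carrying the same file name, shortly before detection."""
    fname = det["path"].rsplit("\\", 1)[-1].lower()
    cands = [m for m in mail_rows
             if m["recipient"].split("@")[0] == det["user"]
             and m["attachment"].lower() == fname
             and timedelta(0) <= det["ts"] - m["ts"] <= window]
    return max(cands, key=lambda m: m["ts"]) if cands else None

def trace_patient_zero(av_text, mail_text, threat):
    det = earliest_detection(parse_av(av_text), threat)
    if det is None:
        return None
    mail = find_delivery(parse_mail(mail_text), det)
    return {"host": det["host"], "user": det["user"], "first_seen": det["ts"].isoformat(),
            "delivered_by": mail["sender"] if mail else None}
```

The result names the first host, the user, and the sender of the message that carried the file; a missing sender means the file arrived some other way and the web-proxy logs are the next place to look.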

onceawhile

For trojans you should add ComboFix to the list:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Updated almost daily.
Did a great job removing while my scanner detected it but wasn't able to remove it.