Status: Closed
Case #: 10009
Affiliated Job: New Trier Township District 2031
Opened: Monday, February 1, 2010
Closed: Thursday, February 11, 2010
Total Hit Count: 29751
Last Hit: Wednesday, December 11, 2024 11:57:43 AM
Unique Hit Count: 7543
Last Unique Hit: Wednesday, December 11, 2024 11:57:43 AM
Case Type(s): Helpdesk, Development, Server
Case Note(s): All cases are posted for review purposes only. Any implementations should be performed at your own risk.

|
Problem:

Despite our Sophos Enterprise deployment, the Conficker virus penetrated our environment sometime around December or January. Helpdesk tried to battle the infestation; however, because many systems either did not have Sophos installed or had problems with the installation, the outbreak spread across the entire network. The virus appeared to stay within the local subnet in which it existed, so the servers remained unaffected.

On-Access scanning was enabled and Windows XP SP3 was installed across the network; therefore the effects of the virus were neutralized, but it could still spread to those machines without Sophos. The virus spreads by attempting to place a file into the Windows directory of a remote machine on the same subnet from an infected machine. It also attempts to create scheduled tasks that force the new file to run at various time intervals. Having On-Access scanning enabled keeps clean machines clean; but if a machine is already infected, a full scan is required.

Action(s) Performed:

Total Action(s): 1

Action #: 10038
Recorded Date: 2/11/2010 2:43:33 PM
Type: Development
Hit(s): 3966
User: contact@danieljchu.com
Details: Our first step was to gather information about the machines without Sophos, ...

Resolution:

Among the actions taken, the most useful was to force a run of the "Microsoft Windows Malicious Software Removal Tool." We did this through the Logon Script, which does the following:
- Copies mrt.exe locally
- Runs the mrt.exe scan
- Checks the final log created by the mrt scan for "Threat detected:"
  o If found, the log is copied out to the server into a "01-VirusFound" folder; also, if the words "the system needs to be restarted." are found in the log, the user is prompted to reboot
  o Otherwise the log is placed into "02-NoVirusFound" or "03-CouldNotRun", depending on whether the scan ran successfully

This script runs in the background without the user ever knowing, and the logs help to identify the machines requiring further attention. Using these reports we could determine which machines did or did not have Sophos and also identify the infected ones, which indicated that the antivirus agent would need to be installed on that system.
Code to Run MRT Scan [RunMRT.cmd]:

@ECHO OFF
ECHO Processing Microsoft's Malicious Software Removal Tool...

REM Archive the previous MRT log into mrt.org and clear the working files.
C:
CD \WINDOWS\DEBUG
type mrt.log >> mrt.org
del /F /Q mrt.log
del /F /Q mrt.txt

REM Stage Sleep.exe and mrt.exe in a scratch folder under the user's temp directory.
SET "MRTDIR=%USERPROFILE%\Local Settings\Temp\MRTSCAN"
C:
CD "%USERPROFILE%\Local Settings\Temp"
IF NOT EXIST MRTSCAN MKDIR MRTSCAN
CD MRTSCAN
del /F /Q mrt*.*
COPY /Y \\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\Sleep.exe
COPY /Y \\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\logon-scan\mrt.exe mrtv34.exe
SET PATH=%PATH%;%MRTDIR%;

IF EXIST "%MRTDIR%\mrtv34.exe" ( GOTO CONTINUE01 ) ELSE ( GOTO CONTINUE02 )

:CONTINUE01
REM Run the scan quietly; MRT writes its results to %windir%\debug\mrt.log.
call Sleep.exe 5
Start /wait mrtv34.exe /q

:CONTINUE02
REM Remove this machine's earlier result logs so the share reflects the latest scan.
REM del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log

REM Build mrt.txt (who ran the scan, when, and the MRT log) only if MRT produced a log;
REM otherwise no mrt.txt exists and the script falls through to the could-not-run branch.
C:
CD \WINDOWS\DEBUG
IF EXIST mrt.log (
    ECHO ----* > mrt.txt
    ECHO Scan Run By: %USERNAME% completed at %DATE%, %TIME% >> mrt.txt
    ECHO ----* >> mrt.txt
    type mrt.log >> mrt.txt
    type mrt.txt >> mrt.org
    del /F /Q mrt.log
)

IF EXIST "C:\WINDOWS\DEBUG\mrt.txt" ( GOTO CONTINUE03 ) ELSE ( GOTO CONTINUE04 )

:CONTINUE03
REM Classify the result by the log contents. IF NOT ERRORLEVEL 1 is used instead of
REM %errorlevel%==0 because %errorlevel% inside a parenthesized block is expanded
REM before the block runs and would not reflect the second findstr.
findstr /n /c:"Threat detected:" "C:\WINDOWS\DEBUG\mrt.txt" >nul
IF NOT ERRORLEVEL 1 (
    copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log
    findstr /n /c:"the system needs to be restarted." "C:\WINDOWS\DEBUG\mrt.txt" >nul
    IF NOT ERRORLEVEL 1 (
        REM Write a VBScript that asks the user whether to reboot now; 4 = Yes/No buttons, 6 = Yes.
        > "%MRTDIR%\usermessage.vbs" ECHO ON ERROR RESUME NEXT
        >> "%MRTDIR%\usermessage.vbs" ECHO Dim Answer
        >> "%MRTDIR%\usermessage.vbs" ECHO Set wshShell = CreateObject( "WScript.Shell" ^)
        >> "%MRTDIR%\usermessage.vbs" ECHO Answer = MsgBox ( "A scan performed at logon has discovered & cleaned" ^& vbCrLf ^& _
        >> "%MRTDIR%\usermessage.vbs" ECHO "a virus found on this machine [%COMPUTERNAME%]." ^& vbCrLf ^& _
        >> "%MRTDIR%\usermessage.vbs" ECHO "Please reboot at your next opportunity, to reboot" ^& vbCrLf ^& _
        >> "%MRTDIR%\usermessage.vbs" ECHO "now click 'Yes.' Otherwise, to reboot later, simply click 'No.'" ^& vbCrLf ^& _
        >> "%MRTDIR%\usermessage.vbs" ECHO "Thank you for your assistance! - NTHS Help Desk.", 4, _
        >> "%MRTDIR%\usermessage.vbs" ECHO "New Trier: Help Desk" ^)
        >> "%MRTDIR%\usermessage.vbs" ECHO If Answer = 6 Then wshShell.Run "shutdown -r -f -t 20", 0, false
        WSCRIPT.EXE "%MRTDIR%\usermessage.vbs"
        DEL /F /Q "%MRTDIR%\usermessage.vbs"
    )
) ELSE (
    copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log
)
del /F /Q mrt.txt
GOTO END

:CONTINUE04
REM No mrt.txt was produced: record whatever log material exists under 03-CouldNotRun.
SET "OUTLOG=\\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log"
IF EXIST "C:\WINDOWS\DEBUG\mrt.log" (
    ECHO ----* > "%OUTLOG%"
    ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> "%OUTLOG%"
    ECHO ----* >> "%OUTLOG%"
    type %windir%\debug\mrt.log >> "%OUTLOG%"
) ELSE (
    IF EXIST "C:\WINDOWS\DEBUG\mrt.org" (
        ECHO ----* > "%OUTLOG%"
        ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> "%OUTLOG%"
        ECHO ----* >> "%OUTLOG%"
        type %windir%\debug\mrt.org >> "%OUTLOG%"
    ) ELSE (
        ECHO ----* > "%OUTLOG%"
        ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> "%OUTLOG%"
        ECHO mrt.log, .txt or .org file does not exist >> "%OUTLOG%"
        ECHO ----* >> "%OUTLOG%"
    )
)
:END
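The logon script above sorts each machine's result into one of three folders on the server, and the write-up says those folders were what the helpdesk used to decide which machines needed attention. As an added example (not code from the case or from the district), the Python below re-implements the script's classification rules on the collected log text: "Threat detected:" means a virus was found, "the system needs to be restarted." (checked only when a threat was found, as in the script) means a reboot is pending, and no log at all means the scan could not run. It then rolls the per-machine results up into the kind of report the text describes. The folder names are the script's own; the computer names, user name, log text and the detection name are constructed samples, and load_logs assumes a folder of <computername>.log files as the script writes them.

```python
"""Triage per-machine MRT result logs collected by a logon script (added example)."""
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Folder names used by the logon script's result share
VIRUS_FOUND = "01-VirusFound"
NO_VIRUS_FOUND = "02-NoVirusFound"
COULD_NOT_RUN = "03-CouldNotRun"

# Markers the logon script searches for with findstr
THREAT_MARKER = "Threat detected:"
REBOOT_MARKER = "the system needs to be restarted."


@dataclass(frozen=True)
class Triage:
    computer: str
    folder: str
    threats: Tuple[str, ...]
    reboot_required: bool


def classify_log(computer: str, log_text: Optional[str]) -> Triage:
    """Apply the logon script's rules to one machine's mrt.txt contents.

    log_text is None when no log was produced (the script's could-not-run case).
    The reboot marker is only checked when a threat was found, as in the script.
    """
    if log_text is None:
        return Triage(computer, COULD_NOT_RUN, (), False)
    threats = tuple(
        line.split(THREAT_MARKER, 1)[1].strip()
        for line in log_text.splitlines()
        if THREAT_MARKER in line
    )
    if not threats:
        return Triage(computer, NO_VIRUS_FOUND, (), False)
    return Triage(computer, VIRUS_FOUND, threats, REBOOT_MARKER in log_text)


def triage_all(logs: Dict[str, Optional[str]]) -> List[Triage]:
    """Classify every machine; None values stand for machines with no log."""
    return [classify_log(name, text) for name, text in sorted(logs.items())]


def load_logs(folder: Path) -> Dict[str, str]:
    """Read <computername>.log files from one share folder (assumed layout)."""
    return {p.stem: p.read_text(errors="replace") for p in folder.glob("*.log")}


def summarize(results: List[Triage]) -> dict:
    """Roll the per-machine results up into the report the helpdesk worked from."""
    return {
        "counts": dict(Counter(r.folder for r in results)),
        "needs_reboot": sorted(r.computer for r in results if r.reboot_required),
        "needs_attention": sorted(r.computer for r in results if r.folder != NO_VIRUS_FOUND),
        "threat_names": sorted({t for r in results for t in r.threats}),
    }


# Constructed sample logs in the header format the script writes; the detection
# name is a placeholder, not a real MRT log line.
SAMPLE_LOGS: Dict[str, Optional[str]] = {
    "LAB-PC-01": (
        "----*\nScan Run By: user1 completed at Thu 02/11/2010, 14:43:33\n----*\n"
        "Threat detected: Worm:Win32/SamplePlaceholder\n"
        "Removal requires a reboot: the system needs to be restarted.\n"
    ),
    "LAB-PC-02": "----*\nScan Run By: user2 completed at Thu 02/11/2010, 14:50:10\n----*\nNo infection found.\n",
    "LAB-PC-03": None,
    "LAB-PC-04": "----*\n----*\nThreat detected: Worm:Win32/SamplePlaceholder\nRemoval complete.\n",
}

if __name__ == "__main__":
    for key, value in summarize(triage_all(SAMPLE_LOGS)).items():
        print(f"{key}: {value}")
```

Run against the real share, one call to load_logs per folder gives the text for machines that produced a log, and every machine name present in 03-CouldNotRun (or absent from all three folders) can be passed as None so it lands in needs_attention alongside the infected ones.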