I'm troubleshooting a friend's Windows 2k3 file server (that I had setup for them a few weeks ago). It got infected by a tenga.gen virus and he's trying to clean it now but doesn't have a server anti-virus on hand.

However, in the long run, would it be recommended to try to clean the server and get all traces of the virus off or just do a wipe and reinstall?

Normally, I would recommend the wipe and reinstall with a new virus scan from the start and slowly migrate verified cleaned files back onto it, but I moved out of the area and can't help in person.

wag2639

2 Answers

Once code has been allowed to run with administrative privileges, the machine can no longer be trusted.

File listings, registry keys, network access - all can be compromised, and you wouldn't be able to tell from the machine itself.

You can hope that the virus isn't a bad one, and didn't do the very nasty things. But the only way to be sure is to reinstall.

Ian Boyd

  • +1: You can never really feel good about the machine again, after it's been compromised. Cleaning a file server is a special nightmare as well, because the infection could be anywhere. – Satanicpuppy Jul 20 '10 at 17:30
  • +1: It presents a nice opportunity to test your scripted/imaged OS deployment and backup restoration operations. :) – jscott Jul 20 '10 at 18:02
  • "I say we take off, and nuke the site from orbit. It's the only way to be sure." - very wise woman – wag2639 Jul 22 '10 at 05:27
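The question mentions migrating "verified cleaned files" back after the reinstall, and the answer above points out that nothing the compromised machine reports about its own files can be trusted. The following script, added here as an illustration and not part of the original thread, shows one way to do that verification from a clean machine: build a SHA-256 manifest from a trusted copy of the data (for example the pre-infection backup), compare the candidate copy against it, and flag any added or modified file that carries the `MZ` header of a Windows executable so it gets re-scanned before it goes near the rebuilt server. The directory layout and file contents in `demo()` are constructed sample data; the function and variable names are the example's own.

```python
"""Integrity check for files being migrated back to a rebuilt server.

Added example, not code from the original thread. Assumes a baseline
manifest (relative path -> SHA-256) was taken from a trusted copy of the
data, and that this comparison runs on a clean machine, never on the
compromised host itself.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large shares don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, forward-slash paths) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def looks_like_pe(path: str) -> bool:
    """True if the file starts with the 'MZ' DOS header that Windows executables carry."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def compare(baseline: Dict[str, str], candidate_root: str) -> Dict[str, Set[str]]:
    """Report added, missing and modified paths, plus changed files that look executable."""
    current = build_manifest(candidate_root)
    added = set(current) - set(baseline)
    missing = set(baseline) - set(current)
    modified = {p for p in baseline if p in current and current[p] != baseline[p]}
    suspect_exe = {
        p for p in added | modified if looks_like_pe(os.path.join(candidate_root, p))
    }
    return {"added": added, "missing": missing, "modified": modified, "suspect_exe": suspect_exe}


def demo() -> Dict[str, Set[str]]:
    """Constructed sample: a trusted copy, then a candidate copy with one altered PE file and one new file."""
    trusted = tempfile.mkdtemp()
    candidate = tempfile.mkdtemp()
    files = {
        "docs/report.txt": b"quarterly numbers\n",
        "tools/helper.exe": b"MZ" + b"\x00" * 60,  # minimal MZ-headed stand-in, not a real binary
    }
    for root in (trusted, candidate):
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
    baseline = build_manifest(trusted)
    # Simulate tampering in the candidate copy (constructed bytes, not malware).
    with open(os.path.join(candidate, "tools/helper.exe"), "ab") as f:
        f.write(b"appended")
    with open(os.path.join(candidate, "docs/new.txt"), "wb") as f:
        f.write(b"unexpected\n")
    return compare(baseline, candidate)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {sorted(paths)}")
```

In practice the baseline manifest should be written once from the trusted copy and stored off the server, and the candidate copy should be mounted read-only on the clean machine doing the comparison; anything in `suspect_exe` goes to a scanner, not to the new server.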
Given this analysis from Sophos, wipe and reinstall. It enables a remote command and control session, meaning anything else could be on there as well. So it's not just Win32/Tenga that you're worried about, but whatever else has been deployed subsequent to the infection.

K. Brian Kelley