2

We have a problem with a network virus that spread through our network and most computers have been infected.

What should I do to remove the virus? Installing anti-virus software and scanning did not remove the virus. So I want to set up Remote Installation Service and install Windows XP on each client and deploy the Symantec anti-virus client to protect against viruses. How can I be sure that my server doesn't include a virus?

So please tell me the best and most efficient way to remove the virus from all computers.

Thanks

Dennis Williamson
user19049

5 Answers

7

Slash-and-burn. Just start reinstalling, making sure your installers aren't infected. There's no other way to get a well-written virus out.

While you're at it, set something up to quickly re-image machines. You'll need it again :)

Bill Weiss
  • Agreed... that's the standard. There is no magic pill or easy answer for you... once your system is compromised it's time to format and reinstall. – cop1152 Sep 01 '09 at 19:58
  • +1 - Vigorous agreement. Compromised operating system installations are untrustable operating system installations unless you have a mechanism like "Tripwire" to ensure that OS binaries are unmodified. – Evan Anderson Sep 01 '09 at 21:10
  • And where do you run tripwire from? The known-bad machine? :) – Bill Weiss Sep 01 '09 at 21:25
  • "I say we take off and nuke the entire site from orbit. It's the only way to be sure." - Ripley – Chris Nava Sep 02 '09 at 04:51
  • Remember to disconnect machines from the network when you slash and burn. Otherwise, the newly installed machines may get re-infected by the old machines. Isolation is key. – sybreon Sep 02 '09 at 08:29
  • @Bill: You run Tripwire from a known good operating system media. Back in the 'day you might have run it from the bootable tape that the OS came on. Today, it'd be something like a bootable CD / DVD with a known-good OS distro on it. – Evan Anderson Sep 02 '09 at 18:42
  • @Evan: I know. I just can count the number of sites I've seen doing it "right" on one hand... maybe without much flexibility :) – Bill Weiss Sep 02 '09 at 22:31
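Editorial addition, not part of the original thread: Bill's "making sure your installers aren't infected" and the asker's "how can I be sure my server doesn't include a virus" come down to the same check, so here is a worked version of it. The script builds a SHA-256 manifest of an installer tree (the RIS share, the Windows XP i386 folder, the antivirus package) on a known-good machine and later verifies a copy of that tree against it, reporting modified, missing and extra files. The directory layout and file names are hypothetical and the tree is constructed in a temp directory so the script runs offline. As Evan's and Bill's exchange says, the verification is only worth anything if it runs from a known-good OS, not from a suspect host, and the manifest has to be stored somewhere the infected network cannot rewrite.

```python
"""Verify an installer tree against a known-good SHA-256 manifest.

Added example, not from the original thread. Paths, file names and the
sample tree are hypothetical; the tree is constructed in a temporary dir.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB chunks so large ISOs do not load into RAM


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every relative path under root to its SHA-256 digest.

    Run this on the known-good machine against media you trust, then keep
    the manifest off the suspect network (read-only media, or a printout)
    so an infected host cannot rewrite it to match tampered files.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_tree(root, manifest):
    """Compare a tree against a manifest.

    Returns sorted lists under 'ok', 'modified', 'missing' and 'extra'.
    'extra' matters as much as 'modified': a dropper placed next to
    setup.exe or a new autorun.inf is an added file, not a changed one.
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    for key in ("ok", "modified", "missing"):
        result[key].sort()
    return result


def is_clean(result):
    return not (result["modified"] or result["missing"] or result["extra"])


def demo():
    """Constructed scenario: a good tree, then the same tree after tampering."""
    root = tempfile.mkdtemp(prefix="ris_share_")
    try:
        files = {  # hypothetical RIS share contents
            "i386/setup.exe": b"original installer bytes",
            "i386/layout.inf": b"[Version]\nSignature=$Windows NT$\n",
            "sav/Symantec.msi": b"original antivirus package",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_tree(root, manifest)

        # Simulate an infected share: patched installer, deleted AV package,
        # and an autorun.inf dropped in the root to launch it.
        with open(os.path.join(root, "i386/setup.exe"), "ab") as f:
            f.write(b"\x90" * 16)
        os.remove(os.path.join(root, "sav/Symantec.msi"))
        with open(os.path.join(root, "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\nopen=i386/setup.exe\n")
        tampered = verify_tree(root, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    good, bad = demo()
    print("known-good tree verifies:", is_clean(good))
    for key in ("modified", "missing", "extra"):
        print(f"{key}: {bad[key]}")
```

In practice you would generate the manifest once from the vendor media (or compare against the vendor's published hashes where they exist), burn it to read-only media together with the installers, and run the check from a clean boot environment before every re-image run, since a RIS server that was itself on the infected LAN is exactly the machine that cannot vouch for its own files.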
6

Do the Internet and yourself a favor, disconnect your LAN NOW. This prevents many things that will make your job harder:

  1. disconnects your botnet slaves from their controllers
  2. malware loaders phoning home (so to speak) for more trojans to download
  3. spam forwarding
  4. limits infection vectors (finding more targets to go after)
  5. prevents further uploads of your confidential information

Shut down all infected or suspect computers, as in, power them off.

Start with, or make a known good machine, either by re-installing it or unpacking it. Harden it. Make another if you have someone working with you, so you each have one to work from. Attach them to the Internet or the LAN, but never both (for now). Now you have a computer to work from.

Start with all your managed network equipment, routers, switches, firewalls and gateways. Make sure there are no hacks installed. Harden them. Now you have a LAN you can work on.

Disinfect suspect computers aggressively. The preferable method is re-imaging. If you are not prepared for this, re-install and restore backups. If you are not prepared for this, try pulling the hard drives and attaching them via USB adapter to the known good machine(s). The key point is, it is difficult to disinfect a computer while malware is live. If you are working with a bootable disk in a non-bootable format, there is no live malware fighting your efforts.

Once you get to volume disinfecting/reinstallation, call in help. Temps, shipping/receiving clerks, admin assistants, interns, power users; if you tell management it will cut time, they'll find someone to help you. Just having someone grab computers and put them all in a row will save you time to focus on the hard stuff.

kmarsh
2

Bill is right. You'll spend a LOT more time trying to "fix" this than you would adopting a more aggressive policy.

  • Disconnect your RIS/antivirus server from the network
  • Format and reinstall (it's the only way to be sure)
  • Format and re-connect additional machines to the 'clean' network one at a time
  • At no time should you expose 'clean' computers to those that you know are infected

Beforehand, you may want to take a very close look at how this happened in the first place. Do you have a firewall between your network and the Internet? Do you have users connecting over VPN from their (virus-ridden) home computers? What are the chances that your users are disabling local antivirus? Do you have a DMZ separate from your LAN where Internet-facing servers (such as web servers) reside?

Kara Marfia
0

If your gateway allows traffic analysis, it could be very helpful in finding (some of) the infected machines.

quaie
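Editorial addition, not part of the original thread: a worked example of the traffic analysis quaie suggests, written against the symptoms kmarsh lists (bots phoning home to a controller, spam forwarding, and hosts hunting for more targets). Given gateway connection logs it flags internal hosts that speak SMTP directly to many external peers, hosts that contact one external peer:port at clockwork intervals, and hosts that touch many internal machines on the SMB ports. The log format, the internal subnet, the mail relay address and the thresholds are all assumptions, and the log lines are constructed inline so the script runs offline.

```python
"""Pick out likely infected hosts from gateway connection logs.

Added example, not from the original thread. The log format, the
internal range, the relay address and all thresholds are assumptions;
the log lines are constructed below so the script runs offline.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")          # assumed workstation subnet
MAIL_RELAYS = {ip_address("192.168.10.5")}   # assumed: the only host that may send SMTP out

SMTP_DST_MIN = 10    # distinct external SMTP peers before a host looks like a spam bot
SCAN_DST_MIN = 20    # distinct internal SMB peers before a host looks like it is scanning
BEACON_MIN = 6       # contacts with one peer:port before gap regularity is judged
BEACON_MAX_CV = 0.2  # stdev/mean of the gaps; check-ins to a controller are very regular

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one hypothetical gateway log line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"], "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"])}


def find_suspects(lines):
    """Return {source IP: [finding, ...]} for internal hosts that look infected."""
    smtp_peers = defaultdict(set)   # src -> external hosts it delivered mail to
    smb_peers = defaultdict(set)    # src -> internal hosts it touched on 139/445
    contacts = defaultdict(list)    # (src, dst, dport) -> timestamps of outbound contacts

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in LAN:
            continue  # only traffic originating from our own hosts matters here
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        internal_dst = dst in LAN
        if rec["proto"] == "TCP" and dport == 25 and not internal_dst:
            smtp_peers[src].add(dst)
        if rec["proto"] == "TCP" and dport in (139, 445) and internal_dst:
            smb_peers[src].add(dst)
        if not internal_dst:
            contacts[(src, dst, dport)].append(rec["ts"])

    findings = defaultdict(list)
    for src, peers in smtp_peers.items():
        if src not in MAIL_RELAYS and len(peers) >= SMTP_DST_MIN:
            findings[src].append(f"spam forwarding: SMTP to {len(peers)} external hosts")
    for src, peers in smb_peers.items():
        if len(peers) >= SCAN_DST_MIN:
            findings[src].append(f"lateral scanning: SMB to {len(peers)} internal hosts")
    for (src, dst, dport), stamps in contacts.items():
        if len(stamps) < BEACON_MIN:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_CV:
            findings[src].append(
                f"beaconing: {len(stamps)} connections to {dst}:{dport} every ~{mean:.0f}s")
    return {str(k): v for k, v in findings.items()}


def constructed_log():
    """Hypothetical log: a spam bot, a beaconing bot, a scanner, a clean host, the relay."""
    t0 = datetime(2009, 9, 1, 9, 0, 0)
    lines = []

    def add(t, proto, src, sport, dst, dport):
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ALLOW {proto} {src}:{sport} -> {dst}:{dport}")

    for i in range(30):  # .21 delivers mail straight to 30 different external MXs
        add(t0 + timedelta(seconds=7 * i), "TCP", "192.168.10.21", 40000 + i, f"198.51.100.{i + 1}", 25)
    for i in range(10):  # .22 checks in with one external host every 60 s
        add(t0 + timedelta(seconds=60 * i), "TCP", "192.168.10.22", 41000 + i, "203.0.113.5", 8080)
    for i in range(40):  # .23 walks the subnet on port 445
        add(t0 + timedelta(seconds=i), "TCP", "192.168.10.23", 42000 + i, f"192.168.10.{100 + i}", 445)
    for i, gap in enumerate((0, 13, 41, 95, 120, 200, 203, 400)):  # .24 browses irregularly
        add(t0 + timedelta(seconds=gap), "TCP", "192.168.10.24", 43000 + i, f"192.0.2.{i % 3 + 1}", 80)
    add(t0 + timedelta(seconds=30), "TCP", "192.168.10.24", 43100, "192.168.10.5", 25)  # mail via relay
    add(t0 + timedelta(seconds=35), "TCP", "192.168.10.5", 50000, "198.51.100.200", 25)  # relay's job
    lines.append("2009-09-01 09:05:00 kernel: link up")  # unrelated line, skipped by the parser
    return lines


if __name__ == "__main__":
    for host, notes in sorted(find_suspects(constructed_log()).items()):
        print(host, "->", "; ".join(notes))
```

Two caveats worth keeping in mind: the beaconing rule will also light up anything legitimately periodic (NTP, monitoring agents, a mail client polling a remote server), so feed it an allow-list of known services before acting on it; and, as quaie says, this finds only some of the infected machines, the ones whose traffic happens to cross the gateway while you watch, so a clean bill from the log is not a clean bill for the host.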
0

Use your virus detector and HijackThis to scan each system. The ones that are infected should be re-installed. After installation put "Windows Defender" on them and the virus program asap.

djangofan