Vobfus.gen Virus Thread

GreyWolf
Registered User
Posts: 4754
Joined: 06 Aug 2003, 02:00
Processor: PHENOM II 945
Motherboard: Asus M4A78
Graphics card: HIS ICEQ 4850 1GB
Memory: 4GB CORSAIR XMS II 1066
Location: , location, location!

Vobfus.gen Virus Thread

Post by GreyWolf »

Yo yo.

Sit-rep: we were brought down 2 days ago by the Vobfus.gen virus. It spreads over networks and external drives. It creates shortcuts of folders and files and completely messes up the directory structure. Our file server was completely FUBAR, but we managed to clean and restore off of a backup.

Or so we thought.

Seems the infection is still there, because there is a goezuc.exe file in the task manager that does not want to go away. It is not in the directory it says it is, and registry entries with it are impossible to delete.

Google is not helping.

Q: Has anyone here had an encounter with this virus? If so, can you help with some info on HTF to get rid of it?
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken
DeeVeeDee
Registered User
Posts: 172
Joined: 09 Apr 2010, 15:18

Re: Vobfus.gen Virus Thread

Post by DeeVeeDee »

How many users have you got connected to fileshares on your File server ?

Sometimes it won't help to recover from backup, because if there are PCs which are infected on the network,
it will copy itself to those shared folders on your file server as soon as they can connect to the shares.
(Yes, they are dormant, but I have managed to infect an uninfected server by double-clicking an icon which I thought was a folder,
even after I knew of these infecting exes.)

Start by making 100% sure you have turned off Autorun on your whole network including servers.

Schedule some downtime.
If your shares only contain data files such as .doc, .xls, etc., you can run del *.exe /s /q (use with caution),
or rather use dir /s /b *.exe to get a list of EXEs on the shares,
and scan all of your server's local drives using the local AV.

You should be able to stop the process you are talking about by creating a batch file which kills the process and then deletes it.
You can also use the registry to block a specified application.
You can also create a dummy file and lock it by removing permissions.

Once you know the server has no infections, when you look at the shared folders turn on the Owner column, and when a file has been created you should be
able to see which user is the owner of the infected files. (That's if it's a domain controller env.)


I know the feeling, especially if you work for a company which can't afford downtime.
You end up touching and going and firefighting what the virus has caused.

All you need to do is sit, get your stuff together, think of a plan on how you will go about it, then execute it :mrgreen:
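The inventory step above (list the EXEs on the shares, then use the Owner column to trace which client account wrote them) can be done in one pass. The script below is an added example, not code from the thread; it also flags the folder-lookalike shortcuts the original post describes. The share path and report location are assumptions; it is read-only and deletes nothing.

```powershell
# Added example (not from the thread): inventory a share for stray .exe files and
# folder-lookalike .lnk files, recording the NTFS owner of each so the infected
# client account can be identified. Share path and report path are assumptions.
param(
    [string]$SharePath = '\\FILESERVER\Data',            # assumed share name
    [string]$Report    = "$env:TEMP\share-inventory.csv" # assumed output path
)

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

$findings = foreach ($f in Get-ChildItem -Path $SharePath -Recurse -Force -File -ErrorAction SilentlyContinue) {
    $ext = $f.Extension.ToLowerInvariant()
    if ($ext -notin '.exe', '.lnk') { continue }

    # Owner is what the thread says to look at: on a domain it is the user/PC
    # whose session dropped the file onto the share.
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }

    $target = ''
    if ($ext -eq '.lnk') {
        try {
            $lnk    = $shell.CreateShortcut($f.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        } catch { }
        # A shortcut named like a sibling folder that launches an executable is
        # the "shortcut that looks like a folder" pattern from the original post.
        $sibling   = Join-Path $f.DirectoryName $f.BaseName
        $lookalike = (Test-Path -LiteralPath $sibling -PathType Container) -and ($target -match '\.exe')
        if (-not $lookalike) { continue }
        $kind = 'folder-lookalike shortcut'
    } else {
        $kind = 'executable on data share'
    }

    [pscustomobject]@{
        Kind    = $kind
        Path    = $f.FullName
        Target  = $target
        Owner   = $owner
        Created = $f.CreationTime
        Hidden  = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
    }
}

$findings | Sort-Object Owner, Created | Export-Csv -Path $Report -NoTypeInformation
# Per-owner counts point straight at the client(s) still seeding the share.
$findings | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize
"Report written to $Report"
```

Run it from a clean admin workstation against each share before the cleanup, then again after the clients are disinfected: any new rows with the same owner mean that client is still reinfecting the server.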
GreyWolf
Registered User
Posts: 4754
Joined: 06 Aug 2003, 02:00
Processor: PHENOM II 945
Motherboard: Asus M4A78
Graphics card: HIS ICEQ 4850 1GB
Memory: 4GB CORSAIR XMS II 1066
Location: , location, location!

Re: Vobfus.gen Virus Thread

Post by GreyWolf »

DeeVeeDee wrote:How many users have you got connected to fileshares on your File server ?

Sometimes it won't help to recover from backup, because if there are PCs which are infected on the network,
it will copy itself to those shared folders on your file server as soon as they can connect to the shares.
(Yes, they are dormant, but I have managed to infect an uninfected server by double-clicking an icon which I thought was a folder,
even after I knew of these infecting exes.)

Start by making 100% sure you have turned off Autorun on your whole network including servers.

Schedule some downtime.
If your shares only contain data files such as .doc, .xls, etc., you can run del *.exe /s /q (use with caution),
or rather use dir /s /b *.exe to get a list of EXEs on the shares,
and scan all of your server's local drives using the local AV.

You should be able to stop the process you are talking about by creating a batch file which kills the process and then deletes it.
You can also use the registry to block a specified application.
You can also create a dummy file and lock it by removing permissions.

Once you know the server has no infections, when you look at the shared folders turn on the Owner column, and when a file has been created you should be
able to see which user is the owner of the infected files. (That's if it's a domain controller env.)


I know the feeling, especially if you work for a company which can't afford downtime.
You end up touching and going and firefighting what the virus has caused.

All you need to do is sit, get your stuff together, think of a plan on how you will go about it, then execute it :mrgreen:

Wow... thanks m8. Will pass this on to our IT guys. Well, all of it except for the downtime, 'cos we have been down for 2 days, and the boss will not accept any more of it. :)
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken