DevNetwork Forums

[chillpill_rohit]

Check this out guys.........the virus is evidently Win32/Virut.AC which is appearing on a more common basis..........when i googled for it......i found out this

Name W32/Virut-W
Type

* Virus

How it spreads

* Infected files

Affected operating systems

* Windows

Side effects

* Allows others to access the computer

Aliases

* Win32.Virut.av
* PE_VIRUT.AV
* Win32/Virut.AC

Protection

* Download virus identity (IDE) file

and further


This section is for technical experts who want to know more.

W32/Virut-W is a virus for the Windows platform.

W32/Virut-W attempts to hook the operating system and infect files with an EXE or SCR extension.

W32/Virut-W may also attempt to connect to a remote IRC server, and may download and execute further files if instructed to do so.

W32/Virut-W may modify the following registry entry in order to bypass the Windows firewall:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List


now doesn't it make sense to our problem? Surely it does.......very importantly it "attempts to connect to a remote IRC server, and may download and execute further files if instructed to do so."

which is what we all were fearing about.........so its not that our computers are affected but some other computers on our own network are infected and causing us this problem........

So slowly the things are getting into right places and the puzzle is getting solved........... I had promised you all about the solution and here it is...... only because our cable operator and his tech team gave us all the needed support we were able to solve this nuisance..... HATs OFF to them !

Regards,
Rohit Jain.

[chillpill_rohit]

And 1 more thing we need to understand....... the infected computers need not be connected to the internet when they are creating this havoc........this is what we have found out.......... there mere presence on the LAN is enuff to start the broadcasting and clogg the server........... so dont be under the assumption that there PCs must be connected to internet when they are broadcasting............ and this is quiet simple to xplain also coz once these PCs have that Win32/Virut.AC virus it downloads hosts of other trojans from the remote servers and than start sending heavy arp requests..........so now even if the net is disable these machines are already infected enuff to clogg the entire network once they are ACTIVE and into the LAN..........

[Merge9]

Brilliant!!! Fantastic work Rohit. I really appreciate you figuring this one out. You are correct. We have three computers on my home wireless network and two of them were showing that injected line - the third one (my girlfriends) was not. Doing the network sniff showed it was her computer sending out the signal. We cut her from the network and it injected script disappears. Turns out her virus protection had runout so she was totally open to attack. So at least we have pinpointed it. I have downloaded the virus software you recommend and am scanning her system now. Will this be enough to get rid of the virus?? or are others measures needed to clear it? Interestingly enough hijackthis showed up nothing on her computer.

Again my thanks Rohit - you have done many people a great service.

[chillpill_rohit]

Dude its not only me re............its because of our collective measures............like me many people had left their own work and started to sneak into this problem...........special thanks to Anjanesh to start this thread and actually informing us abt this problem........also my local cable operator and his tech team esp MR. Shine helped us a lot to pin point such computers who were sending such heavy broadcast to the server.............so as i mentioned its all our efforts (and not a single person's) that made this problem solved
And i hope many other affected networks also follow this thread and try this solution out and post here there experiences...............That will help us understanding this problem in more detail.....

Regards,
Rohit Jain

[chillpill_rohit]

I have downloaded the virus software you recommend and am scanning her system now. Will this be enough to get rid of the virus?? or are others measures needed to clear it?

The updated version of Nod32 (and in that case any of the other good antivirus like Kaspersky which have now issued updates relating to this problem) will solve ur problem...........and i also recommend u to use NoAdware tool or Spybot (both updated) which is very much successful in finding out various adwares and other malwares infecting the PC.............and yhea do me 1 favour ..........post the logs of the virus scan which ull do on the infected computer as it may help in generalizing the problem further more............

And most of all use FireFox and not Internet Explorer for web surfing.........as Anjanesh had pointed out correctly IE is capable of activating the ActiveX objects (also mentioned in the decoded JS) which is not possible in FireFox.........so its better u go for FireFox as ur browser rather than IE.........

[anjanesh]

This is exactly whats happening :

The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a Denial of Service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

[yochints]

unfortunately my local cable and ISP guys are almost on the verge of giving up ! i have had detailed meetings with them but the local cable network in my area is in a mess, since there is hardly any tagging or control on the connections. I have given them a few suspicious IP addresses (which we found using a packet sniffer), but due to limited resources they are finding it very tough to track them down. the ip's and mac addresses could have been remotely disabled if only the main switches over here were managed, but the local cable guys refuse to support the purchase of one !

let's c how it progresses anyways

[anjanesh]

yochints - are you the only one facing net issues ? Or are others complaining ?

[VladSun]

Finally, it appears to be a virus - so it's a local issue. You can't expect that there are a lot of people in this forum who faced this problem. The bad thing is that the virus uses the switched environment weaknesses to interact with other PC in it - so it's needed just one PC to be infected.

I've never used an AV software on my PC (both Linux and Windows OS) - I use just a firewall - almost every virus nowadays performs some network activity which is easy to detect with modern firewalls.

[yochints]

anjanesh

No, my entire area network (2 suburbs) is facing the problem. There are multiple ISP's including Sify, Tata and Pacenet. All local customers have complaint. I am discussing with my local cable engineers from Tata and Sify on a daily basis. They debug from my office only, since the main switch is located in my building. These engineers are so frustrated due to poor support from the cable guys and the company and the huge number of complaints that a couple of them have already given their resignations !

The network is very unorganised. There is no single person or company willing to take responsibility. Its quite a mess. There was a managed switch which got stolen a few weeks back. Since then the engineers face a tough time, since they are using an unmanaged switch which makes tracking very difficult if the team is small.

[VladSun]

There are *very* cheap switches that are not vulnerable to ARP spoofing/poisoning/flooding. The switch has N ports, N-1 are downlink (i.e. connected to the users or other switches) and one uplink port (i.e. connected to one of the "downlink" ports of the previous switch). Also, downlink ports can be "locked" tow work only with the first seen MAC address. In a LAN that consist only of this type of switches, a user can only "see" the gateway and nothing else.

These switches are sold here for about 30$.

[chillpill_rohit]

Guys we can solve the probs without a manageable switch.......even my cable operator didnt have a managealbe switch still we managed to get rid of the infected PCs on our network......actually today i aint feeling well....so cant be on PC for longer time.....yochints just call me up and ill tell u what xactly we did........im sorry for this but im really helpless today.......

[chillpill_rohit]

Hey people i got hosts of other important network sniffing softwares.......

chck them out.....they rock man.........ehtersnoop looks too rudimentary in front of them

http://www.filesland.com/download/arp.html

im analysing them in detail and its making our job much easier to find out the broadcast causing PCs..........

Regards,
Rohit Jain
(no more an affected user )

[ciesnet]

I am the local Cable Operator chillpill_rohit is talking about.

GIven below is a simple procedure that our network with the help of Rohit and some invaluable input from Anjanesh (who devoted his valuable time coming down to Andheri - a suburb in Mumbai - last sunday) and together brainstormed into finding a solution. Below is how we proceeded thereafter.

Ours is a multi ISP network, being serviced by Sify, Pacenet, IOL Broadband, IN Cablenet, Tata and Syscon Technologies. Interestingly. we were getting network disconnection problems only in the IOL Broadband network, and so our primary suspicion was on users who had taken packages from IOL, and to a greater extent the ISP and the servers deployed therein. Also, we do not use managable switches.

Our first test was disconnecting the netire network and isolating one PC and connecting it directly with the feed from the ISP. When we did that, we realised that the injected javascript just disappeared. We loaded the network and connected my machine again from the network switch, and voila, the javascript and the disconnections appeared.

This atleast gave us a direction so as to where to look into.

Next, with the help of Rohit, and our tech team, we started seeking out machines showing unusual behaviour. What we discovered is that some machines were showing extremely high ARP requests, Since our network has a log of which ips are given to which users, and the sniffers gave us indications of which ip addresses are throwing ARP requests, we simply identified the users, and our tech team visited their place.

When we visited the first place, what we found is that that machine was NOT using any anti-virus protection. We installed a Trial Version of NOD 32 (they have a fully working 30 day trial version, can be downloaded from http://www.eset.com)

When we installed NOD 32 on his system and scanned his system , we discovered around 1700 milacious infections (including variants of trojans). We got a log file from the machine in order to study whether ADS.EXE or ADS.JS was found.

Though there was no trace of any such file, we discovered, that the moment the machine got clean, the ARP request stopped comming from that machine declogging the network. For almost an hour, the network was absolutely clear, when we noticed the js appearing again.

We followed the same procedure again, and we discovered 2 more ip addresses - following the same pattern. We isolated the machines from the network, and installed and sacnned their machines using NOD 32, and the ARP requests stopped comming from those machines.

From Sunday - January 20, 2008 through today, January 23, 2008, we managed to identify around 11 machines.

What we found was -

of the 11 machines, 6 of them DID NOT HAVE ANY ANTI VIRUS
3 of them had a NON UPDATED Antivirus - as good as having no Anti virus
and 2 of them having some free antivirus which could not detect any viruses, which were detected when e installed NOD 32.

Our procedure was simple. Identify rogue ips, isolate machines of those ips, educate people using those machines about what is happening (usually clients when informed, co-operate), installed the anti-virus, and scanned the machines, and EACH OF THE MACHINE WE SCANNED, we found viruses.

At of the time of writing this, I am relieved to say that around 90% of my network is now back to full function, barring scant instances of the js floating. However, the frequency of disconnections has reduced drastically, and we strongly believe that as the week goes by, we would be able to put a stop to this js once and for all.

Two important things here.

1. Our investigations showed, that even though it was just IOL broadband subscribers whose internet faced frequent disruptions, the infected machines were not limited to users using IOLs service. We got infected machines of subscribers using Sify and Syscon too. What we are now evaluating is, why is it that only one ISP was suffering breakdowns, inspite of machines using alternative services too were infected. I shall get a resolution of this too soon.

2. The machine NEED NOT be connected to the internet for sending these ARP requests and clogging the network. Even if an infected computer is merely switched on, the process of clogging and JS injections start. More on this too soon.

I hope this post of mine may help those infected networks by way of the affected users being able to convince their service providers, and all of us able to use the internet peacefully.

Lastly, without the help of our ISP - IOL, Mr. Rohit, and Mr Anjanesh, and our tech team, I would not have been able to share what i just did.

All the best.

Aashish
Admin - CIES (Andheri West)

[VladSun]

I think you should buy some network equipment
Your service should not rely on users experience and interaction with the network in order to work properly. There are so many ways you could have prevented this or at least to minimize the number of affected users.

If you need any help in doing it - ask - I'll be happy to answer.

Best regards.