
18 Servers & 350 PC's Infected With W32.Xpaj.B


7 replies to this topic

#1 invtechnologies


  • Members
  • 4 posts

Posted 31 March 2011 - 08:26 AM

I am IT admin for a local private school and we are experiencing major issues with a W32.Xpaj.B infection. I am not sure if anyone else has run into this, but it is difficult to remove and spreads quickly over the network. It affects several system files, including DLL and EXE files. We have been working with TrendMicro (which is running on all machines), Symantec and AVG, and none of them have a sufficient cleaning or prevention solution. We have had these problems for two weeks and cannot resolve them. Students are on spring break this week but will return on Monday. If anyone has seen this particular infection before and has any insight, please help. Even when we wipe and rebuild machines, the infection continues to return. Note: there is also a variant, W32.Xpaj.A, that some of you may have come across. Note: just for context, our staff includes 2 CCNA, 2 MCSA and 1 Server 2008 certified professionals. Thanks for your help.


#2 cryptodan


    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 31 March 2011 - 08:42 AM

Are you restoring these machines from backups?

#3 invtechnologies

  • Topic Starter

  • Members
  • 4 posts

Posted 31 March 2011 - 08:48 AM

Not at this time, just rebuilding the desktops. We are not sure if the servers' backup files are infected, so we are waiting on that. We really want to try to clean the servers, but at this point nothing works to actually clean them.

#4 cryptodan


    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 31 March 2011 - 09:04 AM

I would scan any software that you are using on a known clean computer, see about making sure that your router or switches are not infected, and I would recommend doing one machine at a time.

#5 invtechnologies

  • Topic Starter

  • Members
  • 4 posts

Posted 31 March 2011 - 10:14 AM

Thanks. We have done all standard practices. We have been working with the major AV vendors Symantec, TrendMicro and AVG, and they have no solution either.

#6 cryptodan


    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 31 March 2011 - 02:30 PM

You are reinfecting yourself via the installation medium, or via the backed up files.

#7 invtechnologies

  • Topic Starter

  • Members
  • 4 posts

Posted 31 March 2011 - 02:49 PM

Anyone else????

#8 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 03:20 PM

Hi,

Have you checked that all external devices connected to the PCs are clean? The infection spreads through removable devices, and therefore one overlooked infected flash drive could reinfect the entire network.
Also take into consideration that any executable on a flash drive inserted while the PCs were infected has likely also been compromised.

I'd advise either a) banning all flash drives from the network for troubleshooting, or b) disinfecting all flash drives and using a utility like flash_disinfector (only works on XP) or Panda Vaccine (only works if the flash drives aren't connected to Mac/Linux PCs) to vaccinate the flash drives and prevent them from automatically reinfecting the PCs.
Also disable file sharing unless it's absolutely needed.

Could you elaborate on how you cleaned the PCs? You'd need to clean them all at once and keep the clean ones disconnected from the infected ones to avoid reinfection from the rest of the server. I'd definitely recommend a reformat and reinstall as the "cleaning procedure". Anything else is likely to lead to reinfection due to one overlooked/undetected file.

regards myrti

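The checks the thread circles around (cryptodan's "scan on a known clean computer" and myrti's removable-media, AutoRun and reformat advice) can be scripted. The following is an added example written for this page, not code posted by anyone in the thread or shipped by any of the AV vendors named. It assumes an elevated PowerShell 4+ session on a rebuilt, still-isolated Windows machine; the function names are mine, and the reference-hash CSV path is hypothetical: the file is one you would build yourself on a known-clean install of the same build with `Get-ChildItem C:\Windows\System32 -File | Get-FileHash -Algorithm SHA256 | Export-Csv clean.csv`. Because W32.Xpaj.B patches existing EXE/DLL files rather than dropping new ones, the last function looks for signed binaries whose Authenticode hash no longer matches, and for any file whose SHA-256 differs from the clean reference.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumes: elevated PowerShell 4+ on Windows; the reference CSV (hypothetical
# path below) was produced on a known-clean machine of the same build with
# Get-FileHash, which emits the Path and Hash columns read here.

# 1. Turn AutoRun off for every drive type. 0xFF is the documented "all drive
#    types" mask for NoDriveTypeAutoRun; it is the value the matching GPO writes.
function Disable-AutoRun {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
}

# 2. Report autorun.inf and every executable without a valid signature on each
#    removable drive (DriveType 2). Legitimate unsigned tools show up too; the
#    point is that every hit is examined before the stick touches a rebuilt PC.
function Get-RemovableDriveFindings {
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = "$($d.DeviceID)\"
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -PathType Leaf) {
            [pscustomobject]@{ Drive = $d.DeviceID; Path = $inf; Finding = 'autorun.inf file present' }
        }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Drive = $d.DeviceID; Path = $_.FullName; Finding = "signature $($sig.Status)" }
                }
            }
    }
}

# 3. Occupy the autorun.inf name with a hidden/read-only/system *directory*.
#    A file cannot be created where a directory of that name exists, so an
#    infector that simply writes autorun.inf fails. Malware that deletes the
#    directory first still wins; Panda Vaccine's undeletable-name trick is
#    stronger. This is the simple version.
function Protect-RemovableDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    $dir = Join-Path "$DriveLetter\" 'autorun.inf'
    if (Test-Path -LiteralPath $dir -PathType Leaf) { Remove-Item -LiteralPath $dir -Force }
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    (Get-Item -LiteralPath $dir -Force).Attributes = 'Directory, ReadOnly, Hidden, System'
    Get-Item -LiteralPath $dir -Force
}

# 4. Find PE files a file infector has likely touched: Authenticode hash
#    mismatch (signed, then modified) or a SHA-256 that differs from the clean
#    reference. Files with no reference entry are reported only when they also
#    lack a valid signature, because catalog-signed Windows binaries can report
#    NotSigned on older Windows/PowerShell builds.
function Get-SuspectPEFiles {
    param(
        [string]$Root   = "$env:SystemRoot\System32",
        [string]$RefCsv = 'C:\clean-reference\clean.csv'   # hypothetical path
    )
    $ref = @{}
    if (Test-Path -LiteralPath $RefCsv) {
        Import-Csv -LiteralPath $RefCsv | ForEach-Object { $ref[$_.Path.ToLower()] = $_.Hash.ToUpper() }
    }
    Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $known = $ref[$_.FullName.ToLower()]
            $why   = $null
            if ($sig.Status -eq 'HashMismatch')                  { $why = 'Authenticode hash mismatch: modified after signing' }
            elseif ($known -and $known -ne $hash)                { $why = 'SHA-256 differs from clean reference' }
            elseif (-not $known -and $sig.Status -ne 'Valid')    { $why = "no reference hash and signature is $($sig.Status)" }
            if ($why) {
                [pscustomobject]@{ Path = $_.FullName; Signature = $sig.Status; SHA256 = $hash; Why = $why }
            }
        }
}

# Usage on a rebuilt machine that is still off the network:
Disable-AutoRun
Get-RemovableDriveFindings | Format-Table -AutoSize
Get-SuspectPEFiles | Sort-Object Path | Format-Table -AutoSize
```

Run Get-SuspectPEFiles against the install media's extracted files and the restored backups as well as System32; a backup whose EXE/DLL hashes diverge from the clean reference is the "reinfecting yourself via the backed up files" case cryptodan describes, and should not be restored.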

 
