Virus Outbreak at work

A[L]C · 8 Nov 2006 at 13:57

hehe got a virus outbreak at work. Some people are getting notification from SAV10 of w32.spybot.worm and others getting a 60 second shut down message then the machine powers off.

All machines have SAV10 installed with the latest updates. Sounds like the blaster or sasser but surprised SAV didnt pick it up :confused:

A[L]C · 8 Nov 2006 at 13:58

Oh it also appears to be locking AD accounts too :confused:

Beansprout · 8 Nov 2006 at 13:58

Run Windows Update - sounds like some patches aren't installed. Also/Or see here for a list of the probable patches which need installing

Then/Or disconnect each machine from the network and run a full virus scan.

A[L]C · 8 Nov 2006 at 14:03

Beansprout said:
Run Windows Update - sounds like some patches aren't installed. Also/Or see here for a list of the probable patches which need installing

Then/Or disconnect each machine from the network and run a full virus scan.

1600 pcs over 90 remote sites

All pcs updated using WSUS from a central server.

Beansprout · 8 Nov 2006 at 14:29

A[L]C said:
1600 pcs over 90 remote sites

All pcs updated using WSUS from a central server.

Weird o.o.

Removal instructions here, hopefully they'll help

Energize · 8 Nov 2006 at 14:36

I'd love something like that to happen at my school.

A[L]C · 8 Nov 2006 at 14:49

TBH its a nightmare. Im on the service desk and we're getting mullered. Soooooooooo busy

Meatball · 8 Nov 2006 at 15:39

stop the pcs shutting down by:

1) Start
2) Run
3) type in: shutdown /a

Steve Watford · 8 Nov 2006 at 16:08

Sounds like you need new computers, I'll take the 1600 broken PCs off you for free though.

Ebay here I come.

stoofa · 8 Nov 2006 at 17:37

If you site was properly configured with SAV:

All Windows PC's running SAV
At least one SAV server configured to collect definitions daily
All clients (via SAV server configuration) told to update daily
Clients not able to shut-down SAV services
SAV features for laptop users configured correctly
Any machine not running SAV or good virus checker not allowed on network

Then you would not have this outbreak you've currently got...period.

Once you've got things cleaned up somebody needs to find out what went wrong, why it went wrong and take steps to make sure it doesn't happen again.
Our last virus outbreak was about 18 months ago when one of our engineers bought an unprotected machine onto our network and then proceeded to download some e-mail via a web interface.
He infected his machine which then scanned around the network and found two Windows servers that were not running AV (because they only ever connected to the Internet for Windows Update) and infected them.

SAV is just amazing in a corporate environment and as long as it is configured correctly more or less faultless.
You cannot of course account for human stupidity...

A[L]C · 8 Nov 2006 at 18:22

stoofa said:
You cannot of course account for human stupidity...

I think we've found the problem right there. Unfortunately the business is waste management... ie bin men, most of whom dont even have home pc's

Ev0 · 8 Nov 2006 at 19:05

Hows does the outbreak start for this, running an executable or something?

Easy enough to sort if your systems are setup a certain way, I'd be interested to see how something like this would go at my place.