
Anig Virus

gsboriqua (Gawd; joined May 31, 2002; 815 messages)
Ok, I'm at my wits' end. I am an engineer at a company and our systems continue to get periodically infected with the Anig virus. We clean and remove the virus and it gets reinfected again. Our systems are running antivirus with the latest defs (we have had Anig get past Norton and Trend Micro). Our IT security team seems hopeless. They have been trying to help but do not have a clue as to what's possibly happening. I'm sure other large networks have been hit besides ours. I was hoping to run into someone who may have found a permanent solution on killing this bug.

Thanks!

BTW: Please do not recommend a different antivirus solution as that's not really an option. I work in a semiconductor fab and the vendors have strict guidelines as to what software can run on the tools.
 
Isolate the virus, and send it to your A/V vendor (note that you might need to compress it into a password-protected ZIP file, as they probably run A/V software on their SMTP servers or workstations, which would block the attachment). Explain to them what's going on, and see if they have anything to contribute.

Do you allow people to bring laptops from home in? Is there a common point of infection? Are you /actually/ getting infected, or is there just the odd file that turns up (and could have been copied over from someone doing work at home)?
 
gsboriqua said:
Ok, I'm at my wits' end. I am an engineer at a company and our systems continue to get periodically infected with the Anig virus. We clean and remove the virus and it gets reinfected again. Our systems are running antivirus with the latest defs (we have had Anig get past Norton and Trend Micro). Our IT security team seems hopeless. They have been trying to help but do not have a clue as to what's possibly happening. I'm sure other large networks have been hit besides ours. I was hoping to run into someone who may have found a permanent solution on killing this bug.

Is your company blocking IM software?
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.anig.html
"W32.HLLW.Anig is a network-aware worm that captures keystrokes and passwords. The worm also opens a backdoor on port 5190."

5190 is the same port AIM connects on (and everything that connects to AIM: Trillian, GAIM, etc.).
 
Daft question/option, but if you are running XP, do you have the System Restore option turned on? It does have the ability to store viruses; we have had to clear the files by hand to get rid of a worm on the network a while back.
 
What version of Trend are you running?

If you're running 6.5 with damage cleanup enabled then I wouldn't think Trend would have any trouble with this.

I'd recommend turning off the system restore as was suggested, and also clear out temp files.

If you can capture the EXE, you can generate a hash from the executable, and if you're on a Windows domain you should be able to push out a policy to all the machines that blocks an EXE with that hash from even running. That should kill it right there.

You should also close port 5190.

Figuring out the infection vector is extremely important too...
 
Thanks for the responses. We have tried talking to Symantec about this and they haven't come up with any real permanent solutions. I'll see if they have contacted Trend Micro about this.

The fab network is isolated and doesn't allow DHCP, which keeps the laptops from home out of there.

IM software is installed (by users, unfortunately) on some PCs, so that's a good idea to look into. Thing is, I doubt we will be able to stop people from installing it and the IT group doesn't want to block it. I will bring it up with security though and see what happens.

PCs that are getting infected are all NT boxes, so no System Restore there.

Boscoh said:
What version of Trend are you running?

If you're running 6.5 with damage cleanup enabled then I wouldn't think Trend would have any trouble with this.

I'd recommend turning off the system restore as was suggested, and also clear out temp files.

If you can capture the EXE, you can generate a hash from the executable, and if you're on a Windows domain you should be able to push out a policy to all the machines that blocks an EXE with that hash from even running. That should kill it right there.

You should also close port 5190.

Figuring out the infection vector is extremely important too...

As for the Trend version, it's a corp client that connects to a Trend server on the intranet. I don't think the versions correlate to the consumer versions, but I could be wrong. In either case it's running engine 7.1; unsure of the actual client version. The EXE is NTOSa32. I will start blocking those ports and see what happens. It appears that Trend and Norton both isolate ntgina.dll but leave the other part alone. Norton can identify it but can't do anything about it. This causes a BSOD when you reboot the PC. We end up booting with NTFS Pro and copying over MSGINA.DLL to replace NTGINA.DLL, if that makes any sense.

Thanks again for all the tips we will see what happens
 
6.5 is a version of OfficeScan. Looking at my system tray icon, I'm running engine 7.1, pattern 2.364.06, DCE/DCT 3.9/487.

If you right click the icon, OfficeScan Main, and go to Help>About then it should tell you the Program Version. Mine is 6.5.

If you're not running the Damage Cleanup Services, you guys should consider investing in it. It helps a lot.

Trend shouldn't have a problem getting the EXE unless it's in a place where Trend can't get to it, such as the System Restore folder or a network drive. Do you guys have the "scan network drive" option turned on for real-time scanning?
 
I'm not at work or I would check the version number. I don't believe it's set up to scan network drives, just real-time scan on local drives. The servers it maps drives to *should* be pretty well protected. I'll ask the IT group about the cleanup services for Trend. I'm not sure why the EXE can execute. That's what makes it so baffling. It executes and runs its services with Norton and Trend. It's not a new virus, so it's pretty annoying.
 
Just wanted to say thanks again!

We ended up creating a script that checked for the virus. If found, it would run the fixanig tool. It would then copy over an NTOSA32 and copy msgina.dll over ntgina.dll, deny access to those two files and restart (if not found, it would just copy these files over). Anig apparently looks for those files while traveling through the network; if found, it ignores the PC and moves on. Roundabout way of doing things, but hopefully this stops the madness!
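An added triage helper for the indicators named in this thread (the port 5190 backdoor from the quoted Symantec description, and the NTOSA32 / ntgina.dll files), which also accounts for the decoy copies described in the last post so an immunized host is not mistaken for an infected one. This is example code written for this page, not the poster's script; the netstat text, the file hashes and the decoy hash are constructed.

```python
"""Triage helper for the Anig indicators this thread describes (added example, not from the thread)."""
import re

BACKDOOR_PORT = 5190          # backdoor port from the Symantec write-up quoted above
WORM_EXE = "ntosa32.exe"      # executable name given in the thread
GINA_HOOK = "ntgina.dll"      # the worm's stand-in for msgina.dll
REAL_GINA = "msgina.dll"

# Constructed `netstat -an` output, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5190           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1032          ESTABLISHED
"""

# Constructed system32 listings as {file name: content hash}; the hashes are made up.
INFECTED_HOST = {"msgina.dll": "aaaa1111", "ntgina.dll": "ffff9999", "NTOSA32.EXE": "dead0001"}
# A host prepared as in the last post: ntgina.dll is a copy of msgina.dll and
# NTOSA32.EXE is the admin's own placeholder (constructed hash "aaaa2222").
IMMUNIZED_HOST = {"msgina.dll": "aaaa1111", "ntgina.dll": "aaaa1111", "NTOSA32.EXE": "aaaa2222"}

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, parsed from netstat -an text."""
    ports = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.append(int(m.group(1)))
    return ports

def triage(netstat_text, system32, decoy_hashes=frozenset()):
    """Verdict plus evidence; files whose hash matches a known decoy do not count."""
    files = {name.lower(): digest for name, digest in system32.items()}
    decoys = set(decoy_hashes)
    if REAL_GINA in files:            # an ntgina.dll identical to msgina.dll is the decoy copy
        decoys.add(files[REAL_GINA])
    evidence = [n for n in (WORM_EXE, GINA_HOOK) if n in files and files[n] not in decoys]
    backdoor = BACKDOOR_PORT in listening_ports(netstat_text)
    # 5190 alone may just be an IM client (AIM uses the same port), so it is
    # only "infected" when it coincides with a non-decoy dropped file.
    if evidence and backdoor:
        verdict = "infected"
    elif evidence or backdoor:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "files": evidence, "port_5190_listening": backdoor}
```

Feed it the real `netstat -an` text and a name-to-hash map of system32 from a suspect host, passing the hashes of your own placeholder files as `decoy_hashes`.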
 