Executing a Virus that is on a DFS Share?

KapsZ28

Our company has a DFS with about 20 servers. To my knowledge, there is no virus infection on any of the servers. However, there is one file share that the entire company has read access to. All of a sudden there is an unusual EXE file sitting on this share. At the moment, nobody seems to know what the EXE file is, and it has been left on the share. What I am wondering is, what happens if a single user executes this file and it is a virus? Would the virus most likely just infect their PC, or is it possible for the virus to infect all the servers in the DFS?

All the computers and servers are running Symantec Endpoint Protection, so hopefully if the file is executed it will be picked up right away and deleted. But what is the likelihood that running this EXE file would infect more than just the PC it was run from?
 
Have you tried answering the question of whether it's a virus... scanning it, and getting a few other opinions by submitting it to Jotti or VirusTotal so that a dozen or more scanners can check it?

Can it infect the workstation that runs it? Yes. Can it infect the server(s) and/or the rest of the network? Yes, it depends on what the virus is.
 
Here is some more information that I received. The file in the shared folder is called yldezr.exe. Scanning the exe file with SEP didn't find anything. The end user that ran the exe file received the error message below followed by alerts from SEP.

And here is information from Symantec. http://www.symantec.com/security_response/writeup.jsp?docid=2009-071713-2155-99

[attached screenshot: virus.jpg]
 
Yeah, that csrsc.exe is common with a W32.Spybot backdoor trojan.
It often will merge into the Explorer shell of an operating system.

Hopefully your Symantec is centrally managed, I'd review the alerts and see if any workstation(s) stick out, and go clean those workstation(s).

As it stands now, I'd say you have code inside your network granting access from an external source.
 
But in general, the only way for the servers to get infected would be if something was infected by running the file, right?

As in, if a user ran that EXE file off a DFS share, and their computer was not infected because Symantec blocked and deleted it, then the infection wouldn't spread?

I can't really explain it right, but I just want to know about a server that is NOT infected but has an EXE file that contains a virus. Someone runs that EXE file from their computer. All the server is doing is allowing you to run the file. Nothing is actually being installed on the server, so the server itself would not actually be infected, right? The only way the server would be infected is if you ran the EXE file while logged directly into the server, or if a computer was infected and spread the infection over the network.
 
Lock down the .exe into its own folder with no one having access. I am at a loss as to why it is still on your server. Also check when it was created and search for files created on the same date. Viruses know redundancy well. You probably have more of them.
 
> Lock down the .exe into its own folder with no one having access. I am at a loss as to why it is still on your server. Also check when it was created and search for files created on the same date. Viruses know redundancy well. You probably have more of them.

That is actually an excellent question. I don't personally have enough access to these servers to do anything. Since it is a DFS file share and there are 20 servers, the file could be on any of them, all of them, or just one of them. When I told the engineers about it, and they took their sweet time replying to me, I was finally informed that they can't locate the server where the file resides. So I personally went back to the share and went into the properties where you can access the DFS tab with all the server names. I went directly to the active server, since that is where my computer is pointing to, and I was able to see the file. When I accessed the other servers in the DFS, the file wasn't there. I sent this information to the engineers, and, well, it is still there.

As of today we are having other virus issues on different servers. One of which appears to be the Sality virus.

When I started here, I noticed many file shares that were infected or still had the remains of viruses. Client computers would be infected and they would map to a drive, and then the worm would replicate itself on to their mappings. Why most of this was never taken care of is beyond me. I am not involved in any of this. If I was, the infections would have been gone a long time ago. I am just trying to understand a little better about the spread of viruses because some of the information I heard didn't make much sense.
 
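The two practical steps the thread keeps circling back to (find which DFS target actually holds the file, then check its creation date and look for anything dropped alongside it) can be scripted instead of clicking through the DFS tab on each server. The following is an added example written for this page, not code from any poster. It assumes the DFSN PowerShell module (RSAT or Windows Server 2012 and later; the thread predates it) and PowerShell 4.0 or later for Get-FileHash; the namespace path `\\corp.example\dfs\public` and the quarantine folder are placeholders, and the file name is the one given in the thread.

```powershell
# Added example (not from the original thread): locate an unknown EXE on every
# target behind a DFS namespace folder, fingerprint it, and list other files
# created on the same day. Assumptions: DFSN module and PowerShell 4.0+ are
# available and the account running this can read each target's UNC path.
# The namespace path below is a placeholder, not the poster's real share.
param(
    [string]$DfsPath    = '\\corp.example\dfs\public',  # assumed namespace folder
    [string]$FileName   = 'yldezr.exe',                 # file name from the thread
    [switch]$Quarantine                                 # optionally move and lock down the file
)

# 1. Enumerate every folder target behind the namespace path. A client only
#    sees the target it was referred to, which is why the file "wasn't there"
#    when the poster browsed the other servers: each target must be checked.
$targets = Get-DfsnFolderTarget -Path $DfsPath |
    Select-Object -ExpandProperty TargetPath

foreach ($target in $targets) {
    $candidate = Join-Path -Path $target -ChildPath $FileName
    if (-not (Test-Path -LiteralPath $candidate)) {
        Write-Output "$target : not present"
        continue
    }

    $file = Get-Item -LiteralPath $candidate

    # 2. Hash the file. A SHA-256 can be searched on VirusTotal without
    #    uploading the sample, and matching hashes across targets tell you
    #    whether replication or a dropper put the same binary in several places.
    $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    Write-Output ("{0} : present, {1} bytes, created {2}, SHA256 {3}" -f
        $target, $file.Length, $file.CreationTime, $hash)

    # 3. Look for anything else written to this target on the same day.
    #    Droppers frequently leave more than one file behind.
    $day = $file.CreationTime.Date
    Get-ChildItem -LiteralPath $target -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $day -and $_.FullName -ne $file.FullName } |
        Select-Object FullName, CreationTime, Length |
        Format-Table -AutoSize

    # 4. Optional: move the file into a folder on the same target that only
    #    local Administrators can open, which is what the thread recommends.
    #    Moving rather than deleting keeps the sample for analysis.
    if ($Quarantine) {
        $qDir = Join-Path -Path $target -ChildPath '_quarantine'   # assumed folder name
        New-Item -ItemType Directory -Path $qDir -Force | Out-Null
        # Drop inherited ACEs and grant only Administrators full control.
        icacls $qDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
        Move-Item -LiteralPath $candidate -Destination (Join-Path $qDir $FileName)
        Write-Output "$target : moved $FileName to $qDir"
    }
}
```

Run it once without `-Quarantine` to see which targets hold the file and what else was created that day; only quarantine once the hash has been checked and the alerts in the SEP console have been reviewed, so that the evidence is preserved rather than destroyed.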