Zotob fun

So we had a computer report in that it was infected with w32.spybot.worm with a file c:\winnt\system32\winpnp.exe. Symantec has reported that systems with old virus defs may detect Zotob as that. What's funny, though, is that the write-up doesn't currently mention a file named winpnp.exe. I did see over at the SANS Diary that when a system is exploited, this file is downloaded via FTP. Unfortunately that probably means the SAV Threat Monitor (that's probably the wrong name for it) won't record the IP address that infected it.
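Since the AV console only sees the dropped file and not where it came from, the place to look is the firewall or VPN concentrator's connection log for the infected host: an outbound FTP connection shortly before the alert points at the server that served winpnp.exe. The script below is an added example, not code from the original post or from Symantec; the log format, the AV alert record, the IP addresses and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed firewall connection log (assumed format, not a real product's):
# "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
FIREWALL_LOG = """\
2005-08-15T06:02:11 10.8.0.23:1055 -> 192.0.2.10:21 tcp allow
2005-08-15T07:31:02 10.8.0.23:1087 -> 10.1.2.5:80 tcp allow
2005-08-15T07:33:40 10.8.0.23:1102 -> 192.0.2.77:21 tcp allow
2005-08-15T07:45:10 10.8.0.44:2201 -> 198.51.100.9:21 tcp allow
2005-08-15T07:47:30 10.8.0.23:1150 -> 10.1.2.5:80 tcp allow
"""

# Constructed AV alert: the VPN-assigned IP of the host and the time the
# winpnp.exe detection fired. A real SAV export carries a hostname, so
# map hostname -> VPN IP from the concentrator's session log first.
AV_ALERT = {
    "host_ip": "10.8.0.23",
    "time": "2005-08-15T07:46:00",
    "file": r"c:\winnt\system32\winpnp.exe",
}


def parse_log(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port, proto, action) per line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, proto, action = line.split()
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src_ip, dst_ip, int(dst_port), proto, action


def ftp_downloads_before(alert, log_text, window_minutes=30, ftp_port=21):
    """Allowed outbound TCP connections to ftp_port from the alerting host
    within window_minutes before the alert, as [(iso_timestamp, dst_ip), ...]
    in time order. These are the servers the payload could have come from."""
    alert_time = datetime.fromisoformat(alert["time"])
    earliest = alert_time - timedelta(minutes=window_minutes)
    hits = []
    for ts, src_ip, dst_ip, dst_port, proto, action in parse_log(log_text):
        if src_ip != alert["host_ip"] or proto != "tcp" or action != "allow":
            continue
        if dst_port != ftp_port or not (earliest <= ts <= alert_time):
            continue
        hits.append((ts.isoformat(), dst_ip))
    return sorted(hits)


if __name__ == "__main__":
    for ts, ip in ftp_downloads_before(AV_ALERT, FIREWALL_LOG):
        print(f"{ts}  {AV_ALERT['host_ip']} fetched from FTP server {ip}")
```

Two caveats. The FTP server that handed out winpnp.exe is a lead, not proof of which host sent the exploit, so confirm it against the other host's own AV history before acting on it. And a worm's FTP service need not listen on port 21, so if the default search comes up empty, widen `ftp_port` to every outbound connection the host made in that window and inspect them by hand.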

Still trying to track this system down. It was connected in via the VPN when I got the virus alerts, and it's offline before I can find it again. Endpoint compliance would be worth its weight in gold right now. We're reduced to putting a note on the user's door to catch the computer when it comes in.

On Sunday we had an impromptu patching party to make sure that critical Windows 2000 servers were patched. I also made sure Symantec AntiVirus defs were pushed out.

About this Entry

This page contains a single entry by Roger published on August 15, 2005 7:46 AM.
