Zotob fun

So we had a computer report in that it was infected with w32.spybot.worm with a file c:\winnt\system32\winpnp.exe. Symantec has reported that systems with old virus defs may detect Zotob as that. What’s funny though is the writeup doesn’t currently mention a file named winpnp.exe. I did see over at the SANS Diary that when a system is exploited, this file is downloaded via ftp. Unfortunately that probably means the SAV Threat Monitor (that’s probably the wrong name for it) won’t record the IP address that infected it.
Still trying to track this system down. It was connected in via the VPN when I got the virus alerts and it’s offline before I can find it again. End Point compliance would be worth its weight in gold right now. We’re reduced to putting a note on the user’s door to catch the computer when it comes in.
On Sunday we had an impromptu patching party to make sure that critical Windows 2000 Servers were patched. I also made sure Symantec’s Antivirus defs were pushed out.