Post #39,645
5/23/02 12:28:04 PM
|
Couple of thoughts
What are the permissions on the file and what are you using to delete it? From TechNet:

PSS ID Number: Q165126
Article last modified on 08-09-2001
WINDOWS:2000; winnt:4.0

The information in this article applies to:
- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server

SYMPTOMS
If directory permissions are set to full control for everyone, and permissions for a file within that directory are set to "no access" or "delete" (only), anyone should be able to delete the file. This is expected behavior and works correctly in File Manager and at a command prompt. This is also documented in the "Setting Directory Permissions" section of the Windows NT Server System Guide. However, if you attempt to delete the file by using Windows NT Explorer, it returns an access denied error. Adding read permission to the file allows the file to be deleted.

CAUSE
Windows NT Explorer attempts to move the file to the recycle bin (for undelete) and it fails with access denied.

STATUS
Microsoft has confirmed this to be a problem in Windows NT version 4.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.
Another issue might be ownership. Try logging in to the system as whoever is shown as the owner of the file.
"Patriotism means to stand by the country. It does NOT mean to stand by the President or any other public official save exactly to the degree in which he himself stands by the country. It is patriotic to support him insofar as he efficiently serves the country. It is unpatriotic not to oppose him to the exact extent that by inefficiency or otherwise he fails in his duty to stand by the country." ~ Theodore Roosevelt
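An added example, not part of this post or of the Microsoft article quoted above: a PowerShell function that gathers the three things the post asks about for a file Explorer refuses to delete. It reports the owner of the file and of its directory, the ACEs on the file that grant or deny Read (which Explorer's move-to-Recycle-Bin needs), the ACEs that would allow deletion, and whether some running process is holding the file open, which is what the thread eventually finds. The path `C:\share\stuck.dat` is a placeholder; the exception classes and ACL cmdlets are standard Windows PowerShell.

```powershell
# Added diagnostic, not from the thread. Tells apart the Q165126 case
# (file lacks Read, so Explorer's Recycle Bin move fails), an ownership
# problem, and a file that is simply open in another process.
function Get-DeleteDiagnostics {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item    = Get-Item -LiteralPath $Path -Force
    $fileAcl = Get-Acl  -LiteralPath $item.FullName
    $dirAcl  = Get-Acl  -LiteralPath $item.DirectoryName

    # Render one access control entry as a single readable line.
    $fmt = { "{0,-5} {1,-30} {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights }

    # Opening with FileShare.None fails with IOException when another
    # handle to the file exists (a process is using it) and with
    # UnauthorizedAccessException when the ACL blocks us.
    $inUse = $false; $openError = $null
    try {
        $fs = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'None')
        $fs.Dispose()
    }
    catch [System.IO.IOException]              { $inUse = $true; $openError = $_.Exception.Message }
    catch [System.UnauthorizedAccessException] { $openError = $_.Exception.Message }

    [pscustomobject]@{
        File           = $item.FullName
        FileOwner      = $fileAcl.Owner
        DirectoryOwner = $dirAcl.Owner
        InUse          = $inUse
        OpenError      = $openError
        # Explorer moves the file to the Recycle Bin, so it needs Read on the file itself.
        FileReadAces   = @($fileAcl.Access | Where-Object { $_.FileSystemRights -match 'Read|FullControl' }   | ForEach-Object $fmt)
        # Delete can be granted on the file ...
        FileDeleteAces = @($fileAcl.Access | Where-Object { $_.FileSystemRights -match 'Delete|FullControl' } | ForEach-Object $fmt)
        # ... or on the containing directory.
        DirDeleteAces  = @($dirAcl.Access  | Where-Object { $_.FileSystemRights -match 'DeleteSubdirectoriesAndFiles|FullControl' } | ForEach-Object $fmt)
    }
}

# Placeholder path; run against the file that gives "Access Denied".
Get-DeleteDiagnostics -Path 'C:\share\stuck.dat' | Format-List
```

Reading the output: an empty `FileReadAces` with a non-empty `FileDeleteAces` or `DirDeleteAces` is the Knowledge Base case, and `Remove-Item -LiteralPath <path> -Force` from a shell deletes directly instead of going through the Recycle Bin; a foreign `FileOwner` points at the ownership problem; `InUse = True` means something still has the file open and no permission change will help until that process is stopped.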
|
Post #39,693
5/23/02 3:28:31 PM
|
Been through that one
My current suspicion is there's still something running of Klez.H/Elkern.C. I'm going to go look at that again now, and hit that FAT partition from a DOS boot.
[link|http://www.aaxnet.com|AAx]
|
Post #39,766
5/24/02 12:43:38 AM
|
Yup, it was still in there - in fact . .
. . it was everywhere. The reason scans of the server drives from "clean" machines showed nothing was that there were no clean machines, anywhere on the network.
Once a machine has the Klez, the virus detector can't find most (or any) of the infected files. Running the updated virus checker showed only 5 machines with infected files. Using a special Klez/Elkern tool working from a "Safe Mode" boot showed every machine on the network was riddled with Klez/Elkern.
All those "Access Denied" files were denied because Klez/Elkern was using them.
[link|http://www.aaxnet.com|AAx]
|
Post #39,802
5/24/02 10:36:08 AM
|
Every machine?
Damn. I suppose that could throw off your troubleshooting a bit.
"Patriotism means to stand by the country. It does NOT mean to stand by the President or any other public official save exactly to the degree in which he himself stands by the country. It is patriotic to support him insofar as he efficiently serves the country. It is unpatriotic not to oppose him to the exact extent that by inefficiency or otherwise he fails in his duty to stand by the country." ~ Theodore Roosevelt
|
Post #39,804
5/24/02 10:46:16 AM
|
Yup, every single one.
If it was on the network, shared drives or no, it was infected.
Lowest infection was 36 files, highest 266. The 266 one was one that had shown infection with a regular scan the day before, with 269 infections removed. A normal scan with an up-to-date-to-the-day scanner before running the removal tool showed 1 infection.
[link|http://www.aaxnet.com|AAx]
|
Post #42,683
6/17/02 6:53:56 PM
|
What are you using...
...to scan and fix Klez-infested boxen? I'm starting to get worried about things here, despite our defenses. There are some mobile systems that walk in and out of the network.
In particular, realtime scanning under Linux w/ Samba would be most useful.
-- Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com] [link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/] What part of "gestalt" don't you understand?
Keep software free. Oppose the CBDTPA. Kill S.2048 dead. [link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
|
Post #42,710
6/17/02 11:46:46 PM
|
We use Command . .
. . because it's the easiest to keep updated on a CD-ROM I can carry around. The [link|http://www.commandsoftware.com/virus/kerp.html|Klez.H tool] is free. An up-to-date antivirus (Post April 19th) to keep you uninfected is not (download Command for $24).
An important thing is to use the Klez tool in Safe Mode (works on all Win95/98/Me, NT, XP, 2000) and put on an updated antivirus before reattaching to the network. This thing spreads fast.
I know Symantec has a Klez tool, and I presume everyone else does too.
Some machines I have found with multiple infections (Klez.H and SirCam) I've had to pre-clean with the DOS version of the antivirus before I could even run the Klez tool. I use DOS disks made from a good Command installation, copy them all to a directory on a CD-ROM for convenience, and either run from the CD-ROM or copy all the files to the hard disk and run from there so I can take the CD-ROM to the next machine.
Most disks scan pretty fast, but the absolute worst case is a Windows Me machine with System Recovery turned on and plenty of Temporary Internet Files. I've had one of these take over 2 hours, most of it in the System Recovery Temp files (89,000 files).
Going to call some more clients this week - this is easy money - like shooting fish in a barrel. "If you run Windows and read Email, You Have the Klez!"
[link|http://www.aaxnet.com|AAx]
|
Post #42,716
6/18/02 12:07:18 AM
|
Once again, Andrew supplies a new sig.
"If you run Windows and read Email, You Have the Klez!" -Andrew Grygus
|
Post #42,723
6/18/02 12:38:30 AM
|
Thanks. I used Symantec's FixKlez.com...
...on a WinME laptop here. Probably 20 minutes or so to scan, with System Recovery disabled (Symantec advised this). Booted to safe mode. Thankfully, the system was clean.
Despite the Windows desktops, we run Eudora rather than MS LookOut, and have virus filtering on all in and outbound mail, as well as the desktops.
I'm starting to get interested in virus scanners to run over our Samba and web staging / FTP servers. I see this as a potential vector for infection as well. Hmmm... Ouch. Yeah, that would be a Good Thing
Any take on Klez infestations by email client? Is it mostly LookOut / OE or are other systems equally vulnerable?
-- Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com] [link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/] What part of "gestalt" don't you understand?
Keep software free. Oppose the CBDTPA. Kill S.2048 dead. [link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
|
Post #42,726
6/18/02 1:21:53 AM
|
Any can be vulnerable if . . .
. . you open the mail. Only Outlook will propagate the virus by email, but once it's running it goes for network drives. Anything accessible to Windows clients is vulnerable. The worst infection I've seen was at a client that uses Microsoft Exchange Server intensively - only 2 of his 20 computers had less than 150 infected files.
At a client who does not use Outlook (not since SirCam emailed his customer list to all his competitors), some machines escaped infection. Three other clients who also use PMMail were 100% infected.
Klez.H has a long list of email tricks to get you to open it. My favorite is the one disguised as an undelivered mail notice. Who can resist opening the message to see why their mail wasn't delivered? A more obvious one is the one that warns about Klez.E.
One client receives many real bounced email notices from virus filtering services because someone who is infected had his address in their Outlook address book. Klez.H uses forged return addresses to hide the identity of infected machines.
Most of the infections are actually Elkern.C, which Klez.H brings with it - only a few are actually Klez.H. Elkern.C infects mainly Microsoft Office subdirectories in \Program Files. I haven't seen a definitive analysis of Elkern.C, but previous Elkern versions are said to destroy all files on hard disks on March 13th and September 13th.
The worst infected machine I've seen had over 450 files infected, but about 33 and 95 and 165 files are common infection points. The one with 450 infections had to be reformatted, as did several machines that had multiple viruses, but most infected machines recover well.
[link|http://www.aaxnet.com|AAx]
|
Post #42,738
6/18/02 9:45:01 AM
6/18/02 9:45:42 AM
|
And they call me crazy for *STILL* using OS/2......
Edited by n3jja
June 18, 2002, 09:45:42 AM EDT
|
Post #42,739
6/18/02 9:51:15 AM
|
At last count . .
. . my main OS/2 workstation had 290 virus infected files, containing about a dozen different viruses, worms and trojans - and that's just because my email trash bin gets auto-emptied of old deletes. Since no infected files are likely to be transferred to my one lonely Windows machine, I just ignore 'em.
[link|http://www.aaxnet.com|AAx]
|
Post #42,759
6/18/02 12:53:21 PM
|
Interesting....
my main OS/2 workstation had 290 virus infected files, containing about a dozen different viruses, worms and trojans
Well, since I've never installed any AV software on my OS/2 partition, I couldn't tell you if I have any viruses or not. What I can say is that since the vast majority of these things are VBS, W32, or HTML, I feel fairly well protected because:
1) VBS doesn't work on OS/2 and (as far as I know) never will. Maybe it would run under Odin? I don't do Odin, so I wouldn't know.
2) W32 code doesn't run on OS/2 either, unless you have Odin installed, and I am certainly not about to do that. If I need to run W32 code, that's what I have a W98SE partition for.
3) I use PMMail/2 which automagically strips all HTML from incoming email. Anything that makes it past that usually comes up as garbage (or in some cases just blank) in the Read window and I delete those things without bothering to look at them. Similarly, I can always see the complete file name under OS/2. This makes file attachments that come up as Britney_Spears.jpg.vbs pretty damned obvious to anyone with 3 functioning brain cells. Double file extensions should send up flares as big as SCUD missiles even if you don't update your AV software as often as you should. That's how I knew my GF hadn't bothered to update her NAV software since I installed it for her. One of the emails she sent me last year had warning signs all over it as soon as I saw it.
Now, in fairness, she didn't know she had done it because she had the preview window in NutScape set on by default (still does.... *boggle*) and the code just started emailing people in her address book. Fortunately for her, I was only the second person to get the email sent to me, so I managed to nip it in the bud before it got way out of hand. Final tally was about 10 people she gave it to instead of the 50 or so it might have been.
I'm also quite happy about the fact that a good majority of these things like KAZAA, etc that contain SpyWare don't run on OS/2 either. I've only run into one instance where a web site tried to initiate a file download and since OS/2 is kind enough to let me know such things, it wasn't much of a deal.
All in all, I'm not worried in the least about most of this crap that infests the W32 world. Most of the time, I just laugh.
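An added example, not written by anyone in this thread: the double-extension check from point 3 above, as a PowerShell script a Windows admin could run over an attachment folder or a share, plus a check of the Explorer setting that hides known extensions (so that `Britney_Spears.jpg.vbs` displays as `Britney_Spears.jpg`). The extension lists are my own choices, the registry value `HideFileExt` under `HKCU:\...\Explorer\Advanced` is the standard Explorer setting, and the sample file names at the bottom are constructed for illustration.

```powershell
# Added example, not from the thread: flag names of the form <decoy>.<executable>
# and warn when Explorer would hide the final extension.

# Extensions Windows will execute on double-click (my list; extend as needed).
$ExecutableExtensions = 'exe','scr','pif','com','bat','cmd','vbs','vbe','js','jse','wsf','wsh','hta'
# Extensions a sender uses to make the file look like a picture or document.
$DecoyExtensions      = 'jpg','jpeg','gif','bmp','png','txt','doc','xls','pdf','mp3','zip','htm','html'

function Test-DoubleExtension {
    # $true when the name ends in a decoy extension followed by an executable one.
    param([Parameter(Mandatory)][string]$Name)
    $parts = $Name.ToLowerInvariant().Split('.')
    if ($parts.Count -lt 3) { return $false }      # need base name + two extensions
    return ($ExecutableExtensions -contains $parts[-1]) -and
           ($DecoyExtensions      -contains $parts[-2])
}

function Test-ExtensionsHidden {
    # Per-user Explorer setting "Hide extensions for known file types":
    # HideFileExt = 1 (or absent) means hidden, 0 means shown.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $value) -or ($value -ne 0)
}

function Find-DoubleExtensionFiles {
    # Walk a folder (mail attachment store, file share) and list suspicious names.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-DoubleExtension $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample names: the first three are flagged, the rest are not.
$samples = 'Britney_Spears.jpg.vbs', 'invoice.doc.exe', 'setup.txt.scr',
           'holiday.jpg', 'report.pdf', 'backup.tar.gz', 'readme.txt'
$samples |
    ForEach-Object { [pscustomobject]@{ Name = $_; Suspicious = Test-DoubleExtension $_ } } |
    Format-Table -AutoSize

if (Test-ExtensionsHidden) {
    Write-Warning 'Explorer is hiding known extensions: "photo.jpg.vbs" would display as "photo.jpg".'
}

# Placeholder path for a real scan:
# Find-DoubleExtensionFiles -Root 'C:\Attachments'
```

`backup.tar.gz` is the reason the check requires the last extension to be executable rather than merely flagging any name with two dots; legitimate archives and versioned files carry double extensions too.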
|
Post #42,779
6/18/02 2:01:07 PM
|
Out of curiosity . .
. . I occasionally scan my OS/2 workstation drives over the network from my Windows machine.
[link|http://www.aaxnet.com|AAx]
|
Post #42,786
6/18/02 2:52:30 PM
|
Ah...
I occasionally scan my OS/2 workstation drives over the network from my Windows machine.
In my case, my OS/2 machine *is* my Windoze machine. It's also my DOS machine and my Linux machine as well.
I just love the sight of Boot Manager in the morning (and the afternoon, and the evening...). ;-)
I guess I should probably scan the Novell server and see what's there. I don't expect to find much, since I've been on her about updating NAV often, but one can never tell.
If enough things show up, I'll just have to ban her from the MP3 collection; or at least make it Read-Only for her. ;-)
|
Post #42,772
6/18/02 1:37:49 PM
|
How can I tell?
I've been trusting the network guys here to keep this in check. Whenever I hear about a new outbreak I double-check to make sure they already know. Either they're very good, or simply disabling preview and not opening the obvious spam mostly alleviates the problem. I haven't noticed any problems.
=== Microsoft offers them the one thing most business people will pay any price for - the ability to say "we had no choice - everyone's doing it that way." -- [link|http://z.iwethey.org/forums/render/content/show?contentid=38978|Andrew Grygus]
|
Post #42,776
6/18/02 1:56:55 PM
|
The only way to tell for sure . .
. . is to download a free Klez tool and run it in Safe Mode.
[link|http://www.aaxnet.com|AAx]
|