Last week we had two systems get infected with a worm. This was a variant of the PinkSlipBot worm. Subsequently I found several systems that had worm files on the hard drives, but the systems don't appear to be infected. I was able to delete the files, and subsequent scans using McAfee, Sophos' free tool, MalwareBytes, and Kaspersky's TDSSKiller all came up clean. I even attached a couple of the hard drives to a different computer that I am sure is clean and ran virus scans on the hard drives while they weren't being used as a boot source.
The systems in question weren't protected by AV software at the time. Yet, aside from the two I know were infected, the rest don't appear to be infected. They just had the infected exe files sitting on the hard drives.
My question is: Why would the worm have propagated the files to multiple systems, but not executed the files to infect the systems?
Is there anything else I need to do to be sure the systems aren't infected?
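A dropped executable only becomes an infection when something launches it, so a practical follow-up to the question above is to sweep the shares and removable media for the dropped files by hash and, for each hit, check whether anything beside it would auto-launch it. The following is an added example written for this thread, not code from the original poster, McAfee, or any of the tools named. It assumes (hypothetically) that you have the SHA-256 hashes your AV vendor reports for the detected variant; here the "known-bad" hash is constructed from sample bytes so the script runs offline, and it only checks the autorun.inf trigger, not scheduled tasks, Run keys, or services.

```python
"""Sweep directories for dropped worm executables and report whether an
autorun.inf beside them would launch them.

Added example for this thread; not code from the original poster or any
vendor. Assumption: `bad_hashes` holds SHA-256 digests supplied by your AV
vendor. The demo constructs a fake share layout and a fake hash instead.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types a user (or an autorun) could execute directly.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".vbs"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def autorun_targets(directory: Path) -> set:
    """Return lowercase file names that an autorun.inf in `directory` would
    launch (open=, shellexecute=, shell\\...\\command= entries)."""
    inf = directory / "autorun.inf"
    targets = set()
    if not inf.is_file():
        return targets
    for raw in inf.read_text(errors="ignore").splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(("[", ";")):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or key.endswith("command"):
            value = value.strip()
            if not value:
                continue
            prog = value.strip('"').split()[0]          # program before any args
            targets.add(os.path.basename(prog.strip('"')).lower())
    return targets


def sweep(root, bad_hashes):
    """Walk `root`; return one dict per executable whose SHA-256 is in
    `bad_hashes`, flagging whether an autorun.inf in the same directory
    references it (i.e. whether the dropped file has a launch trigger)."""
    findings = []
    for dirpath, _, filenames in os.walk(Path(root)):
        d = Path(dirpath)
        launchers = autorun_targets(d)
        for name in filenames:
            p = d / name
            if p.suffix.lower() not in EXEC_SUFFIXES:
                continue
            digest = sha256_file(p)
            if digest in bad_hashes:
                findings.append({"path": str(p), "sha256": digest,
                                 "autorun": name.lower() in launchers})
    return findings


def demo():
    """Constructed data: a fake share with an autorun trigger, a fake USB
    stick with a dropped-but-dormant copy, and one clean executable."""
    bad_bytes = b"MZ constructed-worm-sample"           # constructed, not real malware
    bad_hash = hashlib.sha256(bad_bytes).hexdigest()
    tmp = Path(tempfile.mkdtemp())
    (tmp / "share").mkdir()
    (tmp / "share" / "update.exe").write_bytes(bad_bytes)
    (tmp / "share" / "autorun.inf").write_text("[autorun]\nopen=update.exe\n")
    (tmp / "usb").mkdir()
    (tmp / "usb" / "photo.scr").write_bytes(bad_bytes)  # dropped, no trigger
    (tmp / "usb" / "notepad.exe").write_bytes(b"MZ clean")
    return sweep(tmp, {bad_hash})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In the demo, both copies of the sample are reported, but only the one on the share carries `autorun: True`; a copy like the one on the USB stick sits inert until a user opens it, which matches the "dormant files on several machines, two actually infected" pattern. Point `sweep()` at the mapped share and any removable drives with the vendor's real hashes, and treat any hit with a trigger as a live infection path rather than a leftover file.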
I'm not a virus expert and definitely know little of that infection. I would run GetSusp from here, adding your email details in the preferences, to see if McAfee sees anything suspect.
That said, info on the original version is here.
Maybe the question needs asking on a malware forum, though another mod or user might chime in. Sorry I could not assist more.
I have to say the same as Tony: I am no virus expert either. As you stated, you detected a "variant" of the PinkSlipBot worm as defined by McAfee. Each anti-virus vendor has its own names for such malware infections. http://www.threatexpert.com/threats/w32-pinkslipbot.html
You seem to have taken the proper steps to assure your systems are clean. I would do as PeaceKeeper suggested and run the latest GetSusp tool. Then I would download the latest McAfee Rootkit Remover, save it to the desktop, and close all applications. Open the saved folder, right-click the tool, and run it as Administrator.
I would follow up with Hitman Pro. This infection has different classifications, primarily known as a "PWS", which could explain why it seemingly lies dormant until it is user-activated. If further concerned, as Tony suggested, you can consult a malware forum.
Moved this to Corporate User Assistance in Malware Discussion as I suspect this is a corporate environment, no?
Probably propagated through network shares, plugged-in flash drives or other gadgets, or email, to offer just a few suggestions?
Hopefully someone with corporate experience will offer their thoughts.
I can move this to ePO if you'd prefer, it may elicit more comments there I suppose.
Message was edited by: Ex_Brit on 19/03/14 7:05:45 EDT AM
Yes, this is a corporate network.
I suppose the virus could've been written to lie dormant, waiting for some specific action before executing and infecting the computers. It's just weird that it infected two computers but not the others. Makes me worry I've missed something.