2 Replies Latest reply on May 26, 2010 5:12 AM by robindefoe

    Roaming Profile Infected by a Trojan

    robindefoe

      Hi

      We use VirusScan Enterprise v8.7 on all of our machines, updated by an ePO 4.5 Server. An alert popped up indicating that PWS-Zbot!remnant had been found on one of the PCs. ePO stated that "file infected. Undetermined clean error, delete failed".

       

      The user was trying to log in to a call centre website and the alert popped up when she did so. Assuming it was a problem with the machine, she switched to another and got the same message. After investigation I was able to ascertain that if she tried to log in to the website on a machine logged in under somebody else's profile there was no problem. Further, I determined that logged in under her profile, accessing the website under a different user identity threw up an alert.

      Having tried to clean the infection unsuccessfully, I was left with no alternative but to delete the user's profile and then remove the roaming profile from all PCs and the Server. Having done this, I re-created the user's profile and everything returned to normal.

      Now I'm left with two questions; the obvious one being how did the trojan get past our defences? (Bearing in mind that I check that DAT updates are taking place every day.) The second question: the reason for using roaming profiles is so that people can jump on to any available machine, so in a case such as this I might have to deal with five machines or more. Is there no way of scanning and cleaning the trojan from roaming profiles?

      Thanks in advance.

      Robin
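An added example, not from this thread and not McAfee's tooling, for the "five machines or more" problem above: a PowerShell script that, given the user name, locates every copy of that roaming profile (the master on the profile share plus the local caches on each PC the user may have logged on to), lists recently modified files in each copy as scan candidates, and optionally deletes the local caches once the profile has been rebuilt. The PC names, the profile share path and the assumption that the running account can reach each PC's `C$` admin share are placeholders.

```powershell
# Added example (not from the thread). Finds every cached copy of one user's
# roaming profile so each copy can be scanned and, once the profile has been
# rebuilt, removed. Placeholders: the PC list, the profile share path, and
# admin-share (C$) access to each PC for the account running this script.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [string[]]$Computers = @('PC01', 'PC02', 'PC03'),
    [string]$ProfileShare = '\\FILESERVER\Profiles',
    [int]$ModifiedWithinDays = 7,
    [switch]$Remove
)

# Candidate locations of a locally cached profile on XP and on Vista/7.
function Get-ProfileCandidates {
    param([string]$Computer, [string]$User)
    @(
        "\\$Computer\C$\Documents and Settings\$User",
        "\\$Computer\C$\Users\$User"
    )
}

# Collect every copy that actually exists: the server master plus local caches.
$copies = @()
$serverCopy = Join-Path $ProfileShare $UserName
if (Test-Path -LiteralPath $serverCopy) { $copies += $serverCopy }
foreach ($pc in $Computers) {
    foreach ($path in (Get-ProfileCandidates -Computer $pc -User $UserName)) {
        if (Test-Path -LiteralPath $path) { $copies += $path }
    }
}

if ($copies.Count -eq 0) {
    Write-Host "No profile copies found for $UserName"
    return
}

$cutoff = (Get-Date).AddDays(-$ModifiedWithinDays)
foreach ($copy in $copies) {
    Write-Host "== $copy"
    # Triage: files written recently inside the profile are the first things to
    # hand to the on-demand scanner and to compare between the copies.
    Get-ChildItem -LiteralPath $copy -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize

    if ($Remove) {
        # Remove local caches only, never the master on the share; a cache that
        # is still in use (user logged on) is locked and the removal fails.
        if ($copy -like "$ProfileShare*") {
            Write-Warning "Skipping server master copy: $copy"
        } else {
            try {
                Remove-Item -LiteralPath $copy -Recurse -Force -ErrorAction Stop
                Write-Host "Removed $copy"
            } catch {
                Write-Warning "Could not remove $copy (user still logged on?): $_"
            }
        }
    }
}
```

Run it first without `-Remove` to see where the profile has been cached and what changed recently, scan those copies, and only pass `-Remove` after the user is logged off everywhere. On Vista/7, deleting the directory alone leaves the profile's entry under the `ProfileList` registry key behind; the clean way there is System Properties > User Profiles (or the `Win32_UserProfile` WMI class), which removes both.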

        • 1. Re: Roaming Profile Infected by a Trojan
          pato

          Hi Robin

          The main problem here is the Virus and McAfee's (and also other vendors') lack of detection of it.

          As you stated, you had (or still have) PWS-Zbot. Some information about it: http://vil.nai.com/vil/content/v_143802.htm

          This Virus gets updated nearly every day, which means it's close to impossible to catch the latest variants of it.

          Here is some more information (and also a good program to maybe get rid of it): http://www.spywareremove.com/removeTrojanZbot.html

          As you see, this virus can/will catch all passwords, credit card numbers, lower PC security settings, and and and.

          Here is a site where you can see the current virus scanner detection rate of the several existing files: https://zeustracker.abuse.ch/monitor.php

          But now to the question on how it got onto the PC. I fear you have on that website a new variant which wasn't or still isn't completely detected by McAfee (the virus is made of several components with several files, if the infection is successful). But only having it on the website isn't enough to catch it; you also seem to have an outdated plugin in that browser. So check the most dangerous plugins (Flash, Shockwave, PDF reader (also alternative programs, not just Adobe ones) and Java) first to see if they are up to date. If they aren't, then the virus has an easy way onto the PC.

          Are those up to date on your PC?

          I hope this helps a little.

          Pato
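An added example, not from this thread and not McAfee's or any vendor's tooling, for the plugin check Pato recommends: a PowerShell script that reads the Windows Uninstall registry keys (32- and 64-bit views) on each listed PC and reports the installed product name and version for the plugin families named in the reply (Java, Flash, Shockwave, Adobe and alternative PDF readers), so out-of-date installs can be spotted across the fleet. The PC names are placeholders; it assumes the Remote Registry service is reachable on each PC and that the running account has rights to read HKLM there.

```powershell
# Added example (not from the thread). Inventories the browser plugin families
# named in the reply (Java, Flash, Shockwave, PDF readers) from the Uninstall
# registry keys so outdated versions can be found and patched. Placeholders:
# the PC list; assumes Remote Registry access and read rights on HKLM.
param(
    [string[]]$Computers = @($env:COMPUTERNAME)
)

# DisplayName patterns for the plugin families to report on (extend as needed).
$patterns = @('Java', 'Flash', 'Shockwave', 'Adobe Reader', 'Acrobat Reader',
              'Foxit', 'Sumatra', 'Nitro')

# Both the native and the 32-bit-on-64-bit (Wow6432Node) Uninstall keys.
$uninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-PluginInventory {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    foreach ($keyPath in $uninstallKeys) {
        $key = $hive.OpenSubKey($keyPath)
        if ($key -eq $null) { continue }   # e.g. no Wow6432Node on 32-bit XP
        foreach ($sub in $key.GetSubKeyNames()) {
            $entry = $key.OpenSubKey($sub)
            $name = $entry.GetValue('DisplayName')
            if (-not $name) { continue }
            foreach ($p in $patterns) {
                if ($name -like "*$p*") {
                    New-Object PSObject -Property @{
                        Computer  = $Computer
                        Product   = $name
                        Version   = $entry.GetValue('DisplayVersion')
                        Installed = $entry.GetValue('InstallDate')
                    }
                    break
                }
            }
        }
    }
    $hive.Close()
}

$Computers | ForEach-Object { Get-PluginInventory -Computer $_ } |
    Sort-Object Product, Computer |
    Format-Table Computer, Product, Version, Installed -AutoSize
```

Sorting by product makes version drift between machines stand out: two PCs with different Java versions in the same column is exactly the "one machine is fine, the other is not" situation described in the thread. Java in particular can leave older releases installed side by side, so each one shows up as its own row here.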
          • 2. Re: Roaming Profile Infected by a Trojan
            robindefoe

            Thanks for your reply Pato, it was really helpful.

            My guess is that the trojan was picked up from a different website in the first instance (before an appropriate DAT update caught it). Then, every time the user tried to log in to this site (and maybe it could have been any site that required a login), the now updated DAT caught it.

            You were right to question the possibility of plugins being outdated. The site in question requires Java, but when I originally installed it they had advised against using the latest version. I've now contacted them and asked why I can't use v6.20 (and told them this is for security reasons).

            Regards

            Robin