Unknown Virus Attack on NT IIS Server

Our NT Server running IIS is attacked by an unknown virus. We've used virus scanning software like Norton and McAfee to scan but cannot find any virus.

However, the content of all our programs with htm and asp extensions is automatically overwritten by a 1kb file (containing some Chinese phrases).

After we recovered the programs and files, it got overwritten again the next day. We just applied the latest cumulative IIS patch from the Microsoft website.

Please advise how to scan for and detect the virus, and recover from it.

Thanks.
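As an added example (not part of the thread), a small Python check a defender could run against the web root: it baselines the SHA-256 of every .htm/.asp file, reports which ones changed since the baseline, and flags changed files that match the symptom described above (a file of roughly 1 KB consisting mostly of Chinese text). The GB2312 fallback, the 2 KB size limit, the 30% ratio and the sample pages are assumptions for the demo.

```python
import hashlib
import os
import tempfile

def baseline(webroot):
    """Map each .htm/.asp file under webroot (relative path) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith((".htm", ".html", ".asp")):
                with open(os.path.join(dirpath, name), "rb") as f:
                    hashes[os.path.relpath(f.name, webroot)] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def looks_like_defacement(data, max_size=2048):
    """Heuristic for the thread's symptom: a file of about 1 KB made mostly of Chinese text."""
    if len(data) > max_size:
        return False
    for enc in ("utf-8", "gb2312"):  # assumption: NT-era pages may be GB2312-encoded
        try:
            text = data.decode(enc).strip()
        except UnicodeDecodeError:
            continue
        cjk = sum(1 for ch in text if "\u4e00" <= ch <= "\u9fff")
        return cjk > 0 and cjk >= 0.3 * len(text)
    return False

def check(webroot, known):
    """Return (changed, suspicious): files differing from the baseline, and those matching the heuristic."""
    current = baseline(webroot)
    changed = sorted(p for p in known if p in current and current[p] != known[p])
    suspicious = []
    for p in changed:
        with open(os.path.join(webroot, p), "rb") as f:
            if looks_like_defacement(f.read()):
                suspicious.append(p)
    return changed, suspicious

def demo():
    """Constructed scenario: baseline a two-page site, then overwrite one page."""
    root = tempfile.mkdtemp()
    def write(rel, body, enc="utf-8"):
        with open(os.path.join(root, rel), "w", encoding=enc) as f:
            f.write(body)
    write("index.htm", "<html><body>Welcome</body></html>")
    write("login.asp", "<% Response.Write(\"ok\") %>")
    known = baseline(root)
    # Constructed stand-in for the small Chinese-text file described in the thread
    write("login.asp", "<html>你好世界 被黑了</html>", "gb2312")
    return check(root, known)
```

Running baseline() once on a known-clean copy and check() on a schedule turns the "it got overwritten again the next day" discovery into a same-day alert that names the affected files.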



3 thoughts on “Unknown Virus Attack on NT IIS Server”

  1. Hi there,

    The results of our search returned the following:

    Firstly, you definitely need to make sure that the virus scanning software you are using has the most updated virus definitions (Norton can do this automatically through the LiveUpdate feature). Running a virus scan without having updated definitions is pointless if the virus is newer than the program update.

    An excellent resource for any security threat is:
    http://www.sarc.com/

    The Microsoft IIS server has had many security-related issues in the past, but since you have applied the latest patch you will be safe according to Microsoft. This essentially means that they are not aware of any additional holes in the software at this time. MS has released an information document regarding IIS and security issues here:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172925

    The issue that should concern you most at this point is whether or not this is a boot-sector virus. In essence, this type of virus writes itself to the BIOS (Basic Input Output System) so that the virus re-infects the system each time the computer is started up. For more information on some of these terms, please see:
    http://www.mcafee.com/anti-virus/virus_glossary.asp?

    If this is the case (you won't know until identifying the virus) you will need to rewrite your BIOS. This will wipe out the virus so that it is unable to reinfect the system on startup. The process involved in doing so depends on the motherboard in your system (please consult the motherboard manual or online resource of the manufacturer).

    This link contains an example of a boot-sector virus that affects the Flash-BIOS; it's worth reading in order to understand in detail how these viruses work:
    ://www.google.ca/search?q=cache:-CNuGFOzL1sC:www.vibert.ca/vn98007.pdf+rewrite+BIOS+boot+virus&hl=en

    PREVENTING FURTHER INFECTIONS:

    There are many alternatives to at least attempting to secure your system from further attacks:

    1. Virus scanner – you mentioned that you scanned when looking for the virus after infection had occurred, but are scans a regular process? They should be done about once a week. Make sure you keep up to date with definitions as well.

    Be sure to activate the option available in most virus scanners so that any information coming into or moving out of your system is scanned before transmission.

    2. Firewalls – there are many products on the market that provide a secure barrier between your system and attacks. While they are not extremely useful for preventing viruses, it's important to remember that viruses are not the only thing that can affect the stability of a system.

    Here is an informative FAQ on firewalls…any questions you may have will be answered here:
    http://www.interhack.net/pubs/fwfaq/

    This is a commentary on how to secure public web servers:
    http://www.interhack.net/pubs/nist-w3sec/

    Here is some additional information on how firewalls work:
    http://grc.com/su-firewalls.htm

    If you have any additional questions feel free to post a clarification 🙂

    Hope this helps!

    answerguru

  2. Thanks for the prompt reply.

    I've used the latest update of virus definitions for Norton, McAfee and AVG but no virus is found. What should I do?

  3. Hi,

    If the virus cannot be found with the latest definitions, then one of the following is true:

    1. The virus is not yet listed in the definitions (unlikely since they are both up to date as of yesterday)

    2. This is not a virus (i.e. there is another form of security breach in your system)

    Question:
    Has this problem occurred again after the second time?

    Solution:
    The first thing to be done is to rewrite the BIOS. If you have your information backed up elsewhere and are bringing it back in each time, that may be the problem (you are reinfecting yourself).

    Remember that if you have installed the latest IIS patch and nothing has gone wrong since, then you may have avoided the problem altogether. Investing in a firewall (either software or hardware) is definitely a good idea so that future issues are avoided.

    answerguru
