Real experience: a network administrator's summary of a virus removal

Source: Internet
Author: User
Tags: win32, root directory, firewall

Mr. A has three years of network management experience. Before joining Company B as network administrator, his skills gave his former company's IT platform strong support for more than two years, and no major problems ever appeared. Since joining Company B two months ago he has been puzzled: every day he is exhausted from fire-fighting for Company B's IT systems.

Company B's computer network environment is very good: a NetScreen 25 firewall serves as the border firewall and at the same time as the broadband router. The firewall has four network interfaces; one connects to the ADSL line, and the other three connect to three VLANs, each on its own 3COM 10/100 Gigabit switch. The entire company has about 60 computers, of which 47 are laptops. The four servers and five network printers form one VLAN, the notebooks form a second VLAN, and the desktops form a third.

McAfee 8.5i is used as the client-side anti-virus software; on every computer it is set to update daily and run a full scan once a week. Given Company B's number of computers, with both a hardware firewall and client anti-virus software, a network administrator's job should be very relaxed! Instead it has been the opposite: since Mr. A joined Company B, one word sums it up, and that word is "tired"!

Case in point: at the end of November, Company B's network again suffered a large-scale virus outbreak. Mr. A worked three days of day-and-night overtime, reinstalled the operating system on 7 machines, and ran anti-virus scans across all computers on the network before the virus was finally cleared and the network returned to normal. He then summoned up the courage to write the report on the end-of-November virus attack for his boss. The incident report follows:

Network Virus Failure Analysis:

1. McAfee anti-virus software kept popping up alarm windows reporting that viruses were found in files such as C:\autorun.inf, D:\autorun.inf and E:\autorun.inf.

2. Internet Explorer kept opening the Http://mysupport.mcafee.com window, which slowed the computer down until it could not be used.

3. Pressing Ctrl+Alt+Del showed Task Manager greyed out; after modifying the registry to re-enable Task Manager, it showed dozens of reg.exe processes.

4. The root directories of the C, D and E drives (and others) automatically generated Autorun.inf files and SOS.exe files with the hidden and read-only attributes.

Analysis showed that the company was infected with a malicious program that security vendors identify as Trojan-downloader.win32.delf.gen. Variants of this virus are released quickly, and this variant evades detection by most anti-virus software.

The virus program injects malicious iframe code into web page files and spreads the Trojan through a variety of system and application vulnerabilities; it also drops Autorun.inf files, with the corresponding executables, to abuse the system's AutoRun feature. At the same time, several viruses repeatedly infect the same machines, so the infection spreads rapidly across the internal network.

Virus Name: Trojan-downloader.win32.delf.gen

Virus type: Trojan Horse downloader

Virus behavior: after the program is run, it releases the files %system%\systom.exe and %system%\autorun.inf.

It also releases the files Sos.exe and Autorun.inf into the root of every disk partition. In the large-scale infection, in addition to the main virus described above, a variety of different viruses attacked together, leaving many of the company's computers unable to work normally.
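A small detection helper for the pattern described above (an added example, not the author's or the vendor's tooling): it parses an autorun.inf, extracts the commands Windows would launch from the `[autorun]` section, and flags a volume root whose autorun.inf points at a program stored in that same root, as with SOS.exe here. The demo drive root, its autorun.inf content and the empty SOS.exe stand-in are constructed for the example; the hidden/system attribute check only yields data on Windows.

```python
import configparser
import os
import tempfile

# [autorun] keys that make Windows launch a program from the volume root.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def parse_autorun(text):
    """Return the commands an autorun.inf would launch (empty list if none)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # malformed file: treat as nothing to launch
    name = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if name is None:
        return []
    sec = cp[name]  # option names are lower-cased by configparser
    return [sec[k].strip() for k in LAUNCH_KEYS if k in sec]

def scan_root(root):
    """Flag a volume root whose autorun.inf points at a program kept in that
    same root (the SOS.exe pattern). Returns a finding dict, or None if clean."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, encoding="utf-8", errors="replace") as fh:
        commands = parse_autorun(fh.read())
    targets, seen = [], set()
    for cmd in commands:
        exe = cmd.split()[0].strip('"') if cmd.split() else ""
        path = os.path.join(root, exe)
        if exe and path not in seen and os.path.isfile(path):
            seen.add(path)
            attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows only
            targets.append({"path": path, "hidden_system": (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM})
    return {"autorun": inf, "commands": commands, "targets": targets} if commands else None

def build_demo_volume():
    """Throwaway directory mimicking an infected drive root (constructed sample)."""
    root = tempfile.mkdtemp(prefix="demo_root_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=SOS.exe\nshellexecute=SOS.exe\nshell\\open\\command=SOS.exe\n")
    open(os.path.join(root, "SOS.exe"), "wb").close()  # empty stand-in, not malware
    return root

if __name__ == "__main__":
    print(scan_root(build_demo_volume()))
```

Running `scan_root` over each mounted volume root (C:\, D:\, E:\ and so on) reproduces the symptom in point 4 of the report as a check rather than an alarm window.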
