Script Checking for Funlove virus 
 Script Checking for Funlove virus

We have recently been hit with the Funlove virus pretty bad on our network
at work.  Several servers have been infected so bad we have had to rebuild
them.  To see if we can find all copies of it, I am looking for a way to see
if the FLC service is running on the server via a script I run remotely.
How would I do this?

thanks,

Jason



Tue, 13 May 2003 15:32:24 GMT  
 Script Checking for Funlove virus


Quote:
> We have recently been hit with the Funlove virus pretty bad on our network
> at work.  Several servers have been infected so bad we have had to rebuild
> them.  To see if we can find all copies of it, I am looking for a way to see
> if the FLC service is running on the server via a script I run remotely.
> How would I do this?

I'm not sure, but why would you do something like this anyway? What's wrong
with your antivirus software?


Wed, 14 May 2003 03:26:19 GMT  
 Script Checking for Funlove virus
This is a good question. Generally, large corporations with large
networks to protect must very carefully examine their desktop and
server configurations, how their antivirus software is configured throughout
the intranet. Generally it is not sufficient to assume that just because
antivirus software is deployed, that your network is protected. End users
can often reconfigure settings (say, to NOT scan all file types, for example).
Current virus trends often exercise poorly configured network share
privileges (shared writeable system drives, for example).

IT professionals should proactively scan their networks for status on poorly
shared shares, services running on ports that may indicate malicious activity
etc. The exact strategy will depend on the OSs deployed, the architecture
of the network and the level of paranoia :)

For the specific case of Funlove, one must read the antivirus vendors' status
and solutions. Infected machines usually indicate a combination of non-timely
up-to-date virus definitions, along with an infection path (shared writeable folder).

In this case, one might scan a network proactively looking, for example, for a
shared system drive with C:\windows\system\flcss.exe present.

There are several approaches to writing such monitor network scripts (for
example wsh win32 scripts). Since such scripts are likely to be quite
powerful, it is important to properly support the development effort, and
ensure that the developers really understand network scripting.

Cheers,
 -- Mitch Gallant


Wed, 14 May 2003 08:06:02 GMT  
 Script Checking for Funlove virus
Well, it seems that some servers never had any antivirus software installed
on them or else their existing software is outdated (it has not been updated
since April).  In reality, the reason there is none or out of date
software has to do with the fact that we are in the middle of the transition
of our IT from 1 outsourcing company to another and as soon as the first
lost their contract, they stopped doing some of their functions such as
this.  The problem is that some of our servers still sit at their location
and they have told us that if we roll out our antivirus software on the
servers at their location, that they will no longer in any way support
them.  This issue is above me, it is more political than anything, I am just
trying to stop the damn virus.

We are running NT4 sp3/5/6a for these servers.  All I want to do here is
check to see if flcss.exe exists; if it exists, stop the service and output it to a
file.  If it does not exist, create a directory called flcss.exe in
\winnt\system32 so it cannot be infected and output that to a file.  My
question is how to get the remote script to enumerate through a list of
servers.  Once I have a list of infected servers, then I can deal with it
since those servers will require special handling.  Any help is appreciated.

Jason




Wed, 14 May 2003 03:00:00 GMT  
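
One way to do the sweep asked about in the last post, as an added example that is not code from any poster in the thread. It is written in Python rather than as a WSH script, and it assumes each server's ADMIN$ share maps to its system root and is reachable with the operator's credentials, that `sc` is on the PATH of the machine running it, and that the `srv-*` names are constructed placeholders.

```python
import os
import subprocess
import tempfile

SERVICE = "FLC"        # service name as given in the thread
MARKER = "flcss.exe"   # file name as given in the thread

def system32(server, root=None):
    # Default: the ADMIN$ share (assumed to map to %SystemRoot%).
    # `root` lets a local directory tree stand in for the network.
    if root is None:
        return r"\\{}\ADMIN$\system32".format(server)
    return os.path.join(root, server, "system32")

def stop_service(server):
    # Ask the remote service control manager to stop the service.
    subprocess.run(["sc", r"\\" + server, "stop", SERVICE], check=False)

def sweep(servers, report_path, root=None, stop=stop_service):
    """Classify every server and write one 'server<TAB>status' line each."""
    results = {}
    for server in servers:
        target = os.path.join(system32(server, root), MARKER)
        try:
            if os.path.isfile(target):
                stop(server)          # file present: stop service, keep file
                results[server] = "INFECTED"
            elif os.path.isdir(target):
                results[server] = "ALREADY_BLOCKED"
            else:
                os.mkdir(target)      # a directory now occupies the file name
                results[server] = "BLOCKED"
        except OSError as exc:        # unreachable host, access denied, ...
            results[server] = "ERROR: {}".format(exc.strerror or exc)
    with open(report_path, "w") as fh:
        for server, status in results.items():
            fh.write("{}\t{}\n".format(server, status))
    return results

if __name__ == "__main__":
    # Constructed demo: a temp tree imitates two reachable servers
    # (srv-a carries the file) and one unreachable server (srv-c).
    root = tempfile.mkdtemp()
    for name in ("srv-a", "srv-b"):
        os.makedirs(os.path.join(root, name, "system32"))
    open(os.path.join(root, "srv-a", "system32", MARKER), "w").close()
    print(sweep(["srv-a", "srv-b", "srv-c"], os.path.join(root, "report.txt"),
                root=root, stop=lambda server: None))
```

A server that cannot be reached ends up as `ERROR` because the directory creation fails, so it is never silently counted as clean.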
 