A client recently had a laptop that was infected with a virus and lots of spyware. The company cleaned the laptop and gave it back to the user. A few days later, the client called to tell me that Internet access was down at one of its remote locations. I went to the remote site to troubleshoot the Internet connection. The firewall was getting bombarded with so many packets that the firewall was crashing.
I looked at the server and examined the registry run keys. I discovered the virus bling.exe in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry subkey. Spyware Exterminator was loaded on the Windows 2000 server, but when the spyware software tried to download the most recent pattern files from the Internet, the machine froze. I restarted the machine, but it refused to boot because the server couldn't load one of the system files. I tried to run both Safe Mode and the Recovery Console (RC), but I was unsuccessful. Most likely the virus had corrupted one or more of the system32 files or the disk partition.
After several attempts to rescue the server failed, I decided to rebuild the server from scratch. Fortunately, the server was software-mirrored, so I broke the mirror and saved a copy of the data on the mirrored disk. Next, I formatted one of the disks and reinstalled Win2K. Because the server was infected with at least one virus, I didn’t want to restore from tape and reinfect the server, so I ran Dcpromo on the server to make it a domain controller (DC). Then I manually reinstalled all the programs (Win2K Service Pack 4—SP4, Critical Updates, VERITAS Software Backup Exec, Norton Antivirus (NAV) Corporate, Microsoft Exchange 2000 Server with SP3, and Symantec Mail Security for Exchange) on the server. I then reconnected the mirrored disk and copied all the server data files from the old mirrored disk to the new disk. After I confirmed that all the data was intact, I made a backup of the server. Then I formatted the secondary mirrored disk and remirrored the disks. This process restored the server to its earlier state without the bling virus. Next, I examined each workstation's registry. Almost all of them had either the bling.exe or msmacroprotxz.exe virus in the run keys. Even with the most recent pattern files, NAV Corporate didn't identify these programs as viruses. I submitted the programs to Symantec and received confirmation that they were both infected with the W32.Spybot worm. Symantec directed me to a location to download a beta virus pattern that identified these files as viruses. Because of the bad experience with the server, I attempted to manually clean the workstations. I opened Microsoft Task Manager on each infected machine and noticed that bling.exe was running as a process. I was unable to kill the process via the Task Manager, so I downloaded Sysinternals Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. Process Explorer let me kill the process. After doing so, I was able to delete bling.exe from the hard disk.
When bling.exe infects your system, it typically downloads other virus or spyware programs to the computer. On severely infected machines, I found more than eight spyware programs. I discovered the spyware by examining the registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkeys. Bling.exe also created additional OLE entries in the registry. I suggest you search the entire registry for bling.exe and delete any references to bling.exe after you kill the process and remove it from your hard disk.
Many other computers on the LAN and WAN were infected with the same virus, but the antivirus software was now detecting the virus and preventing it from spreading to other computers. Cleaning up the virus kept my company busy for the next few days. After the initial emergency was over, I took another look at the laptop that was originally infected. I discovered that the user’s firewall had failed. Unfortunately, the user was savvy enough to know how to connect the laptop directly to the DSL line without any firewall protection. The laptop became infected while the user surfed the Web unprotected. The user then brought the laptop into the office, and it infected the entire corporate network. This user is now well aware of the dangers of surfing the Internet without a firewall. I'm currently working on a procedure to quarantine any laptops to ensure they're virus free before they can connect to the corporate network.
Tip: DNS Replication Problems
I recently ran into problems when I tried to run Adprep on a Win2K DC to introduce a Windows Server 2003 machine as a DC. Adprep/forestprep would fail with an Error 52 message when I attempted to run the program on the Win2K Schema Master. It turns out that another DC had the Active Directory (AD) domain installed in a secondary DNS zone instead of an AD-integrated zone. To fix the problem, I ran Dcpromo on the DC that had the AD domain installed in a secondary zone. Dcpromo automatically placed the DNS server into AD-integrated mode. As you know, configuring a DC with an AD domain configured in a secondary DNS zone can cause problems with AD name resolution. If the computer is a DC, make sure that it has the AD domain installed in an AD-integrated zone.
