Antivirus software vendors have done a good job of automating the tasks associated with virus protection—everything from updating databases to detecting and removing threats. But you may still encounter situations your antivirus program can’t handle.
Such was the case with one TechRepublic member who posted his problem in our Technical Q&A. The member’s antivirus software detected a potential threat but was unable to remove it because the file was in use. To make matters worse, the member’s hard drive began to fill up with files created by the threat.
The file in question is a known hacker tool, and other TechRepublic members quickly found information about it and offered advice on how to deal with it. If you’re faced with a similar situation, these tips will come in handy.
TechRepublic member Hiepmeister said he uses Norton Antivirus Corporate Edition (NAVCE ) v7.6 and that it detected the file ZPVZYLH.EXE on an Exchange 2000 server. NAVCE identified the program as a virus called Hacktool.Flooder but wouldn't quarantine it.
When Hiepmeister attempted to remove the file manually, he found that he couldn’t.
“I tried deleting the file myself, but it wouldn't let me; it’s saying that the file is in use.”
In addition, Hiepmeister was dealing with an escalating disk space crisis.
“My C:\winnt\temp folder has been flooded with LB.tmp files,” Hiepmeister said. “It has filled up my entire C: drive.”
Hiepmeisterwas also concerned that a hacker was getting into his system and sending out mass e-mails.
Repeated attempts to remove the detected file failed because the system reported each time that it was in use. Frustrated with his inability to eliminate the problem, Hiepmeister turned to other TechRepublic members for help.
Resources and suggestions
Hiepmeistersaid that he could find no information about the file NAVCE detected, but TechRepublic member Grant Fleming, a LAN administrator, said that the Symantec site contains a brief note about it.
“It doesn't offer much, though,” Fleming acknowledged. “Just the consolation that the newest virus definitions would detect it.”
Fleming suggested that the file might be a Trojan that a hacker implanted to compromise Hiepmeister’s system, and he added that consulting resources on similar tools might yield some useful information about how to deal with it. The hacker, Fleming felt, likely had gained full access to Hiepmeister’s system.
Other members, including IT manager Ronald Caluste, uncovered additional information, which identified the file as Hacktool.Flooder.Along with Fleming, he pointed to a more comprehensive Symantec reference page on Hacktools. These are described as nonviral tools used by hackers for a variety of purposes, from port scanning to password stealing to mail flooding.
“This particular hack tool is the kind that floods newsgroups or mailboxes with messages and mails,” Caluste said.
He also suggested that the reason Hiepmeister couldn't delete the file might be that it was running in the background performing the task of flooding e-mail accounts.
Fleming advised Hiepmeister to contact Symantec directly for help in dealing with the problem. He also suggested that Hiepmeister start the system with a boot disk, which should at least allow him to delete the tool. Member Mnacey noted that it might be possible to boot the system in safe mode to remove the file.
Fleming stressed that removing the hack tool was only the first step. He said Hiepmeister would have to perform a thorough security check on the system because it’s likely to have been breached.
“I'd say almost assuredly [the hacker] has taken actions to open other back doors,” Fleming said.
He recommended that Hiepmeister take the following steps:
- Look for user accounts the hacker may have set up.
- Check permissions to see if any users have been granted admin rights they shouldn’t have.
- Use a packet sniffer to monitor incoming and outgoing traffic to look for abnormal and suspicious activities.
These measures, Fleming said, would take care of the current problem—but he also advised Hiepmeister to take steps to prevent future intrusions and to establish a policy for handling such situations should something like this recur.
Fleming listed the following Internet resources that provide additional details on securing networks and dealing with intrusions:
- AntiOnline’s FAQ on fighting hacker attacks
- LabMice.net’s Network and System Security page
- The High Technology Crime Investigation Association (HTCIA)
- The SANS Institute
- University of Washington Senior Security Engineer Dave Dittrich’s Web site
- Insecure.org (security tools)
- Snort (open source intrusion detection)
These sites offer a variety of information, ranging from tips on securing networks to software for detecting intrusions. Collectively, the sites provide administrators with valuable information and tools to prevent attacks and effectively deal with intrusions that do occur.
Hiepmeister’sexperience shows that we can't rely solely on antivirus software to protect networks from malicious files such as Trojans and other hacker software. We also can't assume that antivirus software will always effectively deal with threats, even those it can detect. Protecting networks and handling a detected intrusion require a thorough consideration of a broad range of security issues and a solid security policy.
You can follow the tips that these TechRepublic members have offered to remove a threat such as Hacktool.Flooder, but getting rid of the file is only one part of the issue. As Fleming pointed out, you must take additional measures to ensure that the infected system is secure to prevent future attacks.