Local profiles being created w/o authorization (using domain accounts)


tj.patterson
Recently, we have discovered that various local profiles have been created on different computers on our network. We are running around 1,000 to 1,200 computers, in an Active Directory environment.

Also, we are finding 1.exe and 2.exe running on these machines, and NTVDM.exe running anywhere from 95% to 100% CPU at a constant rate. Google searching concluded that this relates to terminal service servers running mixes of 16-bit and 32-bit apps. One of my colleagues found that RADIUS may be a factor. We took our recently created RADIUS server offline.

To give you an idea of how large scale this issue appears: I am the only one who actively logs on to my computer, using domain credentials. We don't use local accounts, except for administrator. There are a few other users who seldom log on. My computer normally houses about 7 profiles. Today, I had 60 profiles on my computer. None of those users ever logged in to my computer.

In addition to this, many of these profiles belong to high-profile users in the school corporation, such as administrators. However, these users don't have any type of Domain Admin access at all.

In reference to the NTVDM.exe, there is one particular AD account that seems to be running the process. His account was disabled today. However, this did not stop the process from randomly appearing on our network.

We have a subnetted network, but we do not have the subnets VLANed out.

The profiles that keep creating themselves on machines are spreading throughout our network. Not all of these profiles pop up on each computer, but certain ones are on nearly every one we have found infected.

Only one of our servers (thankfully) has had the profiles pop up. It was not a domain controller, but it is a server that is joined to the domain. We run a Server 2003 Native environment.

I don't know if this is related or not, but we did find a machine that was performing HEAVY WAN traffic. We had the computer shut down. This may or may not be the cause, but since it is frozen with Deep Freeze we are unable to view logs. Our best luck with that is questioning people as to who was using the machine at the time.

Hopefully this info isn't too terribly scattered. Any help would be great! 5 of us (6 in our dept) worked for 8 hours today trying to isolate and determine what was going on.
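The pattern described in the post (a workstation that normally holds about 7 profiles suddenly holding 60, with certain accounts appearing on nearly every affected machine) can be triaged from a simple inventory of profile directories and their creation times. The following is an added example, not code from the post or its replies; the host names, account names and timestamps in the sample are constructed, and the two thresholds (more than 5 profiles in one day, an account present on 80% of flagged hosts) are assumptions to tune for your environment.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of local profile directories seen on three hosts, with
# their creation times (e.g. exported from the profile folders' timestamps).
# Host names, account names and times are made up for this example.
PROFILES = [
    ("ws-001", "Administrator", "2008-09-01 10:00"),
    ("ws-001", "tj.patterson",  "2008-09-10 08:00"),
    ("ws-001", "admin1",        "2008-09-15 09:12"),
    ("ws-001", "admin2",        "2008-09-15 09:13"),
    ("ws-001", "admin3",        "2008-09-15 09:14"),
    ("ws-001", "svcacct",       "2008-09-15 10:40"),
    ("ws-001", "user7",         "2008-09-15 11:05"),
    ("ws-001", "user8",         "2008-09-15 12:30"),
    ("ws-002", "jdoe",          "2008-09-02 08:30"),
    ("ws-002", "admin1",        "2008-09-15 09:20"),
    ("ws-002", "admin2",        "2008-09-15 09:21"),
    ("ws-002", "admin3",        "2008-09-15 09:25"),
    ("ws-002", "svcacct",       "2008-09-15 10:50"),
    ("ws-002", "user9",         "2008-09-15 13:00"),
    ("ws-002", "user10",        "2008-09-15 14:10"),
    ("ws-003", "Administrator", "2008-09-01 10:00"),
    ("ws-003", "asmith",        "2008-09-03 08:00"),
]


def parse(records):
    """Turn (host, account, 'YYYY-MM-DD HH:MM') tuples into tuples carrying datetimes."""
    return [(h, u, datetime.strptime(t, "%Y-%m-%d %H:%M")) for h, u, t in records]


def burst_hosts(records, window=timedelta(days=1), threshold=5):
    """Hosts on which more than `threshold` profiles were created within any one `window`.

    A normal workstation gains a profile now and then; dozens in a day means
    something is logging on with many accounts, as described in the post.
    """
    times_by_host = defaultdict(list)
    for host, _account, created in records:
        times_by_host[host].append(created)
    flagged = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        largest = 0
        for end, t in enumerate(times):
            # slide the window start forward until the span fits inside `window`
            while t - times[start] > window:
                start += 1
            largest = max(largest, end - start + 1)
        if largest > threshold:
            flagged[host] = largest
    return flagged


def accounts_common_to(records, hosts, min_fraction=0.8):
    """Accounts whose profile exists on at least `min_fraction` of the given hosts.

    The post notes that certain profiles show up on nearly every affected
    machine; those accounts are the first candidates for a credential reset.
    """
    hosts_by_account = defaultdict(set)
    for host, account, _created in records:
        if host in hosts:
            hosts_by_account[account].add(host)
    needed = math.ceil(min_fraction * len(hosts))
    return sorted(a for a, hs in hosts_by_account.items() if len(hs) >= needed)


if __name__ == "__main__":
    recs = parse(PROFILES)
    suspect = burst_hosts(recs)
    print("hosts with a profile burst:", suspect)
    print("accounts present on most of them:", accounts_common_to(recs, set(suspect)))
```

On the constructed sample, ws-001 and ws-002 are flagged (six profiles each inside one day) and the four accounts present on both are returned; ws-003, with its two old profiles, is left alone. Feeding it a real export from every machine gives the list of hosts to isolate and the accounts whose passwords to reset first.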
    BFilmFan

    You are infected with the TROJ_SUA.A and Trojan.W32.Lineage worms.

    The answer is to scan the systems with antivirus software; get one of the free ones, like AVG (http://free.avg.com/), to use.

    You may need to set up a new machine off the LAN, put on the AV software and then have it scan systems for the infection and remove it.

    You have your work cut out for ya. Best of luck.

    r_lakdawala

    This virus is doing null sessions on your machine. In order to stop it spreading, the following things need to be done:

    1. Turn off File and Print sharing on your machines and servers (except domain controllers and file and print servers).
    2. This virus is connecting to 5 different servers with a helper.exe file, trying to download the virus from them, and you may want to block connections to these servers on your firewall. If you are using a Cisco PIX or ASA, the shun command will do that fine.

    3. List of servers it tries to connect to:
    64.239.8.185
    217.172.172.
    67.15.150.130
    61.153.3.48
    208.116.50.186

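The address list in the reply above is useful twice: as an egress blocklist, and as a way to find which internal machines have already tried to reach those servers. The following is an added example, not code from the reply or from any vendor tool; the firewall log format is invented for the example, the source addresses and timestamps are constructed, and the second indicator is kept exactly as it appears on the page (its last octet is missing) and is matched as a prefix, which is an assumption that over-matches and needs manual review.

```python
import ipaddress
import re
from collections import defaultdict

# The five addresses listed in the reply above. The second one is incomplete
# on the page (last octet missing) and is kept exactly as written; it is
# matched as a prefix below, which is an assumption that over-matches.
IOCS = ["64.239.8.185", "217.172.172.", "67.15.150.130", "61.153.3.48", "208.116.50.186"]

# Constructed firewall log excerpt (format invented for this example):
# "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <action>". Internal addresses
# are RFC 1918; 192.0.2.10 is a documentation address standing in for a
# harmless external site.
SAMPLE_LOG = """\
2008-09-15 09:12:03 10.20.4.17 -> 64.239.8.185:80 ALLOW
2008-09-15 09:12:05 10.20.4.17 -> 10.20.0.5:445 ALLOW
2008-09-15 09:13:44 10.20.7.88 -> 217.172.172.9:80 ALLOW
2008-09-15 09:14:10 10.20.9.3 -> 192.0.2.10:80 ALLOW
2008-09-15 09:15:02 10.20.4.17 -> 67.15.150.130:80 DENY
2008-09-15 09:16:30 10.20.11.250 -> 61.153.3.48:80 ALLOW
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\w+)$")


def egress_blocklist(iocs=IOCS):
    """Split the indicators into validated host addresses and incomplete prefixes.

    Only the complete addresses are safe to push straight into a firewall
    rule; a prefix entry needs a human to decide how wide to block.
    """
    exact, partial = [], []
    for ioc in iocs:
        try:
            exact.append(str(ipaddress.ip_address(ioc)))
        except ValueError:
            partial.append(ioc)
    return exact, partial


def matching_ioc(dst, iocs=IOCS):
    """Return the indicator a destination address matches, or None."""
    for ioc in iocs:
        if ioc.endswith("."):
            if dst.startswith(ioc):  # incomplete indicator: prefix match
                return ioc
        elif dst == ioc:
            return ioc
    return None


def hosts_contacting_iocs(log_text, iocs=IOCS):
    """Map each internal source address to its (time, destination, indicator, action) hits.

    A DENY still counts: the host tried to reach the download server, so it
    is infected even though the firewall stopped that particular attempt.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip it
        when, src, dst, _port, action = m.groups()
        ioc = matching_ioc(dst, iocs)
        if ioc is not None:
            hits[src].append((when, dst, ioc, action))
    return dict(hits)


if __name__ == "__main__":
    exact, partial = egress_blocklist()
    print("block outbound to:", exact, "| needs review:", partial)
    for src, events in hosts_contacting_iocs(SAMPLE_LOG).items():
        print(src, "->", [(d, a) for _, d, _, a in events])
```

Run against a real export of the firewall or proxy logs, the source addresses returned are the machines to pull off the network, and a host that appears with a DENY is still on that list: the block stopped the download, not the infection that requested it.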