[RESOLVED] Tracking the person who keeps infecting with VBS.LOVELETTER

February 6th, 2001, 01:44 PM

Here at my work we keep getting infected every month or two with the columbia variation of the VBS.LOVELETTER virus. We are almost positive that we are being infected internally by someone that has archived the virus onto a floppy or CD-R since it is always the same virus. We run NT4.0 and Win2k only. We find the files and delete all the infected ones but someone keeps infecting us. How can I track where the virus is being introduced, can I track one of the VBS files through sever logs? Any help would be greatly appreciated.

February 6th, 2001, 03:52 PM

You should have antivirus clients with updated signatures installed on all network workstations to pick up the virus before it can do anything. I use CA InoculateIT at work and if somebody shuts down their antivirus client, the server terminates their network connection automatically! I also have virus scanner running on the server for maximum protection. We have never been infected since using this setup.

The other option is to remove the file association for VBS so the script can't run anymore. Most people never need Visual Basic Scripting anyway. You can also download this free tool http://www.cerberus-infosec.co.uk/vf.exe that will go through the registry and remove any VBS related extensions so the VBS related viruses can't do anything.

Don't try to track the virus manually, you are wasting your time.

Good luck in your hunt.

------------------
sHIFT hAPPENS11

thirdfey · February 6th, 2001, 09:27 PM

are you auditing your network? if so, the vbs virus goes out and looks for every drive either local or mapped to rename the picture files and such, so setup auditing to track down when files are changed. to make this easier on your security log setup a dummy folder with a bunch of file types that the virus attacks and audit up the but. So the next time you get hit with the virus and gets to the folder in a network drive, you can see in the security log the username that did it, setup a dummy folder in each of your shares if need be. That should do it for you I would think.

------------------
we are number one, all others are number two......or lower

February 6th, 2001, 01:44 PM	#1
cerebralcortex Guest Posts: n/a	Tracking the person who keeps infecting with VBS.LOVELETTER Here at my work we keep getting infected every month or two with the columbia variation of the VBS.LOVELETTER virus. We are almost positive that we are being infected internally by someone that has archived the virus onto a floppy or CD-R since it is always the same virus. We run NT4.0 and Win2k only. We find the files and delete all the infected ones but someone keeps infecting us. How can I track where the virus is being introduced, can I track one of the VBS files through sever logs? Any help would be greatly appreciated.

February 6th, 2001, 09:27 PM	#3
thirdfey Registered User Join Date: Jun 2000 Location: Pinehurst, NC USA Posts: 1,887	are you auditing your network? if so, the vbs virus goes out and looks for every drive either local or mapped to rename the picture files and such, so setup auditing to track down when files are changed. to make this easier on your security log setup a dummy folder with a bunch of file types that the virus attacks and audit up the but. So the next time you get hit with the virus and gets to the folder in a network drive, you can see in the security log the username that did it, setup a dummy folder in each of your shares if need be. That should do it for you I would think. ------------------ we are number one, all others are number two......or lower __________________ I'd rather be riding my motorcycle "I gotta have more cowbell, baby" Bruce Dickinson(Christopher Walken)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

February 6th, 2001, 03:52 PM	#2
MacGyver Guest Posts: n/a	You should have antivirus clients with updated signatures installed on all network workstations to pick up the virus before it can do anything. I use CA InoculateIT at work and if somebody shuts down their antivirus client, the server terminates their network connection automatically! I also have virus scanner running on the server for maximum protection. We have never been infected since using this setup. The other option is to remove the file association for VBS so the script can't run anymore. Most people never need Visual Basic Scripting anyway. You can also download this free tool http://www.cerberus-infosec.co.uk/vf.exe that will go through the registry and remove any VBS related extensions so the VBS related viruses can't do anything. Don't try to track the virus manually, you are wasting your time. Good luck in your hunt. ------------------ sHIFT hAPPENS11