Possible virus spreading?

[sidewinder]

Ive set Sophos to alert me whenever it finds a virus, and normally I get about 1 a day

Today however, Ive had about 30, all with the same viruses, so it looks like it could be spreading.

Thing is, all the reports say the file has been deleted, so the infection is gone. And how can it spread if its deleted?

Not noticed any network performance decrease, nothing is really happening at all, and 30 computers out of 400 odd that are on at the minute isnt much. But Im just a bit concerned

These are the 3 viruses that make up almost all of the alerts:

Virus 'Troj/Psyme-DL' has been detected in "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\LJD21B4L\new[1].htm". Cleanup unavailable.

Infected file "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\LJD21B4L\new[1].htm" has been deleted.

---

Virus 'Troj/Agent-DXR' has been detected in "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp2[1].htm". Cleanup unavailable.

Infected file "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp2[1].htm" has been deleted.

---

Virus 'Troj/CoreSrv-A' has been detected in "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp5[1].htm". Cleanup unavailable.

Infected file "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp5[1].htm" has been deleted.

---


Had a look on the net and they just look to be adware downloaders or something similar

[MK-2]

We thought we had one today. NAV had stopped updating on a whole suite. A few of the machines were just freezing up and refusing to reboot at times. Couldn't run NAV with updated definitions so had no way to check.
Ghosted it and it still done it.

Found out that the 'variable cpu fan control' that the motherboard does has decided that the best speed for the cpu fan is off at times.
FunFunFun

[alan-d]

I've been monitoring one student that brings a usb stick in - loads an .exe it and finds that Sophos has deleted it

She's been trying for a week now - just waiting for her to come and see us to complain

[sidewinder]

Came back from lunch and theres another 30/40 alerts

Ive noticed that all the alerts for these specific viruses seem to be coming from users all in the same year group.

Thinking it might be a web site that they're telling each other about and they're all going on it. Just need to catch one of the buggers at it to see what it is

[TechMonkey]

Ive set Sophos to alert me whenever it finds a virus, and normally I get about 1 a day

Today however, Ive had about 30, all with the same viruses, so it looks like it could be spreading.

Thing is, all the reports say the file has been deleted, so the infection is gone. And how can it spread if its deleted?

Not noticed any network performance decrease, nothing is really happening at all, and 30 computers out of 400 odd that are on at the minute isnt much. But Im just a bit concerned

These are the 3 viruses that make up almost all of the alerts:

Virus 'Troj/Psyme-DL' has been detected in "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\LJD21B4L\new[1].htm". Cleanup unavailable.

Infected file "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\LJD21B4L\new[1].htm" has been deleted.

---

Virus 'Troj/Agent-DXR' has been detected in "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp2[1].htm". Cleanup unavailable.

Infected file "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp2[1].htm" has been deleted.

---

Virus 'Troj/CoreSrv-A' has been detected in "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp5[1].htm". Cleanup unavailable.

Infected file "C:\Documents and Settings\kkturl\Local Settings\Temporary Internet Files\Content.IE5\RWQ14NIJ\exp5[1].htm" has been deleted.

---


Had a look on the net and they just look to be adware downloaders or something similar

When they are in the temp internet files it normally means there is a website or popup trying to do something. This many points to a popular website going around thorugh word of mouth or someone using it lots as they go around. Only way we have found to track the website down is to search our internet logs on the Proxy for the htm page minus the number in square brackets, so exp5.htm. Then filter the website.