Windows Thread, Mal/Behav-043 virus outbreak in Technical
  1. #1
    tosca925's Avatar
    Join Date
    Aug 2005
    Location
    Midlands

    Mal/Behav-043 virus outbreak

    We have noticed this Mal/Behav-043 spreading around quite a few of our machines late this afternoon. Sophos picked it up but can't seem to delete it. The Sophos website http://www.sophos.com/virusinfo/anal...lbehav043.html does not give much away at all, but I noticed that protection only came out at 1-30pm today. Our Sophos Enterprise manager has updated the CID every hour since, so this is why clients have just started to pick up the virus.

    God help us tomorrow... keep your eye out as there is nothing on Google as of yet and nothing on Symantec either.

    This is the report we get

    Virus 'Mal/Behav-043' has been detected in "C:\WINDOWS\Installer\{0837A661-FEC3-48B3-876C-91E7D32048A9}\READMESHORTCUT.htm". Cleanup unavailable.

    The attempt to move the infected file "C:\WINDOWS\Installer\{0837A661-FEC3-48B3-876C-91E7D32048A9}\READMESHORTCUT.htm" failed. The user does not have the rights to perform the action on the infected file.

    Virus 'Mal/Behav-043' has been detected in "C:\WINDOWS\Installer\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\READMEICON.htm". Cleanup unavailable.

    The attempt to move the infected file "C:\WINDOWS\Installer\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\READMEICON.htm" failed. The user does not have the rights to perform the action on the infected file.

  2. #2

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex

    Re: Mal/Behav-043 virus outbreak

    I saw this on Tuesday.

    You must kill the running process (it is usually disguised).
    Once killed, Sophos can clean it.

    I was lucky there was only one machine infected and that was the only one connected at the time.

    It hogged 10% of the CPU but swallowed all of the 2 MB SDSL bandwidth.

    I tried downloading a Sophos Update whilst the drone was active and could only get 2k per sec, killed the BOT and immediately got 286k.

    I dread to think what half a dozen will do to your network!

  3. #3

    Join Date
    May 2006

    Re: Mal/Behav-043 virus outbreak

    Just spotted this now on a couple of our clients. I've been through Sophos manager on the server and not many clients appear to have been infected, but whether the server hasn't gotten around to pushing the CID on all the clients yet, who knows.

    The only reason I'm posting this is because I remember reading this thread yesterday and thinking that I hadn't noticed anything on our network. Then I saw the alerts this morning when I arrived at work.

    According to the logs though, Sophos moved the virus on each infected client, so that should have stopped it dead. Will check said clients now though.

  4. #4
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield

    Re: Mal/Behav-043 virus outbreak

    Sophos found it here this morning - moved the virus into quarantine.

  5. #5

    Join Date
    May 2006

    Re: Mal/Behav-043 virus outbreak

    I'm curious now. I wish there was more info about it. The infected computers included one that only I really use (though it is possible pupils MAY have had access to it).

  6. #6
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield

    Re: Mal/Behav-043 virus outbreak

    Ours was picked up on the server in a user home directory. No reports of clients being infected yet.

  7. #7
    tosca925's Avatar
    Join Date
    Aug 2005
    Location
    Midlands

    Re: Mal/Behav-043 virus outbreak

    As of last night we had 10 clients infected, up to now we have 50.

    Sophos puts it into quarantine but does not delete it. We have had to manually visit the machine and log on as admin to delete the files.

    Keep your eyes open.

  8. #8

    Join Date
    Apr 2007
    Location
    Surrey

    Re: Mal/Behav-043 virus outbreak

    This is NOT a virus outbreak.

    Sophos confirmed to me this morning that their IDEs were incorrectly identifying files as malware.

    The latest IDEs correct the problem. At least, that's what they say...

    Yes, just got the update through the enterprise library and deployed it. The files are no longer identified as mal/behav-043.

  9. #9
    tosca925's Avatar
    Join Date
    Aug 2005
    Location
    Midlands

    Re: Mal/Behav-043 virus outbreak

    Press F5 while on your desktop or ‘Right Click’ and choose refresh.

    They should then come back.

    Also you have far too many files on your desktop, these should be saved in your home directory on the network and not on your desktop. This will affect the log on time when you log onto the network, I would imagine that it takes you quite a while to logon?

    I hope you are right, but funnily enough we have had no more reported since around 9-45.

  10. #10

    Join Date
    Apr 2007
    Location
    Surrey

    Re: Mal/Behav-043 virus outbreak

    I thought it was odd because that installer file you identified was the same as my own, it contains Dreamweaver stuff which had not been modified in forever.

    It's worth noting that Sophos say their recommended configuration for action to be taken when a virus is detected is 'Do Nothing'. It's their get out of jail free card at times like this when I pointed out their software has just disabled or deleted a load of valid files.
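
A triage aid for the situation in this thread, as an added example that is not part of any post here: it parses the two alert messages quoted in post #1 and lists files flagged at the same path on several machines, the pattern post #10 noticed. The host names, the `parse_alert` and `triage` function names and the `min_hosts` threshold are assumptions; a shared path is a reason to check with the vendor, not proof of a false positive.

```python
import re
from collections import defaultdict

DETECTED = re.compile(r"Virus '(?P<name>[^']+)' has been detected in \"(?P<path>[^\"]+)\"\.")
MOVE_FAILED = re.compile(r'The attempt to move the infected file "(?P<path>[^"]+)" failed\.')

def parse_alert(line):
    """Return (kind, detection_name_or_None, path) for a report line, else None."""
    m = DETECTED.search(line)
    if m:
        kind = "detected_no_cleanup" if "Cleanup unavailable" in line else "detected"
        return kind, m.group("name"), m.group("path")
    m = MOVE_FAILED.search(line)
    if m:
        return "move_failed", None, m.group("path")
    return None

def triage(records, min_hosts=2):
    """Group alerts by detection and path; report paths flagged on >= min_hosts hosts."""
    hosts_by_path = defaultdict(set)   # (name, lower-cased path) -> hosts
    stuck = set()                      # (host, path) where the move failed
    for host, line in records:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        kind, name, path = parsed
        key = path.lower()             # Windows paths are case-insensitive
        if kind == "move_failed":
            stuck.add((host, key))
        else:
            hosts_by_path[(name, key)].add(host)
    shared = {k: sorted(v) for k, v in hosts_by_path.items() if len(v) >= min_hosts}
    return shared, sorted(stuck)

P1 = r"C:\WINDOWS\Installer\{0837A661-FEC3-48B3-876C-91E7D32048A9}\READMESHORTCUT.htm"
P2 = r"C:\WINDOWS\Installer\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\READMEICON.htm"
# Message wording is from the report in post #1; the host names are constructed.
SAMPLE = [
    ("PC-01", f"Virus 'Mal/Behav-043' has been detected in \"{P1}\". Cleanup unavailable."),
    ("PC-01", f"The attempt to move the infected file \"{P1}\" failed. The user does not have the rights to perform the action on the infected file."),
    ("PC-02", f"Virus 'Mal/Behav-043' has been detected in \"{P1}\". Cleanup unavailable."),
    ("PC-02", f"Virus 'Mal/Behav-043' has been detected in \"{P2}\". Cleanup unavailable."),
]

if __name__ == "__main__":
    shared, stuck = triage(SAMPLE)
    print("same path on several hosts:", shared)
    print("move failed, needs admin rights:", stuck)
```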

  11. #11
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands

    Re: Mal/Behav-043 virus outbreak

    What configuration do you use then for Sophos on access? - mine is normal, on read, Cleanup - automatically cleanup and move to default location. Our LEA advise delete but I was a bit concerned that important files may be deleted by an alert that turned out to be a mistake.

  12. #12
    limbo's Avatar
    Join Date
    Aug 2005
    Location
    Birmingham

    Re: Mal/Behav-043 virus outbreak

    We had an alert on two of our servers - the same piece of software on both and we have not used it in a couple of years so I was scratching my head for a while - this explains it all and makes a lot of sense.

    On our servers I used to have the access are on read - but it slows the backup down by several hours so it is now "on write" (but read on the work stations).

  13. #13

    TechMonkey's Avatar
    Join Date
    Dec 2005
    Location
    South East

    Re: Mal/Behav-043 virus outbreak

    We had a report of a slightly different version in our admin area on an old Anti-nuke program. Had to have been a false positive as it has sat there for at least 6 years no problems.... Unless we've been breached that long!!!!

  14. #14

    Join Date
    Apr 2007
    Location
    Surrey

    Re: Mal/Behav-043 virus outbreak

    Quote Originally Posted by chrbb
    What configuration do you use then for Sophos on access? - mine is normal, on read, Cleanup - automatically cleanup and move to default location. Our LEA advise delete but I was a bit concerned that important files may be deleted by an alert that turned out to be a mistake.

    I went with the same, except for the crucial last option and chose delete instead of move. Two reasons for that I suppose: 1. I'm prepared to risk losing a file and resorting to restoring a backup for the peace of mind I get from knowing any risky file is off my network. 2. I don't have the administration time to fully assess the accuracy of each identified threat so it would be left sitting in some toxic folder somewhere and, as I said in 1., I want this stuff off my network ASAP!
