Mal/Behav-043 virus outbreak
We have noticed this Mal/Behav-043 spreading around quite a few of our machines late this afternoon. Sophos picked it up but can't seem to delete it. The Sophos Website http://www.sophos.com/virusinfo/anal...lbehav043.html does not give much away at all but I noticed that protection only came out at 1-30pm today. Our Sophos Enterprise manager has updated the CID every hour since so this is why clients have just started to pick up the virus.
God help us tomorrow... keep your eye out as there is nothing on Google as of yet and nothing on Symantec either.
This is the report we get
Virus 'Mal/Behav-043' has been detected in "C:\WINDOWS\Installer\{0837A661-FEC3-48B3-876C-91E7D32048A9}\READMESHORTCUT.htm". Cleanup unavailable.
The attempt to move the infected file "C:\WINDOWS\Installer\{0837A661-FEC3-48B3-876C-91E7D32048A9}\READMESHORTCUT.htm" failed. The user does not have the rights to perform the action on the infected file.
Virus 'Mal/Behav-043' has been detected in "C:\WINDOWS\Installer\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\READMEICON.htm". Cleanup unavailable.
The attempt to move the infected file "C:\WINDOWS\Installer\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\READMEICON.htm" failed. The user does not have the rights to perform the action on the infected file.
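A small triage helper for alert text of the shape quoted above, added here as an example (it is not from the original poster and not a Sophos tool). It assumes a constructed `host=` prefix on each line, because the Enterprise Console's computer-name column is not part of the quoted message text, and its rule of thumb is an assumption of the example: when the same unchanged file in the Windows Installer cache lights up on many machines within the same hour, that is a reason to check the detection with the vendor before deleting anything, rather than a sign of lateral spread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the alerts quoted in the post. The "host=" prefix
# and the last line (a hit outside the installer cache) are constructed for this example.
SAMPLE_ALERTS = """\
host=PC-101 Virus 'Mal/Behav-043' has been detected in "C:\\WINDOWS\\Installer\\{0837A661-FEC3-48B3-876C-91E7D32048A9}\\READMESHORTCUT.htm". Cleanup unavailable.
host=PC-101 The attempt to move the infected file "C:\\WINDOWS\\Installer\\{0837A661-FEC3-48B3-876C-91E7D32048A9}\\READMESHORTCUT.htm" failed. The user does not have the rights to perform the action on the infected file.
host=PC-102 Virus 'Mal/Behav-043' has been detected in "C:\\WINDOWS\\Installer\\{0837A661-FEC3-48B3-876C-91E7D32048A9}\\READMESHORTCUT.htm". Cleanup unavailable.
host=PC-103 Virus 'Mal/Behav-043' has been detected in "C:\\WINDOWS\\Installer\\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\\READMEICON.htm". Cleanup unavailable.
host=PC-103 The attempt to move the infected file "C:\\WINDOWS\\Installer\\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\\READMEICON.htm" failed. The user does not have the rights to perform the action on the infected file.
host=PC-104 Virus 'Mal/Behav-043' has been detected in "C:\\Temp\\unknown.exe". Cleanup unavailable.
"""

DETECT_RE = re.compile(
    r"^host=(?P<host>\S+) Virus '(?P<name>[^']+)' has been detected in "
    r"\"(?P<path>[^\"]+)\"\. (?P<action>.*)$"
)
MOVE_FAIL_RE = re.compile(
    r"^host=(?P<host>\S+) The attempt to move the infected file "
    r"\"(?P<path>[^\"]+)\" failed\."
)

# Files under the Windows Installer cache are copies of MSI package resources and
# normally never change after installation; an identical path reported on many
# hosts at once is therefore worth verifying against the vendor first (assumption).
INSTALLER_CACHE = "c:\\windows\\installer\\"


def parse_alerts(text):
    """Split alert text into detection records and failed-move records."""
    detections, failures = [], []
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            detections.append(m.groupdict())
            continue
        m = MOVE_FAIL_RE.match(line)
        if m:
            failures.append(m.groupdict())
    return detections, failures


def triage(text, min_hosts=2):
    """Group detections by file path and attach a triage hint to each path."""
    by_path = defaultdict(lambda: {"name": None, "hosts": set(), "move_failures": 0})
    detections, failures = parse_alerts(text)
    for d in detections:
        entry = by_path[d["path"]]
        entry["name"] = d["name"]
        entry["hosts"].add(d["host"])
    for f in failures:
        if f["path"] in by_path:  # membership test does not create a key
            by_path[f["path"]]["move_failures"] += 1

    report = {}
    for path, entry in by_path.items():
        static = path.lower().startswith(INSTALLER_CACHE)
        clustered = len(entry["hosts"]) >= min_hosts
        if static and clustered:
            hint = "same static installer-cache file on many hosts: verify with vendor before deleting"
        elif static:
            hint = "installer-cache file: compare with a clean install before acting"
        else:
            hint = "investigate: non-static location"
        report[path] = {
            "name": entry["name"],
            "hosts": sorted(entry["hosts"]),
            "move_failures": entry["move_failures"],
            "hint": hint,
        }
    return report


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_ALERTS).items(), key=lambda kv: -len(kv[1]["hosts"])):
        print(f"{len(info['hosts'])} host(s)  {info['name']}  {path}")
        print(f"    failed moves: {info['move_failures']}  ->  {info['hint']}")
```

The failed-move count is kept separately because the "user does not have the rights" message in the quoted alerts is about the on-access scanner's privileges on that directory, not about the file; a high count of those against a static path says nothing about infection on its own.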
Re: Mal/Behav-043 virus outbreak
I saw this on Tuesday.
You must kill the running process (it is usually disguised).
Once killed, Sophos can clean it.
I was lucky there was only one machine infected and that was the only one connected at the time.
It hogged 10% of the CPU but swallowed all of the 2 MB SDSL bandwidth.
I tried downloading a Sophos Update whilst the drone was active and could only get 2k per sec, killed the BOT and immediately got 286k.
I dread to think what half a dozen will do to your network!
Re: Mal/Behav-043 virus outbreak
Just spotted this now on a couple of our clients. I've been through Sophos manager on the server and not many clients appear to have been infected, but whether the server hasn't gotten around to pushing the CID on all the clients yet, who knows.
The only reason I'm posting this is because I remember reading this thread yesterday and thinking that I hadn't noticed anything on our network. Then I saw the alerts this morning when I arrived at work.
According to the logs though, Sophos moved the virus on each infected client, so that should have stopped it dead. Will check said clients now though.
Re: Mal/Behav-043 virus outbreak
Sophos found it here this morning - moved the virus into quarantine.
Re: Mal/Behav-043 virus outbreak
I'm curious now. I wish there was more info about it. The infected computers included one that only I really use (though it is possible pupils MAY have had access to it).
Re: Mal/Behav-043 virus outbreak
Ours was picked up on the server in a user home directory. No reports of clients being infected yet.
Re: Mal/Behav-043 virus outbreak
As of last night we had 10 clients infected, up to now we have 50.
Sophos puts it into quarantine but does not delete it. We have had to manually visit the machine and log on as admin to delete the files.
Keep your eyes open.
Re: Mal/Behav-043 virus outbreak
This is NOT a virus outbreak.
Sophos confirmed to me this morning that their IDEs were incorrectly identifying files as malware.
The latest IDEs correct the problem. At least, that's what they say...
Yes, just got the update through the enterprise library and deployed it. The files are no longer identified as mal/behav-043.
Re: Mal/Behav-043 virus outbreak
Quote:
Press F5 while on your desktop or ‘Right Click’ and choose refresh.
They should then come back.
Also you have far too many files on your desktop, these should be saved in your home directory on the network and not on your desktop. This will affect the log on time when you log onto the network, I would imagine that it takes you quite a while to logon?
I hope you are right, but funnily enough we have had no more reported since around 9-45.
Re: Mal/Behav-043 virus outbreak
I thought it was odd because that installer file you identified was the same as my own, it contains Dreamweaver stuff which had not been modified in forever.
It's worth noting that Sophos say their recommended configuration for action to be taken when a virus is detected is 'Do Nothing'. It's their get out of jail free card at times like this when I pointed out their software has just disabled or deleted a load of valid files.
Re: Mal/Behav-043 virus outbreak
What configuration do you use then for Sophos on-access? Mine is normal, on read, Cleanup - automatically cleanup and move to default location. Our LEA advise delete but I was a bit concerned that important files may be deleted by an alert that turned out to be a mistake.
Re: Mal/Behav-043 virus outbreak
We had an alert on two of our servers - the same piece of software on both and we have not used it in a couple of years so I was scratching my head for a while - this explains it all and makes a lot of sense.
On our servers I used to have on-access scanning set to "on read", but it slows the backup down by several hours so it is now "on write" (but "on read" on the workstations).
Re: Mal/Behav-043 virus outbreak
We had a report of a slightly different version in our admin area on an old Anti-nuke program. Had to have been a false positive as it has sat there for at least 6 years no problems.... Unless we've been breached that long!!!! ;)
Re: Mal/Behav-043 virus outbreak
Quote:
Originally Posted by chrbb
What configuration do you use then for Sophos on-access? Mine is normal, on read, Cleanup - automatically cleanup and move to default location. Our LEA advise delete but I was a bit concerned that important files may be deleted by an alert that turned out to be a mistake.
I went with the same, except for the crucial last option and chose delete instead of move. Two reasons for that I suppose: 1. I'm prepared to risk losing a file and resorting to restoring a backup for the peace of mind I get from knowing any risky file is off my network. 2. I don't have the administration time to fully assess the accuracy of each identified threat so it would be left sitting in some toxic folder somewhere and, as I said in 1., I want this stuff off my network ASAP!