Hello all,

Around 0:30am last night the BA backup server stopped responding, and although attempts to reboot were carried out the server did not come back online. Since it was late, I didn't bother pursuing it until this morning.

Even this morning the server remained unresponsive so I went to check why. Upon turning the screen on there was simply a blank screen. Despite several resets it never made it to the boot screen. Safe mode did work, but this is useless as none of the server components could load.

Despite several attempts to get it back online including hardware checks and error log checking, I have decided to simply reinstall the operating system. This is a slow task and will likely take me at least a few hours. No data has been lost however so don't worry. (Thats a relief to me as well, since downloading 700GB of betas again would be very annoying).

The server should be coming back online within the next 20-30 minutes, but won't be fully restored until at least 2 hours from now.

It should be noted that no backups have been performed in the last 12 hours, and likely won't be running until at least 3pm GMT.

Andy (Admin)

It would seem that somehow the server was affected by a very mild virus called "dl.exe". It would randomly appear when the backup software was run, which it was somehow attached to. It planted itself in system32, system restore and the program files of the backup software. All I had to do was disable system restore, and delete all instances of dl.exe from the system. It seems fine now and I'm working to restore the software.

EDIT: OK looks like this virus is smarter than I thought. It keeps randomly re-appearing. I'm installing AVG now to see if that can get rid of it.

I hope you get rid of the virus.
They can be nasty.

Maybe off-topic:
A classmate of me had also an virus like this, and after deletion with McAfee it would scan the next drive and delete it there mean while it would copy itself back to the drive and it all started over again, I think it is still busy after 2 months.

AVG reported the virus as Win32/Gaelicum.A.

This virus replicates itself throughout all executable files on the system. It also interacts with the 16bit subsystem and causes random errors. "dl.exe" is a part of the virus as well and is replicated throughout the drive and registry.

I'm on my 2nd reinstall of Windows now, and this time I found a link: http://www.avg.com/us.virus-removal.ndi-93721 which has two executable files you can run to clean the system up. Lets hope I last long enough to be able to get that done before it strikes again.

I've managed to get Windows back on now and its scanning all of the drives for the virus. I also got AVG on running full time too so if it tries to run AVG should stop it.

That's good to hear that you should have it under control...

This might be alittle off topic but when i get a virus on my computer and it doesn't want to get off there (constantly re copying to the drive) i boot up a Linux distro that I've installed AVG Linux free on (i used reconstructor to put my own ubuntu system together) and will run the anti virus that way , This helps because then main os never loads so the files it usally can't scan the anti virus will scan due to the fact its not in use.

Nick

I heard ComboFix is a great AV tool, I think it's programmed in VB but it helped me remove a trojan when other methods didn't work.

Got it sorted. AVG found all of the infected files and fixed them. I'm slowly getting everything back online.

Ahh, it's nice to hear you finally got rid of it.

My worst virus was Trojan.WinREG.Zapchast
At the time, I was one of the first infections (I know this because there were only 2 hits on google!), so I had to format

Thought I recognised this virus, I had it a long time ago on the Family PC under the alternative name of Win32/Tenga.A

Quite a nasty-quick spreader, thankfully Avast dealt with it for me

Well at least now you know next time to apply patches that are over 6 years old.

While it can spread using that flaw, it's not it's sole method of spreading. It appends itself to EXE files all over the hard drive, so that when they run it reintroduces the files into the system. It also means if you download an infected EXE, you can get the virus that way.

I didn't mention that because I thought anyone running a backup server wouldn't be randomly downloading files onto a server and launching them, unless some of the software installed on the server is warez, or you're not scanning files prior to transferring them over to a backup server...and if that was the case, then what was Patient X?

I remember this Worm from when it first spread, it infected every system (happened with blaster too...) at the college I was working at, thankfully I was just a DV-Studies Tech, not an IT Tech.

Well, a good lesson here, always make sure your antivirus software is up to date. What's that, you don't run antivirus on your server? Well, you deserve a virus then.

Normally I didn't because in 4 years of running a server at home I've not had a virus on it, but there is a first time for everything. Now I'm running AVG Pro on both my server and laptop.

That's just asking for trouble

I also got Tenga.A as six-character random file names in all of my shared folders. The EXE had the Windows XP folder icon.
Also "Win32:Wuke-B" (GameSetup.exe, 8-bit installshield icon) got contracted on the same folders.

Did I forgot to check "Read-only" on my shared folders?

Luckily the "damage" went no longer than here -- I have C$ and ADMIN$ turned off thanks to TuneUp Utilities.