Q: Unknown Virus Attack on NT IIS Server ( Answered,   8 Comments )
Question  
Subject: Unknown Virus Attack on NT IIS Server
Category: Computers > Software
Asked by: joni-ga
List Price: $25.00
Posted: 02 May 2002 08:33 PDT
Expires: 09 May 2002 08:33 PDT
Question ID: 11073
Our NT Server running IIS has been attacked by an unknown virus. We've used
virus scanning software like Norton and McAfee to scan but cannot find
any virus.
However, the content of all our programs with .htm and .asp extensions
is automatically overwritten by a 1 KB file (containing some Chinese
phrases).
After we recovered the programs and files, they got overwritten again
the next day. We just applied the latest cumulative IIS patch from the
Microsoft website.
Please advise how to scan for and detect the virus, and recover from
it.
Thanks.
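As an added example (not code from this thread or from any of the posters), here is a defender-side file-integrity check for the symptom described in the question: it records a hash of every .htm/.asp file under the web root, later reports which pages changed, went missing or appeared, and flags the specific pattern of a page replaced by a small file consisting mostly of Chinese text. The web root, the 1024-byte threshold and the sample pages are constructed for the example; run it from a scheduled task after each recovery so the next overwrite is caught the same day.

```python
"""Web-root integrity baseline (added example, not from the thread).
Baselines .htm/.html/.asp files, reports changes, and flags pages that were
overwritten by a small file of mostly Chinese (CJK) text."""
import hashlib
import json
import os
import shutil
import tempfile

WATCHED_EXTENSIONS = (".htm", ".html", ".asp")
DEFACEMENT_MAX_BYTES = 1024  # assumed threshold: the question reports ~1 KB files


def file_sha256(path):
    """Hash a file in chunks so large pages need not be read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot):
    """Map each watched file (path relative to webroot) to its hash and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(WATCHED_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                baseline[rel] = {"sha256": file_sha256(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def looks_like_defacement(path):
    """True for a small file whose visible characters are mostly CJK ideographs."""
    if os.path.getsize(path) > DEFACEMENT_MAX_BYTES:
        return False
    with open(path, "rb") as handle:
        data = handle.read()
    text = None
    for encoding in ("utf-8", "gb2312", "big5"):  # common encodings for Chinese text
        try:
            text = data.decode(encoding)
            break
        except UnicodeDecodeError:
            continue
    if text is None:
        return False
    visible = [ch for ch in text if not ch.isspace()]
    if not visible:
        return False
    cjk = sum(1 for ch in visible if "\u4e00" <= ch <= "\u9fff")
    return cjk / len(visible) >= 0.5


def compare(webroot, baseline):
    """Report modified, missing and new watched files relative to the baseline."""
    current = build_baseline(webroot)
    report = {"modified": [], "missing": [], "new": [], "suspected_defacement": []}
    for rel, info in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != info["sha256"]:
            report["modified"].append(rel)
            if looks_like_defacement(os.path.join(webroot, rel)):
                report["suspected_defacement"].append(rel)
    report["new"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline three pages, then replay the overwrite."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    fd, baseline_file = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        pages = {
            "default.htm": b"<html><body>Welcome</body></html>",
            "orders.asp": b'<% Response.Write("orders") %>',
            "prices.htm": b"<html><body>Price list</body></html>",
            "logo.gif": b"GIF89a (not a watched extension)",
        }
        for name, content in pages.items():
            with open(os.path.join(webroot, name), "wb") as handle:
                handle.write(content)
        save_baseline(build_baseline(webroot), baseline_file)
        # Constructed "next day" state: two pages replaced by a small GB2312
        # file of Chinese text, one legitimate edit, one new file.
        defaced = ("此网站已被入侵\r\n" * 10).encode("gb2312")
        for name in ("default.htm", "orders.asp"):
            with open(os.path.join(webroot, name), "wb") as handle:
                handle.write(defaced)
        with open(os.path.join(webroot, "prices.htm"), "wb") as handle:
            handle.write(b"<html><body>Updated price list</body></html>")
        with open(os.path.join(webroot, "new.asp"), "wb") as handle:
            handle.write(b'<% Response.Write("new") %>')
        return compare(webroot, load_baseline(baseline_file))
    finally:
        shutil.rmtree(webroot, ignore_errors=True)
        os.remove(baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report separates ordinary edits from the suspicious overwrite, so a legitimate content update does not raise the same alarm as a defaced page; keep the baseline file outside the web root (and ideally on another machine) so the same process that rewrites the pages cannot also rewrite the record.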
Answer  
Subject: Re: Unknown Virus Attack on NT IIS Server
Answered By: answerguru-ga on 02 May 2002 09:23 PDT
 
Hi there,

The results of our search returned the following:

Firstly, you definitely need to make sure that the virus scanning
software you are using has the most updated virus definitions (Norton
can do this automatically through the LiveUpdate feature). Running a
virus scan without having updated definitions is pointless if the
virus is newer than the program update.

An excellent resource for any security threat is:
http://www.sarc.com/

The Microsoft IIS server has had many security-related issues in the
past, but since you have applied the latest patch you will be safe
according to Microsoft. This essentially means that they are not aware
of any additional holes in the software at this time. MS has released
an information document regarding IIS and security issues here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172925

The issue that should concern you most at this point is whether or not
this is a boot-sector virus. In essence, this type of virus writes
itself to the BIOS (Basic Input Output System) so that the virus
re-infects the system each time the computer is started up. For more
information on some of these terms, please see:
http://www.mcafee.com/anti-virus/virus_glossary.asp?

If this is the case (you won't know until identifying the virus) you
will need to rewrite your BIOS. This will wipe out the virus so that it
is unable to reinfect the system on startup. The process involved in
doing so depends on the motherboard in your system (please consult the
motherboard manual or online resource of the manufacturer).

This link contains an example of a boot-sector virus that affects the
Flash-BIOS; it's worth reading in order to understand in detail how
these viruses work:
://www.google.ca/search?q=cache:-CNuGFOzL1sC:www.vibert.ca/vn98007.pdf+rewrite+BIOS+boot+virus&hl=en

PREVENTING FURTHER INFECTIONS:

There are many alternatives to at least attempting to secure your
system from further attacks:

1. Virus scanner - you mentioned that you scanned when looking for the
virus after infection had occurred, but are scans a regular process?
They should be done about once a week. Make sure you keep up to date
with definitions as well.

Be sure to activate the option available in most virus scanners so that
any information coming into or moving out of your system is scanned
before transmission.

2. Firewalls - there are many products on the market that provide a
secure barrier between your system and attacks. While they are not
extremely useful for preventing viruses, it's important to remember
that viruses are not the only thing that can affect the stability of a
system.

Here is an informative FAQ on firewalls...any questions you may have
will be answered here:
http://www.interhack.net/pubs/fwfaq/

This is a commentary on how to secure public web servers:
http://www.interhack.net/pubs/nist-w3sec/

Here is some additional information on how firewalls work:
http://grc.com/su-firewalls.htm

If you have any additional questions feel free to post a clarification
:)

Hope this helps!

answerguru

Request for Answer Clarification by joni-ga on 02 May 2002 09:57 PDT
Thanks for the prompt reply.
I've used the latest update of virus definitions for Norton,
McAfee and AVG but no virus is found. What should I do?

Clarification of Answer by answerguru-ga on 02 May 2002 10:36 PDT
Hi,

If the virus cannot be found with the latest definitions, then one of
the following is true:

1. The virus is not yet listed in the definitions (unlikely since they
are both up to date as of yesterday)

2. This is not a virus (i.e. there is another form of security breach
in your system)

Question:
Has this problem occurred again after the second time?

Solution:

The first thing to be done is to rewrite the BIOS. If you have your
information backed up elsewhere and are bringing it back in each time
that may be the problem (you are reinfecting yourself).

Remember that if you have installed the latest IIS patch and nothing
has gone wrong since, then you may have avoided the problem
altogether. Investing in a firewall (either software or hardware) is
definitely a good idea so that future issues are avoided.

answerguru
Comments  
Subject: Re: Unknown Virus Attack on NT IIS Server
From: laird-ga on 02 May 2002 10:54 PDT
 
It doesn't particularly sound like a virus, but rather some other sort
of security vulnerability in IIS. Since NT/IIS has a pretty weak
security track record, I would suggest setting up either a firewall or
a reverse proxy between your web server and the rest of the world.
That way you can keep running NT/IIS for your application, but isolate
yourself a bit.

Personally, I would recommend taking the fairly simple/cheap step of
setting up a small PC running FreeBSD (or Linux), installing squid
(http://www.squid-cache.org/), setting up DNS to point to that machine
instead of your IIS server, and removing your IIS server from being
externally routable. That way, all external attacks will have to
compromise a simple, highly secure machine before they can get to your
IIS server. As a side benefit, squid can cache all of your static
content, which will take some load off of IIS.
Subject: Re: Unknown Virus Attack on NT IIS Server
From: webfoot-ga on 02 May 2002 11:06 PDT
 
I would consider downloading and running the Microsoft Baseline
Security Analyzer at
http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp.
This may find problems you were not aware of (incorrect order of hot
fixes, etc.) because it actually looks at the versions of the DLLs, not
just at the registry. There are also several good tools at this site,
including the IIS Lockdown tool, that you should run.
Subject: Re: Unknown Virus Attack on NT IIS Server
From: ga2002-ga on 02 May 2002 11:45 PDT
 
Perhaps the attack is coming from another host inside your
organization.  In other words, the other computer is infected, and not
the webserver.

If someone mapped to a Webserver share from an infected computer, that
computer will continue to re-infect any shares it is connected to, no
matter how often you clean up the targeted server.

This happened with our webservers.  Unfortunately, the information you
are looking for most -- the name of the virus -- escapes me.  We
cleaned this up a year or two ago.

Temporarily turn on full auditing (usrmgr \\hostname | Policies |
Audit, click on File and Object Access under the Success column) to
see who is changing the files.  Note that auditing like this will slow
performance, so turn it off when not needed.
Subject: Re: Unknown Virus Attack on NT IIS Server
From: muddynyc-ga on 02 May 2002 13:35 PDT
 
Personally I would update your server to Win2000 Adv Server... It has a
great upgrade path from WinNT and it is really easy to get the latest
security updates on the web. You will love how much easier it is for
your server to recognize new hardware etc...

MuddyNYC
Subject: Re: Unknown Virus Attack on NT IIS Server
From: darren-ga on 02 May 2002 15:57 PDT
 
Look at the partitions on your boot drive. I've seen a virus in the
past that was not identifiable that had created its own partition.
Subject: Re: Unknown Virus Attack on NT IIS Server
From: yaron-ga on 05 May 2002 14:09 PDT
 
The symptoms you describe suggest that this might be some security problem
with your IIS/ASP. In this case, secureIIS from Eeye might help you solve
the problem http://www.eeye.com/html/Products/SecureIIS/index.html.
Subject: Re: Unknown Virus Attack on NT IIS Server
From: thyers-ga on 20 Jun 2002 19:13 PDT
 
This situation does have a hint of how the Code Red virus infects
systems and IIS servers in particular. It is worth a look in that
direction.
Subject: Re: Unknown Virus Attack on NT IIS Server
From: thyers-ga on 20 Jun 2002 19:16 PDT
 
Here is a link to a detection tool for the Code Red worm, which might
be what has infected the IIS server:

http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html
