Removing Virtumond: Definitive Guide

Posted on January 21st, 2009 in Howtos, IT Security, Windows Admin by Rodney

I recently came across a server, a domain controller no less, which had been infected with Virtumond (sometimes called Virtumonde), Vundo and Smitfraud. These are particularly nasty pieces of work and if you read many blogs, you’ll see they’re a pain in the butt to get rid of. Many people speak of the utter inability to get rid of the thing.

Ok, not to brag, but it’s not as hard as they’re making it. You can actually get rid of it fairly quickly. Here’s how.

Firstly, download a fresh copy of Spybot Search and Destroy, for later on.

1. You need to find where it is and start the removal process. You do this as follows:

  • Go to c:\windows\system32.
  • Sort by date with the newest files at the top.
  • You should see a bunch of {random_string}.dll files.
  • Take note of the oldest of these.
  • Search the hard disk for files created at the same time, and if suspicious files or directories were created then, quarantine them.
  • Delete as many as you can – many will be in use and not deletable right now.

2. Now we want to stop the virus running so much. You can’t stop it yet but we can slow it down.

  • Download a product called Process Explorer.
  • Using Process Explorer, stop any processes called x.exe or msddll.exe, then delete the files.
  • Noting from which {random_string}.dll files couldn’t be deleted, search the registry for those strings and remove the keys associated with them.
  • You’ll find this location full of problems and you may not be able to delete them: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
  • Subkeys in here named after the random string DLLs in c:\windows\system32\ must be deleted.

3. Now we need to get rid of the files that are still running and cannot be deleted. Virtumond is a pain in the butt and pretty clever. You can’t use pendmove and you can’t use safe mode to get rid of it. But you can use a Linux Live CD, because Linux doesn’t have to respect Windows’ rules.

4. Download a Linux Live CD. Fedora 10 is good because it natively handles your NTFS drives in read/write mode. Boot off it and use it to browse to localdisk/WINDOWS/system32/ and sort by date. Delete those pesky {random_string}.dll files. Now they’re gone.

5. Boot Windows back up in safe mode.

  • Remove the remaining registry keys from above.
  • Install a fresh copy of Spybot Search and Destroy.
  • Run a spyware cleaner, like Spybot Search and Destroy. Run it twice.
  • Check the hosts file: c:\windows\system32\drivers\etc\hosts.

6. Boot back up in normal mode and check for the presence of Virtumond. It shouldn’t be running any longer. For peace of mind, run a few more spyware checks, like Spybot, AdAware, Windows Defender and Bit Defender. It should be clean.

7. Get your Windows CD handy. Open the command prompt and run this command:
sfc /scannow
This takes ages but it checks the system files on the computer are genuine Windows files and replaces the ones that are not.

8. Reinstall your antivirus software, after removing it completely, and patch patch patch!
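An added example, not code from Rodney’s post: a read-only PowerShell triage script that collects in one pass the evidence steps 1, 2 and 5 gather by hand (newest DLLs in system32, Winlogon\Notify packages and their DllName values, active hosts file entries). It assumes PowerShell is installed on the infected box and runs from an elevated prompt; the 14-day window is an assumed default.

```powershell
# Added example (not from the original post). Read-only: it reports, it does not delete.
# Assumes PowerShell is available on the host and the prompt is elevated.
param(
    [int]$Days = 14   # how far back to look for newly created DLLs (assumed default)
)

$sys32  = Join-Path $env:SystemRoot 'system32'
$cutoff = (Get-Date).AddDays(-$Days)

# Step 1: newest DLLs in system32. Random-named droppers tend to cluster around
# one creation time, so sort by CreationTime with the newest first.
$recentDlls = Get-ChildItem -Path $sys32 -Filter '*.dll' |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Sort-Object CreationTime -Descending
$recentNames = $recentDlls | ForEach-Object { $_.Name }

Write-Host "DLLs in $sys32 created since $cutoff :"
$recentDlls | ForEach-Object { '{0}  {1}' -f $_.CreationTime, $_.Name }

# Step 2: Winlogon\Notify packages. Each subkey's DllName is loaded by winlogon;
# a package whose DllName is one of the recently created DLLs is the kind of
# entry the post says must be removed.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Write-Host "`nWinlogon\Notify packages:"
Get-ChildItem -Path $notify | ForEach-Object {
    $dll  = (Get-ItemProperty -Path $_.PSPath).DllName
    $flag = ''
    if ($dll -and ($recentNames -contains (Split-Path $dll -Leaf))) { $flag = '  <-- recently created DLL' }
    '{0,-20} {1}{2}' -f $_.PSChildName, $dll, $flag
}

# Step 5: hosts file. Anything beyond the localhost line deserves a look, since
# hijacked hosts files are used to block AV and update sites.
$hosts = Join-Path $sys32 'drivers\etc\hosts'
Write-Host "`nActive entries in $hosts :"
Get-Content $hosts | Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*#' }
```

Run it once before the cleanup and once after the Live CD step; the Notify list should then contain only packages whose DllName points at a DLL you recognise.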

Change IP Address in safe mode

Posted on January 21st, 2009 in Howtos, Windows Admin by Rodney

Ok, long story short, some people I know managed to get their server boned up. I am trying to fix it for them but they’re making it hard. Not only is the server infected with Virtumonde, but they’ve managed to lose DNS, AD and RPC.

Plus Windows now thinks it needs to activate.

So I took it offsite to repair, but I can’t log in because activation attempts to run before you’re allowed to change your network settings. Their server, being a domain controller, is in an invalid IP range for my network. I can’t change the IP address in safe mode, because the network doesn’t load.

So I have to change it in the registry. Here’s how I did it.

1. Load the box in safe mode by pressing F5 at boot up.
2. Open the registry.
3. Go to the following Registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\"Card number"
3a. Get the value of “servicename” to use in 3b.
3b. Go to this key:
HKLM\SYSTEM\CurrentControlSet\Services\"ServiceName"\Parameters\TcpIp
4. Change the network settings such as DNS, IP Address, Subnet mask and default gateway. These are just multi line strings.
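An added example, not code from Rodney’s post: a PowerShell function that performs steps 3 to 4 above, reading ServiceName from the card’s NetworkCards key and writing the TCP/IP values under the path the post gives. Assumptions: PowerShell can be started in safe mode on the box (on older systems it may not, in which case reg.exe does the same job), the adapter is NetworkCards\1 unless told otherwise, the adapter already uses a static address, and the value names are IPAddress, SubnetMask and DefaultGateway (REG_MULTI_SZ) plus NameServer (REG_SZ, space separated).

```powershell
# Added example (not from the original post). Run from an elevated prompt in safe mode.
function Set-SafeModeIPConfig {
    param(
        [string]$CardNumber = '1',                          # assumed: first card
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$SubnetMask,
        [Parameter(Mandatory=$true)][string]$Gateway,
        [string[]]$DnsServers = @()
    )

    # Refuse typos early: every address must parse as an IP before anything is written.
    foreach ($addr in (@($IPAddress, $SubnetMask, $Gateway) + $DnsServers)) {
        [void][System.Net.IPAddress]::Parse($addr)
    }

    # Step 3a: the card's ServiceName (the adapter GUID) lives under NetworkCards.
    $cardKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\$CardNumber"
    $serviceName = (Get-ItemProperty -Path $cardKey).ServiceName
    if (-not $serviceName) { throw "No ServiceName value under $cardKey" }

    # Step 3b: the TCP/IP parameters for that service, as given in the post.
    $tcpipKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName\Parameters\Tcpip"
    if (-not (Test-Path $tcpipKey)) { throw "Key not found: $tcpipKey" }

    # Show the existing values first so the change can be reverted by hand.
    Write-Host "Before, under $tcpipKey :"
    Get-ItemProperty -Path $tcpipKey | Format-List IPAddress, SubnetMask, DefaultGateway, NameServer

    # Step 4: these are multi-line strings (REG_MULTI_SZ); NameServer is a plain string.
    Set-ItemProperty -Path $tcpipKey -Name IPAddress      -Value @($IPAddress)  -Type MultiString
    Set-ItemProperty -Path $tcpipKey -Name SubnetMask     -Value @($SubnetMask) -Type MultiString
    Set-ItemProperty -Path $tcpipKey -Name DefaultGateway -Value @($Gateway)    -Type MultiString
    if ($DnsServers.Count -gt 0) {
        Set-ItemProperty -Path $tcpipKey -Name NameServer -Value ($DnsServers -join ' ') -Type String
    }

    Write-Host "After:"
    Get-ItemProperty -Path $tcpipKey | Format-List IPAddress, SubnetMask, DefaultGateway, NameServer
}

# Constructed sample values for a lab network; substitute your own.
Set-SafeModeIPConfig -IPAddress 192.168.1.50 -SubnetMask 255.255.255.0 -Gateway 192.168.1.1 -DnsServers 192.168.1.10
```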

Increasing Mail Store in Exchange 2003

Posted on January 8th, 2009 in Howtos, MS Exchange, Windows Admin by Rodney

Owners of Microsoft Small Business Server 2003 have often complained that the Exchange server hard limits the mail store size to 16GB. These days – 16GB of email isn’t that much – especially when you have many users.

However, this limit is not actually a hard limit. You can in fact increase the mail store up to 75GB, very easily. You won’t even have to do a reboot.

Here’s how:

Step 1.
Download and install the Exchange 2003 Service pack 2. You can download it from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=535bef85-3096-45f8-aa43-60f1f58b3c40&displaylang=en

Step 2.

Open your preferred registry editor. For example:
Start > run > regedit.

Step 3.
Find the following registry keys.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\{Your Server name}\Private-Mailbox Store GUID
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\{Your Server name}\Public-Public Store GUID

Step 4.
Add these new DWORDs to both of those keys:
DWORD: Database Size Limit in Gb
Value: Between 1 and 75 (in decimal)
(This is the mailstore size)

DWORD: Database Size Buffer in Percentage
Value: Between 1 and 100
(This is the % free at which warnings will start. 10% is fine).

DWORD: Database Size Check Start Time in Hours From Midnight
Value: Between 0 and 23
(This is the time of day the mailstore will be size checked. Do it off peak).

Step 5.
Restart your Exchange services. If you view the Application logs, you should see the mail store size limit has now increased from 16GB to whatever value you used.
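An added example, not code from Rodney’s post: a PowerShell function that applies Steps 3 to 5 above, locating the Private-GUID and Public-GUID store keys under MSExchangeIS by name rather than by typed-in GUID and enforcing the value ranges the post gives. It goes slightly beyond the post in that it handles every Private-/Public- store key it finds, not only one of each. Assumptions: PowerShell is installed on the Exchange 2003 server, the prompt is elevated, and the service to restart is MSExchangeIS.

```powershell
# Added example (not from the original post). Run from an elevated prompt on the Exchange server.
function Set-ExchangeStoreLimit {
    param(
        [int]$SizeLimitGb   = 75,   # 1..75, the mail store size limit
        [int]$BufferPercent = 10,   # 1..100, % free at which warnings start
        [int]$CheckHour     = 3,    # 0..23, off-peak hour for the size check
        [switch]$Restart            # also restart the Information Store (Step 5)
    )
    if ($SizeLimitGb   -lt 1 -or $SizeLimitGb   -gt 75)  { throw 'SizeLimitGb must be between 1 and 75' }
    if ($BufferPercent -lt 1 -or $BufferPercent -gt 100) { throw 'BufferPercent must be between 1 and 100' }
    if ($CheckHour     -lt 0 -or $CheckHour     -gt 23)  { throw 'CheckHour must be between 0 and 23' }

    # Step 3: the store keys are MSExchangeIS\<ServerName>\Private-<GUID> and Public-<GUID>.
    $isKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'
    $storeKeys = Get-ChildItem -Path $isKey |
        ForEach-Object { Get-ChildItem -Path $_.PSPath } |
        Where-Object { $_.PSChildName -match '^(Private|Public)-' }
    if (-not $storeKeys) { throw "No Private-/Public- store keys found under $isKey" }

    # Step 4: the three DWORDs, with the value names exactly as the post gives them.
    $values = @{
        'Database Size Limit in Gb'                             = $SizeLimitGb
        'Database Size Buffer in Percentage'                    = $BufferPercent
        'Database Size Check Start Time in Hours From Midnight' = $CheckHour
    }
    foreach ($key in $storeKeys) {
        foreach ($name in $values.Keys) {
            # Set-ItemProperty creates the value if it is absent and overwrites it if present.
            Set-ItemProperty -Path $key.PSPath -Name $name -Value $values[$name] -Type DWord
        }
        Write-Host "Updated $($key.Name)"
        Get-ItemProperty -Path $key.PSPath | Format-List ($values.Keys | Sort-Object)
    }

    # Step 5: the new limit is read when the store restarts.
    if ($Restart) { Restart-Service -Name MSExchangeIS -Force }
}

Set-ExchangeStoreLimit -SizeLimitGb 75 -BufferPercent 10 -CheckHour 3 -Restart
```

After the restart, check the Application log as the post describes to confirm the store reports the new limit.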