Virus problem
Hi Folks, I'm really stumped at this moment.
In a customer's network there is a virus that none of the antivirus proggies find or inhibit, and that doesn't show up if I search for the symptoms on Google.
It first adds a user called "tux" on the machine, then deactivates all user accounts, opens a countdown window to let you save your data (about 3 hours of time) and then reboots the machine. You can't log on anymore after that, and it also sometimes deletes the user that has been logged in and does a cleanup of the files of said user.
The virus seems to be able to transfer itself via .jpg images.
Anybody got any idea?
THX
AlpineRAM
Well the problem got solved. It was a PIA since the infection could not be found with the standard antivirus apps like Norton etc. The good part now is that we've got all the machines running again and took images that are stored in a separate location.
What a nice night...
AlpineRAM
Since we had to get it back to running again as quickly as possible, we just wiped the hard disks of each workstation using Knoppix and then installed a basic WinXP machine with generic drivers to roll out across the network by means of a disk image. The problem was compounded by the fact that there's been a Win2K Server as PDC that also got infected and was constantly reinfecting the workstations. The Linux servers weren't in trouble, so we changed over to Samba as a PDC and backup DC in the domain.
The Win2K Server is going to be converted into a Linux machine shortly....
AlpineRAM
Well, this company is a photo studio, fully digital. It's a PIA to back up the several terabytes they generate per month....
Right now it seems that the problem is getting compounded by one of the workers there having a grudge and doing weird things- like cutting cables etc...
Now it's almost back to square one because this guy disconnected and smashed the backup server- no video surveillance in the sec. server room yet... I'm getting mad...
(I'd like to insert a lot of profanity here- this guy gets $$$ well €€€€ respectively for doing his job and that ain't ruining the company. Now I'm sitting here at work even though I have the flu... --- more profanity from my side)
Well tried to keep my rant family friendly
AlpineRAM
Administrator / Free Time Specialist
Alpine, I'm not claiming to know your business, but you indicated this company is being attacked by an employee, either current or past. Could it be possible that you don't have a virus in the system at all, but possibly a small program loop? What I'm trying to describe is a program that is designed to do the functions you described earlier and may have been installed by someone having a valid password and access to the server/system. This type of attack probably would not register as a virus to an anti-virus program. It should show up in the start-up menu or logs. Just thinking out loud.
It was a virus; detection routines now find it. Bad luck for the customer to be hit before the virus definitions detecting it had been made. It was actually a trojan downloader that fetched a kind of stack with instructions that were carried out by the OS itself.
Now it's for the interesting task to find out who did the hardware damage...
AlpineRAM