
Virus Like Activity

Just received this regarding some strange behaviour on a workstation protected by Sophos. Does this ring bells to anyone out there?

On Friday **** reported to me that his computer had replaced the normal Google search engine with a picture of 3 old men. I have now seen a similar instance, but this time on the *********** website, the school slide show being replaced by 2 pictures not on the website (a picture of 2 cables and a badger). I have run Sophos to check for viruses; **** machine came up with no viruses, the Key Stage 1 laptop is still running. If we log onto other machines we do not get the problem. Any ideas?

  • I don't know what it is, but yes, we were hit about 18 months ago by a webpage that replaced our intranet page across most stations. This had malicious code in it. The first thing I did was to block the website via our proxy server and then contact Sophos with the name of the website so they could start delving into what is going on. It may be best to raise a support call through the Sophos site, then call them immediately so you can aim to get the quickest turnaround possible!

    When you're having virus-like activity, you have no idea what else is going on that ISN'T visible. This activity could have opened up a security loop where malware is being dropped left, right and centre.

    To sum it all up - contact Sophos asap with as much detail as you have.

    Hope that helps - in the end.

  • Hello Syntax

    What options have you enabled in Sophos?

    Are you doing rootkit scanning? What about suspicious scanning?

    If Sophos doesn't report on either of those, I don't think it would be threat related.

    I have come across two scenarios where I thought it might be a threat due to behaviour.

    When creating a folder, instead of the default 'New Folder' it started giving bird names. Strange, I know.

    Turned out to be a recently installed version of ALZip. 2 hours later, laughing at the amount of time it took to figure it out.

    2nd scenario: Sophos wasn't detecting anything 'abnormally' suspicious.

    Turned out the company screen saver (which was legit during the original deployment of Sophos) was deemed suspicious, and was authorized.

    Later on, the screen saver was infected and distributed to every machine in the network.

    Pondering why Sophos wasn't detecting anything: because it had been previously authorized.

    If you have enabled Sophos to scan fully, with suspicious, rootkit, etc. and it doesn't report anything,

    look into recently installed programs, and look at what has been authorized.

    On a side note, a few years ago I once saw a program (an April Fools joke program) that would change the mouse into something else for about 5 seconds. This happened every 10 minutes.

    It wasn't a threat but it always stuck by me. If I didn't know the program was capable of doing it, I would think it is a threat.

    The threats I've seen nowadays don't really do that. They're not out to impress the users, they're out to impress the people they drive past in their new car from fraud.

  • Hi All

    Thanks for your replies. It's profile related, not machine, and not parasitical. Sophos has been set for rootkit & HIPS, and there is no increase in port activities client or server side. I am still investigating an isolated workstation with a user profile showing this behaviour; my gut feeling is not parasitical or hijacker. When I find the issue I'll post for others.

    Regards
