This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NetworkDistribution Virus or ShadowBroker Issue

NetworkDistribution Virus has effected our network in location of "C:\Windows\NetworkDistribution\". The fact is sophos endpoint can clean those virus in given location. But after restart computer it show's again. When we re-setup computer and deploy sophos end point it solves the problem. But We have almost 1000 computers are still affected by that virus.
I think it was attacked by shadowbroker (https://github.com/misterch0c/shadowbroker).

Do you have any solution to recover that solution. I have tried (https://www.trendmicro.ae/vinfo/nz/threat-encyclopedia/malware/trojan.win32.vools.ag) that one but i failed.

Please we need your help.



This thread was automatically locked due to age.
Parents
  • Hello Mohammad Shahjahan,

    How to Remove Malware would probably be the better forum ( might monitor Malware but not this one). 

    sophos endpoint can clean those virus
    so you have at least one detection - what's its name? Did it automatically clean up or did you request the cleanup with either the console or the local Quarantine Manager? Did you also run an on-demand scan (Full system scan... from the console, a scheduled scan, ...)? Please note that catchy names aren't necessarily a useful description of the actual incident, so please as many details as possible.

    almost 1000 computers are still affected
    Looking at Trend Micro's description: dropped by other malware or as a file downloaded unknowingly. Not very likely (but not improbable) that almost 1000 users visit the same compromised site, it seems that it has spread on your network (and might still do so). How many endpoints do you have in total?
    after restart computer it show's again
    There might be an undetected component, another endpoint might re-infect it, or the computer might access some compromised location.
    any solution
    As said, just a catchy name rarely describes the nature and extent of the infection. Often you face not a single application but a framework that can use different components and mechanisms and serves various "purposes". If yet undetected components are involved there's no out-of-the-box solution. So you have to assess what is going on.

    re-setup [...] solves the problem
    so, once reimaged an endpoint is not reinfected? This would indicate there's no (longer a) component that actively spreads. That'd be a start. AutoRuns might help to find the persistent piece(s). Can't tell what you might find, if you do find something submit a sample.

    Christian     

Reply
  • Hello Mohammad Shahjahan,

    How to Remove Malware would probably be the better forum ( might monitor Malware but not this one). 

    sophos endpoint can clean those virus
    so you have at least one detection - what's its name? Did it automatically clean up or did you request the cleanup with either the console or the local Quarantine Manager? Did you also run an on-demand scan (Full system scan... from the console, a scheduled scan, ...)? Please note that catchy names aren't necessarily a useful description of the actual incident, so please as many details as possible.

    almost 1000 computers are still affected
    Looking at Trend Micro's description: dropped by other malware or as a file downloaded unknowingly. Not very likely (but not improbable) that almost 1000 users visit the same compromised site, it seems that it has spread on your network (and might still do so). How many endpoints do you have in total?
    after restart computer it show's again
    There might be an undetected component, another endpoint might re-infect it, or the computer might access some compromised location.
    any solution
    As said, just a catchy name rarely describes the nature and extent of the infection. Often you face not a single application but a framework that can use different components and mechanisms and serves various "purposes". If yet undetected components are involved there's no out-of-the-box solution. So you have to assess what is going on.

    re-setup [...] solves the problem
    so, once reimaged an endpoint is not reinfected? This would indicate there's no (longer a) component that actively spreads. That'd be a start. AutoRuns might help to find the persistent piece(s). Can't tell what you might find, if you do find something submit a sample.

    Christian     

Children
No Data