
Dealing with viruses from the network

Posted by agus darlis on Saturday, 05 December 2009
Many viruses today are share infectors. They infect open shares throughout the network. A single infected computer is capable of infecting hundreds of other machines.

It is a common scenario that many sites have open shares on their servers to which all users have unlimited access. The intention of these shares is to provide a universal area where all users can exchange common files and information. Other scenarios include shares that are not intended for common use but are open due to a lack of planning and security.
No matter the reason, these file shares are highly exposed to viruses like Pinfi and Funlove, which target open file shares for infection.

A share infector scenario:
[Figure: share infector scenario]

The figure above illustrates an unprotected workstation (IP: 192.168.0.13) that is allowed to execute a file infected with the Pinfi virus. The infected workstation will propagate to open file shares on computers in the network, look for files with .exe and .scr extensions on these shares, and then try to infect them.

All servers in this situation are protected with updated antivirus software, which monitors the file system on the servers. Any attempt to infect files on these shares is detected, and the infected files are instantly cleaned.

The problem, however, is that the workstation is still infected and will re-infect the .exe and .scr files shortly after the antivirus software has performed the first clean operation. We now have an infect-clean-infect cycle that will go on forever unless something is done about the original infection: the infected workstation.

Finding the source of the problem

In a large network with hundreds, even thousands, of machines, it can be really hard to find this particular workstation. The Virus Alert message normally just points at the target file of the infection, which virus was found, and what has been done to the file. There is obviously a need for some extra information to solve this problem.
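
One way to get that extra information is to correlate each Virus Alert with a record of which client wrote to the target file over the share just before the alert. The following is an added example, not part of the original article; it assumes the servers keep a share-access audit log with the client address, and the log tuples, the 10-second window and the function name are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data, not taken from the article.
# Virus Alerts as the article describes them: time, target file, virus, action.
AV_ALERTS = [
    ("2009-12-05 10:00:07", r"\\SRV1\common\setup.exe", "Pinfi", "cleaned"),
    ("2009-12-05 10:03:11", r"\\SRV1\common\setup.exe", "Pinfi", "cleaned"),
    ("2009-12-05 10:03:15", r"\\SRV2\tools\saver.scr", "Pinfi", "cleaned"),
]
# Assumed share audit records: time, client IP, file written over the share.
SHARE_WRITES = [
    ("2009-12-05 09:58:40", "192.168.0.21", r"\\SRV1\common\report.doc"),
    ("2009-12-05 10:00:05", "192.168.0.13", r"\\SRV1\common\setup.exe"),
    ("2009-12-05 10:03:05", "192.168.0.34", r"\\SRV1\common\setup.exe"),
    ("2009-12-05 10:03:09", "192.168.0.13", r"\\SRV1\common\setup.exe"),
    ("2009-12-05 10:03:14", "192.168.0.13", r"\\SRV2\tools\saver.scr"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def suspect_sources(alerts, writes, window_s=10):
    """Rank client IPs by how many alerts they wrote the flagged file shortly before.

    A client counts once per alert if it wrote to the alert's target file
    between 0 and window_s seconds before the alert was raised.
    """
    hits = Counter()
    for a_time, a_file, _virus, _action in alerts:
        t_alert = _ts(a_time)
        matched = set()
        for w_time, ip, w_file in writes:
            delta = (t_alert - _ts(w_time)).total_seconds()
            # Windows paths are case-insensitive, so compare lowercased.
            if w_file.lower() == a_file.lower() and 0 <= delta <= window_s:
                matched.add(ip)
        hits.update(matched)
    return hits.most_common()

if __name__ == "__main__":
    for ip, count in suspect_sources(AV_ALERTS, SHARE_WRITES):
        print(f"{ip}: wrote the target file just before {count} of {len(AV_ALERTS)} alerts")
```

A client that shows up before alerts on several servers and across repeated clean cycles, as 192.168.0.13 does in this sample, is the workstation to isolate and disinfect; a client that matches only once is more likely an ordinary user of the share.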
