Lawrence Abrams: Using the information found in the diagnosis stage, you should harden rules on the corporate firewall to disable ports that may be accessed from the infected machine(s), different segments of the network or the outside world.
Due to the functioning of AIM (AOL Instant Messenger), this virus may be one that inserts its own away message, in the hopes that others will click on the links found in it and spread the infection further. To mitigate this risk, rules blocking port 5190 (AIM port) from being used on or through the network should be immediately instated. A quick e-mail asking everyone to shut down instant messaging software is desirable, so isolated network segments do not have a risk of infection.
If they were compromised by an SDBot/RBot or other backdoor malware, you should also immediately block outbound traffic to ports 6666 and 6667, eliminating the possibility of remote commands being issued from external IRC servers.
Using the firewall logs, you should be able to determine those machines that match your filters and clean them as necessary.
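As an added example of the log review described above (this is not code from the article or from any firewall vendor), the script below parses a constructed set of syslog-style firewall lines, flags source hosts that touched the AIM port (5190) or the IRC ports (6666/6667) named in the answer, and orders them into a cleanup queue. The log format, field names and host addresses are assumptions for illustration; adapt the regular expression to your firewall's own export.

```python
"""Triage of firewall log lines for the AIM and IRC ports discussed above.

Added example, not part of the original article. Assumes an iptables-style
syslog line with SRC=, DST=, PROTO= and DPT= fields; that format, and the
sample hosts, are constructed for illustration.
"""
import re
from collections import defaultdict

# Ports named in the answer: 5190 (AIM) and 6666/6667 (IRC command channels).
WATCH_PORTS = {5190: "AIM", 6666: "IRC", 6667: "IRC"}

# Constructed sample log lines on a hypothetical 10.1.0.0/16 office network.
# A DROP line still counts: the host attempted the connection, so it is a
# candidate for cleaning even though the firewall stopped that flow.
SAMPLE_LOG = """\
Mar 14 10:02:11 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=205.188.8.10 PROTO=TCP SPT=1044 DPT=5190
Mar 14 10:02:15 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.7 PROTO=TCP SPT=1051 DPT=6667
Mar 14 10:02:19 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.7.3 DST=203.0.113.9 PROTO=TCP SPT=2210 DPT=80
Mar 14 10:02:23 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.9.40 DST=198.51.100.7 PROTO=TCP SPT=1099 DPT=6666
Mar 14 10:02:30 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=205.188.8.11 PROTO=TCP SPT=1060 DPT=5190
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s.*?SRC=(?P<src>[\d.]+)\s.*?DST=(?P<dst>[\d.]+)\s"
    r".*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of the fields we need, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def suspect_hosts(log_text, watch=WATCH_PORTS):
    """Map each source IP that touched a watched port to {service: flow count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] in watch:
            hits[rec["src"]][watch[rec["dpt"]]] += 1
    return {src: dict(services) for src, services in hits.items()}


def cleanup_queue(log_text, watch=WATCH_PORTS):
    """Suspect hosts ordered by number of watched-port flows, busiest first."""
    hosts = suspect_hosts(log_text, watch)
    return sorted(hosts, key=lambda h: (-sum(hosts[h].values()), h))


if __name__ == "__main__":
    found = suspect_hosts(SAMPLE_LOG)
    for host in cleanup_queue(SAMPLE_LOG):
        print(host, found[host])
```

Run against a real export, the queue gives the order in which to visit machines; a host that shows both AIM and IRC traffic, as 10.1.4.22 does in the sample, is the one to pull off the network first.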
Kevin Beaver: In this stage, you should turn to your company's incident response plan and follow its detailed steps to contain, eradicate and recover from this issue. The incident response team would then determine whether or not to call in outside investigators to pursue this further.
Okay -- seriously -- an incident response plan probably doesn't exist. The first thing you should do is not panic, run around in circles and start shutting everything down. If the user's workstation contains critical information (i.e. private, confidential or other sensitive information) it may behoove you to at least unplug the network connection to minimize any losses.
If there's any possibility that outside forensics consultants or law enforcement will be called in for a formal investigation, simply unplugging the power cord from the computer (i.e. not cleanly shutting it down) would likely be the best course of action. This way, no memory, temporary files or swap files are tampered with (albeit they could become corrupt from such a harsh shutdown), and the drive can be imaged using forensics utilities so that the investigation can take place.
Tony Bradley: The very first thing I would do is verify that the antivirus software is enabled and current. I would also run Microsoft Baseline Security Analyzer (MBSA) or a similar tool to validate that all required patches have been installed.
When the connection drops, it would be useful to ping the Internet Gateway address and the IP address of the primary DNS server to determine if the machine can still communicate with them. There may be some issue with the DNS server or with this machine's ability to reach the DNS server.
Stage three: Recovery
About the experts: Expert bios are available on the scenario page.