
Problem related to the W32.Randex.F worm

Posted: Thu Jun 04, 2009 7:31 am
by cmora
Hi

We are experiencing an error related to problems with the auth accounts. We checked in Active Directory and found all the users with their accounts locked. We checked the Event Viewer and found the error published in this Microsoft KB document.

http://support.microsoft.com/?scid=kb%3 ... &x=10&y=19

The error appears extremely repetitively in the Event Viewer (3 times per second).

All the stations and the servers have eScan AV 9.0.824.411. We did a complete scan in safe mode with MWAV on all the computers. We found some incidents related to Kido and other viruses, but nothing related to Randex or any variant.

All the accounts appear locked again a few minutes after unlocking them.

We unplugged the AD server to evaluate whether the account lockouts continue, and the problem continues.

All the clues are related to a virus, but the virus referenced in the Microsoft KB is very old (the documentation about that virus is dated 2004).

What other process can we use to detect whether the problem is really a virus?

Thanks in advance

Posted: Mon Jun 08, 2009 4:07 pm
by Varghese
The account lockout normally happens with the Kido virus that you encountered in your network.

Make sure you scan the whole network thoroughly with MWAV in safe mode and purge all the Kido incidents in the network. Also apply all the patches from Microsoft for Kido. You can also do this using eScan, from the Tools section.