
Fighting Viruses with Vipre

We’ve been calling it the “Mark Virus” in honor of our colleague Mark Betz, the first among us to deal with this nasty worm. The IT world at large knows it by various other names: W32/VBNA-X, Win32\Pronny and Win32/Vobfus.MD. Security-focused Internet message boards indicate the virus’s first attacks occurred in late November 2012; we encountered it on our first client network in December.

Nasty Virus

The virus infects desktops and laptops, but the symptoms appear on the network file server. The virus changes the properties of the root-level folders to “hidden” so that no users can see them, then creates executable files on the server with the same names as the root-level folders AND gives each executable the same familiar folder icon that the original folders had.
Some executables are also created with names like sexy.exe. Users are generally wise enough not to click on a strange file called sexy.exe, but they have no reason not to open the innocuous folder icon they have been opening for years, whether it’s called “Finance” or “Fundraising” or “Programs.” Little do they know they are actually opening a viral executable that spreads the virus to their computers.
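The folder-impersonation pattern described above is easy to spot mechanically: an executable in the share root whose name (minus extension) matches a sibling directory, especially one that has just become hidden. The script below is an added example written for this post, not Community IT’s code and not part of Vipre or LabTech; it assumes it is pointed at the root of a file share, and the infected share it inspects is a constructed sample built in a temporary directory.

```python
"""Flag executables in a share root that shadow a same-named folder."""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: extensions the droppers on the page would plausibly use.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}
# Windows 'hidden' attribute bit; defined in stat on Windows, fall back to the known value.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    """True if the entry carries the Windows 'hidden' attribute.
    On non-Windows hosts st_file_attributes is absent, so fall back to dot-prefix naming."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def find_folder_impersonators(share_root):
    """Return sorted (exe_name, folder_name, folder_is_hidden) tuples for every
    executable in the share root whose stem matches a sibling directory name
    (case-insensitive, as Windows file names are)."""
    root = Path(share_root)
    dirs = {p.name.lower(): p for p in root.iterdir() if p.is_dir()}
    hits = []
    for entry in root.iterdir():
        if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            twin = dirs.get(entry.stem.lower())
            if twin is not None:
                hits.append((entry.name, twin.name, is_hidden(twin)))
    return sorted(hits)


def build_sample_share() -> str:
    """Constructed sample share root: three legitimate folders, two of them
    shadowed by same-named executables, plus the sexy.exe dropper and a benign file."""
    root = tempfile.mkdtemp(prefix="share_")
    for folder in ("Finance", "Fundraising", "Programs"):
        os.mkdir(os.path.join(root, folder))
    for fake in ("Finance.exe", "Programs.exe", "sexy.exe"):
        # Constructed placeholder content, not a real binary.
        Path(root, fake).write_bytes(b"MZ constructed sample")
    Path(root, "readme.txt").write_text("legitimate file")
    return root


if __name__ == "__main__":
    for exe, folder, hidden in find_folder_impersonators(build_sample_share()):
        print(f"{exe} shadows folder {folder!r} (folder hidden: {hidden})")
```

Run it against a real share root instead of the sample to get a list of candidate droppers to quarantine; sexy.exe is deliberately not reported because it shadows no folder, which is exactly why the folder-named copies are the dangerous ones.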

More Effective Response

The virus makes an interesting case study for Community IT because it illustrates how our response to fast-moving viruses has changed as we better leverage our Help Desk. Fighting viruses used to be a desktop-by-desktop process: at each computer a Community IT technician would update antivirus definitions, run full virus scans, analyze results, isolate as needed, clear quarantines, replace one antivirus solution with another, and so on.
Now, Community IT clients who have our Remote Monitoring and Management (RMM) solution LabTech benefit from that tool’s ability to centrally deploy Community IT’s centralized antivirus solution Vipre to all network laptops, desktops and servers with a single command. We then send commands to all network nodes to run Deep Scans from our LabTech Console. And from our LabTech Console, Centralized Services technicians can see which desktops/laptops are running the foreign processes associated with the worm and immediately isolate them from the larger network.
It’s still an ordeal and we still like to have one technician onsite to assist our Centralized Services technician on the ground. And the five to six Community IT clients who have recently weathered this virus were still significantly impacted as the virus was remediated. But the overall efficiency and effectiveness of our response is dramatically improved over the days when such tools were unavailable to us.
Going forward, we have been pleased with the effectiveness of Vipre in fighting this particular worm, but perhaps more important is that by deploying the solution from a central Community IT Vipre server, we are able to centrally monitor and manage the software, ensuring definitions are kept up-to-date and active.