I've just had an incident where users on several workstations had a login
screen popping up asking them to log in to the network as one of the other
users, say "Jim". I checked Jim's machine - he was running BearShare and
LimeWire, which I see are Gnutella clients, as well as several other pieces
of malware. I removed these from his machine, and scanned him for viruses
(clean).

My questions are:
What was Jim's machine doing that caused the other machines to attempt to
log in as him?
What might be infected/affected?
What do I need to clean up?
What can I do to prevent this happening again?

Re: Workstations prompting to login as another user - Bearshare? by Cris

Cris
Tue Dec 30 10:01:10 CST 2003

These are pretty much all cases of P2P (Peer to Peer File Sharing) software
which have absolutely no business being installed in a business environment.
Kazaa, another P2P network, had a terrible virus going around for a while.

Sounds like some sort of Trojan/spyware at work.
I would get a copy of Spybot Search and Destroy and load it on that machine
http://www.safer-networking.org/index.php?page=spybotsd and see what it
finds (you will probably be amazed).

And then to be on the safe side also get Ad Aware from lavasoftusa.com.
Sometimes it finds a thing or two that Spybot does not. Both programs have
the ability to "immunize"

Finally a written policy needs to be in place that outlines acceptable
internet access and email usage as well as outlining the procedure for
approval for installing new software. And after they have been properly
warned, random audits are a good thing.

--
Cris Hanna [SBS-MVP]
-------------------------
Please do not reply directly to me but rather reply to the newsgroup so that all
may benefit from the information.



Re: Workstations prompting to login as another user - Bearshare? by Mark

Mark
Tue Dec 30 10:30:44 CST 2003

Enforce a company policy that fires these people if they install it!

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



Re: Workstations prompting to login as another user - Bearshare? by Andrew

Andrew
Wed Dec 31 06:07:08 CST 2003

I have already run AD-Aware against the rogue user's machine, and (no
surprise) found plenty that didn't belong there. But part of my question
relates to what else I need to scan - every machine on the LAN, the machines
where the login prompt appeared, etc?



Re: Workstations prompting to login as another user - Bearshare? by Cris

Cris
Wed Dec 31 10:18:05 CST 2003

If this is happening on several machines...yes...scan it all.
And you may never make it go away without flattening the machines...but I
strongly suggest Spybot as well as Ad Aware.

--
Cris Hanna [SBS-MVP]
-------------------------
Please do not reply directly to me but rather reply to the newsgroup so that all
may benefit from the information.
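
Added example (not part of the original thread or any poster's own code): one way to carry out the software audit suggested above on a current Windows machine, by checking the registry uninstall entries for the P2P clients named in this thread. The function names, the pattern list and the sample entries are assumptions made for illustration.

```powershell
# Added example: flag P2P clients in the installed-software list (run on Windows).
# Patterns are the clients named in this thread; extend the list for your own policy.
$P2PPatterns = 'BearShare', 'LimeWire', 'Kazaa'

function Get-InstalledSoftware {
    # Uninstall entries: 64-bit, 32-bit, and the current user's per-user installs.
    # Per-user installs under other profiles are not covered by this example.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue
}

function Find-P2PSoftware {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $InstalledSoftware,
        [string[]] $Patterns = $P2PPatterns
    )
    foreach ($entry in $InstalledSoftware) {
        if (-not $entry.DisplayName) { continue }      # some entries have no name
        foreach ($p in $Patterns) {
            if ($entry.DisplayName -like "*$p*") {      # -like is case-insensitive
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    DisplayName = $entry.DisplayName
                    Version     = $entry.DisplayVersion
                    Matched     = $p
                }
                break                                   # one finding per entry
            }
        }
    }
}

# Constructed sample entries (not real inventory) to show the matching logic.
$sample = @(
    [pscustomobject]@{ DisplayName = 'BearShare 4.3';    DisplayVersion = '4.3' },
    [pscustomobject]@{ DisplayName = 'Office Suite';     DisplayVersion = '10.0' },
    [pscustomobject]@{ DisplayName = 'limewire (basic)'; DisplayVersion = $null }
)
Find-P2PSoftware -InstalledSoftware $sample | Format-Table -AutoSize

# Audit of the machine the script runs on.
Find-P2PSoftware -InstalledSoftware @(Get-InstalledSoftware) | Format-Table -AutoSize
```

To cover every workstation, run the same script on each one through whatever remote management is already in place and collect the output centrally. A clean result only means no matching uninstall entry exists; it does not replace the spyware scans recommended in the thread.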