Banyak virus yang tersebar lewat jaringan komputer di warnet maupun kantor terutama akibat adanya akses internet. Satu komputer client saja yang terinfeksi, akan bisa menginfeksi seluruh jaringan komputer yang mungkin hingga ratusan. Apalagi setiap komputer client men-share file/folder akan lebih mudah terkena virus yang notabene selalu mencari peluang untuk mengandakan diri dan kemudian menyebar. Kalau sudah begini rasanya repot juga mengatasinya. Apa kita akan menscan satu persatu komputer client dan menghapusnya ? hmm, kalau memang hanya 5 s.d 10 client saya rasa nggak ada mslh, namun bagaimana jika ada 50 s.d 100 client ? apa anda akan melakukan satu persatu scan pada komputer client ? hmm up to you aja deh .., berikut ada artikel dari NORMAN tentang bagaimana menghapus virus yang sudah menginfeksi jaringan.
Stopping network share infectors
Many viruses today are share infectors. They infect open shares throughout the network. A single infected computer is capable of infecting hundreds of other machines.
It is a common scenario that many sites have open shares on their servers where all users has unlimited access. The intention of these shares is to provide an universal area where all users can exchange common files and information. Other scenarios include shares that are not intended for common purposes, but they are open due to lack of planning and security.
No matter the reason, these file shares are highly exposed to viruses like Pinfi and Funlove that have open file shares as a target for infection.
A share infector scenario:
The figure above illustrates an unprotected workstation (IP: 192.168.0.13) that is allowed to execute a file infected with the Pinfi virus. The infected workstation will propagate open file shares on computers in the network, look for files with .exe and .scr extension on these shares and then try to infect these files.
All servers in this situation are protected with updated antivirus software, which monitors the file system on the servers. An attempt to infect files on these shares will be detected and infected files are instantly cleaned.
The problem, however, is that the workstation is still infected and will re-infect the .exe and .scr files shortly after the antivirus software has performed the first clean operation. We now have an infect-clean-infect cycle that will go on forever unless something is being done with the original infection: the infected workstation.
Finding the source of the problem
In a large network with hundreds, even thousands of machines, it can be really hard to find this particular workstation. The Virus Alert message normally just points at the target file for the infection, which virus that was found, and what has been done to the file. There is obviously a need for some extra information to solve this problem.
One way of solving the problem is to use an external tool to monitor a file that is likely to be infected. To avoid too many changes on any of the original servers it may be a good idea to set up a new test machine in the network, create an open share on this machine, and place a copy the .exe file here. In the Pinfi case we know that .exe files are attractive targets to infect, and we copy the file calc.exe from the \Windows directory to the new file share. The calc.exe file is now a “bait” for the infector.
Before we connect the “bait” machine to the network, we need to install a “sniffer” program. We think Ethereal is a good alternative, but programs like Sniffer Pro and Etherpeek will do as well, but Ethereal can be downloaded free of charge. It contains a lot of functionality, so in this paper we will only cover functions relevant to solve this particular scenario.
You need two components:
1. Install and run the WinPCap driver that can be downloaded from winpcap.polito.it
2. Install and run Ethereal – can be downloaded from ethereal.com
NOTE: Although our experience with Ethereal is good, we do not support it, so you use it at your own risk.
Monitoring the activity on the network
When Ethereal is installed, make sure that the NVC’s On-access scanner is running on the machine, and start the NVC Utilities program where you open the Messages window.
Before you start monitoring the file, make sure that it gets infected by watching the virus alerts in the Messages window. If no virus alerts appear, then the bait does not work. Check again to make sure that the directory containing the bait really is shared, and that all users have full access to the share.
If this still does not work, you may need to install Ethereal on one of the servers where the infection originally appeared. Some share infectors just infect shares that were available upon start of the infected program. In such a case, find a file here to use as bait for the infection.
Now start Ethereal. We want to capture the activity that the machine receives via the network. But we only want to focus on activity related to the bait, which is the calc.exe test file.
n the lower left corner there is a field labelled Filter: In this field type the string:
smb.file contains “calc.exe”
Select the command Capture/Start and then click OK. The capture window appears. From now on watch the activity in the NVC Utilities’ Messages window. As soon as there is a new infection on our bait, close the Ethereal capture window. The log from the capture appears in the main window. Make sure that our filter is active by clicking Apply.
By watching the “Source” and “Destination” columns you should now be able to see the IP addresses used in manipulations of the calc.exe file. In our case the local address for our machine is 192.168.0.15. The other IP address involved in the transactions is 192.168.0.13.
Obviously a machine with the address 192.168.0.13 is the infector. You can now solve the problem by isolating it and then perform a complete On-demand scan supplied with the relevant fix(es).
Repeat the process to ensure that there are no other infectors in the network.
Sumber : Norman antivirus