Eliminating a Zombie after receipt of a Zombie or Spam alert email

  • ID de l'article 17563
  • Mis à jour : 06 mars 2014

These instructions describe what to do on receipt of a Zombie or Spam alert email, and how to clean up the affected Windows NT/2000/XP/2003/Vista computer.

Note: ZombieAlert can be configured to send you the sample message as seen by SophosLabs.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Windows 2000+

What To Do

1. Identifying the IP address of the Zombie computer

Upon receipt of a Zombie or Spam alert email, as the administrator, you must first identify which system on your network has generated this alert. The IP address in the email is the external IP address, and you will need to look within your own firewall, core switch, or network appliance, to map that external address to the system's internal address.

Any systems listed on the alert that have a publically facing IP will be easy to identify.

If the internal system's IP address is behind a network device with an NAT, you will need to review the network device routing table to map the external IP address to an internal IP address. You should refer to your network device documentation to perform this step correctly.

2. Identifying the computer itself

Once you have identified the internal IP address, you will need to use your internal resources to find the computer's location. One way to locate where a node is plugged in is to look at the network switch logs.

All organizations have different methods of identifying where their systems are physically located, use the method that best suits your environment.

3. Cleaning the affected computer

Once the computer has been located, disconnect the computer physically from the network.

Then follow the steps below to identify why the affected computer is exhibiting Spam or Zombie behavior:

  1. On a clean computer, download and run the Sophos emergency command line scanner.
    This will create and fill a folder on the clean computer called C:\SAV32CLI.
  2. On the same clean system, download the correct virus identity (IDE) files for the emergency scanner
    • Locate the download link for the zip file of IDEs for the 'Current CD and Web version'.
    • When you have downloaded the zipped file, open it and drag and drop (or extract) all of the IDEs into the SAV32CLI folder created above.
  3. Copy the SAV32CLI folder to a USB drive (that is write locked afterwards), or burn the folder to CD (and close the session if it is a CD/RW).
  4. Take the locked USB drive, or the CD you created, over to the affected computer that you unplugged from the network.
  5. Reboot the problem computer into safe mode:
    1. On Windows 2000
      Go to Start|Shut Down.
      Select 'Restart' from the dropdown list and click 'OK'. Windows will restart.
      Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8".
      In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt.
      When requested, logon as local administrator.
    2. On Windows XP and Windows 2003
      Go to Start|Shut Down.
      Select 'Restart' from the dropdown list and click 'OK'. Windows will restart.
      Press F8 repeatedly as the computer boots up to get to the Windows Advanced Options Menu.
      In this menu, select the third option "Safe Mode with Command Prompt", then select Windows XP or Windows 2003.
      When requested, logon as local administrator.
    3. On Windows Vista
      Go to Start, and click the arrow for the shut down options menu.
      Select 'Restart'. Windows will restart.
      Press F8 repeatedly as the computer boots up to get to the Windows Advanced Options Menu.
      In this menu, select the option "Safe Mode with Command Prompt".
      When requested, log on as an administrator with full admninistrative rights.
    4. On Windows NT
      Shut down all programs.
      Go to Start|Settings|Control Panel and double-click 'Services'. Stop as many services as possible using the Stop button. Close and shut down the Control Panel.
      Press the Ctrl, Alt and Del keys at the same time. Click 'Task Manager' and select the Processes tab. Select a process and click on 'End Process'. It may or may not end. Repeat this for other processes (including the Windows desktop).
      After closing all possible programs, go to File|New Task (Run) and type 'Cmd'.
      Close down the Task Manager screen.
  6. Running SAV32CLI
    • Place the CD or USB drive in the relevant CD drive or USB port (D: is used in this example).
    • At the command prompt on the computer in question type:
      This will access the CD or USB drive.
    • Type:
      CD SAV32CLI
      This will move you to the SAV32CLI folder.
    • Then type:
      This will remove any detected malicious files and saves a log file of the scan in the root of the C: drive.
    • Press 'Y' when asked if you want to remove files.
      For any item that is detected, write down the name of what malware it was identified as. Search the Sophos website to obtain details about the detected file, and to find out if there are any additional steps to perform after deleting or disinfecting the file.
    See basic DOS commands for more information on working at the command prompt.

4. Other instructions

While still in Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. Please read the warning about editing the registry.

  • To access the registry editor from Safe Mode, type 'regedit'.
  • A knowledgebase article describes other options you can use when running SAV32CLI.

5. Monitoring the computer after cleanup

Before plugging the computer back into the network, restart the system in normal mode (not safe mode).

Remove any files that were locked during the above scan manually, as described in the knowledgebase article on removing problem files.

  • Monitor the computer carefully for any unknown processes or behavior.
  • Any files that are found to be causing problems after running a complete scan (step 3 above) will need to be submitted to SophosLabs to determine if this is new malware or a variant.

6. Check your anti-virus software

Check that Sophos Anti-Virus is installed on the computer, and has been updated up until the time that the computer was disconnected from the network.

If Sophos is not installed, or the virus engine is not up to date, copy the entire Central Installation Directory used in your environment (e.g. ESXP, SAVSCFXP) to a CD or USB drive and install or upgrade the installation of Sophos Anti-Virus from there.

7. Check your security patches

Check that the computer is up to date with Windows Security Patches. For example, refer to an up to date computer on your network, and compare the hotfixes loaded. Alternatively, check with Windows Update or the Microsoft Baseline Analyzer. After you have identified what security patches are missing, download them from Microsoft, put them on CD or USB drive (locked), and install them.

8. Check for rootkits

On a clean computer, download, install, and run the Sophos Anti-Rootkit utility. (Note: the Anti-Rootkit utility cannot be run in safe mode).

9. Rebooting into normal mode

Once you are sure that the computer is free of rootkits, malware etc., and is up to date with Windows security patches, reconnect it to your network, then reboot.

10. Check your anti-virus installation

After the affected computer is fully connected to the network, confirm that the local installation of Sophos is updating from your server's Central Installation Directory.

If the computer is new to Enterprise Console, you will need to add it to a group with an Updating policy, so that it can update correctly.

11. Monitoring for malicious activity

Monitor this computer and your network firewall, and similar equipment, to make sure there are no further unknown port communications, or other suspicious behavior occurring.

If you encounter further problems, contact technical support saying that you are using these instructions, and which step you are having difficulty with.

Si vous avez besoin de plus d'informations ou d'instructions, veuillez contacter le support technique.

Évaluez cet article

Très mauvais Excellent