[THIN] Re: OT: Worm Problem
- From: Dogers <dogers@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Tue, 30 Nov 2004 22:25:43 +0000
On Tue, 30 Nov 2004 16:22:10 -0500, Bruce Jarrett-Norton
<bjarrett@xxxxxxxxxxxxxx> wrote:
> We are having major problems all day with a worm here in our office.
> So far here is what we have:
> The user has to be a local admin because it needs access to the WinNT
> folder (thus 98 machines are immune)
> It places a file named "o" with no extension on it in the
> c:\winnt\system32 folder
> O has the following in it:
>
> (ip address of previous machine) (random port number)
> User 1 1
> Get x.exe
>
> On the systems in the c:\winnt\system32 folder there is an x.exe file
> Throughout the user's registry this file is not located and if you try
> to remove it, it mutates to another file name.
> It is also now a system service.
>
> When the user reboots they get pop up after pop up for gay port sites
> and their home page is redirected.
> Running the updates from MS windows updating service stops the pop ups
> CA antivirus does not see it or sees x.exe but gets an open file error
> However, we are unable to remove the worm totally from a system.
Sounds a lovely little beasty! Have you tried Process Explorer on it,
seeing what service it's running as and files it's using? If it's a
service (ie, in the services.msc list) then you should be able
to remove it from hklm\system\currentcontrolset\services - search for
the name it's displaying or the exe it's running. Then send a copy of
x.exe to the antivirus dissection team!
Andrew
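The registry search Andrew suggests, as an added PowerShell example that is not part of the original thread: it walks HKLM\SYSTEM\CurrentControlSet\Services and reports every service whose binary name or display name matches what you are hunting (the thread's x.exe is the constructed default), or whose binary sits in system32 without a valid Authenticode signature. It reports and hashes rather than deletes, so the sample can still be sent on to the AV vendor; the helper name Get-ServiceExe and the $Suspect parameter are my own.

```powershell
# Added example, not from the thread. Run as a local administrator.
# $Suspect: binary or display names to hunt for (constructed default: the thread's x.exe).
param([string[]] $Suspect = @('x.exe'))

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn an ImagePath value into a plain file path: strip quotes and arguments,
# expand %SystemRoot%-style variables, and resolve the \??\, \SystemRoot\ and
# relative forms that services and drivers commonly use. (Hypothetical helper name.)
function Get-ServiceExe([string] $ImagePath) {
    $p = [System.Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($k in Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }        # entries without a binary are skipped

    $exe     = Get-ServiceExe $props.ImagePath
    $exeName = [System.IO.Path]::GetFileName($exe)
    $reason  = $null

    # 1) Direct match on the binary name or the display name being hunted.
    foreach ($s in $Suspect) {
        if ($exeName -ieq $s -or ("$($props.DisplayName)" -like "*$s*")) { $reason = "matches '$s'" }
    }
    # 2) Heuristic: a service binary in system32 that carries no valid Authenticode signature.
    if (-not $reason -and $exe -like "$env:SystemRoot\system32\*" -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reason = "unsigned binary in system32 ($($sig.Status))" }
    }
    if ($reason) {
        [pscustomobject]@{
            Service     = $k.PSChildName
            DisplayName = $props.DisplayName
            ImagePath   = $props.ImagePath
            Start       = $props.Start        # 2 = automatic start
            Reason      = $reason
            SHA256      = if (Test-Path -LiteralPath $exe) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'file missing' }
        }
    }
}

$findings | Format-Table -AutoSize
```

Stop the flagged service and take the hash before touching the file, since the thread reports the binary renaming itself when it is deleted in place.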