[THIN] Re: New worm ALERT!!

  • From: "Rick Mack" <Rick.Mack@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 22 Oct 2004 19:04:58 +1000

Hi People,
 
My wife brought a brand new variant of an old worm OPASRV home from school. Not 
detected by the latest versions of Norton, Trend or McAfee.
 
Symptoms are high CPU utilization, slow or blocked network access.
 
The payload is a 20K executable, srv32.exe which installs itself as a service 
and is located in system32.
 
The old OPASRV worm spread from other infected PCs via port 137, not sure what 
this one does.
 
Initial mode of infection not known as yet.
 
Removal is fairly straightforward. Use taskmgr to kill srv32.exe and delete the 
srv32 entry under HKLM\System\CurrentControlSet\Services.
 
I'm sending a copy of the worm to Trend for analysis.
 
regards,
 
Rick
 
Ulrich Mack
Volante Systems
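
A read-only check for the indicators named in the message above (the `srv32` service entry, `srv32.exe` in system32, a running `srv32` process), as an added example that is not part of the original message. The function name `Test-Srv32Indicator` and the shape of the report object are assumptions made for illustration; it changes nothing on the host and records a SHA-256 of the file so it can be compared with whatever a vendor later publishes.

```powershell
# Added example: only the names srv32 / srv32.exe, the Services key and the
# system32 location come from the message; everything else is an assumption.
function Test-Srv32Indicator {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'srv32',
        [string]$FileName    = 'srv32.exe'
    )

    $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $exePath = Join-Path $env:SystemRoot "System32\$FileName"

    # Service registration: the message says the worm installs itself as a service.
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue

    # Dropped file in system32 (-Force so hidden/system attributes do not hide it).
    $file = Get-Item -LiteralPath $exePath -Force -ErrorAction SilentlyContinue

    # Running process, matched by image name without the .exe extension.
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $proc = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ServiceKey    = [bool]$svc
        ImagePath     = if ($svc)  { $svc.ImagePath } else { $null }
        FilePresent   = [bool]$file
        FileSizeBytes = if ($file) { $file.Length }   else { $null }
        FileSha256    = if ($file) {
                            (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
                        } else { $null }
        ProcessIds    = $proc.Id
        # Any single indicator is enough to warrant a closer look at the host.
        Suspect       = [bool]($svc -or $file -or $proc.Count)
    }
}

Test-Srv32Indicator | Format-List
```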
 
 
 
 

________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Dogers
Sent: Fri 22/10/2004 6:33 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: ThinStation



Well, I call them test machines, but they're actually live machines staff use :)

I think it's quite a good setup, the only problem I have is that the
machines currently aren't booting remotely, I've not got round to
setting up RIS on the network yet. There's a very active mail list for
it as well (http://lists.sourceforge.net/lists/listinfo/thinstation-general)
and they recently had a poll on there as to who uses it on what scale,
seems there's 5 users with over 500 clients using it somewhere!
http://sourceforge.net/mailarchive/forum.php?thread_id=5730699&forum_id=33087

There's also a "LiveCD" which you can download, burn and test it out
with, although it's a "stable" version, not the cutting edge beta
version, which is generally stable anyway!

Andrew


On Fri, 22 Oct 2004 08:34:20 +0200, Lennart Koschella
<lk@xxxxxxxxxxxxxxxxxxxx> wrote:
> dogers@xxxxxxxxx wrote:
>
>  >I've got a few (3!) test machines running it, what do you want to know?
>
> Generally I'd like to know whether it's worth to take a deeper look at it.
> We have currently about 50 older PCs (Pentium I/II class) which we want to
> use as thin clients without putting a lot of energy into it. I read the
> documentation on the ThinStation website and it looks as if it is exactly
> what we need. Now I wonder if someone really uses ThinStation in a
> productive environment (and can give me some hopefully positive feedback).
>
>
>
>
> With kind regards,
>
> Lennart Koschella
> System Administrator
> University Hospital Tuebingen/Germany
>
> ********************************************************
> This Weeks Sponsor RTO Software
> Do you know which applications are abusing your CPU and memory?
> Would you like to learn? --   Free for a limited time!
> Get the RTO Performance Analyzer to quickly learn the applications, users,
> and time of day possible problems exist.
> http://www.rtosoft.com/enter.asp?id=320
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
>