[THIN] OT: Worm Problem

  • From: "Bruce Jarrett-Norton" <bjarrett@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 30 Nov 2004 16:22:10 -0500

We are having major problems all day with a worm here in our office.
So far here is what we have:
The user has to be a local admin because it needs access to the WinNt
folder (thus 98 machines are immune).
It places a file named "o" with no extension on it in the
c:\winnt\system32 folder
O has the following in it:

(ip address of previous machine) (random port number)
User 1 1
Get x.exe


On the systems, in the c:\winnt\system32 folder, there is an x.exe file.
Throughout the user's registry this file is not located, and if you try
to remove it, it mutates to another file name.
It is also now a system service.


When the user reboots they get pop up after pop up for gay port sites
and their home page is redirected.
Running the updates from MS windows updating service stops the pop ups
CA antivirus does not see it or sees x.exe but gets an open file error
However, we are unable to remove the worm totally from a system.


Any help would be welcomed.

Bruce Jarrett-Norton
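
A triage check for the artifacts reported above, as an added example that is not part of the original post: it looks in a folder for small extensionless files whose contents match the three-line layout of "o" and reports whether the executable they name is also present. The function names, the size limit, the tolerated leading "open" and the sample folder contents are assumptions made for illustration.

```python
import os
import re
import tempfile

# Layout reported in the post: "<ip> <port>", "User 1 1", "Get x.exe".
# An optional leading "open" is tolerated (assumption, not stated in the post).
HOST_LINE = re.compile(r"^(?:open\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})$", re.I)
USER_LINE = re.compile(r"^user\s+\S+\s+\S+$", re.I)
GET_LINE = re.compile(r"^get\s+(\S+\.exe)$", re.I)

def parse_drop_script(text):
    """Return {'host','port','payload'} if text matches the reported layout, else None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        return None
    host = HOST_LINE.match(lines[0])
    get = next((m for m in map(GET_LINE.match, lines[2:]) if m), None)
    if not (host and USER_LINE.match(lines[1]) and get):
        return None
    port = int(host.group(2))
    if not 0 < port < 65536 or any(int(o) > 255 for o in host.group(1).split(".")):
        return None
    return {"host": host.group(1), "port": port, "payload": get.group(1).lower()}

def scan_folder(folder, max_bytes=4096):
    """Check small extensionless files in folder; report script and payload presence."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if "." in name or not os.path.isfile(path) or os.path.getsize(path) > max_bytes:
            continue
        with open(path, "r", errors="replace") as fh:
            hit = parse_drop_script(fh.read())
        if hit:
            present = {n.lower() for n in os.listdir(folder)}
            hit.update(script=name, payload_present=hit["payload"] in present)
            findings.append(hit)
    return findings

def demo():
    """Run the scan over a constructed folder (192.0.2.10 is a documentation address)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "o"), "w") as fh:
            fh.write("192.0.2.10 4567\nUser 1 1\nGet x.exe\n")
        open(os.path.join(d, "x.exe"), "wb").close()
        with open(os.path.join(d, "notes"), "w") as fh:
            fh.write("just a readme\n")
        return scan_folder(d)

if __name__ == "__main__":
    print(demo())
```

The address recovered from a matching file is the machine the post describes as the previous host, so each finding also points at the next system to examine.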