[THIN] Re: OT: Worm Problem

  • From: "Trevor Fuson" <fuson@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 30 Nov 2004 14:43:37 -0800

Get autoruns and process explorer. 

1. First check all of the boxes under the view menu in autoruns, then
delete all of the worm entries. 
2. Go to process explorer, find the worm process and pause it.
3. Do a search on the worm file handles and manually close them.
4. Delete all of the worm files, or move them to a safe directory.
5. Kill the worm processes in process explorer.
6. Go back into autoruns (refresh) and clean out any new entries.
7. Keep repeating until you get all of the worms out; if they keep
returning, you are missing a process that is spawning them.  Use Filemon
to find out what process is spawning the new worm processes if you can't
determine which process is causing the spawning.


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Bruce Jarrett-Norton
Sent: Tuesday, November 30, 2004 1:22 PM
We are having major problems all day with a worm here in our office.
So far here is what we have:
The user has to be a local admin because it needs access to the WinNT
folder (thus 98 machines are immune). It places a file named "o" with no
extension on it in the c:\winnt\system32 folder.
O has the following in it:

(ip address of previous machine) (random port number) User 1 1 Get x.exe


On the systems in the c:\winnt\system32 folder there is an x.exe file
Throughout the user's registry this file is not located, and if you try
to remove it, it mutates to another file name.
It is also now a system service.


When the user reboots they get pop up after pop up for gay port sites
and their home page is redirected.
Running the updates from MS windows updating service stops the pop ups
CA antivirus does not see it or sees x.exe but gets an open file error
However, we are unable to remove the worm totally from a system.
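An added example (not from either poster) that automates the reasoning in step 7 of the reply above: given a process snapshot such as Process Explorer shows (PID, parent PID, image name), walk up each worm process's parent chain to the nearest ancestor that is not itself a worm process; that ancestor is the spawner to look at next. The snapshot, the PIDs, and the mutated file names other than x.exe are constructed for illustration.

```python
"""Find the process that keeps re-spawning worm processes."""
from collections import Counter

# Constructed snapshot: (pid, ppid, image name). On a real box this comes
# from Process Explorer, `tasklist`, or WMI, not from this hard-coded list.
SNAPSHOT = [
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (600, 400, "winlogon.exe"),
    (650, 600, "services.exe"),
    (900, 650, "svchost.exe"),
    (1200, 650, "x.exe"),        # worm running as a system service
    (1300, 1200, "qz.exe"),      # constructed: mutated copy spawned by x.exe
    (1350, 1200, "x.exe"),
    (1400, 1300, "kd.exe"),      # constructed: spawned by the mutated copy
    (1500, 9999, "x.exe"),       # its parent has already exited
]

# Image names identified as the worm so far (lower-case). Add each new
# mutated name you see here and re-run until the spawner is found.
WORM_IMAGES = {"x.exe", "qz.exe", "kd.exe"}


def find_spawners(snapshot, worm_images):
    """Return {spawner_pid: number of worm processes it ultimately spawned}.

    A key of None means the chain ended at a PID that is no longer running,
    i.e. the spawner exited (or was killed) after launching that process.
    """
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    spawners = Counter()
    for pid, ppid, name in snapshot:
        if name.lower() not in worm_images:
            continue
        cur, seen = ppid, set()
        # Climb past worm parents until a non-worm ancestor is reached.
        while cur in by_pid and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_name = by_pid[cur]
            if parent_name.lower() not in worm_images:
                break
            cur = parent_ppid
        spawners[cur if cur in by_pid else None] += 1
    return dict(spawners)


if __name__ == "__main__":
    names = {pid: name for pid, _, name in SNAPSHOT}
    for pid, count in find_spawners(SNAPSHOT, WORM_IMAGES).items():
        who = "exited/unknown" if pid is None else f"{names[pid]} (pid {pid})"
        print(f"{count} worm process(es) trace back to {who}")
```

When the spawner turns out to be services.exe, the worm is being started as a service, so the entry to remove is under the Services view in autoruns, matching the original poster's observation that it is "now a system service".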