[THIN] Re: OT: Worm Problem

  • From: "Bruce Jarrett-Norton" <bjarrett@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 1 Dec 2004 08:46:55 -0500

Thank you for this.

What we ended up doing so far is unplugging the machine from the network
and then we are able to stop the x.exe process. Then we rename x.exe to
x.exe.bad and the o file to o.bad.
We plug back into the network and run all the critical Windows updates
that are out there. We do this because we did notice that our "newer",
more updated PCs were not infected. Well, that goes to show what having
only 3 IT people for 200 users spread out through 4 states can do
for you. We are now starting the SUS evaluation process. Better late
than never, I guess.

Bruce

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Trevor Fuson
Sent: Tuesday, November 30, 2004 5:44 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Worm Problem


Get autoruns and process explorer.

1. First check all of the boxes under the view menu in autoruns, then
   delete all of the worm entries.
2. Go to process explorer, find the worm process and pause it.
3. Do a search on the worm file handles and manually close them.
4. Delete all of the worm files, or move them to a safe directory.
5. Kill the worm processes in process explorer.
6. Go back into autoruns (refresh) and clean out any new entries.
7. Keep repeating until you get all of the worms out; if they keep
   returning, you are missing a process that is spawning them. Use Filemon
   to find out what process is spawning the new worm processes if you can't
   determine which process is causing the spawning.


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Bruce Jarrett-Norton
Sent: Tuesday, November 30, 2004 1:22 PM
We are having major problems all day with a worm here in our office. So
far here is what we have: The user has to be a local admin because it
needs access to the WinNt folder (thus 98 machines are immune). It places a
file named "o" with no extension on it in the c:\winnt\system32 folder. O
has the following in it:

(ip address of previous machine) (random port number) User 1 1 Get x.exe


On the systems, in the c:\winnt\system32 folder there is an x.exe file.
Throughout the user's registry this file is not located, and if you try
to remove it, it mutates to another file name. It is also now a system
service.

When the user reboots they get pop up after pop up for gay port sites
and their home page is redirected. Running the updates from the MS Windows
updating service stops the pop ups. CA antivirus does not see it, or sees
x.exe but gets an open file error. However, we are unable to remove the
worm totally from a system.
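The "o" transfer script quoted above is also a lead for tracing how the worm spread: each infected host's "o" names the machine it pulled x.exe from. As an added example (not from this thread), the Python below parses "o" files collected from several hosts and walks the chain back toward the first source; the host addresses and file contents are constructed, and accepting fields split by either spaces or newlines is an assumption.

```python
import re
from typing import Dict, List, Optional

# Token sequence of the dropped "o" script as quoted in the thread:
#   <ip of previous machine> <random port> User 1 1 Get x.exe
_EXPECTED_TAIL = ("user", "1", "1", "get", "x.exe")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

def parse_o_script(text: str) -> Optional[Dict[str, object]]:
    """Return source_ip/port/payload if text is the worm's transfer script,
    else None. Fields may be split by spaces or newlines (assumption)."""
    tokens = text.split()
    if len(tokens) != 7:
        return None
    ip, port, *tail = tokens
    m = _IPV4.match(ip)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        return None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    if tuple(t.lower() for t in tail) != _EXPECTED_TAIL:
        return None
    return {"source_ip": ip, "port": int(port), "payload": tail[-1]}

def build_chain(o_files: Dict[str, str]) -> Dict[str, str]:
    """Map each host whose 'o' parses to the host it fetched x.exe from."""
    chain: Dict[str, str] = {}
    for host, text in o_files.items():
        parsed = parse_o_script(text)
        if parsed:
            chain[host] = str(parsed["source_ip"])
    return chain

def trace_back(chain: Dict[str, str], victim: str) -> List[str]:
    """Walk from victim toward the earliest known source; stop at a host
    with no parsed 'o' file or when the chain loops back on itself."""
    path, seen = [victim], {victim}
    while path[-1] in chain and chain[path[-1]] not in seen:
        nxt = chain[path[-1]]
        seen.add(nxt)
        path.append(nxt)
    return path

# Constructed 'o' contents "collected" from four hosts (not real data).
SAMPLE_O_FILES = {
    "10.0.1.20": "10.0.1.10 4567 User 1 1 Get x.exe",
    "10.0.1.30": "10.0.1.20\n31337\nUser\n1\n1\nGet\nx.exe\n",
    "10.0.1.40": "10.0.1.30 2222 user 1 1 get X.EXE",
    "10.0.1.50": "this host had an unrelated file named o",
}
```

Calling trace_back(build_chain(SAMPLE_O_FILES), "10.0.1.40") returns the path from that host back to 10.0.1.10, the first machine in the sample set with no "o" file of its own.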
********************************************************
This Weeks Sponsor Activaeon.com
Reduce licensing costs with activAeon XA and 
get one month completely free.
http://www.activaeon.com
********************************************************** 
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm ThinWiki community http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm