Watch out for a process called Win32load.exe on your machines!

JK
http://thethin.net
http://www.osmess.com

Trend has just released the below Worm advisory.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSPREE.A

Description:

This worm spreads via network shares. It also gives remote control access to infected systems. It allows remote users to connect to the infected machine and then download and execute files on the compromised system.

This worm runs on Windows 95, 98, ME, NT, XP, and 2000 but will not be able to spread and drop copies of itself to Windows 9x/ME systems.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager.
   On Windows 9x/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: Win32load
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries: Windows Subsys
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry or entries: Windows Subsys
6. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.

Restoring Other Registry Keys

1. Open Registry Editor.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>System>CurrentControlSet>Control>Lsa
3. In the right panel, locate the entry: restrictanonymous
4. Right-click the entry and click Modify.
5. Type in the default value of 0 and click OK.
6. Close Registry Editor.

Related to: BAT_NETSPREE.A
In the wild: Yes
Payload 1: Compromises network security
Language: English
Platform: Windows 95/98/ME/NT/2000/XP
Encrypted: No

Details:

Installation

Upon execution, this worm drops a copy of itself in the System directory as . It also adds the following registry entries so that the dropped copy is executed every time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows Subsys = "%System%\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Subsys = "%System%\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32

*Where %System% is the Windows system folder, which is usually C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.

It also modifies the data value of the following registry entry to "DWORD:0":

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
restrictanonymous

The worm then stays resident in memory. At least one of the executing copies is always a dropped copy in the System folder.

Network Propagation

To propagate through the network, it executes its batch file component PSEXEC.BAT, which Trend Micro detects as BAT_NETSPREE.A. It also uses the tool PSEXEC.EXE to drop a copy of itself to other computers. This worm tries to spread across the network through the interprocess communication share, IPC$.
The worm tries to authenticate itself to other computers in the network by first trying to establish a null session connection, which is simply connecting without a user name and password. However, if the target is password-protected, the worm also tries other hardcoded user names and passwords to get in. Once the worm has authenticated itself, it uses the file PSEXEC.EXE to drop a copy of itself as %Windows%\System32\Win32load.exe. It also uses this tool to set the attribute of the copy to read-only.

Note: Since IPC$ is only available on NT-based machines, the worm fails to propagate and drop copies of itself to Windows 9x/ME systems.

Backdoor Routine

The worm notifies the hacker by connecting to the IRC server master.leet-gamer.net and then joining the IRC channel #lc_breed. It uses the default IRC port 6667 for this connection. It gives remote control access to infected systems. It allows remote users to connect to the infected machine and then download and execute files on the compromised system. It then downloads the file LCP_NETBIOS.DLL. This file is an NT-based system service that installs the files in the system.

Denial of Service Tool

This worm can also allow an attacker to initiate Denial of Service attacks against other infected users.

Description created: Jan. 26, 2003 11:02:15 PM GMT -0800
Description updated: Jan. 26, 2003 11:19:10 PM GMT -0800
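As an added defender-side check (not part of the Trend advisory or the list post), the script below parses a regedit export and flags the "Windows Subsys" autostart entries and the Lsa restrictanonymous change listed under Installation, the same items the manual removal steps have you look for by hand. The .reg sample is constructed for the example.

```python
# Indicators taken from the WORM_NETSPREE.A description quoted above.
AUTOSTART_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Constructed sample export (not a real capture) in regedit's .reg format,
# where backslashes and quotes inside string data are escaped.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Subsys"="\"%System%\\win32load.exe\" rundll32.dll,loadsubsys,loadsys,win32"
"Sound Tray"="C:\\WINNT\\System32\\stray.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"""


def parse_reg_export(text):
    """Parse a .reg export into {key (lower-cased): {value name (lower-cased): raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip().strip('"').lower()] = data.strip()
    return keys


def find_netspree_indicators(text):
    """Return one finding per autostart entry or Lsa change matching the advisory."""
    keys = parse_reg_export(text)
    findings = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key, {}).items():
            # Match on the value name the worm uses or on the dropped file name.
            if name == "windows subsys" or "win32load.exe" in data.lower():
                findings.append(f"autostart: {key}\\{name} = {data}")
    lsa = keys.get(LSA_KEY, {})
    if lsa.get("restrictanonymous", "").lower().endswith("dword:00000000"):
        findings.append("lsa: restrictanonymous is 0 (null sessions allowed; value the worm sets)")
    return findings
```

Export the two keys with regedit (File > Export) on a suspect host and feed the file to find_netspree_indicators; a restrictanonymous of 0 alone is only corroborating, since it is also the default on NT.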