[Dshield] Possible virus/worm?

Ted August taugust04 at gmail.com
Sat Oct 23 19:08:49 GMT 2004


Hello everyone,

I am new to this list, but I have been googling all day and have not
been able to find any answers so far.  Our network was
recently hit with a new worm/virus that has not been detected by
Symantec AV Corporate.

The symptoms are as follows:

1.  Creates a file called "quiktime32.exe" (note the misspelling) in
c:\%systemroot%\system32.
2.  Creates a service called "QuickTime Player" that cannot be
disabled or stopped from the Computer Management Console.
3.  Generates a ton of traffic on port 445.

One of our network admins believes that this is a new variant of
Sasser, but otherwise we have been unsuccessful in diagnosing the
problem.  It seems to have only hit mostly Windows 2000 computers on
our network.

If anyone else is having the same problem, and could provide some
feedback as to what this is, it would be much appreciated.  We did
submit the file to Symantec but haven't heard back yet.

Thanks!

Ted August
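
Added example, not part of the original post: a small triage sweep that correlates the three reported symptoms (the misspelled file in system32, the "QuickTime Player" service, heavy port 445 fan-out) per host. The inventory and flow record layouts, the sample data, and the fan-out threshold of 20 peers are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

BAD_FILE = "quiktime32.exe"       # misspelled file name reported in the post
BAD_SERVICE = "quicktime player"  # service display name reported in the post
FANOUT_THRESHOLD = 20             # assumption: distinct port-445 peers per host

def in_system32(path):
    """True if path is the reported file sitting directly in a system32 directory."""
    p = path.lower()
    return (ntpath.basename(p) == BAD_FILE
            and ntpath.basename(ntpath.dirname(p)) == "system32")

def smb_fanout(flows):
    """Map each source host to the set of distinct peers it contacted on 445/tcp."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:
            peers[src].add(dst)
    return peers

def triage(inventory, flows, threshold=FANOUT_THRESHOLD):
    """Return {host: [matched symptoms]} for hosts showing at least one symptom."""
    peers = smb_fanout(flows)
    report = {}
    for rec in inventory:
        hits = []
        if any(in_system32(f) for f in rec["files"]):
            hits.append("file")
        if any(s.strip().lower() == BAD_SERVICE for s in rec["services"]):
            hits.append("service")
        if len(peers.get(rec["host"], ())) >= threshold:
            hits.append("fanout445")
        if hits:
            report[rec["host"]] = hits
    return report

# Constructed sample data (not from the post): host inventory plus flow records.
INVENTORY = [
    {"host": "10.0.0.5", "files": [r"C:\WINNT\system32\quiktime32.exe"],
     "services": ["QuickTime Player", "Workstation"]},
    {"host": "10.0.0.6", "files": [r"C:\Program Files\QuickTime\QuickTimePlayer.exe"],
     "services": ["Workstation"]},
    {"host": "10.0.0.7", "files": [], "services": ["Server"]},
]
FLOWS = [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 41)]
FLOWS += [("10.0.0.6", "10.0.0.2", 445), ("10.0.0.7", "10.0.0.2", 80)]

if __name__ == "__main__":
    for host, hits in triage(INVENTORY, FLOWS).items():
        print(host, ",".join(hits))
```

A host matching all three symptoms is the strongest candidate for isolation; a host matching only the fan-out check may simply be a file server client and needs a second look.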
