[Dshield] Possible virus/worm?

Isaac Perez pobletman at hotmail.com
Sun Oct 24 17:56:43 GMT 2004


I had more or less the same problem, but with the AVG antivirus; it can't
detect a virus that collapses the network by attacking other Windows machines
on port 445, in our case Windows XP.
In our case the virus was a .dll and runs explorer.exe to connect to the
network.
We cleaned it with Stinger:
http://vil.nai.com/vil/stinger/
You can try it.
I hope it will be useful to you.

----- Original Message -----
From: "Ted August" <taugust04 at gmail.com>
To: <list at lists.dshield.org>
Sent: Saturday, October 23, 2004 9:08 PM
Subject: [Dshield] Possible virus/worm?


> Hello everyone,
>
> I am new to this list, but I have been google-ing all day and have not
> been able to find anything to my answers so far.  Our network was
> recently hit with a new worm/virus that has not been detected by
> Symantec AV Corporate.
>
> The symptoms are as follows:
>
> 1.  Creates a file called "quiktime32.exe" (note the mis-spelling) in
> c:\%systemroot%\system32.
> 2.  Creates a service called "QuickTime Player" that cannot be
> disabled or stopped from the Computer Management Console.
> 3.  Generates a ton of traffic on port 445.
>
> One of our network admins believes that this is a new variant of
> Sasser, but otherwise we have been unsuccessful in diagnosing the
> problem.  It seems to have only hit mostly Windows 2000 computers on
> our network.
>
> If anyone else is having the same problem, and could provide some
> feedback as to what this is, it would be much appreciated.  We did
> submit the file to Symantec but haven't heard back yet.
>
> Thanks!
>
> Ted August

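The third symptom in the quoted report, a flood of port 445 traffic from infected hosts, can be looked for in flow or firewall logs even when the antivirus does not recognise the file. The following is an added example, not part of either post: the log format (time, source, destination, destination port), the addresses, and the window and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed format: time src dst dport), not from the thread.
SAMPLE_LOG = "\n".join(
    # One host sweeping eight different machines on 445 (worm-like fan-out).
    [f"2004-10-23T14:00:{i:02d} 10.0.0.23 10.0.1.{i} 445" for i in range(1, 9)]
    # A normal client talking repeatedly to a single file server on 445.
    + [f"2004-10-23T14:00:{i:02d} 10.0.0.40 10.0.0.2 445" for i in range(1, 9)]
    # Fan-out on another port, which this check must ignore.
    + [f"2004-10-23T14:00:{i:02d} 10.0.0.50 10.0.2.{i} 80" for i in range(1, 9)]
    + ["garbage line"]
)

def parse(log):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def smb_fanout(log, port=445, window=timedelta(seconds=60), threshold=5):
    """Map each source to the largest number of distinct destinations it
    contacted on `port` inside any sliding `window`, keeping only sources
    that reach `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for host, count in smb_fanout(SAMPLE_LOG).items():
        print(f"{host} contacted {count} distinct hosts on 445 within 60s")
```

Counting distinct destinations rather than raw connections keeps a busy client of one file server from being flagged; the threshold needs tuning against the network's normal SMB traffic.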

