[Dshield] virus that disable regedit/msconfig?

TS ts at spekkens.com
Thu Oct 28 12:42:31 GMT 2004


Hello,

I have had this before.  The trick I used to get rid of it was to download
the Symantec update file, boot in safe mode, run the update and then scan
the PC in safe mode.  As I remember the AV (Symantec AV Corp 9.0) had no
trouble starting in safe mode.  As well, as I remember, I was able to run
regedit in safe mode.  Hopefully I'm remembering correctly.

If I am remembering wrong, though, then check the virus database for viruses
which kill msconfig, regedit, etc., and obtain a removal tool for them and try
running those.

TS

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Diamond King
Sent: October 28, 2004 1:51 AM
To: list at lists.dshield.org
Subject: [Dshield] virus that disable regedit/msconfig?


Hello people. Recently, there have been some virus attacks
on our network. For your information, our gateway is a
Linux machine equipped with Squid and the shorewall
firewall. Last week, Squid started to act weird,
and as I browsed through the cache.log file, I could see
many "Request header is too large (24575 bytes)" logs
in it. This slowed Squid's performance down.

We went to scan the users' PCs with Trend Micro's
sysclean utility and Spyware Doctor. Most of the
infected users are unable to start their antivirus
software. By the way, the infected users are attacking
ports 135, 139 and 445. They are also attacking ports 80
and 443 (I reckon that's the reason why Squid is
slow). Sysclean found WORM_SDBOT.SE, while Spyware
Doctor detected at least a hundred pieces of spyware.

One of the symptoms of this virus is that we are unable to
run regedit or msconfig as well. It pops up for a few seconds
and then goes away. The same thing happens when we try to
patch their Windows. After scanning it, the infected
PC seems to stop spreading, but I can still see a few
HTTP port requests to IP address 192.x.x.x. Weird
thing. However, after cleaning sdbot.se, we still can't
access regedit/msconfig or patch the system. Can
someone please advise me what can be done to resolve
this issue? Thanks for your time.

brian
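Brian's gateway is the one box that sees every infected workstation, and the behaviour he describes (many hosts hammering 135, 139 and 445) shows up in shorewall's netfilter log lines as one source fanning out to many destinations on those ports. The script below is an added example, not anything posted in this thread, and it does not come from the shorewall or Squid projects. It parses the KEY=VALUE fields netfilter's LOG target writes to syslog, counts distinct destinations per source on the worm ports, and reports sources over a threshold. The log lines are constructed (the 198.51.100.0/24 targets are documentation addresses), and the "loc2net" chain name, interface names and the threshold of 10 are assumptions to adjust for your own network.

```python
"""Flag internal hosts fanning out on 135/139/445 in shorewall (netfilter LOG) syslog lines.

Added example for the thread above; sample log is constructed, not a real capture.
"""
import re
from collections import defaultdict

# Ports the original post says the infected hosts were attacking.
WORM_PORTS = {135, 139, 445}

# netfilter's LOG target writes a run of KEY=VALUE fields; these four are enough here.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S*)")

# Shape of a shorewall log line as syslog records it (prefix/chain name is an assumption).
LOG_TEMPLATE = ("Oct 28 01:40:{sec:02d} gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 "
                "SRC={src} DST={dst} LEN=48 TTL=128 PROTO=TCP SPT={spt} DPT={dpt} SYN")


def make_sample_log():
    """Constructed sample (not the poster's real log): one host probing a dozen
    outside addresses on 445/135, one ordinary host, one unrelated syslog line."""
    lines = []
    # Ordinary workstation: a single SMB destination, plus a web request.
    lines.append(LOG_TEMPLATE.format(sec=1, src="192.168.1.20", dst="198.51.100.5", spt=1100, dpt=445))
    lines.append(LOG_TEMPLATE.format(sec=2, src="192.168.1.20", dst="198.51.100.6", spt=1101, dpt=80))
    # Suspicious: 192.168.1.50 touches 12 distinct targets, alternating 135 and 445.
    for i in range(12):
        lines.append(LOG_TEMPLATE.format(sec=10 + i, src="192.168.1.50",
                                         dst=f"198.51.100.{100 + i}",
                                         spt=1500 + i, dpt=445 if i % 2 else 135))
    # Not a firewall line at all; the parser must skip it.
    lines.append("Oct 28 01:40:30 gw sshd[999]: Accepted password for admin from 192.168.1.2 port 40000 ssh2")
    return lines


def parse_line(line):
    """Return {'src', 'dst', 'dpt'} for a TCP netfilter LOG line, else None."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    if fields["PROTO"] != "TCP" or not fields["DPT"].isdigit():
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "dpt": int(fields["DPT"])}


def fanout_by_source(lines, ports=WORM_PORTS):
    """Map each source IP to the set of distinct destinations it hit on `ports`."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] in ports:
            targets[rec["src"]].add(rec["dst"])
    return targets


def flag_scanners(lines, threshold=10, ports=WORM_PORTS):
    """Sources that reached at least `threshold` distinct hosts on the worm ports.

    The threshold is an assumption: a file server legitimately talks to many
    clients on 445, so whitelist such hosts or raise the value for them."""
    return sorted(src for src, dsts in fanout_by_source(lines, ports).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    log = make_sample_log()
    for src, dsts in sorted(fanout_by_source(log).items()):
        print(f"{src}: {len(dsts)} distinct targets on ports {sorted(WORM_PORTS)}")
    print("suspect hosts:", flag_scanners(log))
```

On a real gateway, feed it the kernel log instead of the constructed sample (for example `grep Shorewall /var/log/messages`), and remember the gateway only sees LAN-to-outside traffic: workstation-to-workstation probes on the same subnet never cross it, so an infected host that scans only its neighbours will not appear here.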



_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list