[Dshield] virus that disable regedit/msconfig?

allan.vanleeuwen@orangemail.nl allan.vanleeuwen at orangemail.nl
Thu Oct 28 13:23:15 GMT 2004


Hi Brian

A lot of the rdbot / sdbot variants kill the regedit and msconfig processes
every 5 seconds or so.
You can evade this by renaming your regedit.exe to something else. It does
mean, however, that you have not completely cleaned the infection yet; there
should be at least one more process running that is causing this. A boot into
safe mode will most likely also allow you to use the regedit utility.

Hope it helps ...

Allan
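
The two checks Allan describes (does a stock regedit.exe die within a few seconds, and does a renamed copy survive?) and the follow-up hunt for the process that is still running, as an added PowerShell example. This is not code from the thread or from any of the tools mentioned; it assumes an elevated PowerShell session on the suspect machine, and the variable names ($RenamedCopy, $Watch) and the temporary file name are my own choices.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# on the suspect Windows box. $RenamedCopy and $Watch are my own names; the
# copy's file name is arbitrary, the only requirement is that it is not regedit.exe.

$Original    = Join-Path $env:SystemRoot 'regedit.exe'
$RenamedCopy = Join-Path $env:TEMP 'rgdt-check.exe'   # hypothetical name for the renamed copy
$Watch       = 10                                      # seconds; the thread says kills come every ~5 s

function Test-Survives {
    # Start a binary and report whether it is still running after $Watch seconds.
    param([string]$Path)
    $proc = Start-Process -FilePath $Path -PassThru
    Start-Sleep -Seconds $Watch
    $alive = -not $proc.HasExited
    if ($alive) { Stop-Process -Id $proc.Id -Force }   # clean up our own instance only
    return $alive
}

Copy-Item -Path $Original -Destination $RenamedCopy -Force

$stockAlive   = Test-Survives $Original
$renamedAlive = Test-Survives $RenamedCopy

if (-not $stockAlive -and $renamedAlive) {
    Write-Host "regedit.exe is killed by image name; a renamed copy survives."
    Write-Host "Something is still running that does the killing. Candidates:"

    # 1. Autostart entries this family uses to come back after a reboot.
    #    PowerShell reads the registry directly, so the regedit kill loop does not block this.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            Write-Host "--- $k"
            Get-ItemProperty -Path $k |
                Select-Object -Property * -ExcludeProperty PS* |
                Format-List
        }
    }

    # 2. Running processes whose image lives outside the usual system directories.
    #    Anything here that you do not recognise is the first thing to look at.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\")
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $p = $_.Path
        -not ($trusted | Where-Object { $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
}
elseif (-not $stockAlive -and -not $renamedAlive) {
    Write-Host "Even the renamed copy dies: the killer matches on something other than the file name (a window title, for instance)."
    Write-Host "Boot into safe mode and repeat the check there."
}
else {
    Write-Host "regedit.exe ran for $Watch s without being killed; the kill loop is not active right now."
}

Remove-Item -Path $RenamedCopy -Force -ErrorAction SilentlyContinue
```

The survival test is deliberately longer than the five-second interval mentioned in the reply so that a single kill cycle cannot be missed. If the renamed copy survives, the process list and Run keys are where the leftover component will normally show up; if even the renamed copy is killed, the bot is matching on something other than the image name, and safe mode is the next step.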

-----Original Message-----
From: Diamond King [mailto:mercyful_fated at yahoo.com] 
Sent: Thursday, October 28, 2004 7:51 AM
To: list at lists.dshield.org
Subject: [Dshield] virus that disable regedit/msconfig?

Hello people. Recently, there have been some virus attacks on our network. For
your information, our gateway is a Linux machine equipped with Squid and the
Shorewall firewall. Last week, Squid started to act weird, and as I browsed
through the cache.log file I could see many "Request header is too large
(24575 bytes)" logs in it. This slowed Squid's performance down.

We went to scan the users' PCs with Trend Micro's Sysclean utility and Spyware
Doctor. Most of the infected users are unable to start their antivirus
software. By the way, the infected users are attacking ports 135, 139 and 445.
They are also attacking ports 80 and 443 (I reckon that's the reason why Squid
is slow). Sysclean found WORM_SDBOT.SE while Spyware Doctor detected at
least a hundred spywares.

One of the symptoms of this virus is that we are unable to run regedit or
msconfig as well. It pops up for a few seconds and then goes off. The same thing
happened when we tried to patch their Windows. After scanning, the infected PC
seems to stop spreading, but I can still see a few HTTP port requests to IP
address 192.x.x.x. Weird thing. However, after cleaning sdbot.se, we still can't
access regedit/msconfig or patch the system. Can someone please advise me
what can be done to resolve this issue? Thanks for the time.

brian


		
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail
_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
===========================================================
The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.
===========================================================





More information about the list mailing list